Gen.Variant.Graftor.8297_6cd206861b

by malwarelabrobot on August 18th, 2014 in Malware Descriptions.

Gen:Variant.Graftor.8297 (B) (Emsisoft), Gen:Variant.Graftor.8297 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 6cd206861b4db3a83667a7b14de4b58d
SHA1: ae18c729391d1744b705ec93f0160605477061c9
SHA256: c9e0f1c6c794a929f331dd5e7f6d4d5800766e73b14f129d8224d6c04949d6f9
SSDeep: 24576:3vPhP6i9K0wfkAUTZaqdiXSp0c02uFG6dAk3xMkR:/JP6Gw6TZaqdwk0c05HGil
Size: 1601536 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2014-07-05 13:26:32
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW: a Trojan program intended to steal users' passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2012

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):


The Trojan deletes the following file(s):


Registry activity

The process %original file name%.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePrefix" = ":2014081720140818:"
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1404555992"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014081720140818\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 89 C3 D8 9D 30 F9 E3 F3 72 21 43 3A F8 F4 4E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone settings so that all local web nodes whose names contain no dots, and which are not assigned to any other zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912 c:\SkinH_EL.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 470447 471040 4.54404 84112665e3d73644f9136e52fe52e973
.rdata 475136 967030 970752 5.28926 2213235e3c8c52cff8d0b61dfffda90d
.data 1445888 184074 65536 3.45572 a803471009ef1b78c190f02824cc6ab6
.rsrc 1630208 87156 90112 2.27554 3a870711b3c73f57b527a56dad041452

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

POST /?ac=get_time&ran=688197.0977410674 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: save.api.4399.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: _4399stats_vid=140823078785628

gameid=100016523&uid=
HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:13:06 GMT
Server: Apache/2.4.7 (Unix)
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Content-Length: 30
Connection: close
Content-Type: text/html;charset=utf-8
{"time":"2014-08-17 12:13:06"}..


GET /media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: drmcmm.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1

GET /media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: drmcmm.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1


HTTP/1.1 200 OK
media: media
Cache-Control: max-age=31536000
Expires: Fri, 26 Oct 2012 12:24:13 GMT
Last-Modified: Sat, 25 Apr 2009 07:04:00 GMT
Content-Type: image/jpeg
Date: Sun, 17 Aug 2014 04:12:52 GMT
Server: apache
Content-Length: 19625
[JPEG body, 19625 bytes: Exif (II*, little-endian) and Adobe "Ducky" APP segments, then the XMP packet below; the image data itself is binary and omitted]
<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 ">
  <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
    <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:9AC6534D2232E21197278D32144D5421" xmpMM:DocumentID="xmp.did:D93AE388322711E2B782C4EF4C8536EF" xmpMM:InstanceID="xmp.iid:D93AE387322711E2B782C4EF4C8536EF" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)">
      <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8524B6A02632E21197278D32144D5421" stRef:documentID="xmp.did:9AC6534D2232E21197278D32144D5421"/>
    </rdf:Description>
  </rdf:RDF>
</x:xmpmeta>
<?xpacket end="r"?>

<<< skipped >>>

GET /app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com


HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 17 Aug 2014 04:12:28 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=qxl3DGTX4jwCAbhrJiYA1Bqu; expires=Wed, 14-Aug-24 04:12:28 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /jss/2014ysxy.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.4399.com
Connection: Keep-Alive
Cookie: cookie_hs=4399.com|||%u52C7%u58EB%u7684%u4FE1%u4EF0||80727||0; bdshare_firstime=1408230785700


HTTP/1.1 200 OK
Expires: Sat, 15 Nov 2014 01:50:43 GMT
Date: Sun, 17 Aug 2014 01:50:43 GMT
Server: nginx
Content-Type: application/x-javascript
Last-Modified: Mon, 12 May 2014 09:24:19 GMT
Transfer-Encoding: chunked
Cache-Control: max-age=7776000
Content-Encoding: gzip
Age: 1
X-Via: 1.1 hzsx166:8080 (Cdn Cache Server V2.0), 1.1 hx3:1 (Cdn Cache Server V2.0)
Connection: keep-alive
f2f
[gzip-compressed JavaScript body (Content-Encoding: gzip, chunked transfer; f2f is the first chunk size); binary data omitted]

<<< skipped >>>

GET /c.php?id=30039538 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: w.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 17 Aug 2014 04:12:26 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Sun, 17 Aug 2014 04:12:26 GMT
Expires: Sun, 17 Aug 2014 05:42:26 GMT
1f7a
(function(){function l(){this.c="30039538";this.O="q";this.K="";this.H="";this.J="";this.o="1408248746";this.M="hqs10.cnzz.com";this.I="";this.q="CNZZDATA"+this.c;this.p="_CNZZDbridge_"+this.c;this.C="_cnzz_CV"+this.c;this.s="1";this.v={};this.a={};this.ia()}function g(a,c){try{var b=[];b.push("siteid=30039538");
b.push("name="+f(a.name));b.push("msg="+f(a.message));b.push("r="+f(h.referrer));b.push("page="+f(d.location.href));b.push("agent="+f(d.navigator.userAgent));b.push("ex="+f(c));b.push("rnd="+Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?"+b.join("&")}catch(e){}}var h=document,d=window,f=encodeURIComponent,k=decodeURIComponent,p=unescape,q=escape;l.prototype={ia:function(){try{this.R(),this.G(),this.fa(),this.D(),this.l(),this.da(),this.ca(),this.ga(),this.i(),
this.ba(),this.ea(),this.ha(),this.$(),this.Y(),this.aa(),this.na(),d[this.p]=d[this.p]||{},this.Z("_cnzz_CV")}catch(a){g(a,"i failed")}},la:function(){try{var a=this;d._czc={push:function(){return a.w.apply(a,arguments)}}}catch(c){g(c,"oP failed")}},Y:function(){try{var a=d._czc;if("[object Array]"==={}.toString.call(a))for(var c=0;c<a.length;c++){var b=a[c];switch(b[0]){case "_setAccount":d._cz_account="[object String]"==={}.toString.call(b[1])?b[1]:String(b[1]);break;case "_setAutoPageview":"boolean"===
typeof b[1]&&(d._cz_autoPageview=b[1])}}}catch(e){g(e,"cS failed")}},na:function(){try{if("undefined"===typeof d._cz_account||d._cz_account===this.c){d._cz_account=this.c;if("[object Array]"==={}.

<<< skipped >>>

GET /v.gif?pid=307&type=3071&sc=980,3477,1024,740&desturl=&apitype=1&linkid=hyxk90eeqem&velo_load=1812&velo_cssload=953&velo_jsLoad=953&cite_uid=480925&cite_type=1&cite_mini=1 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: nsclick.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Pragma: no-cache
Cache-Control: max-age=0
Content-Type: image/gif
ETag: "4280832337"
Accept-Ranges: bytes
Last-Modified: Fri, 23 Oct 2009 08:06:04 GMT
Expires: Sun, 17 Aug 2014 04:12:28 GMT
Content-Length: 0
Date: Sun, 17 Aug 2014 04:12:28 GMT
Server: BWS/1.0
Connection: Keep-Alive


GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.comment.4399pk.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 16 Aug 2014 23:41:37 GMT
Server: nginx/1.0.4
Content-Type: application/xml
Last-Modified: Wed, 17 Mar 2010 03:06:58 GMT
ETag: "5288176-14b-481f66842f880"
Accept-Ranges: bytes
Content-Length: 331
Age: 1
X-Via: 1.1 zjjhdx32:8104 (Cdn Cache Server V2.0), 1.1 hx4:6 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM 'hXXp://VVV.macromedia.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all" />
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
....



GET /control/zwsf2-3.gif?20120719 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.comment.4399pk.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Fri, 14 Nov 2014 18:17:32 GMT
Date: Sat, 16 Aug 2014 18:17:32 GMT
Server: nginx/1.0.4
Content-Type: image/gif
Last-Modified: Wed, 07 Sep 2011 08:07:32 GMT
ETag: "5383f2e-2bc8-4ac556fa31900"
Accept-Ranges: bytes
Content-Length: 11208
Cache-Control: max-age=7776000
Age: 1
X-Via: 1.1 zjjhdx31:8080 (Cdn Cache Server V2.0), 1.1 hx3:7 (Cdn Cache Server V2.0)
Connection: keep-alive
GIF89a [GIF image data, 11208 bytes; binary body omitted]
<<< skipped >>>

GET /control/ctrl_mo_v5.swf?20140327 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.comment.4399pk.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:12:04 GMT
Server: nginx/1.0.4
Content-Type: application/x-shockwave-flash
Last-Modified: Tue, 15 Jul 2014 03:20:47 GMT
ETag: "538c83d-62c6f-4fe32e4c861c0"
Accept-Ranges: bytes
Content-Length: 404591
Age: 1
X-Via: 1.1 zjjhdx41:8080 (Cdn Cache Server V2.0), 1.1 hx5:5 (Cdn Cache Server V2.0)
Connection: keep-alive
CWS [zlib-compressed SWF, 404591 bytes; binary body omitted]

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: save.api.4399.com
Connection: Keep-Alive
Cookie: _4399stats_vid=140823078785628


HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:13:05 GMT
Server: Apache/2.4.7 (Unix)
Last-Modified: Wed, 23 Jul 2014 01:28:29 GMT
ETag: "25b-4fed241e5a940"
Accept-Ranges: bytes
Content-Length: 603
Connection: close
Content-Type: application/xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM 'hXXp://VVV.macromedia.com/xml/dtds/cross-domain-policy.dtd'>
<cross-domain-policy>
  <allow-access-from domain="*.4399pk.com"/>
  <allow-access-from domain="*.4399.com"/>
  <allow-access-from domain="*.my4399.com"/>
  <allow-access-from domain="*.4399.net"/>
  <allow-access-from domain="4399pk.com"/>
  <allow-access-from domain="*.4399api.com"/>
  <allow-access-from domain="imga.4399.com"/>
  <allow-access-from domain="imga1.4399.com"/>
  <allow-access-from domain="manage.5054399.com"/>
</cross-domain-policy>


GET /9.gif?abc=1&rnd=1551506341 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: Tengine
Date: Sun, 17 Aug 2014 04:12:27 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=qxl3DGTX4jwCAbhrJiYA1Bqu; expires=Wed, 14-Aug-24 04:12:27 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=98630e66; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=bed8d8f476f71146473f3227_1408248747; expires=Wed, 14-Aug-24 04:12:27 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=qxl3DGTX4jwCAbhrJiYA1Bqu
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stat.api.4399.com
Connection: Keep-Alive
Cookie: _4399stats_vid=140823078785628

GET /xml.php?ran=30733.64836163819&gameid=100016523&url=http://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stat.api.4399.com
Connection: Keep-Alive
Cookie: _4399stats_vid=140823078785628


HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:12:30 GMT
Server: Apache/2.2.17 (Unix)
Content-Length: 664
Connection: close
Content-Type: text/xml; charset=utf-8
<?xml version="1.0" encoding="UTF-8" ?>
<config>
  <entry id="62872" category="brand" time2skip="12">
    <item src="hXXp://cb.baidu.com/ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1" click_base="hXXp://stat.api.flashgame163.com/brand.php?url=" />
  </entry>
  <entry id="999" category="baidu" time2skip="12" channel="129" pubid="www4399com_tp_cpr" />
  <entry id="999" category="google" time2skip="12" channel="0000000136,game136" pubid="ca-games-pub-9606551472994074" />
  <entry id="999" category="combrand" time2skip="12" width="640" height="640">
    <item src="hXXp://cdn.comment.4399pk.com/control/4399.swf" link="" bgcolor="0xb5e9f9" />
  </entry>
</config>


GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cb.baidu.com
Connection: Keep-Alive

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cb.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 04:12:42 GMT
Content-Type: text/xml
Content-Length: 3710
Last-Modified: Wed, 12 Mar 2014 07:45:00 GMT
Connection: Keep-Alive
ETag: "5320107c-e7e"
Accept-Ranges: bytes
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "hXXp://VVV.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.4399.com"/>
  <allow-http-request-headers-from domain="*.4399.com" headers="SOAPAction"/>
  <allow-access-from domain="*.4399.net"/>
  <allow-http-request-headers-from domain="*.4399.net" headers="SOAPAction"/>
  <allow-access-from domain="*.4399api.com"/>
  <allow-http-request-headers-from domain="*.4399api.com" headers="SOAPAction"/>
  <allow-access-from domain="*.4399pk.com"/>
  <allow-http-request-headers-from domain="*.4399pk.com" headers="SOAPAction"/>
  <allow-access-from domain="*.4399pk.net"/>
  <allow-http-request-headers-from domain="*.4399pk.net" headers="SOAPAction"/>
  <allow-access-from domain="*.5054399.com"/>
  <allow-http-request-headers-from domain="*.5054399.com" headers="SOAPAction"/>
  <allow-access-from domain="*.61.com"/>
  <allow-http-request-headers-from domain="*.61.com" headers="SOAPAction"/>
  <allow-access-from domain="*.app111.com"/>
  <allow-http-request-headers-from domain="*.app111.com" headers="SOAPAction"/>
  <allow-access-from domain="*.baidu.com"/>
  <allow-http-request-headers-from domain="*.baidu.com" headers="SOAPAction"/>
  <allow-access-from doma

<<< skipped >>>
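
Three cross-domain policies appear in this capture, and they differ in a way worth noticing. cdn.comment.4399pk.com serves allow-access-from domain="*" together with allow-http-request-headers-from domain="*" headers="*" and permitted-cross-domain-policies="all"; save.api.4399.com lists named domains only; cb.baidu.com lists named domains and locks the meta-policy to master-only. A wildcard policy lets a SWF loaded from any origin read that host's responses with the victim's cookies attached, the Flash counterpart of a credentialed Access-Control-Allow-Origin: * in CORS. The Python below is an added example, not code from the Lavasoft report: it audits crossdomain.xml files for these grants. The three sample policies are constructed from the captured ones (trimmed, and with the DOCTYPE dropped so the parser never references the external DTD).

```python
"""Audit Flash crossdomain.xml files for over-permissive grants.
Added example; the policies below are constructed from the capture."""
import xml.etree.ElementTree as ET

# cdn.comment.4399pk.com: wildcard everything
WILDCARD_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all" />
  <allow-access-from domain="*" />
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# save.api.4399.com: named domains only (trimmed)
SCOPED_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.4399pk.com"/>
  <allow-access-from domain="*.4399.com"/>
  <allow-access-from domain="imga.4399.com"/>
</cross-domain-policy>"""

# cb.baidu.com: master-only meta-policy, named domains (trimmed)
MASTER_ONLY_POLICY = b"""<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*.4399.com"/>
  <allow-http-request-headers-from domain="*.4399.com" headers="SOAPAction"/>
</cross-domain-policy>"""


def audit_policy(xml_bytes: bytes) -> list:
    """Return finding strings; an empty list means no wildcard grants."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    findings = []

    # Meta-policy "all" lets a SWF load a policy file from any path on the
    # host, so any user-uploadable file on that host can widen access further.
    site_control = root.find("site-control")
    if (site_control is not None
            and site_control.get("permitted-cross-domain-policies") == "all"):
        findings.append('site-control permitted-cross-domain-policies="all"')

    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*" (any origin may read '
                            "responses with the user's cookies)")
        # secure="false" lets an http:// SWF read this host over https://
        if el.get("secure", "true").lower() == "false":
            findings.append('allow-access-from domain="%s" secure="false"' % domain)

    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*" and el.get("headers", "").strip() == "*":
            findings.append('allow-http-request-headers-from domain="*" headers="*" '
                            "(any origin may send arbitrary request headers)")
    return findings


def permissive_hosts(policies: dict) -> list:
    """policies: {host: xml_bytes}; hosts with at least one finding, sorted."""
    return sorted(host for host, xml in policies.items() if audit_policy(xml))
```

Run over the three captured policies, only cdn.comment.4399pk.com comes back with findings. For a pentest or a supply-chain review of a site that still embeds Flash content, the same function can be pointed at /crossdomain.xml on every host the page talks to; the host list from the parser example earlier in this section is the natural input.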

GET /ecom?di=62872&tm=BAIDU_CLB_XML&asp_url=4399.com&return_type=1&ran=2925.8037405088544 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cb.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 04:12:42 GMT
Content-Type: text/xml
Content-Length: 3710
Last-Modified: Wed, 12 Mar 2014 07:45:00 GMT
Connection: Keep-Alive
ETag: "5320107c-e7e"
Accept-Ranges: bytes
(These headers repeat the cb.baidu.com/crossdomain.xml response above, with the same ETag "5320107c-e7e" and Content-Length 3710, and the body that follows is the continuation of that policy file; the XML body of the /ecom response itself does not appear in this dump.)
  headers-from domain="*.baomihua.com" headers="SOAPAction"/>
  <allow-access-from domain="*.bokecc.com"/>
  <allow-http-request-headers-from domain="*.bokecc.com" headers="SOAPAction"/>
  <allow-access-from domain="*.boosj.com"/>
  <allow-http-request-headers-from domain="*.boosj.com" headers="SOAPAction"/>
  <allow-access-from domain="*.cztv.com"/>
  <allow-http-request-headers-from domain="*.cztv.com" headers="SOAPAction"/>
  <allow-access-from domain="*.forex.com.cn"/>
  <allow-http-request-headers-from domain="*.forex.com.cn" headers="SOAPAction"/>
  <allow-access-from domain="*.funshion.com"/>
  <allow-http-request-headers-from domain="*.funshion.com" headers="SOAPAction"/>
  <allow-access-from domain="*.ggxt.net"/>
  <allow-http-request-headers-from domain="*.ggxt.net" headers="SOAPAction"/>
  <allow-access-from domain="*.kumi.cn"/>
  <allow-http-request-headers-from domain="*.kumi.cn" headers="SOAPAction"/>
  <allow-access-from domain="*.letv.com"/>
  <allow-http-request-headers-from domain="*.letv.com" headers="SOAPAction"/>
  <allow-access-from domain="*.my4399.com"/>
  <allow-http-request-headers-from domain="*.my4399.com" headers="SOAPAction"/>
  <allow-access-from domain="*.mytv365.com"/>
  <allow-http-request-headers-from domain="*.mytv365.com" headers="SOAPAction"/>
  <allow-access-from domain="*.pipi.cn"/>

<<< skipped >>>

GET /cpro/ui/baiduLoader_as3.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf/[[DYNAMIC]]/2
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cpro.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1



[response headers not captured for this request; body is a zlib-compressed SWF (CWS), binary data omitted]

<<< skipped >>>

GET /stat.htm?id=30039538&r=&lg=en-us&ntime=none&cnzz_eid=860316973-1408248746-&showp=1024x768&t=undefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefinedundefined...&h=1&rnd=1129475355 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hqs10.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Sun, 17 Aug 2014 04:12:27 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..


GET /core.php?web_id=30039538&t=q HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 17 Aug 2014 04:12:27 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Sun, 17 Aug 2014 04:12:27 GMT
Expires: Sun, 17 Aug 2014 04:27:27 GMT
2ef
!function(){var p,q,r,a=encodeURIComponent,b="30039538",c="",d="",e="online_v3.php",f="hqs10.cnzz.com",g="",h="text",i="q",j="全景统计",k=window["_CNZZDbridge_"+b].bobject,l="http:",m="0",n=l+"//online.cnzz.com/online/"+e,o=[];o.push("id="+b),o.push("h="+f),o.push("on="+a(d)),o.push("s="+a(c)),n+="?"+o.join("&"),"0"===m&&k.callRequest([l+"//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id="+b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l+"//icon.cnzz.com/img/"+c+".gif",p="<a href='"+q+"' target=_blank title='"+j+"'><img border=0 hspace=0 vspace=0 src='"+r+"'></a>"):p="<a href='"+q+"' target=_blank title='"+j+"'>"+j+"</a>",k.createIcon([p])))}();
0


GET /cpro/ui/uijs.php?at=6&fv=11&ch=129&ie=1&q=www4399com_tp_cpr&n=1&k=鲜花&f=过滤词1 过滤词2 过滤词3&u=4399.com&s=2&t=baiduxml_tiepian_400_300&w=940&h=580 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://cpro.baidu.com/cpro/ui/baiduLoader_as3.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cpro.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=0813F6F6D873A6FB1368C76E3EF141F3:FG=1


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 04:12:48 GMT
Content-Type: text/html
Content-Length: 380
Connection: close
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Set-Cookie: sequery=鲜花:4399.com;path=/;domain=.cpro.baidu.com;HttpOnly
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun Aug 17 12:12:48 2014
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<?xml version="1.0" encoding="GBK"?>
<cpro>
  <adnum>1</adnum>
  <noad>7</noad>
  <ads>
    <ad>
      <desc><![CDATA[hXXp://drmcmm.baidu.com/media/id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns.jpg]]></desc>
      <surl><![CDATA[love.baidu.com]]></surl>
      <curl><![CDATA[hXXp://love.baidu.com/]]></curl>
      <width>400</width>
      <height>300</height>
    </ad>
  </ads>
  <type>gongyi</type>
</cpro>


GET /js/click.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.4399.com/flash/80727.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 4399stat.5054399.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 04:12:26 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 15 Jan 2014 06:56:45 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Expires: Sun, 17 Aug 2014 04:12:27 GMT
Cache-Control: max-age=1
Content-Encoding: gzip
41b
[gzip-compressed JavaScript body (Content-Encoding: gzip, chunked transfer; 41b is the first chunk size); binary data omitted]


GET /flash_ctrl_version.xml?ran=65853.53179834783 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stat.api.4399.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sun, 17 Aug 2014 04:12:24 GMT
Content-Type: text/xml
Content-Length: 530
Last-Modified: Thu, 27 Mar 2014 03:14:01 GMT
Connection: close
ETag: "53339779-212"
Accept-Ranges: bytes
<?xml version="1.0" encoding="utf-8"?>
<resInfos>
  <info resName="zwsf">hXXp://cdn.comment.4399pk.com/control/zwsf2-3.gif?20120719</info>
  <info resName="ctrl">hXXp://cdn.comment.4399pk.com/control/ctrl_mo_v4.swf?20140327</info>
  <info resName="ads">hXXp://cdn.comment.4399pk.com/control/A4399dv_base.swf?20130625</info>
  <info resName="ctrl_v5">hXXp://cdn.comment.4399pk.com/control/ctrl_mo_v5.swf?20140327</info>
  <info resName="tools_as3">hXXp://cdn.comment.4399pk.com/control/open4399tools_AS3.swf?20130617</info>
</resInfos>


GET /control/A4399dv_base.swf?20130625 HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.comment.4399pk.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 17 Aug 2014 04:10:04 GMT
Server: nginx/1.0.4
Content-Type: application/x-shockwave-flash
Last-Modified: Tue, 25 Jun 2013 08:05:23 GMT
ETag: "538199e-841e-4dff5fdb016c0"
Accept-Ranges: bytes
Content-Length: 33822
Age: 1
X-Via: 1.1 zjjhdx35:80 (Cdn Cache Server V2.0), 1.1 hx5:7 (Cdn Cache Server V2.0)
Connection: keep-alive

<binary body not reproduced: 33822 bytes beginning with "CWS", the signature of a zlib-compressed SWF, followed at offset 8 by the 0x78 zlib stream header>
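The response above carries a compressed SWF, so the strings section of a report like this one never sees its ActionScript: the body has to be inflated before anything inside it can be searched or carved. The following Python is an added example, not code from the Lavasoft report or from 4399. It identifies the container from the three-byte signature, recovers the uncompressed body (zlib for CWS, raw LZMA1 for ZWS, whose header layout is taken from the SWF file format specification and is assumed here, not verified against a captured ZWS file), checks the declared length, and walks the tag list so that code-bearing tags such as DoABC and DoAction can be located. The sample SWF is constructed inside the block; it is not derived from the analysed file.

```python
"""Inspect a SWF container: identify the compression from the signature,
recover the uncompressed body and walk the tag list."""
import lzma
import struct
import zlib

COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
# Tag codes an analyst usually wants to see first; anything else is "tagNN".
TAG_NAMES = {0: "End", 1: "ShowFrame", 9: "SetBackgroundColor", 12: "DoAction",
             69: "FileAttributes", 82: "DoABC", 87: "DefineBinaryData"}


def decompress_body(data: bytes) -> bytes:
    """Return everything after the 8-byte fixed header, decompressed."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    # ZWS (assumed layout per the SWF spec): UI32 compressed length,
    # 5-byte LZMA properties (props byte + UI32 dictionary size), raw LZMA1 data.
    comp_len = struct.unpack_from("<I", data, 8)[0]
    props, dict_size = data[12], struct.unpack_from("<I", data, 13)[0]
    filt = {"id": lzma.FILTER_LZMA1, "dict_size": dict_size,
            "lc": props % 9, "lp": (props // 9) % 5, "pb": props // 45}
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_RAW, filters=[filt])
    return dec.decompress(data[17:17 + comp_len])


def walk_tags(body: bytes, pos: int) -> list:
    """RECORDHEADER: UI16 = code << 6 | length; length 0x3F means a UI32 follows."""
    tags = []
    while pos + 2 <= len(body):
        code_len = struct.unpack_from("<H", body, pos)[0]
        code, length = code_len >> 6, code_len & 0x3F
        pos += 2
        if length == 0x3F:
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        tags.append((code, TAG_NAMES.get(code, f"tag{code}"), length))
        pos += length
        if code == 0:          # End tag closes the list
            break
    return tags


def parse_swf(data: bytes) -> dict:
    """Header fields plus the tag list; raises ValueError on non-SWF input."""
    if len(data) < 8 or data[:3] not in COMPRESSION:
        raise ValueError(f"not a SWF: {data[:3]!r}")
    declared = struct.unpack_from("<I", data, 4)[0]   # uncompressed size incl. header
    body = decompress_body(data)
    if 8 + len(body) != declared:
        raise ValueError(f"length mismatch: header says {declared}, got {8 + len(body)}")
    nbits = body[0] >> 3                      # RECT: 5-bit count of bits per field
    rect_len = (5 + 4 * nbits + 7) // 8       # whole bytes occupied by the RECT
    frame_rate, frame_count = struct.unpack_from("<HH", body, rect_len)
    return {
        "compression": COMPRESSION[data[:3]],
        "version": data[3],
        "length": declared,
        "frame_rate": frame_rate / 256,       # UI16 in 8.8 fixed point
        "frame_count": frame_count,
        "tags": walk_tags(body, rect_len + 4),
    }


def build_sample_fws() -> bytes:
    """Constructed sample (not from the analysed file): ShowFrame, a long-form
    DefineBinaryData carrying 70 bytes, a 5-byte DoABC, then End."""
    header = b"\x00" + struct.pack("<HH", 24 << 8, 1)     # RECT(nbits=0), 24.0 fps, 1 frame
    tags = struct.pack("<H", 1 << 6)                       # ShowFrame, length 0
    tags += struct.pack("<HI", (87 << 6) | 0x3F, 70) + b"B" * 70
    tags += struct.pack("<H", (82 << 6) | 5) + b"abc\x00\x00"
    tags += struct.pack("<H", 0)                           # End
    body = header + tags
    return b"FWS" + bytes([11]) + struct.pack("<I", 8 + len(body)) + body


def to_cws(fws: bytes) -> bytes:
    return b"CWS" + fws[3:8] + zlib.compress(fws[8:])


def to_zws(fws: bytes) -> bytes:
    """lc=3, lp=0, pb=2 gives properties byte (pb*5+lp)*9+lc = 93; 64 KiB dictionary."""
    filt = {"id": lzma.FILTER_LZMA1, "dict_size": 1 << 16, "lc": 3, "lp": 0, "pb": 2}
    comp = lzma.compress(fws[8:], format=lzma.FORMAT_RAW, filters=[filt])
    return (b"ZWS" + fws[3:8] + struct.pack("<I", len(comp))
            + bytes([93]) + struct.pack("<I", 1 << 16) + comp)


if __name__ == "__main__":
    sample = build_sample_fws()
    for blob in (sample, to_cws(sample), to_zws(sample)):
        print(parse_swf(blob))
```

The length check matters in practice: a body whose inflated size disagrees with the header is either truncated in the cache or deliberately malformed, and either way the tag walk should not be trusted past the mismatch.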

<<< skipped >>>
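The two transactions above are issued by Flash Player (the x-flash-version header) on behalf of the game SWF named in the Referer, and the manifest they fetch names the next-stage SWFs; the "ads" entry is exactly what the second request retrieves. The following Python is an added example, not part of the Lavasoft report: it parses captured request blocks, undoes the report's hXXp and VVV defanging, strips the per-request ran= random and the ?2014xxxx cache-busters so the indicators are stable, and reports which manifest entries the sample went on to fetch. The request blocks (abridged) and the manifest are copied from the capture above; the function names are mine.

```python
"""Derive network indicators from captured HTTP transactions."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Copied from the capture above (headers abridged), defanging kept as printed.
REQUEST_1 = """GET /flash_ctrl_version.xml?ran=65853.53179834783 HTTP/1.1
Accept: */*
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stat.api.4399.com
Connection: Keep-Alive
"""

REQUEST_2 = """GET /control/A4399dv_base.swf?20130625 HTTP/1.1
Referer: hXXp://s15.4399.com/4399swf/upload_swf/ftp7/hanbao/20120222/7/hdv832.swf
x-flash-version: 11,6,602,168
Host: cdn.comment.4399pk.com
Connection: Keep-Alive
"""

MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<resInfos>
<info resName="zwsf">hXXp://cdn.comment.4399pk.com/control/zwsf2-3.gif?20120719</info>
<info resName="ctrl">hXXp://cdn.comment.4399pk.com/control/ctrl_mo_v4.swf?20140327</info>
<info resName="ads">hXXp://cdn.comment.4399pk.com/control/A4399dv_base.swf?20130625</info>
<info resName="ctrl_v5">hXXp://cdn.comment.4399pk.com/control/ctrl_mo_v5.swf?20140327</info>
<info resName="tools_as3">hXXp://cdn.comment.4399pk.com/control/open4399tools_AS3.swf?20130617</info>
</resInfos>
"""


def refang(url: str) -> str:
    """Undo the report's defanging: hXXp -> http, VVV. -> www."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("://VVV.", "://www.")


def canonical(url: str) -> str:
    """Drop the query string: ran=... is a per-request random and the
    ?2014xxxx suffixes are cache-busters; neither is a stable indicator."""
    parts = urlsplit(refang(url))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def parse_request(raw: str) -> dict:
    """Request line plus headers (names lower-cased) from one captured block."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers,
            "url": f"http://{headers['host']}{target}"}


def manifest_entries(xml_text: str) -> dict:
    """resName -> URL as printed in the manifest."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {info.get("resName"): info.text.strip() for info in root.iter("info")}


def indicators(requests: list, manifests: list) -> dict:
    urls = set()
    for req in requests:
        urls.add(canonical(req["url"]))
        if "referer" in req["headers"]:
            urls.add(canonical(req["headers"]["referer"]))
    for entries in manifests:
        urls.update(canonical(u) for u in entries.values())
    hosts = {urlsplit(u).hostname for u in urls}
    return {"hosts": sorted(hosts), "urls": sorted(urls)}


def fetched_from_manifest(requests: list, entries: dict) -> list:
    """Which manifest resources did the sample actually go on to request?"""
    requested = {canonical(r["url"]) for r in requests}
    return [name for name, url in entries.items() if canonical(url) in requested]


if __name__ == "__main__":
    reqs = [parse_request(REQUEST_1), parse_request(REQUEST_2)]
    ents = manifest_entries(MANIFEST)
    print(indicators(reqs, [ents]))
    print("manifest entries fetched:", fetched_from_manifest(reqs, ents))
```

The host list this produces is the check a reader would want for the empty "connects to the servers" entry that follows: every host comes from a request or manifest line visible in the capture, and the manifest URLs the sample did not fetch are still worth blocking, since the same control SWF can select them on a later run.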

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_2012:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
kernel32.dll
SkinH_EL.dll
hXXp://VVV.4399.com/flash/80727.htm
DSound.dll
Winmm.dll
fJ.WM_
CX%xm
Õ6m*
n.BjCw
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
.WE= T!N
#?%s(C(
u.Jck~
zx/%FN[
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY 
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}<
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
\SkinH_EL.dll
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
RegisterHotKey
UnregisterHotKey
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
DeleteUrlCacheEntry
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%d%d%d
rundll32.exe shell32.dll,
(*.htm;*.html)|*.htm;*.html
its:%s::%s
index.dat
desktop.ini
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)

%original file name%.exe_2012_rwx_10001000_00039000:

L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[1].css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tjrm_img011[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hdv832[1].htm (684 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\news_footer[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\style[2].css (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mlb[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\22110Gb5I[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[2].css (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[1].css (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4399_14504425052[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\xml[1].xml (664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bdsstyle[1].css (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ucenter[1].js (19465 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\16100Q15406[1].jpg (4088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mlc[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\mlt[1].jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico[1].png (5 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (540 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m6[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399_14533870073[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (8868 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ysxy_20140507[2].css (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tjrm_img06[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m12[1].jpg (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery-1.2.1.pack[1].js (1740 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a1-2[1].jpg (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\311622246152[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\crossdomain[1].xml (842 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a7[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[2].js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\backg[1].png (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\31160T42W2[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\zwsf2-3[1].gif (987 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@4399[1].txt (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[1].js (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s15.4399.com\seed4399Value.sxx (80 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (751 bytes)
    %Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s15.4399.com\settings.sxx (199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img08[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\unilogin_package[1].js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31155012a51[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m9[1].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4399_17564382760[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[1].htm (2467 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\unilogin_package[1].js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\save.api.4399[1].htm (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bds_s_v2[1].js (1807 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CACLIJK5.php (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\131P03EP7[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m2[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\click[1].js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\flash_ctrl_version[1].xml (530 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ico[1].css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hdv832[1].swf (4269751 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ctrl_mo_v5[1].swf (70245 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m8[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shell_v2[1].js (1 bytes)
    C:\SkinH_EL.dll (88 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4399[1].js (902 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\a5[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m10[1].jpg (1171 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\logo[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\3115344X010[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon_keys[1].gif (537 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (445 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a6[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\uijs[1].htm (380 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m11[1].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m1[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4399_17053265645[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hottop[1].gif (857 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\m4[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img09[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m13[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\btn[1].png (392 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (203 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b3[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\0Q443302F2[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAIF0DA3.htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\m5[1].jpg (1191 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\id=rHmkPWbznH6&gp=403&time=nHndn1nkPWcvns[1].jpg (2181 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\80727[2].htm (2400 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\nav2[1].png (3875 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logger[1].js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\lazy_iframe[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baiduLoader_as3[1].swf (418 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31153132L32[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tjrm_img07[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311629555O1[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\04150AJ2O[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[2].js (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[2].xml (603 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\141US92O1[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\c[1].php (1163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\4399_16460972266[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (570 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ecom[1].xml (233 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a1[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\chkDomain[1].js (554 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\311612435933[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\A4399dv_base[1].swf (5532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\more[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\top_bar[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b2[1].jpg (4850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\141U0313620[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\crossdomain[1].xml (331 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\31154AH4T[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m14[1].jpg (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\m3[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\play_hs1202[1].js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b1[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\base[1].css (13565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2014ysxy[2].js (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\bdshare[1].js (182 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\linkImg[1].jpg (26432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.2.1.pack[1].js (392 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
