Gen.Variant.Graftor.Elzob.84_5b0348707a

by malwarelabrobot on May 23rd, 2014 in Malware Descriptions.

Trojan-Dropper.Win32.Injector.jksa (Kaspersky), Gen:Variant.Graftor.Elzob.84 (B) (Emsisoft), Gen:Variant.Graftor.Elzob.84 (AdAware), GenericEmailWorm.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5b0348707a150821aaf29801d98ac60f
SHA1: 040a6a4247ee17fa7b8281caec76262e51138947
SHA256: 748f27ab38313af3423fca9997e41f45ff6a05aa20fbc7dab500727ffe573d96
SSDeep: 49152:Ec//////ZTIeezIl KqykWJQ2aM2zLoOVxkUAP30dIUmwiGECOIr2G2XP49ajkbP:Ec////// 1K6WJozLXn 30d7f25P4IjA
Size: 2692608 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: APPS installer
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

ksbinstaller_66_82685.exe:984
%original file name%.exe:1264
KNBCenter.exe:1240
regsvr32.exe:1536
liebao.exe:1780
liebao.exe:516
down_s_66_82685.exe:1988
ping.exe:972
wuauclt.exe:924
tencentdl.exe:1932
netsh.exe:320
Tencentdl.exe:848
0liebao.exe:1948
knbcenter.exe:2036
knbcenter.exe:916
reg.exe:1976
reg.exe:708
skinupdater.exe:348

The Trojan injects its code into the following process(es):

手机轰炸机.exe:652

File activity

The process ksbinstaller_66_82685.exe:984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\send_ba0.gz (586 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearchb.dat (6341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztma002d.psg (74 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.ini (172 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbpolicy.dll (15628 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\alipay.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\baifubao.png (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\atxhlp.dat (21 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\xinput1_3.dll (880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kdumprep.exe (7541 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\毒霸网址大全.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3002.ksg (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseutil.dll (2976 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj021204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0005.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\unknown.ksg (422 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\libvideo.dat (15 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_unsafe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\bc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\vinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\spdb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepbb002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaevname.dat (108 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksedset.ini (425 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepc0002.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7001.vsg (265 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\修复浏览器.lnk (748 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome.dll (503987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0002.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\cdeploy.dat (11 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Localauto.db (40 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\manifest.json (2 bytes)
%System%\drivers\ksapi.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\KNBDrv64.sys (1543 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\99bill.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Install.bat (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\npaliedit.dll (2836 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gare.db (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj011204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb7001.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3001.ksg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Extract.dll (3773 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\incognito.dat (1650 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepba000.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7999.vsg (266 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kmsgsvc.dll (8953 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac002.ksg (3702 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\skin_thumbnail.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\karchive.dat (101 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6001.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\boc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaext2.dat (85 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\skinupdater.exe (21987 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\autofilljs2.dat (89 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\FixBrowser.exe (18429 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adfilter.dat (131 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0002.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kui.pak (30655 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvba012.vsg (273 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\en-US.pak (195 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBrowserUpgrade2.dll (2787 bytes)
%Documents and Settings%\%current user%\Desktop\猎豹安全浏览器.lnk (634 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.fsg (120 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksecfg.ini (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\psbc.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zema0007.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\befc2009.psg (82 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmb0014.psg (68 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdet2.dll (10359 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\p1tl.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\mousegesturelib.xml (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\卸载猎豹安全浏览器.lnk (726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\newtab_img2.zip (7972 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\nologin.dat (897 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw2.dat (772 bytes)
%Program Files%\liebao\2014522163323984_1\browserpacket.xml (178 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_touch_100_percent.pak (6399 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbctrl.dll (3109 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ManualUpgrade.exe (9449 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\resources.pak (45687 bytes)
%Documents and Settings%\%current user%\Desktop\毒霸网址大全.lnk (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\config\kseeat.cfg (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_318.gz (238 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\trackers.dat (1760 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.sys (712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\ceb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences_resintall (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay_site.dat (19 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\tn.dat (1704 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.dat (327 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\AllSigns.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000f.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_en-US.pak (25 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksesscan.dll (7879 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\sqlite3.exe (5007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\ljdfelebfnfpjclmmkljlnagcdkpfpdl\1.0\Cached Theme.pak (6363 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\zlib1.dll (1112 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\KPreferences (503 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb8009.ksg (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uninst.exe (10202 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseexf.dat (107 bytes)
%Program Files%\liebao\liebao.exe (11518 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksepnf.dat (107 bytes)
%System%\drivers\knbdrv.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\dlcore.dll (20026 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw.dat (669 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb8003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\checkvideo.dat (61 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb8008.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_46.dll (28052 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\localurl.db (3668 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kadfilter.dll (5863 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\LegoIcon\lego.dat (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\MouseGesture.dll (8245 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\feature2.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libGLESv2.dll (5682 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install_info.json (255 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay.dat (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install2_log.log (72726 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj101204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac001.ksg (1844 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\third_party\baidu_hd_query.dll (3341 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmc0000.psg (66 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.psg (132 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\czb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\pepflashplayer.dll (110917 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb7001.ksg (1 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\kBUpdateHelper.dll (13747 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ffmpegsumo.dll (11323 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\kvipinter.dll (3811 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\猎豹安全浏览器.lnk (632 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.dll (691 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb9008.vsg (264 bytes)
%System%\drivers\KNBDrv64.sys (601 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\hxb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseescan.dll (4564 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000b.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Logos.db (3769 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0011.vsg (263 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\ktoolupd.dll (2779 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\icbc.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj141203.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.exe (14580 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6002.ksg (4 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipbb004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfb7001.fsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb0001.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\Allvinfo.ini (833 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseset.dat (229 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\srvpref.dat (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj051204.fsg (262 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\zh-CN.pak (193 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\resource.dat (735 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Bookmarks (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_43.dll (15709 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.ksg (888 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0019.vsg (264 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\ksais.dat (8 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\anti_injection2.dat (710 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\scom.dll (1596 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\libEGL.dll (1722 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kfcdetect.dll (7469 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\SecondaryTile.png (5 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\np-mswmp.dll (1724 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0005.fsg (288 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\uplive.dll (15007 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\sqlite.dll (1872 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvbb00d.vsg (270 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\signs.ini (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\tenpay.png (2 bytes)
%Program Files%\liebao\test_access (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_100_percent.pak (6387 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\cmb.png (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearcha.dat (1358 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gdeploy.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb9002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\gdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaextend.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\upgrade.dll (9080 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecoref.dat (106 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipba004.ksg (7 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorea.dat (173 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kaxhlp.dll (4594 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adb_easylist.dat (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbdrv.sys (1326 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\webresource.dat (7712 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.dll (210497 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\TNProxy.dll (5849 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.ico (30 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\switchcore.db (7386 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\Cached Theme.pak (1610 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\knbcenter.exe (4415 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\unionpay.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxy.dll (4458 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0002.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kwnp.dat (23 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\master_preferences (557 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Tencentdl.exe (8880 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\sdb.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipc0003.ksg (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cyui.exe (3249 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_safe.png (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdt.ini (2 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7002.vsg (294 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\DesktopTips.exe (7305 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_zh-CN.pak (24 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorem.dat (97 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Data\wd.dat (6 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfc2009.psg (92 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb7004.ksg (3 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxyPS.dll (1806 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\猎豹安全浏览器.lnk (652 bytes)
%Program Files%\liebao\2014522163323984_1\LBBrowser\cysvc.dll (6685 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\send_ba0.gz (0 bytes)
%Program Files%\liebao\2014522163323984_1 (0 bytes)
%Program Files%\liebao\test_access (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_318.gz (0 bytes)
%Program Files%\liebao\4.5.34.6725 (0 bytes)

The process %original file name%.exe:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0liebao.exe (3750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\手机轰炸机.exe (12288 bytes)

The process KNBCenter.exe:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\liebao\4.5.34.6725\Data\expand_safepay.dat (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db-journal (532 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\manager.log (455 bytes)
%Program Files%\liebao\4.5.34.6725\log\kmctrl.log (1537 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\cleanup.log (1064 bytes)
%System%\drivers\knbdrv.sys (601 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db-journal (0 bytes)

The process liebao.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State (32 bytes)

The process liebao.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOG (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\2.tmp (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000001 (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000002 (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000001.dbtmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000002.dbtmp (20 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\CURRENT~RFab99b.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\CURRENT (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000002 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State~RFab97b.TMP (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000003.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOCK (0 bytes)

The process down_s_66_82685.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.tmp (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\send_5ac.gz (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe (365108 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd (9216408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd.cfg (3656 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\send_5ac.gz (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd.cfg (0 bytes)

The process wuauclt.exe:924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The process Tencentdl.exe:848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Tencent\QQDownload\122\dlcore.dll (14022 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe (6841 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\extract.dll (2105 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\DownloadProxyPS.dll (601 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\InstallInfo.xml (25 bytes)
%Program Files%\Common Files\Tencent\QQDownload\122\tnproxy.dll (2105 bytes)

The process 0liebao.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\setup.bat (350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\down_s_66_82685.exe (5547 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\setup.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\down_s_66_82685.exe (0 bytes)

Registry activity

The process ksbinstaller_66_82685.exe:984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\liebao]
"Report" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"DisplayVersion" = "4.5.34.6725"

[HKCU\Software\Kingsoft\KBROWSER]
"Report" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\liebao]
"Install Path Dir" = "%Program Files%\liebao"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"UninstallString" = "%Program Files%\liebao\4.5.34.6725\uninst.exe"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\liebao]
"ver" = "4.5.34.6725"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\liebao\Coop]
"PreOEM" = "h_home"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\liebao]
"SPID" = "82685"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Kingsoft\KBROWSER]
"InstallTime" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"DisplayIcon" = "%Program Files%\liebao\4.5.34.6725\uninst.exe"

[HKLM\SOFTWARE\liebao\Coop]
"oem" = "h_home"

[HKLM\SOFTWARE\liebao]
"PID" = "66"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\System\CurrentControlSet\Services\knbcenter]
"ImagePath" = "%Program Files%\liebao\4.5.34.6725\knbcenter.exe"

[HKLM\SOFTWARE\liebao]
"hid" = "a8a67a25"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\liebao]
"InstallTime" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 1B BE EF 3F 2B 30 3A 4A 78 B8 A0 78 B6 03 8F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"Publisher" = "猎豹工作室"
"DisplayName" = "猎豹安全浏览器"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\liebao]
"old_def_browser" = "%Program Files%\Internet Explorer\iexplore.exe -nohome"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\liebao\Coop]
"OEMName" = "h_home"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao]
"URLInfoAbout" = "http://www.ijinshan.com"

The process %original file name%.exe:1264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 12 33 7A 7B 09 F9 70 73 8A 1F 01 0C 7D 7E 12"

The process KNBCenter.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA AD 6F 16 BF 2C A4 6E E6 5C D7 8C 78 F0 97 2A"

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"ErrorControl" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\LocalService\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"DisplayName" = "KNBDrv"

[HKCU\Software\Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}]
"svrid" = "l99zivdyl8kcx8rr2ed8snx5acet"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\liebao]
"AppDataPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKU\.DEFAULT\Software\Kingsoft\KBROWSER]
"vtime" = "1400765614"

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"Type" = "1"

[HKLM\SOFTWARE\liebao]
"ProgramPath" = "%Program Files%\liebao\4.5.34.6725\"

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"ImagePath" = "\??\%System%\drivers\KNBDrv.sys"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\KNBDrv]
"Start" = "3"

The process regsvr32.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F D6 D7 EF 3E E1 02 A0 BA 23 2F D6 7E A6 42 D4"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "c:\program files\common files\tencent\qqdownload\122\DownloadProxyPS.dll"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

The process liebao.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 20 3E E7 F7 95 81 37 6F 11 C2 C7 B4 E0 9F 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process liebao.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Liebao.URL\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCR\ftp\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\%Program Files%\liebao]
"liebao.exe" = "猎豹安全浏览器"

[HKCR\ftp\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKLM\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "Liebao.URL"

[HKCU\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationIcon" = "%Program Files%\liebao\liebao.exe,1"

[HKCR\https\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\.htm]
"(Default)" = "Liebao.HTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"http" = "Liebao.URL"

[HKCU\Software\Classes\htmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCU\Software\Classes\Liebao.URL]
"(Default)" = "Liebao HTML Document"

[HKCU\Software\Classes\InternetShortcut\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCR\Liebao.HTML\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".html" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec]
"(Default)" = ""

[HKCR\Liebao.URL\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCR\InternetShortcut\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xhtml" = "Liebao.HTML"
".shtml" = "Liebao.HTML"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCR\Liebao.HTML\shell\open\ddeexec]
"(Default)" = ""

[HKCR\file\shell]
"(Default)" = "open"

[HKCR\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\TreatAs]
"(Default)" = "{0002DF01-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\ftp]
"URL Protocol" = ""

[HKCU\Software\Classes\Liebao.HTML]
"(Default)" = "Liebao HTML Document"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"ftp" = "Liebao.URL"
"https" = "Liebao.URL"

[HKCU\Software\Classes\http\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCR\.html]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\.xht]
"(Default)" = "Liebao.HTML"

[HKCR\https\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Classes\file\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCR\Liebao.HTML]
"(Default)" = "Liebao HTML Document"

[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Classes\.html]
"(Default)" = "Liebao.HTML"

[HKCR\HTTP\shell]
"(Default)" = "open"

[HKCU\Software\Classes\https]
"URL Protocol" = ""

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKCR\HTTP\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\.shtm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\Liebao.HTML]
"URL Protocol" = ""

[HKCR\Liebao.URL]
"URL Protocol" = ""

[HKCU\Software\Classes\http\shell\open\ddeexec\Application]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "Liebao.URL"

[HKCR\https\shell]
"(Default)" = "open"

[HKCR\.xhtml]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.URL\shell]
"(Default)" = "open"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationName" = "猎豹安全浏览器"

[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec\Application]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationName" = "猎豹安全浏览器"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xht" = "Liebao.HTML"

[HKCR\.htm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCR\ftp]
"URL Protocol" = ""

[HKLM\SOFTWARE\RegisteredApplications]
"liebao.exe" = "Software\Clients\StartMenuInternet\liebao.exe\Capabilities"

[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCR\ftp\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationIcon" = "%Program Files%\liebao\liebao.exe,1"

[HKCR\HTTP\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\.xhtml]
"(Default)" = "Liebao.HTML"

[HKCR\htmlfile\shell]
"(Default)" = "open"

[HKCR\https\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\http\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\.mht]
"(Default)" = "Liebao.HTML"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xht" = "Liebao.HTML"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 55 60 41 78 CC 8B 9B EE 7C ED A9 71 E0 2E EE"

[HKCU\Software\Classes\file\shell]
"(Default)" = "open"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"http" = "Liebao.URL"

[HKCU\Software\Classes\.mhtm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\https\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice]
"Progid" = "Liebao.URL"

[HKCR\Liebao.HTML\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCR\Liebao.HTML\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\htmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"https" = "Liebao.URL"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCR\.shtml]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\mhtmlfile\shell]
"(Default)" = "open"

[HKCR\AppID\{0002DF01-0000-0000-C000-000000000046}]
"(Default)" = "Internet Explorer(Ver 1.0)"

[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Classes\.mhtml]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.HTML\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\InternetShortcut\shell]
"(Default)" = "open"

[HKCU\Software\Classes\Liebao.HTML\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"

[HKCR\Liebao.URL\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\ftp\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCR\HTTP\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationDescription" = "猎豹安全浏览器是由金山网络历时半年多开发、推出的主打安全与极速特性的浏览器,界面炫酷,采用Trident和WebKit双渲染引擎,并整合金山自家的BIPS进行安全防护。猎豹安全浏览器对Chrome的Webkit内核进行了超过100项的技术优化,使访问网页的速度更快。其具有首创的智能切换引擎,动态选择内核匹配不同网页,并且完美支持HTML5新国际网页标准。极速浏览的同时也充分保证兼容性。"

[HKCR\https\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCR\Liebao.URL\shell]
"(Default)" = "open"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe]
"(Default)" = "猎豹安全浏览器"

[HKCU\Software\Classes\http]
"URL Protocol" = ""

[HKCR\https]
"URL Protocol" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".html" = "Liebao.HTML"

[HKCU\Software\Classes\.shtml]
"(Default)" = "Liebao.HTML"

[HKCR\HTTP]
"URL Protocol" = ""

[HKCR\.mhtm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.HTML\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCU\Software\Classes\Liebao.URL\shell\open\ddeexec]
"(Default)" = ""

[HKCR\Liebao.URL\shell\open\ddeexec\Topic]
"(Default)" = ""

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities]
"ApplicationDescription" = "猎豹安全浏览器是由金山网络历时半年多开发、推出的主打安全与极速特性的浏览器,界面炫酷,采用Trident和WebKit双渲染引擎,并整合金山自家的BIPS进行安全防护。猎豹安全浏览器对Chrome的Webkit内核进行了超过100项的技术优化,使访问网页的速度更快。其具有首创的智能切换引擎,动态选择内核匹配不同网页,并且完美支持HTML5新国际网页标准。极速浏览的同时也充分保证兼容性。"

[HKCR\.mhtml]
"(Default)" = "Liebao.HTML"

[HKCR\Liebao.HTML\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCU\Software\Classes\AppID\{0002DF01-0000-0000-C000-000000000046}]
"(Default)" = "Internet Explorer(Ver 1.0)"

[HKCR\file\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Classes\htmlfile\shell]
"(Default)" = "open"

[HKCU\Software\Classes\mhtmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCU\Software\Classes\Liebao.URL]
"URL Protocol" = ""

[HKCU\Software\TENCENT\Traveler]
"EXE" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Classes\.mht]
"(Default)" = "Liebao.HTML"

[HKCR\HTTP\shell\open\ddeexec\Application]
"(Default)" = ""

[HKLM\SOFTWARE\TENCENT\Traveler]
"EXE" = "%Program Files%\liebao\liebao.exe"

[HKCR\mhtmlfile\shell]
"(Default)" = "open"

[HKCR\Liebao.URL]
"(Default)" = "Liebao HTML Document"

[HKCU\Software\Classes\.shtm]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\Liebao.HTML\shell]
"(Default)" = "open"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".shtml" = "Liebao.HTML"

[HKCU\Software\Classes\CLSID\{D5E8041D-920F-45E9-B8FB-B1DEB82C6E5E}\TreatAs]
"(Default)" = "{0002DF01-0000-0000-C000-000000000046}"

[HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\%Program Files%\liebao]
"liebao.exe" = "猎豹安全浏览器"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\URLAssociations]
"ftp" = "Liebao.URL"

[HKLM\SOFTWARE\Clients\StartMenuInternet]
"(Default)" = "liebao.exe"

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".xhtml" = "Liebao.HTML"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe]
"(Default)" = "猎豹安全浏览器"

[HKCU\Software\RegisteredApplications]
"liebao.exe" = "Software\Clients\StartMenuInternet\liebao.exe\Capabilities"

[HKCR\Liebao.HTML\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Classes\Liebao.HTML]
"URL Protocol" = ""

[HKCR\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCR\Liebao.URL\shell\open\ddeexec]
"NoActivateHandler" = ""
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "Liebao.URL"

[HKCU\Software\Classes\https\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCR\ftp\shell]
"(Default)" = "open"

[HKCR\InternetShortcut\shell]
"(Default)" = "open"

[HKCR\Liebao.URL\DefaultIcon]
"(Default)" = "%Program Files%\liebao\liebao.exe,1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".htm" = "Liebao.HTML"

[HKCU\Software\Classes\Liebao.URL\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCR\https\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCR\.xht]
"(Default)" = "Liebao.HTML"

[HKCU\Software\Classes\ftp\shell\open\ddeexec\Application]
"(Default)" = ""

[HKCU\Software\Clients\StartMenuInternet\liebao.exe\Capabilities\FileAssociations]
".htm" = "Liebao.HTML"

[HKCR\mhtmlfile\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe %1"

[HKCR\ftp\shell\open\ddeexec]
"NoActivateHandler" = ""

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice]
"Progid" = "Liebao.URL"

[HKCU\Software\Clients\StartmenuInternet]
"(Default)" = "liebao.exe"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKLM\SOFTWARE\Clients\StartMenuInternet\liebao.exe\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\liebao\liebao.exe %1"

[HKCR\Liebao.HTML\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice]
"Progid" = "Liebao.URL"

The process down_s_66_82685.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\liebao]
"UID" = "3c5f6e2b73049b0ecc3362e627a51fa3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 D9 BF FE 0E 04 BC E1 BC 7C 6C CD 9F 39 6E 5D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Kingsoft\KBROWSER]
"vtime" = "1400765523"

[HKCR\CLSID\{DA3CB2BC-1CCA-412d-BC7C-4DFB532D2223}\Implemented Categories\{D7BD91AA-CB34-4eae-A9D1-2DB9A7C6815C}]
"UID" = "3c5f6e2b73049b0ecc3362e627a51fa3"

The Trojan modifies IE security zone settings so that all local web-nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process ping.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 D9 13 7E 78 4F 19 0C 9D 6E 39 7A 0B 14 D6 07"

The process tencentdl.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}]
"(Default)" = "Downloader Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "c:\program files\common files\tencent\qqdownload\122\tencentdl.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\DownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\DownloadProxy.Downloader.1\CLSID]
"(Default)" = "{70DE12EA-79F4-46bc-9812-86DB50A2FD64}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\DownloadProxy.Downloader]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\LocalServer32]
"(Default)" = "c:\program files\common files\tencent\qqdownload\122\tencentdl.exe"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\VersionIndependentProgID]
"(Default)" = "DownloadProxy.Downloader"

[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\DownloadProxy.Downloader\CurVer]
"(Default)" = "DownloadProxy.Downloader.1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\ProgID]
"(Default)" = "DownloadProxy.Downloader.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 83 76 56 7D 6B AB BB 78 B0 56 59 90 A3 B3 2A"

[HKCR\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}]
"(Default)" = "_IDownloaderEvents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0]
"(Default)" = "DownloadProxy 1.0 Type Library"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\DownloadProxy.Downloader\CLSID]
"(Default)" = "{70DE12EA-79F4-46bc-9812-86DB50A2FD64}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

The Trojan modifies IE security zone settings so that all local web-nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process netsh.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 3F 4A 72 9A DC FA 0A 01 00 1C 3E 3C 8A 6E 11"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a Windows Firewall exception that lets the listed program accept unsolicited inbound connections from any remote address (the "*" scope field) in the Standard profile:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Tencent\QQDownload\122]
"Tencentdl.exe" = "%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe:*:Enabled:腾讯产品下载组件"

(The value format is path:scope:state:display name; the display name translates to "Tencent product download component".)

The Trojan adds the same executable to the trusted-application list of the Domain profile as well, so the exception applies whether or not the host is joined to a domain:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Tencent\QQDownload\122]
"Tencentdl.exe" = "%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe:*:Enabled:腾讯产品下载组件"

The process ÊÖ»úºäÕ¨»ú.exe:652 makes changes in the system registry. (The name is GBK text rendered as Latin-1; it decodes to 手机轰炸机.exe, "mobile phone bomber", which is consistent with the SMS-registration URLs in its strings below.)
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 28 CD B6 37 93 88 58 0C C4 FB 54 CE C4 7E B1"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The process Tencentdl.exe:848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 8A 46 BD AD 74 4B 18 7B 8D 9E 0F 64 E3 B4 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\program files\common files\tencent\qqdownload\122]
"Tencentdl.exe" = "腾讯高速下载引擎"

(The MUICache display name translates to "Tencent high-speed download engine".)

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan sets the three Internet Explorer Local Intranet zone auto-detection flags. Addresses matched by these flags are placed in the Local Intranet zone, which has weaker security settings than the Internet zone. First, all local (intranet) sites that are not listed in another zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Second, all network (UNC) paths:

"UNCAsIntranet" = "1"

Third, all sites that bypass the proxy server:

"ProxyBypass" = "1"

(These are the same values IE writes when "Automatically detect intranet network" is switched off with its three sub-options ticked, so on their own they are a weak indicator; read them together with the firewall and start-page changes in this report.)

The process 0liebao.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 5E 11 0A 94 ED 82 8C 63 55 9A F5 D3 84 B6 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp]
"setup.bat" = "setup"

The Trojan sets the three Internet Explorer Local Intranet zone auto-detection flags (see the note on the same values above). First, all local (intranet) sites that are not listed in another zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Second, all network (UNC) paths:

"UNCAsIntranet" = "1"

Third, all sites that bypass the proxy server:

"ProxyBypass" = "1"

The process knbcenter.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 A6 0F C5 90 88 5E B1 BD 69 7A B6 B3 AC 3C BB"

[HKLM\System\CurrentControlSet\Services\knbcenter]
"ImagePath" = "%Program Files%\liebao\4.5.34.6725\KNBCenter.exe"

The process knbcenter.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 40 9D 2C 07 E4 E8 E4 43 9E CD 86 9F D7 31 A8"

[HKLM\System\CurrentControlSet\Services\knbcenter]
"Description" = "猎豹浏览器主动防御(BIPS)及安全组件更新服务,帮助用户防御最新木马。"

(Translation: "Liebao Browser active defense (BIPS) and security component update service; helps users defend against the latest Trojans.")

The process reg.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 5F 5F B3 0D 3F F8 A8 6E B0 5B 81 DC CB 5B 53"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.duba.com/?un_4_413286"

The process reg.exe:708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 C1 6E 85 4B FB D3 D0 94 EE 9F FA 4A 47 37 98"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.duba.com/?un_4_413286"

The process skinupdater.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 19 E1 6D DD B4 03 1E 75 C0 04 D6 8C 8B 13 D2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
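The registry changes listed above are easier to read once the handful of categories that matter are separated from the tracing keys and RNG seeds. The script below is an added example written for this page, not code from the Lavasoft report or from any product it names. It parses the dump layout used here ([key] lines followed by "name" = "value" lines, with later values inheriting the most recent key, as the ZoneMap entries above do) and flags firewall exceptions, the IE Local Intranet zone flags, start-page rewrites and service image paths. SAMPLE_DUMP is constructed from entries quoted above, with the firewall display name given in English; the rule-string format path:scope:state:display name is the one Windows XP uses for AuthorizedApplications values.

```python
"""Triage a registry-change listing in this report's layout (added example, not
code from the report or the products it names). SAMPLE_DUMP is constructed from
entries quoted on the page, with the firewall display name translated."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Iterator

SAMPLE_DUMP = r"""
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Tencent\QQDownload\122]
"Tencentdl.exe" = "%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe:*:Enabled:Tencent product download component"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Tencent\QQDownload\122]
"Tencentdl.exe" = "%Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe:*:Enabled:Tencent product download component"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.duba.com/?un_4_413286"
"Start Page" = "http://www.duba.com/?un_4_413286"

[HKLM\System\CurrentControlSet\Services\knbcenter]
"ImagePath" = "%Program Files%\liebao\4.5.34.6725\KNBCenter.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 5F 5F B3 0D 3F F8 A8 6E B0 5B 81 DC CB 5B 53"
"""


@dataclass(frozen=True)
class RegChange:
    key: str
    name: str
    value: str


@dataclass(frozen=True)
class Finding:
    category: str  # firewall | ie-zonemap | ie-homepage | service
    detail: str


_KEY = re.compile(r"^\[(?P<key>.+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<value>.*)"$')
# XP AuthorizedApplications value: <path>:<scope>:<Enabled|Disabled>:<display name>
_FW_RULE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<label>.*)$")
_ZONEMAP_FLAGS = ("IntranetName", "UNCAsIntranet", "ProxyBypass")


def parse_dump(text: str) -> Iterator[RegChange]:
    """Yield one RegChange per value line; a value line belongs to the most recent
    [key] line, which is how the report repeats ZoneMap values without a key."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _KEY.match(line)):
            key = m.group("key")
        elif key is not None and (m := _VALUE.match(line)):
            yield RegChange(key, m.group("name"), m.group("value"))


def triage(changes: Iterable[RegChange]) -> list[Finding]:
    """Reduce a stream of changes to the findings a responder reads first."""
    findings: list[Finding] = []
    zone_flags: dict[str, str] = {}
    for c in changes:
        k = c.key.lower()
        if "\\authorizedapplications\\" in k:
            m = _FW_RULE.match(c.value)
            if m is None:
                findings.append(Finding("firewall", f"unparseable rule: {c.value}"))
            elif m.group("state") == "Enabled":
                scope = m.group("scope") or "*"
                where = "any remote address" if scope == "*" else scope
                findings.append(Finding("firewall", f"{m.group('path')} may accept "
                                        f"unsolicited inbound traffic from {where} [{m.group('label')}]"))
        elif k.endswith("\\internet settings\\zonemap") and c.name in _ZONEMAP_FLAGS:
            zone_flags[c.name] = c.value  # weak on their own; reported once, together
        elif k.endswith("\\internet explorer\\main") and c.name in ("Start Page", "Default_Page_URL"):
            findings.append(Finding("ie-homepage", f"{c.name} set to {c.value}"))
        elif "\\services\\" in k and c.name.lower() == "imagepath":
            service = c.key.rsplit("\\", 1)[-1]
            findings.append(Finding("service", f"service {service} runs {c.value}"))
    if zone_flags:
        flags = ", ".join(f"{n}={v}" for n, v in sorted(zone_flags.items()))
        findings.append(Finding("ie-zonemap", f"Local Intranet auto-detect flags set: {flags}"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_dump(SAMPLE_DUMP)):
        print(f"{f.category:12} {f.detail}")
```

Feed the whole registry section of a report of this kind to parse_dump() and the tracing and RNG-seed entries fall away; what remains is the two firewall exceptions, the two start-page rewrites, the new knbcenter service and one combined ZoneMap finding. The ZoneMap flags are deliberately folded into a single finding because they are only meaningful next to the other changes.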

Dropped PE files

MD5 File path
2aa21c79b5dd2b5152d49f5825c87388 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0liebao.exe
143f817034ae745c8225c424fa944f43 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\1.tmp\down_s_66_82685.exe
b209163d6c82ef393c15c02ed206bbc4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ÊÖ»úºäÕ¨»ú.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\KNBDrv.sys", the Trojan registers a process notify routine, a kernel callback that fires whenever a process is created or exits, so it can monitor and react to process start-up and termination. On a memory image, Volatility's callbacks plugin lists the registered process-creation callbacks together with the owning driver, which is the quickest way to confirm the routine and attribute it to KNBDrv.sys.

Propagation

VersionInfo

Company Name: ????????
Product Name:
Product Version: 1.0.0.0
Legal Copyright: ????? ?????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????????????
Comments: ??????????(http://www.eyuyan.com)

(The question marks are non-ASCII characters the report failed to render; eyuyan.com is the site of 易语言, "Easy Language", a Chinese programming environment.)
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
CODE       4096             40132        40448   4.51726   4b3aeb2fc3b7b21ea3fdd5ad16a9ddf5
DATA      45056             15632        15872   5.26127   1fb0fcf0a8c302fd1e7df6150f434d7e
BSS       61440              1825            0   0         d41d8cd98f00b204e9800998ecf8427e
.idata    65536              1730         2048   2.91217   9e9581a6aeb1c6de49e8280941f8bb34
.tls      69632                 8            0   0         d41d8cd98f00b204e9800998ecf8427e
.rdata    73728                24          512   0.142404  996c4942e3a4d2795a22f3ace698d094
.reloc    77824              1792         2048   4.24404   d645c969d7346a611453d5e9e94c66f4
.rsrc     81920           2630444      2630656   5.53486   0aaa3ad251a10f1f12ad7ae8e034fabc

The .rsrc section holds 2630656 of the file's 2692608 bytes (about 98%) while the code section is only 40448 bytes: the dropped components are carried as resources of a small Delphi stub. (Sections with a raw size of 0 show the MD5 of empty input.)

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://lbdata.tj.ijinshan.com/data/ 114.112.93.201
hxxp://lbdl.union.ijinshan.com/?pid=66&spid=82685&date=1400765523 114.112.93.101
hxxp://lbdl.union.ijinshan.com/liebao/66_82685.pack 114.112.93.101
hxxp://lbdl.union.ijinshan.com/liebao/66_0.pack 114.112.93.101
hxxp://tf01.dlmix.glb0.lxdns.com/liebao/pack/ksbInstaller_6725_66_0.pack
hxxp://d.union.ijinshan.com/liebao/pack/ksbInstaller_6725_66_0.pack 8.37.234.15


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))

The alert is triggered by the bare "Mozilla/4.0 (compatible; )" User-Agent in the requests to lbdl.union.ijinshan.com shown below; the installer-pack downloads from d.union.ijinshan.com use a full MSIE 6.0 string and do not match.

Traffic

GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1
Range: bytes=11728801-
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: d.union.ijinshan.com


HTTP/1.0 206 Partial Content
Date: Thu, 22 May 2014 13:32:05 GMT
Server: Tengine/1.5.2
Content-Type: application/octet-stream
Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT
Accept-Ranges: bytes
Content-Range: bytes 11728801-46915205/46915206
Content-Length: 35186405
X-Cache: HIT from cache.51cdn.com
Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)
Connection: close

<<< skipped >>>

GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1
Range: bytes=35186403-
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: d.union.ijinshan.com


HTTP/1.0 206 Partial Content
Date: Thu, 22 May 2014 13:32:05 GMT
Server: Tengine/1.5.2
Content-Type: application/octet-stream
Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT
Accept-Ranges: bytes
Content-Range: bytes 35186403-46915205/46915206
Content-Length: 11728803
X-Cache: HIT from cache.51cdn.com
Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)
Connection: close

<<< skipped >>>

GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1
Range: bytes=23457602-
Pragma: no-cache
Cache-Control: no-cache
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: d.union.ijinshan.com


HTTP/1.0 206 Partial Content
Date: Thu, 22 May 2014 13:32:05 GMT
Server: Tengine/1.5.2
Content-Type: application/octet-stream
Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT
Accept-Ranges: bytes
Content-Range: bytes 23457602-46915205/46915206
Content-Length: 23457604
X-Cache: HIT from cache.51cdn.com
Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)
Connection: close

<<< skipped >>>

POST /data/ HTTP/1.1
Connection: close
Cache-Control: no-cache
User-Agent: liebao
Host: lbdata.tj.ijinshan.com
Content-Length: 177

<<< 177-byte binary request body skipped >>>
HTTP/1.1 200 OK
Server: ngx_openresty/1.4.3.4
Date: Thu, 22 May 2014 13:32:00 GMT
Content-Type: text/plain
Content-Length: 35
Connection: close
[common]..result=1..time=1400765520..


GET /liebao/pack/ksbInstaller_6725_66_0.pack HTTP/1.1
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)
Host: d.union.ijinshan.com
Connection: Close


HTTP/1.0 200 OK
Date: Thu, 22 May 2014 13:32:05 GMT
Server: Tengine/1.5.2
Content-Type: application/octet-stream
Last-Modified: Thu, 09 Jan 2014 09:24:45 GMT
Accept-Ranges: bytes
Content-Length: 46915206
X-Cache: HIT from cache.51cdn.com
Via: 1.0 jg9:38080 (Cdn Cache Server V2.0)
Connection: close

<<< skipped >>>

GET /?pid=66&spid=82685&date=1400765523 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Host: lbdl.union.ijinshan.com
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Server: kws
Date: Thu, 22 May 2014 13:32:02 GMT
Content-Type: text/html
Content-Length: 176
Location: hXXp://lbdl.union.ijinshan.com/liebao/66_82685.pack
Connection: keep-alive
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>kws</center>
</body>
</html>



GET /liebao/66_82685.pack HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; )
Host: lbdl.union.ijinshan.com
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Server: kws
Date: Thu, 22 May 2014 13:32:02 GMT
Content-Type: text/html
Content-Length: 176
Location: hXXp://lbdl.union.ijinshan.com/liebao/66_0.pack
Connection: keep-alive
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>kws</center>
</body>
</html>



GET /liebao/66_0.pack HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; )
Host: lbdl.union.ijinshan.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: kws
Date: Thu, 22 May 2014 13:32:02 GMT
Content-Type: text/plain
Content-Length: 131
Last-Modified: Thu, 09 Jan 2014 09:33:51 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<< 131-byte binary response body skipped >>>
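The exchanges above show ksbInstaller_6725_66_0.pack being fetched over four connections, each asking for an open-ended byte range, plus the bare-User-Agent requests that the Suricata alert names. The script below is an added example written for this page, not the report's own tooling or Kingsoft's. It parses the header blocks in the capture's layout (bodies dropped), checks that every 206 reply starts where its Range header asked and that Content-Length equals end minus start plus one, infers the number of parallel connections, measures how much data the server offered beyond what the client needed, and flags the bare User-Agent. CAPTURE is constructed from the headers quoted above; the equal-slice assumption in infer_split and the User-Agent regex are mine, the regex only approximating the ET rule, whose body is not on the page.

```python
"""Checks over the HTTP exchanges captured above (added example, not code from the
report). CAPTURE is constructed from headers quoted on the page, bodies omitted."""
import re

_MSIE_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
            ".NET CLR 3.0.04506.648; .NET CLR 3.5.8888.8888;)")
_PACK = "/liebao/pack/ksbInstaller_6725_66_0.pack"

CAPTURE = f"""\
GET /?pid=66&spid=82685&date=1400765523 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; )
Host: lbdl.union.ijinshan.com

HTTP/1.1 301 Moved Permanently
Content-Length: 176

GET {_PACK} HTTP/1.1
User-Agent: {_MSIE_UA}

HTTP/1.0 200 OK
Content-Length: 46915206

GET {_PACK} HTTP/1.1
Range: bytes=11728801-
User-Agent: {_MSIE_UA}

HTTP/1.0 206 Partial Content
Content-Range: bytes 11728801-46915205/46915206
Content-Length: 35186405

GET {_PACK} HTTP/1.1
Range: bytes=35186403-
User-Agent: {_MSIE_UA}

HTTP/1.0 206 Partial Content
Content-Range: bytes 35186403-46915205/46915206
Content-Length: 11728803

GET {_PACK} HTTP/1.1
Range: bytes=23457602-
User-Agent: {_MSIE_UA}

HTTP/1.0 206 Partial Content
Content-Range: bytes 23457602-46915205/46915206
Content-Length: 23457604
"""


def parse_exchanges(text: str) -> list[tuple[dict, dict]]:
    """Split blank-line-separated header blocks into dicts (start line under "",
    header names lower-cased) and pair each request with the response after it."""
    blocks = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        hdrs = {"": lines[0]}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            hdrs[name.strip().lower()] = value.strip()
        blocks.append(hdrs)
    pairs, pending = [], None
    for b in blocks:
        if not b[""].startswith("HTTP/"):
            pending = b
        elif pending is not None:
            pairs.append((pending, b))
            pending = None
    return pairs


_CONTENT_RANGE = re.compile(r"bytes (\d+)-(\d+)/(\d+)")
_RANGE = re.compile(r"bytes=(\d+)-(\d*)")


def segments(exchanges, path: str) -> list[tuple[int, int, int, int]]:
    """(start, end, total, content_length) per fetch of `path`. A 206 must start
    where the Range header asked and carry Content-Length == end - start + 1."""
    segs = []
    for req, resp in exchanges:
        if req[""].split()[1] != path:
            continue
        status, length = resp[""].split()[1], int(resp.get("content-length", "0"))
        if status == "206":
            cr = _CONTENT_RANGE.fullmatch(resp.get("content-range", ""))
            rq = _RANGE.fullmatch(req.get("range", ""))
            if cr is None or rq is None:
                raise ValueError("206 without a usable Range/Content-Range pair")
            start, end, total = (int(x) for x in cr.groups())
            if int(rq.group(1)) != start or length != end - start + 1:
                raise ValueError(f"inconsistent partial response at offset {start}")
            segs.append((start, end, total, length))
        elif status == "200" and "range" not in req:
            segs.append((0, length - 1, length, length))
    return segs


def infer_split(segs) -> int:
    """Parallel connections used, assuming equal floor(total/n) slices (an inference
    from the offsets 0, 11728801, 23457602, 35186403 of the 46915206-byte file)."""
    total, starts = segs[0][2], sorted(s[0] for s in segs)
    chunk = total // len(starts)
    if starts != [i * chunk for i in range(len(starts))]:
        raise ValueError(f"offsets {starts} are not an even split of {total}")
    return len(starts)


def bytes_over_requested(segs) -> int:
    """Every slice was requested open-ended ("bytes=N-"), so the server offered data
    to EOF; the surplus is what the client had to cut off by closing the socket."""
    return sum(s[3] for s in segs) - segs[0][2]


_BARE_UA = re.compile(r"^Mozilla/4\.0 \(compatible;?\s*\)$")  # approximates the ET rule


def bare_user_agents(exchanges) -> list[str]:
    """'host path' of each request sent with the bare compatible-only User-Agent."""
    return [f"{req.get('host', '?')} {req[''].split()[1]}"
            for req, _ in exchanges if _BARE_UA.match(req.get("user-agent", ""))]


if __name__ == "__main__":
    ex = parse_exchanges(CAPTURE)
    segs = segments(ex, _PACK)
    print(f"{infer_split(segs)}-way split; {bytes_over_requested(segs)} surplus bytes offered")
    print("bare User-Agent:", bare_user_agents(ex))
```

On this capture the arithmetic holds for all three 206 replies, the offsets are an even four-way split, and the server offered roughly 70 MB more than the 46915206-byte file because each slice was requested to end-of-file rather than with an explicit upper bound; a downloader written this way relies on Connection: Close to stop each stream, which is worth knowing when sizing a sandbox's bandwidth or when a capture appears to contain the file several times over.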


The Trojan connects to the servers at the following location(s): see the URL table above.

Strings from Dumps

cmd.exe_520:

.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
USER32.dll
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
RegDeleteKeyW
RegCloseKey
RegOpenKeyW
RegCreateKeyExW
RegOpenKeyExW
ShellExecuteExW
CmdBatNotification
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
_pipe
GetProcessWindowStation
cmd.pdb
CMD Internal Error %s
)(&&())))(&))
)&((&)&))&())
)&((&)&)&()))
)(&&()))&))))
CMD.EXE
()|&=,;"
COPYCMD
\XCOPY.EXE
CMDCMDLINE
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
0123456789
cmd.exe
DIRCMD
%d.%d.d
Ungetting: '%s'
DisableCMD
GeToken: (%x) '%s'
%s\Shell\Open\Command
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
.exe"
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
CMDEXTVERSION
KEYS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%s %s
(%s) %s
%s %s%s
&()[]{}^=;!%' ,`~
d%sd%s
-%sd%sd%sd
d%sd%sd
%s=%s
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
\CMD.EXE
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Windows
Operating System
5.1.2600.5512
Press any key to continue . . . %0
operable program or batch file.
The system cannot execute the specified program.
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
a pipe operation.
KEYS is on.
KEYS is off.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
$B | (pipe)
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
under Windows XP.
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
this version of the operating system.
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
* / %% - arithmetic operators
+ - - arithmetic operators
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
%%CD%% - expands to the current directory string.
%%DATE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
be passed to the for body for each iteration.
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
Missing operand.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute

ÊÖ»úºäÕ¨»ú.exe_652:

.text
`.rdata
@.data
Hi.Chief;
Hi.ChiefuP
.rsrc
t$(SSh
~%UVW
t.It It
u$SShe
4g.qD
user32.dll
ntdll.dll
kernel32.dll
Setupapi.dll
gdiplus.dll
GdiPlus.dll
Kernel32.dll
wininet.dll
User32.dll
Ole32.dll
gdi32.dll
ole32.dll
msimg32.dll
Gdi32.dll
Gdiplus.dll
UxTheme.dll
CreateWindowStationA
CloseWindowStation
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
GetKeyState
GdipSetStringFormatHotkeyPrefix
SetWindowsHookExA
UnhookWindowsHookEx
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
config.ini
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
30426153
piaofh.asp
plyzxl.asp
piaoyh.asp
http://www.shzly.in/plwlyz/
MSXML2.XMLHTTP
Microsoft.XMLHTTP
MSXML2.ServerXMLHTTP
MSXML2.ServerXMLHTTP.6.0
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
application/x-www-form-urlencoded
\\.\PhysicalDrive0
10/05/12
Ex_DirectUI_MsgBox
msg_wnd
http://www.shzly.in/
http://www.pubyun.com/accounts/signup_vcode/4449056/?mobile=
http://
https://
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
http://www.istudy.com.cn/incpage/ARandomCode.html
http://mp3.easou.com/dg.e?l=2ld.1&esid=xf5aHaRUMZo&wver=c
&song=花火-丁当&esid=xf5aHaRUMZo&id=1514183&submit=通过短信免费点播
http://wap.mail.163.com/reg.s?regtype=mobile
&password=19951221&password2=19951221&action=提交注册信息
http://i.house.sina.com.cn/index.php
&password=19951221&province=50&city=500100&auth_code=·òÏà&nickname=159xxxx0043&type=mobile&inviteid=&ctrl=register&act=create_mobile
loginname=
http://www.m3.cc/url.php?class=check
http://www.gogo.com/js/regAjax.ashx
http://passport.soufun.com/ajax/ajaxmobilecode_v3.aspx
http://www.chinaface.com/aj/user/mobileregister
http://reg.jiayuan.com/libs/xajax/reguser.server.php?processUserMobile
&xajaxr=1341738718781
xajax=processUserMobile&xajaxargs[]=mobile=
http://reg.jiayuan.com/libs/xajax/reguser.server.php?processSendOrUpdateMessage
&xajaxargs[]=mobile&xajaxr=1341738718874
xajax=processSendOrUpdateMessage&xajaxargs[]=mobile=
http://china.alibaba.com/member/sendIdentityCodeByMobile.htm?callback=jQuery17209392130269428131_1341739007515&mobile=
http://www.dianping.com/ajax/json/account/reg/mobile/send
http://reg.ztgame.com/registe/mobilePhoneRegister
http://user.qunar.com/ajax/validator.jsp
http://saa.auto.sohu.com/reg/mobileReg.at
&vuser.nickName=952898714&vuser.pwd=nizaina&repasswd=nizaina&vuser.rStatus=1&vuser.rBrandId=218&vuser.rModelId=1947&validate=bdxh
vuser.userMobile=
http://www.keepc.com/voip/registerForMobileForCode.act
http://www.skywldh.com/registerForMobileForCode.act
http://www.uwewe.com/get/SendMessage.aspx?phone=
http://www.139talk.com/user/regnum.html
&type=1&key=btdufou6jv7vc3ed5142m56hu6
http://newreg.eesina.net//servlet/ValidatePhone?time=
http://newreg.eesina.net//servlet/RandomServlet?time=
http://chinatelecom.zc.qq.com/cgi-bin/send_sms
http://login.m18.com/Service/ContactService.ashx?Method=RegisterByPhoneSendCheckCode&MobilePhone=
http://club.service.autohome.com.cn/Ashx/CreateMobileCode.ashx
http://passport.eastmoney.com/chkphone.aspx
http://service.che168.com/Ashx/CreateMobileCode.ashx
http://register.sdo.com/gaea/SendPhoneMsg.ashx?page=REG&mobile=
http://reg.email.163.com/mailregAll/sendvcode.do?
&domain=163.com&mobile=
http://passport.wanmei.com/NoteAction.do?method=sendCode
http://www.aicall800.com/freecall.php
&password=19951221&seccode=wryk&PhoneNumber=
http://member1.taobao.com/member/new_set_cell_phone.do
paras=MTAyOTk5NjgwOQ==&css_style=&userNumId=1029996809&mobile_area=1&mobile=
http://www.baixing.com/ajax/auth/sendCode/?mobile=
http://passport.17u.cn/Member/RegisterHandler.ashx?action=phone&phone=
http://u.uzai.com/SendCheckCode
http://user.qunar.com/user/confirmContact.jsp?ret=/userinfo/index.jsp
http://www.dreams-travel.com/user/reg/reg_action.asp
&user_tel=&user_name=²ÐÆÆ¶ø&user_sfz=0&country=ChinaÖйú&province=Ê¡(ÖÝ)&city=±±¾©[email protected]&user_password=19951221&user_password1=19951221&zcxy=1&dzzk=1&yzfs=tel&imageField.x=28&imageField.y=14
[email protected]&zc_tel=
http://www.mangocity.com/mbrweb/registerAjax/randomNumber.action
http://yuyue.shdc.org.cn/User/ajaxSendConfirmCode.aspx
http://www.tianpin.com/user/send_telephone_code
http://yantubbs.com/register.php?nowtime=1352018399000&verify=f40830d2
http://passport.q.com.cn/register/index/sendphonecode/
&_=1352018752859
http://gwpassport.woniu.com/v2/sendsms?jsoncallback=jQuery17204481290172278189_1352018741044&mobile=
http://service.cq.10086.cn/app?service=ajaxDirect/1/newLogin.login/newLogin.login/javascript/&pagename=newLogin.login&eventname=sendSMSlogin&&SERIAL_NUMBER=
http://bbs.zhue.com.cn/ajax.php?infloat=register&handlekey=register&action=getverifycode1&mobile=
http://www.frisochina.com/ajax/GetPhoneCode.aspx?mobile=
http://mail.sina.com.cn/cgi-bin/phonecode.php
http://www.51taonan.com/?page=join&handler=ajax&action=send_reg_mobile_vcode&page_key=7ef0c64ccfeccd5cdda1306c3b769e1b&mobile_number=
http://reg.99114.com/Ajax/Secrity.ashx?action=passwordprotect&type=1&phone=
http://my.checkoo.com/register.jsp?flow=smscode&mobile=
http://as.baidu.com/a/msg?act=sendtomobile&f=home_2015_0&mobile=
http://passport.kongzhong.com/x/call/plaincall/regjs.reSendVcode.dwr
c0-param1=string:1a1780ed-691b-466e-965d-532ab3b506eac0-param2=boolean:falsec0-param3=boolean:falsebatchId=1
callCount=1page=/register/reg_succ_phone.jsphttpSessionId=B138818BA9DBAD8D7A3A6220B45068F5scriptSessionId=53F4C2FEA4D843099C12C210057FA3DC486c0-scriptName=regjsc0-methodName=reSendVcodec0-id=0c0-param0=string:
http://www.cqsq.com/register.php
http://i.360.cn/smsApi/sendsmscode?account=
http://member.tiancity.com/handler/GetPhoneRegAuthCodeHandler.ashx?a=0.9170439269767781&userid=
http://www.kunlun.com/index.php?act=ajax.checkUsername&user_name=
&smsvcode=输入手机获取的验证码&_=1352977641984
http://passport.kongzhong.com/acc.do?m=sendPhoneVcodeFast&callback=jQuery17204441263292015887_1352977631016&phone=
http://www.91wan.com/huodong/bind_phone/get_code.php
http://my.xoyo.com/register/NewIsExist/?uid=
http://user.51wan.com/reg_index_sendphone_0.html
http://www.tiboo.cn/register.php?nowtime=1352981025093
http://user.syyx.com/ajax/users/checkusername.aspx?u=
http://core.u7u7.com/Inf/Register.aspx?jsoncallback=jsonp1352981442421&username=
&_=1352982551343 HTTP/1.1Accept: */*Referer: http://register.sdo.com/gaea/phone_default.aspx?from=89&zone=home_embed&... zh-cnAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; QQDownload 734; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)Host: authleqr.sdo.comConnection: Keep-AliveCookie: sdo_beacon_id=113.205.173.252.1350557866205.7; SNDA_ADRefererSystem_UserTicket=a2b6c754-ff5b-4ac9-b226-9c47dceedf1e; SNDA_ADRefererSystem_ADID=; SNDA_ADRefererSystem_RefererUrl=http://register.sdo.com/gaea/phone_default.aspx?from=89&zone=home_embed&NotifyId=dnEnv1; SNDA_ADRefererSystem_RefererTime=2012-11-15 20:20:53; SNDA_ADRefererSystem_InSiteUrl=http://adrs.sdo.com/ADRefererSystem/prereg.html; SNDA_ADRefererSystem_ClientSign=BD69A9244616AAB258C27E9AF8C11B36; SNDA_ADRefererSystem_MachineTicket=a2b6c754-ff5b-4ac9-b226-9c47dceedf1e
GET /lars/check-account-types.jsonp?callback=jQuery16207765257628973603_1352982046643&userId=
http://www.haodou.com/user/register.php?do=checkphone&phone=
http://x5.51.com/register/index.php?a=send_sms&time=
&User_Password=19951221&User_RePassword=19951221&User_Sex=true&User_Age=5&User_Shen=28&User_Town=2&User_City=2
&_=1352983295921
http://gwpassport.woniu.com/v2/sendsms?jsoncallback=jQuery17205666854927724374_1352983199964&mobile=
&nickname=大厦大厦&password=1d88b2bc03e98603188da35275e88ac6&pd=30&om=0&verifycode=F6TDE&cache=1352983608812®from=
http://login.i.xunlei.com/register?jsoncallback=jsonp1352983484410&m=new&mail=
http://passport.szgla.com/Validate/UserName?q=2204.1553552751447
http://www.1732.com/public/ajax.aspx?app=sendcode&bindaccount=
http://agent.eju.com/register/sendmobilereg
http://www.17lu.cn/register.php?nowtime=1352984434062&verify=edf8826b
http://www.55188.com/smssend_ajax.php?f=3
http://passport.kongzhong.com/acc.do?m=sendPhoneVcodeFast&callback=jQuery1720998364229230869_1352987358344&phone=
http://www.maiduo.com/handler/Register/Register.ashx?act=check&mobile=
http://www.sinosig.com/auth/regist_resetMsg.action
http://fmail.21cn.com/freeinterface/jsp/reg/getSmsVilCode.jsp
http://fmail.21cn.com/message/sendSMS
http://user.huitongke.com/member!getVerificationCode.action?mobile=
http://passport.cntv.cn/mobileRegister.do
&_=1353664161421
http://www.aapinche.cn/ajax/mobile_code.ashx?do=get&mobile=
http://m.jxedt.com/about/sendmsgtomobile.asp
type=wapurl&mobile=
&submit=È·¶¨
type=iphoneurl&mobile=
type=androidurl&mobile=
http://a3.act.jj.cn/www/get_sms_code.php?callback=jsonp1353664437829&_=1353664492296&mobile=
http://bbs.fobshanghai.com/ajax.php?inajax=1&action=checkmobile&mobile=
http://www.paixie.net/member/verify_phone_async.php?type=sendcode&phone=
HTTP/1.1 200 OKDate: Fri, 23 Nov 2012 10:15:51 GMTServer: Apache CoyoteSet-Cookie: OZ_0Y_1701=1701&A_aHR0cDovL3d3dy5wYWl4aWUubmV0Lz9fc3ZfY29kZT00MDNfNDgwMDY4OF8xNzY2NDU0Mjc=&1353665665&-&1353665751&1&732033; path=/; domain=.oadz.comP3P: CP=NOI DSP LAW NID IVAa OUR STP UNICache-Control: no-cacheContent-Length: 43Keep-Alive: timeout=15, max=200Connection: Keep-AliveContent-Type: image/gifGIF89a
http://www.qgyyzs.net/business/checkregAjax.asp?menu=CheckRegSj&sj=
HTTP/1.1 200 OKDate: Fri, 23 Nov 2012 10:38:57 GMTServer: Microsoft-IIS/6.0X-Powered-By: ASP.NETContent-Length: 36Content-Type: text/html; Charset=gb2312Cache-control: private
http://auth.shequ.10086.cn/ajax/info.php?act=send_code
http://my.xizi.com/index.php?r=members/sendverify
http://www.taoxie.com/registerok.aspx?action=ajaxsendcode&mobile=
&verifyCode=&rand=56537441567125520&admin_uin=9176788&client_uin=&clientid=&visitor_comes=1&visitor_page=http://www.shgongshang.com/&visitor_last_page=&visitor_keyword=&visitor_entry=&cause=0
http://vip.tq.cn/vip/SendShortCall.do?uin=9186861&callPhone=
&verifyCode=&rand=52298377998835271&admin_uin=8429994&client_uin=&clientid=&visitor_comes=1&visitor_page=http://www.cppinfo.com/&visitor_last_page=&visitor_keyword=&visitor_entry=&cause=0
http://vip.tq.cn/vip/SendShortCall.do?uin=8429994&callPhone=
http://bbs.cnool.net/tools/getsms.aspx
09/27/12
Y]Key
http://sighttp.qq.com/msgrd?v=3&uin=885229130&site=qq&menu=yes
http://jifen.2345.com/wo/zhanghao.php
IEC http://www.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
urlTEXT
MsgeTEXT
Adobe Photoshop CS2 Windows
2008:06:29 22:36:52
3551177
www.52pojie.cn
HTTP/1.1 200 OKDate: Fri, 23 Nov 2012 11:47:11 GMTServer: Apache CoyoteSet-Cookie: OZ_0Y_1701=1701&A_aHR0cDovL3d3dy5wYWl4aWUubmV0Lz9fc3ZfY29kZT00MDNfNDgwMDY4OF8xNzY2NDU0Mjc=&1353671204&-&1353671231&0&428186; path=/; domain=.oadz.comP3P: CP=NOI DSP LAW NID IVAa OUR STP UNICache-Control: no-cacheContent-Length: 43Keep-Alive: timeout=15, max=199Connection: Keep-AliveContent-Type: image/gifGIF89a
2@{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
yoSSSSh$J
www.shzly.in
885229130
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
SHLWAPI.dll
MPR.dll
VERSION.dll
p%U?c
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
www.dywt.com.cn
x86 Family %s Model %s Stepping %s
X-X-X-X
X-X-X-X-X-X
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
2.Lsm
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
SHELL32.dll
WINMM.dll
WININET.dll
KERNEL32.dll
WINSPOOL.DRV
comdlg32.dll
RASAPI32.dll
OLEAUT32.dll
ADVAPI32.dll
RegOpenKeyExA
^|W6%xk
wiphlpapi.dll
WS2_32.dll
1, 0, 6, 6
-Skin.dll
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:
1.3.2012.11

手机轰炸机.exe_652_rwx_005E5000_000EC000:

2.Lsm
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
activation.php?code=
deactivation.php?hash=
.?AVIUrlBuilderSource@@
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
KERNEL32.DLL
mscoree.dll
Error at initialization of bundled DLL: %s
Error at hooking API "%S"
Dumping first %d bytes:

手机轰炸机.exe_652_rwx_00738000_00001000:


tencentdl.exe_1932:

.text
`.rdata
@.data
.rsrc
asio.ssl
asio.misc
D:\Boost\boost_1_44_0\include\boost-1_44\boost/exception/detail/exception_ptr.hpp
asio.misc error
asio.ssl error
fs_report.qq.com
fs_h2u.qq.com
fs_conn.qq.com
fs_hello.qq.com
xuanfengnet.qq.com
stun.qq.com
fs_tcp_conn.qq.com
pdlxf.qq.com
thread.exit_event
thread.entry_event
%s\Connection
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
www.tencent.com.
HTTP/1.1
$MD5Version: 1.0.0 November-19-1997 $
$Id: md5.c,v 1.1.1.1 2004/05/17 13:23:36 rcrittenden0569 Exp $
/tencentdlinstallinfo/dtrp?v=1&&format=json&&product=tencentdlinstallinfo&&cmd=1
dtrp.tencentdlinstallinfo.qq.com
standalone="%s"
encoding="%s"
version="%s"
&#xX;
%s='%s'
%s="%s"
PKEY_CUSTOMNAME
PKEY_PRODUCTNAME
PKEY_ISSHOW
PKEY_EXITTIME
PKEY_CUSTOMID
PKEY_START_STATUS
PKEY_GUID
PKEY_MINORVERSION
PKEY_MAJORVERSION
PKEY_COREVERSION
PKEY_EXEVERSION
PKEY_UPDATESERVERPORT
PKEY_UPDATESERVERIP
PKEY_EXHASH
PKEY_EXNAME
PKEY_TNHASH
PKEY_TNNAME
PKEY_COREHASH
PKEY_CORENAME
PKEY_EXEHASH
PKEY_EXENAME
PKEY_UPDATEURL
PKEY_FILENAME
PKEY_RESULT
xf_com_update_doctor.qq.com
PKEY_TTL
PKEY_ISFIX
PKEY_VERSION
PKEY_FILEEMULE_HASH
PKEY_FILEEMULE_SIZE
PKEY_FILEEMULE_NAME
PKEY_FILEBT_HASH
PKEY_FILEBT_SIZE
PKEY_FILEBT_NAME
PKEY_FILECORE_HASH
PKEY_FILECORE_SIZE
PKEY_FILECORE_NAME
PKEY_URL
PKEY_PERIOD
kernel32.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
GetProcessWindowStation
USER32.DLL
operator
portuguese-brazilian
FhModule = %u, pfunc = %u
DbgHelp.dll
crash.dmp
0xX
DlBugReport.ini
DlBugReport.dat
%Y-%m-%d %H:%M:%S
%d.%d.%d.%d
,d-d-d d:d:d
[ 0xX ] %s [%s]
Error: Write address 0xX
Error: Read address 0xX
version = %s
%s-----------------------------------
Type: %s
Address: 0xX
QQDownload.exe
EXCEPTION_FLT_INVALID_OPERATION
EXCEPTION_FLT_DENORMAL_OPERAND
(%d,%d,%d,%d)
0xX:
%s::x;
0xX[%X] %s:
%s::x
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
c:\downloadplugin\tencentdl_v122\output\release\Tencentdl.pdb
HttpQueryInfoW
HttpEndRequestW
HttpSendRequestExW
HttpAddRequestHeadersW
HttpOpenRequestW
WININET.dll
GetProcessHeap
CreateIoCompletionPort
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
WS2_32.dll
VERSION.dll
NetWkstaTransportEnum
NETAPI32.dll
PSAPI.DLL
imagehlp.dll
zcÁ
'DownloadProxy.EXE'
DownloadProxy.Downloader.1 = s 'Downloader Class'
CLSID = s '{70DE12EA-79F4-46bc-9812-86DB50A2FD64}'
DownloadProxy.Downloader = s 'Downloader Class'
CurVer = s 'DownloadProxy.Downloader.1'
ForceRemove {70DE12EA-79F4-46bc-9812-86DB50A2FD64} = s 'Downloader Class'
ProgID = s 'DownloadProxy.Downloader.1'
VersionIndependentProgID = s 'DownloadProxy.Downloader'
'TypeLib' = s '{DA624F8F-98BF-4B03-AD11-A12D07119E81}'
stdole2.tlbWWW
cuiMsgTypeWWW
pMsgParamWWWd
6|pTaskUrl
Created by MIDL version 6.00.0366 at Thu Oct 11 11:26:38 2012
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
TNProxy.dll
qqdownload_config.xml
dlcore.dll
\tencentdl.exe
{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
CLSID\%s\LocalServer32
{%X-%X-%X-%X-%X%X}
B.tlb
Mscoree.dll
DownloadProxy.Downloader.1
\Tencentdl.exe
\Installlog.txt
\DownloadProxyPS.dll
\extract.dll
\tnproxy.dll
\dlcore.dll
regsvr32.exe
Kernel32.dll
Extract.dll
C\StringFileInfo\xx\
netsh.exe
\\.\PhysicalDrive%d
\\.\Scsi%d:
oiphlpapi.dll
nM-%.2d-%.2d %.2d:%.2d:%.2d
Unknown ProcessID. PID = %d
No pid option found in CmdLine
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
\downloadproxyps.dll
oInstallInfo.xml
\Global.db
PQD_Temp_Exe
%*.*f
Tencentdl.exe
: %s/s
%s: %s
\TDConfig.ini
H\set.log
c:\program files\common files\tencent\qqdownload\122\tencentdl.exe
(1-10240)
1, 0, 122, 3

手机轰炸机.exe_652_rwx_10028000_00015000:

msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc

KNBCenter.exe_1240:

.text
`.rdata
@.data
.rsrc
@.reloc
[email protected]
user.js
ERROR_REPORT
PlatformFile.UnknownErrors.Windows
Histogram: %s recorded %d samples
(flags = 0x%x)
(%d = %3.1f%%)
CHROME_PROFILER_TIME
Unsupported encoding. JSON must be UTF-8.
Dictionary keys must be quoted.
full-memory-crash-report
USER32.dll
SHELL32.dll
ole32.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
liebao.exe
Src\kbsevMain.cpp
RegOpenKeyTransactedW
chrome.dll
breakpad_win_crash_service_knbcenter.cpp
pipe name is
ieframe.dll
hlink.dll
urlmon.dll
wininet.dll
mpr.dll
msls31.dll
oleaut32.dll
xmllite.dll
d2d1.dll
dxgi.dll
dnsapi.dll
d3d9.dll
avrt.dll
mf.dll
mfplat.dll
mfreadwrite.dll
msdmo.dll
authz.dll
msacm32.dll
setupapi.dll
evr.dll
avifil32.dll
wmdrmsdk.dll
\liebao\User Data\liebao.log
4.5.34.6725
report_dump_file
lXXxXXXXXXXX
http://dump.upload.duba.net/DumpFileUploader/duba_dump/__utm.gif
c:\liebao_src_pool\release.branch_34\src\security\tmp\Release\knbcenter\dbginfo\knbcenter.pdb
VERSION.dll
PSAPI.DLL
WaitNamedPipeW
TransactNamedPipe
SetNamedPipeHandleState
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
GetWindowsDirectoryW
KERNEL32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
SHLWAPI.dll
WTSAPI32.dll
USERENV.dll
WINMM.dll
GetProcessHeap
GetCPInfo
zcÁ
%Program Files%\liebao\4.5.34.6725\KNBCenter.exe
debug.log
.\debug.log
debug_message.exe
\StringFileInfo\xx\%ls
kernel32.dll
Chrome_MessagePumpWindow_%p
Emscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
portuguese-brazilian
USER32.DLL
LIEBAO_EXE_PATH
CHROME_DLL_PATH
KNBCenter.exe
knbctrl.dll
kBrowserUpgrade2.dll
ksapi.dll
Local\LBKSINIT_{DE37097C-AC19-4513-9D64-E2E3D51676AE}
knbcenter.log
rknbpolicy.dll
\kmsgsvc.dll
Advapi32.dll
SYSTEM\CurrentControlSet\Services\%s
%d.%d.%d.%d
FLT_DENORMAL_OPERAND
FLT_INVALID_OPERATION
gcswf32.dll
\liebao\User Data\report.ini
report
cmdline
DumpKey
\kdumprep.exe"
https://clients2.google.com/cr/report
1441792
Breakpad/1.0 (Windows)
\\.\pipe\LiebaoCrashServices_SecSvr
dbghelp.dll
rpcrt4.dll
%s\%s.dmp
ddddddd
CLSID\{DA3CB2BC-1CCA-412d-BC7C-4DFB532D2223}\Implemented Categories\{D7BD91AA-CB34-4eae-A9D1-2DB9A7C6815C}
CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
x-x-x-xx-xxxxxx
/browser_version "4.5.34.6725"
%s\*.dmp
Data\kxecolbd.dat
%s%d\
Windows
Liebao\Crash Reports
verifier.dll
-full.dmp
knbcenter.dll


Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ksbinstaller_66_82685.exe:984
    %original file name%.exe:1264
    KNBCenter.exe:1240
    regsvr32.exe:1536
    liebao.exe:1780
    liebao.exe:516
    down_s_66_82685.exe:1988
    ping.exe:972
    wuauclt.exe:924
    tencentdl.exe:1932
    netsh.exe:320
    Tencentdl.exe:848
    0liebao.exe:1948
    knbcenter.exe:2036
    knbcenter.exe:916
    reg.exe:1976
    reg.exe:708
    skinupdater.exe:348

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\send_ba0.gz (586 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearchb.dat (6341 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztma002d.psg (74 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.ini (172 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbpolicy.dll (15628 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\alipay.png (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\baifubao.png (6 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\atxhlp.dat (21 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\xinput1_3.dll (880 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\kdumprep.exe (7541 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\毒霸网址大全.lnk (1 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3002.ksg (8 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseutil.dll (2976 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj021204.fsg (262 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0005.vsg (263 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\unknown.ksg (422 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\libvideo.dat (15 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_unsafe.png (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\bc.png (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\vinfo.ini (833 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\spdb.png (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepbb002.ksg (1 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaevname.dat (108 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksedset.ini (425 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepc0002.ksg (1 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7001.vsg (265 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\修复浏览器.lnk (748 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\chrome.dll (503987 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb0002.vsg (263 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\cdeploy.dat (11 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Localauto.db (40 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.psg (132 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\manifest.json (2 bytes)
    %System%\drivers\ksapi.sys (601 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\KNBDrv64.sys (1543 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\99bill.png (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Install.bat (24 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\npaliedit.dll (2836 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gare.db (66 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj011204.fsg (262 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb7001.vsg (263 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb3001.ksg (92 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Extract.dll (3773 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\incognito.dat (1650 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepba000.ksg (1 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7999.vsg (266 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\kmsgsvc.dll (8953 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac002.ksg (3702 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\skin_thumbnail.png (5 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\karchive.dat (101 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6001.ksg (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\boc.png (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaext2.dat (85 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\skinupdater.exe (21987 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\autofilljs2.dat (89 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\FixBrowser.exe (18429 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adfilter.dat (131 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0002.fsg (288 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\kui.pak (30655 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvba012.vsg (273 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\locales\en-US.pak (195 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\kBrowserUpgrade2.dll (2787 bytes)
    %Documents and Settings%\%current user%\Desktop\猎豹安全浏览器.lnk (634 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.fsg (120 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksecfg.ini (1 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\psbc.png (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zema0007.psg (68 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\lego.dat (1 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\befc2009.psg (82 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmb0014.psg (68 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdet2.dll (10359 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\p1tl.dat (6 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\mousegesturelib.xml (2 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\卸载猎豹安全浏览器.lnk (726 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0003.ksg (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\newtab_img2.zip (7972 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\nologin.dat (897 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw2.dat (772 bytes)
    %Program Files%\liebao\2014522163323984_1\browserpacket.xml (178 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_touch_100_percent.pak (6399 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbctrl.dll (3109 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\ManualUpgrade.exe (9449 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\resources.pak (45687 bytes)
    %Documents and Settings%\%current user%\Desktop\毒霸网址大全.lnk (1 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\config\kseeat.cfg (155 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\send_318.gz (238 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\trackers.dat (1760 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.sys (712 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\ceb.png (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\Preferences_resintall (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay_site.dat (19 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\tn.dat (1704 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecore.dat (327 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\AllSigns.ini (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000f.fsg (262 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_en-US.pak (25 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksesscan.dll (7879 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\sqlite3.exe (5007 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\ljdfelebfnfpjclmmkljlnagcdkpfpdl\1.0\Cached Theme.pak (6363 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\zlib1.dll (1112 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\KPreferences (503 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb8009.ksg (5 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\uninst.exe (10202 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseexf.dat (107 bytes)
    %Program Files%\liebao\liebao.exe (11518 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksepnf.dat (107 bytes)
    %System%\drivers\knbdrv.sys (601 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\dlcore.dll (20026 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\pkw.dat (669 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb8003.ksg (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\checkvideo.dat (61 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb8008.vsg (264 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_46.dll (28052 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\localurl.db (3668 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kadfilter.dll (5863 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\LegoIcon\lego.dat (1 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\MouseGesture.dll (8245 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\feature2.dat (23 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\libGLESv2.dll (5682 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install_info.json (255 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\safepay.dat (19 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\install2_log.log (72726 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj101204.fsg (262 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepac001.ksg (1844 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\third_party\baidu_hd_query.dll (3341 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztmc0000.psg (66 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\falset.psg (132 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\czb.png (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\PepperFlash\pepflashplayer.dll (110917 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb7001.ksg (1 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\kBUpdateHelper.dll (13747 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\ffmpegsumo.dll (11323 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\kvipinter.dll (3811 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\猎豹安全浏览器\猎豹安全浏览器.lnk (632 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\ksapi.dll (691 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvb9008.vsg (264 bytes)
    %System%\drivers\KNBDrv64.sys (601 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\hxb.png (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseescan.dll (4564 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfc000b.fsg (262 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Logos.db (3769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Local State (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0011.vsg (263 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\ktoolupd.dll (2779 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\icbc.png (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj141203.fsg (262 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.exe (14580 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\bepb6002.ksg (4 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipbb004.ksg (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfb7001.fsg (264 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb0001.ksg (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\Allvinfo.ini (833 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kseset.dat (229 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\srvpref.dat (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\oj051204.fsg (262 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\locales\zh-CN.pak (193 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\resource.dat (735 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\Bookmarks (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\d3dcompiler_43.dll (15709 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\false.ksg (888 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvc0019.vsg (264 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\ksais.dat (8 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\anti_injection2.dat (710 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\scom.dll (1596 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\libEGL.dll (1722 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kfcdetect.dll (7469 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\SecondaryTile.png (5 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\plugins\np-mswmp.dll (1724 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztfb0005.fsg (288 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\uplive.dll (15007 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\sqlite.dll (1872 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\ztvbb00d.vsg (270 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\signs.ini (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\tenpay.png (2 bytes)
    %Program Files%\liebao\test_access (30 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\chrome_100_percent.pak (6387 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\cmb.png (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaearcha.dat (1358 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\gdeploy.dat (6 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zepb9002.ksg (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\gdb.png (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaextend.dat (106 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\upgrade.dll (9080 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecoref.dat (106 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipba004.ksg (7 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorea.dat (173 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kaxhlp.dll (4594 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\adb_easylist.dat (7386 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\knbdrv.sys (1326 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\webresource.dat (7712 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.dll (210497 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\TNProxy.dll (5849 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\liebao.ico (30 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\switchcore.db (7386 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\PresetExtensions\nffflelpnjalbndohecponhmlcihbgeo\1.0\Cached Theme.pak (1610 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\knbcenter.exe (4415 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\unionpay.png (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxy.dll (4458 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb0002.ksg (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\kwnp.dat (23 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\master_preferences (557 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\Tencentdl.exe (8880 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\sdb.png (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipc0003.ksg (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\cyui.exe (3249 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\img\safesearch_safe.png (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\ksbwdt.ini (2 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btvb7002.vsg (294 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\DesktopTips.exe (7305 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\locales\kui_zh-CN.pak (24 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\security\kxescan\kae\kaecorem.dat (97 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Data\wd.dat (6 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\btfc2009.psg (92 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\security\ksg\zipb7004.ksg (3 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\Module\qqdl\DownloadProxyPS.dll (1806 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\猎豹安全浏览器.lnk (652 bytes)
    %Program Files%\liebao\2014522163323984_1\LBBrowser\cysvc.dll (6685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0liebao.exe (3750 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ÊÖ»úºäÕ¨»ú.exe (12288 bytes)
    %Program Files%\liebao\4.5.34.6725\Data\expand_safepay.dat (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db (293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\uproperty.db-journal (532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\manager.log (455 bytes)
    %Program Files%\liebao\4.5.34.6725\log\kmctrl.log (1537 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\upgrade\cleanup.log (1064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\LOG (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\2.tmp (212 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000001 (41 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\MANIFEST-000002 (69 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000001.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\website\000002.dbtmp (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.tmp (131 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\send_5ac.gz (432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe (365108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\boot_setup.pack.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd (9216408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\liebao\Bootsetup\2.1.11.3341\66\ksbinstaller_66_82685.exe.pack.fd.cfg (3656 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Program Files%\Common Files\Tencent\QQDownload\122\dlcore.dll (14022 bytes)
    %Program Files%\Common Files\Tencent\QQDownload\122\Tencentdl.exe (6841 bytes)
    %Program Files%\Common Files\Tencent\QQDownload\122\extract.dll (2105 bytes)
    %Program Files%\Common Files\Tencent\QQDownload\122\DownloadProxyPS.dll (601 bytes)
    %Program Files%\Common Files\Tencent\QQDownload\122\InstallInfo.xml (25 bytes)
    %Program Files%\Common Files\Tencent\QQDownload\122\tnproxy.dll (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\setup.bat (350 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.tmp\down_s_66_82685.exe (5547 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
