MD5: 244e856da43d196da572b9a0aa6459cf
SHA1: fce562d95bc4f1aeeeec7b3df5a634863f83e339
SHA256: 96a6b4fbb1006dcbc8a9c7524c50d35a7028852d9946bcf4f6cc823a66d07597
SSDeep: 49152:9pGNJMFqdwk0cQHGiYYSzSY5voVU7zQYwH: XMFqdwkLQHHhsSYt8lH
Size: 1871872 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-05-21 08:35:22
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1832

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\ucenter[1].js (19040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\jquery-1.2.1.pack[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\top_bar[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\tjrm_img09[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\161QF3VD[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\sgxz2_20140506[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\4399_17152503697[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\4399_16125310445[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\xfv521[1].htm (1751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\tjrm_img06[1].jpg (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\4399_17485812405[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\style[1].css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\4399_10301944353[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\2611145923P[1].jpg (942 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\btn2[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\161Q63IW6[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\logo[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\xfv521[1].swf (29645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\base[1].css (13921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\4399_17491964623[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\dizhi[1].txt (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\tjrm_img08[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\xfv521[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\sgxz2_20140506[2].css (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\129731[2].htm (2618 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\129731[1].htm (3286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\jquery-1.2.1.pack[2].js (1740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\chkDomain[1].js (554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\tqq[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\tjrm_img011[1].jpg (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\bg[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\291[1].txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\tjrm_img07[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\161Q62J3c[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\2QH24a102[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\xfv521[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\jquery-1.2.1.pack[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\sgxz2_20140506[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\129731[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 D6 B2 41 42 B9 CF 17 04 7D A7 20 FC E1 00 43"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://4399hw.xdwscache.glb0.lxdns.com/flash/129731.htm
hxxp://www.se592.com/dahui/291.txt	103.225.85.207
hxxp://www.se592.com/dahui/dizhi.txt	103.225.85.207
hxxp://4399hw.xdwscache.glb0.lxdns.com/css/sgxz2_20140506.css
hxxp://4399hw.xdwscache.glb0.lxdns.com/jss/jquery-1.2.1.pack.js
hxxp://4399hw.xdwscache.glb0.lxdns.com/images/play/logo.gif
hxxp://other.all.4399yyy.com/4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.htm
hxxp://4399hw.xdwscache.glb0.lxdns.com/uploads/userup/1401/161Q63IW6.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/uploads/userup/1401/161Q62J3c.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2015/4/20/4399_16125310445.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2015/4/30/4399_17491964623.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/flashzt/img/sgxz2/bg.png
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2015/4/25/4399_10301944353.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/images/play/top_bar.gif
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2012/tjyx/tjrm_img07.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2012/tjyx/tjrm_img09.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/uploads/userup/1404/2611145923P.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/flashzt/img/sgxz2/btn1.png
hxxp://4399hw.xdwscache.glb0.lxdns.com/uploads/userup/1409/2QH24a102.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/uploads/userup/1401/161QF3VD.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/gongfupai/images/tqq.gif
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2012/tjyx/tjrm_img08.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2015/1/26/4399_17152503697.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2015/3/12/4399_17485812405.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2012/tjyx/tjrm_img06.jpg
hxxp://other.all.4399yyy.com/4399swf/js/chkDomain.js
hxxp://4399hw.xdwscache.glb0.lxdns.com/flashzt/img/sgxz2/btn2.png
hxxp://4399hw.xdwscache.glb0.lxdns.com/flashzt/img/sgxz2/bg2.jpg
hxxp://4399hw.xdwscache.glb0.lxdns.com/resource/css/base.css
hxxp://4399hw.xdwscache.glb0.lxdns.com/flashUniLogin/css/style.css?v=20121016
hxxp://4399hw.xdwscache.glb0.lxdns.com/resource/ucenter.js
hxxp://4399hw.xdwscache.glb0.lxdns.com/upload_pic/2012/tjyx/tjrm_img011.jpg
hxxp://other.all.4399yyy.com/4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.swf
hxxp://imga2.4399.cn/upload_pic/2012/tjyx/tjrm_img07.jpg	203.130.61.92
hxxp://news.4399.com/uploads/userup/1404/2611145923P.jpg	203.130.61.92
hxxp://imga1.4399.cn/upload_pic/2012/tjyx/tjrm_img06.jpg	203.130.61.92
hxxp://www.4399.com/jss/jquery-1.2.1.pack.js	203.130.61.92
hxxp://news.4399.com/gongfupai/images/tqq.gif	203.130.61.92
hxxp://imga2.4399.cn/upload_pic/2015/4/25/4399_10301944353.jpg	203.130.61.92
hxxp://news.4399.com/uploads/userup/1401/161Q63IW6.jpg	203.130.61.92
hxxp://www.4399.com/images/play/logo.gif	203.130.61.92
hxxp://szhong.4399.com/4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.swf	218.95.101.8
hxxp://www.4399.com/flashzt/img/sgxz2/btn2.png	203.130.61.92
hxxp://news.4399.com/uploads/userup/1409/2QH24a102.jpg	203.130.61.92
hxxp://imga1.4399.cn/upload_pic/2015/3/12/4399_17485812405.jpg	203.130.61.92
hxxp://ptlogin.3304399.net/resource/css/base.css	203.130.61.92
hxxp://imga3.4399.cn/upload_pic/2012/tjyx/tjrm_img09.jpg	203.130.61.92
hxxp://imga.4399.cn/upload_pic/2015/1/26/4399_17152503697.jpg	203.130.61.92
hxxp://news.4399.com/uploads/userup/1401/161Q62J3c.jpg	203.130.61.92
hxxp://www.4399.com/images/play/top_bar.gif	203.130.61.92
hxxp://news.4399.com/uploads/userup/1401/161QF3VD.jpg	203.130.61.92
hxxp://imga3.4399.cn/upload_pic/2015/4/20/4399_16125310445.jpg	203.130.61.92
hxxp://www.4399.com/flash/129731.htm	203.130.61.92
hxxp://imga4.4399.cn/upload_pic/2012/tjyx/tjrm_img011.jpg	203.130.61.92
hxxp://ptlogin.3304399.net/resource/ucenter.js	203.130.61.92
hxxp://imga4.4399.cn/upload_pic/2015/4/30/4399_17491964623.jpg	203.130.61.92
hxxp://szhong.4399.com/4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.htm	218.95.101.8
hxxp://www.4399.com/css/sgxz2_20140506.css	203.130.61.92
hxxp://szhong.4399.com/4399swf/js/chkDomain.js	218.95.101.8
hxxp://s4.img4399.com/flashUniLogin/css/style.css?v=20121016	203.130.61.92
hxxp://www.4399.com/flashzt/img/sgxz2/bg.png	203.130.61.92
hxxp://imga.4399.cn/upload_pic/2012/tjyx/tjrm_img08.jpg	203.130.61.92
stat.api.4399.com	115.182.52.104

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Outdated Windows Flash Version IE

Traffic

GET /resource/css/base.css HTTP/1.1

Accept: */*

Referer: hXXp://szhong.4399.com/4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ptlogin.3304399.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Tue, 04 Aug 2015 04:20:04 GMT

Date: Tue, 04 Aug 2015 03:20:04 GMT

Server: nginx/1.4.1

Content-Type: text/css

Content-Length: 33079

Last-Modified: Fri, 19 Jun 2015 09:10:56 GMT

ETag: "5583dca0-8137"

Cache-Control: max-age=3600

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 jfzh181:8107 (Cdn Cache Server V2.0), 1.1 kf50:2 (Cdn Cache Server V2.0)

Connection: keep-alive
@charset "utf-8";../* CSS Document ..Use for:...Version:.1.0..Date:..2
011/08/10..Author:..f2er..Update:     2012/05/03..*/...login_embed_ifr
ame{border:none; width:100%;}...login_embed_iframe_hor{border:none; wi
dth:100%; height:100%}...login_horizon{height:31px; line-height:31px; 
/*padding:9px 0;height:12px;*/}...login_vertical{width:530px;} /*modif
y by qf 05-03*/../*............*/...mt5{ margin-top:5px;}...mt10{ marg
in-top:10px;}...mt20{ margin-top:20px;}...mt30{ margin-top:30px;}...mt
35{ margin-top:35px;}...w256{ width:256px;}..#popup_login_div{ width:4
00px; margin:0 auto; padding: 16px 0; }..#popup_reg_div{ padding: 0 0 
16px 0; }../*............*/...login_horizon legend,.login_vertical leg
end,.login_module legend{ display:none}../*login_horizon*/...iptw1{ wi
dth:73px;}...iptw2{ width:154px}...wtc{ width:352px;}...wframe{ /*widt
h:620px;*/ width:530px;}...wframepwd{width:280px;}...login_horizon a,.
login_vertical a{ color:#1278c0;vertical-align:middle;}../*......chrom
e..@media screen and (-webkit-min-device-pixel-ratio:0){..  .login_hor
izon a,.login_vertical a{...vertical-align:top;..  } ..}*/...login_hor
izon a:hover,.login_vertical a:hover{color:#ff5712}../*login_horizon*/
...login_horizon .login_hor,.login_horizon .login_btn{ float:left; mar
gin-right:10px; display:inline;}...login_horizon label{ color:#333}...
login_horizon .login_ipt,.login_vertical .login_ipt{ border:1px solid 
#ccc;/* width:144px;*/ padding:2px 3px; background:url(../images/sprit
eV2.png?v=131127) repeat-x 0 -31px; height:22px; line-height:22px;
<<< skipped >>>

GET /uploads/userup/1401/161Q62J3c.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: news.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sun, 13 Dec 2015 12:14:01 GMT

Date: Tue, 16 Jun 2015 12:14:01 GMT

Server: nginx/1.4.2

Content-Type: image/jpeg

Content-Length: 5242

Last-Modified: Thu, 16 Jan 2014 10:16:27 GMT

ETag: "52d7b17b-147a"

Cache-Control: max-age=15552000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx39:8106 (Cdn Cache Server V2.0), 1.1 kf49:2 (Cdn Cache Server V2.0)

Connection: keep-alive
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................t.j.........
......................................................................
...........!1.A.Qa"q.2...Bb#...R.....r.S4.......................!1.A..
..Qaq."2B........#3.............?..y....i.c.5/$.B....bz.....[c.x..2. g
....i..Wi*......j.h.7_N.../[*....J.).H..q9.1y......Oz......=u...G.P...
.S.L....4. ...$...jY.....9.Gy%...1...F...4%.B{z.U1. ...y.nm.. ..U5.f_.
;...X....[..d..z....eg....#o...0..M1.9RT.!..*......Oz.........8....=..
\.\...0...."R. l.....w...v.j<.........P...^_.....eg.........5..J...
WoQ...b=|9j....u.....1..EgHV.....'._..x..C...^..e...B.L%A.s...@....]G.
.. .Vv.};}>'...kJ.h..g.:.>.....X.p....p]...k.....WSG..$.........
.K8.......xc..,3....v..9.......VS...e...)....,.I.]_.M...S\$w.V:.d...O.
/~........?...s.".O cq.j....S.TW..@;...#..n.tcukF%.$g..[..&.?.J..`...)
.i@G~...Qwm..<}...q.i.$3L....,YY..#..........P...._....0.y.dK..N..A
...ibha(....'.....j.)Y:.O_d..L?......S.G..8....|. ....-....Z...Q......
..=u..uIw.i9...p|..=........#.....f'....Y'....&-.U..X......Q.....t....
....G.......za.9....e/q.el..tk....ZM0.....F.uf7..,...&..]eJ...Pd......
..&.&......e.)..j.N.._...L'.....P..v;..}...M.P....2..... u....6.lK3.^.
RI$../.....H..9f....r...x#1[.%.Yc>.s/...{z.5.kRGg...8...-C;HdZ.n.@4
.;@.Y_.tn.`4...<.5.\A...........N......U......= N.../.....d...U..s.
...;........>.Gm<0[.....C e...]....^sk%.....73..O/.z.]=.....
<<< skipped >>>

GET /uploads/userup/1409/2QH24a102.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: news.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sun, 13 Dec 2015 12:13:41 GMT

Date: Tue, 16 Jun 2015 12:13:41 GMT

Server: nginx/1.4.2

Content-Type: image/jpeg

Content-Length: 5705

Last-Modified: Sun, 28 Sep 2014 09:22:49 GMT

ETag: "5427d369-1649"

Cache-Control: max-age=15552000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx40:8106 (Cdn Cache Server V2.0), 1.1 kf49:5 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......<......Adobe.d.........
......................................................................
..................................................................t.j.
......................................................................
...................!.1A..Qa".2B#q.....Rb3........c$4..................
.....!1..AQ.aq"2.......B....Rb.#3r..............?..:D4.i..'....1..X..C
........ir....;.W'..........}......bA.....:....b.B..].\.F.:Z.[..g.w<
;..b352Q1....".'}..Clw...i..3epI.Fs.]&.."f.}'....O..~<....v.H.f....
....a..sY:Ir...*...U..a.S4b.\ ..^^@xj.u. ..........u........c*..V.,.i.
(.p7..).E..n.\...n4.u.7..../....n.C..._...K$kW%Nw.....$..AF.JH.....;..
....43;=.n--....}i$..3.@....$..."e.N'}.qR..=......e...c..Vog.3X...q..!
$..O...V..:..}O.9.o.*.S..S..M-........R..i...V..XcY!......\:[email protected]..
... .\.......g~... Tl?........^..._.....?(..L:..x.[s.[c.....e-.5.7..=.
f..77f..M...K...Z...a.F...37ld...b....`x....~....7...-j..i.J*:=.......
.[.../N..,.._.I^FNm.3K3.Y.O.]|....f......4..S..`....r.8........!....y.
.;2.*O..(ge.7m.........5..SZh...U.N.....D.,.c...Dq....ry.!..H.K.T..X.x
..Q...fS$l.Tx......RXt.N..b......E@$e4>.....R.{i3.{..kw/l..6$h..Wx.
.vd,>..m.[c.L.....;/.....$.jr.|~FVa-G....*.t.wU;m.4.......O.(I.Y...
S2...X...n..~W.>:....F......B1N.-4..a..I%....q..q.qt!V.T..9..}.n..v
...*.Jf(..V..\x..xjd.6).i'....d>.....r=Tu:...H..}......N>..]b.N'
.>#[email protected]\.".T...}.l....K..K.....8wc..-t..w.}..Tv..F.;
.\0#.e..].....l....J..iXl..U...O>..d ...u.A.....35[y.......J...
<<< skipped >>>

GET /uploads/userup/1401/161QF3VD.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: news.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sun, 13 Dec 2015 12:13:49 GMT

Date: Tue, 16 Jun 2015 12:13:49 GMT

Server: nginx/1.4.2

Content-Type: image/jpeg

Content-Length: 5012

Last-Modified: Thu, 16 Jan 2014 10:17:03 GMT

ETag: "52d7b19f-1394"

Cache-Control: max-age=15552000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx41:80 (Cdn Cache Server V2.0), 1.1 kf48:2 (Cdn Cache Server V2.0)

Connection: keep-alive
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................t.j.........
......................................................................
..........!1..AQ..a".q.23..Bb#...RrC..c$.....S..F.....................
...!1Q.Aa"...2...q...Bb#.R.r..............?..[m..<.. . 8G..*,.Bsux.
..U.22......{.0.s...\.......[hyJ...a...oz..d..O. ...{........]*)..e\..
J....).!h.k.|(. ig.L.$..s.B.e.9^.*Jo.v.E.?Ql.;o....Z..'.K....E'....R..
."...v...~.Ooh.QA.a........Hb....9.2"3.........K- ..HQ...{..oz.Yd..c. 
...{./N....d..l....(..$.L.....:....._...!...oz.=;........i......z..h.H
...!.3.6)Br.g.(. ......7qn.......r.wD.L4..KbD....JKiI2...hE7..tFo...{.
F..4.7&.h..............*.*...o......T...I....I..H.......b.....p.....{.
...}..t..R....j........<.........Kn..k.U..a...}b..)m..IJL..... 1...
.....GE...mm..p...X.b...P.*.BS..J0R....0......i...9{|e...............m
>.........C(..K.S.C$Fy.....H...?l8...<| .......l..-.c...-*......
..i'ISd..'R..a...Y*...A ...z&Q0. [email protected]....%.iR.HgXS..R....S..
<.7.. h..I.......K.....9. ....?.3w.;Otb.2.g.Z."3..<0...l8..p>
...}.....a........Z...L..*Y...P.z.6....0..i...6...iT.b............&..h
.q.....=]Z...6....D..u...>..z{..i.h.4.....Hp.F..x...fe....._..f.4v.
.?..!-#..E..Dg........<..>....[...6.}...E dS.L.....O....9.hGs..:
#...U.K.U....ek...p...QR..c.J.A.t....:... .F...(P..U:5%.........4.....
c.9QT.UY......M.H)HI...`2JfHO!8..b...S##...C g..r0...CVbg..5..G..#
<<< skipped >>>

GET /resource/ucenter.js HTTP/1.1

Accept: */*

Referer: hXXp://szhong.4399.com/4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ptlogin.3304399.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Tue, 04 Aug 2015 05:10:41 GMT

Date: Tue, 04 Aug 2015 04:10:41 GMT

Server: nginx/1.4.1

Content-Type: application/x-javascript

Content-Length: 46416

Last-Modified: Fri, 17 Jul 2015 08:10:58 GMT

ETag: "55a8b892-b550"

Cache-Control: max-age=3600

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 jfzh182:80 (Cdn Cache Server V2.0), 1.1 kf48:10 (Cdn Cache Server V2.0)

Connection: keep-alive
uni_login_type_key = "loginType";..uni_login_username_key = "username"
;..uni_login_uid_key = "uid";..uni_login_nick_key = "Pnick";..uni_logi
n_qqnick_key = "Qnick";..uni_login_puser_key = "Puser";..uni_login_ptu
sertype_key = "ptusertype";..uni_login_phonebinded = "phonebinded";..u
ni_login_lastLoginDate = "lastLoginDate";..uni_login_lastLoginAppGame 
= "lastLoginAppGame";..uni_login_lastLoginTime = "lastLoginTimeStamp";
..uni_login_type_qq = "qq";..uni_login_layout_horizontal = "horizontal
";..uni_login_layout_vertical = "vertical";.....var unionLoginProps = 
{};..function getCookieValue(propKey, defaultValue){...uniCookie = JK.
Passport.get();...if(!uniCookie)....return defaultValue;...return uniC
ookie[propKey] || defaultValue;..}..UniLogin = {};..UniLogin.getUid = 
function(){...return getCookieValue(uni_login_uid_key);..}..UniLogin.g
etUname = function(){...return getCookieValue(uni_login_username_key);
..}..UniLogin.getUserType = function(){...return getCookieValue(uni_lo
gin_ptusertype_key);..}..UniLogin.getQnick = function(){...return getC
ookieValue(uni_login_qqnick_key);..}..UniLogin.getNick = function(){..
.if (!UniLogin.getUid()) return null;...var nick = getCookieValue(uni_
login_nick_key);...if (!nick) {....return null;...} else {....if (nick
.replace(/[^x00-xFF]/g,'**').length < 2) {.....return null;....} el
se {.....return nick;....}...}..}..fetchNickTryCount = 0;..UniLogin.fe
tchNick = function(callback){..setTimeout(function(){....if (!UniLogin
.getUid()) return;....var nick = getCookieValue(uni_login_nick_key
<<< skipped >>>

GET /upload_pic/2012/tjyx/tjrm_img09.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga3.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 27 Oct 2014 07:12:36 GMT

Cache-Control: max-age=31536000

Content-Length: 3085

Content-Type: image/jpeg

Last-Modified: Thu, 01 Mar 2012 06:03:42 GMT

Accept-Ranges: bytes

ETag: "8086cdd71f7cc1:34b"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 zjjhdx39:8104 (Cdn Cache Server V2.0), 1.1 kf49:9 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......<......hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c060 61.134777, 2010/02/12-17:32:00        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xm
lns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.ado
be.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/
1.0/" xmpRights:Marked="False" xmpMM:OriginalDocumentID="xmp.did:7C3C9
0818062E1119A50B0F09DBE5343" xmpMM:DocumentID="xmp.did:490DB7D562B611E
1987FB533819DF614" xmpMM:InstanceID="xmp.iid:490DB7D462B611E1987FB5338
19DF614" xmp:CreatorTool="Adobe Photoshop 7.0"> <xmpMM:DerivedFr
om stRef:instanceID="uuid:02cd31e0-62b0-11e1-a9f2-89007db68855" stRef:
documentID="adobe:docid:photoshop:3e3cd8bb-62a6-11e1-b37d-c0893894c906
"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> &l
t;?xpacket end="r"?>....Adobe.d....................................
......................................................................
.......................................*.D............................
...........................................................1.!Q..A"2..
aq..r3..Rb.#C4...B..D^..........................!1.AQ.aq.."2........
..BR#br..3C.............?..nq^.....m......./.a...PGR.y.W.xH........F..
.&..k.K-..dw.h:7.x..\[email protected]...;A..~6.q8...<.%}.{.a..[w...im..9b.j
<<< skipped >>>

GET /jss/jquery-1.2.1.pack.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Mon, 02 Nov 2015 02:52:24 GMT

Date: Tue, 04 Aug 2015 02:52:24 GMT

Server: nginx

Content-Type: application/x-javascript

Last-Modified: Sun, 10 Nov 2013 09:24:37 GMT

Transfer-Encoding: chunked

Cache-Control: max-age=7776000

Content-Encoding: gzip

Age: 1

X-Via: 1.1 shjc71:8080 (Cdn Cache Server V2.0), 1.1 kf49:6 (Cdn Cache Server V2.0)

Connection: keep-alive
39f2..............y_.J......h.$R,.......B....d;@..E6f..m..b^...U.@..{.
.9cI.^..k.j....JOJ'....g)..(....gW....Y.m.Gk......R......A.xZ.;A)Y\\*.
...K...._.O....3:.T..e..t6.d.I.-]....4=.J[..%......k..................
o/g.L...?^..Y. ._l...RRiV..b.4.X]\,.{...D.^va..........f.R.U.y.....3.w
9.L.......Nx.f.8.....Np3......y.Z}.......$..N..B ....w..?[..Jmuo:...Qo
<:.y....u3.SN.A..MG.._........=~.....V'...-..}..\...h8?.....G..A.(.
u.r....... Q...h....W......oW:i|.r.3...."...b..|..k..>......l..... 
.. .#..[.....n.~|^Z.K..^.^.J.V.Kki...........F.^Z.,.....{ j.<....u.
...W.. 4....L...|{z....G...$(?...=;z.G.............t-.<Ooj..o.N..nX
.<..z....oy..z.<...=....?z.....v..d&z.:tU}......V....~.*{T...e;.
.Q...V..d.(..n........J=z.. ...m.....r.(....)[email protected].^..4.#
uLOQ....b...x....T.....8...=...O..b...n(..=Z..c:.s..mX.4=c~/\...l..w..
..b......R M?.Z.z.....n.d.^.-.b...._.:..o....R._\._.,Q...._.2..P.TP.Z.
^/ . ...w>..............n...........X..=..g..|ai...>..Y.dy... Q.
[email protected].........{[email protected]....
]... ..g.xm.=z...AW.B5...1...Z..LS......]..(...rb.`...K..i9u.1.....f..
A.....iz.....a...k.'$D.. ._j..a.z.b...z.W..> v..R]..uk....[V....7..
.....k...b...[..}E.qX......n.3I.EL,...O....]-.o.`...........D3....-...
......Q..j'..jW........X,3..I..=..........E.G.._8.V~vT...(..0..Q...(..
g.1.V..J5...K.6..i......K. .K."6.Q....a.K.....{O. .n..nY..........u.~.
[email protected].%;^."vh9v.......$.{~.`... [email protected]}.F..i.
...:...o.....,J[..O.uAM$`...p..][email protected][s..V....:
<<< skipped >>>

GET /uploads/userup/1401/161Q63IW6.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: news.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sun, 13 Dec 2015 12:13:38 GMT

Date: Tue, 16 Jun 2015 12:13:38 GMT

Server: nginx/1.4.2

Content-Type: image/jpeg

Content-Length: 5338

Last-Modified: Thu, 16 Jan 2014 10:16:37 GMT

ETag: "52d7b185-14da"

Cache-Control: max-age=15552000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx40:8080 (Cdn Cache Server V2.0), 1.1 kf50:10 (Cdn Cache Server V2.0)

Connection: keep-alive
......JFIF.....d.d......Ducky.......<......Adobe.d.................
......................................................................
..........................................................t.j.........
......................................................................
...........!1A..Qaq"2..B...br#.R.5....3Sc......................!1..AQa
q.".........2BR.r..............?..:Dm..q..).. f.....4...(......^......
...c.....--<.t..-.n.6.[y....G="....A..P{."G9G'.5L6....k.P..j...QA..
.....#|3.)r...da_....q...PM.jGa...}.f..Z..xKz...Y...p.!.CH..."G.C...\.
...sGo...]\ZO56$.D..wUz.....L...X....g2..$Y...(..NR...'......Q...=..L.
JK...C^..0..[...7..\V.Q]b'.....^u.y..!yWs1$ S......eV.s.l;)...;we...6F
=W.M...3{. *B.0....... .q.N.I....e9.w........l$......I.8E.y.i.<I...
 L..q....V$..t_..>x.S-...*.C?u..EH. .. Q...,.._....R.....W...p.....
l...R...F.o.|........xIo..ZT...6.......S..@[email protected]. x
..K....&.....{.S.L ...........,..J.S.....1.egd.....$...P...WSG$.';....
...s..."E=V.d.........P...;e...J...t.... .oQ}6.........\..K..H.^......
..Q.*;m....]n.]%...S.s..........5.*._c.6...Aoof".g.e..v...z.Q.*0~...T.
.VHc...uP..J.....=.r...5...`....ru.`5...R$....f.D}6_.2yl.K....ec.Y..U.
......U..K...}..M..M.6.K.Q&..6J<.#..6w>E....0P<..I..."...{..&
gt;...F.gd...J.e.c].e24,*@ea.......>...K..N8.....n-...R......\0....
.........h.u(.w.......p[.<.0H..,M...cA0W..}..M.xt6w ~.vE..... ...;.
.......w...t...."E.T.......Y.,.I......Z..nZ..k....J/.[.\.......*..'.'.
Kk....Q..Z...1....ukP.#U..5.^.`..r[.E.O.../eoo..A,..._g....yR.$Ac.
<<< skipped >>>

GET /uploads/userup/1404/2611145923P.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: news.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sun, 13 Dec 2015 12:13:43 GMT

Date: Tue, 16 Jun 2015 12:13:43 GMT

Server: nginx/1.4.2

Content-Type: image/jpeg

Content-Length: 10616

Last-Modified: Sat, 26 Apr 2014 03:14:59 GMT

ETag: "535b24b3-2978"

Cache-Control: max-age=15552000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 kf49:6 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......P.....)hXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> 
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
0 61.134777, 2010/02/12-17:32:00        "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http:
//ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/s
Type/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM
:InstanceID="xmp.iid:E7B7C668CCF011E395C9EF5B81B0F7E9" xmpMM:DocumentI
D="xmp.did:E7B7C669CCF011E395C9EF5B81B0F7E9"> <xmpMM:DerivedFrom
 stRef:instanceID="xmp.iid:E7B7C666CCF011E395C9EF5B81B0F7E9" stRef:doc
umentID="xmp.did:E7B7C667CCF011E395C9EF5B81B0F7E9"/> </rdf:Descr
iption> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?&g
t;....Adobe.d.........................................................
......................................................................
..................t.j.................................................
............................................!.1A..".Qa2..q..Bb#35.R.CS
4U.rcT6V.W.........................!1..AQa.q"2.......BR...br#.S....3c.
...........?.... ... .D.h...A..4A..#.;....B=....5...X.\[.o!......jb..{
-.GjL..T..yc.Hj3N6...rRJF.}......q..Jr..../.E..?...(.^.....%.........K
.....LHkx"[email protected]@....J..6.]".....$.P....3...({s...UL.....(..p...~
.......Q....X..r2{*..U...~.mKM.....f..b.\.R_B..|(.^.m..,m-.2.V...X
<<< skipped >>>

GET /gongfupai/images/tqq.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: news.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Sun, 10 Jan 2016 10:53:31 GMT

Date: Tue, 14 Jul 2015 10:53:31 GMT

Server: nginx/1.4.2

Content-Type: image/gif

Content-Length: 2129

Last-Modified: Thu, 09 Feb 2012 06:08:38 GMT

ETag: "4f3362e6-851"

Cache-Control: max-age=15552000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx35:8104 (Cdn Cache Server V2.0), 1.1 kf49:2 (Cdn Cache Server V2.0)

Connection: keep-alive
GIF89a..........Q........|../.....,..:..5..............{..............
...,........0..!..............W..T.....,.................I............
...............~....0....,...a.....G...eW_PMQ. ......NR\.....P....N<
;..~......L.....5$$....T..........,Vh.....r6.....|.......9........r...
...0...w.............pny...E..%....#&..F.....................#.-../...
....................^a\.............*..E."<H...gfX...;;67........Di
s.......L..E.L............:#...{..-.........p.z...........D...........
.SB..................$............EW.....  O_.&....{.....J...p[M..=-.@
...GB......$......../.....&|.'..</3~...............................
......................................................................
......................................................................
....................!..XMP DataXMP<?xpacket begin="..." id="W5M0MpC
ehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk
="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00        "> 
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
; <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/
1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:
//ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Phot
oshop CS5 Windows" xmpMM:InstanceID="xmp.iid:4F13FA2D52CA11E1A74AFDC7A
4232DF9" xmpMM:DocumentID="xmp.did:4F13FA2E52CA11E1A74AFDC7A4232DF9"&g
t; <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:4F13FA2B52CA11E1A74
AFDC7A4232DF9" stRef:documentID="xmp.did:4F13FA2C52CA11E1A74AFDC7A
<<< skipped >>>

GET /upload_pic/2015/1/26/4399_17152503697.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 27 Jan 2015 07:39:34 GMT

Cache-Control: max-age=31536000

Content-Length: 2170

Content-Type: image/jpeg

Last-Modified: Mon, 26 Jan 2015 09:15:25 GMT

Accept-Ranges: bytes

ETag: "80b44c9e4839d01:388"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 kf49:2 (Cdn Cache Server V2.0)

Connection: keep-alive
......JFIF.....H.H.....C..............................................
.........          ...C................                               
                  ......*.D.........................................6.
.........................!.1"AQ..23Ba.Rq.#Cbr.$4......................
.............3........................!1A.Q."#2Raq..3.....r...........
.....?......)..y%[email protected]..`...iXY...>/......nD.9..
.......4Fy...U4.O.5..#.R\.T..........fd!..dm...X=.j.t^e..f.2%L........
.K...\_.KT.2..o...VQL.~....d.mN..]...T.eq.r7.=kz.....0E5..33c@.}4...42
..d.......ZB..1.M.TI$.O...[.$}@z..x..S.h....>..........V..m[].TM$.$
.S....xE...,N...Cy*...u..\../.....4...$.1.b...ab.wX......[!KIL..p?..F.
|Us..].$=...N,..oe.Z.M3.K2Cr.y&G......Wn..M...........)..3...d..W...@N
...7..7....Y.......Z..Of...5A..g#.5.fwSi(..g.....!.Amk.c......uu..*...
.......S...tp.1S..H,.U..o..,4..K.F5:.5......=.e|..54r...T2$.o-eG..G;..
.....'v..xN..@. $yoby....\.....#....|_..|L..z5KG..6...B.....7.|.... ..
.M]..Qs.......lU,[email protected]...,....O......i&.........T.....$.....
..<.[...'..S.......p.$D.S..k.)....$.2.e.....%...S.6.]..T.....LU:.D.
Ogu/]...Y.HXr...G.........#je..1........E.....r....?./G.,.*]._....h..&
lt;..E.n-...%>O.T....Y..YQ......rC. ....%.2TL.c?){...... s......0..
..<...Sug..'..w.o=.....L.Mu....fD\....L..f........l4.....p(...f..N'
..2.z.[*JTYeG>... p.Hb.@%.yyzrS.'.R.|>.,t.c.w[O.2.C...sdR[....e.
...5D...AA..............ND~"..Lp......r.=c.P{[email protected].... 
......urS..Mna!.......#..X\9.U5N.......4..N..=z...I..r..ak.s.K..#8
<<< skipped >>>

GET /upload_pic/2012/tjyx/tjrm_img07.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga2.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 02 Mar 2015 10:13:09 GMT

Cache-Control: max-age=31536000

Content-Length: 3257

Content-Type: image/jpeg

Last-Modified: Wed, 29 Feb 2012 09:18:04 GMT

Accept-Ranges: bytes

ETag: "0ae5fac3f6cc1:388"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 zjjhdx39:8106 (Cdn Cache Server V2.0), 1.1 kf48:7 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......<......hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c060 61.134777, 2010/02/12-17:32:00        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xm
lns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.ado
be.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/
1.0/" xmpRights:Marked="False" xmpMM:OriginalDocumentID="xmp.did:7C3C9
0818062E1119A50B0F09DBE5343" xmpMM:DocumentID="xmp.did:48F37DFA62B611E
1987FB533819DF614" xmpMM:InstanceID="xmp.iid:48F37DF962B611E1987FB5338
19DF614" xmp:CreatorTool="Adobe Photoshop 7.0"> <xmpMM:DerivedFr
om stRef:instanceID="uuid:02cd31e0-62b0-11e1-a9f2-89007db68855" stRef:
documentID="adobe:docid:photoshop:3e3cd8bb-62a6-11e1-b37d-c0893894c906
"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> &l
t;?xpacket end="r"?>....Adobe.d....................................
......................................................................
.......................................*.D............................
...............................................................!1AQ2.4
.a"3..q...BRb.#C...r.c67.......................!1...Q.Aq2..a3...."#.r.
Cc$4............?..........rxY7..H.".-.L...4j,f.QW1.U}.).......5......
.j....e!/~Ko-.s..E...m..8M.q.SH3.......*..gu- R5....m......H.p....
<<< skipped >>>

GET /upload_pic/2015/4/25/4399_10301944353.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga2.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 25 Apr 2015 06:50:12 GMT

Cache-Control: max-age=31536000

Content-Length: 2657

Content-Type: image/jpeg

Last-Modified: Sat, 25 Apr 2015 02:30:19 GMT

Accept-Ranges: bytes

ETag: "802f8fc5ff7ed01:38e"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 jfzh182:80 (Cdn Cache Server V2.0), 1.1 kf50:1 (Cdn Cache Server V2.0)

Connection: keep-alive
......JFIF.....H.H.....C..............................................
.........          ...C................                               
                  ......*.D.........................................7.
..........................!1A."Q.#2Baq.b..$4CS...s....................
..............5.......................!..1AQaq...".....2br..3BR..#....
........?....3.2.....r..(qEN...7<&.1....3.<...(xC.3.....(./.MN..
.s .J..?.`...C.Hu.}* .7eki.%a ........._..7./..myV..i.g..I"....o}9..~.
.3,."...O .#.]!.......H.v.9..K..M.z.m.a...E......hD../.[..Q.(.;...4\..
..........N.....6.C%ISo[As..[..`Iu...l0b}..aHf.aM..W..[.x..N#..J..a..T
.kQ.....X.....<[email protected]..........{_A......l
.MG.#. u=...%...yI...!.|iP....UC9..1.....wG%!.(......q....7.^...~.r}.r
..iJ.N.._hs....."I[.q>.\g]a.t.Jo.P..8.......Q...-.#2M..P...I.j.....
..N".2.{.c......z..................{P......H..J...yn)l.$.I6).Rm.O.c=..
........M...a.N.........oU.|.....~....|w .MML\..r...(5..j..E.&3..D..L.
.B...1..(P..pfa.......w. n$..JH4....1...[....".....q.m...5%..uM.iP#B.^
1FK...5.d.......9.s..-.B.=...q6....>g.Xp.D.(.y7.y%j7......|...d.n..
N....*|.U.H.:....v...:.......j)....K...Y.bc1..?JC..K... ..k.o.. .o.ÿ
...q...:V.........N..rI......H9|.~.......|2..4m.SM....u.....EDX.../*..
y....N.?..%?q~..-.8........M..93..3.!cc..T?0..Y...m.UJ .-......m.'...x
.TN...\c7.hN.......po..S&Cv>.K..-....)[.0.|.[D\)......._.h.z.....M.
D.....*.k...n;.....9r.......*.....~`S..[.R7S.<....}....5...X*.9.(t 
.kJ...s...F..k?g(...oD.2.Q.....Yk......xOsa.L....=n.......j....n.j
<<< skipped >>>

GET /flash/129731.htm HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Tue, 04 Aug 2015 04:43:20 GMT

Date: Tue, 04 Aug 2015 04:13:20 GMT

Server: nginx

Content-Type: text/html

Last-Modified: Sat, 09 May 2015 05:49:22 GMT

Transfer-Encoding: chunked

Cache-Control: max-age=1800

Content-Encoding: gzip

X-Via: 1.1 shjcl69:8080 (Cdn Cache Server V2.0), 1.1 kf49:0 (Cdn Cache Server V2.0)

Connection: keep-alive
732b...............W.G...s....`s.8IFG.s][email protected]...>..._
......4Q......D.7..MNnmL....q{I.xg=U..Z.r...v...t'...O}....5k.....wk..
}..N.....wp....Y.."....Hd[.........e......WV...WU.WD"..dge...9..H..w.]
.......H...{L.f.._..Q>..X...M..O..'.w...z..:v,.....\V|.}.TYM1......
?.-.gc........uE.....*..m..){.&........g..j6.(q\............J.N...)/.P
...6..O...T.m.|..t.v...F.....x...3oxn,......!Y...Se...P...Ug.U %N~*..D
S..?{....L.iV...S.<..}......}Lu....._7.m{..)...t...{.}...?j....xt..
.....x...O...~{k......F;.w].....>q...)._.....>..........sm...q.n
.P].xG.....:y.....Hiuu...{.8G...,.....eg.)...]].~EY.........=Qi./.u.1.
......A...<[v..u.zg...tq............b...M.". V.B.........$...}.....
cU.gOA.Z...Tqy..l...C#.....;.g......j.......B......Zod.=...c..w...W..*
wT.W.,8...N,[email protected].............*.Jk..l|..7...W.$Y..q..Y'. ..
={.......MV. huY.....5g. O.s*.J..WU..?.".WOWU.o..X_^y......^..o..'...~
...., |...9Y^-..j.7)...........=Y.......5........g.....T....V..>.YB
.~9..... .G......SR\].US|...!.GK.......c.."'..TRu.}..c..d.B.....e.....
3l...Z....WV../l(~.SG .NTA.g..o|[email protected]...#. ...0..'
..3...........MYPD..W...4<?u........~.xE.9j...:{S...G..XT~.F....?..
.M...X..<...;.k(.....<...>..tYi9..v.....SWY=...........dg.c..
.....3../;vD.;...7._`..'W.`.5..c..e.Y.XU...g.AN4....U5.b.?....`.[^....
....Ug...^w....:.....\..F.L...#A..P......HIM%...'.#Y......`.g.We...._.
..*K .Ka`,>v.x.;....#...#.:...^}....kP...pYI_}.wg.j....:^\Q].o1.H .
.....=<..i..l&..-.........Oe...:]r..1...... K..Y.$.6.l.......C.
<<< skipped >>>

GET /css/sgxz2_20140506.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Mon, 02 Nov 2015 04:14:10 GMT

Date: Tue, 04 Aug 2015 04:14:10 GMT

Server: nginx

Content-Type: text/css

Last-Modified: Tue, 06 May 2014 07:18:27 GMT

Transfer-Encoding: chunked

Cache-Control: max-age=7776000

Content-Encoding: gzip

X-Via: 1.1 shjcl69:8080 (Cdn Cache Server V2.0), 1.1 kf48:3 (Cdn Cache Server V2.0)

Connection: keep-alive
b73.............Z...:........V."Hs......... H.a............26!....#M..
v.._}U.....v.....Y...//..G.............o..b#~..<.y..}..:w.yY..8....
]S5].......d....k..>.t.o..*=......x>.o?...X.u....6O....%.c.....q
..........*..NY....TNS.gU:G.9..1t..s\:....;....N.Ti.WN........(..{i...
.....L...}....|.ti_6u\7uN..c.=.x..,...S.....Y.kU.{...W......Y.{wJ ..F_
...9z.bW.)...q.....st9.t....X..y.".....>.9...?.........qd.}........
(.n....AJ....V..s...H[...c... %e].o.z..j....M....C!.K.|lDR5Es...>..
C.s..M.K...../..j\......k.....6V..)b...S.R<...h\B...............*.:
>A...........`....E..R.n.....y....<.H...^....u...S&}.W[H........
.l...f..h~.8. [email protected].%hJ..D..[-....Z....>......|gq....,
...d.|....._K.X...?6....k...s....y.%.i.8...BIb.9b...,f.EH..p....:.....
.!.F....2.....-w....;..k..J...9.C..(...'8.......]..../.hLL*.8..j..q.0.
...5)x=K...'..........1..7k............#x..e.l...{.....ye...2.H...h..l
....SB.I...*R.6T.G..<D.U...zN..*e.27..._:.#eT.Iv.UM.ZM9lH].~.\.....
.f..P.%*...\..l.X...r. ...,..3..9.[!...A"...N...AB.{.Q@3!0$O....E.|.6.
.*.u.z.Z......MKn..o.d.....&._...........)`~=TI..q.2X8.d?e...{..,..a.A
.d...&.AR.Ik....\e.Y.3.......oN.4E......W%. ..n'.n.C.....l..g.R.`.Up..
q?l.K.z.-:lh.E....S....G.Y..C./ ..7J...G..7.f....7Q.c.MtH..q.P.?...$.g
h...I.._..U....Uu.d....yG.......j.5..R`.I.[.....{.(?.FI.Z.A.p.%i.J...5
.5..&Ez...O...8`;@[email protected][....}.....=.`.P.af...p..uV"1O...\_..m.
...S>7....Za...'-^./.%.7.`;hB...!4..3...NM.'>GaT.......jp..D....
. %...l8m.i.....0..1.W'.......{........m.qe.......3..z.>.L.....
<<< skipped >>>

GET /images/play/logo.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Mon, 02 Nov 2015 01:50:42 GMT

Date: Tue, 04 Aug 2015 01:50:42 GMT

Server: nginx

Content-Type: image/gif

Content-Length: 2503

Last-Modified: Tue, 10 Jan 2012 01:51:38 GMT

Cache-Control: max-age=7776000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 shjcl69:88 (Cdn Cache Server V2.0), 1.1 kf49:8 (Cdn Cache Server V2.0)

Connection: keep-alive
GIF89az....................,...M.............Y......R..2..:..I........
.R.....f......wC..Z...R ............................r(.....<..0..2.
...c.z........=...n%Z..A....n.O...|.......R...k..Mv...s2.`..q=..j....i
"n...u'........5^.......b...........D.c,........M........d............
.l;.f#..3..B........c^.......w.......~-..W....K...b.z-....uC..K..D.K..
....]....m'.....].......e6.|;......y.....e...w*.....C.e1.E..^......k..
..z0.....z..{..\.[.....E..j$.e&....o.....M...5..9.v....n....1..6._..Y.
<...K.,....s.J.6.....$..0..8..(..4..&..2..:..*.........M.b.....g...
.h.......P....t.....j..b..>...........F..v..I..w.....6...x...q._-.G
..\..B..N..[..p?.p,.t)k....~.h:...L..P............o"..a..ia...k,.{H.f9
..e..f.I..e(.C......N........r.g...p.}*..V.}S..D.|*.},.x .............
yH....p..l...t......!.......,....z..............8..}P......#J.H1b.*...
..q.G......1cG.....F.[<M0c..I....5.. qR...'M...S.O.........'..]....
..'6i... ..E.rE.E,W....4. .Q.p.....`......A(..*..,B./Z..=..Y|......iY\
...[=...6.2.v7.5....i-.......P..p.....l......../..... .A.D.. .Wd^"..P.
 p....r.o....?C.........C..4.'.....\e..*#/....... k^...K}..a.-u.......
....c.......^ A..&T.!......X1!..'....&!.......P..A.V8.....y..?.xR..B..
K.H"Id....d.Vx.GA.x".O.....&..%...(.?Jx.C-h.)@Fu...I..........L.t.._~.
...E.J..... n...I.H#. .8...cT:.l&...  ."M...1RAb.c.!..A..~..MAv..H....
J....A.AP.c.....DFa.qH...S ..x.....QP#.......Z.]v..CA ... ......x..)..
.......%$.[o...4....a/.3.<..#.Z.=...hA8 .W..........3.-0.(....(..3.
(..d.(....(.4.@#..\W....A..$...'..H$..(PA.<...G....xH\..H#...-.
<<< skipped >>>

GET /images/play/top_bar.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Mon, 02 Nov 2015 02:56:57 GMT

Date: Tue, 04 Aug 2015 02:56:57 GMT

Server: nginx

Content-Type: image/gif

Content-Length: 1346

Last-Modified: Sat, 14 Jan 2012 05:54:53 GMT

Cache-Control: max-age=7776000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 hzsx165:88 (Cdn Cache Server V2.0), 1.1 kf50:3 (Cdn Cache Server V2.0)

Connection: keep-alive
GIF89a.. .............................................................
.......................................!..XMP DataXMP<?xpacket begi
n="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adob
e:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:
32:00        "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22
-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights=
"hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com
/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceR
ef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="False"
 xmpMM:OriginalDocumentID="uuid:40EA2139F23BE1119226953069C5583C" xmpM
M:DocumentID="xmp.did:47447DEC3E7411E19800D956A861C7DD" xmpMM:Instance
ID="xmp.iid:47447DEB3E7411E19800D956A861C7DD" xmp:CreatorTool="Adobe P
hotoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.
iid:0E6BC4ECC93DE11199588C0DC067E928" stRef:documentID="uuid:40EA2139F
23BE1119226953069C5583C"/> </rdf:Description> </rdf:RDF>
; </x:xmpmeta> <?xpacket end="r"?>........................
......................................................................
....................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]
\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! ...
..............................!.......,...... ....`%F.b(.CQ@[email protected]~
.W...;....
<<< skipped >>>

GET /4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.htm HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: szhong.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 04 Aug 2015 03:12:24 GMT

Server: 4399SERVER

Last-Modified: Fri, 24 Apr 2015 02:50:54 GMT

Accept-Ranges: bytes

Cache-Control: max-age=31536000

Expires: Wed, 03 Aug 2016 03:12:24 GMT

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 1174

Content-Type: text/html

Age: 3710

Via: http/1.1 4399SERVER (CDN CACHE V1.0), http/1.1 4399SERVER (CDN CACHE V1.0)

Connection: keep-alive
...........VMo.E.>7R..v*$...;q....9....$j.!N.xw.....fg..?.3B..B/@ .
.*Q.m.(.........;..{.DU....y..|..w.v...h...2>h.]7.v.....21.h..q..L7
.....I(|...0.[.h..T....#%......4......B..>..B...4oNa.......;.....o_
.>?{....''._..>x...g..=.9.'.A.x.D;6.%..<2,cna1.....0.( ..&.".
....3....>{p......d.b..(.f. .....J.4U^8M\M./.].........Y.....*.asH&
...t(..`..=..Skuyf.4..O.......P#.7...j........z}cu...z.#C...py.R......
.zM..?,...T...8..*.P....67.$....tP..6.N.N^d.]F...s.t89:.u...G.f..?;.#o
.g...~.../...M.wW.w[.....`.?....l..7...](.GG..;..PK=...s.\N^.0?...8...
.P.........G.q.x0;[.>B*qL.Ob.*u.!...]L....1*<J.5..r.......f'..UT
.@{T...[3..L.X..:.>o................`. sK...*.]/..W.3..rd.P.8......
T&q..~.................r...gYH....4.....tU.A..BViC..T.......[-F..4q=.6
..7|.B.........#.je^i..UEW.*z..4.2>.z........(..'.;...1OB..9.q.....
.F.&K5...:..>N.8.\..P2..Pm.,4...-...o....5 ..w.r.<77;W..O....ac.
8|[email protected].&J:Xx...H..I:"........nC..........4..xX.T,..2<...x..
.h....x..2..%..v.s3..xG.........X...W.....].n.T].......es......zp.9}..
......C.7./e]>.w..yz.K.D".Oh..`0.....K.v.12R.H/8."..D.....a.Zu.....
kM>d\.b.....R5.5.RMO5.p.. ...=x.D..3.......Gp......yGq}.z_#^..q....
...N`7.[..g...7V.,.n.g..]];.?.......
<<< skipped >>>

GET /4399swf/js/chkDomain.js HTTP/1.1

Accept: */*

Referer: hXXp://szhong.4399.com/4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: szhong.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 04 Aug 2015 03:55:00 GMT

Server: 4399SERVER

Last-Modified: Fri, 17 Sep 2010 03:21:31 GMT

Accept-Ranges: bytes

Cache-Control: max-age=31536000

Expires: Wed, 03 Aug 2016 03:55:00 GMT

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 352

Content-Type: application/javascript

Age: 1156

Via: http/1.1 4399SERVER (CDN CACHE V1.0), http/1.1 4399SERVER (CDN CACHE V1.0)

Connection: keep-alive
.......... K,RH.../-R.UHK.)N...*..&....].s.3..R.J.%%.V.....z&...z...J:
0QL......4u("..z.5.[...b.......8?.....aE,.w.%E>...%.. ...'.........
....... 3M.$.@..<3/%.\....3-.HA..;...:..9..rR..K2.....J9........Z..
...': V.........%[email protected]........%../,.|....k.>..g..
.G....W.9.tv..z....7..8}..w....'^o.wu....g?......g[....z...#..l9.LQI..
.Z...F.*...HTTP/1.1 200 OK..Date: Tue, 04 Aug 2015 03:55:00 GMT..Serve
r: 4399SERVER..Last-Modified: Fri, 17 Sep 2010 03:21:31 GMT..Accept-Ra
nges: bytes..Cache-Control: max-age=31536000..Expires: Wed, 03 Aug 201
6 03:55:00 GMT..Vary: Accept-Encoding..Content-Encoding: gzip..Content
-Length: 352..Content-Type: application/javascript..Age: 1156..Via: ht
tp/1.1 4399SERVER (CDN CACHE V1.0), http/1.1 4399SERVER (CDN CACHE V1.
0)..Connection: keep-alive............ K,RH.../-R.UHK.)N...*..&....].s
.3..R.J.%%.V.....z&...z...J:0QL......4u("..z.5.[...b.......8?.....aE,.
w.%E>...%.. ...'................ 3M.$.@..<3/%.\....3-.HA..;...:.
.9..rR..K2.....J9........Z.....': V.........%[email protected]..
......%../,.|....k.>..g...G....W.9.tv..z....7..8}..w....'^o.wu....g
?......g[....z...#..l9.LQI...Z...F.*.......
<<< skipped >>>

GET /4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.swf HTTP/1.1

Accept: */*

Accept-Language: en-US

Referer: hXXp://szhong.4399.com/4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.htm

x-flash-version: 11,6,602,168

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: szhong.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 14 Jul 2015 07:15:35 GMT

Server: 4399SERVER

Last-Modified: Fri, 24 Apr 2015 02:51:02 GMT

Accept-Ranges: bytes

Content-Length: 2149285

Cache-Control: max-age=31536000

Expires: Wed, 13 Jul 2016 07:15:35 GMT

Content-Type: application/x-shockwave-flash

Age: 1803523

Via: http/1.1 4399SERVER (CDN CACHE V1.0), http/1.1 4399SERVER (CDN CACHE V1.0)

Connection: keep-alive
CWS...#.x....<...?>...53.A...Ee_.";e.I..a..1... ....J.JT....$.JQ
ZhC.T.....kh...........].=...=..s.}.(.@.$.....-"[email protected].!...X.6.N.:q
.\...j3&..DQ6FF.....f.|A.............p...y"f..O.;........8Q"........h.
......B~....pq...#6......F&.& ..b...D2E...(.'...3.3...C"b.1l.P.S.>.
.7#.G..q...,~0[.....1........`......c.L..a.?.(J.gE...BA.........`.G...
.F."x.X.#~S1....)...1B...L^X43.m.......cd.`>Q..Ss}.Sc...00.t....0..
...$..4..H..]@#A*. K., ....,.x......l.../^(bG..Y[{2y.p.aH.~"X...8....j
q.....kx.i..a.3..g..UUU...}P.E./>}..:.2b.....c......U5.:...o'...eF.
...R....q...B../.v: ...^..4.......?.Y.4.Do~O....r...Kc..^.{q......?On.
c.ug..9....w.(.........zW._Ou.Z..Z.#.0....[CN{....}..C.6D2....?DP.....
..M..... ...d....T..7.!...22=..C.82a.......B..2MR.#..&....`/s..g..!...
.}.z.Z.z.......M[.d.y.|.Dy...:..t.....,.....(..CSe./.-..t...c.....U.KR
...Z.....^....t.....|.X[3...B.9.z.p)emP.o.......^]yu-.v..Q.. c5D.....w
.v.K...1...;{^. 'XK..fh.I,.|..P.`...%._..G....;?.....y.}...........//8
..c.@^z..5V..;...\2N?7K..=.W[.U.....).....%.Ed......3..e}...~e...;^..6
...].u.*k.Z.l.....U'...g.{.e..........E.su.u}. .FCE.K.-.?..<.xk....
.. ..v.>_...'.....>q|\..........8..2.U*...#.....'..l.~>p..M..
...>y>..F..C'eV.....,....?d.T..RuvI.{%..Ujo...$....kv........]..
..>p6....g.G.fK.1..ym....6.L7.....w.|jDn.........F.6...N.:F.$.y..=.
....=...<..I....4.vk.[4G2.....2......;>-..d.=y]`pF..S...u.V!../w
.CZ.7....s.a.$..7V.j.6]....[6.a*u.l...z.W.U../9I...]...'.g.<...`..8
....V..c[..O`.u.|>...e.....u......."|z...c...{fhT...9yvb.7df.Ns
<<< skipped >>>

GET /flashzt/img/sgxz2/bg.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Mon, 02 Nov 2015 04:14:14 GMT

Date: Tue, 04 Aug 2015 04:14:14 GMT

Server: nginx

Content-Type: image/png

Content-Length: 5031

Last-Modified: Fri, 10 Jan 2014 02:21:02 GMT

Cache-Control: max-age=7776000

Accept-Ranges: bytes

X-Via: 1.1 shjc71:8080 (Cdn Cache Server V2.0), 1.1 kf50:1 (Cdn Cache Server V2.0)

Connection: keep-alive
.PNG........IHDR...d...d.....G<ef....tEXtSoftware.Adobe ImageReadyq
.e<....PLTE........................................................
......................................................................
.............................IDATx.lZ...8...P.HQ.T..Ww........FD...o..
*[email protected].)..]....:~.......-...Z...8.B..e.pan......=.. >m...
.o...>.)6.v!W.\t.&.2.....|\....<....F.......4..........~..[.....
.3PR.....x. ...1..q{z:...p|.>....'..............`....3.Bp."....r..6
4..J..pY..r... ..8.....<.....e...O......,.[.....V......Xt..q..=.}..
rO.~{.......x<..e.x>..S..L.Z..OF....K..p.@b_T..\.e.7.H,._...o.9.
.......J..F..B....G......3...*;.......O.....-1.#,t..#......g.}>'o .
>[email protected]].W.k...<.d..3 V...H'.
...q/..p]...?.. ......J...`.Z..u9..r.....>.6\....z..W9.3.an.(.....]
 .H.)e..i.0c..5#yB.*.q$.8.1...z^...P.|.=...8a....X7.1...9_....`.......
u..T. ...m=...V.gx85..U..../fj.V*a..d..B..G....&E0v..............Jjh.T
./.z.C..Z.0...=. 9..B..Ao.%".2d...zb.f.....`.{.U ....p.....Hadd%6.....
[email protected]|..^,.h....s.!H..3.]..).._..9.......!.......
_.Ivu...h...*........`.x.6DO..<...!.N/....&z...#....,...6..........
.....=...ph.Yq..4.........R...3........~`.>-.z..(K..e`dU.*...t3.i.B
.6@c.....$.... ..b..{.2..}..`|M......b...*...{..F"k.....>..q..vWAU.
....2-.E........W$...0......f.. .q.t6..(..0'..t.\.......,.7 G.,....p..
.M..%{...i$...v.B..h.....3s..r.....?...T..JZ.......|A&.Q.:......C.|...
..8......?....2r.......0l......$.$...G\.. .<d..-g.g. ...../....
<<< skipped >>>

GET /flashzt/img/sgxz2/btn2.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Mon, 02 Nov 2015 04:14:16 GMT

Date: Tue, 04 Aug 2015 04:14:16 GMT

Server: nginx

Content-Type: image/png

Content-Length: 3166

Last-Modified: Fri, 10 Jan 2014 02:21:02 GMT

Cache-Control: max-age=7776000

Accept-Ranges: bytes

X-Via: 1.1 hzsx165:88 (Cdn Cache Server V2.0), 1.1 kf49:10 (Cdn Cache Server V2.0)

Connection: keep-alive
.PNG........IHDR...t.........L.......tEXtSoftware.Adobe ImageReadyq.e&
lt;....PLTE.O2{aN..y.......\3..x..-..s.yK....d"L..nN5..........Q2..s..
..d..v).8..........W(..i%.I...W.\.....rQ....qe.{*.kH.....6...]7(......
..O....|8..Z.t .`.e(.....E..T..y...(...........Y....X......y..j.[E.q?.
[......I..(..........Y...c.|lg1.....A..e.y:,..x....~1..f..k.....H..V..
...>...... ...xa.Y..hE.Y..2...>v<.~B......t..$..........R.8%.
....N...#....{:....yU..i.j1../.S.i4...S.\D............._..V..,........
.?bE2...u...y$..%..\\9..g2..........i).@.[%...B..^}b7.K..lR.T..eQ..n..
.....vH.....]...r7...@n0.....@)s7..]..[@..r........iz>.....U..V.u).
f$..w..U u...1.K) .Y".w:.l*....|6.q ..q..?....q;..a..-..X..&......v:..
p.._.........(....................................................U...
.:1O.......l =0-.........G<S....x..k.....I!.......e..>$.y[.....o
w;....a/...@..,..<....z... ........IDATx...{\S...O...........A $.sQ
$..."Q."....5....\....o.....Pe..B.V...*.U....x....sv....u.I.........p.
......w..B..{.....q.....9....8.........;w..4.h.......cNL_.2<&...O.s
....!........E...1..d.....o...C.Yot)......../\>.|...s........)....)
.h./. .F.c...."..o_.b......C...w.G..Zj.......O..........-.;...x~.^Ok.'
c......Y....c#H$0...:0b....a).....~...Z..F}.......x_....|ozL........9.
3...}.?....$vd... y.H....k.c.%.....9...v.Z.EJ..{>7.<[...Mo...i..
.....K....s..v....0&....M.}Z<0.ho.FbC...%$....o.m...k...M......]...
........OX..........w.br.......X...wF.4...v.>w..xn<..O..S......C
Ga...T.H...a.I...b......l"..zdF............)>...~...R..EZ..)...
<<< skipped >>>

GET /flashUniLogin/css/style.css?v=20121016 HTTP/1.1

Accept: */*

Referer: hXXp://szhong.4399.com/4399swf/upload_swf/ftp13/linxy/20140120/sgxz2/xfv521.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s4.img4399.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Expires: Wed, 12 Aug 2015 06:14:15 GMT

Date: Mon, 13 Jul 2015 06:14:15 GMT

Server: nginx/1.6.1

Content-Type: text/css

Content-Length: 4316

Last-Modified: Thu, 14 May 2015 06:02:29 GMT

ETag: "55543a75-10dc"

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zhj192:8108 (Cdn Cache Server V2.0), 1.1 kf48:2 (Cdn Cache Server V2.0)

Connection: keep-alive
@charset "utf-8";..body{background-color:#37383c;}../*login*/..#regbot
 {display:block;}...loginDiv{border:none;width:538px;background:none;}
...login_hd{background:url(../images1/tbg.gif) no-repeat;padding:37px 
25px 0; }..#login_tagnum{background:url(../images1/ptlogin.gif) repeat
-y 0 0;padding:0 5px;}...login_fd{background:url(../images1/ptlogin.gi
f) no-repeat -538px 0;height:23px;}...login_close{background:url(../im
ages1/closed.gif) no-repeat;width:15px;height:15px;top:8px;}...login_c
lose:hover{background-position:0 -15px;}...login_horizon .ptlogin_btn,
 .login_vertical .ptlogin_btn{background:url(../images1/spriteV4.png) 
no-repeat;width:73px; height:28px; overflow:hidden;}...login_horizon a
, .login_vertical a{color:#ffaa00;}...login_vertical .login_hor .q_tip
{color:#899999;}...login_vertical .login_hor label{color:#899999;}..#l
ogin_tag{height:28px;}..#login_tag li, #login_tag li a, #login_tag li.
selectTag, #login_tag li.selectTag a{background:url(../images1/ptlogin
_tab.gif) no-repeat;}..#login_tag li{width:84px;height:28px;padding:0;
text-align:center;}..#login_tag li a{width:84px;height:28px;padding:0;
text-align:center;line-height:28px;}..#login_tag li.selectTag a{backgr
ound-position:0 0;color:#fff;}..#login_tag li a{background-position:-8
4px 0;color:#464646;}..#login_tag li{top:1px;}...login_vertical #login
_simple_toregister{background:url(../images1/spriteV4.png) no-repeat -
74px 0;width:73px;height:28px;overflow:hidden;}...login_vertical .ptlo
gin_register{background:url(../images1/spriteV4.png) no-repeat 0 -
<<< skipped >>>

GET /upload_pic/2015/3/12/4399_17485812405.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga1.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 30 Mar 2015 15:46:25 GMT

Cache-Control: max-age=31536000

Content-Length: 3665

Content-Type: image/jpeg

Last-Modified: Thu, 12 Mar 2015 09:48:58 GMT

Accept-Ranges: bytes

ETag: "0e1bac2a95cd01:388"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 tzh57:8110 (Cdn Cache Server V2.0), 1.1 hzh40:3 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......<.....mhXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRe
f="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://n
s.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:5D0F06563000E4
11852EB53B0A44B31E" xmpMM:DocumentID="xmp.did:04DB1C99C89A11E488D2C85C
A5C73E70" xmpMM:InstanceID="xmp.iid:04DB1C98C89A11E488D2C85CA5C73E70" 
xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFro
m stRef:instanceID="xmp.iid:4CF0251A4B33E411981CFDB0683AC9B4" stRef:do
cumentID="xmp.did:5D0F06563000E411852EB53B0A44B31E"/> </rdf:Desc
ription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?&
gt;....Adobe.d........................................................
......................................................................
...................*.D................................................
......................................!..12.A"3..Qa4..B#6..Rbrc$5q..S.
DduF......................!1...AQaq"......2..BRr..3..#C.4.............
?...h.........sF4.r....jM.Z.w....i\.H=..WM....{[email protected]..`.
..1E.B.-*%Q......N.......w[}...E..i....Fxa8."! ."h.........6......)J..
.`......m..o.X.qG......."J... ..:...\.EMT.;0.Zy...R.n...Ra......eI
<<< skipped >>>

GET /upload_pic/2012/tjyx/tjrm_img08.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 02 Mar 2015 10:13:10 GMT

Cache-Control: max-age=31536000

Content-Length: 3177

Content-Type: image/jpeg

Last-Modified: Wed, 29 Feb 2012 09:18:04 GMT

Accept-Ranges: bytes

ETag: "0ae5fac3f6cc1:388"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 zjjhdx40:88 (Cdn Cache Server V2.0), 1.1 kf48:5 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......<......hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c060 61.134777, 2010/02/12-17:32:00        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xm
lns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.ado
be.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/
1.0/" xmpRights:Marked="False" xmpMM:OriginalDocumentID="xmp.did:7C3C9
0818062E1119A50B0F09DBE5343" xmpMM:DocumentID="xmp.did:48F37DFE62B611E
1987FB533819DF614" xmpMM:InstanceID="xmp.iid:48F37DFD62B611E1987FB5338
19DF614" xmp:CreatorTool="Adobe Photoshop 7.0"> <xmpMM:DerivedFr
om stRef:instanceID="uuid:02cd31e0-62b0-11e1-a9f2-89007db68855" stRef:
documentID="adobe:docid:photoshop:3e3cd8bb-62a6-11e1-b37d-c0893894c906
"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> &l
t;?xpacket end="r"?>....Adobe.d....................................
......................................................................
.......................................*.D............................
...........................................................!1.AQ2.3.."
.4aqBb.R#$D...r...CSE.6.......................!1..A..2...Qaq.".Bb#C...
...$..R............?.-.....X.r...\[email protected].}...C......k.p..
.\)...;mB.y54.Z.I..C..<n4{....?...U.k...N...{....mk.A....Hy....
<<< skipped >>>

GET /upload_pic/2012/tjyx/tjrm_img06.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga1.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 30 Mar 2015 15:46:25 GMT

Cache-Control: max-age=31536000

Content-Length: 3160

Content-Type: image/jpeg

Last-Modified: Wed, 29 Feb 2012 09:18:04 GMT

Accept-Ranges: bytes

ETag: "0ae5fac3f6cc1:388"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 tzh53:8106 (Cdn Cache Server V2.0), 1.1 hzh36:9 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......<......hXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-
c060 61.134777, 2010/02/12-17:32:00        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xm
lns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.ado
be.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/
1.0/" xmpRights:Marked="False" xmpMM:OriginalDocumentID="xmp.did:7C3C9
0818062E1119A50B0F09DBE5343" xmpMM:DocumentID="xmp.did:48F37DF662B611E
1987FB533819DF614" xmpMM:InstanceID="xmp.iid:48F37DF562B611E1987FB5338
19DF614" xmp:CreatorTool="Adobe Photoshop 7.0"> <xmpMM:DerivedFr
om stRef:instanceID="uuid:02cd31e0-62b0-11e1-a9f2-89007db68855" stRef:
documentID="adobe:docid:photoshop:3e3cd8bb-62a6-11e1-b37d-c0893894c906
"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> &l
t;?xpacket end="r"?>....Adobe.d....................................
......................HTTP/1.1 200 OK..Date: Mon, 30 Mar 2015 15:46:25
 GMT..Cache-Control: max-age=31536000..Content-Length: 3160..Content-T
ype: image/jpeg..Last-Modified: Wed, 29 Feb 2012 09:18:04 GMT..Accept-
Ranges: bytes..ETag: "0ae5fac3f6cc1:388"..Server: Microsoft-IIS/6.0..A
ge: 1..X-Via: 1.1 tzh53:8106 (Cdn Cache Server V2.0), 1.1 hzh36:9 (Cdn
 Cache Server V2.0)..Connection: keep-alive........Exif..II*......
<<< skipped >>>

GET /dahui/291.txt HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: hXXp://VVV.se592.com/dahui/291.txt

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: VVV.se592.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 1

Content-Type: text/plain

Last-Modified: Fri, 03 Jul 2015 03:26:48 GMT

Accept-Ranges: bytes

ETag: "2ac1251840b5d01:22d4f"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Tue, 04 Aug 2015 04:09:21 GMT
2....


GET /dahui/dizhi.txt HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: hXXp://VVV.se592.com/dahui/dizhi.txt

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: VVV.se592.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 29

Content-Type: text/plain

Last-Modified: Fri, 03 Jul 2015 03:13:30 GMT

Accept-Ranges: bytes

ETag: "5413963c3eb5d01:22d4f"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Tue, 04 Aug 2015 04:09:22 GMT
hXXp://VVV.zhongzi222.com/wg/HTTP/1.1 200 OK..Content-Length: 29..Cont
ent-Type: text/plain..Last-Modified: Fri, 03 Jul 2015 03:13:30 GMT..Ac
cept-Ranges: bytes..ETag: "5413963c3eb5d01:22d4f"..Server: Microsoft-I
IS/6.0..X-Powered-By: ASP.NET..Date: Tue, 04 Aug 2015 04:09:22 GMT..ht
tp://VVV.zhongzi222.com/wg/..

GET /upload_pic/2015/4/30/4399_17491964623.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga4.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 30 Apr 2015 10:33:31 GMT

Cache-Control: max-age=31536000

Content-Length: 3092

Content-Type: image/jpeg

Last-Modified: Thu, 30 Apr 2015 09:49:19 GMT

Accept-Ranges: bytes

ETag: "80f97ced2a83d01:38e"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 fuzhou190:8080 (Cdn Cache Server V2.0), 1.1 kf49:5 (Cdn Cache Server V2.0)

Connection: keep-alive
......Exif..II*.................Ducky.......<.....ohXXp://ns.adobe.
com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?&g
t; <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-
c011 66.145661, 2012/02/06-14:56:27        "> <rdf:RDF xmlns:rdf
="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description
 rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRe
f="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://n
s.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:5D0F06563000E4
11852EB53B0A44B31E" xmpMM:DocumentID="xmp.did:993E2137EF1D11E4BDB7FC65
6D64EB11" xmpMM:InstanceID="xmp.iid:993E2136EF1D11E4BDB7FC656D64EB11" 
xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedF
rom stRef:instanceID="xmp.iid:295C639E06E8E4119A24BFFB8CAB7C7C" stRef:
documentID="xmp.did:5D0F06563000E411852EB53B0A44B31E"/> </rdf:De
scription> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"
?>....Adobe.d......................................................
......................................................................
.....................*.D..............................................
........................................!..12.A".4Qaq3...Bb5..Rr#Cc6..
......s.$DE.....................!.1A..Qa.2..."...B3q..rC4.............
?."we.'[h..N`...S..~.0..rP........$.bR..A....U.2.k....XT.....)bf_.t...
-.T..(.x.p....I(.d.7.. .....C.E..dt.....sH.....t.q.Y..{mi....d......mm
....x..._h...b...7(em.1.7ru...<..x..F..-9v..^...q.R...j......A\
<<< skipped >>>

GET /upload_pic/2015/4/20/4399_16125310445.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga3.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 20 Apr 2015 09:31:48 GMT

Cache-Control: max-age=31536000

Content-Length: 3016

Content-Type: image/jpeg

Last-Modified: Mon, 20 Apr 2015 08:12:53 GMT

Accept-Ranges: bytes

ETag: "80f0a1cc417bd01:38e"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 fuzhou184:8107 (Cdn Cache Server V2.0), 1.1 kf50:0 (Cdn Cache Server V2.0)

Connection: keep-alive
......JFIF.....H.H.....C..............................................
......................C...............................................
........................*.D...........................................
4............................!"1.A#2Qa..$BRb................7.......................!..A."1Q.2aq....#3B...$Rr...b....
.........?.).n)u.Z.}....)P.v..d.wu.W.....e^........2.......29e....\.vo
..n.8...-."....1n..y].R..........E..)=..W9...i.)u....HOt..\Z&.&.Rx....
....)#j...P....K.........s.t.nX..Ve.N[@...!).......K..H...|..;.....4ME
8V../...o..f.*...uKi(.......yl".>...?/ULe.G.;..9.%I./"..n..../.-S..
.>.".4.....f.F.9iR........]M......:.........M..L&QT?.y.....,.(]5.M 
[email protected].._m...G.".j.X...p.L..qQ.4......O..v.K..5...R.H.Y.x..>
...ERc.......{X...x1.....D.p..Wk.....Fj*N`.$ .=|.z...T.tB|L*.a.>.-w
:k....]..N.n..u...y...X.#6..O.(...P0. ...<u..3.I...Ja...eYsj.....p.
W...I5.J....Q........(...C.p~."Oc.L*.#..).CrPTk[...y.46m...kp..m......
.G..... j?e$.../b..n...b;-g............9Ti2...k...q6]..w..r........*..
.......p7.^l.1O.....[.....U..ub..6.....V.:j.%!..`.v...<.Q.V.1......
.........X ..V...(....a.k.......S...;M..;F.K...!.,.P.Q..f..w4.z..x..#.
.a;,.. ....By.....y.....u|......W.cqy.dS..L.P..-.q...*..S..&.O..e.%B.P
=....=`R;u....G.T7......A1L.$q1...........@^J.. .j*..E..h..... b....%.
..P-.o..[.Z.Tit.g:[email protected]@m....3E.....2..X.K.H.w
....{.....\UN._.......</[email protected]....]..N..K.PW"....E.-...|
QW.*.$..}_...).r...Uzh...x..."....Z.2g......".t.`2..B...G.....nh.{
<<< skipped >>>

GET /upload_pic/2012/tjyx/tjrm_img011.jpg HTTP/1.1

Accept: */*

Referer: hXXp://VVV.4399.com/flash/129731.htm

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imga4.4399.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Mon, 27 Oct 2014 07:12:36 GMT

Cache-Control: max-age=31536000

Content-Length: 2384

Content-Type: image/jpeg

Last-Modified: Wed, 07 Mar 2012 08:25:57 GMT

Accept-Ranges: bytes

ETag: "607ae2eb3bfccc1:34b"

Server: Microsoft-IIS/6.0

Age: 1

X-Via: 1.1 zjjhdx37:8080 (Cdn Cache Server V2.0), 1.1 kf50:8 (Cdn Cache Server V2.0)

Connection: keep-alive
......JFIF.....H.H.....C..............................................
.........""""""""""...C................             !      !!!   !!!!!
!!!"""""""""""""""......*.D..........................................6
.........................!..."1AQB..2a..#$3q..5Rr.....................
.............6........................!1..AQa."2q.....#b..3BRr........
........?......K.KH=....p..AV..<.......y.XHFa...`.hU...5..7.v<..
.Tr!=..#].x 4.o.....F...:..KD.......K.7..A.v.....X('.....\.....)^.F[..
<c.^.....|W.I.x.I..V........6....S.7;QPy.....om.E(k3.........}2.^VV
@..O9........:..J..5.(...C...;.V5...s.|*.N..].tu......J.m.]*..F.ED..VB
Q%.K.^.O>...~..t$U......3.......TU4..ER.....7..?.h.ZF..C.K#d.!6....
-b..{.q...|.m....q.T8.2..)..&.I...}....:.T^..9N.h:_2..uU..............
....Th.UT....3..K.qq${.p.6....L(0VP..Qt.D..r.~....TV.#y...m...:...y..8
_N>t.....Q5....W|... ...-..>...R.:..E....s..v.=.......c.... .n..
7..$J:....i..'...b....=.;8_......:**.5.9....)./....q..........{U.E.p..
3C/.nLqSN..8.g.......a...f...S...-........$..d.nJ!n....j./..$5.%....1'
[qJv..........$.Ff..N'o.{'.....%[email protected]..*.
....l|.Y.%A..-...g7..Aobx.h.w..~....z"~)WtR.Q..).......D.%x...r.?.....
x.&.....u[...o.....B..(!..b.PUGb.....eX.........,........Q.[k..6.[<
..ox..{uu....V.....a..e'rM&p.P.FTcZ.....U...i....&u%..m}.2Alj....).=..
.r.:;nee..Ge.......C:BuMVJ..R.kn.ISi.U..\.;@...w**.]....#.....3._.-d..
.1...(.K..........M........\.<s..B.Q ...].n..n.f.;..ku .....::.[..m
$...h...O..{?_..M.@"[email protected].;..r.S.;...UW..jd..%.....M..Q.}ydM...o
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

wininet.dll

SkinH_EL.dll

kernel32.dll

advapi32.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

hXXp://VVV.se592.com/dahui/291.txt

hXXp://VVV.se592.com/dahui/dizhi.txt

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

http=

HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Content-Type: application/x-www-form-urlencoded

hXXp://

%s;7*

0%x@w

%C^L:

%s T5

]E4%F(

.Funr

k%UPp

fg.VG

%C',@

>Ùd

0'.Ll

[I(3/#N0.bd

j"%u=w

q%Xn`

@|H.NI

.wdd!

S|%u4

*.Ea]S

Q.CGo

fTpe

.LLbX

-.Mdl

\-A}=3K

Y:.akpS

$.Zcqn

u.Jck~

zx/%FN[

ce_%D

%C@0H

%s=\RI

}j%c%Y)

Rx.GR

4o#.dM

IeS`%C

[n 4\.UY 

,4.qO,

gQ'.Io

%cLur?

s%DHB

]I%%X

5r.US

:mD].tB

f%fUZ

.fOuV12

*_.dC

&-N}<

({?.cQm

.Cqx~c

.`.Qw

**.dU

!n]%x

%X,Cr

&.PFy{xh

.um ZZE7L

/^p%u$

I.NoQY

zu.ew

D/.nT

q.7.qE

W>^T%S

%XiR^

1%SqlnD

U[5%u

.OW74

"E.jV

c T.Om

*U%XOd

D%FW@

.gM>$slt

B.iR%

vv#%sY7x

.TY3F

kEY94

.nyBK

wN%U/

4.Ky%t

.h.fO

.TK$N

%dRB:W

[I9%f

8o%sx

.WE= T!N

#?%s(C(

Rd.hYp

.TX=6

,%x)E

R%X4C (

$7.Gs

d,.bw p

o .Kb

KOz-%c Rd

zkey0

=.Lw/Ch

!c%SGd

A.YA'

`.yV8

.qL8d0{

m>[So;.yd] 

_ÎW,

%UZtQ

.Fu:#

SShXuy@

f.kz"

@o.Ns

i.IK(

9rBÀ

.nm[&

.DDU0

%f$8C

\SkinH_EL.dll

C$%cmb

.ppM|

 aZ.mO

%-^

.hk;~

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

17950677

VVV.5di1.com

[email protected]

20150521

hXXp://VVV.4399.com/flash/129731.htm

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

ole32.dll

__MSVCRT_HEAP_SELECT

user32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

oledlg.dll

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

VVV.dywt.com.cn

(*.htm;*.html)|*.htm;*.html

1.1.3

;3 #>6.&

'2, / 0&7!4-)1#

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCOleDispatchException@@

zcÁ

VVV.se592.com

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

1, 0, 6, 6

(*.*)

1.0.0.0

(hXXp://VVV.eyuyan.com)

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\ucenter[1].js (19040 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\jquery-1.2.1.pack[1].js (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\top_bar[1].gif (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\tjrm_img09[1].jpg (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\161QF3VD[1].jpg (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\sgxz2_20140506[1].css (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\4399_17152503697[1].jpg (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\4399_16125310445[1].jpg (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\xfv521[1].htm (1751 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\tjrm_img06[1].jpg (86 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\4399_17485812405[1].jpg (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\style[1].css (337 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\4399_10301944353[1].jpg (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\2611145923P[1].jpg (942 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\btn2[1].png (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\161Q63IW6[1].jpg (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\logo[1].gif (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\xfv521[1].swf (29645 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\base[1].css (13921 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\4399_17491964623[1].jpg (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\dizhi[1].txt (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\tjrm_img08[1].jpg (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\xfv521[1].htm (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\sgxz2_20140506[2].css (11 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\129731[2].htm (2618 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\129731[1].htm (3286 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\jquery-1.2.1.pack[2].js (1740 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\chkDomain[1].js (554 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\tqq[1].gif (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\tjrm_img011[1].jpg (82 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\bg[1].png (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\291[1].txt (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X54WP6OJ\tjrm_img07[1].jpg (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6YXR8UDV\161Q62J3c[1].jpg (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\2QH24a102[1].jpg (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CXYJ0DYN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6OT4EAUY\desktop.ini (67 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.