Generic.Malware.SYBddldprng.298347B3_aca02ef228

by malwarelabrobot on June 3rd, 2015 in Malware Descriptions.

Trojan.Win32.Inject.ijat (Kaspersky), Generic.Malware.SYBd!dldprng.298347B3 (B) (Emsisoft), Generic.Malware.SYBd!dldprng.298347B3 (AdAware), Backdoor.Win32.Zegost.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Worm, EmailWorm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: aca02ef228ca6a0cf55b921df0a86b4b
SHA1: 8c32c94574ef8aba07b2641bf5d79963c0b0c30d
SHA256: ccbfee5ca53eeb3afe313b9af237a092a7b074a0a489d123062a40cd91bfd6fe
SSDeep: 49152:g ZPgX0PBVRhaWSp2AoGutO2sD3Ev4TGFbKZNXoX1E1 99Y/:gNX0PB7haXpkGkxyX416/
Size: 3411585 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-PSW: Trojan program intended for stealing users' passwords.

Payload

Behaviour Description
EmailWorm: Worm can send e-mails.


Process activity

The Generic creates the following process(es):

%original file name%.exe:2028

The Generic injects its code into the following process(es):

【极速蓝光】英雄联盟全图辅助.exe:636
server.exe:1180

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process 【极速蓝光】英雄联盟全图辅助.exe:636 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1164 bytes)

The Generic deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (0 bytes)

The process %original file name%.exe:2028 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\server.exe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\【极速蓝光】英雄联盟全图辅助.exe (20507 bytes)
%System%\drivers\beep.sys (7 bytes)

The process server.exe:1180 makes changes in the file system.
The Generic creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe (1281 bytes)
%WinDir%\Ball.exe (1281 bytes)
%WinDir%\Temp\zk.exe (1281 bytes)

Registry activity

The process %original file name%.exe:2028 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F C7 28 24 DC 20 87 5B A5 76 6A 48 77 4C D5 6E"

Dropped PE files

MD5 File path
f2f15ebc7e0ee49923961e9e59dd2443 c:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ball.exe
f2f15ebc7e0ee49923961e9e59dd2443 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\server.exe
1b0b0719a26652013f23aa7a00a386c3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\【极速蓝光】英雄联盟全图辅助.exe
f2f15ebc7e0ee49923961e9e59dd2443 c:\WINDOWS\Ball.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 24508 24576 4.51037 fe9741d9440745880409762b5b70b0bb
DATA 28672 3324 3584 3.51797 cb9b777bab5f53a0c9ee279705f95436
BSS 32768 3757 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 36864 2448 2560 3.07162 324b3843ac86281dd452fb8445da8cfd
.tls 40960 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 45056 24 512 0.14174 a59d5deeda3151a72e3841f3a8a37fbd
.reloc 49152 1548 2048 3.93841 800431cef35e18e3b4ace16e5fce61e2
.rsrc 53248 512 512 2.09142 a7f406bf6fb25a7f3329a2ee80fb270a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
389083d53ca592852b52f5a62735597d

URLs

URL IP
hxxp://114.215.104.9/lol/1.gif
hxxp://114.215.104.9/lol/2.gif
hxxp://114.215.104.9/lol/3.gif
hxxp://114.215.104.9/lol/4.gif
hxxp://114.215.104.9/lol/5.gif
hxxp://114.215.104.9/lol/6.gif
hxxp://114.215.104.9/lol/7.gif
hxxp://114.215.104.9/lol/8.gif
hxxp://114.215.104.9/lol/9.gif
hxxp://114.215.104.9/lol/10.gif
hxxp://x2.tcdn.qq.com/download.shtml
hxxp://www.a.shifen.com/
hxxp://lol.qq.com/download.shtml 203.205.142.142
hxxp://www.baidu.com/
qq652277163.f3322.net 125.71.245.224


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /download.shtml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: lol.qq.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: NWS_X2_MID
Connection: keep-alive
Date: Tue, 02 Jun 2015 05:26:42 GMT
Cache-Control: max-age=90
Expires: Tue, 02 Jun 2015 05:28:12 GMT
Last-Modified: Tue, 02 Jun 2015 05:20:00 GMT
Content-Type: text/html
Content-Length: 43956
X-Cache-Lookup: Hit From Upstream
X-Daa-Tunnel: hop_count=1
X-Cache-Lookup: Hit From Inner Cluster 
<!DOCTYPE HTML>..<html>..<head>..<meta charset="g
b2312" />..<meta name="robots" content="all" />..<meta nam
e="Copyright" content="TENCNET" />..<meta name="author" content=
"Tencent-TGideas" />..<meta name="keywords" content="...........
.,................,lol....,lol..............,lol........,lol....,lol..
....,lol........,..lol............" />..<meta name="description"
content="........................................" />..<title&g
t;........-................-........</title>..<!-- ......jaso
nshuai | ......jasminjiang | ......20131028 | ..........hXXp://tgideas
.qq.com -->..<script type="text/javascript">var d0 = new Date
();</script>..<link href="/web201310/css/public.css" rel="sty
lesheet" />..<link href="/web201310/css/down.css" rel="styleshee
t" />..</head>..<body>..<div class="wraper">..
<div class="layout toper"><!--[if lt IE 7]>. <p cla
ss="chromeframe">........IE................<a href="hXXp://windo
ws.microsoft.com/">........IE......</a>........<a href="ht
tp://VVV.google.com/chromeframe/?redirect=true">Google Chrome</a
>..<a href="hXXp://VVV.google.com/chromeframe/?redirect=true">
;Firefox</a>..................................</p>.<![e
ndif]-->.<script src="hXXp://gameact.qq.com/comm-htdocs/js/game_
area/lol_server_select.js"></script>.<script src="hXXp://l
ol.qq.com/web201310/js/head.js"></script>.<h1 class="t

<<< skipped >>>

GET / HTTP/1.1
User-Agent: test
Host: VVV.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 02 Jun 2015 05:26:50 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Wed, 03 Sep 2014 02:48:32 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=48D8A6B212BE6543412E5A1B6E9ADF95:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=48D8A6B212BE6543412E5A1B6E9ADF95; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1433222810; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Cache-control: no-cache
BDPAGETYPE: 1
BDQID: 0xb24567180004afa6
BDUSERID: 0
Accept-Ranges: bytes
<!DOCTYPE html><!--STATUS OK-->..<html>..<head>
;...<meta http-equiv="content-type" content="text/html;charset=utf-
8">...<meta http-equiv="X-UA-Compatible" content="IE=Edge">..
.<link rel="dns-prefetch" href="//s1.bdstatic.com"/>...<link
rel="dns-prefetch" href="//t1.baidu.com"/>...<link rel="dns-pref
etch" href="//t2.baidu.com"/>...<link rel="dns-prefetch" href="/
/t3.baidu.com"/>...<link rel="dns-prefetch" href="//t10.baidu.co
m"/>...<link rel="dns-prefetch" href="//t11.baidu.com"/>...&l
t;link rel="dns-prefetch" href="//t12.baidu.com"/>...<link rel="
dns-prefetch" href="//b1.bdstatic.com"/>...<title>...........
................</title>...<link href="hXXp://s1.bdstatic.com
/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/cs
s" />...<!--[if lte IE 8]><style index="index" >#conten
t{height:480px\9}#m{top:260px\9}</style><![endif]-->...<
;!--[if IE 8]><style index="index" >#u1 a.mnav,#u1 a.mnav:vis
ited{font-family:simsun}</style><![endif]-->...<script&
gt;var hashMatch = document.location.href.match(/# (.*wd=[^&]. )/);if
(hashMatch && hashMatch[0] && hashMatch[1]) {document.location.replace
("hXXp://" location.host "/s?" hashMatch[1]);}var ns_c = function(){};
</script>...<script>function h(obj){obj.style.behavior='ur
l(#default#homepage)';var a = obj.setHomePage('//VVV.baidu.com/');}<
;/script>...<noscript><meta http-equiv="refresh" conte

<<< skipped >>>

GET /lol/1.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:39 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/2.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:39 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/3.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:39 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/4.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:40 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/5.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:40 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/6.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:40 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/7.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:41 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/8.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:41 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/9.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:41 GMT
Content-Length: 1830
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

GET /lol/10.gif HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: 114.215.104.9
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 02 Jun 2015 05:26:42 GMT
Content-Length: 1831
<!DOCTYPE html>..<html>..    <head>..        <tit
le>.....................</title>.. <meta name="view
port" content="width=device-width" />.. <style>..
body {font-family:"Verdana";font-weight:normal;font-size: .7em;col
or:black;} .. p {font-family:"Verdana";font-weight:normal;colo
r:black;margin-top: -5px}.. b {font-family:"Verdana";font-weig
ht:bold;color:black;margin-top: -5px}.. H1 { font-family:"Verd
ana";font-weight:normal;font-size:18pt;color:red }.. H2 { font
-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }..
pre {font-family:"Consolas","Lucida Console",Monospace;font-siz
e:11pt;margin:0;padding:0.5em;line-height:14pt}.. .marker {fon
t-weight: bold; color: black;text-decoration: none;}.. .versio
n {color: gray;}.. .error {margin-bottom: 10px;}.. .ex
pandable { text-decoration:underline; font-weight:bold; color:navy; cu
rsor:hand; }.. @media screen and (max-width: 639px) {..
pre { width: 440px; overflow: auto; white-space: pre-wrap; word-wra
p: break-word; }.. }.. @media screen and (max-width: 4
79px) {.. pre { width: 280px; }.. }.. </sty
le>.. </head>.. <body bgcolor="white">..
<span><H1>.../.......................................&l
t;hr width=100% size=1 color=silver></H1>.. <h2
> <i>.....................</i> </h2></span

<<< skipped >>>

The Generic connects to the servers at the following location(s):

server.exe_1180:

.text
`.rdata
.data
.rsrc
|$<.tK
D$8RPSSh
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
WINMM.dll
__MSVCRT_HEAP_SELECT
user32.dll
WS2_32.dll
WININET.dll
MSVFW32.dll
PSAPI.DLL
WTSAPI32.dll
GetAsyncKeyState
GetKeyState
ExitWindowsEx
EnumWindows
keybd_event
MapVirtualKeyA
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
RegCreateKeyExA
RegDeleteKeyA
RegSetKeySecurity
RegEnumKeyExA
RegQueryInfoKeyA
RegRestoreKeyA
RegSaveKeyA
ShellExecuteA
SHDeleteKeyA
InternetOpenUrlA
GetWindowsDirectoryA
WinExec
CreatePipe
DisconnectNamedPipe
PeekNamedPipe
KERNEL32.dll
NETAPI32.dll
AVICAP32.dll
GetCPInfo
%s//%s
Microsoft\Network\Connections\pbk\rasphone.pbk
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
RasDialParams!%s#0
%s\%s
%s\shell\open\comman
%s\*.*
%s%s%s
%s%s*.*
a %s %s
a -r %s %s
rar.exe
x %s %s
SYSTEM\CurrentControlSet\Services\%s
Http/1.1 403 Forbidden
\keyboar.dat
:] %s
:]%d-%d-%d %d:%d:%d
Applications\iexplore.exe\shell\open\command
Windows Windows7/Vista/2008
Windows 2003
Windows XP
Windows 2000
Windows NT
kxetray.exe
egui.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
KSafeTray.exe
360tray.exe
PortNumber
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
:%dMB
:%dGB
.DEFAULT\Keyboard Layout\Toggle
Hotkey
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo
SOFTWARE\Policies\Microsoft\Windows\Installer
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
C:\3389.bat
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d
c:\3389.bat
gdt = x
idt = x
%System%\ctfmon1.exe
%Documents and Settings%\All Users\
\Ball.exe
%WinDir%\Ball.exe
hXXp://
ws2_32.dll
%WinDir%\temp\svchost.exe
%WinDir%\temp\zk.exe
%-25s %-15s 0x%x(%d)
%-25s %-15s %s
\cmd.exe
recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
Mozilla/4.0 (compatible)
hXXps://
ddd
c:\windows\temp\svchost.exe
%WinDir%\TEMP\svchost.exe
c:\windows\temp\svchost.txt
URLDownloadToFileA
urlmon.dll
Shell32.dll
%System%\GroupPolicy\user\Scripts\scripts.ini
0CmdLine=C:\windows\temp\svchost.exe
%System%\GroupPolicy\user\Scripts\script.ini
gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]
%System%\GroupPolicy\gpt.ini
%System%\GroupPolicy\user\Scripts\Shutdown
%System%\GroupPolicy\user\Scripts\Startu
%System%\GroupPolicy\user\Scripts
%System%\GroupPolicy\user
%System%\GroupPolicy
%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe
Rstray.exe
%s\SysTEM32\sysedit.exe
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
explorer.exe
1.1.4
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server.exe
[201412215920]
201412215920

server.exe_1180_rwx_00423000_00001000:

USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
SHLWAPI.dll
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler

server.exe_1180_rwx_00428000_00002000:

%s//%s
Microsoft\Network\Connections\pbk\rasphone.pbk
\Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
RasDialParams!%s#0
%s\%s
%s\shell\open\comman
%s\*.*
%s%s%s
%s%s*.*
a %s %s
a -r %s %s
rar.exe
x %s %s
SYSTEM\CurrentControlSet\Services\%s
Http/1.1 403 Forbidden
\keyboar.dat
:] %s
:]%d-%d-%d %d:%d:%d
Applications\iexplore.exe\shell\open\command
Windows Windows7/Vista/2008
Windows 2003
Windows XP
Windows 2000
Windows NT
kxetray.exe
egui.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
KSafeTray.exe
360tray.exe
PortNumber
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
:%dMB
:%dGB
.DEFAULT\Keyboard Layout\Toggle
Hotkey
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogo
SOFTWARE\Policies\Microsoft\Windows\Installer
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
C:\3389.bat
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d
c:\3389.bat
gdt = x
idt = x
%System%\ctfmon1.exe
%Documents and Settings%\All Users\
\Ball.exe
%WinDir%\Ball.exe
hXXp://
ws2_32.dll
KERNEL32.dll
%WinDir%\temp\svchost.exe
%WinDir%\temp\zk.exe
%-25s %-15s 0x%x(%d)
%-25s %-15s %s
\cmd.exe
recycle.{645FF040-5081-101B-9F08-00AA002F954E}\GHOSTBAK.exe
Mozilla/4.0 (compatible)
hXXps://
ddd
c:\windows\temp\svchost.exe
%WinDir%\TEMP\svchost.exe
c:\windows\temp\svchost.txt
URLDownloadToFileA
urlmon.dll
Shell32.dll
%System%\GroupPolicy\user\Scripts\scripts.ini
0CmdLine=C:\windows\temp\svchost.exe
%System%\GroupPolicy\user\Scripts\script.ini
gPCUserExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]
%System%\GroupPolicy\gpt.ini
%System%\GroupPolicy\user\Scripts\Shutdown
%System%\GroupPolicy\user\Scripts\Startu
%System%\GroupPolicy\user\Scripts
%System%\GroupPolicy\user
%System%\GroupPolicy
%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe
Rstray.exe
%s\SysTEM32\sysedit.exe
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
explorer.exe
1.1.4

server.exe_1180_rwx_0042D000_00005000:

zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\server.exe

【极速蓝光】英雄联盟全图辅助.exe_636:

.text
.rdata
@.data
.rsrc
@.text
t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
ole32.dll
kernel32.dll
GdiPlus.dll
wininet.dll
user32.dll
OLEACC.DLL
gdiplus.dll
gdi32.dll
advapi32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GdiplusShutdown
MsgWaitForMultipleObjects
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
MySQL
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2091E867B00B11E39D6CEF945C17CF93" xmpMM:DocumentID="xmp.did:2091E868B00B11E39D6CEF945C17CF93"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2091E865B00B11E39D6CEF945C17CF93" stRef:documentID="xmp.did:2091E866B00B11E39D6CEF945C17CF93"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2EAC18E2B00B11E3B47197C390700FD4" xmpMM:DocumentID="xmp.did:2EAC18E3B00B11E3B47197C390700FD4"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2EAC18E0B00B11E3B47197C390700FD4" stRef:documentID="xmp.did:2EAC18E1B00B11E3B47197C390700FD4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
flash.ocx.......
dbghelp.dll
loljdhurs.dll
hacker.map
114.215.104.9
','1', '
hXXp://connect.qq.com/toc/auth_manager?from=auth
hXXp://connect.qq.com/intro/login
hXXp://114.215.104.9/fz/lol/3.txt
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:7295366BB0BA11E39A65EBB195F086B4" xmpMM:DocumentID="xmp.did:7295366CB0BA11E39A65EBB195F086B4"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:72953669B0BA11E39A65EBB195F086B4" stRef:documentID="xmp.did:7295366AB0BA11E39A65EBB195F086B4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
 R%U~
^Hz%S~
:n%D'l:W<
A2V.Uq
%,.jc
%s40B
v"(.qF
T.VEb
W.YUb
( .yv
F5.la
pt$%ud"u
%DTny
Y?.GG8
[email protected]
.Dg.F`MF`f!
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:44CEBD44AF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:44CEBD43AF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:44CEBD4CAF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:44CEBD4BAF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
5<S6-8}
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:44FE597BAF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:44FE597AAF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
HwEb9
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:454ACCE4AF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:453066BBAF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
b\V.DM
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:45E75D55AF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:45E75D54AF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:45E75D59AF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:45E75D58AF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:46128CA4AF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:46128CA3AF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:47286D89AF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:47286D88AF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:47286D85AF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:47286D84AF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
"2&*:*.<
&;%.C-6K
&6-&.9
uiUDPzV
W.Hi.
{x(>%f
 0.kRP
._%fv
j,^.Ll}
X\K".luM
-,2rV.bU
'%CZGpBq
.ei^KHf
!}f%.GzTK;
|H%Cs~Dw
1.eP6
%cr&kR
17.Go
Hq%XX!
.tk;1
/%s@Z
2C.Re
V`U.CgDI
.pfeF
p!mh
P.hK\a
_%X^E
424235235
mysqlpassword
103.242.1.19
hXXp://114.215.104.9/lol/1.gif
hXXp://114.215.104.9/lol/2.gif
hXXp://114.215.104.9/lol/3.gif
hXXp://114.215.104.9/lol/4.gif
hXXp://114.215.104.9/lol/5.gif
hXXp://114.215.104.9/lol/6.gif
hXXp://114.215.104.9/lol/7.gif
hXXp://114.215.104.9/lol/8.gif
hXXp://114.215.104.9/lol/9.gif
hXXp://114.215.104.9/lol/10.gif
hXXp://lol.qq.com/download.shtml
hXXp://id.qq.com/index.html
hXXp://user.qzone.qq.com
tabIndex=1 onclick=Nav.logout(); href="javascript:void(0);" target=page>[
<SPAN id=info_banner_nick>
&encrytype=0&devtype=0&keytpye=0&uin=
hXXp://ptlogin2.qq.com/getface?appid=21000124&imgtype=
info_banner_nick
hXXp://user.qzone.qq.com/
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
\TCLS\config\LoginQ.dat
LoginUserRecord
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=1006102&daid=1&style=23&hide_border=1&proxy_url=http://id.qq.com/login/proxy.html&s_url=hXXp://id.qq.com/index.html
\Air\preferences\*.*
.properties
\TCLS\Client.exe
LolClient.exe
hXXp://114.215.104.9/fz/lol/a.txt
hXXp://114.215.104.9/fz/lol/b.txt
hXXp://114.215.104.9/fz/lol/c.txt
hXXp://114.215.104.9/fz/lol/d.txt
hXXp://114.215.104.9/fz/lol/e.txt
hXXp://114.215.104.9/fz/lol/1.txt
hXXp://114.215.104.9/fz/lol/2.txt
hXXp://114.215.104.9/fz/lol/wangzhan/ltan.txt
hXXp://connect.qq.com/manage
hXXp://114.215.104.9/fz/lol/wangzhan/wzs.txt
1662768861
hXXp://114.215.104.9/fz/lol/wangzhan/wz.txt
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
?A.nL
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2902681BB11711E397AB870A812BD431" xmpMM:DocumentID="xmp.did:2902681CB11711E397AB870A812BD431"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:29026819B11711E397AB870A812BD431" stRef:documentID="xmp.did:2902681AB11711E397AB870A812BD431"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
K%CS{z8'
.vW1@
G:l.zl/
}iÜ
 ei%f
3}%DKU4
4.IM!
.XG\@G
VQc6.IR
2.Mq)9
{hg_.GB6
.HeZ`yxm
%z.Pt
aR.Ot|7
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:60A91507AF9B11E38FF097488EA55558" xmpMM:InstanceID="xmp.iid:60A91506AF9B11E38FF097488EA55558" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="98275599685D98217E9B3B73D2D86E82" stRef:documentID="98275599685D98217E9B3B73D2D86E82"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
.VBUj
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:6315632CAF9B11E3ADB6C9B2D28C8DEE" xmpMM:InstanceID="xmp.iid:6315632BAF9B11E3ADB6C9B2D28C8DEE" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="0956C727893F4FFEA5A9F602073E8B2A" stRef:documentID="0956C727893F4FFEA5A9F602073E8B2A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:D4C336A6AF9411E39B34C173048B1529" xmpMM:InstanceID="xmp.iid:D4C336A5AF9411E39B34C173048B1529" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="471DDACE3E8E515D1B2CB40D387DA3AE" stRef:documentID="471DDACE3E8E515D1B2CB40D387DA3AE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
0U.Qe
%D!&'
Co.Kd
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:CB3230BAAF9411E3900A8D70887E6514" xmpMM:InstanceID="xmp.iid:CB3230B9AF9411E3900A8D70887E6514" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="471DDACE3E8E515D1B2CB40D387DA3AE" stRef:documentID="471DDACE3E8E515D1B2CB40D387DA3AE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:453066B4AF7F11E385879C23B67CD1C0" xmpMM:InstanceID="xmp.iid:453066B3AF7F11E385879C23B67CD1C0" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="CEB3EDADB1493C52CB6E9946C992A678" stRef:documentID="CEB3EDADB1493C52CB6E9946C992A678"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
,,,---///@@@...:::???   
^^^___***[[[
sssHHHbbbaaajjjMMMKKK)))
"""|||(((
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:828B4E81AF9211E38CAA82FF524F2A73" xmpMM:InstanceID="xmp.iid:828B4E80AF9211E38CAA82FF524F2A73" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="0956C727893F4FFEA5A9F602073E8B2A" stRef:documentID="0956C727893F4FFEA5A9F602073E8B2A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:977EDF62AF8E11E3B8AED2739BF677FA" xmpMM:InstanceID="xmp.iid:977EDF61AF8E11E3B8AED2739BF677FA" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="089E40BC54BCBDD4D60AA027E096696D" stRef:documentID="089E40BC54BCBDD4D60AA027E096696D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:4DF7ED55AF8E11E385AD856EB00E0583" xmpMM:InstanceID="xmp.iid:4DF7ED54AF8E11E385AD856EB00E0583" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="089E40BC54BCBDD4D60AA027E096696D" stRef:documentID="089E40BC54BCBDD4D60AA027E096696D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
 hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:B274ADF5AF7511E3B2329001A47E3830" xmpMM:InstanceID="xmp.iid:B274ADF4AF7511E3B2329001A47E3830" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:75E7750AAF7511E39A91C85A9BE7B0A4" stRef:documentID="xmp.did:75E7750BAF7511E39A91C85A9BE7B0A4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
I.YBh
-PPm}
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:E415F2EFAF7211E39671CDEB688A6218" xmpMM:InstanceID="xmp.iid:E415F2EEAF7211E39671CDEB688A6218" xmp:CreatorTool="Adobe Photoshop CS6 Windows"> <xmpMM:DerivedFrom stRef:instanceID="1FC664D5FA550B483045728549623FA3" stRef:documentID="1FC664D5FA550B483045728549623FA3"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
.pal"
Adobe Photoshop CS4 (11.0x20071101 [20071101.m.190 2007/11/01:02:00:00 cutoff; m branch]) Windows
2011:11:10 12:10:51
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.2-c021 1.124326, 2007/10/12-00:54:02 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xap="hXXp://ns.adobe.com/xap/1.0/" xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" dc:format="image/jpeg" xap:CreatorTool="Adobe Photoshop CS4 (11.0x20071101 [20071101.m.190 2007/11/01:02:00:00 cutoff; m branch]) Windows" xap:CreateDate="2011-11-10T12:10:51 08:00" xap:ModifyDate="2011-11-10T12:10:51 08:00" xap:MetadataDate="2011-11-10T12:10:51 08:00" xapMM:DocumentID="uuid:07D12BD3510BE111B26FC90AFF2DAAB0" xapMM:InstanceID="uuid:08D12BD3510BE111B26FC90AFF2DAAB0" tiff:Orientation="1" tiff:XResolution="720000/10000" tiff:YResolution="720000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;FBE36A23DC17EAD56AAA8F7132FE6A3B" exif:PixelXDimension="128" exif:PixelYDimension="128" exif:ColorSpace="1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;2197F9070E91F8AFD09934B9DD8FA31E" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" photoshop:History=""> <xapMM:DerivedFrom stRef:instanceID="uuid:DFBD5A341F8FE011B7C98771E4F1C8A5" stRef:documentID="uuid:73F15F0BBC4AE011BFFBADAA3DF549D1"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
jyM%f"
~.DqC
kA.yR"EC
oTi&.
-(00(5"!'
&& 4' ."-2
##&,$'-"$(#%)
") $ !%,
# $*$(.(,2"$'$&)247
"& #'#&*,/3 .2
#(&*/' 0)-2
!$#&)$'*%( ,/2#%'
!##&(%(*'*,( -,/1 .0
467 %'( ,),-045
"' #(#& 
# #&$'*#%'
!!&)%*-!%'#'),./
$&$'(&)*#()$)*
##.22"%%'**&))*--
%>UZ{DRn%6X
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:F8B8FFC6AF7811E3A9C4879A3B32AA6B" xmpMM:DocumentID="xmp.did:F8B8FFC7AF7811E3A9C4879A3B32AA6B"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F8B8FFC4AF7811E3A9C4879A3B32AA6B" stRef:documentID="xmp.did:F8B8FFC5AF7811E3A9C4879A3B32AA6B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:01B43999AF7D11E39E87DB5B9E0ABD77" xmpMM:DocumentID="xmp.did:01B4399AAF7D11E39E87DB5B9E0ABD77"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:01B43997AF7D11E39E87DB5B9E0ABD77" stRef:documentID="xmp.did:01B43998AF7D11E39E87DB5B9E0ABD77"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:1C049C73B00611E3890FD2BDDF177C75" xmpMM:DocumentID="xmp.did:1C049C74B00611E3890FD2BDDF177C75"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1C049C71B00611E3890FD2BDDF177C75" stRef:documentID="xmp.did:1C049C72B00611E3890FD2BDDF177C75"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
(7),01444
'9=82<.342
G%5xI
VVV.fuzhu999.com
2/ $3$'.
37	*,/ $.
~27&#/!%
"% #*%&1 #
BD7%XDAqVQ]B>T;8L64D0/<  4%'- # 
!' #& "!
!( #)!$$ )'
") ") "*!$*!$& !
464\^\|~|
|~|<><,.,
D-w.yD!
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
portuguese-brazilian
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
MSVFW32.dll
AVIFIL32.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
GetCPInfo
SetNamedPipeHandleState
WaitNamedPipeA
KERNEL32.dll
GetKeyState
RegisterHotKey
UnregisterHotKey
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
USER32.dll
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GDI32.dll
WINSPOOL.DRV
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WSOCK32.dll
InternetOpenUrlA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
hXXp://VVV.baidu.com
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
-1-1 0:0:0
2000-1-1
(*.htm;*.html)|*.htm;*.html
its:%s::%s
%d%d%d
rundll32.exe shell32.dll,
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
PIPE
ssl-cert
ssl-key
pipe
password
port
MYSQL
\\%s\pipe\%s
Unknown option to protocol: %s
d:t:o,/tmp/client.trace
MYSQL_PWD
Windows_NT
MYSQL_UNIX_PORT
MYSQL_TCP_PORT
mysql
Connection using old (pre 4.1.1) authentication protocol refused (client option 'secure_auth' enabled)
Can't open shared memory. %s event don't create for client (%lu)
Using unsupported buffer type: %d (parameter: %d)
Can't send long data for non string or binary data types (parameter: %d)
Can't set state of named pipe to host: %-.64s pipe: %-.32s (%lu)
Can't open named pipe to host: %-.64s pipe: %-.32s (%lu)
Can't wait for named pipe to host: %-.64s pipe: %-.32s (%lu)
%-.100s via named pipe
Lost connection to MySQL server during query
%-.100s via TCP/IP
MySQL client run out of memory
Protocol mismatch. Server Version = %d Client Version = %d
MySQL server has gone away
Unknown MySQL Server Host '%-.100s' (%d)
Can't create TCP/IP socket (%d)
Can't connect to MySQL server on '%-.100s' (%d)
Can't connect to local MySQL server through socket '%-.100s' (%d)
Can't create UNIX socket (%d)
Unknown MySQL error
TCP/IP (%d)
socket (%d)
named pipe
%s would have been started with the following arguments:
error: Found option without preceding group in config file: %s at line: %d
error: Wrong group definition in config file: %s at line %d
C:/mysql/
Index.xml
127.0.0.1
Software\MySQL
HAVE_TCPIP
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Can't initialize threads: error %d
Can't sync file '%s' to disk (Errcode: %d)
Error on realpath() on '%s' (Error %d)
Can't create symlink '%s' pointing at '%s' (Error %d)
Can't read value for symlink '%s' (Error %d)
Out of resources when opening file '%s' (Errcode: %d)
Character set '%s' is not a compiled character set and is not specified in the '%s' file
Can't create directory '%s' (Errcode: %d)
Disk is full writing '%s'. Waiting for someone to free space...
%d files and %d streams is left open
Warning: '%s' had %d links
Can't change dir to '%s' (Errcode: %d)
Can't get working dirctory (Errcode: %d)
Can't open stream from handle (Errcode: %d)
Can't change size of file (Errcode: %d)
Can't get stat of '%s' (Errcode: %d)
Can't read dir of '%s' (Errcode: %d)
Can't unlock file (Errcode: %d)
Can't lock file (Errcode: %d)
Unexpected eof found when reading file '%s' (Errcode: %d)
Error on rename of '%s' to '%s' (Errcode: %d)
Error on delete of '%s' (Errcode: %d)
Out of memory (Needed %u bytes)
Error on close of '%s' (Errcode: %d)
Error writing file '%s' (Errcode: %d)
Error reading file '%s' (Errcode: %d)
Can't create/write to file '%s' (Errcode: %d)
File '%s' not found (Errcode: %d)
charsets.charset.collation.map
charsets.charset.collation.flag
charsets.charset.collation.order
charsets.charset.collation.id
charsets.charset.collation.name
charsets.charset.collation
charsets.charset.unicode.map
charsets.charset.unicode
charsets.charset.lower.map
charsets.charset.lower
charsets.charset.upper.map
charsets.charset.upper
charsets.charset.ctype.map
charsets.charset.ctype
charsets.charset.alias
charsets.charset.description
charsets.charset.family
charsets.charset.name
charsets.charset.binary-id
charsets.charset.primary-id
charsets.charset
charsets.max-id
xml.encoding
xml.version
1.1.4
%,%$%4%<%
eZl%u
Q.YeY
R:\Sg|p5rL
e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexe
s4s/s)s%s>sNsOs
!&"&#&$&%&&&'&(&)&*& &,&-&.&/&0&1&
2&3&4&5&6&7&8&
!(,("(-(
 !,!5!6!
!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%<$=%>%?%@%A%B%C%D%E%F%G%H%I%J%K%L%M%N%O%P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%t%u%v%
g9H5_DF>L!9yMGE~8
%Sv0$S
|T)>~T%C
8]7]:]=5
.Dh26a
Z6%d#d
ReXeQe
uewexe
<[email protected]@
6*6 8*8 5*5 :*: ;*; =*= <*
/"2"6"5"
21314151
'2(2)2*2 2
-6.6/6061626
.7/70717
[7\7]7^7
=8>8?8@8
19293949
%;&;';(;
<<=<><?<@<
%>&>'>(>
<>=>>>?>@>
[@\@]@^@
"U#U$U%U
8[9[:[;[<[=[>[
&\'\(\)\
~\!]"]#]
/]0]1]2]
4]5]6]7]8]
|_}_~_!`
&`'`(`)`
2`3`4`5`
WeXe
vewexe
$f%f&f
@mAmBmCmDm
S%S'S(S)S S,S-S0S2S5S<S=S>SBSLSKSYS[SaScSeSlSmSrSyS~S
d d"d$d%d)d*d/d0d5d=d?dKdOdQdRdSdTdZd[d\d]d_d`dadcdmdsdtd{d}d
.AK.)
.uGvG
/%S67
-<.GIg
 I.pKqK
J.AeRtH49
U U!U"U#U$U%U&U'U(U)U*U U,U-U.U/U0U1U2U3U4U5U6U7U8U9U:U;U<U=U>U?U@UAUBUCUDUEUFUGUHUIUJUKULUMUNUOUPUQURUSUTUUUVUWUXUYUZU[U\U]U^U_U`UaUbUcUdUeUfUgUhUiUjUkUlUmUnUoUpUqUrUsUtUuUvU
?q.SM!@
$R&ß
C.JMH
-)./...6. .
E~ExE|E{E
&t.KIx
"*0QIs%u1
)Q.GN
X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X2X3X4X5X6X7X8X9X:X;X<X=X>X?X@XAXBXCXDXEXFXGXHXIXJXKXLXMXNXOXPXQXRXSXTXUXVXWXXXYXZX[X\X]X^X_X`XaXbXcXdXeXfX
S"S$S%S'S(S)S S,S-S/S0S1S2S3S4S5S6S7S8S<S=S@SBSDSFSKSLSMSPSTSXSYS[S]SeShSjSlSmSrSvSyS{S|S}S~S
U!U%U&U
X"X#X%X&X'X(X)X X,X-X.X/X1X2X3X4X6X7X8X9X:X;X<X=X
_!_"_#_$_
%d'd(d)d d.d/d0d1d2d3d5d6d7d8d9d;d<d>d@dBdCdIdKdLdMdNdOdPdQdSdUdVdWdYdZd[d\d]d_d`dadbdcdddedfdhdjdkdldndodpdqdrdsdtdudvdwd{d|d}d~d
"e#e$e&e'e(e)e*e,e-e0e1e2e3e7e:e<e=e@eAeBeCeDeFeGeJeKeMeNePeReSeTeWeXeZe\e_e`eaedeeegeheiejemeneoeqeseuevexeyeze{e|e}e~e
2!2"2#2$2%2&2'2(2)2
"P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%
1 1!1"1#1$1%1&1'1(1)1
!0"0#0$0%0&0'0(0)0
% %!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%<$=%>%?%@%A%B%C%D%E%F%G%H%I%J%K%
W%f?i
e.lFO
}!}#}$}%}&}(})}*},}-}.}0}1}2}3}4}5}6}
urlsS
~ ~!~"~#~$~%~&~'~(~)~*~ ~,~-~.~/~0~1~2~3~4~5~6~7~8~9~
u%urrGS
]']&].]$]
s"s9s%s,s8s1sPsMsWs`slsos~s
x<x%x,x#x)xNxmxVxWx&xPxGxLxjx
{.{1{ {%{${3{>{
!!"!#!(!
4!5!6!7!8!9!:!;!>!?!
~!2!3!<!=!
.VZN'Uu:&7V@
%FxG=R
~e%fWM
rP.BPb
C^%X*?M[lRzF*E
(m|P%c
NN"L.PSD25X^uU7<S;
.QqP8j9j:j5:
%CxF-kJD
(d.deB
3G,===%d
&8.pB1
mS.Xk@
tq.RG^JK
B]HC<F.NL]
yTDI.SS8`3
t6ZeXeYe@5
*M%u#u4=(u
"*")"'"("
%d&`&a&e&g&c&
%!%"%&%'%)%*%-%.%1%2%5%6%9%:$=%>%@%A%C%D%E%F%G%H%I%J%
[!\!]!^!
mQ.bx
{ | }9},
d6exe9j
]%sOu
m.t.zB}
w%xIyWy
%f?iCt
#$%&'()* ,
!"#$%&'()* ,-./0123456789:;<=>?@
%<%4%,%$%
%q%r%s%
`!`'`)` `
e%f-f f'f/f
%x-x x
~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP
]8^6^3^7^
c{cichczc]eVeQeYeWe_UOeXeUeTe
r6s%s4s)s:t*t3t"t%t5t6t4t/t
t&t(t%u&ukuju
a.bidodyd
duewexe
]!^"^#^ ^$^
t.uGuHu
h&h(h.hMh:h%h h,k/k-k1k4kmk
k%lzmcmdmvm
{1{ {-{/{2{8{
WHX%X
`IaJa aEa6a2a.aFa/aOa)a@a bh
d@d%d'd
kCpDpJpHpIpEpFp
3: %s unexpected (ident or '/' wanted)
5: %s unexpected ('>' wanted)
6: %s unexpected ('?' wanted)
4: %s unexpected (ident or string wanted)
1: %s unexpected (ident wanted)
'</%s>' unexpected ('</%s>' wanted)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
#include "l.chs\afxres.rc" // Standard components
(*.*)
1.0.0.1

¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe_636_rwx_00401000_000EA000:

t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2028

    Also end any process still running from the Temp copies listed in step 3 (server.exe and the dropped .exe); a running copy can re-create the files while you are deleting them.

  2. Delete the original Generic file.
  3. Delete or disinfect the following files created/modified by the Generic:

    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (1164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\server.exe (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\¡¾¼«ËÙÀ¶¹â¡¿Ó¢ÐÛÁªÃËȫͼ¸¨Öú.exe (20507 bytes)
    %System%\drivers\beep.sys (7 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe (1281 bytes)
    %WinDir%\Ball.exe (1281 bytes)
    %WinDir%\Temp\zk.exe (1281 bytes)

    Note: the copy of Ball.exe in the All Users Startup folder is what relaunches the Generic at every logon, so remove it before rebooting. beep.sys is a legitimate Windows driver; the 7-byte file the report shows at that path is far smaller than the real driver, so the Generic has overwritten it and it should be restored from the Windows installation media or a known-good copy rather than simply deleted. The baidu cookie files and index.dat are browsing artifacts written by the injected process, not malware code; deleting them is harmless.

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
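The following is an added example, not part of the Lavasoft report: a Python script that expands the report's %...% path placeholders to the concrete paths of a Windows XP SP3 host and checks a file listing (for example the output of dir /s, parsed into path-to-size pairs) against the executable and driver IOCs from step 3. The placeholder values, the user name "Administrator" and both file listings are constructed assumptions; adjust them for the host being checked. It gives a separate verdict for the Startup-folder persistence and for the overwritten beep.sys driver, since those two entries need different handling.

```python
"""Match a host's file listing against the removal IOCs listed above.

Added example, not part of the Lavasoft report. Expands the report's
%...% placeholders to XP SP3 paths and reports which IOC files are present,
with a size-aware verdict for each.
"""
import ntpath
from typing import Dict, List, Tuple

# Assumed placeholder values (XP SP3 defaults; the user name is a constructed
# assumption and must be changed to match the host being checked).
XP_ENV: Dict[str, str] = {
    "%Documents and Settings%": r"C:\Documents and Settings",
    "%current user%": "Administrator",
    "%WinDir%": r"C:\WINDOWS",
    "%System%": r"C:\WINDOWS\system32",
}

# Executable and driver IOCs from manual-removal step 3: (placeholder path, size in bytes).
IOCS: List[Tuple[str, int]] = [
    (r"%Documents and Settings%\%current user%\Local Settings\Temp\server.exe", 196),
    (r"%System%\drivers\beep.sys", 7),
    (r"%Documents and Settings%\All Users\Start Menu\Programs\Startup\Ball.exe", 1281),
    (r"%WinDir%\Ball.exe", 1281),
    (r"%WinDir%\Temp\zk.exe", 1281),
]


def expand(placeholder_path: str, env: Dict[str, str] = XP_ENV) -> str:
    """Replace every %placeholder% in a report path with its concrete value."""
    out = placeholder_path
    for key, value in env.items():
        out = out.replace(key, value)
    return out


def triage(listing: Dict[str, int]) -> List[Tuple[str, str]]:
    """listing maps full path -> size in bytes. Returns (path, verdict) per IOC present."""
    # NTFS paths are case-insensitive, so compare lower-cased.
    index = {path.lower(): size for path, size in listing.items()}
    findings: List[Tuple[str, str]] = []
    for placeholder, expected in IOCS:
        full = expand(placeholder)
        seen = index.get(full.lower())
        if seen is None:
            continue
        if ntpath.basename(full).lower() == "beep.sys":
            # beep.sys is a legitimate Windows driver several KB in size; a tiny
            # file at that path means it was overwritten and must be restored.
            verdict = ("overwritten driver, restore from install media"
                       if seen < 1024
                       else "driver-sized, verify hash against a known-good copy")
        elif "\\startup\\" in full.lower():
            # The Startup-folder copy is the persistence: it relaunches the sample at logon.
            verdict = "persistence via Startup folder" + (
                "" if seen == expected else f" (size {seen} != {expected})")
        else:
            verdict = ("exact size match" if seen == expected
                       else f"name match, size {seen} != {expected}")
        findings.append((full, verdict))
    return findings


# Constructed listing standing in for a dir /s dump from an infected XP host.
SAMPLE_LISTING: Dict[str, int] = {
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\server.exe": 196,
    r"C:\WINDOWS\system32\drivers\beep.sys": 7,
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ball.exe": 1281,
    r"C:\WINDOWS\Ball.exe": 1281,
    r"C:\WINDOWS\Temp\zk.exe": 1281,
    r"C:\WINDOWS\system32\notepad.exe": 69120,  # unrelated file, must not match
}

# Constructed listing for a clean host: only the genuine driver is present (size assumed).
CLEAN_LISTING: Dict[str, int] = {r"C:\WINDOWS\system32\drivers\beep.sys": 4096}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LISTING):
        print(f"{verdict:50s} {path}")
```

The size check is deliberately weak evidence on its own (the dropped files are tiny and easy to pad), so treat a "name match, size differs" verdict as a prompt to hash the file, not as a clean result.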
