Trojan.Generic.14777992_30acd931a2

by malwarelabrobot on August 8th, 2015 in Malware Descriptions.

Trojan.Generic.14777992 (B) (Emsisoft), Trojan.Generic.14777992 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 30acd931a20e52dde06b0591d5bee143
SHA1: d1b30fb9d68efe309ff3de378fdce9d9102150db
SHA256: a65beb608a53a0b14454891ac5a275b4f3a85375fd0c82fec15dcf0faa0714a2
SSDeep: 49152:zZojpmLKSUViyKftMZZZfu0JipznARZhhrszbl:NUpmLKSQKlM1u0JipznYzqfl
Size: 5193728 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2015-05-24 03:30:21
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:496

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cdn_djl[1].js (239 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAWBU14T.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\public[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\espay[1].css (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logo[1].png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\espay[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\service[1].js (6 bytes)
C:\Hook.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cdn_djl[2].js (324 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAVIW3ZT.shtml#pay-card (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tcss.ping[2].js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\eicon[1].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\card[1].htm (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@qq[1].txt (139 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (184 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tcss.ping[1].js (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\page[1].js (2 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (360 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cdn_djl[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tcss.ping[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)

Registry activity

The process %original file name%.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1432427421"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 A1 56 29 6C 77 54 A3 E0 7B FF 69 D4 90 D7 E5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5                               File path
4659f476b80e067bceeaa8e821c3fab8  c:\Hook.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: QQ164959334
Product Name: Q?????
Product Version: 1.0.0.0
Legal Copyright: Q?????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Q?????
Comments: Q?????
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             901655        905216    4.49637  e279843f380d3f328210cab57f775c54
.rdata  909312           4104974       4108288   3.17505  3556835a527bcd9f099a4a8da42655e7
.data   5017600          374442        114688    3.79788  61d7f811c0ffe95c2094bc0fb4163805
.rsrc   5394432          59772         61440     3.15506  4fb203453cbc953559bcef07b91f039d

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
hxxp://pay.qq.com/js/espay.js?v=1.0
hxxp://imgcache.qq.com.cdngc.net/bossweb/espay/v2/css/espay.css 174.35.71.11
hxxp://imgcache.qq.com.cdngc.net/bossweb/espay/v2/css/eicon.css 174.35.71.11
hxxp://pay.qq.com/js/page.js?v=1.0
hxxp://pay.qq.com/js/service.js
hxxp://imgcache.qq.com.cdngc.net/bossweb/espay/v2/images/public.png 174.35.71.11
hxxp://imgcache.qq.com.cdngc.net/bossweb/espay/v2/images/logo.png 174.35.71.11
hxxp://pay.qq.com/template/pay/card.html?version=0.9
hxxp://imgcache.qq.com.cdngc.net/bossweb/espay/v2/images/icon.png 174.35.71.11
hxxp://ui.ptlogin2.qq.com/cgi-bin/login?appid=11000101&f_url=loginerroralert&link_target=blank&ep=http://q.pay.qq.com/cgi-bin/login/qqacctlogin.cgi&s_url=http://q.pay.qq.com/jump.shtml#pay-card&qlogin_jumpname=payjump&qlogin_param=url=http://q.pay.qq.com/jump.shtml#pay-card 112.90.83.106
hxxp://ssd.tcdn.qq.com/tcss.ping.js?version=0.9
hxxp://captcha.qq.com/getimage?aid=11000101&0.41125558216650987 112.90.83.73
hxxp://ssd.tcdn.qq.com/cdn_djl.js
hxxp://pingfore.qq.com/pingd?dm=q.pay.qq.com&url=/index.shtml&rdm=ADTAG&rurl=PAY.PT.HEADER.LINK&rarg=-&or=--&pvid=7669226101&scr=1024x768&scl=32-bit&lang=en-us&java=1&pf=Win32&tz=-3&flash=11.0&ct=lan&vs=tcss.3.1.5&ext=nw=1;tm=219;ch=2&hurlcn=&rand=2197&reserved1=-1&tt= 163.177.72.141
hxxp://jqmtws.tcdn.qq.com/cdn_dianjiliu.js?a=0.589845096595204
hxxp://imgcache.qq.com/bossweb/espay/v2/images/public.png 174.35.71.11
hxxp://q.pay.qq.com/js/espay.js?v=1.0 14.18.245.151
hxxp://jqmt.qq.com/cdn_dianjiliu.js?a=0.589845096595204 203.205.148.71
hxxp://q.pay.qq.com/js/page.js?v=1.0 14.18.245.151
hxxp://q.pay.qq.com/js/service.js 14.18.245.151
hxxp://imgcache.qq.com/bossweb/espay/v2/css/eicon.css 174.35.71.11
hxxp://imgcache.qq.com/bossweb/espay/v2/images/logo.png 174.35.71.11
hxxp://q.pay.qq.com/template/pay/card.html?version=0.9 14.18.245.151
hxxp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK 14.18.245.151
hxxp://imgcache.qq.com/bossweb/espay/v2/images/icon.png 174.35.71.11
hxxp://pingjs.qq.com/tcss.ping.js?version=0.9 103.7.30.59
hxxp://jsqmt.qq.com/cdn_djl.js 203.205.147.226
hxxp://imgcache.qq.com/bossweb/espay/v2/css/espay.css 174.35.71.11
google1000.cn 42.51.153.12


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /js/espay.js?v=1.0 HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: q.pay.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:51 GMT
Server: Apache
Last-Modified: Thu, 29 May 2014 08:15:17 GMT
ETag: "13000ff-3164-4fa8587748f40"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4161
Connection: close
Content-Type: application/javascript

<<< skipped >>>

GET /pingd?dm=q.pay.qq.com&url=/index.shtml&rdm=ADTAG&rurl=PAY.PT.HEADER.LINK&rarg=-&or=--&pvid=7669226101&scr=1024x768&scl=32-bit&lang=en-us&java=1&pf=Win32&tz=-3&flash=11.0&ct=lan&vs=tcss.3.1.5&ext=nw=1;tm=219;ch=2&hurlcn=&rand=2197&reserved1=-1&tt= HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pingfore.qq.com
Connection: Keep-Alive
Cookie: pt_clientip=51bab95dba221105; pt_serverip=41e20af172633d2a; pgv_info=ssid=s2651691400; pgv_pvid=7669226101


HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 0


GET /js/service.js HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: q.pay.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:57 GMT
Server: Apache
Last-Modified: Wed, 01 Apr 2015 03:54:59 GMT
ETag: "16940fe-191a-512a1add4eac0"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1441
Connection: close
Content-Type: application/javascript

<<< skipped >>>

GET /template/pay/card.html?version=0.9 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK#pay-card
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: q.pay.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:58 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 3015
Connection: close
Content-Type: text/html

<<< skipped >>>

GET /index.shtml?ADTAG=PAY.PT.HEADER.LINK HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: q.pay.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:51 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1883
Connection: close
Content-Type: text/html

<<< skipped >>>

GET /cgi-bin/login?appid=11000101&f_url=loginerroralert&link_target=blank&ep=http://q.pay.qq.com/cgi-bin/login/qqacctlogin.cgi&s_url=http://q.pay.qq.com/jump.shtml#pay-card&qlogin_jumpname=payjump&qlogin_param=url=http://q.pay.qq.com/jump.shtml#pay-card HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ui.ptlogin2.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Fri, 07 Aug 2015 11:14:04 GMT
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=86400
Set-Cookie: pt_user_id=16604782216216744725; EXPIRES=Mon, 04-Aug-2025 11:14:04 GMT; PATH=/; DOMAIN=ui.ptlogin2.qq.com;
Set-Cookie: pt_login_sig=wYTnQnDPMCMNUmBvNDjWWgb*uYQpmAzyadyKS4ln1GdDMIEoVbuEGgO8NYAerngF; PATH=/; DOMAIN=ptlogin2.qq.com;
Set-Cookie: pt_clientip=51bab95dba221105; PATH=/; DOMAIN=qq.com;
Set-Cookie: pt_serverip=41e20af172633d2a; PATH=/; DOMAIN=qq.com;
Set-Cookie: login_param=appid=11000101&f_url=loginerroralert&link_target=blank&ep=http%3A%2F%2Fq.pay.qq.com%2Fcgi-bin%2Flogin%2Fqqacctlogin.cgi&s_url=http%3A%2F%2Fq.pay.qq.com%2Fjump.shtml%23pay-card&qlogin_jumpname=payjump&qlogin_param=url%3Dhttp%3A%2F%2Fq.pay.qq.com%2Fjump.shtml%23pay-card; PATH=/; DOMAIN=ui.ptlogin2.qq.com;
Set-Cookie: uikey=a422600fb92025af3cac4ce4f8842c60f640cc2e94c2d004a0894bf32498ccdf; PATH=/; DOMAIN=ptlogin2.qq.com;
Set-Cookie: ptui_identifier=000DA096F56C48C0DC1FF0581C6A681F35ED891CD6A49E3CCD757409; PATH=/; DOMAIN=ui.ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT
Content-Encoding: gzip
Content-Type: text/html
Content-Length: 7354

<<< skipped >>>

GET /cdn_dianjiliu.js?a=0.589845096595204 HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: jqmt.qq.com
Connection: Keep-Alive
Cookie: pt_clientip=51bab95dba221105; pt_serverip=41e20af172633d2a; pgv_info=ssid=s2651691400; pgv_pvid=7669226101


HTTP/1.1 200 OK
Server: MCP-HTTP
Content-Length: 481
Content-Type: application/x-javascript
Cache-Control: no-cache
Content-Encoding: gzip
Connection: Close


GET /tcss.ping.js?version=0.9 HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pingjs.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: NWS_UGC_HY
Connection: keep-alive
Date: Fri, 07 Aug 2015 11:14:04 GMT
Cache-Control: max-age=600
Expires: Fri, 07 Aug 2015 11:24:04 GMT
Last-Modified: Thu, 29 Aug 2013 02:40:23 GMT
Content-Type: application/x-javascript
Content-Length: 4218
Content-Encoding: gzip
X-Cache-Lookup: Hit From Disktank Gz

<<< skipped >>>

GET /bossweb/espay/v2/images/logo.png HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:57 GMT
Server: PWS/8.1.20.22
X-Px: ms h0-s1193.p11-fra ( h0-s1214.p11-fra), rf-ht h0-s1214.p11-fra ( h0-s1022.p7-icn), rf-ht h0-s1022.p7-icn ( origin)
ETag: "4f4de6ea-16dc"
Cache-Control: max-age=7200
Expires: Fri, 07 Aug 2015 13:13:58 GMT
Age: 0
Content-Length: 5852
Content-Type: image/png
Last-Modified: Wed, 29 Feb 2012 08:50:50 GMT
Connection: keep-alive

<<< skipped >>>

GET /bossweb/espay/v2/images/icon.png HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:59 GMT
Server: PWS/8.1.20.22
X-Px: ht-strm h0-s1193.p11-fra.cdngp.net
ETag: "4f4de6ea-3fce"
Cache-Control: max-age=7200
Expires: Fri, 07 Aug 2015 13:13:59 GMT
Age: 0
Content-Length: 16334
Content-Type: image/png
Last-Modified: Wed, 29 Feb 2012 08:50:50 GMT
Connection: keep-alive

<<< skipped >>>

GET /cdn_djl.js HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: jsqmt.qq.com
Connection: Keep-Alive
Cookie: pt_clientip=51bab95dba221105; pt_serverip=41e20af172633d2a; pgv_info=ssid=s2651691400


HTTP/1.1 200 OK
Server: NWS_UGC_HY
Connection: keep-alive
Date: Fri, 07 Aug 2015 11:14:10 GMT
Cache-Control: max-age=600
Expires: Fri, 07 Aug 2015 11:24:10 GMT
Last-Modified: Fri, 25 Jul 2014 04:14:48 GMT
Content-Type: application/javascript
Content-Length: 239
Content-Encoding: gzip
X-Cache-Lookup: Hit From Disktank Gz


GET /getimage?aid=11000101&0.41125558216650987 HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: captcha.qq.com
Connection: Keep-Alive

GET /getimage?aid=11000101&0.41125558216650987 HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: captcha.qq.com
Connection: Keep-Alive



GET /js/page.js?v=1.0 HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: q.pay.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:56 GMT
Server: Apache
Last-Modified: Tue, 07 Jan 2014 06:08:38 GMT
ETag: "15f448f-a44-4ef5b350dc580"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1117
Connection: close
Content-Type: application/javascript


GET /bossweb/espay/v2/css/espay.css HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:55 GMT
Server: PWS/8.1.20.22
X-Px: ms h0-s1193.p11-fra ( h0-s1192.p11-fra), rf-ht h0-s1192.p11-fra ( h0-s1034.p7-icn), rf-ht h0-s1034.p7-icn ( origin)
ETag: "4f4de6ea-6bd4"
Cache-Control: max-age=600
Expires: Fri, 07 Aug 2015 11:23:55 GMT
Age: 0
Content-Length: 6462
Content-Type: text/css
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Wed, 29 Feb 2012 08:50:50 GMT
Connection: keep-alive

<<< skipped >>>

GET /bossweb/espay/v2/css/eicon.css HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:55 GMT
Server: PWS/8.1.20.22
X-Px: ms h0-s1193.p11-fra ( h0-s1127.p11-fra), rf-ht h0-s1127.p11-fra ( h0-s1032.p7-icn), rf-ht h0-s1032.p7-icn ( origin)
ETag: "4f4de6ea-48b"
Cache-Control: max-age=600
Expires: Fri, 07 Aug 2015 11:23:56 GMT
Age: 0
Content-Length: 443
Content-Type: text/css
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Wed, 29 Feb 2012 08:50:50 GMT
Connection: keep-alive



GET /bossweb/espay/v2/images/public.png HTTP/1.1
Accept: */*
Referer: hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Fri, 07 Aug 2015 11:13:57 GMT
Server: PWS/8.1.20.22
X-Px: ms h0-s1193.p11-fra ( h0-s1129.p11-fra), rf-ht h0-s1129.p11-fra ( h0-s1023.p7-icn), rf-ht h0-s1023.p7-icn ( origin)
ETag: "4f4de6ea-1953"
Cache-Control: max-age=7200
Expires: Fri, 07 Aug 2015 13:13:58 GMT
Age: 0
Content-Length: 6483
Content-Type: image/png
Last-Modified: Wed, 29 Feb 2012 08:50:50 GMT
Connection: keep-alive

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_496:

.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
ole32.dll
WinINet.dll
kernel32.dll
Kernel32.dll
shlwapi.dll
ntdll.dll
Hook.dll
NTDLL.DLL
user32.dll
OLEACC.DLL
gdi32.dll
advapi32.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
cardpassword
hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK#pay-card
hXXp://wpa.qq.com/msgrd?v=3&uin=
&SQL=
19,91,01,22,52,09
http=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.1
hXXp://
Function Getcpuid()
Set cpuSet = GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_Processor")
getcpuid=cpu.ProcessorId
Getcpuid
\\.\PHYSICALDRIVE
\\.\SCSI
\\.\SMARTVSD
\\.\PhysicalDrive0
hXXp://VVV.watele.cn/89.html
G|Z%d
GetKeyboardType,MessageBoxA,CharNextA
RegQueryValueExA,RegOpenKeyExA,RegCloseKey
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
javascript:CARD.setExtCode('img_ext_code')
.share
.reloc
KERNEL32.dll
SetWindowsHookExA
UnhookWindowsHookEx
HookProcess.dll
c:\documents and settings\administrator\my documents\visual studio 2005\projects\hookprocess\release\HookProcess.pdb
GBj%c
}&-4}v
piao.asp
hXXp://google1000.cn:888/qb/
\hook.dll
internet explorer\IEXPLORE.EXE
explorer.exe
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
hXXp://VVV.27399.com/Validator/getcode.aspx?
hXXp://VVV.watele.cn/90.html
VVV.watele.cn
comctl32.dll
wininet.dll
EnumChildWindows
cmd.exe /c del
8349?846:
{}{|}}{|
{~{{|~|{}~
~~~~||~|}}}
}|~}|}}~~~
}~}~}~}~~}
hXXp://user.qzone.qq.com/
nickname : '(.*?)'
WinHttp.WinHttpRequest.5.1
MSXML2.ServerXMLHTTP.6.0
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
hXXps://
Adodb.Stream
VVV.meitu.com
Lc.NLs,
jKd.xwGHe
Adobe Photoshop CS3 Windows
2015:05:23 08:07:16
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.276720, Mon Feb 19 2007 22:40:08 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xap="hXXp://ns.adobe.com/xap/1.0/" xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" dc:format="image/jpeg" xap:CreatorTool="Adobe Photoshop CS3 Windows" xap:CreateDate="2015-05-23T08:07:16 08:00" xap:ModifyDate="2015-05-23T08:07:16 08:00" xap:MetadataDate="2015-05-23T08:07:16 08:00" xapMM:DocumentID="uuid:D1520CC5DE00E5119AD9AD3CBFC7B0EE" xapMM:InstanceID="uuid:D2520CC5DE00E5119AD9AD3CBFC7B0EE" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" photoshop:History="" tiff:Orientation="1" tiff:XResolution="720000/10000" tiff:YResolution="720000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;5E745F431F89A04EB772C0D011F3C281" exif:PixelXDimension="25" exif:PixelYDimension="25" exif:ColorSpace="1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;5B3F64C237586968A3B9ABD0B80E5546"> <xapMM:DerivedFrom stRef:instanceID="uuid:CC520CC5DE00E5119AD9AD3CBFC7B0EE" stRef:documentID="uuid:CC520CC5DE00E5119AD9AD3CBFC7B0EE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
2015:05:23 08:04:15
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.1-c036 46.276720, Mon Feb 19 2007 22:40:08 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:xap="hXXp://ns.adobe.com/xap/1.0/" xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" dc:format="image/jpeg" xap:CreatorTool="Adobe Photoshop CS3 Windows" xap:CreateDate="2015-05-23T08:04:15 08:00" xap:ModifyDate="2015-05-23T08:04:15 08:00" xap:MetadataDate="2015-05-23T08:04:15 08:00" xapMM:DocumentID="uuid:CD520CC5DE00E5119AD9AD3CBFC7B0EE" xapMM:InstanceID="uuid:CE520CC5DE00E5119AD9AD3CBFC7B0EE" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" photoshop:History="" tiff:Orientation="1" tiff:XResolution="720000/10000" tiff:YResolution="720000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;9B09E6011CFAF9FF9EF56335511C3EF8" exif:PixelXDimension="444" exif:PixelYDimension="31" exif:ColorSpace="1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;5D886A819449957CD16F46CB0C534939"> <xapMM:DerivedFrom stRef:instanceID="uuid:CC520CC5DE00E5119AD9AD3CBFC7B0EE" stRef:documentID="uuid:CC520CC5DE00E5119AD9AD3CBFC7B0EE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
D.FEN
Adobe Photoshop CS4 Windows
2013:02:02 10:30:00
thXXp://ns.adobe.com/xap/1.0/
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 4.2.2-c063 53.352624, 2008/07/30-18:12:18 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xmp:CreatorTool="Adobe Photoshop CS4 Windows" xmp:CreateDate="2013-02-02T10:29:49 08:00" xmp:ModifyDate="2013-02-02T10:30 08:00" xmp:MetadataDate="2013-02-02T10:30 08:00" dc:format="image/jpeg" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:D743E235E06CE211A7D8A5B3E809C861" xmpMM:DocumentID="xmp.did:D643E235E06CE211A7D8A5B3E809C861" xmpMM:OriginalDocumentID="xmp.did:D643E235E06CE211A7D8A5B3E809C861" tiff:Orientation="1" tiff:XResolution="720000/10000" tiff:YResolution="720000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;CFD4AA4ABA4807FF40F7DA6A29A4B9D4" exif:PixelXDimension="367" exif:PixelYDimension="239" exif:ColorSpace="1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;E10E6FEF6245427B3A5D825CE32AFA8C"> <xmpMM:History> <rdf:Seq> <rdf:li stEvt:action="created" stEvt:instanceID="xmp.iid:D643E235E06CE211A7D8A5B3E809C861" stEvt:when="2013-02-02T10:30 08:00" stEvt:softwareAgent="Adobe Photoshop CS4 Windows"/> 
<rdf:li stEvt:action="converted" stEvt:parameters="from image/bmp to image/jpeg"/> <rdf:li stEvt:action="saved" stEvt:instanceID="xmp.iid:D743E235E06CE211A7D8A5B3E809C861" stEvt:when="2013-02-02T10:30 08:00" stEvt:softwareAgent="Adobe Photoshop CS4 Windows" stEvt:changed="/"/> </rdf:Seq> </xmpMM:History> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="w"?>
YU.Yb
XhfTpx
!.lT$
8I''.yF
.mgOV
.hK_~\
.tK /
;.yy=
..pJ1w
M[O.Ioo/.
tòFGC
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
GetProcessHeap
WinExec
GetKeyState
GetViewportOrgEx
WINMM.dll
WINSPOOL.DRV
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
WS2_32.dll
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
.PAVCException@@
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
#include "l.chs\afxres.rc" // Standard components
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
.hcdGAr
(('##"5)
(!!3,,?88
164959334
\<f?%X8
hXXp://tianjianbin.idc.08pr.com
hXXp://q.pay.qq.com/index.shtml?ADTAG=PAY.PT.HEADER.LINK#pay-cardk
w3.jotD
0Mfs-g}sq
R.Ohw\
%U]3pB
7.ZS5
=3gC.pW
GK`tsnmk`jg\621piXpiWqjV=60sjUtjWsjW=5.skVslVrjV93/miXlgZjh]56?mr}qy
rM.rM.
rM.rM/rM/rM/
rM.rM/
rM-rM.rM.
MMzrM.rM/
157358805
hXXp://VVV.27399.com/EsalesNew/QBEsalesPage.aspx?num=1&cknum=1&productid=DC8ED71C4E9BF6A8&price=1&flnid=5
Created with ajaxload.info
1.2.18
%*.*f
MSWHEEL_ROLLMSG
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
AVIFIL32.dll
oledlg.dll
\\.\Scsi0:
VVV.dywt.com.cn
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
msctls_hotkey32
.PAVCOleException@@
.PAVCOleDispatchException@@
c:\%original file name%.exe
1, 0, 6, 6
- Skin.dll
(*.*)
1.0.0.0

%original file name%.exe_496_rwx_10000000_0003E000:

`.rsrc
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cdn_djl[1].js (239 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon[1].png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAWBU14T.htm (0 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\public[1].png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\espay[1].css (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logo[1].png (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\espay[1].js (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\service[1].js (6 bytes)
    C:\Hook.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cdn_djl[2].js (324 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CAVIW3ZT.shtml#pay-card (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tcss.ping[2].js (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\eicon[1].css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\card[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@qq[1].txt (139 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (184 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (692 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tcss.ping[1].js (4 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (5204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\page[1].js (2 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (360 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
