Trojan.GenericKD.1939521_ba3bb5f04c
Susp_Dropper (Kaspersky), Trojan.GenericKD.1939521 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ba3bb5f04cb5befb3842b5a3c1e70f09
SHA1: 4bc2fb10923d137038eb5077293c78c3d535c627
SHA256: 72bd6004fcce543051d36898a134c02cf08c4bf27ff010a623aca2656ce1f5aa
SSDeep: 98304:b2XpSXf4u188Aa2FLMHP5FY bKxtGzkVw2L7HcYO5/u7UkKeyiE/edfgUU//bmjy:bwHc2FLMxNbHaw 7Hc/WgkxbE/eqm9Q3
Size: 4082776 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-29 19:35:27
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:568
ZmPlatform.exe:1500
The Trojan injects its code into the following process(es):
ZmPlatform.exe:1748
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\ZMRL\config.dat (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\system\7z.dll (6391 bytes)
%Program Files%\Common Files\ZMRL\ZmPlatform.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ini001\setupres.7z (180 bytes)
%WinDir%\system\Client7z.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zmsetup\ires.7z (12288 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\zmsetup\ires.7z (0 bytes)
%WinDir%\system\Client7z.dll (0 bytes)
%WinDir%\system\7z.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ini001\setupres.7z (0 bytes)
The process ZmPlatform.exe:1748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\~gm_1254\ZmPlatform.exe (631235 bytes)
%Program Files%\Common Files\ZMRL\config.dat (42 bytes)
%Documents and Settings%\%current user%\Application Data\Cache\Mini.exe (3849 bytes)
%System%\drivers\BootIME7.sys (51 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\ZmPlatform1212[1].exe (631235 bytes)
Registry activity
The process %original file name%.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\zmrili]
"SetupPath" = "%Program Files%\zmrili"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\zmrili]
"ChannelID" = "0828"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D CF 47 8C F7 6C 54 8C 4A F8 A2 51 A0 E2 C7 2D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"calendar" = "%Program Files%\zmrili\zmrili.exe -start"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ZmPlatform.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 03 9B 20 D3 E4 0F 08 36 2E A2 DF 75 97 74 F9"
The process ZmPlatform.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 3B DE 55 93 50 83 A4 C3 43 E4 2C 0A DE 8C ED"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%WinDir%\TEMP\ZmPlatform.exe,"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
Dropped PE files
| MD5 | File path |
|---|---|
| 8415784ec3a900adf5e0894210b5f477 | c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\ZmPlatform1212[1].exe |
| 1663648d20fcd1dc5899652a0a0fd893 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Cache\Mini.exe |
| 8415784ec3a900adf5e0894210b5f477 | c:\Program Files\Common Files\ZMRL\ZmPlatform.exe |
| 01cb0203531dd8fffab24f789b9b8219 | c:\WINDOWS\Temp\ZmPlatform.exe |
| a1141ab569f35866ffce24ceddd8aef3 | c:\WINDOWS\system32\drivers\BootIME7.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\drivers\BootIME7.sys", the Trojan monitors the creation and termination of processes by installing a process notifier.
Propagation
VersionInfo
Company Name:
Product Name: Setup Module
Product Version: 1, 0, 0, 1
Legal Copyright: Copyright 2014
Legal Trademarks:
Original Filename: Setup.exe
Internal Name: Setup
File Version: 1, 0, 0, 1
File Description: Setup Module
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 2748416 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 2752512 | 4067328 | 4064768 | 5.40176 | 30e1ead31201a081de78403007011153 |
| .rsrc | 6819840 | 12288 | 10240 | 3.66047 | bd43ea0357a4debddf0eea5575bd0b4d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://112.124.141.130/update/ZmPlatform1212.exe | |
| hxxp://h.811166.com/update/ZmPlatform1212.exe | |
| yay.zmrili.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /update/ZmPlatform1212.exe HTTP/1.0
Host: h.811166.com
HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 31 Dec 2014 13:24:56 GMT
Content-Type: application/octet-stream
Content-Length: 1538048
Connection: close
Last-Modified: Tue, 16 Dec 2014 12:25:28 GMT
ETag: "549024b8-177800"
Expires: Thu, 01 Jan 2015 13:24:56 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
The Trojan connects to the servers at the following location(s):
There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
Cannot focus a disabled or invisible window!Control '%s' has no parent window
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
ECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
!'%s' is not a valid integer value('%s' is not a valid floating point value1.0.14.1001
1.0.0.0
\Device\Udp
\Device\Tcp
\ZMRL\configtn.dat
%s%s%s
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion
Filter that finds and replaces a token from a TCP stream
Callout that finds and replaces a token from a TCP stream
VVV.hao123.com/?tn=90189843_hao_pg
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
zmplatform.exe
ZmPlatform.exe_1748_rwx_00401000_0030C000:
t.SSj
u$SShe
SSQSSSSh
SSSSh
t%9x t
SSSShP
u SSh
t.hAp
t6Ht.Ht&
Lj.hLlX
n%XpX
CHttpFile
CNotSupportedException
Kernel32.dll
Comdlg32.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
CCmdTarget
Comctl32.dll
CMDIFrameWndEx
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWnd
CMDIChildWnd
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
operator
GetProcessWindowStation
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
\SysWow64\drivers\BootIME7.sys
\system32\drivers\BootIME7.sys
PortMoniterServices
%s@%s@%s
-run -minitips -url=%s -link="" -id=%d -width=%d -height=%d -mini=1
-run -minitips -url=%s -link="" -id=%d -width=%d -height=%d -mini=0
%s can't be opened
@#%&_123
XXXXXX
Error in GetFileVersionInfoSize: %d
Error in GetFileVersionInfo: %d
Error in VerQueryValue: %d
%d.%d.%d.%d
udo.exe
iprotect.exe
clsmn.exe
wxcltaidex.exe
rsclient.exe
winscript.exe
sendcmd.exe
BarClient.exe
wwm.exe
shortcut.exe
HClient.exe
entry.exe
ssp.exe
NSdominated.exe
PubwinClient.exe
partyclient.exe
wxGlw2CltPlg.wxe
WxCultureCli.exe
BarClientView.exe
BarClientSafeCenter.exe
Recreation.exe
DrvDefender.exe
BarOnline.exe
KHLauncher.exe
rwyNCM.exe
HintSafe.exe
wxprolife.wxe
mainpro.exe
VVV.baidu.com
\Mini.exe
\nStatic.dll
\ZMRL\config.dat
\ZMRL\ZmPlatform.exe
hXXp://yay.zmrili.com/api/z.php?cn=%s&id=%s&os=%s&ver=%s&md=%s&c=%s
url:%s
FhXXp://update.zmrili.com/update/update.php?version=%s
ZmPlatform.exe
%s%s_%x\
E:\2013_project\des\service\Release\ZmPlatform.pdb
zcÁ
VVV.tao123.com
HTTP/1.1
hao.360.cn
.PAVCException@@
.PAVCInternetException@@
.PAVCObject@@
.PAVCOleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.PAVCArchiveException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMFCColorBarCmdUI@@
.?AVCMFCToolBarCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDITabProxyWnd@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCRibbonCmdUI@@
.?AV?$CArray@PAVCMFCRibbonKeyTip@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
.PAVCFileException@@
.?AVCHttpFile@@
baidubrowser.exe
hao123.com
VVV.sogou.com
VVV.hao123.com
union.click.jd.com
VVV.jd.com
%Documents and Settings%\%current user%\Application Data\Cache\Mini.exe
%Program Files%\Common Files\ZMRL\ZmPlatform.exe
1.0.14.1015
%Program Files%\Common Files\ZMRL\config.dat
GET / HTTP/1.1
VVV.duba.com
123.sogou.com
cn.msn.com
VVV.2345.com
VVV.apple.com
hao.160.com
VVV.25298.com
VVV.z7755.com
VVV.wz58.com
VVV.3600.com
VVV.91ni.com
hao.qq.com
VVV.baiduso.com
1.huo99.com
GET HTTP/1.1
hao.rising.cn
123.duba.net
VVV.kd1000.com
hao.360.cn/src
VVV.qq.net
VVV.114la.com
VVV.1616.net
.idata
.edata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
%Program Files%\Borland\Delphi7\Source\Rtl\sys\SysUtils.pas
oleaut32.dll
EVariantBadIndexError
TWinHTTPLib
rpcrt4.dll
TAsyncWinHTTPThread
hXXp://h.811166.com/api/s.php?mid=%s&type=%s&id=%s
hXXp://h.811166.com/api/s.php?mid=%s&type=%s
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetCPInfo
MsgWaitForMultipleObjects
wininet.dll
InternetCombineUrlA
winhttp.dll
WinHttpCloseHandle
WinHttpReadData
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpSendRequest
WinHttpOpenRequest
WinHttpConnect
WinHttpOpen
WinHttpGetIEProxyConfigForCurrentUser
WinHttpCrackUrl
WinHttpAddRequestHeaders
WinHttpSetOption
netapi32.dll
nStatic.dll
getURL
> >$>(>,>
5&5.565>5
;!;%;);-;1;
KWindows
WinHTTPLibUnit
ALWinHttpWrapper
UrlMon
UAsyncWinHTTPThread
[email protected] 0
'hXXp://ocsp1.wosign.com/class3/code/ca106
*hXXp://aia1.wosign.com/class3.code.ca1.cer07
&hXXp://crls1.wosign.com/ca1-code-3.crl0Q
hXXp://VVV.wosign.com/policy/0
!Certification Authority of WoSign0
hXXp://crls1.wosign.com/ca1.crl0g
hXXp://ocsp1.wosign.com/ca10.
"hXXp://aia1.wosign.com/ca1-tsa.cer0
hXXp://VVV.usertrust.com1
6hXXp://crl.trust-provider.com/UTN-USERFirst-Object.crl0:
hXXp://ocsp.trust-provider.com0
Þe3F
hXXp://crls1.wosign.com/ca1.crl0o
hXXp://ocsp1.wosign.com/ca106
*hXXp://aia1.wosign.com/ca1-class3-code.cer0
!Certification Authority of WoSign
.rdata
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
%Program Files%\Borland\Delphi7\Source\Rtl\common\TypInfo.pas
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
%Program Files%\Borland\Delphi7\Source\Rtl\common\Classes.pas
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
MAPI32.DLL
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
Uhc%D
AutoHotkeys
Uh.vD
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewx:D
WindowState
OnKeyDown
OnKeyPress8
OnKeyUp\
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
%s, ClassID: %s
ole32.dll
olepro32.dll
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
IWebBrowser
IWebBrowserApp
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizable0
OnWindowSetLeftt
OnWindowSetTop
OnWindowSetWidth
OnWindowSetHeight@
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath`
OnTranslateUrl
OnCommandExec
'%s' is not supported.
!THTMLDocumentEventsonkeydownEvent
THTMLDocumentEventsonkeyupEvent
"THTMLDocumentEventsonkeypressEvent
onkeydown
onkeyup
onkeypressL5F
%s only supports sinking of method calls!
WebocPopupManagement
ValidateNavigateUrl
HttpUsernamePasswordDisable
GetUrlDomFilePathUnencoded
XmlHttp
PTF://
hXXp://
hXXps://
AppEvents\Schemes\Apps\Explorer\Navigating\.Current
.Current
\ieframe.dll
\shdocvw.dll
\StringFileInfo\%0.4x%0.4x\%s
TMsgEvent
TKeyEventEx
Port
Password
poPortrait
OnKeyDown4
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
EmbeddedWB hXXp://bsalsa.com/
1.2.3
Portable Network Graphics
-url=
Internet Explorer\iexplore.exe
RunCMDTimer
RunCMDTimerTimer
52BB8691-C40A-4801-AFAA-D04DD37E9D3E
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteExA
ShellExecuteA
gdiplus.dll
GdiplusShutdown
6)7.7<7_7
6|7`7r7
2 2$2(2,2024282<2@2\2|2
2 2$2(2,2024282<2
8 8%8s8
9 9$9(9,9094989<9
1$2(2,202
0 0$0(0,0
3 4A4D4I4V4
6-6}6
3/43474<4
: ;/;3;7;<;
3,41484{4>$?(?,?0?4?8?<?
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
DialogBoxes.DisableAll
PrintOptions.Margins.Left
PrintOptions.Margins.Right
PrintOptions.Margins.Top
PrintOptions.Margins.Bottom
PrintOptions.HTMLHeader.Strings
PrintOptions.Orientation
Picture.Data
!iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmpMM:InstanceID="xmp.iid:BE9CA1D91AD411E385DDCCF2EF62535D" xmpMM:DocumentID="xmp.did:BE9CA1DA1AD411E385DDCCF2EF62535D"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:BE9CA1D71AD411E385DDCCF2EF62535D" stRef:documentID="xmp.did:BE9CA1D81AD411E385DDCCF2EF62535D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>v(
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c014 79.151481, 2013/03/13-12:09:15 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmpMM:InstanceID="xmp.iid:C7EF29DA1AD411E3B10CD290FE9B4D30" xmpMM:DocumentID="xmp.did:C7EF29DB1AD411E3B10CD290FE9B4D30"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:C7EF29D81AD411E3B10CD290FE9B4D30" stRef:documentID="xmp.did:C7EF29D91AD411E3B10CD290FE9B4D30"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.5
VisualEffects.DisableSounds
iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:029BB9E416B011E491B2FBD891EFCE9E" xmpMM:DocumentID="xmp.did:029BB9E516B011E491B2FBD891EFCE9E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:029BB9E216B011E491B2FBD891EFCE9E" stRef:documentID="xmp.did:029BB9E316B011E491B2FBD891EFCE9E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
.text
h.rdata
H.data
.reloc
TransportAddress
irpStack:%x
HTTP/1.1 302 Moved Permanently
Location: %s
HTTP/1.1 302 Found
hXXp://VVV.baidu.com/
Host: VVV.baidu.com
HTTP/1.1
find refer len:%d
Now %d, Old: %d, Now : %d, Old %d,%s,%s
Extern called :%d, %s
explorer.exe
this :%d, %s %d, %s
hXXp://VVV.hao123.com/?tn=90189843_hao_pg
find the mylink:%s
In the white list :%s
aaa :%s,%s
DWJ Error: PsLookupProcessByProcessId Failed: x
Error: ObOpenObjectByPointer Failed: x
GetParentProcessId PsLookupProcessByProcessId failed pid:%u , x
ZwQueryInformationProcess info failed :x
PsLookupProcessByProcessId() faild x
Writeof of service failed: x
Proctect of service failed: x
ZwReadFile failed with:x
..Host:Connection:
HTTP/1.1 200 OK
GET /index.html?pid=
Host: VVV.sogou.com
Host: VVV.hao123.com
fwchrome.exe
360chrome.exe
flyie.exe
jsy.exe
caiyun.exe
xttbrowser.exe
zbrowser.exe
aegis.exe
miniie_2.exe
krbrowser.exe
myiq.exe
vu.exe
tfybrowser.exe
coral.exe
roamb.exe
rsbrowser.exe
alibrowser.exe
cell.exe
cyie.exe
hxbrowser.exe
piluo.exe
cheerbrowser.exe
gesearch.exe
webstrip.exe
ttraveler.exe
scheduler.exe
iron.exe
s3browser-win32.exe
qqbrowser.exe
xplorer.exe
crazy browser.exe
barsmedia.exe
avant.exe
8uexplorer.exe
114ie.exe
gamesbrowser.exe
languang.exe
ucbrowser.exe
myie9.exe
2291browser.exe
pbbrowser.exe
browser.exe
qtweb.exe
yyexplorer.exe
seemao.exe
jx.exe
jwbrowser.exe
caimao.exe
se.exe
huaer.exe
airview.exe
seamonkey.exe
palemoon.exe
luna.exe
webgamegt.exe
gosurf.exe
dragon.exe
acoobrowser.exe
saayaa.exe
srie.exe
ftbr.exe
sbframe.exe
dybrowser.exe
ruiying.exe
taomeebrowser.exe
taobrowser.exe
kchrome.exe
cometbrowser.exe
chgreenbrowser.exe
duoping.exe
greenbrowser.exe
2345explorer.exe
xbrowser.exe
07073ge.exe
netscape.exe
maxthon.exe
safari.exe
chrome.exe
opera.exe
firefox.exe
the world .exe
sogouexplorer.exe
iexplore.exe
tango3.exe
juzi.exe
2345chrome.exe
theworld.exe
360se.exe
e:\code\rili_8_29\win7_fw_sys\winxp_fw_sys\objfre_wxp_x86\i386\tdi_sys.pdb
ZwOpenKey
RtlCreateRegistryKey
ZwQueryValueKey
ntoskrnl.exe
HAL.dll
TDI.SYS
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
[email protected](0&
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
whilte list item: %s,%s,%d
setRulesNode: %s,%s,%s
RegistryMonitor: ERROR CmRegisterCallback - x
HTTP/1.1 301 Moved Permanently
hXXp://VVV.sogou.com/index.html?pid=sogou-netb-5481b2f34a74e427-8780
twchrome.exe
<p>The document has moved <a href="hXXp://VVV.baidu.com/search/error.html">here</a>.</p>
GET /?tn=93550978_hao_pg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
GET /index.php?tn=
GET /index.html HTTP/1.1
f:\codejd\rinimeirili\win7_fw_sys\objfre_win7_x86\i386\fw_win7_.pdb
ZwSetValueKey
ZwEnumerateKey
ZwQueryKey
fwpkclnt.sys
2 2(2,282
.pdata
f:\codejd\rinimeirili\win7_fw_sys\objfre_win7_amd64\amd64\fw_win7_.pdb
GetWindowsDirectoryW
GetProcessHeap
GetWindowsDirectoryA
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
ScaleViewportExtEx
OffsetViewportOrgEx
SetViewportExtEx
GetViewportExtEx
GetViewportOrgEx
ShellExecuteW
UrlUnescapeW
CreateDialogIndirectParamW
GetAsyncKeyState
MapVirtualKeyW
GetKeyNameTextW
MapVirtualKeyExW
SetWindowsHookExW
InternetOpenUrlW
HttpQueryInfoW
InternetCanonicalizeUrlW
InternetCrackUrlW
%%c("%F?=Kj/99
9IO%X8.
`7P0.HD
0u.Hn
&%S j
.Fa[@
3#->33I-#--I33?Q [-3#;.#3I;--##0 .AG?L
.CA1# [M,# I?11?Y435#S#.Z-##-3?H3W-3-7w #M$--50>6-#
($ ($ ( (
\ $$$$,$$(,(4
800 $ ($$
$ ,$$(0,, $00($<
(0,0,(,($$,$,
`.rdata
@.data
.rsrc
@.reloc
@WININET.DLL
@.CHM
UKernel32.dll
UComdlg32.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
Advapi32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
xuser32.dll
dwmapi.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
accKeyboardShortcut
commctrl_DragListMsg
Afx:%p:%x
Afx:%p:%x:%p:%p:%p
AD2D1.dll
DWrite.dll
UMFCLink_Url
MFCLink_UrlPrefix
%s:%x:%x:%x:%x
D%d%%
&%d %s
Uf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
EHex={X,X,X}f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
TOOLBAR_RESETKEYBAORD
%sMFCToolBar-%d
%sMFCToolBar-%d%x
%sMFCToolBarParameters
KEYTIP
IDB_OFFICE2007_RIBBON_KEYTIP_BACK
GMSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
%sPane-%d
%sPane-%d%x
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
%c%d%c%s
%sBasePane-%d
%sBasePane-%d%x
VRGB(%d, %d, %d)
Lwindows
H1&0 %s
%sMFCOutlookBar-%d
%sMFCOutlookBar-%d%x
Wf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
W%sDockablePaneAdapter-%d
%sDockablePaneAdapter-%d%x
Pwindows
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
PMSFTEDIT.DLL
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
%sMFCTasksPane-%d
%sMFCTasksPane-%d%x
KEYS
KEYS_MENU
ENABLE_KEYS
Rmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
\\.\CsTracker
hXXp://int.dpool.sina.com.cn/iplookup/iplookup.php?format=json
urls:%s
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; .NET CLR 2.0.50727)
Content-Type: application/x-www-form-urlencoded
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread Error: %s (%d)
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
I/O error %d
Integer overflow Invalid floating point operation
errorUrl
jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.oSome operation could not be performed because the system is out of resources. Close some windows and try again.OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.
JPEG error #%d
JPEG Image FilejThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corruptedUThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.
Description: BThe "Portable Network Graphics" image contains an invalid palette.
The file being readed is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corruped, try obtaining it again.nThis "Portable Network Graphics" image is not supported or it might be invalid.
This "Portable Network Graphics" image is not supported because either it's width or height exceeds the maximum size, which is 65535 pixels length.
There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
Cannot focus a disabled or invisible window!Control '%s' has no parent window
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
ECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
!'%s' is not a valid integer value('%s' is not a valid floating point value1.0.14.1001
1.0.0.0
\Device\Udp
\Device\Tcp
\ZMRL\configtn.dat
%s%s%s
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion
Filter that finds and replaces a token from a TCP stream
Callout that finds and replaces a token from a TCP stream
VVV.hao123.com/?tn=90189843_hao_pg
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:568
ZmPlatform.exe:1500
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Common Files\ZMRL\config.dat (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\system\7z.dll (6391 bytes)
%Program Files%\Common Files\ZMRL\ZmPlatform.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ini001\setupres.7z (180 bytes)
%WinDir%\system\Client7z.dll (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zmsetup\ires.7z (12288 bytes)
%WinDir%\Temp\~gm_1254\ZmPlatform.exe (631235 bytes)
%Documents and Settings%\%current user%\Application Data\Cache\Mini.exe (3849 bytes)
%System%\drivers\BootIME7.sys (51 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\ZmPlatform1212[1].exe (631235 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"calendar" = "%Program Files%\zmrili\zmrili.exe -start"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.