MD5: 8412aea0c55fa45fcc10caf8131704f6
SHA1: fa58682844be5a13ed2e56907b1d890d290ae019
SHA256: 7be9035ad1311dee2b2e3d89529793fa508049eb2c8653a78f6783f804c9e14a
SSDeep: 49152:GTWqOgRzC4Zbg6ptyGFh WLiseOIV2WeX8kWVhBx3jZ599AgZPEol:BMz9FpIVb9jTbZPE8
Size: 2808188 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Appinstallr
Created at: 2009-06-07 00:41:48
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

net1.exe:1436
net1.exe:1736
net1.exe:1988
net1.exe:1952
net.exe:428
net.exe:596
net.exe:1352
net.exe:1772
%original file name%.exe:1800
svchost06.exe:1200

The Trojan injects its code into the following process(es):

DNFµ¶¿Í0606A.exe:344
MZRTdKAQ.exe:1732
xslxtnl.exe:968
svchost06.exe:816

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process DNFµ¶¿Í0606A.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\5a8ff7a6ad7e38ec83dcaa35f9967198_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (48 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\5f20925ad2c5776d06c97fc8ee4a524c_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (51 bytes)

The process MZRTdKAQ.exe:1732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123[1].txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\x666[1].txt (114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\h666[1].txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hmsx[1].txt (126 bytes)

The process xslxtnl.exe:968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index[1].htm (3683 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MZRTdKAQ.exe (5442 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index[2].htm (3683 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index[1].htm (0 bytes)

The process %original file name%.exe:1800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\svchost06.exe (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DNFµ¶¿Í0606A.exe (76913 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse3F.tmp (0 bytes)

The process svchost06.exe:1200 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xslxtnl.exe (171767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\HM[1].css (219603 bytes)

Registry activity

The process DNFµ¶¿Í0606A.exe:344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\wn1107778097c.vch]
"(Default)" = "91 EA 48 9D 43 A2 61 FD 80 05 EF DB AF 28 AA 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 66 D1 EA E7 C9 42 FD 0D 54 B4 72 AB 09 E4 4A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process net1.exe:1436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F ED 28 EF E7 09 DD 53 EB 8F E4 2B AA FA 62 A5"

The process net1.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 E3 6B 91 8A E1 DC 89 E5 24 91 9F 44 4A 89 53"

The process net1.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 46 1D 8C 5A CB AD DA 0E 9C 5D EF 2F BB 28 5C"

The process net1.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 4A 79 33 01 82 FF 4E 2C A5 7F 21 DF 4B 70 2C"

The process net.exe:428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD B6 CA 7A 65 F6 72 48 CA 00 09 C6 EF A0 6F 9A"

The process net.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 51 E9 D0 5F 4D B9 E4 C1 95 7F 4B C1 92 DA 0A"

The process net.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F D6 6B 63 24 D1 43 39 AD B6 3E EA A4 BE 33 CC"

The process net.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 54 90 A3 9F 95 BC E3 6A D5 53 BB 3A B3 31 75"

The process MZRTdKAQ.exe:1732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 57 E8 15 16 E1 33 AB 0D DE 10 60 D6 BB 5C DA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process xslxtnl.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 21 A9 13 36 9B A3 2F 89 31 B6 07 40 13 ED 33"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F CD B5 60 3B BB 4D E5 9E 52 24 C0 AC 0B B0 4E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"DNFµ¶¿Í0606A.exe" = "YY:5667"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"svchost06.exe" = "svchost06"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process svchost06.exe:1200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 37 A3 78 F2 37 DA 72 5E D1 21 EC B2 32 44 78"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process svchost06.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 82 61 CD 88 82 CA DB 18 BF F3 3F 0F 66 FF 13"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
7f819cc1e471371baed4715c2f0216dc
90a060fc6d8de441020e3e715f834db2

URLs

URL	IP
hxxp://www.a.shifen.com/
hxxp://a1574.b.akamai.net/453198928/blog/1344939460
hxxp://ip.qq.com/cgi-bin/index	112.90.83.44
hxxp://user.qzone.qq.com/453198928/blog/1344939460	165.254.149.51
hxxp://www.baidu.com/	180.76.3.151

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /453198928/blog/1344939460 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: user.qzone.qq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: QZHTTP-2.38.18

X-Frame-Options: SAMEORIGIN

X-UA-Compatible: IE=Edge

Last-Modified: Thu, 03 Jul 2014 05:07:18 GMT

Cache-Control: max-age=0, no-transform, proxy-revalidate

Content-Type: text/html; charset=utf-8

Date: Thu, 03 Jul 2014 05:07:18 GMT

Content-Length: 26815

Connection: keep-alive

Set-Cookie: _qz_referrer=; expires=Mon, 26 Jul 1997 05:00:00 GMT; PATH=/; DOMAIN=qq.com
<!DOCTYPE HTML><html lang="zh-cn" class="skin-dark pg-profile
"><head><noscript><meta http-equiv="refresh" content
="0; url=hXXp://os.qzs.qq.com/qzone/v6/troubleshooter/noscript.html" /
></noscript><meta charset="UTF-8" /><meta http-equiv
="content-type" content="text/html; charset=UTF-8" /><title>.
.............. [hXXp://453198928.qzone.qq.com]</title><meta n
ame="keywords" content="QQ......,......,............,............,QQ..
....,QQ......" /><meta name="description" content=".............
.....@......!MY name Chief A20140126pig" /><script type="text/ja
vascript">    var g_domain = "qq.com";        document.domain=g_dom
ain;    var _s_=new Date(),g_T={},siDomain="os.qzonestyle.gtimg.cn",im
gcacheDomain="os.qzs." g_domain,g_iUin=453198928,g_iLoginUin=0;g_T.fwp
=[_s_];document.namespaces&&document.namespaces.add&&(document.namespa
ces.add('qz', 'hXXp://qzone.qq.com/'),document.namespaces.add('x', 'ht
tp://qzone.qq.com/'));</script>    <link href="hXXp://os.qzon
estyle.gtimg.cn/aoi/old-qz_qzone_lv.css" rel="stylesheet" /><lin
k href="hXXp://os.qzonestyle.gtimg.cn/aoi/skin/31.css" rel="stylesheet
"/><link href="hXXp://os.qzonestyle.gtimg.cn/aoi/profile.css" re
l="stylesheet"/><style id="mainJSTitleBar" type="text/css">.l
ayout-head-inner {height:190px;}</style><style type="text/css
"></style><style type="text/css" id="dynamicStyle">.own
ermode{display:none;}.clientmode{display:;}.editmode{display:none;
<<< skipped >>>

GET /453198928/blog/1344939460 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: user.qzone.qq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: QZHTTP-2.38.18

X-Frame-Options: SAMEORIGIN

X-UA-Compatible: IE=Edge

Last-Modified: Thu, 03 Jul 2014 05:07:19 GMT

Cache-Control: max-age=0, no-transform, proxy-revalidate

Content-Type: text/html; charset=utf-8

Date: Thu, 03 Jul 2014 05:07:19 GMT

Content-Length: 26815

Connection: keep-alive

Set-Cookie: _qz_referrer=; expires=Mon, 26 Jul 1997 05:00:00 GMT; PATH=/; DOMAIN=qq.com
<!DOCTYPE HTML><html lang="zh-cn" class="skin-dark pg-profile
"><head><noscript><meta http-equiv="refresh" content
="0; url=hXXp://os.qzs.qq.com/qzone/v6/troubleshooter/noscript.html" /
></noscript><meta charset="UTF-8" /><meta http-equiv
="content-type" content="text/html; charset=UTF-8" /><title>.
.............. [hXXp://453198928.qzone.qq.com]</title><meta n
ame="keywords" content="QQ......,......,............,............,QQ..
....,QQ......" /><meta name="description" content=".............
.....@......!MY name Chief A20140126pig" /><script type="text/ja
vascript">    var g_domain = "qq.com";        document.domain=g_dom
ain;    var _s_=new Date(),g_T={},siDomain="os.qzonestyle.gtimg.cn",im
gcacheDomain="os.qzs." g_domain,g_iUin=453198928,g_iLoginUin=0;g_T.fwp
=[_s_];document.namespaces&&document.namespaces.add&&(document.namespa
ces.add('qz', 'hXXp://qzone.qq.com/'),document.namespaces.add('x', 'ht
tp://qzone.qq.com/'));</script>    <link href="hXXp://os.qzon
estyle.gtimg.cn/aoi/old-qz_qzone_lv.css" rel="stylesheet" /><lin
k href="hXXp://os.qzonestyle.gtimg.cn/aoi/skin/31.css" rel="stylesheet
"/><link href="hXXp://os.qzonestyle.gtimg.cn/aoi/profile.css" re
l="stylesheet"/><style id="mainJSTitleBar" type="text/css">.l
ayout-head-inner {height:190px;}</style><style type="text/css
"></style><style type="text/css" id="dynamicStyle">.own
ermode{display:none;}.clientmode{display:;}.editmode{display:none;
<<< skipped >>>

GET /453198928/blog/1344939460 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: user.qzone.qq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: QZHTTP-2.38.18

X-Frame-Options: SAMEORIGIN

X-UA-Compatible: IE=Edge

Last-Modified: Thu, 03 Jul 2014 05:07:20 GMT

Cache-Control: max-age=0, no-transform, proxy-revalidate

Content-Type: text/html; charset=utf-8

Date: Thu, 03 Jul 2014 05:07:21 GMT

Content-Length: 26815

Connection: keep-alive

Set-Cookie: _qz_referrer=; expires=Mon, 26 Jul 1997 05:00:00 GMT; PATH=/; DOMAIN=qq.com
<!DOCTYPE HTML><html lang="zh-cn" class="skin-dark pg-profile
"><head><noscript><meta http-equiv="refresh" content
="0; url=hXXp://os.qzs.qq.com/qzone/v6/troubleshooter/noscript.html" /
></noscript><meta charset="UTF-8" /><meta http-equiv
="content-type" content="text/html; charset=UTF-8" /><title>.
.............. [hXXp://453198928.qzone.qq.com]</title><meta n
ame="keywords" content="QQ......,......,............,............,QQ..
....,QQ......" /><meta name="description" content=".............
.....@......!MY name Chief A20140126pig" /><script type="text/ja
vascript">    var g_domain = "qq.com";        document.domain=g_dom
ain;    var _s_=new Date(),g_T={},siDomain="os.qzonestyle.gtimg.cn",im
gcacheDomain="os.qzs." g_domain,g_iUin=453198928,g_iLoginUin=0;g_T.fwp
=[_s_];document.namespaces&&document.namespaces.add&&(document.namespa
ces.add('qz', 'hXXp://qzone.qq.com/'),document.namespaces.add('x', 'ht
tp://qzone.qq.com/'));</script>    <link href="hXXp://os.qzon
estyle.gtimg.cn/aoi/old-qz_qzone_lv.css" rel="stylesheet" /><lin
k href="hXXp://os.qzonestyle.gtimg.cn/aoi/skin/31.css" rel="stylesheet
"/><link href="hXXp://os.qzonestyle.gtimg.cn/aoi/profile.css" re
l="stylesheet"/><style id="mainJSTitleBar" type="text/css">.l
ayout-head-inner {height:190px;}</style><style type="text/css
"></style><style type="text/css" id="dynamicStyle">.own
ermode{display:none;}.clientmode{display:;}.editmode{display:none;
<<< skipped >>>

GET / HTTP/1.1

User-Agent: test

Host: VVV.baidu.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 05:07:17 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: Keep-Alive

Vary: Accept-Encoding

Set-Cookie: BAIDUID=4D18A2D2641742024364B1CA13A18B7B:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com

Set-Cookie: BDSVRTM=0; path=/

Set-Cookie: H_PS_PSSID=7430_1420_5223_6995_7442_6506_7232_6018_7202_7133_7390_6888; path=/; domain=.baidu.com

P3P: CP=" OTI DSP COR IVA OUR IND COM "

Cache-Control: private

Cxy_all: baidu ca7061de80364c977b16aa643d875919

Expires: Thu, 03 Jul 2014 05:06:25 GMT

X-Powered-By: HPHP

Server: BWS/1.1

BDPAGETYPE: 1

BDQID: 0xc3792b130001226d

BDUSERID: 0
d088..<!DOCTYPE html><!--STATUS OK--><html><head&
gt;<meta http-equiv="content-type" content="text/html;charset=utf-8
"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><li
nk rel="dns-prefetch" href="//s1.bdstatic.com"/><link rel="dns-p
refetch" href="//t1.baidu.com"/><link rel="dns-prefetch" href="/
/t2.baidu.com"/><link rel="dns-prefetch" href="//t3.baidu.com"/&
gt;<link rel="dns-prefetch" href="//t10.baidu.com"/><link rel
="dns-prefetch" href="//t11.baidu.com"/><link rel="dns-prefetch"
 href="//t12.baidu.com"/><title>...........................&l
t;/title><style index="index" >html,body{height:100%}html{ove
rflow-y:auto}#wrapper{position:relative;_position:;min-height:100%}#co
ntent{padding-bottom:100px;text-align:center}#ftCon{height:100px;posit
ion:absolute;bottom:44px;text-align:center;width:100%;margin:0 auto;z-
index:0;overflow:hidden}#ftConw{width:720px;margin:0 auto}body{font:12
px arial;text-align:;background:#fff}body,p,form,ul,li{margin:0;paddin
g:0;list-style:none}body,form,#fm{position:relative}td{text-align:left
}img{border:0}a{color:#00c}a:active{color:#f60}.bg{background-image:ur
l(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_e540198d.
png);background-repeat:no-repeat;_background-image:url(hXXp://s1.bdsta
tic.com/r/www/cache/static/global/img/icons_d2618985.gif)}.bg_tuiguang
_browser{width:16px;height:16px;background-position:-600px 0;display:i
nline-block;vertical-align:text-bottom;font-style:normal;overflow:
<<< skipped >>>

GET / HTTP/1.1

User-Agent: test

Host: VVV.baidu.com

Cache-Control: no-cache

Cookie: BAIDUID=4D18A2D2641742024364B1CA13A18B7B:FG=1; H_PS_PSSID=7430_1420_5223_6995_7442_6506_7232_6018_7202_7133_7390_6888; BDSVRTM=0

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 05:07:20 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: Keep-Alive

Vary: Accept-Encoding

Cache-Control: private

Cxy_all: baidu c46ee175679f5ed3a8513c6a769a1aa8

Expires: Thu, 03 Jul 2014 05:07:18 GMT

X-Powered-By: HPHP

Server: BWS/1.1

BDPAGETYPE: 1

BDQID: 0xa0da8ce50000fd0c

BDUSERID: 0

Set-Cookie: BDSVRTM=0; path=/

Set-Cookie: H_PS_PSSID=7430_1420_5223_6995_7442_6506_7232_6018_7202_7133_7390_6888; path=/; domain=.baidu.com
d07e..<!DOCTYPE html><!--STATUS OK--><html><head&
gt;<meta http-equiv="content-type" content="text/html;charset=utf-8
"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><li
nk rel="dns-prefetch" href="//s1.bdstatic.com"/><link rel="dns-p
refetch" href="//t1.baidu.com"/><link rel="dns-prefetch" href="/
/t2.baidu.com"/><link rel="dns-prefetch" href="//t3.baidu.com"/&
gt;<link rel="dns-prefetch" href="//t10.baidu.com"/><link rel
="dns-prefetch" href="//t11.baidu.com"/><link rel="dns-prefetch"
 href="//t12.baidu.com"/><title>...........................&l
t;/title><style index="index" >html,body{height:100%}html{ove
rflow-y:auto}#wrapper{position:relative;_position:;min-height:100%}#co
ntent{padding-bottom:100px;text-align:center}#ftCon{height:100px;posit
ion:absolute;bottom:44px;text-align:center;width:100%;margin:0 auto;z-
index:0;overflow:hidden}#ftConw{width:720px;margin:0 auto}body{font:12
px arial;text-align:;background:#fff}body,p,form,ul,li{margin:0;paddin
g:0;list-style:none}body,form,#fm{position:relative}td{text-align:left
}img{border:0}a{color:#00c}a:active{color:#f60}.bg{background-image:ur
l(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_e540198d.
png);background-repeat:no-repeat;_background-image:url(hXXp://s1.bdsta
tic.com/r/www/cache/static/global/img/icons_d2618985.gif)}.bg_tuiguang
_browser{width:16px;height:16px;background-position:-600px 0;display:i
nline-block;vertical-align:text-bottom;font-style:normal;overflow:
<<< skipped >>>

GET /cgi-bin/index HTTP/1.1

Referer: hXXp://ip.qq.com/cgi-bin/index

Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: ip.qq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 05:07:27 GMT

Server: Apache/2.4.2 (Unix)

Cache-Control: max-age=0, must-revalidate

Set-Cookie: ipqqcom_user_id=121871; Domain=ip.qq.com; Expires=Fri, 04 Jul 2014 05:07:27 GMT; Path=/; HTTPOnly

Transfer-Encoding: chunked

Content-Type: text/html
f4c..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<ht
ml xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..    <met
a http-equiv="Content-Type" content="text/html; charset=gb2312" />.
.    <link rel="stylesheet" type="text/css" href="/css/global.css" 
/>..    <link rel="stylesheet" type="text/css" href="/css/ip.css
" />..    <link rel="stylesheet" href="/css/thickbox.css" type="
text/css" media="screen" />..    <link href="/css/help.css" rel=
"stylesheet" type="text/css" />..    <title>IP............<
;/title>..    <script language="JavaScript" type="text/javascrip
t" src="/js/jquery.js"></script>..    <script language="Ja
vaScript" type="text/javascript" src="/js/showlayer.js"></script
>..    <script language="JavaScript" type="text/javascript" src=
"/js/iplist_thickbox.js"></script>..    <script language="
JavaScript" type="text/javascript" src="/js/public.js"></script&
gt;..    <script language="JavaScript" type="text/javascript" src="
/js/geo.js"></script>..</head>..<body onload="setup(
);Change_Hide_bak(1);login_in(0);status();preselect('');">..<div
 class="header">..    <div class="padder">..        <a cla
ss="logo" title="...." style="background-image:url(/img/logo.jpg); wid
th: 300px; height: 72px;"> </a>..        <div class="links
">..            <div class="outerLink">..                
<<< skipped >>>

GET /cgi-bin/index HTTP/1.1

Referer: hXXp://ip.qq.com/cgi-bin/index

Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Host: ip.qq.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 05:07:27 GMT

Server: Apache/2.4.2 (Unix)

Cache-Control: max-age=0, must-revalidate

Set-Cookie: ipqqcom_user_id=651030; Domain=ip.qq.com; Expires=Fri, 04 Jul 2014 05:07:27 GMT; Path=/; HTTPOnly

Transfer-Encoding: chunked

Content-Type: text/html
f4c..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<ht
ml xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..    <met
a http-equiv="Content-Type" content="text/html; charset=gb2312" />.
.    <link rel="stylesheet" type="text/css" href="/css/global.css" 
/>..    <link rel="stylesheet" type="text/css" href="/css/ip.css
" />..    <link rel="stylesheet" href="/css/thickbox.css" type="
text/css" media="screen" />..    <link href="/css/help.css" rel=
"stylesheet" type="text/css" />..    <title>IP............<
;/title>..    <script language="JavaScript" type="text/javascrip
t" src="/js/jquery.js"></script>..    <script language="Ja
vaScript" type="text/javascript" src="/js/showlayer.js"></script
>..    <script language="JavaScript" type="text/javascript" src=
"/js/iplist_thickbox.js"></script>..    <script language="
JavaScript" type="text/javascript" src="/js/public.js"></script&
gt;..    <script language="JavaScript" type="text/javascript" src="
/js/geo.js"></script>..</head>..<body onload="setup(
);Change_Hide_bak(1);login_in(0);status();preselect('');">..<div
 class="header">..    <div class="padder">..        <a cla
ss="logo" title="...." style="background-image:url(/img/logo.jpg); wid
th: 300px; height: 72px;"> </a>..        <div class="links
">..            <div class="outerLink">..                
<<< skipped >>>

GET / HTTP/1.1

User-Agent: test

Host: VVV.baidu.com

Cache-Control: no-cache

Cookie: BAIDUID=4D18A2D2641742024364B1CA13A18B7B:FG=1; H_PS_PSSID=7430_1420_5223_6995_7442_6506_7232_6018_7202_7133_7390_6888; BDSVRTM=0

HTTP/1.1 200 OK

Date: Thu, 03 Jul 2014 05:07:19 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: Keep-Alive

Vary: Accept-Encoding

Cache-Control: private

Cxy_all: baidu 618145d1d528fd6e8aede38cee489f69

Expires: Thu, 03 Jul 2014 05:06:24 GMT

X-Powered-By: HPHP

Server: BWS/1.1

BDPAGETYPE: 1

BDQID: 0xa3ea36ba0000a149

BDUSERID: 0

Set-Cookie: BDSVRTM=0; path=/

Set-Cookie: H_PS_PSSID=7430_1420_5223_6995_7442_6506_7232_6018_7202_7133_7390_6888; path=/; domain=.baidu.com
d06a..<!DOCTYPE html><!--STATUS OK--><html><head&
gt;<meta http-equiv="content-type" content="text/html;charset=utf-8
"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><li
nk rel="dns-prefetch" href="//s1.bdstatic.com"/><link rel="dns-p
refetch" href="//t1.baidu.com"/><link rel="dns-prefetch" href="/
/t2.baidu.com"/><link rel="dns-prefetch" href="//t3.baidu.com"/&
gt;<link rel="dns-prefetch" href="//t10.baidu.com"/><link rel
="dns-prefetch" href="//t11.baidu.com"/><link rel="dns-prefetch"
 href="//t12.baidu.com"/><title>...........................&l
t;/title><style index="index" >html,body{height:100%}html{ove
rflow-y:auto}#wrapper{position:relative;_position:;min-height:100%}#co
ntent{padding-bottom:100px;text-align:center}#ftCon{height:100px;posit
ion:absolute;bottom:44px;text-align:center;width:100%;margin:0 auto;z-
index:0;overflow:hidden}#ftConw{width:720px;margin:0 auto}body{font:12
px arial;text-align:;background:#fff}body,p,form,ul,li{margin:0;paddin
g:0;list-style:none}body,form,#fm{position:relative}td{text-align:left
}img{border:0}a{color:#00c}a:active{color:#f60}.bg{background-image:ur
l(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_e540198d.
png);background-repeat:no-repeat;_background-image:url(hXXp://s1.bdsta
tic.com/r/www/cache/static/global/img/icons_d2618985.gif)}.bg_tuiguang
_browser{width:16px;height:16px;background-position:-600px 0;display:i
nline-block;vertical-align:text-bottom;font-style:normal;overflow:
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.itext

`.data

.idata

.rsrc

t$(SSh

~%UVW

u$SShe

psapi.dll

comdlg32.dll

advapi32.dll

kernel32.dll

user32.dll

ntdll.dll

Kernel32.dll

EnumWindows

CreateWindowStationA

CloseWindowStation

NtYieldExecution

GetProcessHeap

{A068799B-7551-46b9-8CA8-EEF8357AFEA4}

csrss.exe

20140126

http://user.qzone.qq.com/453198928/blog/1344939460

klekle.cccpan.com

vmp.exe

.rdata

P.rsrc

@.reloc

oleaut32.dll

'Z6Sv.Qo#=_DNc]H<^E;]D:\C9XB7WA6V@5T>3Q=2P<1N:/N;/TA5bP?

ugJ_O8L8,G4)D1)A0'5I](?g2Jt,Lo ;_LQgoTImSGlQEkPEfNBeMAcK?bJ>`H<`H
cP{[email protected]'AeW^p
eUGWh(?c.Jo3Vp
gXGWh 6[.Ip.Pp
qaN[n';b.Jn-Lj#=`\at
vfMZm&<`.Ip(Mk
{kKZn!.[.Io&Ll
~pM^p$2b.Jo/Pk">aO[xxuvwww{~w~
>Rx;Nr7Lw;Uy9Uw4Ss2St4Rs4Qr4Rr4Qq*Bh.Eo:Vw9Su
w.fwEd
<%C^A
E\6-s}$
-cg}k
.rqDKq
2.mC3
GÝg
KeY/_EF
UWG.Ps 4
?T?A.QN
4.o %S
.ZRAF!`
T.EIg
..yW~
r.KoQ
KcP4%U/
%F-J}
J.Ndyp
.uI2Em
q.dzO
.Iür
_X.wc
C|P%Sv
3.zC/
.xsxD
.jYRR
[E%u{
x<.HBR
'N.mI
CK.fP
.MP>(
R.pb>*
P".py
.Yhoj
:.de6qn
Õ0p
]Q.Jw3
.PcqvyeO`
..YGN
.ZF J
.qnHr
d.tD/
hz.tK~
4>A%F
?e%u4
v.pLWS${
}$PLH%X
u)%SSP
".zF/
`q.rb4
St%s8
$r!u.AL
<7%Xr
3.lwK
o.GJ}
.KF12
-4;.lE
yt%cr%
_.Hp,
| J>"%F
].xS3gfG:
.Bu' ]H
.Gigr
u$/.xY
.Mo}_p
.VCK3~
=X%9U
D%X]T
D.qZl
}q.Scc
fg|%s
Gl_
\svchost.vmp.exe
.text
`.rdata
@.data
@.vmp0
`.vmp1
cS%dR
\ B>.vd,
%UY]Q/
%d=|4_
QW .LE
.DmHi
POz.iLc
X.RZ.
^%xx,8
N.RD(
(stf.RWF/o
.Ya_q
y@%fz
.roFD
q*.qP
KV.me
w'IY.kgA
rA.mv
%uXkJE
GDI32.dll
KERNEL32.dll
COMCTL32.dll
oledlg.dll
iJcomdlg32.dll
aKWINSPOOL.DRV
:Urld
.aX`L
bX .lQ
/a.Oy
-F}bV{6:
.BrJ3
anV%S
Jl.leB ,U
.BN!V
! .Fr'
j.mJ #
/U.qE"
WINMM.dll
WS2_32.dll
mWSHELL32.dll
h.FrP`
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
yUSER32.dll
ShellExecuteA
5%%cG
YY.exe
ImProtocol.dll
winmm.dll
ws2_32.dll
WinINet.dll
gdi32.dll
GLU32.DLL
aclui.dll
acsmib.dll
activeds.dll
AcXtrnal.dll
adimage.dll
adptif.dll
ADVAPI32.DLL
advpack.dll
atl.dll
authz.dll
avicap32.dll
avifil32.dll
browseui.dll
CABINET.DLL
clusapi.dll
comctl32.dll
comsvcs.dll
crtdll.dll
crypt32.dll
cryptnet.dll
D3DRM.DLL
dbghelp.dll
ddraw.dll
DHCPCSVC.DLL
digest.dll
DINPUT.DLL
dplay.dll
dplayx.dll
dsound.dll
dsprop.dll
dsuiext.dll
ftsrch.dll
gpedit.dll
hhctrl.ocx
hlink.dll
iasperf.dll
icm32.dll
ICMP.DLL
icmui.dll
idq.dll
iedkcs32.dll
iissuba.dll
IMAGEHLP.DLL
imm32.dll
inetcpl.cpl
IPHLPAPI.DLL
iprop.dll
KSUSER.DLL
loadperf.dll
lz32.dll
mapi32.dll
mgmtapi.dll
MOBSYNC.DLL
mpg4dmod.dll
mpr.dll
mprapi.dll
mqrt.dll
msacm32.dll
msafd.dll
mscms.dll
mscpxl32.dLL
msgina.dll
MSHTML.DLL
MSI.DLL
msimg32.dll
msorcl32.dll
MSPATCHA.DLL
msrating.dll
mstlsapi.dll
msvbvm50.dll
msvfw32.dll
MSWSOCK.DLL
MTXDM.DLL
MTXOCI.DLL
NDDEAPI.DLL
ndisnpp.dll
netapi32.dll
npptools.dll
ntdsapi.dll
ntdsbcli.dll
ntmsapi.dll
nwprovau.dll
odbc32.dll
ODBCBCP.DLL
odbccp32.dll
ODBCTRAC.DLL
OLEACC.DLL
olecli32.dll
olesvr32.dll
opengl32.dll
password.cpl
pdh.dll
Powrprof.dll
qosname.dll
query.dll
rasapi32.dll
raschap.dll
rasdlg.dll
rasman.dll
rassapi.dll
rastls.dll
resutils.dll
RICHED20.DLL
rpcns4.dll
rpcrt4.dll
RSRC32.dll
rtm.dll
rtutils.dll
scarddlg.dll
secur32.dll
SENSAPI.DLL
setupapi.dll
SFC.DLL
shdocvw.dll
shell32.dll
shlwapi.dll
snmpapi.dll
softpub.dll
spoolss.dll
SVRAPI.DLL
tapi32.dll
TLBINF32.dll
traffic.dll
url.dll
URLMON.DLL
userenv.dll
USP10.DLL
uxtheme.dll
VB5STKIT.DLL
vba6.dll
VDMDBG.DLL
version.dll
winfax.dll
wininet.dll
winscard.dll
winspool.dll
winspool.drv
wintrust.dll
wldap32.dll
WOW32.DLL
wsnmp32.dll
wtsapi32.dll
xolehlp.dll
cmd.exe /c del
ActivateKeyboardLayout
ArrangeIconicWindows
CallMsgFilter
CallMsgFilterA
CallMsgFilterW
CascadeChildWindows
CascadeWindows
CliImmSetHotKey
CreateDialogIndirectParamA
CreateDialogIndirectParamAorW
CreateDialogIndirectParamW
CreateWindowStationW
DisableProcessWindowsGhosting
DisplayExitWindowsWarnings
EnumChildWindows
EnumDesktopWindows
EnumThreadWindows
EnumWindowStationsA
EnumWindowStationsW
ExitWindowsEx
GetAsyncKeyState
GetKeyNameTextA
GetKeyNameTextW
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
GetKeyboardState
GetKeyboardType
GetProcessWindowStation
LoadKeyboardLayoutA
LoadKeyboardLayoutEx
LoadKeyboardLayoutW
LockWindowStation
MapVirtualKeyA
MapVirtualKeyExA
MapVirtualKeyExW
MapVirtualKeyW
MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx
OemKeyScan
OpenWindowStationA
OpenWindowStationW
RegisterErrorReportingDialog
RegisterHotKey
RegisterSessionPort
SetKeyboardState
SetProcessWindowStation
SetWindowStationUser
SetWindowsHookA
SetWindowsHookExA
SetWindowsHookExW
SetWindowsHookW
SfmDxReportPendingBindingsToDwm
TileChildWindows
TileWindows
UnhookWindowsHook
UnhookWindowsHookEx
UnloadKeyboardLayout
UnlockWindowStation
UnregisterHotKey
UnregisterSessionPort
VkKeyScanA
VkKeyScanExA
VkKeyScanExW
VkKeyScanW
WINNLSGetIMEHotkey
keybd_event
BaseCleanupAppcompatCacheSupport
BaseInitAppcompatCacheSupport
CallNamedPipeA
CallNamedPipeW
CmdBatNotification
ConnectNamedPipe
CreateIoCompletionPort
CreateMutexExA
CreateMutexExW
CreateNamedPipeA
CreateNamedPipeW
CreatePipe
DisconnectNamedPipe
EnumCalendarInfoExEx
EnumDateFormatsExEx
GetCPInfo
GetCPInfoExA
GetCPInfoExW
GetCalendarSupportedDateRange
GetConsoleAliasExesA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleInputExeNameA
GetConsoleInputExeNameW
GetConsoleKeyboardLayoutNameA
GetConsoleKeyboardLayoutNameW
GetConsoleOutputCP
GetLargestConsoleWindowSize
GetNamedPipeAttribute
GetNamedPipeClientComputerNameA
GetNamedPipeClientComputerNameW
GetNamedPipeClientProcessId
GetNamedPipeClientSessionId
GetNamedPipeHandleStateA
GetNamedPipeHandleStateW
GetNamedPipeInfo
GetNamedPipeServerProcessId
GetNamedPipeServerSessionId
GetProcessHandleCount
GetProcessHeaps
GetProcessShutdownParameters
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryW
InitOnceExecuteOnce
NeedCurrentDirectoryForExePathA
NeedCurrentDirectoryForExePathW
PeekNamedPipe
RegCloseKey
RegCreateKeyExA
RegCreateKeyExW
RegDeleteKeyExA
RegDeleteKeyExW
RegEnumKeyExA
RegEnumKeyExW
RegFlushKey
RegGetKeySecurity
RegLoadKeyA
RegLoadKeyW
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExW
RegQueryInfoKeyA
RegQueryInfoKeyW
RegRestoreKeyA
RegRestoreKeyW
RegSaveKeyExA
RegSaveKeyExW
RegSetKeySecurity
RegUnLoadKeyA
RegUnLoadKeyW
RegisterWowExec
SetConsoleInputExeNameA
SetConsoleInputExeNameW
SetConsoleKeyShortcuts
SetConsoleMaximumWindowSize
SetConsoleOutputCP
SetNamedPipeAttribute
SetNamedPipeHandleState
SetProcessShutdownParameters
SetThreadExecutionState
TransactNamedPipe
VDMConsoleOperation
VDMOperationStarted
WaitNamedPipeA
WaitNamedPipeW
WinExec
EtwpGetCpuSpeed
EvtIntReportAuthzEventAndSourceAsync
EvtIntReportEventAndSourceAsync
LdrOpenImageFileOptionsKey
LdrQueryImageFileExecutionOptions
LdrQueryImageFileExecutionOptionsEx
LdrQueryImageFileKeyOption
NtAcceptConnectPort
NtAlpcAcceptConnectPort
NtAlpcConnectPort
NtAlpcCreatePort
NtAlpcCreatePortSection
NtAlpcDeletePortSection
NtAlpcDisconnectPort
NtAlpcImpersonateClientOfPort
NtAlpcSendWaitReceivePort
NtCompactKeys
NtCompleteConnectPort
NtCompressKey
NtConnectPort
NtCreateKey
NtCreateKeyTransacted
NtCreateKeyedEvent
NtCreateNamedPipeFile
NtCreatePort
NtCreateWaitablePort
NtDelayExecution
NtDeleteKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateValueKey
NtFlushKey
NtImpersonateClientOfPort
NtListenPort
NtLoadKey
NtLoadKey2
NtLoadKeyEx
NtLockProductActivationKeys
NtLockRegistryKey
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtOpenKey
NtOpenKeyEx
NtOpenKeyTransacted
NtOpenKeyTransactedEx
NtOpenKeyedEvent
NtQueryInformationPort
NtQueryKey
NtQueryMultipleValueKey
NtQueryOpenSubKeys
NtQueryOpenSubKeysEx
NtQueryPortInformationProcess
NtQueryValueKey
NtRegisterThreadTerminatePort
NtReleaseKeyedEvent
NtRenameKey
NtReplaceKey
NtReplyPort
NtReplyWaitReceivePort
NtReplyWaitReceivePortEx
NtReplyWaitReplyPort
NtRequestPort
NtRequestWaitReplyPort
NtRestoreKey
NtSaveKey
NtSaveKeyEx
NtSaveMergedKeys
NtSecureConnectPort
NtSetDefaultHardErrorPort
NtSetInformationKey
NtSetThreadExecutionState
NtSetValueKey
NtUnloadKey
NtUnloadKey2
NtUnloadKeyEx
NtWaitForKeyedEvent
RtlCheckRegistryKey
RtlCmDecodeMemIoResource
RtlComputeImportTableHash
RtlCreateRegistryKey
RtlEnumProcessHeaps
RtlExecuteUmsThread
RtlFormatCurrentUserKeyPath
RtlGetProcessHeaps
RtlIsCurrentThreadAttachExempt
RtlQueryProcessHeapInformation
RtlReportException
RtlReportSilentProcessExit
RtlReportSqmEscalation
RtlRunOnceExecuteOnce
RtlSendMsgToSm
RtlValidateProcessHeaps
RtlWerpReportException
RtlpCleanupRegistryKeys
RtlpExecuteUmsThread
RtlpNtCreateKey
RtlpNtEnumerateSubKey
RtlpNtMakeTemporaryKey
RtlpNtOpenKey
RtlpNtQueryValueKey
RtlpNtSetValueKey
RtlpUmsExecuteYieldThreadEnd
SbExecuteProcedure
ShipAssert
ShipAssertGetBufferInfo
ShipAssertMsgA
ShipAssertMsgW
TpCancelAsyncIoOperation
TpStartAsyncIoOperation
WerReportSQMEvent
ZwAcceptConnectPort
ZwAlpcAcceptConnectPort
ZwAlpcConnectPort
ZwAlpcCreatePort
ZwAlpcCreatePortSection
ZwAlpcDeletePortSection
ZwAlpcDisconnectPort
ZwAlpcImpersonateClientOfPort
ZwAlpcSendWaitReceivePort
ZwCompactKeys
ZwCompleteConnectPort
ZwCompressKey
ZwConnectPort
ZwCreateKey
ZwCreateKeyTransacted
ZwCreateKeyedEvent
ZwCreateNamedPipeFile
ZwCreatePort
ZwCreateWaitablePort
ZwDelayExecution
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwFlushKey
ZwImpersonateClientOfPort
ZwListenPort
ZwLoadKey
ZwLoadKey2
ZwLoadKeyEx
ZwLockProductActivationKeys
ZwLockRegistryKey
ZwNotifyChangeKey
ZwNotifyChangeMultipleKeys
ZwOpenKey
ZwOpenKeyEx
ZwOpenKeyTransacted
ZwOpenKeyTransactedEx
ZwOpenKeyedEvent
ZwQueryInformationPort
ZwQueryKey
ZwQueryMultipleValueKey
ZwQueryOpenSubKeys
ZwQueryOpenSubKeysEx
ZwQueryPortInformationProcess
ZwQueryValueKey
ZwRegisterThreadTerminatePort
ZwReleaseKeyedEvent
ZwRenameKey
ZwReplaceKey
ZwReplyPort
ZwReplyWaitReceivePort
ZwReplyWaitReceivePortEx
ZwReplyWaitReplyPort
ZwRequestPort
ZwRequestWaitReplyPort
ZwRestoreKey
ZwSaveKey
ZwSaveKeyEx
ZwSaveMergedKeys
ZwSecureConnectPort
ZwSetDefaultHardErrorPort
ZwSetInformationKey
ZwSetThreadExecutionState
ZwSetValueKey
ZwUnloadKey
ZwUnloadKey2
ZwUnloadKeyEx
ZwWaitForKeyedEvent
ZwYieldExecution
D3DKMTAcquireKeyedMutex
D3DKMTCreateKeyedMutex
D3DKMTDestroyKeyedMutex
D3DKMTOpenKeyedMutex
D3DKMTReleaseKeyedMutex
DDCCIGetTimingReport
GetCertificate
GetCertificateSize
GetViewportExtEx
GetViewportOrgEx
OffsetViewportOrgEx
ScaleViewportExtEx
SetOPMSigningKeyAndSequenceNumbers
SetViewportExtEx
SetViewportOrgEx
UpdateICMRegKeyA
UpdateICMRegKeyW
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
CryptExportKey
CryptGenKey
CryptGetKeyParam
CryptGetUserKey
CryptHashSessionKey
CryptImportKey
CryptSetKeyParam
ElfReportEventA
ElfReportEventAndSourceW
ElfReportEventW
EncryptedFileKeyInfo
FreeEncryptedFileKeyInfo
FreeEncryptionCertificateHashList
GetEventLogInformation
GetMultipleTrusteeOperationA
GetMultipleTrusteeOperationW
GetServiceKeyNameA
GetServiceKeyNameW
GetWindowsAccountDomainSid
ImpersonateNamedPipeClient
LogonUserExExW
MSChapSrvChangePassword
MSChapSrvChangePassword2
RegCreateKeyA
RegCreateKeyTransactedA
RegCreateKeyTransactedW
RegCreateKeyW
RegDeleteKeyA
RegDeleteKeyTransactedA
RegDeleteKeyTransactedW
RegDeleteKeyValueA
RegDeleteKeyValueW
RegDeleteKeyW
RegDisableReflectionKey
RegEnableReflectionKey
RegEnumKeyA
RegEnumKeyW
RegLoadAppKeyA
RegLoadAppKeyW
RegOpenKeyA
RegOpenKeyTransactedA
RegOpenKeyTransactedW
RegOpenKeyW
RegOverridePredefKey
RegQueryReflectionKey
RegRenameKey
RegReplaceKeyA
RegReplaceKeyW
RegSaveKeyA
RegSaveKeyW
RegSetKeyValueA
RegSetKeyValueW
ReportEventA
ReportEventW
SaferiIsExecutableFileType
SetUserFileEncryptionKey
SetUserFileEncryptionKeyEx
WmiExecuteMethodA
WmiExecuteMethodW
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
http://www.baidu.com
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
SVCHOST06.EXE
C.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\DNF
0606A.exe
%xbN4
JfRp%X
t.Ht2Ht6Ht:Ht>
F&{00000000-0000-0000-C000-000000000046}
3This binary has no widestrings support compiled in.
6This binary has no unicodestrings support compiled in.
ENoThreadSupport
ENoWideStringSupport
=?&{7B108C52-1D8F-4CDB-9CDF-57E071193D3F}$TMultiReadExclusiveWriteSynchronizer
ENoThreadSupportt
&{3FEEC8E1-E400-4A24-BCAC-1F01476439B1}
.Owner
1.2.5
sysconst.sabstracterror
sysconst.saccessdenied
sysconst.saccessviolation
Missing argument in format "%s"
sysconst.sargumentmissing
%s (%s, line %d)
sysconst.sasserterror
sysconst.sassertionfailed
sysconst.sbuserror
sysconst.scontrolc
sysconst.sdiskfull
sysconst.sdispatcherror
sysconst.sdivbyzero
sysconst.sendoffile
External exception %x
sysconst.sexternalexception
sysconst.sfilenotassigned
sysconst.sfilenotfound
sysconst.sfilenotopen
sysconst.sfilenotopenforinput
sysconst.sfilenotopenforoutput
sysconst.sinvalidfilename
sysconst.sintoverflow
Interface not supported
sysconst.sintfcasterror
Invalid argument index in format "%s"
sysconst.sinvalidargindex
sysconst.sinvalidcast
sysconst.sinvaliddrive
sysconst.sinvalidfilehandle
Invalid format specifier : "%s"
sysconst.sinvalidformat
sysconst.sinvalidinput
Invalid floating point operation
sysconst.sinvalidop
Invalid pointer operation
sysconst.sinvalidpointer
sysconst.sinvalidvarcast
Invalid variant operation
sysconst.sinvalidvarop
Threads not supported. Recompile program with thread driver.
sysconst.snothreadsupport
sysconst.smissingwstringmanager
sysconst.ssigquit
System error, (OS Code %d):
sysconst.soserror
sysconst.soutofmemory
sysconst.soverflow
sysconst.sprivilege
sysconst.srangeerror
sysconst.ssafecallexception
sysconst.siconverror
sysconst.stoomanyopenfiles
sysconst.sunknownruntimeerror
sysconst.sunderflow
An operating system call failed.
sysconst.sunkoserror
sysconst.svararraybounds
sysconst.svararraycreate
sysconst.svarnotarray
Ancestor class for "%s" not found.
rtlconsts.sancestornotfound
Cannot assign a %s to a %s.
rtlconsts.sassignerror
Class "%s" not found
rtlconsts.sclassnotfound
Duplicate name: A component named "%s" already exists
rtlconsts.sduplicatename
rtlconsts.sduplicatestring
rtlconsts.semptystreamillegalreader
rtlconsts.semptystreamillegalwriter
No variant support for properties. Please use the variants unit in your project and recompile
rtlconsts.serrnovariantsupport
Unable to create file "%s"
rtlconsts.sfcreateerror
Unable to open file "%s"
rtlconsts.sfopenerror
rtlconsts.sinvalidimage
"%s" is not a valid component name
rtlconsts.sinvalidname
rtlconsts.sinvalidpropertypath
rtlconsts.sinvalidpropertyvalue
List capacity (%d) exceeded.
rtlconsts.slistcapacityerror
List count (%d) out of bounds.
rtlconsts.slistcounterror
List index (%d) out of bounds
rtlconsts.slistindexerror
rtlconsts.smemorystreamerror
Error reading %s%s%s: %s
rtlconsts.spropertyexception
rtlconsts.sreaderror
rtlconsts.sreadonlyproperty
Resource "%s" not found
rtlconsts.sresnotfound
%s.Seek not implemented
rtlconsts.sseeknotimplemented
Operation not allowed on sorted list
rtlconsts.ssortedlisterror
Reading from %s is not supported
rtlconsts.sstreamnoreading
Writing to %s is not supported
rtlconsts.sstreamnowriting
Unknown property: "%s"
rtlconsts.sunknownproperty
Unknown property type %d
rtlconsts.sunknownpropertytype
Unsupported property variant type %d
rtlconsts.sunsupportedpropertyvarianttype
rtlconsts.swriteerror
inflate 1.2.5 Copyright 1995-2010 Mark Adler
ShellExecuteW
ay7|
.CN:?
b..cHp
%S ^ip
^V .Hy
F{.VFG
UZ.IQ
'.gOd^
P.Cl]
S%s(1P
b
j
k5XO.JQ
XGm.fV
'.ARV/
|.LSK;
Y.er7e$
JI.SU
(uRLw
R#.Oy\
.NT%w
XÛCE
Xf.dJ
HV.Lq?
f4S%X
.nb6Df
*<=%sMD>
GLWaL%F
tb)*.rh
fQo.vq
%u5[ir
v.ygt2f
4T==H,%x
zK.ax\
%8u#k
^RA[-:N%d:
N]ø
%.mPG
A`.cK-
IXMY%.F
.cZ 4
w$.Ne|
I/dz%C
]722=3>`5,
@h.Ze
s\.qYS
k:\V;
[W.oj
x.pq53_N
z.Wd1*
)[1%cu:Mm1
#I.ra
d:\8@
P.VLe
k<.zV
0?h%S
.yGY??
]5.GDA
cVßu
.Xj#,
0.wMK
, q.Po
No|%C
2:e(.ij
u!.HV
.EN &
O.slg7`
;Y%u^T
Q\K%u%
0:hAazH%C
H.pAl
V4%3U
X#.lm
%Fuj,
'oo39.nY
[vB%s
X5/.ca
}w%ci
^gGTÍV.]}
qPZ%S
\0%Cs
.yM^7
-:.UWzy"
$.YB-%
i.YRL
.sC'7i=
"Ud%X
~.mE 
X.jK]un
=nk%C
.Oy-^
O 8%F
%R.qFi
Y.ZBT
D.RMQ
.jb9._V
=^d%u
ghR%CSld
%$%Sc
.VW1[
.SVtl
P.hW!
hs.nP
_dc.Om
v%S_G
/m|%f
.lq$;
%s&?W
tcmDK
gz.yZ 
A;.kz
c=%x/O
%C; P
.Uqro
P"P%%c
LUj.BD
>4\.EQ|
u%DSeu
&{.XRn
o%U(!
J<%UEwb
-7SVH}L
:_.ZN
%dN{S
X/-K}
#%f`%
YK.OYr'
.UhM'
-:.Fe
l#%cxk$,
~D,%u7
.ovQ@
LUrl
.jaB?
%Ck]V
_26.Gr
'Dv.FK
TE%CU1.
%XnG]
N.R%.d?
x.WD;*
( .qQ
#SU.EX
&%U(fD
-n}}a7
;`D~.fW
MEXe
uRC%x
|.Rufu1
.iyC;
c%f)GY
.OZ
%.DC_
B%7sH
.cF9|
El.Mk
!<.kQC
%x(gM
W=R%3U
&K.HN@
"4.BY r
R.MW0
X.Fo/L
R|.hX
<'<.OAm\
OyÝX
USER32.DLL
|GDI32.dll
WINSPOOL.DRV
OLEAUT32.DLL
uKERNEL32.DLL
d~RASAPI32.dll
SHELL32.DLL
WININET.DLL
z*WS2_32.dll
ADVAPI32.dll
WYCOMDLG32.DLL
HttpQueryInfoA
HttpOpenRequestA
HttpSendRequestA
InternetCrackUrlA
InternetOpenUrlA
#include "l.chs\afxres.rc" // Standard components
1.12.52.41
123456789
(*.*)
1.2.0.0

DNFµ¶¿Í0606A.exe_344_rwx_00401000_0050E000:


t$(SSh
~%UVW
u$SShe
psapi.dll
comdlg32.dll
advapi32.dll
kernel32.dll
user32.dll
ntdll.dll
Kernel32.dll
EnumWindows
CreateWindowStationA
CloseWindowStation
NtYieldExecution
GetProcessHeap
{A068799B-7551-46b9-8CA8-EEF8357AFEA4}
csrss.exe
20140126
http://user.qzone.qq.com/453198928/blog/1344939460
klekle.cccpan.com
vmp.exe
.idata
.rdata
P.rsrc
@.reloc
oleaut32.dll
'Z6Sv.Qo#=_DNc]H<^E;]D:\C9XB7WA6V@5T>3Q=2P<1N:/N;/TA5bP?
ugJ_O8L8,G4)D1)A0'5I](?g2Jt,Lo ;_LQgoTImSGlQEkPEfNBeMAcK?bJ>`H<`H
cP{[email protected]'AeW^p
eUGWh(?c.Jo3Vp
gXGWh 6[.Ip.Pp
qaN[n';b.Jn-Lj#=`\at
vfMZm&<`.Ip(Mk
{kKZn!.[.Io&Ll
~pM^p$2b.Jo/Pk">aO[xxuvwww{~w~
>Rx;Nr7Lw;Uy9Uw4Ss2St4Rs4Qr4Rr4Qq*Bh.Eo:Vw9Su
w.fwEd
<%C^A
E\6-s}$
-cg}k
.rqDKq
2.mC3
GÝg
KeY/_EF
UWG.Ps 4
?T?A.QN
4.o %S
.ZRAF!`
T.EIg
..yW~
r.KoQ
KcP4%U/
%F-J}
J.Ndyp
.uI2Em
q.dzO
.Iür
_X.wc
C|P%Sv
3.zC/
.xsxD
.jYRR
[E%u{
x<.HBR
'N.mI
CK.fP
.MP>(
R.pb>*
P".py
.Yhoj
:.de6qn
Õ0p
]Q.Jw3
.PcqvyeO`
..YGN
.ZF J
.qnHr
d.tD/
hz.tK~
4>A%F
?e%u4
v.pLWS${
}$PLH%X
u)%SSP
".zF/
`q.rb4
St%s8
$r!u.AL
<7%Xr
3.lwK
o.GJ}
.KF12
-4;.lE
yt%cr%
_.Hp,
| J>"%F
].xS3gfG:
.Bu' ]H
.Gigr
u$/.xY
.Mo}_p
.VCK3~
=X%9U
D%X]T
D.qZl
}q.Scc
fg|%s
Gl_
\svchost.vmp.exe
.text
`.rdata
@.data
.rsrc
@.vmp0
`.vmp1
cS%dR
\ B>.vd,
%UY]Q/
%d=|4_
QW .LE
.DmHi
POz.iLc
X.RZ.
^%xx,8
N.RD(
(stf.RWF/o
.Ya_q
y@%fz
.roFD
q*.qP
KV.me
w'IY.kgA
rA.mv
%uXkJE
GDI32.dll
KERNEL32.dll
COMCTL32.dll
oledlg.dll
iJcomdlg32.dll
aKWINSPOOL.DRV
:Urld
.aX`L
bX .lQ
/a.Oy
-F}bV{6:
.BrJ3
anV%S
Jl.leB ,U
.BN!V
! .Fr'
j.mJ #
/U.qE"
WINMM.dll
WS2_32.dll
mWSHELL32.dll
h.FrP`
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
yUSER32.dll
ShellExecuteA
5%%cG
YY.exe
ImProtocol.dll
winmm.dll
ws2_32.dll
WinINet.dll
gdi32.dll
GLU32.DLL
aclui.dll
acsmib.dll
activeds.dll
AcXtrnal.dll
adimage.dll
adptif.dll
ADVAPI32.DLL
advpack.dll
atl.dll
authz.dll
avicap32.dll
avifil32.dll
browseui.dll
CABINET.DLL
clusapi.dll
comctl32.dll
comsvcs.dll
crtdll.dll
crypt32.dll
cryptnet.dll
D3DRM.DLL
dbghelp.dll
ddraw.dll
DHCPCSVC.DLL
digest.dll
DINPUT.DLL
dplay.dll
dplayx.dll
dsound.dll
dsprop.dll
dsuiext.dll
ftsrch.dll
gpedit.dll
hhctrl.ocx
hlink.dll
iasperf.dll
icm32.dll
ICMP.DLL
icmui.dll
idq.dll
iedkcs32.dll
iissuba.dll
IMAGEHLP.DLL
imm32.dll
inetcpl.cpl
IPHLPAPI.DLL
iprop.dll
KSUSER.DLL
loadperf.dll
lz32.dll
mapi32.dll
mgmtapi.dll
MOBSYNC.DLL
mpg4dmod.dll
mpr.dll
mprapi.dll
mqrt.dll
msacm32.dll
msafd.dll
mscms.dll
mscpxl32.dLL
msgina.dll
MSHTML.DLL
MSI.DLL
msimg32.dll
msorcl32.dll
MSPATCHA.DLL
msrating.dll
mstlsapi.dll
msvbvm50.dll
msvfw32.dll
MSWSOCK.DLL
MTXDM.DLL
MTXOCI.DLL
NDDEAPI.DLL
ndisnpp.dll
netapi32.dll
npptools.dll
ntdsapi.dll
ntdsbcli.dll
ntmsapi.dll
nwprovau.dll
odbc32.dll
ODBCBCP.DLL
odbccp32.dll
ODBCTRAC.DLL
OLEACC.DLL
olecli32.dll
olesvr32.dll
opengl32.dll
password.cpl
pdh.dll
Powrprof.dll
qosname.dll
query.dll
rasapi32.dll
raschap.dll
rasdlg.dll
rasman.dll
rassapi.dll
rastls.dll
resutils.dll
RICHED20.DLL
rpcns4.dll
rpcrt4.dll
RSRC32.dll
rtm.dll
rtutils.dll
scarddlg.dll
secur32.dll
SENSAPI.DLL
setupapi.dll
SFC.DLL
shdocvw.dll
shell32.dll
shlwapi.dll
snmpapi.dll
softpub.dll
spoolss.dll
SVRAPI.DLL
tapi32.dll
TLBINF32.dll
traffic.dll
url.dll
URLMON.DLL
userenv.dll
USP10.DLL
uxtheme.dll
VB5STKIT.DLL
vba6.dll
VDMDBG.DLL
version.dll
winfax.dll
wininet.dll
winscard.dll
winspool.dll
winspool.drv
wintrust.dll
wldap32.dll
WOW32.DLL
wsnmp32.dll
wtsapi32.dll
xolehlp.dll
cmd.exe /c del
ActivateKeyboardLayout
ArrangeIconicWindows
CallMsgFilter
CallMsgFilterA
CallMsgFilterW
CascadeChildWindows
CascadeWindows
CliImmSetHotKey
CreateDialogIndirectParamA
CreateDialogIndirectParamAorW
CreateDialogIndirectParamW
CreateWindowStationW
DisableProcessWindowsGhosting
DisplayExitWindowsWarnings
EnumChildWindows
EnumDesktopWindows
EnumThreadWindows
EnumWindowStationsA
EnumWindowStationsW
ExitWindowsEx
GetAsyncKeyState
GetKeyNameTextA
GetKeyNameTextW
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
GetKeyboardState
GetKeyboardType
GetProcessWindowStation
LoadKeyboardLayoutA
LoadKeyboardLayoutEx
LoadKeyboardLayoutW
LockWindowStation
MapVirtualKeyA
MapVirtualKeyExA
MapVirtualKeyExW
MapVirtualKeyW
MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx
OemKeyScan
OpenWindowStationA
OpenWindowStationW
RegisterErrorReportingDialog
RegisterHotKey
RegisterSessionPort
SetKeyboardState
SetProcessWindowStation
SetWindowStationUser
SetWindowsHookA
SetWindowsHookExA
SetWindowsHookExW
SetWindowsHookW
SfmDxReportPendingBindingsToDwm
TileChildWindows
TileWindows
UnhookWindowsHook
UnhookWindowsHookEx
UnloadKeyboardLayout
UnlockWindowStation
UnregisterHotKey
UnregisterSessionPort
VkKeyScanA
VkKeyScanExA
VkKeyScanExW
VkKeyScanW
WINNLSGetIMEHotkey
keybd_event
BaseCleanupAppcompatCacheSupport
BaseInitAppcompatCacheSupport
CallNamedPipeA
CallNamedPipeW
CmdBatNotification
ConnectNamedPipe
CreateIoCompletionPort
CreateMutexExA
CreateMutexExW
CreateNamedPipeA
CreateNamedPipeW
CreatePipe
DisconnectNamedPipe
EnumCalendarInfoExEx
EnumDateFormatsExEx
GetCPInfo
GetCPInfoExA
GetCPInfoExW
GetCalendarSupportedDateRange
GetConsoleAliasExesA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleInputExeNameA
GetConsoleInputExeNameW
GetConsoleKeyboardLayoutNameA
GetConsoleKeyboardLayoutNameW
GetConsoleOutputCP
GetLargestConsoleWindowSize
GetNamedPipeAttribute
GetNamedPipeClientComputerNameA
GetNamedPipeClientComputerNameW
GetNamedPipeClientProcessId
GetNamedPipeClientSessionId
GetNamedPipeHandleStateA
GetNamedPipeHandleStateW
GetNamedPipeInfo
GetNamedPipeServerProcessId
GetNamedPipeServerSessionId
GetProcessHandleCount
GetProcessHeaps
GetProcessShutdownParameters
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryW
InitOnceExecuteOnce
NeedCurrentDirectoryForExePathA
NeedCurrentDirectoryForExePathW
PeekNamedPipe
RegCloseKey
RegCreateKeyExA
RegCreateKeyExW
RegDeleteKeyExA
RegDeleteKeyExW
RegEnumKeyExA
RegEnumKeyExW
RegFlushKey
RegGetKeySecurity
RegLoadKeyA
RegLoadKeyW
RegNotifyChangeKeyValue
RegOpenKeyExA
RegOpenKeyExW
RegQueryInfoKeyA
RegQueryInfoKeyW
RegRestoreKeyA
RegRestoreKeyW
RegSaveKeyExA
RegSaveKeyExW
RegSetKeySecurity
RegUnLoadKeyA
RegUnLoadKeyW
RegisterWowExec
SetConsoleInputExeNameA
SetConsoleInputExeNameW
SetConsoleKeyShortcuts
SetConsoleMaximumWindowSize
SetConsoleOutputCP
SetNamedPipeAttribute
SetNamedPipeHandleState
SetProcessShutdownParameters
SetThreadExecutionState
TransactNamedPipe
VDMConsoleOperation
VDMOperationStarted
WaitNamedPipeA
WaitNamedPipeW
WinExec
EtwpGetCpuSpeed
EvtIntReportAuthzEventAndSourceAsync
EvtIntReportEventAndSourceAsync
LdrOpenImageFileOptionsKey
LdrQueryImageFileExecutionOptions
LdrQueryImageFileExecutionOptionsEx
LdrQueryImageFileKeyOption
NtAcceptConnectPort
NtAlpcAcceptConnectPort
NtAlpcConnectPort
NtAlpcCreatePort
NtAlpcCreatePortSection
NtAlpcDeletePortSection
NtAlpcDisconnectPort
NtAlpcImpersonateClientOfPort
NtAlpcSendWaitReceivePort
NtCompactKeys
NtCompleteConnectPort
NtCompressKey
NtConnectPort
NtCreateKey
NtCreateKeyTransacted
NtCreateKeyedEvent
NtCreateNamedPipeFile
NtCreatePort
NtCreateWaitablePort
NtDelayExecution
NtDeleteKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateValueKey
NtFlushKey
NtImpersonateClientOfPort
NtListenPort
NtLoadKey
NtLoadKey2
NtLoadKeyEx
NtLockProductActivationKeys
NtLockRegistryKey
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtOpenKey
NtOpenKeyEx
NtOpenKeyTransacted
NtOpenKeyTransactedEx
NtOpenKeyedEvent
NtQueryInformationPort
NtQueryKey
NtQueryMultipleValueKey
NtQueryOpenSubKeys
NtQueryOpenSubKeysEx
NtQueryPortInformationProcess
NtQueryValueKey
NtRegisterThreadTerminatePort
NtReleaseKeyedEvent
NtRenameKey
NtReplaceKey
NtReplyPort
NtReplyWaitReceivePort
NtReplyWaitReceivePortEx
NtReplyWaitReplyPort
NtRequestPort
NtRequestWaitReplyPort
NtRestoreKey
NtSaveKey
NtSaveKeyEx
NtSaveMergedKeys
NtSecureConnectPort
NtSetDefaultHardErrorPort
NtSetInformationKey
NtSetThreadExecutionState
NtSetValueKey
NtUnloadKey
NtUnloadKey2
NtUnloadKeyEx
NtWaitForKeyedEvent
RtlCheckRegistryKey
RtlCmDecodeMemIoResource
RtlComputeImportTableHash
RtlCreateRegistryKey
RtlEnumProcessHeaps
RtlExecuteUmsThread
RtlFormatCurrentUserKeyPath
RtlGetProcessHeaps
RtlIsCurrentThreadAttachExempt
RtlQueryProcessHeapInformation
RtlReportException
RtlReportSilentProcessExit
RtlReportSqmEscalation
RtlRunOnceExecuteOnce
RtlSendMsgToSm
RtlValidateProcessHeaps
RtlWerpReportException
RtlpCleanupRegistryKeys
RtlpExecuteUmsThread
RtlpNtCreateKey
RtlpNtEnumerateSubKey
RtlpNtMakeTemporaryKey
RtlpNtOpenKey
RtlpNtQueryValueKey
RtlpNtSetValueKey
RtlpUmsExecuteYieldThreadEnd
SbExecuteProcedure
ShipAssert
ShipAssertGetBufferInfo
ShipAssertMsgA
ShipAssertMsgW
TpCancelAsyncIoOperation
TpStartAsyncIoOperation
WerReportSQMEvent
ZwAcceptConnectPort
ZwAlpcAcceptConnectPort
ZwAlpcConnectPort
ZwAlpcCreatePort
ZwAlpcCreatePortSection
ZwAlpcDeletePortSection
ZwAlpcDisconnectPort
ZwAlpcImpersonateClientOfPort
ZwAlpcSendWaitReceivePort
ZwCompactKeys
ZwCompleteConnectPort
ZwCompressKey
ZwConnectPort
ZwCreateKey
ZwCreateKeyTransacted
ZwCreateKeyedEvent
ZwCreateNamedPipeFile
ZwCreatePort
ZwCreateWaitablePort
ZwDelayExecution
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwFlushKey
ZwImpersonateClientOfPort
ZwListenPort
ZwLoadKey
ZwLoadKey2
ZwLoadKeyEx
ZwLockProductActivationKeys
ZwLockRegistryKey
ZwNotifyChangeKey
ZwNotifyChangeMultipleKeys
ZwOpenKey
ZwOpenKeyEx
ZwOpenKeyTransacted
ZwOpenKeyTransactedEx
ZwOpenKeyedEvent
ZwQueryInformationPort
ZwQueryKey
ZwQueryMultipleValueKey
ZwQueryOpenSubKeys
ZwQueryOpenSubKeysEx
ZwQueryPortInformationProcess
ZwQueryValueKey
ZwRegisterThreadTerminatePort
ZwReleaseKeyedEvent
ZwRenameKey
ZwReplaceKey
ZwReplyPort
ZwReplyWaitReceivePort
ZwReplyWaitReceivePortEx
ZwReplyWaitReplyPort
ZwRequestPort
ZwRequestWaitReplyPort
ZwRestoreKey
ZwSaveKey
ZwSaveKeyEx
ZwSaveMergedKeys
ZwSecureConnectPort
ZwSetDefaultHardErrorPort
ZwSetInformationKey
ZwSetThreadExecutionState
ZwSetValueKey
ZwUnloadKey
ZwUnloadKey2
ZwUnloadKeyEx
ZwWaitForKeyedEvent
ZwYieldExecution
D3DKMTAcquireKeyedMutex
D3DKMTCreateKeyedMutex
D3DKMTDestroyKeyedMutex
D3DKMTOpenKeyedMutex
D3DKMTReleaseKeyedMutex
DDCCIGetTimingReport
GetCertificate
GetCertificateSize
GetViewportExtEx
GetViewportOrgEx
OffsetViewportOrgEx
ScaleViewportExtEx
SetOPMSigningKeyAndSequenceNumbers
SetViewportExtEx
SetViewportOrgEx
UpdateICMRegKeyA
UpdateICMRegKeyW
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
CryptExportKey
CryptGenKey
CryptGetKeyParam
CryptGetUserKey
CryptHashSessionKey
CryptImportKey
CryptSetKeyParam
ElfReportEventA
ElfReportEventAndSourceW
ElfReportEventW
EncryptedFileKeyInfo
FreeEncryptedFileKeyInfo
FreeEncryptionCertificateHashList
GetEventLogInformation
GetMultipleTrusteeOperationA
GetMultipleTrusteeOperationW
GetServiceKeyNameA
GetServiceKeyNameW
GetWindowsAccountDomainSid
ImpersonateNamedPipeClient
LogonUserExExW
MSChapSrvChangePassword
MSChapSrvChangePassword2
RegCreateKeyA
RegCreateKeyTransactedA
RegCreateKeyTransactedW
RegCreateKeyW
RegDeleteKeyA
RegDeleteKeyTransactedA
RegDeleteKeyTransactedW
RegDeleteKeyValueA
RegDeleteKeyValueW
RegDeleteKeyW
RegDisableReflectionKey
RegEnableReflectionKey
RegEnumKeyA
RegEnumKeyW
RegLoadAppKeyA
RegLoadAppKeyW
RegOpenKeyA
RegOpenKeyTransactedA
RegOpenKeyTransactedW
RegOpenKeyW
RegOverridePredefKey
RegQueryReflectionKey
RegRenameKey
RegReplaceKeyA
RegReplaceKeyW
RegSaveKeyA
RegSaveKeyW
RegSetKeyValueA
RegSetKeyValueW
ReportEventA
ReportEventW
SaferiIsExecutableFileType
SetUserFileEncryptionKey
SetUserFileEncryptionKeyEx
WmiExecuteMethodA
WmiExecuteMethodW
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
http://www.baidu.com
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
SVCHOST06.EXE
C.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\DNF
0606A.exe
%xbN4
JfRp%X
t.Ht2Ht6Ht:Ht>
F&{00000000-0000-0000-C000-000000000046}
3This binary has no widestrings support compiled in.
6This binary has no unicodestrings support compiled in.
ENoThreadSupport
ENoWideStringSupport
=?&{7B108C52-1D8F-4CDB-9CDF-57E071193D3F}$TMultiReadExclusiveWriteSynchronizer
ENoThreadSupportt
&{3FEEC8E1-E400-4A24-BCAC-1F01476439B1}
.Owner
1.2.5
sysconst.sabstracterror
sysconst.saccessdenied
sysconst.saccessviolation
Missing argument in format "%s"
sysconst.sargumentmissing
%s (%s, line %d)
sysconst.sasserterror
sysconst.sassertionfailed
sysconst.sbuserror
sysconst.scontrolc
sysconst.sdiskfull
sysconst.sdispatcherror
sysconst.sdivbyzero
sysconst.sendoffile
External exception %x
sysconst.sexternalexception
sysconst.sfilenotassigned
sysconst.sfilenotfound
sysconst.sfilenotopen
sysconst.sfilenotopenforinput
sysconst.sfilenotopenforoutput
sysconst.sinvalidfilename
sysconst.sintoverflow
Interface not supported
sysconst.sintfcasterror
Invalid argument index in format "%s"
sysconst.sinvalidargindex
sysconst.sinvalidcast
sysconst.sinvaliddrive
sysconst.sinvalidfilehandle
Invalid format specifier : "%s"
sysconst.sinvalidformat
sysconst.sinvalidinput
Invalid floating point operation
sysconst.sinvalidop
Invalid pointer operation
sysconst.sinvalidpointer
sysconst.sinvalidvarcast
Invalid variant operation
sysconst.sinvalidvarop
Threads not supported. Recompile program with thread driver.
sysconst.snothreadsupport
sysconst.smissingwstringmanager
sysconst.ssigquit
System error, (OS Code %d):
sysconst.soserror
sysconst.soutofmemory
sysconst.soverflow
sysconst.sprivilege
sysconst.srangeerror
sysconst.ssafecallexception
sysconst.siconverror
sysconst.stoomanyopenfiles
sysconst.sunknownruntimeerror
sysconst.sunderflow
An operating system call failed.
sysconst.sunkoserror
sysconst.svararraybounds
sysconst.svararraycreate
sysconst.svarnotarray
Ancestor class for "%s" not found.
rtlconsts.sancestornotfound
Cannot assign a %s to a %s.
rtlconsts.sassignerror
Class "%s" not found
rtlconsts.sclassnotfound
Duplicate name: A component named "%s" already exists
rtlconsts.sduplicatename
rtlconsts.sduplicatestring
rtlconsts.semptystreamillegalreader
rtlconsts.semptystreamillegalwriter
No variant support for properties. Please use the variants unit in your project and recompile
rtlconsts.serrnovariantsupport
Unable to create file "%s"
rtlconsts.sfcreateerror
Unable to open file "%s"
rtlconsts.sfopenerror
rtlconsts.sinvalidimage
"%s" is not a valid component name
rtlconsts.sinvalidname
rtlconsts.sinvalidpropertypath
rtlconsts.sinvalidpropertyvalue
List capacity (%d) exceeded.
rtlconsts.slistcapacityerror
List count (%d) out of bounds.
rtlconsts.slistcounterror
List index (%d) out of bounds
rtlconsts.slistindexerror
rtlconsts.smemorystreamerror
Error reading %s%s%s: %s
rtlconsts.spropertyexception
rtlconsts.sreaderror
rtlconsts.sreadonlyproperty
Resource "%s" not found
rtlconsts.sresnotfound
%s.Seek not implemented
rtlconsts.sseeknotimplemented
Operation not allowed on sorted list
rtlconsts.ssortedlisterror
Reading from %s is not supported
rtlconsts.sstreamnoreading
Writing to %s is not supported
rtlconsts.sstreamnowriting
Unknown property: "%s"
rtlconsts.sunknownproperty
Unknown property type %d
rtlconsts.sunknownpropertytype
Unsupported property variant type %d
rtlconsts.sunsupportedpropertyvarianttype
rtlconsts.swriteerror
inflate 1.2.5 Copyright 1995-2010 Mark Adler
ShellExecuteW
ay7|
.CN:?
b..cHp
%S ^ip
^V .Hy
F{.VFG
UZ.IQ
'.gOd^
P.Cl]
S%s(1P
b
j
k5XO.JQ
XGm.fV
'.ARV/
|.LSK;
Y.er7e$
JI.SU
(uRLw
R#.Oy\
.NT%w
XÛCE
Xf.dJ
HV.Lq?
f4S%X
.nb6Df
*<=%sMD>
GLWaL%F
tb)*.rh
fQo.vq
%u5[ir
v.ygt2f
4T==H,%x
zK.ax\
%8u#k
^RA[-:N%d:
N]ø
%.mPG
A`.cK-
IXMY%.F
.cZ 4
w$.Ne|
I/dz%C
]722=3>`5,
@h.Ze
s\.qYS
k:\V;
[W.oj
x.pq53_N
z.Wd1*
)[1%cu:Mm1
#I.ra
d:\8@
P.VLe
k<.zV
0?h%S
.yGY??
]5.GDA
cVßu
.Xj#,
0.wMK
, q.Po
No|%C
2:e(.ij
u!.HV
.EN &
O.slg7`
;Y%u^T
Q\K%u%
0:hAazH%C
H.pAl
V4%3U
X#.lm
%Fuj,
'oo39.nY
[vB%s
X5/.ca
}w%ci
^gGTÍV.]}
qPZ%S
\0%Cs
.yM^7
-:.UWzy"
$.YB-%
i.YRL
.sC'7i=
"Ud%X
~.mE 
X.jK]un
=nk%C
.Oy-^
O 8%F
%R.qFi
Y.ZBT
D.RMQ
.jb9._V
=^d%u
ghR%CSld
%$%Sc
.VW1[
.SVtl
P.hW!
hs.nP
_dc.Om
v%S_G
/m|%f
.lq$;
%s&?W
tcmDK
gz.yZ 
A;.kz
c=%x/O
%C; P
.Uqro
P"P%%c
LUj.BD
>4\.EQ|
u%DSeu
&{.XRn
o%U(!
J<%UEwb
-7SVH}L
:_.ZN
%dN{S
X/-K}
#%f`%
YK.OYr'
.UhM'
-:.Fe
l#%cxk$,
~D,%u7
.ovQ@
LUrl
.jaB?
%Ck]V
_26.Gr
'Dv.FK
TE%CU1.
%XnG]
N.R%.d?
x.WD;*
( .qQ
#SU.EX
&%U(fD
-n}}a7
;`D~.fW
MEXe
uRC%x
|.Rufu1
.iyC;
c%f)GY
.OZ
%.DC_
B%7sH
.cF9|
El.Mk
!<.kQC
%x(gM
W=R%3U
&K.HN@
"4.BY r
R.MW0
X.Fo/L
R|.hX
<'<.OAm\
OyÝX
1.12.52.41
123456789

svchost06.exe_816:


.kb!Y
f9z.vk
cmd /c net stop alg /y&net stop sharedaccess
dnf.exe
\hfnto.exe
\bvfi.exe
123456789
123456789
Microsoft.XMLHTTP
%WinDir%\
{00000117-0000-0000-C000-000000000046}
[email protected]
urlmon
user32.dll
atl.dll
ole32.dll
MsgWaitForMultipleObjects
URLDownloadToFileA
program internal error number is %d. (0x%Xh)
:"%s"
:"%s".
GetProcessHeap
.text
`.rdata
@.data
cmd /c net
cess*dnf.exe
urlm
URLDownG
s %d. (0x%Xh)<
_`.rd
KERNEL32.DLL
ATL.DLL
MSVCRT.dll
OLEAUT32.dll
USER32.dll

svchost06.exe_816_rwx_00401000_00019000:


f9z.vk
cmd /c net stop alg /y&net stop sharedaccess
dnf.exe
\hfnto.exe
\bvfi.exe
123456789
123456789
Microsoft.XMLHTTP
%WinDir%\
{00000117-0000-0000-C000-000000000046}
[email protected]
urlmon
user32.dll
atl.dll
ole32.dll
MsgWaitForMultipleObjects
URLDownloadToFileA
program internal error number is %d. (0x%Xh)
:"%s"
:"%s".
GetProcessHeap
.text
`.rdata
@.data

xslxtnl.exe_968:


`.rsrc
t$(SSh
~%UVW
u$SShe
wininet.dll
kernel32.dll
user32.dll
ole32.dll
advapi32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
GetProcessHeap
MsgWaitForMultipleObjects
http://
https://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
@Client.exe
ptlogin4.game.qq.com
&s_url=http://dnf.qq.com/act/a20090219dltb/&f_url=&ptlang=2052&ptredirect=101&aid=21000127&daid=8&j_later=0&low_login_hour=0®master=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0
&service=login&nodirect=0&ptsig=
http://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
0@\DNF.exe
\TCLS\config\LoginQ.dat
LastLogin=
$@LastLogin=(\d*)
LastLogin=(\d*)
http://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=dnf&area=
&msg=
&Pass=
ftb.exe
\dlipms.exe
.rsrc
RU.LZ'
.HEL`pV
B%S2H\pS2%S
\\%SHK
%fpmCl
\UWSSHh
$%FNH
7.ovt
T.JX$
~Lh"4%D$
%FK%t
\.yjS
"&HK.fv
_.oh=x
G:.HH
n.WD7\2/x
ac 5ld%X
Þ[(
.mh)d:
 $.CwB
57$]<#<*
.uP.u
t;.tMlaw
%FGlC
C.kwFt
%uTi'%,m
92r@h$`s.PtQ8
E.ppU`
Wr%S(Px
Msg!ForMultip.Objects
cmd.exe
.rdataU
%u?#3
P %s could
%*.*f
_CmdT"
nxJ.oE0
ELECTE,.MS
VCRTgr
%D]-D
(&07-034/)7
7%s:%dkQ
zcÁ
?l.chs\S
mpon%s
c.AA%
g]Key
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
RegCloseKey
ShellExecuteA
DNF.exe
TASLogin.exe
I?}%X
w"%CH
$8%S2%<@2%S2DHLS2%SPTX%S2%\`2%S2dhlR2%Sp|[
)J.Ijn
X&.RM
s<\%S{
Y%u9]
%f
Qa>.GZ@
Z.AxU
x.ht!
?Ú"
.Be$>;
vF08{%D^k
Y,t.Kk
\7%Cl
9.gO#
J .HT
A.tCD
.im=L
$,",0044
~g%XH
Rt%3s
ùp`t
FQ-8Y}P
RdØ
.KH#I#
:{.osCg
afT.Aga
W].Fh
kadvapi32.dll
%xOatl
OLEACC.DLL
Http5F
'lTcpyn
xKeyk
h2://dnf.qq.com/act
g.btn.5}g
forum.phpI
HTTPV
.MLo%
:/
<(($%>);,(
L.pr("\\x" s@sub
.toUpL
6Áî
pz.Bi
Ft0ó
&'$-. 02-24/350
,/0 * ("#
"%F#^>;
%u@H./!
JlA%U
G1Î3
J%A%S-
!U9%UV
aD'kM jM(hK.fI1L-
prO%X-
IiK%fL&
xU%DN
|32:<745
02.sTml#mk0
.onjBYXTK:
R9!T<"W=#X@#ZB#^E$^F%bH%cI&eL'hM
\:-];.]:
.vo:m
.">&"$%0$;
\.eF*v
6%F, 7
6# 3&$%xzu
4=,*;û@
(*7)*5()
/(.A.BAL
/~..Jw
hD`A-4z[= tR.tP
.BV9"Z|Z/
{Z)~\.bE
V6{c%S~
s %d.
x%Xh)7
`.rd9a
MSVCRT]
n?.mD
\H%U8 U:-JWS
D-b%x:F
*9.(6-&7.'
v.uA`XybZ
6,8-wB.yC
)*Í?
&( .0(1:$
(0 #6,";2&=
):@.KV
*;C.LI2U 
^.HL)
B BG.GI.FF.C(5
o&5A*BH.IG.
F.SE.QD-P(
MF.UC/S.OI.Q
J.D.YC.VA,TA VB
Ã?r`m)_
90z6.tB7
6.lC9~C8
B/v> qB.uH.
P9}E.pH3tXD
H.yK/y[>
!3~#5~)9
#.Sma
"X.DP
O>PL=OH6ND0K?-FE.KZ7^}N~uTukRjaHP
HB.IJ5NV0Tx#s
T*[email protected]?.B
 @9((<7';6&;7
52$96(=9 ?
81&:1$:3$<;
,3 *0#12'9/#9
.8%/3&50%8
7'$;($<,&:-
9)!6,$:,
"1,$7".'
&6-.UNKmgh0
-&!3("4' 5%
,% 2'"4(!5
&D(5Z ?n.Dx/H
9$!/(!3%"5&
$? $=)!8%!5
A..UGW
l^Tp`Xt.POLlVR{[V
.WSmOMgGC_]Vsa[xRMmFBc9<[06U%*M
_.QNiIFcXVsQQp8=d! U
B. 33Ÿ# 2
1*(2*'3'!
.KwHh
8)'1)&2(#"
.% 11,=B
{MT{9;g#%S
=7I.MIZ
@÷H
;&$ '%,$! 
&$#)&%4.& /&
0)#-)$.*%/(#/&"&
-( ,(!,)"
*'  (",(
*.'"-$ -# ,#!-'%4
TPa^[lXUh.QOcJI]^^s^]tO
!7&#-*%& %$)' 
$)& &&,%&-
02&-4*/-*3"
4Bh8Hm.Bp7P
3 %5(#2$
  #-3)1:0972:
(! /!!5"
o>%D@:HEDUVX
.CY(:PHXzANw4At*6n
;i.XE
k(WWkTVkOSfGK`W\rW[rPUn%S
!2#"-.'.0%.
&-',-&  ! 
.yYZzJOp9Gh2Ej?Y
&1-#-,"  
 ..-0<8
),$,2$.3"/4"16
/&-1&/3%/6&26#23!27%9>.AA5C:0:7/
!."*.!*/
,1#08 67
.Cx(9i6Js
.Ky*Kv(Iv,K}
;.PTJ/
D%0W%Dv(N
`@.Oe
.FBSnH]
9Jj.Bh-A
?k.Df
Hj.LwHa
%D~7Q
R %uA
#Cb.JoMg
%U*DkR
*Gd%DnNo
*U.IzNk
(@q%Co=^
.hhe1. 
@7nN%s
-B}AU
r%X^'LI'O?(N< K;.J~
.AvHP
1Iw
':p%9k(=r.Bx9H
A#,:%Dr
;u.OtfA0m
J.GG?
4[.Ls8]
/!-T<
@A>01.YYV{{xaa^X
=T{.Cl
%.;=557/()$
_`];<9* (
 U.Do?]
%Xj)_
%C=TwVp
vn.ed_ab]]_WZ
TQITNJXPMSGJFCWFg
%CnHn
))*001#&(
O4>j:BjPWs
(H=Po?Xw.Hk<[
9`.Jo&Fi0Sx0V
b.Ob`s
.BeRa~u
 TŒ#5d'7j7I|8M~Xp
Fs4N{.Lu1RyPp
Id.MS
7j.JtKm
8Gc 9[3Bj8Ht.Cq2Jz<
*
?n.Dv
(Ez%Cw/O
GnN^v.Xp
J.hDDjJU
=&}:#{3$
.GnKb~
*:w%9s
>}1El$
;n.Hy\&
-0-(0%()(
Cjm.eb
'9=82<.342
%.dn.
-o.SRx-
.Xmw[p
OSQ%c|<
FQf.xwB
\`.cu
m:\JcH
;y$F%flr==G^
.BRC&
o.gQ<
wz|.DFM
Pm.Ac
v/D.Fu
.ml@fBT
JO.OPX
CNotSupportedExceptionk
COMLZ.DL
CmdT"
~.INI
.MSVCRTg8U
.PAVGHTh
-f.De
7%s:%d
xX
mEZ.YM
%fpoj
.Quip
oledlg.dll
notepad1.exe
183.57.57.192
http://ip.qq.com/cgi-bin/index
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Millenium Edition
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT 3.51
Microsoft Windows NT 4.0
Microsoft Windows Vista
Microsoft Windows 7
TP3Helper.exe
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=bind_qqtoken_revry&PTime=0.2534901067286
http://aq.qq.com/cn2/unionverify/pc/pc_uv_send_sms
[email protected]
/hmsx.txt
http://captcha.qq.com/getimage?aid=21000127&r=
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=modifymobile&PTime=0.01982586313531
http://aq.qq.com/cn2/unionverify/pc/pc_uv_verify
window.location.href='(.*)';
?Action=Bind&Type=°ó¶¨Ãܱ£ÊÖ»ú&User=
dxfpz.ini
http://aq.qq.com/cn2/manage/mobile/query_same_mobile_ajax
http://aq.qq.com/cn2/manage/mobile/query_bind_uins_ajax
http://aq.qq.com/cn2/manage/mobile/query_station_ajax
http://aq.qq.com/cn2/manage/mobile/active_sms_ajax?flow_type=change&mobile_number=
http://aq.qq.com/cn2/manage/mobile/verify_mobile_ajax
{result:-1}
http://aq.qq.com/cn2/manage/mobile/change_mobile
QQ.exe
?Action=Bind&Type=°ó¶¨QQÁîÅÆ&User=
http://aq.qq.com/cn2/manage/qqtoken/bind_qqtoken?tlbox_src_id=0
http://aq.qq.com/cn2/unionverify/pc/pc_uv_sms_query
http://captcha.qq.com/getimage?uin=http://tenxunnimabi/sema&aid=21000127&0.8854733550862719
https://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=8
&aid=21000127&u1=http://dnf.qq.com/act/a20090219dltb/&h=1&ptredirect=1&ptlang=2052&daid=8&from_ui=1&dumy=&low_login_enable=0®master=&fp=loginerroralert&action=16-116-1389436820937&mibao_css=&t=2&g=1&js_ver=10063&js_type=1&login_sig=knHhTNFwQthq*GSFdpsyF6EaS8*jMteBFqJBsJiCmMR8bkYQuLD6LJlF-7k4h0Qx&pt_rsa=0
http://ptlogin2.qq.com/login?u=
http://ui.ptlogin2.qq.com/cgi-bin/mibao_vry
http://aq.qq.com/cn/services/abnormal/abnormal_index
&s_url
var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128<<((F)2);K[(((F 64)>>>9)<<4) 14]=F;var J=1732584193;var I=-271733879;var H=-1732584194;var G=271733878;for(var C=0;C16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B<16;B  ){A[B]=E[B]^909522486;D[B]=E[B]^1549556828}var G=core_md5(A.concat(str2binl(F)),512 F.length*chrsz);return core_md5(D.concat(G),512 128)}function safe_add(A,D){var C=(A&65535) (D&65535);var B=(A>>16) (D>>16) (C>>16);return(B<<16)|(C&65535)}function bit_rol(A,B){return(A<>>(32-B))}function str2binl(D){var C=Array();var A=(1<>5]|=(D.charCodeAt(B/chrsz)&A)<<(B2)}return C}function binl2str(C){var D="";var A=(1<>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B>2]>>8*(B%4))&255)<<16)|(((D[B 1>>2]>>8*((B 1)%4))&255)<<8)|((D[B 2>>2]>>8*((B 2)%4))&255);for(var A=0;A<4;A  ){if(B*8 A*6>D.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i
GetPassword
http://aq.qq.com/cn2/index
WinHttp.WinHttpRequest.5.1
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.5.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Y@&msg
https://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=2
(\d.*)<.dd>
https://aq.qq.com/cn2/unionverify/pc/pc_uv_dtmsg_query
https://aq.qq.com/cn2/unionverify/pc/pc_uv_verify
http://check.ptlogin2.qq.com/check?uin=
VBScript.RegExp
"&$&&$&&$&&
"$%&$%&$%&
"&$&&$&&
$%&$%&$%&
&3<$%&$&&$%&
"!&$%&$%&
"!&!%&$%&
"!&$%&!%&
"!&!%&!%&
999999999999999
999999999999
.J~-J}-I|-I|,I{,Hz,Gz,Gy,Gw Gw*Fw*Fu*Eu*Eu*Es*Ds)Ds)Cr)Cq(Cq'Cp'Bp'Bo'Ao&@n&@m&?m%?m%>l%>l%>j%>j%>i%>i$=h$=h$
IU%ct
IV%ct
JW%ct
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "7($<)$/$#% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "1$
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% ",!
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% ":&
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "' !`=)
]/< #(!"% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "1"
12$58(.3"
`*gA%U4
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% ".
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "1# \8
)0-&8 -E%U
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% ".#!`7#
% "% "% "% "% "% "% "% "% "% "% "% "% "% "2#
% "% "% "% "% "% "% "% "% "% "% "% "' !G0%d@)
% "% "% "% "% "% "% "% "% "% " !
% "% "% "% "% "% "% "% "% "-"
% "% "% "% "% "% "% "% "% "3&#
% "% "% "% "% "% "% "% "% "?-%
\,\8$1%"% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% ":*$
% "% "% "% "% "% "% "5'"
% "% "% "% "% "% "*!
% "% "% "% "% "% "0#
% "% "% "% "% "% "6&!
% "% "% "% "% "% "> "
% "% "% "% "% "
% "% "% "% "% "*""
% "% "% "% "% ",""
% "% "% "% "% "-##
% "% "% "% "% ",#"
[(9)"% "% "% "% "% "
% "% "% "% "% " #"
[(9*"% "% "% "% "% "
Y%uM*
[*:*"% "% "% "% "% "
% "% "% "% "% "(!"
^-9)"% "% "% "% "% "
% "% "% "% "% ")""
^-<*"% "% "% "% "% "
^-> "% "% "% "% "% "
% "% "% "% "% "-$"
% "% "% "% "% "-#"
% "% "% "% "% "/$"
% "% "% "% "% "0$"
% "% "% "% "% "0$!
" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "
" " " " " " " " " " " " " " "
" " " " " "
" " " " " " #! "
" " " " #! "
" " " " " " #!!"
" " " " #!!" " #! "
" " " ! "
""" """ """ """ """ """ ""# """ ""# ""# """ """ """ ""# """ ""# ""# """ """ """ ""# """ ""# !! #$
"#!!!!"#
"#!!!!"" "#
!$!"'!!####!#$!#$ "$!"&!!#"##!#$!#$ "$!#$
!$!"'!!####!#$!#$ "$!"&!!####!#$!#$!#$!#$
!$!"(!!####!#$!#$ "$!"&!!####!#$!#$!#$!#$
!$!"(!!#"##!#$!#$
!$!"(!"#!"$!#$
!$!"(!!#"## #&
$#% &!"&#! $!
'"!&! '#"%#"
#$ '($ "
&"!$#"$#"$""&! )!
&"!$#"%"!%""&"!&
&"!$#"$#"$#"&"!&
&"!$#"%"!&
0*#0$".!
 '"*"" $'' #)#$*!
'$ (# )"
&"!)$"&%#%&#%&"'
'"!)$"&%#%%"&&"'"!'! (
'"!)$"&%#%&#%&"'"!'! (
&"!)$"&%"&#!'! (
&"!)%"&#"'! (
#$ #$"#$"%#"$#
$"!#"""%##%##'#(&"(' '&"(*#*($)*$)'#()#('#()")'#))! '" )! '" '#(%$&'#(%$&(#('"*)! '" '#(%$&'#(%$&'$&'$&'$&&#%'"$(&&($''$&'$&&#%'"$(&&)$'&$&'$&'$&'$&&#%'"$(&&*%&(#$)$% &' &')$%*%'*$)*$)*$& &')$%*%'*$)*$))#&)$& &' &')$%*$()#'*%'*$)*$))#()#(*$))#*'#')$'*$))#(*$))#*'#')$'*$)*$))#()#()$)("(*$))#*&#)&"('"(("(*$))#*&#)$"(
#'$)("&*$))#*%"(#!&%"(("&*$))#*&#)$"(
#%"(&!%)$))#*%"(#!&%"(("&*$))#*&#)$"(
#%"($ $'$)%"(
#&"('%*#"'
#$"&$%) #&
88,,/ $'
.6 (0&#*# 1,%*)% *#. #0(%0('0&'/$'0#&0#$0$"0% /'%3-#3,
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
USER32.DLL
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
q.com
651030; Domain=ip.qq.com; Expires=Fri, 04 Jul 2014 05:07:27 GMT; Path=/; HTTPOnly
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xslxtnl.exe
#include "l.chs\afxres.rc" // Standard components
WinExec
GetCPInfo
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
cbKey
(*.*)

xslxtnl.exe_968_rwx_00401000_00289000:


t$(SSh
~%UVW
u$SShe
wininet.dll
kernel32.dll
user32.dll
ole32.dll
advapi32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
GetProcessHeap
MsgWaitForMultipleObjects
http://
https://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
@Client.exe
ptlogin4.game.qq.com
&s_url=http://dnf.qq.com/act/a20090219dltb/&f_url=&ptlang=2052&ptredirect=101&aid=21000127&daid=8&j_later=0&low_login_hour=0®master=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0
&service=login&nodirect=0&ptsig=
http://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
0@\DNF.exe
\TCLS\config\LoginQ.dat
LastLogin=
$@LastLogin=(\d*)
LastLogin=(\d*)
http://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=dnf&area=
&msg=
&Pass=
ftb.exe
\dlipms.exe
.rsrc
RU.LZ'
.HEL`pV
B%S2H\pS2%S
\\%SHK
%fpmCl
\UWSSHh
$%FNH
7.ovt
T.JX$
~Lh"4%D$
%FK%t
\.yjS
"&HK.fv
_.oh=x
G:.HH
n.WD7\2/x
ac 5ld%X
Þ[(
.mh)d:
 $.CwB
57$]<#<*
.uP.u
t;.tMlaw
%FGlC
C.kwFt
%uTi'%,m
92r@h$`s.PtQ8
E.ppU`
Wr%S(Px
Msg!ForMultip.Objects
cmd.exe
.rdataU
%u?#3
P %s could
%*.*f
_CmdT"
nxJ.oE0
ELECTE,.MS
VCRTgr
%D]-D
(&07-034/)7
7%s:%dkQ
zcÁ
?l.chs\S
mpon%s
c.AA%
g]Key
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
RegCloseKey
ShellExecuteA
DNF.exe
TASLogin.exe
I?}%X
w"%CH
$8%S2%<@2%S2DHLS2%SPTX%S2%\`2%S2dhlR2%Sp|[
)J.Ijn
X&.RM
s<\%S{
Y%u9]
%f
Qa>.GZ@
Z.AxU
x.ht!
?Ú"
.Be$>;
vF08{%D^k
Y,t.Kk
\7%Cl
9.gO#
J .HT
A.tCD
.im=L
$,",0044
~g%XH
Rt%3s
ùp`t
FQ-8Y}P
RdØ
.KH#I#
:{.osCg
afT.Aga
W].Fh
kadvapi32.dll
%xOatl
OLEACC.DLL
Http5F
'lTcpyn
xKeyk
h2://dnf.qq.com/act
g.btn.5}g
forum.phpI
HTTPV
.MLo%
:/
<(($%>);,(
L.pr("\\x" s@sub
.toUpL
6Áî
pz.Bi
Ft0ó
&'$-. 02-24/350
,/0 * ("#
"%F#^>;
%u@H./!
JlA%U
G1Î3
J%A%S-
!U9%UV
aD'kM jM(hK.fI1L-
prO%X-
IiK%fL&
xU%DN
|32:<745
02.sTml#mk0
.onjBYXTK:
R9!T<"W=#X@#ZB#^E$^F%bH%cI&eL'hM
\:-];.]:
.vo:m
.">&"$%0$;
\.eF*v
6%F, 7
6# 3&$%xzu
4=,*;û@
(*7)*5()
/(.A.BAL
/~..Jw
hD`A-4z[= tR.tP
.BV9"Z|Z/
{Z)~\.bE
V6{c%S~
s %d.
x%Xh)7
`.rd9a
MSVCRT]
n?.mD
\H%U8 U:-JWS
D-b%x:F
*9.(6-&7.'
v.uA`XybZ
6,8-wB.yC
)*Í?
&( .0(1:$
(0 #6,";2&=
):@.KV
*;C.LI2U 
^.HL)
B BG.GI.FF.C(5
o&5A*BH.IG.
F.SE.QD-P(
MF.UC/S.OI.Q
J.D.YC.VA,TA VB
Ã?r`m)_
90z6.tB7
6.lC9~C8
B/v> qB.uH.
P9}E.pH3tXD
H.yK/y[>
!3~#5~)9
#.Sma
"X.DP
O>PL=OH6ND0K?-FE.KZ7^}N~uTukRjaHP
HB.IJ5NV0Tx#s
T*[email protected]?.B
 @9((<7';6&;7
52$96(=9 ?
81&:1$:3$<;
,3 *0#12'9/#9
.8%/3&50%8
7'$;($<,&:-
9)!6,$:,
"1,$7".'
&6-.UNKmgh0
-&!3("4' 5%
,% 2'"4(!5
&D(5Z ?n.Dx/H
9$!/(!3%"5&
$? $=)!8%!5
A..UGW
l^Tp`Xt.POLlVR{[V
.WSmOMgGC_]Vsa[xRMmFBc9<[06U%*M
_.QNiIFcXVsQQp8=d! U
B. 33Ÿ# 2
1*(2*'3'!
.KwHh
8)'1)&2(#"
.% 11,=B
{MT{9;g#%S
=7I.MIZ
@÷H
;&$ '%,$! 
&$#)&%4.& /&
0)#-)$.*%/(#/&"&
-( ,(!,)"
*'  (",(
*.'"-$ -# ,#!-'%4
TPa^[lXUh.QOcJI]^^s^]tO
!7&#-*%& %$)' 
$)& &&,%&-
02&-4*/-*3"
4Bh8Hm.Bp7P
3 %5(#2$
  #-3)1:0972:
(! /!!5"
o>%D@:HEDUVX
.CY(:PHXzANw4At*6n
;i.XE
k(WWkTVkOSfGK`W\rW[rPUn%S
!2#"-.'.0%.
&-',-&  ! 
.yYZzJOp9Gh2Ej?Y
&1-#-,"  
 ..-0<8
),$,2$.3"/4"16
/&-1&/3%/6&26#23!27%9>.AA5C:0:7/
!."*.!*/
,1#08 67
.Cx(9i6Js
.Ky*Kv(Iv,K}
;.PTJ/
D%0W%Dv(N
`@.Oe
.FBSnH]
9Jj.Bh-A
?k.Df
Hj.LwHa
%D~7Q
R %uA
#Cb.JoMg
%U*DkR
*Gd%DnNo
*U.IzNk
(@q%Co=^
.hhe1. 
@7nN%s
-B}AU
r%X^'LI'O?(N< K;.J~
.AvHP
1Iw
':p%9k(=r.Bx9H
A#,:%Dr
;u.OtfA0m
J.GG?
4[.Ls8]
/!-T<
@A>01.YYV{{xaa^X
=T{.Cl
%.;=557/()$
_`];<9* (
 U.Do?]
%Xj)_
%C=TwVp
vn.ed_ab]]_WZ
TQITNJXPMSGJFCWFg
%CnHn
))*001#&(
O4>j:BjPWs
(H=Po?Xw.Hk<[
9`.Jo&Fi0Sx0V
b.Ob`s
.BeRa~u
 TŒ#5d'7j7I|8M~Xp
Fs4N{.Lu1RyPp
Id.MS
7j.JtKm
8Gc 9[3Bj8Ht.Cq2Jz<
*
?n.Dv
(Ez%Cw/O
GnN^v.Xp
J.hDDjJU
=&}:#{3$
.GnKb~
*:w%9s
>}1El$
;n.Hy\&
-0-(0%()(
Cjm.eb
'9=82<.342
%.dn.
-o.SRx-
.Xmw[p
OSQ%c|<
FQf.xwB
\`.cu
m:\JcH
;y$F%flr==G^
.BRC&
o.gQ<
wz|.DFM
Pm.Ac
v/D.Fu
.ml@fBT
JO.OPX
CNotSupportedExceptionk
COMLZ.DL
CmdT"
~.INI
.MSVCRTg8U
.PAVGHTh
-f.De
7%s:%d
xX
mEZ.YM
%fpoj
.Quip
oledlg.dll
notepad1.exe
183.57.57.192
http://ip.qq.com/cgi-bin/index
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Millenium Edition
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT 3.51
Microsoft Windows NT 4.0
Microsoft Windows Vista
Microsoft Windows 7
TP3Helper.exe
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=bind_qqtoken_revry&PTime=0.2534901067286
http://aq.qq.com/cn2/unionverify/pc/pc_uv_send_sms
[email protected]
/hmsx.txt
http://captcha.qq.com/getimage?aid=21000127&r=
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=modifymobile&PTime=0.01982586313531
http://aq.qq.com/cn2/unionverify/pc/pc_uv_verify
window.location.href='(.*)';
?Action=Bind&Type=°ó¶¨Ãܱ£ÊÖ»ú&User=
dxfpz.ini
http://aq.qq.com/cn2/manage/mobile/query_same_mobile_ajax
http://aq.qq.com/cn2/manage/mobile/query_bind_uins_ajax
http://aq.qq.com/cn2/manage/mobile/query_station_ajax
http://aq.qq.com/cn2/manage/mobile/active_sms_ajax?flow_type=change&mobile_number=
http://aq.qq.com/cn2/manage/mobile/verify_mobile_ajax
{result:-1}
http://aq.qq.com/cn2/manage/mobile/change_mobile
QQ.exe
?Action=Bind&Type=°ó¶¨QQÁîÅÆ&User=
http://aq.qq.com/cn2/manage/qqtoken/bind_qqtoken?tlbox_src_id=0
http://aq.qq.com/cn2/unionverify/pc/pc_uv_sms_query
http://captcha.qq.com/getimage?uin=http://tenxunnimabi/sema&aid=21000127&0.8854733550862719
https://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=8
&aid=21000127&u1=http://dnf.qq.com/act/a20090219dltb/&h=1&ptredirect=1&ptlang=2052&daid=8&from_ui=1&dumy=&low_login_enable=0®master=&fp=loginerroralert&action=16-116-1389436820937&mibao_css=&t=2&g=1&js_ver=10063&js_type=1&login_sig=knHhTNFwQthq*GSFdpsyF6EaS8*jMteBFqJBsJiCmMR8bkYQuLD6LJlF-7k4h0Qx&pt_rsa=0
http://ptlogin2.qq.com/login?u=
http://ui.ptlogin2.qq.com/cgi-bin/mibao_vry
http://aq.qq.com/cn/services/abnormal/abnormal_index
&s_url
var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128<<((F)2);K[(((F 64)>>>9)<<4) 14]=F;var J=1732584193;var I=-271733879;var H=-1732584194;var G=271733878;for(var C=0;C16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B<16;B  ){A[B]=E[B]^909522486;D[B]=E[B]^1549556828}var G=core_md5(A.concat(str2binl(F)),512 F.length*chrsz);return core_md5(D.concat(G),512 128)}function safe_add(A,D){var C=(A&65535) (D&65535);var B=(A>>16) (D>>16) (C>>16);return(B<<16)|(C&65535)}function bit_rol(A,B){return(A<>>(32-B))}function str2binl(D){var C=Array();var A=(1<>5]|=(D.charCodeAt(B/chrsz)&A)<<(B2)}return C}function binl2str(C){var D="";var A=(1<>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B>2]>>8*(B%4))&255)<<16)|(((D[B 1>>2]>>8*((B 1)%4))&255)<<8)|((D[B 2>>2]>>8*((B 2)%4))&255);for(var A=0;A<4;A  ){if(B*8 A*6>D.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i
GetPassword
http://aq.qq.com/cn2/index
WinHttp.WinHttpRequest.5.1
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.5.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Y@&msg
https://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=2
(\d.*)<.dd>
https://aq.qq.com/cn2/unionverify/pc/pc_uv_dtmsg_query
https://aq.qq.com/cn2/unionverify/pc/pc_uv_verify
http://check.ptlogin2.qq.com/check?uin=
VBScript.RegExp
"&$&&$&&$&&
"$%&$%&$%&
"&$&&$&&
$%&$%&$%&
&3<$%&$&&$%&
"!&$%&$%&
"!&!%&$%&
"!&$%&!%&
"!&!%&!%&
999999999999999
999999999999
.J~-J}-I|-I|,I{,Hz,Gz,Gy,Gw Gw*Fw*Fu*Eu*Eu*Es*Ds)Ds)Cr)Cq(Cq'Cp'Bp'Bo'Ao&@n&@m&?m%?m%>l%>l%>j%>j%>i%>i$=h$=h$
IU%ct
IV%ct
JW%ct
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "7($<)$/$#% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "1$
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% ",!
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% ":&
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "' !`=)
]/< #(!"% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "1"
12$58(.3"
`*gA%U4
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% ".
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "% "1# \8
)0-&8 -E%U
% "% "% "% "% "% "% "% "% "% "% "% "% "% "% ".#!`7#
% "% "% "% "% "% "% "% "% "% "% "% "% "% "2#
% "% "% "% "% "% "% "% "% "% "% "% "' !G0%d@)
% "% "% "% "% "% "% "% "% "% " !
% "% "% "% "% "% "% "% "% "-"
% "% "% "% "% "% "% "% "% "3&#
% "% "% "% "% "% "% "% "% "?-%
\,\8$1%"% "% "% "% "% "% "% "% "
% "% "% "% "% "% "% "% ":*$
% "% "% "% "% "% "% "5'"
% "% "% "% "% "% "*!
% "% "% "% "% "% "0#
% "% "% "% "% "% "6&!
% "% "% "% "% "% "> "
% "% "% "% "% "
% "% "% "% "% "*""
% "% "% "% "% ",""
% "% "% "% "% "-##
% "% "% "% "% ",#"
[(9)"% "% "% "% "% "
% "% "% "% "% " #"
[(9*"% "% "% "% "% "
Y%uM*
[*:*"% "% "% "% "% "
% "% "% "% "% "(!"
^-9)"% "% "% "% "% "
% "% "% "% "% ")""
^-<*"% "% "% "% "% "
^-> "% "% "% "% "% "
% "% "% "% "% "-$"
% "% "% "% "% "-#"
% "% "% "% "% "/$"
% "% "% "% "% "0$"
% "% "% "% "% "0$!
" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "
" " " " " " " " " " " " " " "
" " " " " "
" " " " " " #! "
" " " " #! "
" " " " " " #!!"
" " " " #!!" " #! "
" " " ! "
""" """ """ """ """ """ ""# """ ""# ""# """ """ """ ""# """ ""# ""# """ """ """ ""# """ ""# !! #$
"#!!!!"#
"#!!!!"" "#
!$!"'!!####!#$!#$ "$!"&!!#"##!#$!#$ "$!#$
!$!"'!!####!#$!#$ "$!"&!!####!#$!#$!#$!#$
!$!"(!!####!#$!#$ "$!"&!!####!#$!#$!#$!#$
!$!"(!!#"##!#$!#$
!$!"(!"#!"$!#$
!$!"(!!#"## #&
$#% &!"&#! $!
'"!&! '#"%#"
#$ '($ "
&"!$#"$#"$""&! )!
&"!$#"%"!%""&"!&
&"!$#"$#"$#"&"!&
&"!$#"%"!&
0*#0$".!
 '"*"" $'' #)#$*!
'$ (# )"
&"!)$"&%#%&#%&"'
'"!)$"&%#%%"&&"'"!'! (
'"!)$"&%#%&#%&"'"!'! (
&"!)$"&%"&#!'! (
&"!)%"&#"'! (
#$ #$"#$"%#"$#
$"!#"""%##%##'#(&"(' '&"(*#*($)*$)'#()#('#()")'#))! '" )! '" '#(%$&'#(%$&(#('"*)! '" '#(%$&'#(%$&'$&'$&'$&&#%'"$(&&($''$&'$&&#%'"$(&&)$'&$&'$&'$&'$&&#%'"$(&&*%&(#$)$% &' &')$%*%'*$)*$)*$& &')$%*%'*$)*$))#&)$& &' &')$%*$()#'*%'*$)*$))#()#(*$))#*'#')$'*$))#(*$))#*'#')$'*$)*$))#()#()$)("(*$))#*&#)&"('"(("(*$))#*&#)$"(
#'$)("&*$))#*%"(#!&%"(("&*$))#*&#)$"(
#%"(&!%)$))#*%"(#!&%"(("&*$))#*&#)$"(
#%"($ $'$)%"(
#&"('%*#"'
#$"&$%) #&
88,,/ $'
.6 (0&#*# 1,%*)% *#. #0(%0('0&'/$'0#&0#$0$"0% /'%3-#3,
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
USER32.DLL
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
q.com
651030; Domain=ip.qq.com; Expires=Fri, 04 Jul 2014 05:07:27 GMT; Path=/; HTTPOnly
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\xslxtnl.exe
#include "l.chs\afxres.rc" // Standard components
WinExec
GetCPInfo
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
cbKey
(*.*)

MZRTdKAQ.exe_1732:


`.rsrc
t$(SSh
~%UVW
u$SShe
advapi32.dll
kernel32.dll
wininet.dll
user32.dll
ole32.dll
atl.dll
OLEACC.DLL
gdi32.dll
MsgWaitForMultipleObjects
GetProcessHeap
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegDeleteKeyA
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
http://dnf.qq.com/act/a20110523safe/?ADTAG=ied.client.btn.safe
http://dnf.gamebbs.qq.com/forum.php?ADTAG=ied.client.btn.bbs
127.0.0.1
http://117.27.251.199:8082/xia/123.txt
http://
/hmsx.txt
/x666.txt
https://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
http://crm2.qq.com/page/portalpage/wpa.php?uin=40012345&f=1&ty=1&ap=000011:400994:|m:11|f:Gdnf2
http://check.ptlogin2.qq.com/check?uin=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http://captcha.qq.com/getimage?uin=http://tenxunnimabi/sema&aid=21000127&0.8854733550862719
Client.exe
&Pass=
&s_url=http://dnf.qq.com/act/a20090219dltb/&f_url=&ptlang=2052&ptredirect=101&aid=21000127&daid=8&j_later=0&low_login_hour=0®master=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0
&service=login&nodirect=0&ptsig=
http://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=bind_qqtoken_revry&PTime=0.2534901067286
https://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=8
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=verifyque_risk&PTime=0.04489820876613
https://aq.qq.com/cn2/manage/question/set_question_sel?mb_flow_type=dna&PcacheTime=1394608667
&aid=21000127&u1=http://dnf.qq.com/act/a20090219dltb/&h=1&ptredirect=1&ptlang=2052&daid=8&from_ui=1&dumy=&low_login_enable=0®master=&fp=loginerroralert&action=16-116-1389436820937&mibao_css=&t=2&g=1&js_ver=10063&js_type=1&login_sig=knHhTNFwQthq*GSFdpsyF6EaS8*jMteBFqJBsJiCmMR8bkYQuLD6LJlF-7k4h0Qx&pt_rsa=0
http://ptlogin2.qq.com/login?u=
http://ui.ptlogin2.qq.com/cgi-bin/mibao_vry
http://aq.qq.com/cn/services/abnormal/abnormal_index
&s_url
var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128<<((F)2);K[(((F 64)>>>9)<<4) 14]=F;var J=1732584193;var I=-271733879;var H=-1732584194;var G=271733878;for(var C=0;C16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B<16;B  ){A[B]=E[B]^909522486;D[B]=E[B]^1549556828}var G=core_md5(A.concat(str2binl(F)),512 F.length*chrsz);return core_md5(D.concat(G),512 128)}function safe_add(A,D){var C=(A&65535) (D&65535);var B=(A>>16) (D>>16) (C>>16);return(B<<16)|(C&65535)}function bit_rol(A,B){return(A<>>(32-B))}function str2binl(D){var C=Array();var A=(1<>5]|=(D.charCodeAt(B/chrsz)&A)<<(B2)}return C}function binl2str(C){var D="";var A=(1<>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B>2]>>8*(B%4))&255)<<16)|(((D[B 1>>2]>>8*((B 1)%4))&255)<<8)|((D[B 2>>2]>>8*((B 2)%4))&255);for(var A=0;A<4;A  ){if(B*8 A*6>D.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i
GetPassword
http://aq.qq.com/cn2/index
WinHttp.WinHttpRequest.5.1
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.5.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
&keyindex=9&pt_aid=21000127&daid=8&u1=http://dnf.qq.com/act/a20090219dltb/&ptopt=1
&clientkey=
http://ptlogin2.qq.com/jump?clientuin=
&Index=³¬¼¶ÁîÅÆģʽ
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=modifymobile&PTime=0.2534901067286
http://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=2
http://aq.qq.com/cn2/unionverify/pc/pc_uv_send_sms
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=dnasetmobile&PTime=3660091457787
http://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
javascript:for(var C=0;C
http://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=dnf&area=
msg:'ok'
https://aq.qq.com/cn2/unionverify/pc/pc_uv_dtmsg_query
https://aq.qq.com/cn2/unionverify/pc/pc_uv_verify
window.location.href='(.*)';
dxfpz.ini
?Action=Bind&Type=°ó¶¨QQÁîÅÆ&User=
888888888888
https://aq.qq.com/cn2/manage/question/set_question_sel?mb_flow_type=dna&PcacheTime=139509
http://aq.qq.com/cn2/manage/qqtoken/bind_qqtoken?tlbox_src_id=0
QQ.exe
application/x-www-form-urlencoded
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 663; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)
DNF.exe
TASLogin.exe
http://dnf.qq.com/comm-htdocs/pay/new_index.htm?t=dnf&ADTAG=IED.GameClient.button.pay
\TCLS\config\LoginQ.dat
\DNF.exe
LastLogin=
LastLogin=(\d*)
23.ac[wvq:;6
9& 9& ;&
<<4=<754/#$
'(#--3 63 ?<466.
:'!<&!<&!:(
9& 9& 8%
4" 5#!5$
5#!5#!3$
8% 6% 6% 7$
9& 8'!9& <&!<&!9& :(
<&!<&!<&!=( =( =( >'
:'!:'!<&!<&!:(
:'!:'!9& 9& 8%
8% 8% 7& :'!<&!='"9& :'!<&!<&!<'
?'"=( =( >'
33 99154/## !"
**"22*44,44,66-11)
00(44,34/#$
'(#..&63 65055-44,/.)
..&33 44,34/
&( 00(74,46.77/51-.-(
W>1\?.\@1W@5C-#C-#C-#A-#A-#C-#D.$D.$B,"D.$E.$F/%G0&E.$E.$E.$F/%F/%E.$C,$C,$C-#= ">'
=( A !D,$E-%E-%E/%E.&E/%C-#C-#E.$G0&H1&I2(I2(G0&E/%@ #C-#C-#C-#A-#A-#E.#Z>/\>0Z=0<"
W>1\?.\@1W@5C-#C-#C-#A-#A-#C-#D-%D.$B,"D.$E.$F/%G0&E.$E-%E-%F.&F.&E-%C,$C,$B #? !?)
,-(13 44,
(( 33 74-57.66.51-.,)
X=0^?.\@1\E:F/%F/%G0&F0%H2'G0&H1'G0%G0%G0%G1&I2'L2(K1(I2(H1'H1'K1(K1(I2(F/'D-%A,$A)!;$
@* E.#H1'H1'K1(L5*K4*I2(I2(H1'J0'K1(J3(N4*O5 N4*I3(G1'F/%F/%F/%E/%E/%H1&Y?0[?0X=0<"
X=0^?.\@1\E:F/%F/%G0&F0%H2'G0&H1'G0&G0&G0%G1&I2'L2)K1(I2(H1'H1'K1(K1(H1'F/'D-%@,"?)
=( D-%G0&J0'K1(L5 K4*K1(I2(H1'H1'K1(J3(N4*O5 N4*I3(G1'F/%F/%F/%E/%E/%H1&Y?0[?0X=0<"
Y>1`?.aA3~aTN4 L5 N4 N4*N4*N4 N4*N4*P6,R8.U9/V:0Y;2aB6gG9gF5bD6_A7Y=3V:0W;1Y;1Q7-F/$7%
Y>1`?.aA3~aTN4 L5 N4 N4*N4*N4 N4*N4*P6,R8.U9/V:1Y;2aA8gG9gE7bC7_A7X<2V:0X<2Y;1S9/L0&?(
,.‰400-
W>1`?.dC2
 .4/00-
W>1`?.gC3
..&34///,
W>1`?.gC2
..&34/.. 
..&34/,,)
W=3`?.jF5
..&650,,)
..&761,,)
X?2c?.pG5
..&983  (
..&54/))&
..&54/ )&
0-&54/ )&
..&43.))&
..&650))&
..&761))&
..&872))&
..&650''$
..&54/&&#
..&54/''$
..&650&&#
//'650''$
,,$761''$
**"54/''$
  #54/''$
  #54/((%
  #43.''$
  #650''$
  #872''$
  #761$$!
  #43.##
  #54/$$!
,,$761$$!
,,$872##
  #650!!
  #54/!!
[<%uXA:$
 -g2!!
[<%sXA:$
4$"4% 1&
3%"4$"1$#
3%"3%"1$#
1%"4$"1%"
1$#4##-&"
/%"4$"1%"
3%"6$"1%"
/%"3%"1%"
1%"3%"/%"
1$#4$"1%"
3$#4$"1$#
1%"6$"1%"
/%"3%"4$"
1%"4$"3$#
3%"3%"-&"
/%"4$"3%"
4$"4$"1$#
1$#6##-&"
1%"4$"3%"
6% 6% 3& !
4$"8$"4##
8% 6$"3$#
4$"8$"4$"
3%":#"/%"
3%"8$"4$"
6$"8$"3%"
4$"8$"3%"
3$#8$"4$"
3%":#"4$"
1%"6$":#"
4% 8$"4##
3$#8$"4%
6$"8$"1%"
3%":#"6$"
4$"<#"/%"
4$"6$"3%"
3%"6$"4$"
1%"4$"-&"
0$"3%"
/%"1%".&$
0%"1%"
1%"3%"0&#
0%$4$"3%"
/%"1%".'#
-&"3%"/%"
1%"4$"/%"
.&$1$#4$"
/& 3%"0%$
.&$1%"/&
3$#3$#0%$
0%$4##3$#
3& 1%".&$
/%"3%"/%"
1%"6$"-&"
2%$3%"/%"
/$#4##3%"
1%"3$#1$#
4% 3%"/$#
(*"34/**'
(*"34/))&
(*"450))&
(*"23.((%
(*"561))&
(*"561%%"
S8%U;)E0#3$
R7%U;)E/#3$
S8%U;)E/#4$
S8%U;)E0#4$
G1Î3X;&>'
R7%U;)E/#5#
S8%U;*E/$4#
-(".'".&".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'"/(#3)%/$!
R7%U;)E0$5$
S8%U;)E.#4$
S7%U9*E/$4$
S8%U;*E.#4#
S7%U;*E/$4$
S8%U;)E.#5$
S8%U;)E/"4#
S8%U;(E/#3"
S8%U;)E/!1"
S8%U;)E/#2!
S8%U;)E/#3#
O4"O3"P4"P4!U9%U8&U9%T8&T8&T8&V9%T8&T8&T8&T9%T9%T8&T8&T8&V9%T9%T8&T9%T8&T8&T8&V9%T8&T8&T8&T9%T9%T8&T8&T8&V9%T9%T8&V9%T8&T8&T8&T9%T9%T8&T8&T9%T8%T7&T7&T7&S6%Q4"O4!N3!M2
N3 Q5!Q5!S5#U7&U7%U8$U8$T7%T7&T7%T8$T8$T7%V8$T7%T7%T7%T7%U7#S4"P3!N1
N3 N3 P5"Q6#R5#Q6#P5"P5"N5"Q6#R7$T6$T7#U8$U8$W7%W7%W8$T8$T8$V7%U8$U7%U7%U7%W8$U7%U7%T7%T8$T8$T7%T7%T7%V8$U9%T7%T8$T7%T7%T7%V8$T7%T7%T7%T8$T8$T7%T7%T7%V8$T8$T7%T8$T7%T7%T7%V8$T7%T7%T7%T8$T8$T7%T7%T7%V8$T8$T7%T8$T7%T7%O2!O3 O2!N2!M1 K0
! $&!')!', &,
"' "'!"&""%"!"
%- '.% 1).2')*
#$!$$"%$"$$
aD'kM jM(hK.fI1L-
vU%sR(S5!/
hK.vT&~[&
c1vU%xV$
jL8z[=nL%xV/
p.wT*1
IiK%fL&
R:%uW1
&'"&'"!"
 *%1-).-(
')!33 41*.-(
68055-55-12-
33*41*.-(
&( 46.33 55-
33*41*- (
()$.0(44,22*"#
//'3/   (
()$./*44,33 )(#"#
, &) &#$!
''$/0 55-44,0/*12-
''$./*55-55-983
) #13 55,==5??7
"?.6;54/
(*27033000
https://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=2
(\d.*)<.dd>
aq.qq.com/cn2/manage/question/set_question_sel
aq.qq.com/cn2/manage/question/set_question_vry
aq.qq.com/cn2/manage/question/dna_question_imp
aq.qq.com/cn2/manage/question/set_question_sel?mb_flow_type=setdir&outurl=setdir&mb_up_from=from_set_question&
aq.qq.com/cn2/manage/question/set_question_mobile
aq.qq.com/cn2/manage/question/setdir_question_imp
aq.qq.com/cn2/unionverify/pc/pc_uv_show?
aq.qq.com/cn2/manage/question/vry_question_imp
http://dnf.qq.com/?ADTAG=ied.client.btn.index
\TCLS\Client.exe
http://dnf.qq.com/cp/a20140106mzhd/page02.shtml#mk04
http://captcha.qq.com/getimage?aid=21000127&r=
(&–2XUQZYU,)%
=:6>;652-&#
('#. &41,52->;6540
41-:7263.&#
$"!)($30 52-52-74/10,
/.*52-63.$#
'&"-,(52-63.63.52-.-)
-,(41,52-43/
'&"1.*63.74/85030 -,(
-,(41,52-
)&"41-63.85074/41-- *
 ($52.onjQPLYXTHGC/-,
H0 I2 M4 N5!Q8"R9!T<"W=#X@#ZB#^E$^F%bH%cI&eL'hM)iN'kP)oR*sV*tW*uX*w[ z\*{] }`,
 ,(<9410,
 ,(63.0/ 
-,(740//)
?( ?( ?( >'
-,(:73--'
?( ?( ?( =( >'
=( =( >'
-,(851**$
@)!B(!A*"A*"B #D*#E $B #B #D*#F,%F-#F-#E $C,$B #A*"A*"A*"A*"A*"A*"D !Z=/Z=/X<15"
@)!A*"@)!A*"B #D*#C,$B #B #D*#F,%F-#F-#E $C,$B #A*"A*"A*"A*"A*"A*"D !Z=/Z=/X<15"
-,(63/**$
X=3[>0\>3Z@4E $C,$C,$C,$C,$C,$D-%D-%B #D-%F,%G-&H.'F,%F,%F,%G-&G-&F,%C,$C,$C,$A*"<'
?( A*"E $F,%F,%G-&G-&G-&E $E $F,%H.'I0&J1'J1'H.'G-&B #C,$C,$C,$C,$C,$F-#Z=/[>0X<15"
X=3[>0\>3Z@4E $C,$C,$C,$C,$C,$D-%D-%B #D-%F,%G-&H.'F,%F,%F,%G-&G-&F,%C,$C,$B #A  ?)
- *63/*)%
W<2[>0\>3_E9G-&G-&H/%H/%J1'H/%I0&H/%H/%H/%I0&J1'M2(L1'J1'I0&K0&L1'L1'J1'H.'D-%C,$>)!9#
|oQ5*O4*N3)P5 P5 O4*O4*O4*O4*O4*P5 O4*R5,W9.dB5uRDySGtL@oI=nJ@fC9\;2S6-K1*> $aRO
|oQ5*O4*N3)P5 P5 O4*O4*O4*O4*O4*P5 O4*R5,W9.cA4uRDxSEtM?oI=nK>fC9^>3X90Q6,H.'6$
H/%X;2[<3_>5eE:iI>hH=dD9dD9dD9cC8cC8fD7oM@jH;iG:cC6aA4`B7Y;0aC8S7,Q7 S7,[>0[>0Z=45"
vR6 P5 Q6,P5 P5 Q6,P5 P5 P5 P5 P5 Q6,Q7 Q5*W9.aA4
S5*P5 M4*N5 O4*O4*M4*M4*O4*O4*Q6,Q6,O4*O4*O4*Q5*[8.zWJ~ZJvO@xQCoL?bB7P3*@)!2"
; %> $>)!8&
Z8 Z8 Z8 Y7*Z8 Z8 Z8 Z8 [8.Z7-Z7-X8-Z7-X8-Z7-X8-Z7-Z7-Z7-Z8 a?2eD5dC4`@3^>1^>3]=2W7,U5*T4)V6 S5*R4)Q3(Q3(W9.S5*X8-\:-];.]:0Y9.W7,U5*T4)T4)U5*W7,^>3Z:/W7*U5(V3)Y7*\:-^
Z8 Z8 Z8 Y7*Z8 Z8 Z8 Z8 [8.Z7-Z7-X8-Z7-X8-Z7-X8-Z7-Z7-Z7-Z8 a?2eD5bB5`@3^>1\?1Z=/R7)Q3(Q3(R4)S5*S5*R4)S5*Y;0W7,X8-W:,X;-Y9.X8-V6 T4)Q3(Q3(Q3(R4)X:/R6 O3(O1&Q1&S3&U5(X8 _=0^
- *740*)%
- *962*)%
- *851('#
- *63/('#
-,(63/(("
-,(74/(("
, '850(("
*)t/(("
*)c.(("
*)R-(("
*)…0(("
*)–1''!
*)…0%$
*)c/%$
:"#Q6.kVG'
7! P6.mVG0
()c/%$
()–2%$
)*&962$#
7#"9$ 9%
 *&740"!
*)c/"!
*)c/#"
, '851$!
 *&851-*&
 *&740,)%
 *&63/,)%
,*)740,)%
'(&740)&"
!9 #:!$; #8
"4 !4 !6
#4 !4 !6
#4 !5"!8!!8!!7 8"":!$9 #8
\.eF*5
32.ZYU
'&"&%! "
 *&-,(,*)
('#41-41,-,(
'%$96263.63.30 
&%!52-30 , '
'%$74030 63.
&%!41,30 , '
)'&1.*63/30,%"
0-(2/*, '!
)($1.*63/41-*'##!
 *&, '(%!
('#1.*63/52-1.*20/
(("1.*63/63.:73
*)A,63.>;7>=9
32.ba]utp=:6
(&v2UTP[ZV,('
;84;:6$#
 *&, '#"
*'#. '41,52->;6740
21-660$$
 ($30,52-52-74/30 
0/ 33-$$
'&", '($#
'&"-,(33-63.63.52-0-(
/.*33-44.
'&"//)44.74/85041,/,'
'&"52-52-85174011 /,'
-,(43//.*
-,(32.-,(
-,(43/.-)
-,(43/*)%
-,(32.*)%
-,(43/ *&
-,(540*)%
-,(651*)%
-,(762)($
-,(540)($
-,(43/('#
-,(32.('#
.-)43/('#
-,(540('#
.-)540('#
-,(651('#
*)e1('#
*)C/('#
*)2.('#
,)e1('#
,)v2('#
,)t0&%!
,)C/%$
 ($43/%$
*)C/%$
*)R.%$
*)…1%$
*)–2$#
*)t0"!
*)C/"!
 *&43/"!
*)D."!
*)D.""
)($44."!
 *&32."!
 *&762#"
@)À,'
@)ó.(
A*ó-(
. 0 !/!!.!!/!!. !. !- -
. / !/!!/! / !0"!0!!0"!0""2#"2$#3$"3$#4$#5&$6&$4%$4$#3##0#!/"!.
2!!2!!3!!2! 2!!2!!4 !2 2 2 3!!2 2 0
mO2rR)uS%zX*wS%uR&
[= tR.tP*_?
\.eF*7
 *&/,(1.*/,(
.-)1.)//)-,(
('#41-52.41-/,(
, '2/*63.
'&"52-41,22,-,(
'&"2/*2/*#"
o1/.vuq
&%!41,52-33-, '
)($0-)41,%$
0-(52-30,, '
)($1.*52-'&"('#
/,'2/ -,(&$#
('#1.*41,)($
 *&.-)'%$
('#1.*2/*, '
*)0,1.)
, '21-10,
0/ - *$"!
'&"/.*/.*
'&"21-*)%"
32.ba]usr=98
984984$#
*)%, '#"
('#-,(41,52->;663/
21-651$#
"#!)($30 52-52-74/41,
0.-52.&#
'&".-)&%!
('#/,'52-63.63.53 0-(
/-,52.63/
)&"1.)63.74/85041,/,'
)&"41,63.85074/41,0-(
)($52.pmiONJVUQGD@1.*
- *740:95
- *52. *&
., 32.*)%
- *32.*)%
 ,*32.*)%
- *63/ *&
- *52.*)%
-,(63/*)%
.-)962*)%
-,(850('#
-,(63.('#
-,(63/)($
-,(63/('#
-,(74/('#
, '850('#
*)c.('#
*)c.)($
*)…0('#
*)–1'&"
)($740%$
*('63/%$
 )(962%$
 )(962#"
*('63/"!
D-%S@6,
 )(740"!
E*#E %F,'G-(E %F $A( ?&
"6 !7!"7! 4
^@&qQ.sR ]=
bA {Z)~\.bE-3
`.iI'9
p:\
  %/,'1.*0-)
.-)1.*1.*-,(
('#41,52-41-/,(
&%!41,41,21-/,(
'&"2/ 2/*"!
&%!41,52-41-. '
)($1.*30,&%!
0-)52-30,. '
'(&1.*52.'&"('#
-,(1.*/,(&$#
&'#1.*41-)($
,)%.-)'%$
('#1.*2/ , '
*)%2/*1.)
, '30 30 
0/ , '$#
)&"1.*1.*
'%$32.*)% !
~}ylkgVUQED@<;765154032.32.43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/54043/43/43/43/54043/43/43/43/43/43/43/43/32.43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/651984BA=RPOged}|x
http://aq.qq.com/cn2/unionverify/pc/pc_uv_sms_query
http://aq.qq.com/cn2/unionverify/pc/pc_uv_verify
?Action=Bind&Type=°ó¶¨Ãܱ£ÊÖ»ú&User=
88888888888
http://aq.qq.com/cn2/manage/mobile/query_same_mobile_ajax
http://aq.qq.com/cn2/manage/mobile/query_bind_uins_ajax
http://aq.qq.com/cn2/manage/mobile/query_station_ajax
http://aq.qq.com/cn2/manage/mobile/active_sms_ajax?flow_type=change&mobile_number=
http://aq.qq.com/cn2/manage/mobile/verify_mobile_ajax
{result:-1}
http://aq.qq.com/cn2/manage/mobile/change_mobile
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=modifymobile&PTime=0.01982586313531
\TCLS\ui\DNFClient.swf
V6{c%S~
s %d. (0x%Xh)7
ProcessHeap?H.l
.text
`.rd9a
KERNEL32.DLL
ATL.DLL
MSVCRT.dll
OLEAUT32.dll
USER32.dll
CreateActiveX.dll
VBScript.RegExp
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
%System%\Macromed\Flash\Flash10q.ocx
%System%\Macromed\Flash\Flash10s.ocx
{D27CDB6E-AE6D-11CF-96B8-444553540000}
ProfilePort
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
H2~F0}E/|C0{B/zE.zE.}E/~F0|D.xC,t? s> s> q? q?*q?*r=)s>*r@ r@ t? wA.wA-v@-t>.t?,s>*t?,s=-t=-s> q?*q?*xB.
G1zE.vE-p@,p@,o? o?*n>)q?*sA-p@,o? r@,[email protected]@-sA-sA-q?*q? p=,o< p>*n>*n>*xB.
G1yE.rB.qA-p@,p@ qA-sA-r@,n>*o? r?.u?/uC/uC/vD0tB-qA,o? m>-o>-p@,m? m>-yD1
WCl?-m? n@,[email protected]@.n?.mA,n?.n?.n?.n?.o@/qB1qB1q@/p?.q@/r@1qA2o@/m>-p?.mB0~D.
J6{F2rB.n?.qA-sC/uE1tC2sB1rA0n?.q@/s?0tD0uE1tF2sE1qC/n?.m>-m>-m? l?-l>.xF2
[Gi>,[email protected][email protected]/nA/nA/o@/[email protected]/qB1sC4tB3qA2o?0p@1qA2rB3pA0rA0jC3
gSwG3vF2uD3qB1oC.lA/k?/zH4
R;yG2mB0i?/l>.qD2pC1lA/j?-lA/qD2~L8
R
N;~N:sE1oC.qD2vJ5uG3uF5sD3uF5vH4{K7
F0&J0&F/'A,$F0&G0%G0%D/'F0&G1&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&G0&G0&G0&G0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&2
E0(G0&F0&A-#G1'G0&F/%F/'F/'F0&G0&G0&G0&F0&F0&F0&G0&G0&G0&G0&G0&G0&G0&G0&F0&F0ð&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&G0&G0&F0&F0&G0&F0&G1'F0&F0&F0&F0&G1'F0&F0&F0&F0&F0&G0&G0&G0&F/'E0(F0&G0&F0&F0&F0&G0&G0&F0&F0&G1'H1'G1'G1'G1'H1&H1'H1'G1'G1'G1'F0&H1'G0&F0&F0&F0&G0&G0&G0&E0(-
@* >* @* @)
A* A !B,"B,"C-#B,"? !? !@,"C-#E.#E.$E/%C-#B,"A !@* A* A* @* >* @* H1'H0(D/'.
@* B !D-"C-"G0%F/%E.$D.#B,!C-"C,$H/"I/%H1&F/$D.#B,"B !B !A !A !B,"A* I2(G1'D/'.
? !B !B,"@,"A-#C,$C-#D-#D-#C-#C-#C-#E/ð&E/ð&D-#G-$F/ð&D.$B,"A*
C,"H.%F/%H1&G0%E.$F/%H1&H2$J3(J0'K0#L1$T8.hNDK1'H1&H1&E.$D.$C-#C-#D-#H1'F0&D0&,
=( C #C #D-#E/%D.$B,"B,"D.$G0%N4*T8.R7*T6,jLB
?*"C,"A !?*"?*"C*%C-#D.$E.&E.&E/%E/%F/$M3)Q6)Q5 R6,L2)F/%G0%J3(H1&C,"8%
?( @)!A*"@)!E/%D.$C-#@,"D-%F/%M3)U8 U:-T8.W9/X:0Y
?*"A !B,"?*"?)$A)$@ #C,$D-%C,$E/%G0&G0&O5 V:0T8.R6,O5 I2'E.#G0&J0'C-#9& 0
@,"@ #>)!?*"B #E/%D.$C-#B,"B,"D.$M3*Q5 V;.S7-Q5 S7-S7-S7-K1'G-$E-%D-%C,$D-%H1'F0&C.& 
@,"D0&>* =( B #E/%E.#F/$D.$C-#F/%H1'L1*W
? !G1'G1'B #C-#I2'J0&J0&H1&J3(L2(K1(I.'T8)Y
C/%C/%;-$"
;) ;("='"?)
@,!E/$F/%C.&*
C/%C/$9 "
;) ;) ;*
=( ='";) 9) =)
A*"F.&L2)T:0R9,K1(G/'F0&C/%@,"@ #B-%C-(G0&I2(R;1H1&I2'H1&J3)D-#L6,>* ;*
;) ;) ?)
=( =( @)
? !D.$H.%G-#G.!H.$F/%E.$D-"D-"C,"B*"C #D-#E.$D-#F/%D-"M3)L2(M3*G-$B !?)
F/%F.&8)#
>* >)!>'
=( ;) ;) :)
=,!<  ? !>* ;*
B  C,!B,!A  A  A  C-#F/%F/%H.$I0#E/!B,!A  B,"B,!B,!B,!?  @*
C,"C,"B,"? !?  A  E.#F/%C.&)
>* >* @)
7& 9) :*!= "?-$>,#?-$>,#= "; "; "; "= "= "= "= "?*":*!:*!:*!;) = "= "<*!>,#?-$>,#= "@ #E/ð&D/'*
D.zE.|C0
M9t?,t> s> p>*q? t> q?*s>*s> t? r@ r@ t?,r=*q? r@,s>*s>*q?*o?*q? s> r@ t? u@,vA-wB.yC/
H2|C0xB.sA-r@,s=-q>-q? q?*r=)s> r@,r@ r@ vA-wA-v@-t>.t?,s>*t?,s=-t=-s> q?*q?*xB.
P*q? q? o>-o? q? o? q? q? o? p@,sA-r@,r@,o? p@,sA-r=*q? o? p@,p@,p@,vA.wA-zD0~E2
G4zD0wB.r@,p?.o>-o? n>*q? sA-r@,o? r@,vA.vA.u@-sA-sA-q?*q? p=,o< p>*n>*n>*xB.
H2zD0tB.qA-p@,p@,qA-sA-r@,p>*o? p?.s@/uC/uC/vD0tB-qA,o? m>-o>-p@,m? m>-yD1
WCl?-m? n@,[email protected]@.n?.mA,[email protected]@/qB1sB1q@/n?.o@/p@1qA2o@/m>-p?.qB1|C0
J3~E2qB1o@/qA-sB1sD3tC2sC/rB.n?.o@/q@/tD0uE1tF2sE1qC/n?.m>-m>-m? l?-l>.xF2
[Gi>,[email protected][email protected]/nA/nA/nA/[email protected]@.nA/pC1sC4qA2rB3o?0oA1pB2rB3pA0rA0rE3}G3
L6tF6l@1n?.qB1nA/j>.m?/nA/rD0{K7
K5rE3l@0m>-rC2nC1j@0j>.lA/qE0~L8
E0(G0&F0&A-#G1'G0&F/%F/'F/'F0&G0&G0&G0&F0&F0&F0&G0&G0&H1'G0&G0&G0&G0&G0&F0&F0&F0ð&F0&G0&G0&F0&F0&F0&G0%G0%G0&F0&F0&F0&F0&E/$F/'G1'F0&F0&F0&F0&G1'F0ðð%G0&G0&G0&G0&F0ð%F/'F0&F0&F0&G0&H1'G0&G0&G0&G0&H1'H1'G1'G1'G1'G1'H1'H1'G1'G1'G1'F0&H1'G0&F0&F0&F0&G0&G0&G0&E0(-
@* @* @,"B,"C-#B,"A !? !B,"C-#E.#E.$E/%C-#B,"A !@* A* A* @* >* @* H1'H0(D/'.
B  D-"D-"G0%F/%E.$E.$C,!D-"C-#H/"I/%H1&F/$D.#B,"B !B !A !A !B,"A* I2(G1'D/'.
? !B !B,"@,"A-#C,$C-#C-#C-#C-#C-#C-#E/ð&E/%E/%D-#G-$F/%G0&D.$B,"@)
A !F/%F/%H1&G0%E.$F/%H1'J0&L2(J0'K0#L1$T8.hNDK1'H1&H1&E.$D.$C-#C-#D-#H1'F0&D0&,
?*"C,"A !?*"?*"C*%C-#D.$E/%E/%E/%E/%F/%M3)Q5 Q5 Q5 L2)F/%G0&J3)H1'C-"8'
@)!A)$C.&D.$C-#@,"B-%E/%O3)U7-U:-T8.W9/X:0Y
?*"A !B,"?*"?)$A)$@,"C,$D-%D-#E/%G0&G0&O5 W;1T8.R6,O5 I2'F/%G0&J3)E.#:(
>)!@*%C.&D.$C-#@,"@ #D.$M3)S5 V;.S7-Q5 S7-S7-S7-K1'G-$E-%D-%C,$D-%H1'F0&C.& 
=( @ #E/%E.#F/%D.$C-#F/$J0'L2)W
B,"A !C-#I2'L0&J0&H1'J3(L2(K1(I/&T8)Y
B  C,!F/%F.&E.$D-"C-"C,"B !C,"C-#E.$D-#F/%D-"M3)L2(M3*G-$B !?)
=,!>-"?*"@* E.#F0%C/%B.$@,"@,"=,!? !>)!<  >* D/'G0(D.$>* ;*
9) :*!>-">,#>,#; "; "= "?*"?*"= "= "= ":*!:*!:*!;) = "= "<*!>,#?-$>,#= "@ #E/ð&D/'*
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%?)
Y>1^?.[?0U;1@* A !@* ?  ? !A !F/%F/%A !B  C,!E.#D-"C,!C,!E !D-"C,!A  @*
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%? !C,!Z>/]>-Z=0:#
W>1\?.\@1W@5C-#C-#C-#A-#A-#F/%F/%F/%F/%D.$E.$F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%A-#E.#Z>/\>0Z=0<"
X=0^?.\@1\E:F/%F/%G0&F0%
G1&F/%F/%F/%
F/%F/%F/%F/%F/%F/%
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%
F/%F/%
F/%F/%F/%F/%
F/%F/%F/%F/%E/%H1&Y?0[?0X=0<"
F/%F/%F/%F/%F/%F/%F/%F/%
F/%F/%F/%F/%F/%
F/%F/%F/%
F/%F/%F/%J3(L2(Y?0[?0X=0:#
F/%F/%F/%K4)L3&[?0\>0Y>1:#
F/%F/%F/%L5*O6)\>0]?1Y=3:#
Y>1`?.aA3~aTN4 L5 F/%F/%F/%
F/%F/%F/%F/%F/%F/%F/%
F/%F/%F/%M6 R7*[?0\=1Z>4:#
h\P4*N4 F/%F/%F/%F/%
F/%F/%F/%P6,T9,[?0Z=0Y>1<"
F/%F/%F/%O5 S8 [?0\>0Y>1:#
}oQ6)N4*F/%F/%
F/%F/%F/%F/%F/%P6,Q8 \>0^?.Z?2:#
vR7*O5 F/%F/%F/%
F/%F/%F/%F/%F/%P6,S7-Z>/\@1W>1:#
Q6)N7-F/%F/%
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%
F/%F/%F/%F/%F/%N7,Q7-Y>1\@1Y>1<"
Q6)M6,F/%F/%F/%F/%F/%
F/%F/%F/%F/%F/%M6,P6,Y>1\@1Y>1<"
F/%F/%F/%F/%F/%O5,Q5 \=1\?2Y=39"
F/%F/%F/%S5 P4 N4 S5 ]>2]?1X>48#
N2(G3)H2(I2'I2'H2'J3)I3)H2(H1&F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%O5 L5 K4*O5 ]>2^@2Y=38$
M1'F2(E1'I2'H1&F0&H0(G0(G1'G1'F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%L5*N4*L5 H2(J3(^B3_A3[@3:$
F/%F/%F/%F/%F/%F/%F/%F/%F/%B(
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%I0#I/%N2(Q4'O4'K2%L1$^B3`C2\A4:#
Y:)]9)[:)X8*Y9 [8,Y:)Y9 \:,Y8,Y8,Y8,Y8,Y8,Y8,Y8,[8,Y8,Y8,Y9 `A0fE4cD3aB1_?1_?1^>0Z8*X6(W5'W7)S7(R6'R4&T4&\:,V5)W8,_; ^<.^;/\9-Z7 V6(U4(U5'V6(V7 ]>2Y;-X9(X7%W5'F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%Y9 Y:)Y:)Z8*]:.b@2`>0\<.U5'^=,cD3]B5:#
14:50:59
)*Í?
8:29;3#% $$!* &,-(#$
()$/.)44,55->>6761
23.680$&
#% )*3 55-55-77/32-
01,66.#%
'(#,-(&'"
''$-.)55-55,66-55-./*
/0 55-66. !
)'$10 66.77.88/44,,,)
)'$43.66.88077/43.--*
.0 23.GGD
,.)35-/0 
,.)35--.)
,/'35--/'
,/'35,-/'
,/'46--/'
-/'66-//'
-/'66.//'
-/'66./.)
-/'66--.)
-/'66-/.)
,/'66./.)
-.)66./.)
--*982/-*
0 #6,";2&=3)90$3,
6):@.KG1RE2RG4TG4TF3SG4TI4R
7*;C.LI2UE2RF3SF3SF3SI3TG4T
8 9D.HL3PJ3PL3PK2OK1LJ1JI0H
6)6B BG.GI.FF.CH/GG.FI0HK0H
5(6?)CF/LG1KH1IF/GI.GI.GI0H
5(6@*DI0MI2JJ3KI0II.GM0IH0E
6&5A*BH.IG.GH/GJ/HH-FL/HH0E
6&5@'@F-FE,DF-EI.GI.GJ/HH/G
6&5@)AF,GF-FG.GG-HH.II/JH/H
4'8>)FF/MG.KH/LH/LH/LH/LI0M
5(9@ HG0NI0MI0MG.KH/LH0JH/L
5(6?)CG.KG.KG.KH/LI0MH1NI0N
6):?-JF.SE.QD-PG/PG/PG0NF/M
7'=A*MF.UC/QG/PH.OI.QF.OE0N
5':?(KE-RD-PF.OG-NF-PF.OD/M
3%8='HE,OF.OH.OG/PG.QG0SG/P
5':>)GF-PF.OF.OF-PF-PG.QE/P
6(;?)JH/RG.QE/PE.QG.QH/RG1R
3&<=)KD,SE.QE.QF,QF,QH,QB-Q
3&<=)KE-RF/RG-RF,SF,SF.SE-R
2&9<)ID,QD,QG-RE-TE-TF.SF.S
2&9<)IE-RE-RE-RE-TF.UF.SF.S
4'==)KE-TE-RF.SD/UF.UH.UF.U
%D;Cqfr
2%;<(LE,UE-TE-TE-TD,SH.UF.U
2%;<(LB,WC-UE-TG-TE-TC.TE-T
4%;=(LC-UC-UE-TG-TE-TC.TE-T
2'?;(PB,WB.TB-UB,WC,WC-UC.T
1&>;(PD.YC.VA,TA VC,WB,TB-Q
Ã?r`m)
90z6.tB7
;3u6.lC9~C8
B/v> qB.uH.
P9}E.pH3tXD
H.yK/y[>
!3~#5~)9
iXp[FZXAUO>PL=OH6ND0K?-FE.KZ7^}N~uTukRjaHbgQrcQy\R
KDrJ8KQ:ET9MR8PJ6PC3M?.J?-I?-HB.IJ5NV0Tx#s
T*[email protected]?.B:*>9*=:)>;)?;*@=-BG6KE5ORHhZStZRvRJoQGm_TydWzdSyhTzjW|hW{cV{XOxMFsIHyW[
P*[email protected]/EB/E>-B;*?9)=8'=9'>9(>E4I\K`bQl_Sv]Sz\QyWLtK?f\OtaRtdQuiTvjUvjXyhZ{\SvQJqIEqIJ{Wb
_/_D4GC4F?1E<,D='D;Ä";,
 *"5,%9,%9,$9'
- #8,%9*"7'
(( 4,$9*"7)"7 "9'
&6-.UNKmgh0
-&!3("4' 4' 5%
,% 2'"4(!5(!5'
0:{);}%;
0(!4)"5)"6)!7)
/'!4)"6(!6(!7*!9)
&D(5Z ?n.Dx/H
/)"6(!6%
1*"7)!7$
2)"7( 6$
,( 1$!4&!4'!5* 7  7 
A..UGW
9'#;'"7"
1*(2*'3'!3'
4( 4(!4("4(!3$
.KwHh
8)'1)&2(#4'!4'!4'!4'!4(!4(!3& 2#
2& 2' 2' 2&
.)#5>8J?9KLGYOL^QWjU^tRZ{MT{9;g#%S
1' 2' 2%
.( 2(!2&
/) 2)!2&
/' 0(!1( 3%
;&$ '%,$! 
/' 0(!1)!4&
&$#)&% '%.& /&
0' 0' 0' 0(!0'!1'"2#
,! '$")'$.)#1(!/(!/(!0(!0'!0' 0& 0&!1#
8-!3)!-( ,(!,)"-(#.&".#
*'  (",&"-#
*(",'"-$ -# ,#!-'%4D<
!7&#-*%& %$)' &% !!'
02&-4*/-*3"#.
$,"0,"1#
"M&4`4Bh8Hm.Bp7P
$(" ,#1(
!'! *#2& 0#
&%"-*$/*$3 %5(#2$
#$"/(#1*"2,%4(#3#
,"!.$!/(!0%
(! /!!5"!5("0)!/'
.! 4" 4& .%
.,"/) )%
0 "/)",*",(
/&!.)!.."2.
.*!.)!2)!3*
OA.ENIWGCRNJ\]Xma\tZWqRRrEIl'3X
-)!.(!2'
%( *)!-( .&
o>%D@:HEDUVXnTXxJOsHMqMSuNVnLVmCQl2Cc#:f;W
( "..%3.4 :2):%
$-$$-)!- 
/ !1.&5'#.!
$0%#- !/-
/. 1/"2%
.CY(:PHXzANw4At*6n
 )!,*$-& *%
*)". %.&!)%
)("-*$,& ('
*'!,'"*%
 ' .' -$
(!% !,) ,' -%
!2#"-.'.0%.- /)
% &-',-&  ! )
1% /'"/'"/'"/'"/'"/("/)"/(!-$
*(!-*!-'
1% .'".'".'".'".'".(".)!-(!-%
5(!0)"-)"-)"-)"-)"-*"-*!,*!,,#/,#/ ". "/,#0*!-)
,)"-)"-)"-)"-)"-*"-*!,(
 ) ,*!.) -(
 ) ,1'59,?-
*,", ", ", ", "- "- "-,#/*!.) -&
)-&1-#-,"  "  "  ", "- "-)  &
,$* "* #*/&-1&/3%/6&26#23!27%9>.AA5C:0:7/90(370<93A4/=A=LLHX- <0.AKJ]HI]QRghh~aaw\]q]_q]as\auEPh'5S"7d/G~?_
>.BfXjbVh_Vk]VmXUmVUnSRlRQlRRmIJc7@T8CTT^k`iuR\jDQb
.Cx(9i6JsI]
.Ky*Kv(Iv,K}.K
D%0W%Dv(N
.FBSnH]
9Jj.Bh-Am*@x%;w
Hj.LwHa
%D~7Q
#Cb.JoMg
%U*DkRo
*Gd%DnNo
*U.IzNk
(@q%Co=^
@7nN%s
23.jjg ,)
-B}AU
r%X^'LI'O?(N< K;.J?2NB5QD7SC6R?/N?-NA-PC-RC-RD.SD.SC,QF)RI(SN(US(VX'W^%[j#b~ t
.AvHP
%F~$Bu
':p%9k(=r.Bx9H
#,:%Dr
4[.Ls8]
/!-T<
@A>01.YYV{{xaa^
=T{.Cl
---666350./,((%''$00-&&#
 U.Do?]
)*'%&#/3/12/---/0 22////,,,***%&#&'$12/,,)""
350&'$.. -. 
)*'* ($$!#$!()&
%C=TwVp
"W'*?54045035-65064166.65065054/66.66.54/54/55-66.65053054/66.55-54/66.54/54/65066.66.65065056.66.55064165066.66.65055-65065065066.66.65065066.66.65064165066.66.65055.65065065066.66.65065066.66.65053054/66.66.65066.54/65054/66.55-54/65066.66.65064165066.66.65066.65054/65066.66.65065055-66.65064165066.66.54/66.65065065066.55-65065066.66.65064165066.66.54/66.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65046.65084065046.66.65065046.46.65065045046.46.65046.65065065046.46.65065046.46.65064165046.46.76166.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65046.65065066.46.54/42/31.
"# '&&))&**'##
000 ,)#$!
-/'32-53065066.44,32-/-*
0/*32-31./.)* &"#
$ * (***
! '&&%&#
32-55-65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.221-3AESmR`}(-H));42565066.66.65066.43.48?Ha}Wz
#$!.. 20-20-  (
* &44155255244122//..!%!
HWTMOIUTOUTOTTLVTMVTMTQITNJXPMSGJFCWFg
((Ï>_`[yzu
%CnHn
))*001#&&
01.EEBJJGMNIOOLFFC&&#
"Dl&Cd
O4>j:BjPWs
(H=Po?Xw.Hk<[
HHE01.YZW
9`.Jo&Fi0Sx0V
.BeRa~u
.Bz)ArLf
 TŒ#5d'7j7I|8M~Xp
,W&=j.Fs4N{.Lu1RyPp
4M|.JtKm
\n|8Gc 9[3Bj8Ht.Cq2Jz9U
*
.Ns(Km(Lm-Op)Gh#:[&<[(B]*Fa$@c
(Ez%Cw/O
6^v.Xp6`xKt
J.hDDjJU
%D|#Bw$Bu'Cs
.GnKb~
0z#2y*:w%9s
%D~$F
\%uD;lF\
 Ax.EyE^
I%x2Gu'@t1M
T>}1El$
;n.Hy\&v
.comment {color:green}
, #&')*)
-0-(0%()(
.rzz{V
ÿRT
Cjm.eb
(7),01444
'9=82<.342
%.dn.
-o.SRx-
PQIE%d
.Xmw[p
OSQ%c|
Qf.xwB
-BK}B
:!.erK
m:\JcH
%flr==G^
.BRC&
w=.ek
o.gQ<
wz|.DFM
Pm.Ac
.ml@fBT
F%D,3
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
www.dywt.com.cn
USER32.DLL
(*.htm;*.html)|*.htm;*.html
its:%s::%s
Y%d
X%d
Height%d
Width%d
RECT(%d, %d)-(%d, %d)
Styles0xX
Control ID%d
Handle0xX
%s
burlywood
\winhlp32.exe
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
client.exe
c.exe
66.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MZRTdKAQ.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
GetWindowsDirectoryA
WinExec
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
`.rdata
@.data
.rsrc
.Quip
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
oledlg.dll
SHELL32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)

MZRTdKAQ.exe_1732_rwx_00401000_008BD000:


t$(SSh
~%UVW
u$SShe
advapi32.dll
kernel32.dll
wininet.dll
user32.dll
ole32.dll
atl.dll
OLEACC.DLL
gdi32.dll
MsgWaitForMultipleObjects
GetProcessHeap
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegDeleteKeyA
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
http://dnf.qq.com/act/a20110523safe/?ADTAG=ied.client.btn.safe
http://dnf.gamebbs.qq.com/forum.php?ADTAG=ied.client.btn.bbs
127.0.0.1
http://117.27.251.199:8082/xia/123.txt
http://
/hmsx.txt
/x666.txt
https://
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
HTTP/1.1
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
http://crm2.qq.com/page/portalpage/wpa.php?uin=40012345&f=1&ty=1&ap=000011:400994:|m:11|f:Gdnf2
http://check.ptlogin2.qq.com/check?uin=
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http://captcha.qq.com/getimage?uin=http://tenxunnimabi/sema&aid=21000127&0.8854733550862719
Client.exe
&Pass=
&s_url=http://dnf.qq.com/act/a20090219dltb/&f_url=&ptlang=2052&ptredirect=101&aid=21000127&daid=8&j_later=0&low_login_hour=0®master=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0
&service=login&nodirect=0&ptsig=
http://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=bind_qqtoken_revry&PTime=0.2534901067286
https://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=8
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=verifyque_risk&PTime=0.04489820876613
https://aq.qq.com/cn2/manage/question/set_question_sel?mb_flow_type=dna&PcacheTime=1394608667
&aid=21000127&u1=http://dnf.qq.com/act/a20090219dltb/&h=1&ptredirect=1&ptlang=2052&daid=8&from_ui=1&dumy=&low_login_enable=0®master=&fp=loginerroralert&action=16-116-1389436820937&mibao_css=&t=2&g=1&js_ver=10063&js_type=1&login_sig=knHhTNFwQthq*GSFdpsyF6EaS8*jMteBFqJBsJiCmMR8bkYQuLD6LJlF-7k4h0Qx&pt_rsa=0
http://ptlogin2.qq.com/login?u=
http://ui.ptlogin2.qq.com/cgi-bin/mibao_vry
http://aq.qq.com/cn/services/abnormal/abnormal_index
&s_url
var hexcase=1;var b64pad="";var chrsz=8;var mode=32;function md5(A){return hex_md5(A)}function hex_md5(A){return binl2hex(core_md5(str2binl(A),A.length*chrsz))}function str_md5(A){return binl2str(core_md5(str2binl(A),A.length*chrsz))}function hex_hmac_md5(A,B){return binl2hex(core_hmac_md5(A,B))}function b64_hmac_md5(A,B){return binl2b64(core_hmac_md5(A,B))}function str_hmac_md5(A,B){return binl2str(core_hmac_md5(A,B))}function core_md5(K,F){K[F>>5]|=128<<((F)2);K[(((F 64)>>>9)<<4) 14]=F;var J=1732584193;var I=-271733879;var H=-1732584194;var G=271733878;for(var C=0;C16){E=core_md5(E,C.length*chrsz)}var A=Array(16),D=Array(16);for(var B=0;B<16;B  ){A[B]=E[B]^909522486;D[B]=E[B]^1549556828}var G=core_md5(A.concat(str2binl(F)),512 F.length*chrsz);return core_md5(D.concat(G),512 128)}function safe_add(A,D){var C=(A&65535) (D&65535);var B=(A>>16) (D>>16) (C>>16);return(B<<16)|(C&65535)}function bit_rol(A,B){return(A<>>(32-B))}function str2binl(D){var C=Array();var A=(1<>5]|=(D.charCodeAt(B/chrsz)&A)<<(B2)}return C}function binl2str(C){var D="";var A=(1<>5]>>>(B2))&A)}return D}function binl2hex(C){var B=hexcase?"0123456789ABCDEF":"0123456789abcdef";var D="";for(var A=0;A>2]>>((A%4)*8 4))&15) B.charAt((C[A>>2]>>((A%4)*8))&15)}return D}function binl2b64(D){var C="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /";var F="";for(var B=0;B>2]>>8*(B%4))&255)<<16)|(((D[B 1>>2]>>8*((B 1)%4))&255)<<8)|((D[B 2>>2]>>8*((B 2)%4))&255);for(var A=0;A<4;A  ){if(B*8 A*6>D.length*32){F =b64pad}else{F =C.charAt((E>>6*(3-A))&63)}}}return F}function hexchar2bin(str){var arr=[];for(var i=0;i
GetPassword
http://aq.qq.com/cn2/index
WinHttp.WinHttpRequest.5.1
MSXML2.ServerXMLHTTP.6.0
MSXML2.ServerXMLHTTP.5.0
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
&keyindex=9&pt_aid=21000127&daid=8&u1=http://dnf.qq.com/act/a20090219dltb/&ptopt=1
&clientkey=
http://ptlogin2.qq.com/jump?clientuin=
&Index=³¬¼¶ÁîÅÆģʽ
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=modifymobile&PTime=0.2534901067286
http://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=2
http://aq.qq.com/cn2/unionverify/pc/pc_uv_send_sms
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=dnasetmobile&PTime=3660091457787
http://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=0&jumpname=&ptcss=¶m=u1%3Dhttp%253A%252F%252Fwww.qq.com%252Fqq2012%252FloginSuccess.htm&css=&mibao_css=&low_login=0
javascript:for(var C=0;C
http://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=dnf&area=
msg:'ok'
https://aq.qq.com/cn2/unionverify/pc/pc_uv_dtmsg_query
https://aq.qq.com/cn2/unionverify/pc/pc_uv_verify
window.location.href='(.*)';
dxfpz.ini
?Action=Bind&Type=°ó¶¨QQÁîÅÆ&User=
888888888888
https://aq.qq.com/cn2/manage/question/set_question_sel?mb_flow_type=dna&PcacheTime=139509
http://aq.qq.com/cn2/manage/qqtoken/bind_qqtoken?tlbox_src_id=0
QQ.exe
application/x-www-form-urlencoded
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; QQDownload 663; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727)
DNF.exe
TASLogin.exe
http://dnf.qq.com/comm-htdocs/pay/new_index.htm?t=dnf&ADTAG=IED.GameClient.button.pay
\TCLS\config\LoginQ.dat
\DNF.exe
LastLogin=
LastLogin=(\d*)
23.ac[wvq:;6
9& 9& ;&
<<4=<754/#$
'(#--3 63 ?<466.
:'!<&!<&!:(
9& 9& 8%
4" 5#!5$
5#!5#!3$
8% 6% 6% 7$
9& 8'!9& <&!<&!9& :(
<&!<&!<&!=( =( =( >'
:'!:'!<&!<&!:(
:'!:'!9& 9& 8%
8% 8% 7& :'!<&!='"9& :'!<&!<&!<'
?'"=( =( >'
33 99154/## !"
**"22*44,44,66-11)
00(44,34/#$
'(#..&63 65055-44,/.)
..&33 44,34/
&( 00(74,46.77/51-.-(
W>1\?.\@1W@5C-#C-#C-#A-#A-#C-#D.$D.$B,"D.$E.$F/%G0&E.$E.$E.$F/%F/%E.$C,$C,$C-#= ">'
=( A !D,$E-%E-%E/%E.&E/%C-#C-#E.$G0&H1&I2(I2(G0&E/%@ #C-#C-#C-#A-#A-#E.#Z>/\>0Z=0<"
W>1\?.\@1W@5C-#C-#C-#A-#A-#C-#D-%D.$B,"D.$E.$F/%G0&E.$E-%E-%F.&F.&E-%C,$C,$B #? !?)
,-(13 44,
(( 33 74-57.66.51-.,)
X=0^?.\@1\E:F/%F/%G0&F0%H2'G0&H1'G0%G0%G0%G1&I2'L2(K1(I2(H1'H1'K1(K1(I2(F/'D-%A,$A)!;$
@* E.#H1'H1'K1(L5*K4*I2(I2(H1'J0'K1(J3(N4*O5 N4*I3(G1'F/%F/%F/%E/%E/%H1&Y?0[?0X=0<"
X=0^?.\@1\E:F/%F/%G0&F0%H2'G0&H1'G0&G0&G0%G1&I2'L2)K1(I2(H1'H1'K1(K1(H1'F/'D-%@,"?)
=( D-%G0&J0'K1(L5 K4*K1(I2(H1'H1'K1(J3(N4*O5 N4*I3(G1'F/%F/%F/%E/%E/%H1&Y?0[?0X=0<"
Y>1`?.aA3~aTN4 L5 N4 N4*N4*N4 N4*N4*P6,R8.U9/V:0Y;2aB6gG9gF5bD6_A7Y=3V:0W;1Y;1Q7-F/$7%
Y>1`?.aA3~aTN4 L5 N4 N4*N4*N4 N4*N4*P6,R8.U9/V:1Y;2aA8gG9gE7bC7_A7X<2V:0X<2Y;1S9/L0&?(
,.‰400-
W>1`?.dC2
 .4/00-
W>1`?.gC3
..&34///,
W>1`?.gC2
..&34/.. 
..&34/,,)
W=3`?.jF5
..&650,,)
..&761,,)
X?2c?.pG5
..&983  (
..&54/))&
..&54/ )&
0-&54/ )&
..&43.))&
..&650))&
..&761))&
..&872))&
..&650''$
..&54/&&#
..&54/''$
..&650&&#
//'650''$
,,$761''$
**"54/''$
  #54/''$
  #54/((%
  #43.''$
  #650''$
  #872''$
  #761$$!
  #43.##
  #54/$$!
,,$761$$!
,,$872##
  #650!!
  #54/!!
[<%uXA:$
 -g2!!
[<%sXA:$
4$"4% 1&
3%"4$"1$#
3%"3%"1$#
1%"4$"1%"
1$#4##-&"
/%"4$"1%"
3%"6$"1%"
/%"3%"1%"
1%"3%"/%"
1$#4$"1%"
3$#4$"1$#
1%"6$"1%"
/%"3%"4$"
1%"4$"3$#
3%"3%"-&"
/%"4$"3%"
4$"4$"1$#
1$#6##-&"
1%"4$"3%"
6% 6% 3& !
4$"8$"4##
8% 6$"3$#
4$"8$"4$"
3%":#"/%"
3%"8$"4$"
6$"8$"3%"
4$"8$"3%"
3$#8$"4$"
3%":#"4$"
1%"6$":#"
4% 8$"4##
3$#8$"4%
6$"8$"1%"
3%":#"6$"
4$"<#"/%"
4$"6$"3%"
3%"6$"4$"
1%"4$"-&"
0$"3%"
/%"1%".&$
0%"1%"
1%"3%"0&#
0%$4$"3%"
/%"1%".'#
-&"3%"/%"
1%"4$"/%"
.&$1$#4$"
/& 3%"0%$
.&$1%"/&
3$#3$#0%$
0%$4##3$#
3& 1%".&$
/%"3%"/%"
1%"6$"-&"
2%$3%"/%"
/$#4##3%"
1%"3$#1$#
4% 3%"/$#
(*"34/**'
(*"34/))&
(*"450))&
(*"23.((%
(*"561))&
(*"561%%"
S8%U;)E0#3$
R7%U;)E/#3$
S8%U;)E/#4$
S8%U;)E0#4$
G1Î3X;&>'
R7%U;)E/#5#
S8%U;*E/$4#
-(".'".&".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'".'"/(#3)%/$!
R7%U;)E0$5$
S8%U;)E.#4$
S7%U9*E/$4$
S8%U;*E.#4#
S7%U;*E/$4$
S8%U;)E.#5$
S8%U;)E/"4#
S8%U;(E/#3"
S8%U;)E/!1"
S8%U;)E/#2!
S8%U;)E/#3#
O4"O3"P4"P4!U9%U8&U9%T8&T8&T8&V9%T8&T8&T8&T9%T9%T8&T8&T8&V9%T9%T8&T9%T8&T8&T8&V9%T8&T8&T8&T9%T9%T8&T8&T8&V9%T9%T8&V9%T8&T8&T8&T9%T9%T8&T8&T9%T8%T7&T7&T7&S6%Q4"O4!N3!M2
N3 Q5!Q5!S5#U7&U7%U8$U8$T7%T7&T7%T8$T8$T7%V8$T7%T7%T7%T7%U7#S4"P3!N1
N3 N3 P5"Q6#R5#Q6#P5"P5"N5"Q6#R7$T6$T7#U8$U8$W7%W7%W8$T8$T8$V7%U8$U7%U7%U7%W8$U7%U7%T7%T8$T8$T7%T7%T7%V8$U9%T7%T8$T7%T7%T7%V8$T7%T7%T7%T8$T8$T7%T7%T7%V8$T8$T7%T8$T7%T7%T7%V8$T7%T7%T7%T8$T8$T7%T7%T7%V8$T8$T7%T8$T7%T7%O2!O3 O2!N2!M1 K0
! $&!')!', &,
"' "'!"&""%"!"
%- '.% 1).2')*
#$!$$"%$"$$
aD'kM jM(hK.fI1L-
vU%sR(S5!/
hK.vT&~[&
c1vU%xV$
jL8z[=nL%xV/
p.wT*1
IiK%fL&
R:%uW1
&'"&'"!"
 *%1-).-(
')!33 41*.-(
68055-55-12-
33*41*.-(
&( 46.33 55-
33*41*- (
()$.0(44,22*"#
//'3/   (
()$./*44,33 )(#"#
, &) &#$!
''$/0 55-44,0/*12-
''$./*55-55-983
) #13 55,==5??7
"?.6;54/
(*27033000
https://aq.qq.com/cn2/unionverify/pc/pc_uv_show?type=2
(\d.*)<.dd>
aq.qq.com/cn2/manage/question/set_question_sel
aq.qq.com/cn2/manage/question/set_question_vry
aq.qq.com/cn2/manage/question/dna_question_imp
aq.qq.com/cn2/manage/question/set_question_sel?mb_flow_type=setdir&outurl=setdir&mb_up_from=from_set_question&
aq.qq.com/cn2/manage/question/set_question_mobile
aq.qq.com/cn2/manage/question/setdir_question_imp
aq.qq.com/cn2/unionverify/pc/pc_uv_show?
aq.qq.com/cn2/manage/question/vry_question_imp
http://dnf.qq.com/?ADTAG=ied.client.btn.index
\TCLS\Client.exe
http://dnf.qq.com/cp/a20140106mzhd/page02.shtml#mk04
http://captcha.qq.com/getimage?aid=21000127&r=
(&–2XUQZYU,)%
=:6>;652-&#
('#. &41,52->;6540
41-:7263.&#
$"!)($30 52-52-74/10,
/.*52-63.$#
'&"-,(52-63.63.52-.-)
-,(41,52-43/
'&"1.*63.74/85030 -,(
-,(41,52-
)&"41-63.85074/41-- *
 ($52.onjQPLYXTHGC/-,
H0 I2 M4 N5!Q8"R9!T<"W=#X@#ZB#^E$^F%bH%cI&eL'hM)iN'kP)oR*sV*tW*uX*w[ z\*{] }`,
 ,(<9410,
 ,(63.0/ 
-,(740//)
?( ?( ?( >'
-,(:73--'
?( ?( ?( =( >'
=( =( >'
-,(851**$
@)!B(!A*"A*"B #D*#E $B #B #D*#F,%F-#F-#E $C,$B #A*"A*"A*"A*"A*"A*"D !Z=/Z=/X<15"
@)!A*"@)!A*"B #D*#C,$B #B #D*#F,%F-#F-#E $C,$B #A*"A*"A*"A*"A*"A*"D !Z=/Z=/X<15"
-,(63/**$
X=3[>0\>3Z@4E $C,$C,$C,$C,$C,$D-%D-%B #D-%F,%G-&H.'F,%F,%F,%G-&G-&F,%C,$C,$C,$A*"<'
?( A*"E $F,%F,%G-&G-&G-&E $E $F,%H.'I0&J1'J1'H.'G-&B #C,$C,$C,$C,$C,$F-#Z=/[>0X<15"
X=3[>0\>3Z@4E $C,$C,$C,$C,$C,$D-%D-%B #D-%F,%G-&H.'F,%F,%F,%G-&G-&F,%C,$C,$B #A  ?)
- *63/*)%
W<2[>0\>3_E9G-&G-&H/%H/%J1'H/%I0&H/%H/%H/%I0&J1'M2(L1'J1'I0&K0&L1'L1'J1'H.'D-%C,$>)!9#
|oQ5*O4*N3)P5 P5 O4*O4*O4*O4*O4*P5 O4*R5,W9.dB5uRDySGtL@oI=nJ@fC9\;2S6-K1*> $aRO
|oQ5*O4*N3)P5 P5 O4*O4*O4*O4*O4*P5 O4*R5,W9.cA4uRDxSEtM?oI=nK>fC9^>3X90Q6,H.'6$
H/%X;2[<3_>5eE:iI>hH=dD9dD9dD9cC8cC8fD7oM@jH;iG:cC6aA4`B7Y;0aC8S7,Q7 S7,[>0[>0Z=45"
vR6 P5 Q6,P5 P5 Q6,P5 P5 P5 P5 P5 Q6,Q7 Q5*W9.aA4
S5*P5 M4*N5 O4*O4*M4*M4*O4*O4*Q6,Q6,O4*O4*O4*Q5*[8.zWJ~ZJvO@xQCoL?bB7P3*@)!2"
; %> $>)!8&
Z8 Z8 Z8 Y7*Z8 Z8 Z8 Z8 [8.Z7-Z7-X8-Z7-X8-Z7-X8-Z7-Z7-Z7-Z8 a?2eD5dC4`@3^>1^>3]=2W7,U5*T4)V6 S5*R4)Q3(Q3(W9.S5*X8-\:-];.]:0Y9.W7,U5*T4)T4)U5*W7,^>3Z:/W7*U5(V3)Y7*\:-^
Z8 Z8 Z8 Y7*Z8 Z8 Z8 Z8 [8.Z7-Z7-X8-Z7-X8-Z7-X8-Z7-Z7-Z7-Z8 a?2eD5bB5`@3^>1\?1Z=/R7)Q3(Q3(R4)S5*S5*R4)S5*Y;0W7,X8-W:,X;-Y9.X8-V6 T4)Q3(Q3(Q3(R4)X:/R6 O3(O1&Q1&S3&U5(X8 _=0^
- *740*)%
- *962*)%
- *851('#
- *63/('#
-,(63/(("
-,(74/(("
, '850(("
*)t/(("
*)c.(("
*)R-(("
*)…0(("
*)–1''!
*)…0%$
*)c/%$
:"#Q6.kVG'
7! P6.mVG0
()c/%$
()–2%$
)*&962$#
7#"9$ 9%
 *&740"!
*)c/"!
*)c/#"
, '851$!
 *&851-*&
 *&740,)%
 *&63/,)%
,*)740,)%
'(&740)&"
!9 #:!$; #8
"4 !4 !6
#4 !4 !6
#4 !5"!8!!8!!7 8"":!$9 #8
\.eF*5
32.ZYU
'&"&%! "
 *&-,(,*)
('#41-41,-,(
'%$96263.63.30 
&%!52-30 , '
'%$74030 63.
&%!41,30 , '
)'&1.*63/30,%"
0-(2/*, '!
)($1.*63/41-*'##!
 *&, '(%!
('#1.*63/52-1.*20/
(("1.*63/63.:73
*)A,63.>;7>=9
32.ba]utp=:6
(&v2UTP[ZV,('
;84;:6$#
 *&, '#"
*'#. '41,52->;6740
21-660$$
 ($30,52-52-74/30 
0/ 33-$$
'&", '($#
'&"-,(33-63.63.52-0-(
/.*33-44.
'&"//)44.74/85041,/,'
'&"52-52-85174011 /,'
-,(43//.*
-,(32.-,(
-,(43/.-)
-,(43/*)%
-,(32.*)%
-,(43/ *&
-,(540*)%
-,(651*)%
-,(762)($
-,(540)($
-,(43/('#
-,(32.('#
.-)43/('#
-,(540('#
.-)540('#
-,(651('#
*)e1('#
*)C/('#
*)2.('#
,)e1('#
,)v2('#
,)t0&%!
,)C/%$
 ($43/%$
*)C/%$
*)R.%$
*)…1%$
*)–2$#
*)t0"!
*)C/"!
 *&43/"!
*)D."!
*)D.""
)($44."!
 *&32."!
 *&762#"
@)À,'
@)ó.(
A*ó-(
. 0 !/!!.!!/!!. !. !- -
. / !/!!/! / !0"!0!!0"!0""2#"2$#3$"3$#4$#5&$6&$4%$4$#3##0#!/"!.
2!!2!!3!!2! 2!!2!!4 !2 2 2 3!!2 2 0
mO2rR)uS%zX*wS%uR&
[= tR.tP*_?
\.eF*7
 *&/,(1.*/,(
.-)1.)//)-,(
('#41-52.41-/,(
, '2/*63.
'&"52-41,22,-,(
'&"2/*2/*#"
o1/.vuq
&%!41,52-33-, '
)($0-)41,%$
0-(52-30,, '
)($1.*52-'&"('#
/,'2/ -,(&$#
('#1.*41,)($
 *&.-)'%$
('#1.*2/*, '
*)0,1.)
, '21-10,
0/ - *$"!
'&"/.*/.*
'&"21-*)%"
32.ba]usr=98
984984$#
*)%, '#"
('#-,(41,52->;663/
21-651$#
"#!)($30 52-52-74/41,
0.-52.&#
'&".-)&%!
('#/,'52-63.63.53 0-(
/-,52.63/
)&"1.)63.74/85041,/,'
)&"41,63.85074/41,0-(
)($52.pmiONJVUQGD@1.*
- *740:95
- *52. *&
., 32.*)%
- *32.*)%
 ,*32.*)%
- *63/ *&
- *52.*)%
-,(63/*)%
.-)962*)%
-,(850('#
-,(63.('#
-,(63/)($
-,(63/('#
-,(74/('#
, '850('#
*)c.('#
*)c.)($
*)…0('#
*)–1'&"
)($740%$
*('63/%$
 )(962%$
 )(962#"
*('63/"!
D-%S@6,
 )(740"!
E*#E %F,'G-(E %F $A( ?&
"6 !7!"7! 4
^@&qQ.sR ]=
bA {Z)~\.bE-3
`.iI'9
p:\
  %/,'1.*0-)
.-)1.*1.*-,(
('#41,52-41-/,(
&%!41,41,21-/,(
'&"2/ 2/*"!
&%!41,52-41-. '
)($1.*30,&%!
0-)52-30,. '
'(&1.*52.'&"('#
-,(1.*/,(&$#
&'#1.*41-)($
,)%.-)'%$
('#1.*2/ , '
*)%2/*1.)
, '30 30 
0/ , '$#
)&"1.*1.*
'%$32.*)% !
~}ylkgVUQED@<;765154032.32.43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/54043/43/43/43/54043/43/43/43/43/43/43/43/32.43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/43/651984BA=RPOged}|x
http://aq.qq.com/cn2/unionverify/pc/pc_uv_sms_query
http://aq.qq.com/cn2/unionverify/pc/pc_uv_verify
?Action=Bind&Type=°ó¶¨Ãܱ£ÊÖ»ú&User=
88888888888
http://aq.qq.com/cn2/manage/mobile/query_same_mobile_ajax
http://aq.qq.com/cn2/manage/mobile/query_bind_uins_ajax
http://aq.qq.com/cn2/manage/mobile/query_station_ajax
http://aq.qq.com/cn2/manage/mobile/active_sms_ajax?flow_type=change&mobile_number=
http://aq.qq.com/cn2/manage/mobile/verify_mobile_ajax
{result:-1}
http://aq.qq.com/cn2/manage/mobile/change_mobile
http://aq.qq.com/cn2/unionverify/unionverify_jump?jumpname=modifymobile&PTime=0.01982586313531
\TCLS\ui\DNFClient.swf
V6{c%S~
s %d. (0x%Xh)7
ProcessHeap?H.l
.text
`.rd9a
KERNEL32.DLL
ATL.DLL
MSVCRT.dll
OLEAUT32.dll
USER32.dll
CreateActiveX.dll
VBScript.RegExp
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
comdlg32.dll
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
%System%\Macromed\Flash\Flash10q.ocx
%System%\Macromed\Flash\Flash10s.ocx
{D27CDB6E-AE6D-11CF-96B8-444553540000}
ProfilePort
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
H2~F0}E/|C0{B/zE.zE.}E/~F0|D.xC,t? s> s> q? q?*q?*r=)s>*r@ r@ t? wA.wA-v@-t>.t?,s>*t?,s=-t=-s> q?*q?*xB.
G1zE.vE-p@,p@,o? o?*n>)q?*sA-p@,o? r@,[email protected]@-sA-sA-q?*q? p=,o< p>*n>*n>*xB.
G1yE.rB.qA-p@,p@ qA-sA-r@,n>*o? r?.u?/uC/uC/vD0tB-qA,o? m>-o>-p@,m? m>-yD1
WCl?-m? n@,[email protected]@.n?.mA,n?.n?.n?.n?.o@/qB1qB1q@/p?.q@/r@1qA2o@/m>-p?.mB0~D.
J6{F2rB.n?.qA-sC/uE1tC2sB1rA0n?.q@/s?0tD0uE1tF2sE1qC/n?.m>-m>-m? l?-l>.xF2
[Gi>,[email protected][email protected]/nA/nA/o@/[email protected]/qB1sC4tB3qA2o?0p@1qA2rB3pA0rA0jC3
gSwG3vF2uD3qB1oC.lA/k?/zH4
R;yG2mB0i?/l>.qD2pC1lA/j?-lA/qD2~L8
R
N;~N:sE1oC.qD2vJ5uG3uF5sD3uF5vH4{K7
F0&J0&F/'A,$F0&G0%G0%D/'F0&G1&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&G0&G0&G0&G0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&2
E0(G0&F0&A-#G1'G0&F/%F/'F/'F0&G0&G0&G0&F0&F0&F0&G0&G0&G0&G0&G0&G0&G0&G0&F0&F0ð&F0&F0&F0&F0&F0&F0&F0&F0&F0&F0&G0&G0&F0&F0&G0&F0&G1'F0&F0&F0&F0&G1'F0&F0&F0&F0&F0&G0&G0&G0&F/'E0(F0&G0&F0&F0&F0&G0&G0&F0&F0&G1'H1'G1'G1'G1'H1&H1'H1'G1'G1'G1'F0&H1'G0&F0&F0&F0&G0&G0&G0&E0(-
@* >* @* @)
A* A !B,"B,"C-#B,"? !? !@,"C-#E.#E.$E/%C-#B,"A !@* A* A* @* >* @* H1'H0(D/'.
@* B !D-"C-"G0%F/%E.$D.#B,!C-"C,$H/"I/%H1&F/$D.#B,"B !B !A !A !B,"A* I2(G1'D/'.
? !B !B,"@,"A-#C,$C-#D-#D-#C-#C-#C-#E/ð&E/ð&D-#G-$F/ð&D.$B,"A*
C,"H.%F/%H1&G0%E.$F/%H1&H2$J3(J0'K0#L1$T8.hNDK1'H1&H1&E.$D.$C-#C-#D-#H1'F0&D0&,
=( C #C #D-#E/%D.$B,"B,"D.$G0%N4*T8.R7*T6,jLB
?*"C,"A !?*"?*"C*%C-#D.$E.&E.&E/%E/%F/$M3)Q6)Q5 R6,L2)F/%G0%J3(H1&C,"8%
?( @)!A*"@)!E/%D.$C-#@,"D-%F/%M3)U8 U:-T8.W9/X:0Y
?*"A !B,"?*"?)$A)$@ #C,$D-%C,$E/%G0&G0&O5 V:0T8.R6,O5 I2'E.#G0&J0'C-#9& 0
@,"@ #>)!?*"B #E/%D.$C-#B,"B,"D.$M3*Q5 V;.S7-Q5 S7-S7-S7-K1'G-$E-%D-%C,$D-%H1'F0&C.& 
@,"D0&>* =( B #E/%E.#F/$D.$C-#F/%H1'L1*W
? !G1'G1'B #C-#I2'J0&J0&H1&J3(L2(K1(I.'T8)Y
C/%C/%;-$"
;) ;("='"?)
@,!E/$F/%C.&*
C/%C/$9 "
;) ;) ;*
=( ='";) 9) =)
A*"F.&L2)T:0R9,K1(G/'F0&C/%@,"@ #B-%C-(G0&I2(R;1H1&I2'H1&J3)D-#L6,>* ;*
;) ;) ?)
=( =( @)
? !D.$H.%G-#G.!H.$F/%E.$D-"D-"C,"B*"C #D-#E.$D-#F/%D-"M3)L2(M3*G-$B !?)
F/%F.&8)#
>* >)!>'
=( ;) ;) :)
=,!<  ? !>* ;*
B  C,!B,!A  A  A  C-#F/%F/%H.$I0#E/!B,!A  B,"B,!B,!B,!?  @*
C,"C,"B,"? !?  A  E.#F/%C.&)
>* >* @)
7& 9) :*!= "?-$>,#?-$>,#= "; "; "; "= "= "= "= "?*":*!:*!:*!;) = "= "<*!>,#?-$>,#= "@ #E/ð&D/'*
D.zE.|C0
M9t?,t> s> p>*q? t> q?*s>*s> t? r@ r@ t?,r=*q? r@,s>*s>*q?*o?*q? s> r@ t? u@,vA-wB.yC/
H2|C0xB.sA-r@,s=-q>-q? q?*r=)s> r@,r@ r@ vA-wA-v@-t>.t?,s>*t?,s=-t=-s> q?*q?*xB.
P*q? q? o>-o? q? o? q? q? o? p@,sA-r@,r@,o? p@,sA-r=*q? o? p@,p@,p@,vA.wA-zD0~E2
G4zD0wB.r@,p?.o>-o? n>*q? sA-r@,o? r@,vA.vA.u@-sA-sA-q?*q? p=,o< p>*n>*n>*xB.
H2zD0tB.qA-p@,p@,qA-sA-r@,p>*o? p?.s@/uC/uC/vD0tB-qA,o? m>-o>-p@,m? m>-yD1
WCl?-m? n@,[email protected]@.n?.mA,[email protected]@/qB1sB1q@/n?.o@/p@1qA2o@/m>-p?.qB1|C0
J3~E2qB1o@/qA-sB1sD3tC2sC/rB.n?.o@/q@/tD0uE1tF2sE1qC/n?.m>-m>-m? l?-l>.xF2
[Gi>,[email protected][email protected]/nA/nA/nA/[email protected]@.nA/pC1sC4qA2rB3o?0oA1pB2rB3pA0rA0rE3}G3
L6tF6l@1n?.qB1nA/j>.m?/nA/rD0{K7
K5rE3l@0m>-rC2nC1j@0j>.lA/qE0~L8
E0(G0&F0&A-#G1'G0&F/%F/'F/'F0&G0&G0&G0&F0&F0&F0&G0&G0&H1'G0&G0&G0&G0&G0&F0&F0&F0ð&F0&G0&G0&F0&F0&F0&G0%G0%G0&F0&F0&F0&F0&E/$F/'G1'F0&F0&F0&F0&G1'F0ðð%G0&G0&G0&G0&F0ð%F/'F0&F0&F0&G0&H1'G0&G0&G0&G0&H1'H1'G1'G1'G1'G1'H1'H1'G1'G1'G1'F0&H1'G0&F0&F0&F0&G0&G0&G0&E0(-
@* @* @,"B,"C-#B,"A !? !B,"C-#E.#E.$E/%C-#B,"A !@* A* A* @* >* @* H1'H0(D/'.
B  D-"D-"G0%F/%E.$E.$C,!D-"C-#H/"I/%H1&F/$D.#B,"B !B !A !A !B,"A* I2(G1'D/'.
? !B !B,"@,"A-#C,$C-#C-#C-#C-#C-#C-#E/ð&E/%E/%D-#G-$F/%G0&D.$B,"@)
A !F/%F/%H1&G0%E.$F/%H1'J0&L2(J0'K0#L1$T8.hNDK1'H1&H1&E.$D.$C-#C-#D-#H1'F0&D0&,
?*"C,"A !?*"?*"C*%C-#D.$E/%E/%E/%E/%F/%M3)Q5 Q5 Q5 L2)F/%G0&J3)H1'C-"8'
@)!A)$C.&D.$C-#@,"B-%E/%O3)U7-U:-T8.W9/X:0Y
?*"A !B,"?*"?)$A)$@,"C,$D-%D-#E/%G0&G0&O5 W;1T8.R6,O5 I2'F/%G0&J3)E.#:(
>)!@*%C.&D.$C-#@,"@ #D.$M3)S5 V;.S7-Q5 S7-S7-S7-K1'G-$E-%D-%C,$D-%H1'F0&C.& 
=( @ #E/%E.#F/%D.$C-#F/$J0'L2)W
B,"A !C-#I2'L0&J0&H1'J3(L2(K1(I/&T8)Y
B  C,!F/%F.&E.$D-"C-"C,"B !C,"C-#E.$D-#F/%D-"M3)L2(M3*G-$B !?)
=,!>-"?*"@* E.#F0%C/%B.$@,"@,"=,!? !>)!<  >* D/'G0(D.$>* ;*
9) :*!>-">,#>,#; "; "= "?*"?*"= "= "= ":*!:*!:*!;) = "= "<*!>,#?-$>,#= "@ #E/ð&D/'*
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%?)
Y>1^?.[?0U;1@* A !@* ?  ? !A !F/%F/%A !B  C,!E.#D-"C,!C,!E !D-"C,!A  @*
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%? !C,!Z>/]>-Z=0:#
W>1\?.\@1W@5C-#C-#C-#A-#A-#F/%F/%F/%F/%D.$E.$F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%A-#E.#Z>/\>0Z=0<"
X=0^?.\@1\E:F/%F/%G0&F0%
G1&F/%F/%F/%
F/%F/%F/%F/%F/%F/%
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%
F/%F/%
F/%F/%F/%F/%
F/%F/%F/%F/%E/%H1&Y?0[?0X=0<"
F/%F/%F/%F/%F/%F/%F/%F/%
F/%F/%F/%F/%F/%
F/%F/%F/%
F/%F/%F/%J3(L2(Y?0[?0X=0:#
F/%F/%F/%K4)L3&[?0\>0Y>1:#
F/%F/%F/%L5*O6)\>0]?1Y=3:#
Y>1`?.aA3~aTN4 L5 F/%F/%F/%
F/%F/%F/%F/%F/%F/%F/%
F/%F/%F/%M6 R7*[?0\=1Z>4:#
h\P4*N4 F/%F/%F/%F/%
F/%F/%F/%P6,T9,[?0Z=0Y>1<"
F/%F/%F/%O5 S8 [?0\>0Y>1:#
}oQ6)N4*F/%F/%
F/%F/%F/%F/%F/%P6,Q8 \>0^?.Z?2:#
vR7*O5 F/%F/%F/%
F/%F/%F/%F/%F/%P6,S7-Z>/\@1W>1:#
Q6)N7-F/%F/%
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%
F/%F/%F/%F/%F/%N7,Q7-Y>1\@1Y>1<"
Q6)M6,F/%F/%F/%F/%F/%
F/%F/%F/%F/%F/%M6,P6,Y>1\@1Y>1<"
F/%F/%F/%F/%F/%O5,Q5 \=1\?2Y=39"
F/%F/%F/%S5 P4 N4 S5 ]>2]?1X>48#
N2(G3)H2(I2'I2'H2'J3)I3)H2(H1&F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%O5 L5 K4*O5 ]>2^@2Y=38$
M1'F2(E1'I2'H1&F0&H0(G0(G1'G1'F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%L5*N4*L5 H2(J3(^B3_A3[@3:$
F/%F/%F/%F/%F/%F/%F/%F/%F/%B(
F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%I0#I/%N2(Q4'O4'K2%L1$^B3`C2\A4:#
Y:)]9)[:)X8*Y9 [8,Y:)Y9 \:,Y8,Y8,Y8,Y8,Y8,Y8,Y8,[8,Y8,Y8,Y9 `A0fE4cD3aB1_?1_?1^>0Z8*X6(W5'W7)S7(R6'R4&T4&\:,V5)W8,_; ^<.^;/\9-Z7 V6(U4(U5'V6(V7 ]>2Y;-X9(X7%W5'F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%F/%Y9 Y:)Y:)Z8*]:.b@2`>0\<.U5'^=,cD3]B5:#
14:50:59
)*Í?
8:29;3#% $$!* &,-(#$
()$/.)44,55->>6761
23.680$&
#% )*3 55-55-77/32-
01,66.#%
'(#,-(&'"
''$-.)55-55,66-55-./*
/0 55-66. !
)'$10 66.77.88/44,,,)
)'$43.66.88077/43.--*
.0 23.GGD
,.)35-/0 
,.)35--.)
,/'35--/'
,/'35,-/'
,/'46--/'
-/'66-//'
-/'66.//'
-/'66./.)
-/'66--.)
-/'66-/.)
,/'66./.)
-.)66./.)
--*982/-*
0 #6,";2&=3)90$3,
6):@.KG1RE2RG4TG4TF3SG4TI4R
7*;C.LI2UE2RF3SF3SF3SI3TG4T
8 9D.HL3PJ3PL3PK2OK1LJ1JI0H
6)6B BG.GI.FF.CH/GG.FI0HK0H
5(6?)CF/LG1KH1IF/GI.GI.GI0H
5(6@*DI0MI2JJ3KI0II.GM0IH0E
6&5A*BH.IG.GH/GJ/HH-FL/HH0E
6&5@'@F-FE,DF-EI.GI.GJ/HH/G
6&5@)AF,GF-FG.GG-HH.II/JH/H
4'8>)FF/MG.KH/LH/LH/LH/LI0M
5(9@ HG0NI0MI0MG.KH/LH0JH/L
5(6?)CG.KG.KG.KH/LI0MH1NI0N
6):?-JF.SE.QD-PG/PG/PG0NF/M
7'=A*MF.UC/QG/PH.OI.QF.OE0N
5':?(KE-RD-PF.OG-NF-PF.OD/M
3%8='HE,OF.OH.OG/PG.QG0SG/P
5':>)GF-PF.OF.OF-PF-PG.QE/P
6(;?)JH/RG.QE/PE.QG.QH/RG1R
3&<=)KD,SE.QE.QF,QF,QH,QB-Q
3&<=)KE-RF/RG-RF,SF,SF.SE-R
2&9<)ID,QD,QG-RE-TE-TF.SF.S
2&9<)IE-RE-RE-RE-TF.UF.SF.S
4'==)KE-TE-RF.SD/UF.UH.UF.U
%D;Cqfr
2%;<(LE,UE-TE-TE-TD,SH.UF.U
2%;<(LB,WC-UE-TG-TE-TC.TE-T
4%;=(LC-UC-UE-TG-TE-TC.TE-T
2'?;(PB,WB.TB-UB,WC,WC-UC.T
1&>;(PD.YC.VA,TA VC,WB,TB-Q
Ã?r`m)
90z6.tB7
;3u6.lC9~C8
B/v> qB.uH.
P9}E.pH3tXD
H.yK/y[>
!3~#5~)9
iXp[FZXAUO>PL=OH6ND0K?-FE.KZ7^}N~uTukRjaHbgQrcQy\R
KDrJ8KQ:ET9MR8PJ6PC3M?.J?-I?-HB.IJ5NV0Tx#s
T*[email protected]?.B:*>9*=:)>;)?;*@=-BG6KE5ORHhZStZRvRJoQGm_TydWzdSyhTzjW|hW{cV{XOxMFsIHyW[
P*[email protected]/EB/E>-B;*?9)=8'=9'>9(>E4I\K`bQl_Sv]Sz\QyWLtK?f\OtaRtdQuiTvjUvjXyhZ{\SvQJqIEqIJ{Wb
_/_D4GC4F?1E<,D='D;Ä";,
 *"5,%9,%9,$9'
- #8,%9*"7'
(( 4,$9*"7)"7 "9'
&6-.UNKmgh0
-&!3("4' 4' 5%
,% 2'"4(!5(!5'
0:{);}%;
0(!4)"5)"6)!7)
/'!4)"6(!6(!7*!9)
&D(5Z ?n.Dx/H
/)"6(!6%
1*"7)!7$
2)"7( 6$
,( 1$!4&!4'!5* 7  7 
A..UGW
9'#;'"7"
1*(2*'3'!3'
4( 4(!4("4(!3$
.KwHh
8)'1)&2(#4'!4'!4'!4'!4(!4(!3& 2#
2& 2' 2' 2&
.)#5>8J?9KLGYOL^QWjU^tRZ{MT{9;g#%S
1' 2' 2%
.( 2(!2&
/) 2)!2&
/' 0(!1( 3%
;&$ '%,$! 
/' 0(!1)!4&
&$#)&% '%.& /&
0' 0' 0' 0(!0'!1'"2#
,! '$")'$.)#1(!/(!/(!0(!0'!0' 0& 0&!1#
8-!3)!-( ,(!,)"-(#.&".#
*'  (",&"-#
*(",'"-$ -# ,#!-'%4D<
!7&#-*%& %$)' &% !!'
02&-4*/-*3"#.
$,"0,"1#
"M&4`4Bh8Hm.Bp7P
$(" ,#1(
!'! *#2& 0#
&%"-*$/*$3 %5(#2$
#$"/(#1*"2,%4(#3#
,"!.$!/(!0%
(! /!!5"!5("0)!/'
.! 4" 4& .%
.,"/) )%
0 "/)",*",(
/&!.)!.."2.
.*!.)!2)!3*
OA.ENIWGCRNJ\]Xma\tZWqRRrEIl'3X
-)!.(!2'
%( *)!-( .&
o>%D@:HEDUVXnTXxJOsHMqMSuNVnLVmCQl2Cc#:f;W
( "..%3.4 :2):%
$-$$-)!- 
/ !1.&5'#.!
$0%#- !/-
/. 1/"2%
.CY(:PHXzANw4At*6n
 )!,*$-& *%
*)". %.&!)%
)("-*$,& ('
*'!,'"*%
 ' .' -$
(!% !,) ,' -%
!2#"-.'.0%.- /)
% &-',-&  ! )
1% /'"/'"/'"/'"/'"/("/)"/(!-$
*(!-*!-'
1% .'".'".'".'".'".(".)!-(!-%
5(!0)"-)"-)"-)"-)"-*"-*!,*!,,#/,#/ ". "/,#0*!-)
,)"-)"-)"-)"-)"-*"-*!,(
 ) ,*!.) -(
 ) ,1'59,?-
*,", ", ", ", "- "- "-,#/*!.) -&
)-&1-#-,"  "  "  ", "- "-)  &
,$* "* #*/&-1&/3%/6&26#23!27%9>.AA5C:0:7/90(370<93A4/=A=LLHX- <0.AKJ]HI]QRghh~aaw\]q]_q]as\auEPh'5S"7d/G~?_
>.BfXjbVh_Vk]VmXUmVUnSRlRQlRRmIJc7@T8CTT^k`iuR\jDQb
.Cx(9i6JsI]
.Ky*Kv(Iv,K}.K
D%0W%Dv(N
.FBSnH]
9Jj.Bh-Am*@x%;w
Hj.LwHa
%D~7Q
#Cb.JoMg
%U*DkRo
*Gd%DnNo
*U.IzNk
(@q%Co=^
@7nN%s
23.jjg ,)
-B}AU
r%X^'LI'O?(N< K;.J?2NB5QD7SC6R?/N?-NA-PC-RC-RD.SD.SC,QF)RI(SN(US(VX'W^%[j#b~ t
.AvHP
%F~$Bu
':p%9k(=r.Bx9H
#,:%Dr
4[.Ls8]
/!-T<
@A>01.YYV{{xaa^
=T{.Cl
---666350./,((%''$00-&&#
 U.Do?]
)*'%&#/3/12/---/0 22////,,,***%&#&'$12/,,)""
350&'$.. -. 
)*'* ($$!#$!()&
%C=TwVp
"W'*?54045035-65064166.65065054/66.66.54/54/55-66.65053054/66.55-54/66.54/54/65066.66.65065056.66.55064165066.66.65055-65065065066.66.65065066.66.65064165066.66.65055.65065065066.66.65065066.66.65053054/66.66.65066.54/65054/66.55-54/65066.66.65064165066.66.65066.65054/65066.66.65065055-66.65064165066.66.54/66.65065065066.55-65065066.66.65064165066.66.54/66.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65046.65084065046.66.65065046.46.65065045046.46.65046.65065065046.46.65065046.46.65064165046.46.76166.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65046.65065066.46.54/42/31.
"# '&&))&**'##
000 ,)#$!
-/'32-53065066.44,32-/-*
0/*32-31./.)* &"#
$ * (***
! '&&%&#
32-55-65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.66.65065066.66.65064165066.66.65066.65065065066.221-3AESmR`}(-H));42565066.66.65066.43.48?Ha}Wz
#$!.. 20-20-  (
* &44155255244122//..!%!
HWTMOIUTOUTOTTLVTMVTMTQITNJXPMSGJFCWFg
((Ï>_`[yzu
%CnHn
))*001#&&
01.EEBJJGMNIOOLFFC&&#
"Dl&Cd
O4>j:BjPWs
(H=Po?Xw.Hk<[
HHE01.YZW
9`.Jo&Fi0Sx0V
.BeRa~u
.Bz)ArLf
 TŒ#5d'7j7I|8M~Xp
,W&=j.Fs4N{.Lu1RyPp
4M|.JtKm
\n|8Gc 9[3Bj8Ht.Cq2Jz9U
*
.Ns(Km(Lm-Op)Gh#:[&<[(B]*Fa$@c
(Ez%Cw/O
6^v.Xp6`xKt
J.hDDjJU
%D|#Bw$Bu'Cs
.GnKb~
0z#2y*:w%9s
%D~$F
\%uD;lF\
 Ax.EyE^
I%x2Gu'@t1M
T>}1El$
;n.Hy\&v
.comment {color:green}
, #&')*)
-0-(0%()(
.rzz{V
ÿRT
Cjm.eb
(7),01444
'9=82<.342
%.dn.
-o.SRx-
PQIE%d
.Xmw[p
OSQ%c|
Qf.xwB
-BK}B
:!.erK
m:\JcH
%flr==G^
.BRC&
w=.ek
o.gQ<
wz|.DFM
Pm.Ac
.ml@fBT
F%D,3
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
www.dywt.com.cn
USER32.DLL
(*.htm;*.html)|*.htm;*.html
its:%s::%s
Y%d
X%d
Height%d
Width%d
RECT(%d, %d)-(%d, %d)
Styles0xX
Control ID%d
Handle0xX
%s
burlywood
\winhlp32.exe
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
client.exe
c.exe
66.txt
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MZRTdKAQ.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
GetWindowsDirectoryA
WinExec
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
ShellExecuteA
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
`.rdata
@.data
.rsrc
(*.*)

MZRTdKAQ.exe_1732_rwx_10000000_00017000:


program internal error number is %d. (0x%Xh)
GetProcessHeap
.text
`.rdata
@.data
.rsrc
.reloc
V6{c%S~
s %d. (0x%Xh)7
ProcessHeap?H.l
`.rd9a
KERNEL32.DLL
ATL.DLL
MSVCRT.dll
ole32.dll
OLEAUT32.dll
USER32.dll
CreateActiveX.dll

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   net1.exe:1436
   net1.exe:1736
   net1.exe:1988
   net1.exe:1952
   net.exe:428
   net.exe:596
   net.exe:1352
   net.exe:1772
   %original file name%.exe:1800
   svchost06.exe:1200
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (196 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\5a8ff7a6ad7e38ec83dcaa35f9967198_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (48 bytes)
   %Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1844237615-1960408961-1801674531-1003\5f20925ad2c5776d06c97fc8ee4a524c_75ed9567-aa58-4c8e-a8ea-3cad7c47ab03 (51 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123[1].txt (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\x666[1].txt (114 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\h666[1].txt (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hmsx[1].txt (126 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index[1].htm (3683 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (144 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\MZRTdKAQ.exe (5442 bytes)
   %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (144 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index[2].htm (3683 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\svchost06.exe (16 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\DNFµ¶¿Í0606A.exe (76913 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\xslxtnl.exe (171767 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\HM[1].css (219603 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.