Trojan.Win32.FlyStudio_bbe854aeb7

by malwarelabrobot on November 1st, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: bbe854aeb7733dc26618020c6206a1c0
SHA1: 224fe46f6c04aed7c548790149166a337736a63a
SHA256: 1c3acf60be720f2686c9730c55c055bd51c23adf0e39a0ff01411e5b1a0f74a3
SSDeep: 24576:9BB/cjOiH8xCA5RMyvihK5rnfAOKRfIpbm68WwaZIY:fhA8cArvqhKlA5tIpbm2ZI
Size: 939520 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SecuredDownload
Created at: 2017-10-18 05:02:49
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.

Note: no SMTP or other mail traffic appears in the captured session below; the observed network activity is HTTP to gutousoft.com / gutou.cc and to web-analytics trackers (cnzz.com, 51.la). Treat the EmailWorm tag as a heuristic: the strings dump contains an e-mail-looking literal (anonymous@123.com), but nothing in this run exercised mail functionality.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:2028

(The only process observed is the sample's own, PID 2028; no child process was started and no foreign process was injected. All file, registry and network activity below is attributed to it.)

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2028 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PYRD29GF.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HM4G8Q2E.txt (131 bytes)
C:\.rand (13 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\icon_11[1].gif (913 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stat[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\pic[1].gif (719 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\MO6Y63NS.txt (411 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\17287617[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tongji[1].htm (952 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\N4LUYIJ2.txt (263 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].js (2663 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\core[1].js (765 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PYRD29GF.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\N4LUYIJ2.txt (0 bytes)

Registry activity

The process %original file name%.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. The HKLM\SOFTWARE\Microsoft\Tracing\<name>_RASAPI32 and <name>_RASMANCS keys are created by the RAS/WinInet stack for any process that calls into it and are named after the executable, which the sandbox had renamed to its MD5; they indicate WinInet use, not persistence:

[HKLM\SOFTWARE\Microsoft\Tracing\bbe854aeb7733dc26618020c6206a1c0_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKLM\SOFTWARE\Microsoft\Tracing\bbe854aeb7733dc26618020c6206a1c0_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\bbe854aeb7733dc26618020c6206a1c0_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\bbe854aeb7733dc26618020c6206a1c0_RASAPI32]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\bbe854aeb7733dc26618020c6206a1c0_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\bbe854aeb7733dc26618020c6206a1c0_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\Tracing\bbe854aeb7733dc26618020c6206a1c0_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

Proxy settings are disabled. Together with the ProxyServer, ProxyOverride and AutoConfigURL deletions listed further down, this leaves the user's WinInet connection without a proxy; whether that is deliberate or a side effect of the SavedLegacySettings write above cannot be told from this run, but an interception proxy configured on the analysis host would no longer be used by WinInet clients:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0   4096             4530176       0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   4534272          917504        917504    5.49291  af14c24f7ec0ce3f420af14a4efc459e
.rsrc  5451776          24576         20992     3.68382  c471ce0ee310a603296e72be2fefe122
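As an added example (my code, not part of the Lavasoft report), the check an analyst would run to reproduce the "Packed" verdict and the PEiD UPolyX (UPX-variant) hit from nothing but the section table above. The section values and the file size are copied from this report; the thresholds are my assumptions.

```python
import math
from collections import Counter

# Section table as reported on this page: (name, virtual_size, raw_size, entropy).
REPORTED_SECTIONS = [
    ("UPX0", 4530176, 0, 0.0),
    ("UPX1", 917504, 917504, 5.49291),
    (".rsrc", 24576, 20992, 3.68382),
]
REPORTED_FILE_SIZE = 939520  # "Size" field of this report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_indicators(sections, file_size, ratio_threshold=2.0, entropy_threshold=7.0):
    """Section-table heuristics behind a 'Packed' verdict.

    Returns (likely_packed, reasons, image_to_file_ratio); every reason is a
    sentence, so the result doubles as triage output. Thresholds are assumptions."""
    reasons = []
    if any(name.upper().startswith("UPX") for name, *_ in sections):
        reasons.append("section names UPX0/UPX1: UPX or a UPX-based scrambler (cf. PEiD UPolyX)")
    for name, vsize, rsize, entropy in sections:
        if rsize == 0 and vsize > 0:
            reasons.append(f"{name}: raw size 0 but virtual size {vsize}: "
                           "empty on disk, reserved as the unpack destination")
        if entropy >= entropy_threshold:
            reasons.append(f"{name}: entropy {entropy:.2f} looks compressed or encrypted")
    image_size = sum(vsize for _, vsize, _, _ in sections)
    ratio = image_size / file_size if file_size else float("inf")
    if ratio >= ratio_threshold:
        reasons.append(f"in-memory image ({image_size} bytes) is {ratio:.1f}x the file size ({file_size})")
    return bool(reasons), reasons, ratio


if __name__ == "__main__":
    packed, why, ratio = packing_indicators(REPORTED_SECTIONS, REPORTED_FILE_SIZE)
    print("likely packed:", packed)
    for line in why:
        print(" -", line)
```

Two details worth noting: d41d8cd98f00b204e9800998ecf8427e in the UPX0 row is the MD5 of zero bytes, consistent with a raw size of 0; and UPX1's entropy of 5.49 stays under the usual 7.0 threshold, so the verdict rests on the layout rules rather than on entropy. A stock `upx -d` often fails on scrambled variants, in which case the code has to be dumped from memory, which is what the strings section of this report is built from.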

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://d.gutousoft.com/公共软件下载/骨头QQ说说批量删除软件.txt 120.24.75.226
hxxp://d.gutousoft.com/up/tongji.htm 120.24.75.226
hxxp://js.users.51.la/17287617.js 222.187.254.89
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1252975436&show=pic
hxxp://gutou.cc/ 203.195.236.181
hxxp://d.gutousoft.com/ 120.24.75.226
hxxp://z.gds.cnzz.com/stat.htm?id=1252975436&r=&lg=en-us&ntime=none&cnzz_eid=2113768219-1509417349-&showp=1276x846&p=http://www.gutou.cc/up/tongji.htm#shanchushuoshuo&t=tongji&umuuid=15f706a8a4339a-09fb5c2812d92d-44703d1f-1078c8-15f706a8a4432a&h=1&rnd=461886552
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1252975436&show=pic&t=z
hxxp://icon.users.51.la/icon_11.gif 42.236.73.3
hxxp://icon.cnzz.com.danuoyi.tbcache.com/img/pic.gif 222.186.49.224
hxxp://grp1.51.la/go.asp?svid=11&id=17287617&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://www.gutou.cc/up/tongji.htm#shanchushuoshuo&vvtime=1509419555808
hxxp://web.users.51.la/go.asp?svid=11&id=17287617&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://www.gutou.cc/up/tongji.htm#shanchushuoshuo&vvtime=1509419555808 42.236.74.238
hxxp://y.gutousoft.com/ 120.24.75.226
hxxp://s23.cnzz.com/stat.php?id=1252975436&show=pic 1.99.192.16
hxxp://c.cnzz.com/core.php?web_id=1252975436&show=pic&t=z 116.253.191.237
hxxp://www.gutou.cc/up/tongji.htm 120.24.75.226
hxxp://z5.cnzz.com/stat.htm?id=1252975436&r=&lg=en-us&ntime=none&cnzz_eid=2113768219-1509417349-&showp=1276x846&p=http://www.gutou.cc/up/tongji.htm#shanchushuoshuo&t=tongji&umuuid=15f706a8a4339a-09fb5c2812d92d-44703d1f-1078c8-15f706a8a4432a&h=1&rnd=461886552 1.122.192.15
hxxp://vip.gutou.cc/ 203.195.236.181
hxxp://icon.cnzz.com/img/pic.gif 222.186.49.224


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /stat.htm?id=1252975436&r=&lg=en-us&ntime=none&cnzz_eid=2113768219-1509417349-&showp=1276x846&p=http://VVV.gutou.cc/up/tongji.htm#shanchushuoshuo&t=tongji&umuuid=15f706a8a4339a-09fb5c2812d92d-44703d1f-1078c8-15f706a8a4432a&h=1&rnd=461886552 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: z5.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Tue, 31 Oct 2017 03:12:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
[gzip-compressed chunked body; only the chunk-size line and compressed bytes are visible in the dump]


GET /公共软件下载/骨头QQ说说批量删除软件.txt HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Language: zh-cn
Referer: hXXp://d.gutousoft.com/公共软件下载/骨头QQ说说批量删除软件.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: d.gutousoft.com


HTTP/1.1 200 OK
Date: Tue, 31 Oct 2017 03:12:22 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
Last-Modified: Sun, 17 Sep 2017 05:06:15 GMT
ETag: "108-5595b95e28b4e"
Accept-Ranges: bytes
Content-Length: 264
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
[264-byte text/plain body, mostly non-printable bytes. The readable content is the version string "6.7.9" followed by the download URL hXXp://d.gutousoft.com/公共软件下载/骨头QQ说说批量删除软件.exe. The same version literal ("@6.7.9") appears in the strings dump, so this request is consistent with the program's update check. The dump repeats the response verbatim; the repeat is omitted here.]


GET /img/pic.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: icon.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: image/gif
Content-Length: 719
Connection: keep-alive
Date: Mon, 30 Oct 2017 11:30:41 GMT
Last-Modified: Fri, 16 Jan 2009 08:10:47 GMT
Expires: Tue, 31 Oct 2017 11:30:41 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Via: cache4.l2et15-1[12,304-0,H], cache10.l2et15-1[13,0], kunlun7.cn74[0,200-0,H], kunlun4.cn74[3,0]
Age: 56517
X-Cache: HIT TCP_MEM_HIT dirn:7:211216148 mlen:-1
X-Swift-SaveTime: Mon, 30 Oct 2017 11:30:41 GMT
X-Swift-CacheTime: 86400
Timing-Allow-Origin: *
EagleId: deba319d15094195587398882e
[719-byte GIF89a body: an animated GIF (NETSCAPE2.0 loop extension, comment "Powered by AFEI"). The binary and the verbatim repeat of this response in the dump are omitted.]

GET /core.php?web_id=1252975436&show=pic&t=z HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 765
Connection: keep-alive
Date: Tue, 31 Oct 2017 03:00:31 GMT
Last-Modified: Tue, 31 Oct 2017 03:00:31 GMT
Expires: Tue, 31 Oct 2017 03:15:31 GMT
Via: cache19.l2et15[0,200-0,H], cache9.l2et15[0,0], kunlun9.cn133[0,200-0,H], kunlun7.cn133[0,0]
Age: 724
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2 mlen:-1
X-Swift-SaveTime: Tue, 31 Oct 2017 03:02:50 GMT
X-Swift-CacheTime: 761
Timing-Allow-Origin: *
EagleId: ab6f9ac715094195556467389e
!function(){var p,q,r,a=encodeURIComponent,b="1252975436",c="pic",d="",e="online_v3.php",f="z5.cnzz.com",g="1",h="pic",i="z",j="站长统计",k=window["_CNZZDbridge_"+b]["bobject"],l="http:",m="1",n=l+"//online.cnzz.com/online/"+e,o=[];
o.push("id="+b),o.push("h="+f),o.push("on="+a(d)),o.push("s="+a(c)),n+="?"+o.join("&"),
"0"===m&&k["callRequest"]([l+"//cnzz.mmstat.com/9.gif?abc=1"]),
g&&(""!==d?k["createScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id="+b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l+"//icon.cnzz.com/img/"+c+".gif",p="<a href='"+q+"' target=_blank title='"+j+"'><img border=0 hspace=0 vspace=0 src='"+r+"'></a>"):p="<a href='"+q+"' target=_blank title='"+j+"'>"+j+"</a>",k["createIcon"]([p])))}();

[The dump repeats this response verbatim; the repeat is omitted here.]

GET /stat.php?id=1252975436&show=pic HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s23.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10990
Connection: keep-alive
Date: Tue, 31 Oct 2017 02:35:49 GMT
Last-Modified: Tue, 31 Oct 2017 02:35:49 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache2.l2et15[127,200-0,M], cache1.l2et15[128,0], kunlun6.cn250[0,200-0,H], kunlun2.cn250[1,0]
Age: 2202
X-Cache: HIT TCP_MEM_HIT dirn:9:487013221 mlen:-1
X-Swift-SaveTime: Tue, 31 Oct 2017 02:35:49 GMT
X-Swift-CacheTime: 5400
Timing-Allow-Origin: *
EagleId: 7ae44a8915094195511373039e
(function(){function k(){this.c="1252975436";this.ca="z";this.Z="pic";this.W="";this.Y="";this.C="1509417349";this.aa="z5.cnzz.com";this.X="";this.G="CNZZDATA"+this.c;this.F="_CNZZDbridge_"+this.c;this.P="_cnzz_CV"+this.c;this.R="CZ_UUID"+this.c;this.L="UM_distinctid";this.H="0";this.K={};this.a={};this.Aa()}
function g(a,b){try{var c=[];c.push("siteid=1252975436");c.push("name="+f(a.name));c.push("msg="+f(a.message));c.push("r="+f(h.referrer));c.push("page="+f(e.location.href));c.push("agent="+f(e.navigator.userAgent));c.push("ex="+f(b));c.push("rnd="+Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?"+c.join("&")}catch(d){}}
var h=document,e=window,f=encodeURIComponent,m=decodeURIComponent,r=unescape;
k.prototype={Aa:function(){try{this.ja(),this.V(),this.wa(),this.T(),this.za(),this.w(),this.ua(),this.ta(),this.xa(),this.o(),this.sa(),this.va(),this.ya(),this.qa(),this.oa(),this.ra(),this.Ea(),e[this.F]=e[this.F]||{},this.pa("_cnzz_CV")}catch(a){g(a,"i failed")}},
Ca:function(){try{var a=this;e._czc={push:function(){return a.M.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},
oa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b++){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},
Ea:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===t

<<< skipped >>>

GET /17287617.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1969
Content-Type: application/x-javascript
Last-Modified: Thu, 08 Jun 2017 08:15:51 GMT
Accept-Ranges: bytes
ETag: "6a45f712fe0d21:6545"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 31 Oct 2017 03:12:31 GMT
Connection: close
document.write ('<a href="hXXps://VVV.51.la/?17287617" target="_blank" title="51.La 网站流量统计系统"><img alt="51.La 网站流量统计系统" src="//icon.users.51.la/icon_11.gif" style="border:none" /></a>\n');
var a7617tf="51la";var a7617pu="";var a7617pf="51la";var a7617su=window.location;var a7617sf=document.referrer;var a7617of="";var a7617op="";var a7617ops=1;var a7617ot=1;var a7617d=new Date();var a7617color="";if (navigator.appName=="Netscape"){a7617color=screen.pixelDepth;} else {a7617color=screen.colorDepth;}
try{a7617tf=top.document.referrer;}catch(e){}
try{a7617pu =window.parent.location;}catch(e){}
try{a7617pf=window.parent.document.referrer;}catch(e){}
try{a7617ops=document.cookie.match(new RegExp("(^| )a7617_pages=([^;]*)(;|$)"));a7617ops=(a7617ops==null)?1: (parseInt(unescape((a7617ops)[2]))+1);var a7617oe =new Date();a7617oe.setTime(a7617oe.getTime()+60*60*1000);document.cookie="a7617_pages="+a7617ops+";path=/;expires="+a7617oe.toGMTString();a7617ot=document.cookie.match(new RegExp("(^| )a7617_times=([^;]*)(;|$)"));if(a7617ot==null){a7617ot=1;}else{a7617ot=parseInt(unescape((a7617ot)[2])); a7617ot=(a7617ops==1)?(a7617ot+1):(a7617ot);}a7617oe.setTime(a7617oe.getTime()+365*24*60*60*1000);document.cookie="a7617_times="+a7617ot+";path=/;expires="+a7617oe.toGMTString();}catch(e){}
try{if(document.cookie==""){a7617ops=-1;a7617ot=-1;}}catch(e){}
a7617of=a7617sf;if(a7617pf!=="51la"){a7617o

<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Referer: hXXp://y.gutousoft.com
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: y.gutousoft.com
Cache-Control: no-cache


HTTP/1.1 302 Found
Date: Tue, 31 Oct 2017 03:12:31 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=61a858e242a537466688989dfa799cd3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: hXXp://gutou.cc/sale.php
Content-Length: 0
Content-Type: text/html;charset=utf-8


GET /up/tongji.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.gutou.cc
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 31 Oct 2017 03:12:29 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
Last-Modified: Sat, 04 Jul 2015 23:52:47 GMT
ETag: "3b8-51a155e94d1c0"
Accept-Ranges: bytes
Content-Length: 952
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>tongji</title>
</head>
<script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? " https://" : " hXXp://");document.write(unescape(""));</script>
<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/17287617.js"></script>
<noscript><a href="hXXp://VVV.51.la/?17287617" target="_blank"><img alt="我要啦免费统计" src="hXXp://img.users.51.la/17287617.asp" style="border:none" /></a></noscript>
<body>
</body>
</html>

[The dump repeats this response verbatim; the repeat is omitted here. The page is a bare tracking stub: it loads the cnzz.com and 51.la counters (the document.write(unescape("")) argument is empty in the dump) and is what produces the Temporary Internet Files, cookie files and tracker requests listed elsewhere in this report.]

GET /icon_11.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: icon.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 913
Content-Type: image/gif
Last-Modified: Fri, 26 May 2006 14:21:40 GMT
Accept-Ranges: bytes
ETag: "0f268b4cf80c61:962"
Server: Microsoft-IIS/6.0
Date: Tue, 31 Oct 2017 03:12:45 GMT
Connection: close
[913-byte GIF89a body: an animated GIF (NETSCAPE2.0 loop extension); binary omitted.]


GET / HTTP/1.1
Accept: */*
Referer: hXXp://vip.gutou.cc
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: vip.gutou.cc
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: hXXp://gutou.cc/sale.php
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=vrdjbfm4a5cgqimdq1tt6aei76; path=/
X-Powered-By: ASP.NET
Date: Tue, 31 Oct 2017 03:12:31 GMT
Connection: close
Content-Length: 0


GET /go.asp?svid=11&id=17287617&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://VVV.gutou.cc/up/tongji.htm#shanchushuoshuo&vvtime=1509419555808 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: web.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Expires: Mon, 30 Oct 2017 10:32:44 GMT
Server: Microsoft-IIS/8.5
Date: Tue, 31 Oct 2017 03:12:43 GMT
Content-Length: 0
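As an added triage example (my code, not part of the Lavasoft report), the requests above come from two different HTTP clients. The ones to gutousoft.com and gutou.cc carry the "MSIE 9.0" User-Agent that also appears verbatim in the strings dump (next to "WinHttp.WinHttpRequest.5.1"), a Content-Type header on a body-less GET, no Accept-Encoding, a Referer equal to their own origin and a zh-cn locale on an en-US sandbox; the tongji.htm page load and the tracker fetches carry the full IE7/Trident User-Agent of the embedded browser control. The script scores those traits over constructed copies of four of the requests (header values copied from the captures; nothing else added). The trait list, the two-trait threshold and the last-two-labels domain rule are my assumptions.

```python
from dataclasses import dataclass

# Literal recovered from the process dump: the User-Agent the binary itself sends.
HARDCODED_UA = "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
# User-Agent of the sandbox's IE control, as seen on the tongji.htm page load.
IE_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; "
         ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; "
         ".NET4.0E; .NET4.0C)")
# Web-analytics hosts in the capture that are not operator infrastructure.
TRACKER_SUFFIXES = ("cnzz.com", "51.la", "tbcache.com", "mmstat.com")


@dataclass
class Request:
    method: str
    path: str
    headers: dict


# Constructed reproductions of four requests from the Traffic section above.
SAMPLE_REQUESTS = [
    Request("GET", "/公共软件下载/骨头QQ说说批量删除软件.txt", {
        "Connection": "Keep-Alive", "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "*/*", "Accept-Language": "zh-cn",
        "Referer": "http://d.gutousoft.com/公共软件下载/骨头QQ说说批量删除软件.txt",
        "User-Agent": HARDCODED_UA, "Host": "d.gutousoft.com"}),
    Request("GET", "/", {
        "Accept": "*/*", "Referer": "http://y.gutousoft.com", "Accept-Language": "zh-cn",
        "Content-Type": "application/x-www-form-urlencoded", "User-Agent": HARDCODED_UA,
        "Host": "y.gutousoft.com", "Cache-Control": "no-cache"}),
    Request("GET", "/up/tongji.htm", {
        "Accept": "*/*", "Accept-Language": "en-US", "Accept-Encoding": "gzip, deflate",
        "User-Agent": IE_UA, "Host": "www.gutou.cc", "Connection": "Keep-Alive"}),
    Request("GET", "/stat.php?id=1252975436&show=pic", {
        "Accept": "*/*", "Referer": "http://www.gutou.cc/up/tongji.htm",
        "Accept-Language": "en-US", "Accept-Encoding": "gzip, deflate",
        "User-Agent": IE_UA, "Host": "s23.cnzz.com", "Connection": "Keep-Alive"}),
]


def origin_host(url: str) -> str:
    """Host part of an absolute URL ('http://h/p' -> 'h'); '' if not absolute."""
    if "//" not in url:
        return ""
    return url.split("//", 1)[1].split("/", 1)[0]


def client_traits(req: Request, system_locale: str = "en-us") -> list:
    """Traits separating a hand-rolled client (WinHttpRequest with headers set by the
    program) from the embedded browser control. Each hit is one human-readable reason."""
    h = {k.lower(): v for k, v in req.headers.items()}
    traits = []
    if h.get("user-agent") == HARDCODED_UA:
        traits.append("User-Agent equals the literal found in the binary")
    if req.method == "GET" and "content-type" in h:
        traits.append("Content-Type on a body-less GET (set unconditionally by the client code)")
    if "accept-encoding" not in h:
        traits.append("no Accept-Encoding (the IE control always offers gzip, deflate)")
    ref = origin_host(h.get("referer", ""))
    if ref and ref == h.get("host"):
        traits.append("Referer is the request's own origin (self-referrer)")
    if h.get("accept-language", "").lower() not in ("", system_locale):
        traits.append(f"Accept-Language {h['accept-language']} differs from system locale {system_locale}")
    return traits


def classify(requests, system_locale: str = "en-us", min_traits: int = 2) -> dict:
    """Bucket requests as 'binary' (the sample's own client), 'tracker' (third-party
    analytics loaded by the embedded page) or 'browser' (everything else)."""
    buckets = {"binary": [], "tracker": [], "browser": []}
    for r in requests:
        host = r.headers.get("Host", "")
        traits = client_traits(r, system_locale)
        if len(traits) >= min_traits:
            buckets["binary"].append((host, r.path, traits))
        elif host.endswith(TRACKER_SUFFIXES):
            buckets["tracker"].append((host, r.path))
        else:
            buckets["browser"].append((host, r.path))
    return buckets


def first_party_domains(requests) -> set:
    """Registered domains the sample contacts, trackers excluded: the names worth
    blocking or hunting for in proxy logs. Last-two-labels rule (assumption; wrong
    for public suffixes such as co.uk)."""
    out = set()
    for r in requests:
        host = r.headers.get("Host", "")
        if host and not host.endswith(TRACKER_SUFFIXES):
            out.add(".".join(host.rsplit(".", 2)[-2:]))
    return out


if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_REQUESTS).items():
        print(bucket, [i[0] for i in items])
    print("first-party:", sorted(first_party_domains(SAMPLE_REQUESTS)))
```

For hunting, the combination of the hard-coded User-Agent string with a Content-Type header on GET is the specific signature; the User-Agent alone also matches legitimate IE9 traffic.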


The Trojan connects to the servers at the following location(s): see the URL table above.

Strings from Dumps

%original file name%.exe_2028:

`.rsrc
t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
Jiu2.iu
Siua ku~Dku2.iu@
oleaut32.dll
kernel32.dll
wininet.dll
shlwapi.dll
ole32.dll
gdiplus.dll
user32.dll
GdiPlus.dll
Kernel32.dll
dbghelp.dll
classification_dll.dll
GetProcessHeap
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
CreateIoCompletionPort
{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}
42305932-06E6-47a5-AC79-8BDCDC58DF61
h5.qzone.qq.com
; p_skey=
; skey=
hXXps://
skey=
p_skey=
hXXp://r.pengyou.com/fcg-bin/cgi_get_portrait.fcg?uins=
hXXp://q.qlogo.cn/g?b=qq&nk=
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
hXXp://user.qzone.qq.com/
hXXp://user.qzone.qq.com/88882222
.substr(
hXXp://qzone.qq.com/
location = 'url'
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\*.txt
scripting.FileSystemObject
%Documents and Settings%\IBM\Cookies\*.txt
Comet.WndShadow
Comet.WndShadow.Color
Comet.WndShadow.Size
Comet.WndShadow.Proc
SysShadow
@6.7.9
hXXp://d.gutousoft.com/公共软件下载/骨头QQ说说批量删除软件.txt
gutou.cc
C:\.rand
@1970-01-01 08:00:00
.down
hXXp://m.gutousoft.com/down/
classification_dll.dll|957725797956784e068b810f08a07dca
libgcc_s_sjlj-1.dll|b7eeff5907e7d08eca94ca41501b2afd
libgfortran-3.dll|564143a64a70fd4e7dd6b084b7d17ad7
libopenblas.dll|9e5b61e47964f7788b8abbed165d97c1
libquadmath-0.dll|3354b9256750a6b7d97ba30b4ad00717
Tencent4.caffemodel|5b2384014f1b65f0efb47e0428f75c2a
Tencent4.prototxt|02c576c7cdd3a49d4629454a325bbf44
@ping 127.0.0.1 -n
del Restart.bat
\Restart.bat
hXXp://gutou.cc/sale.php#tag92
hXXp://
sale.php?
sale.php#
hXXp://vip.gutou.cc
vip.gutou.cc
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
https
hXXp://y.gutousoft.com
y.gutousoft.com
keye
\data\setsoft.ini
281507611
qzreferrer=http://user.qzone.qq.com/
hXXp://h5.qzone.qq.com/proxy/domain/taotao.qzone.qq.com/cgi-bin/emotion_cgi_delete_v6?g_tk=
hXXp://captcha.qq.com/getimage?aid=8000102&r=0.
\data\yzm.jpg
hXXp://h5.qzone.qq.com/proxy/domain/taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=
msglist
1970.01.01 08:00:00
hXXp://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzgwMDA5NDc0MF80MzUxMjhfODAwMDk0NzQwXzJf
hXXp://gutou.cc
update.temp
b@.bak
hXXp://VVV.gutou.cc
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
hXXp://m.gutousoft.com/20170911/
Tencent4.prototxt
Tencent4.caffemodel
report.php?card=
@point.php?card=
getcode.php?k=
hXXp://VVV.gutou.cc/up/tongji.htm#shanchushuoshuo
07795EB9-2A88-4c87-9406-497851B5C5CE-ABHGDDCHJGC
pz?F%F
312BB368-B477-4ecc-BB39-D644A44B8ECFL
214821178
F9F51895-6A82-4012-A380-31BE87C35394
ExSkinEditWindows$
90B33367-8DC7-4fe9-9368-D4D8BADADC2C
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?daid=5&ptredirect=1&proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&pt_no_auth=1&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&pt_qr_app=
&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.htmlappid=15004501&target=self&f_url=http://cm.qzs.qq.com/ac/qzone/login/error.html&s_url=http://cm.qzs.qq.com/ac/qzone/login/succ.html
A46CAE6A-3EFD-48dc-9E3C-CA251E75E97A
C7DA8792-CB01-4104-8EF5-E08965E12F3C
9D9BB417-6C84-4da0-8B40-D60E4191750B
73C0558A-EC75-4af4-AE00-26C2F3091309
GuTou.Cc
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
__MSVCRT_HEAP_SELECT
GDI32.dll
USER32.dll
KERNEL32.dll
IMM32.dll
ShellExecuteA
SHELL32.dll
SHLWAPI.dll
WINMM.dll
GetCPInfo
exui.dll
1.2.18
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
phlpapi.dll
MPR.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
\u00%c%c
json_tokener_parse_ex: error %s at offset %d
json_tokener_comment: %s
HTTP HTTPS.
VVV.dywt.com.cn
Service Pack %d
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows ??
Windows Millenium Edition
Windows 98 Second Edition
Windows 98 SP1
Windows 98
Windows 95 OSR2
Windows 95 SP1
Windows 95
Windows CE
Windows
Microsoft Windows Me
Microsoft Windows 98
Microsoft Windows 95
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT
KERNEL32.DLL
(*.htm;*.html)|*.htm;*.html
10FE000C-ACC4-4d21-BF4D-135DEAAB9175
ex_ui keye
msimg32.dll
F9527F43-AC13-4b6e-B923-C9011E3FE5DC
2A947078-BC9C-48e7-BF4C-A8BD831117C84
C4F42B3E-E268-4841-B178-410077863BF9
VVV.meitu.com
937C8B4E-863C-4915-98DB-1AB7FFC3F0BFL
ryxzxzw@163.com QQ 1060943567 QQ
1:128623809
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
diTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:8D7CB70293206811822AD538802860B2" xmpMM:DocumentID="xmp.did:C81E1B0B7A6711E28A59F49ABC758CF6" xmpMM:InstanceID="xmp.iid:C81E1B0A7A6711E28A59F49ABC758CF6" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9EA5B885657AE211B696CBD6FE121BFB" stRef:documentID="xmp.did:8D7CB70293206811822AD538802860B2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
(Four further Adobe XMP packets from embedded Photoshop CS5 image resources follow, identical to the one above except for the xmpMM:DocumentID / xmpMM:InstanceID pair: xmp.did:C81E1B0F7A6711E28A59F49ABC758CF6 / xmp.iid:C81E1B0E7A6711E28A59F49ABC758CF6; xmp.did:C86695B87A6711E28A59F49ABC758CF6 / xmp.iid:C86695B77A6711E28A59F49ABC758CF6; xmp.did:C86695BC7A6711E28A59F49ABC758CF6 / xmp.iid:C86695BB7A6711E28A59F49ABC758CF6; xmp.did:C86695C07A6711E28A59F49ABC758CF6 / xmp.iid:C86695BF7A6711E28A59F49ABC758CF6.)
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:8D7CB70293206811822AD538802860B2" xmpMM:DocumentID="xmp.did:C8A76F497A6711E28A59F49ABC758CF6" xmpMM:InstanceID="xmp.iid:C8A76F487A6711E28A59F49ABC758CF6" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9EA5B885657AE211B696CBD6FE121BFB" stRef:documentID="xmp.did:8D7CB70293206811822AD538802860B2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>]
015621FD-C063-4706-B16E-A8877DC952E1
0FE5D74C-29B7-4980-BC1D-70650F50AA2E
2747873D-7005-4c4e-AAD9-25D85698EFEE
45D194E9-0244-4ea9-8751-813ACF85EEEF
\wke.dll
\lib\ex_ui\wke.dll
C:\exui
wke.dll
D:\exui
\lib\ex_ui\wke.dll)
wke.dll
4F4232B4-AE1B-449c-BF6F-1B3DD0351CBF
FB3DADD5-3E2F-48eb-BD31-AA43D142DA77
vk=15vd=9999vx=0vv= vi=-3}{vt=v?=2vs=
vk=10vd=12vx=1vv= vi=-3}{vt=v?=31vs=
vk=10vd=31vx=1vv= vi=-3}
E53BD398-631F-443d-A550-89085D2E46A6D
gdi32.dll
lib\ex_ui\AttributeEditorexui.dll
Ole32.dll
imm32.dll
shell32.dll
GetAsyncKeyState
EnumChildWindows
wkeKeyDown
wkeKeyUp
wkeCreateWebView
wkeGlobalExec
wkeLoadURLW
wkeDestroyWebView
wkeKeyPress
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
zcÁ
c:\%original file name%.exe
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
;3 #>6.&
'2, / 0&7!4-)1#
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.0
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
<Msg%s>%ld</Msg%s>
0000%d
</Msg0000>
<Msg0000>
EMSG
Recv Sub Packet(%s)..
Recv Packet (%s)...
<Msg0001>4</Msg0001>%s
hXXp://VVV.eyuyan.com
service@dywt.com.cn
 86(0411)39895834
 86(0411)39895831
This is a runtime library file for EPL applications. The EPL is a software development environment. For details please visit VVV.dywt.com.cn/info
DelAllKeyValues
DelKeyValue
GetAllKeys
GetKeyValue
AddKeyValue
DSGetErrMsg
BiTreeGetCurNodeKey
ListGetCurNodeKey
ListUpdateNodeFromKey
ListRemoveNodeFromKey
edatastructure_fnMapDelAllKeyValues
edatastructure_fnMapDelKeyValue
edatastructure_fnMapGetAllKeys
edatastructure_fnMapGetKeyValue
edatastructure_fnMapAddKeyValue
edatastructure_fnBiTreeGetCurNodeKey
edatastructure_fnListGetCurNodeKey
edatastructure_fnListUpdateNodeFromKey
edatastructure_fnListRemoveNodeFromKey
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
right-curly-bracket
left-curly-bracket
0123456789
#include "l.chs\afxres.rc" // Standard components
WinExec
GetWindowsDirectoryA
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
GetViewportOrgEx
GetViewportExtEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
GetKeyState
GetKeyboardLayout
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
.rsrc
SqlM
e"gKey!
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
ADVAPI32.dll
AVIFIL32.dll
COMCTL32.dll
comdlg32.dll
MSVFW32.dll
OLEAUT32.dll
oledlg.dll
RASAPI32.dll
VERSION.dll
WININET.dll
winmm.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)

%original file name%.exe_2028_rwx_00401000_00531000:

t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
Jiu2.iu
Siua ku~Dku2.iu@
oleaut32.dll
kernel32.dll
wininet.dll
shlwapi.dll
ole32.dll
gdiplus.dll
user32.dll
GdiPlus.dll
Kernel32.dll
dbghelp.dll
classification_dll.dll
GetProcessHeap
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
CreateIoCompletionPort
{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}
42305932-06E6-47a5-AC79-8BDCDC58DF61
h5.qzone.qq.com
; p_skey=
; skey=
hXXps://
skey=
p_skey=
hXXp://r.pengyou.com/fcg-bin/cgi_get_portrait.fcg?uins=
hXXp://q.qlogo.cn/g?b=qq&nk=
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
hXXp://user.qzone.qq.com/
hXXp://user.qzone.qq.com/88882222
.substr(
hXXp://qzone.qq.com/
location = 'url'
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\*.txt
scripting.FileSystemObject
%Documents and Settings%\IBM\Cookies\*.txt
Comet.WndShadow
Comet.WndShadow.Color
Comet.WndShadow.Size
Comet.WndShadow.Proc
SysShadow
@6.7.9
hXXp://d.gutousoft.com/公共软件下载/骨头QQ说说批量删除软件.txt
gutou.cc
C:\.rand
@1970-01-01 08:00:00
.down
hXXp://m.gutousoft.com/down/
classification_dll.dll|957725797956784e068b810f08a07dca
libgcc_s_sjlj-1.dll|b7eeff5907e7d08eca94ca41501b2afd
libgfortran-3.dll|564143a64a70fd4e7dd6b084b7d17ad7
libopenblas.dll|9e5b61e47964f7788b8abbed165d97c1
libquadmath-0.dll|3354b9256750a6b7d97ba30b4ad00717
Tencent4.caffemodel|5b2384014f1b65f0efb47e0428f75c2a
Tencent4.prototxt|02c576c7cdd3a49d4629454a325bbf44
@ping 127.0.0.1 -n
del Restart.bat
\Restart.bat
hXXp://gutou.cc/sale.php#tag92
hXXp://
sale.php?
sale.php#
hXXp://vip.gutou.cc
vip.gutou.cc
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
https
hXXp://y.gutousoft.com
y.gutousoft.com
keye
\data\setsoft.ini
281507611
qzreferrer=http://user.qzone.qq.com/
hXXp://h5.qzone.qq.com/proxy/domain/taotao.qzone.qq.com/cgi-bin/emotion_cgi_delete_v6?g_tk=
hXXp://captcha.qq.com/getimage?aid=8000102&r=0.
\data\yzm.jpg
hXXp://h5.qzone.qq.com/proxy/domain/taotao.qq.com/cgi-bin/emotion_cgi_msglist_v6?uin=
msglist
1970.01.01 08:00:00
hXXp://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzgwMDA5NDc0MF80MzUxMjhfODAwMDk0NzQwXzJf
hXXp://gutou.cc
update.temp
b@.bak
hXXp://VVV.gutou.cc
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
hXXp://m.gutousoft.com/20170911/
Tencent4.prototxt
Tencent4.caffemodel
report.php?card=
@point.php?card=
getcode.php?k=
hXXp://VVV.gutou.cc/up/tongji.htm#shanchushuoshuo
07795EB9-2A88-4c87-9406-497851B5C5CE-ABHGDDCHJGC
pz?F%F
312BB368-B477-4ecc-BB39-D644A44B8ECFL
214821178
F9F51895-6A82-4012-A380-31BE87C35394
ExSkinEditWindows$
90B33367-8DC7-4fe9-9368-D4D8BADADC2C
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?daid=5&ptredirect=1&proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&pt_no_auth=1&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&pt_qr_app=
&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.htmlappid=15004501&target=self&f_url=http://cm.qzs.qq.com/ac/qzone/login/error.html&s_url=http://cm.qzs.qq.com/ac/qzone/login/succ.html
A46CAE6A-3EFD-48dc-9E3C-CA251E75E97A
C7DA8792-CB01-4104-8EF5-E08965E12F3C
9D9BB417-6C84-4da0-8B40-D60E4191750B
73C0558A-EC75-4af4-AE00-26C2F3091309
GuTou.Cc
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
__MSVCRT_HEAP_SELECT
GDI32.dll
USER32.dll
KERNEL32.dll
IMM32.dll
ShellExecuteA
SHELL32.dll
SHLWAPI.dll
WINMM.dll
GetCPInfo
exui.dll
1.2.18
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
phlpapi.dll
MPR.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
\u00%c%c
json_tokener_parse_ex: error %s at offset %d
json_tokener_comment: %s
HTTP HTTPS.
VVV.dywt.com.cn
Service Pack %d
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows ??
Windows Millenium Edition
Windows 98 Second Edition
Windows 98 SP1
Windows 98
Windows 95 OSR2
Windows 95 SP1
Windows 95
Windows CE
Windows
Microsoft Windows Me
Microsoft Windows 98
Microsoft Windows 95
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT
KERNEL32.DLL


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PYRD29GF.txt (115 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\HM4G8Q2E.txt (131 bytes)
    C:\.rand (13 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\icon_11[1].gif (913 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stat[1].htm (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\pic[1].gif (719 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\MO6Y63NS.txt (411 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\17287617[1].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\tongji[1].htm (952 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\N4LUYIJ2.txt (263 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].js (2663 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\core[1].js (765 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
