Trojan.Win32.FlyStudio_c1ccb52a21
Trojan.Generic.17861907 (BitDefender), UDS:DangerousObject.Multi.Generic (Kaspersky), Trojan.Win32.Generic.pak!cobra (VIPRE), Trojan.DownLoad3.42983 (DrWeb), Trojan.Generic.17861907 (B) (Emsisoft), Artemis!C1CCB52A21CD (McAfee), Trojan.Gen (Symantec), Trojan.Win32.QQWare (Ikarus), Trojan.Generic.17861907 (FSecure), Win32:Malware-gen (Avast), TROJ_GEN.R00JC0OGP16 (TrendMicro), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, VirTool, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c1ccb52a21cde445ddbd4e9fb081cb22
SHA1: 1b61c2c30390f5cce284bc63af3f23f343d44ad6
SHA256: ff5be99bf552ecc3e7e915afae519f010b6858b30aa676c41206bc76cf9285d1
SSDeep: 24576:Dndt1nHVlZqobkMDD80WcnoLIS1biS7ncLvnRJNG4sRup6A8VL6peXw:BHWMP5oIS1b57cLvnfNGloB8F6YX
Size: 1054208 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Oracle Corporation
Created at: 2016-07-15 14:14:29
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. This flag comes from the GenericEmailWorm.YR signature match listed above; the captured session contains only HTTP traffic and no mail activity, so treat it as a static verdict rather than observed behaviour. |
Process activity
The Trojan creates the following process(es):
%original file name%.exe:272
The Trojan injects its code into the following process(es), i.e. into a second instance of its own image (the pattern behind the VirTool.Win32.DelfInject verdict above; pid 868 is the instance that performs the file and network activity below):
%original file name%.exe:868
Mutexes
The following mutexes were created/opened (apart from ini_read_write, these are the standard mutexes that WinInet, the IE cache, RAS and the CTF text-services framework create in any process that uses them, so they do not identify this sample):
ShimCacheMutex
RasPbFile
ini_read_write
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetStartupMutex
WininetConnectionMutex
WininetProxyRegistryMutex
ZonesCacheCounterMutex
ZonesCounterMutex
ZonesLockedCacheCounterMutex
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
File activity
The process %original file name%.exe:868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\core[1].php (765 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon_11[1].gif (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tongji[1].htm (952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pic[1].gif (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (352 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
The process %original file name%.exe:272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\%original file name%.exe (7433 bytes)
Registry activity
The process %original file name%.exe:868 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the Internet Settings cache paths, Shell Folders, Cryptography\RNG Seed and SavedLegacySettings entries are written by WinInet and the shell as side effects of the HTTP calls; no Run key, service or other autostart entry appears in this trace):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 85 9F A8 39 90 28 39 01 86 CB 17 17 96 23 7F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the IE Intranet Zone option "Include all network paths (UNCs)":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE Intranet Zone option "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE Intranet Zone option "Include all local (intranet) sites not listed in other zones" (dotless host names):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The three ZoneMap values are the Windows XP defaults that WinInet writes when it first initializes the zone map, so by themselves they do not loosen zone security.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the MountPoints2 BaseClass entries and Shell Folders values are written by the shell when drives and folders are enumerated; again no autostart entry appears):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 40 4B 1D 4A 32 CB D1 C0 D5 61 96 43 36 88 BF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"%original file name%.exe" = "c1ccb52a21cde445ddbd4e9fb081cb22"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets the IE Intranet Zone option "Include all local (intranet) sites not listed in other zones" (dotless host names):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan sets the IE Intranet Zone option "Include all network paths (UNCs)":
"UNCAsIntranet" = "1"
The Trojan sets the IE Intranet Zone option "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
These are the Windows XP default ZoneMap values that WinInet writes on first use, not a loosening of zone security.
Dropped PE files
| MD5 | File path |
|---|---|
| 5715267f6e951b7571ef946eebdde536 | c:\%original file name%.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 3842048 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 3846144 | 1036288 | 1032704 | 5.47808 | 514a3ff592d40a7164c3ed13dfd227fa |
| .rsrc | 4882432 | 20480 | 20480 | 3.73876 | d2a26a09d835a5d5cfa3969681986a5c |
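The UPX0 row above (raw size 0, virtual size 3842048, entropy 0) is the packer's reserved unpacking region, and the PEiD hit UPolyX means the UPX stub has been scrambled, so a plain `upx -d` will usually refuse the file. The Python below is an added triage helper, not part of the Lavasoft report or of the sample: it parses a PE section table with `struct`, computes per-section Shannon entropy, and applies the two heuristics just described. The PE image it runs on is constructed in memory to mirror this page's section layout (same names, virtual addresses and sizes); the section bodies are synthetic, so their entropies differ from the table.

```python
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for an empty body, which is what the UPX0 row reports."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        body = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(body), 2),
        })
    return sections


def packer_indicators(sections):
    """Heuristics a triage script applies to a section table like the one above."""
    findings = []
    names = {s["name"] for s in sections}
    if {"UPX0", "UPX1"} <= names:
        findings.append("UPX section names present (PEiD/UPolyX: stub may be scrambled)")
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: no raw data but {s['vsize']} bytes virtual "
                            "(memory reserved for unpacking)")
        elif s["entropy"] >= 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted)")
    return findings


def build_sample_image() -> bytes:
    """Constructed minimal PE mirroring this report's section layout; bodies are synthetic."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                # e_lfanew -> PE signature
    layout = [  # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData)
        (b"UPX0", 0x001000, 3842048, 0, 0),
        (b"UPX1", 0x3AB000, 1036288, 1024, 512),
        (b".rsrc", 0x4A8000, 20480, 1024, 1536),
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic; rest left zeroed
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, va, vs, rs, rp in layout)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(512, b"\0")
    upx1_body = bytes(range(256)) * 4                    # uniform bytes: 8.0 bits/byte
    rsrc_body = b"\0" * 512 + b"A" * 512                 # two symbols: 1.0 bit/byte
    return headers + upx1_body + rsrc_body


if __name__ == "__main__":
    secs = parse_sections(build_sample_image())
    for s in secs:
        print(s)
    for line in packer_indicators(secs):
        print(line)
```

On a real file, replace build_sample_image() with the bytes of the file; the parser only needs the headers and the raw section ranges, so it also works on a truncated download like the one in the Traffic section as long as the section table is intact.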
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://d.gutousoft.com/公共软件下载/骨头QQ相册批量下载器专业版.txt | |
| hxxp://d.gutousoft.com/公共软件下载/骨头QQ相册批量下载器专业版.exe | |
| hxxp://vip.gutou.cc/ | |
| hxxp://d.gutousoft.com/up/tongji.htm | |
| hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1252975436&show=pic | |
| hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1252975436&show=pic&t=z | |
| hxxp://all.cnzz.com.danuoyi.tbcache.com/img/pic.gif | |
| hxxp://z.gds.cnzz.com/stat.htm?id=1252975436&r=&lg=en-us&ntime=none&cnzz_eid=341619600-1470206171-&showp=1276x846&p=http://www.gutou.cc/up/tongji.htm#xiangcexiazai_V11.1&t=tongji&h=1&rnd=1317160113 | |
| hxxp://js.users.51.la/17287617.js | |
| hxxp://icon.51.la/icon_11.gif | |
| hxxp://icon.cnzz.com/img/pic.gif | |
| hxxp://y.gutousoft.com/ | |
| hxxp://c.cnzz.com/core.php?web_id=1252975436&show=pic&t=z | |
| hxxp://s23.cnzz.com/stat.php?id=1252975436&show=pic | |
| hxxp://www.gutou.cc/up/tongji.htm | |
| hxxp://z5.cnzz.com/stat.htm?id=1252975436&r=&lg=en-us&ntime=none&cnzz_eid=341619600-1470206171-&showp=1276x846&p=http://www.gutou.cc/up/tongji.htm#xiangcexiazai_V11.1&t=tongji&h=1&rnd=1317160113 | |
| web.51.la | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY HTTP Request on Unusual Port Possibly Hostile
The two User-Agent alerts correspond to the executable download below (User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) to d.gutousoft.com). The VMProtect and JMP-to-CALL shellcode rules most likely fired on that inbound executable body, whose section names in the dump are UPX0/UPX1, so read them as "packed binary inbound" rather than as a VMProtect identification. None of the captured requests shows a non-standard port, so the unusual-port alert cannot be tied to a specific request on this page.
Traffic
GET /stat.htm?id=1252975436&r=&lg=en-us&ntime=none&cnzz_eid=341619600-1470206171-&showp=1276x846&p=http://VVV.gutou.cc/up/tongji.htm#xiangcexiazai_V11.1&t=tongji&h=1&rnd=1317160113 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: z5.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 03 Aug 2016 08:04:47 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Thu, 16 Apr 2015 02:22:34 GMT
Connection: close
Accept-Ranges: bytes
<<< binary body skipped: 43-byte GIF89a tracking pixel >>>
GET /up/tongji.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gutou.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2016 08:04:42 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
Last-Modified: Sat, 04 Jul 2015 23:52:47 GMT
ETag: "3b8-51a155e94d1c0"
Accept-Ranges: bytes
Content-Length: 952
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>tongji</title>
</head>
<script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? " https://" : " hXXp://");document.write(unescape(""));</script>
<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/17287617.js"></script>
<noscript><a href="hXXp://VVV.51.la/?17287617" target="_blank"><img alt="我要啦免费统计" src="hXXp://img.users.51.la/17287617.asp" style="border:none" /></a></noscript>
<body>
</body>
</html>
GET /stat.php?id=1252975436&show=pic HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s23.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 9944
Connection: keep-alive
Date: Wed, 03 Aug 2016 06:36:11 GMT
Last-Modified: Wed, 03 Aug 2016 06:36:11 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache2.l2et15[0,200-0,H], cache11.l2et15[1,0], kunlun9.cn44[0,200-0,H], kunlun10.cn44[1,0]
Age: 5312
X-Cache: HIT TCP_MEM_HIT dirn:10:462487798
X-Swift-SaveTime: Wed, 03 Aug 2016 07:20:34 GMT
X-Swift-CacheTime: 2737
Timing-Allow-Origin: *
EagleId: 7522074a14702114834724174e

(function(){function k(){this.c="1252975436";this.R="z";this.N="pic";this.K="";this.M="";this.r="1470206171";this.P="z5.cnzz.com";this.L="";this.u="CNZZDATA"+this.c;this.t="_CNZZDbridge_"+this.c;this.F="_cnzz_CV"+this.c;this.G="CZ_UUID"+this.c;this.v="0";this.A={};this.a={};this.la()}function g(a,b){try{var c=[];c.push("siteid=1252975436");c.push("name="+f(a.name));c.push("msg="+f(a.message));c.push("r="+f(h.referrer));c.push("page="+f(e.location.href));c.push("agent="+f(e.navigator.userAgent));c.push("ex="+f(b));c.push("rnd="+Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?"+c.join("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComponent,n=unescape;k.prototype={la:function(){try{this.U(),this.J(),this.ia(),this.H(),this.o(),this.ga(),this.fa(),this.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.pa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},na:function(){try{var a=this;e._czc={push:function(){return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b++){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},pa:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){e._cz_account=this.c;if("[obj<<< skipped >>>
GET /公共软件下载/骨头QQ相册批量下载器专业版.exe HTTP/1.1
Host: d.gutousoft.com
Accept: */*
Referer: hXXp://d.gutousoft.com/公共软件下载
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Cache-Control: no-cache
Connection: close
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2016 08:04:27 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
Last-Modified: Tue, 02 Aug 2016 23:36:32 GMT
ETag: "101400-5391f2fc8a000"
Accept-Ranges: bytes
Content-Length: 1053696
Connection: close
Content-Type: application/x-msdownload
<<< binary body skipped: MZ/PE executable (Content-Length 1053696); the raw dump shows the section names UPX0 and UPX1 and a "3.07.UPX!" packer signature >>>
GET /img/pic.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: image/gif
Content-Length: 719
Connection: keep-alive
Date: Tue, 02 Aug 2016 01:48:54 GMT
Last-Modified: Fri, 16 Jan 2009 08:10:47 GMT
Expires: Wed, 03 Aug 2016 01:48:54 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
Via: cache19.l2cm12-1[0,304-0,H], cache39.l2cm12-1[0,0], kunlun10.cn249[0,200-0,H], kunlun10.cn249[0,0]
Age: 108953
X-Cache: HIT TCP_MEM_HIT dirn:2:398605580
X-Swift-SaveTime: Tue, 02 Aug 2016 13:51:49 GMT
X-Swift-CacheTime: 86400
Timing-Allow-Origin: *
EagleId: 2a51040a14702114870465215e
<<< binary body skipped: 719-byte GIF89a image (NETSCAPE2.0 animation block, "Powered by AFEI" comment); the capture repeats this response once >>>
GET / HTTP/1.1
Accept: */*
Referer: hXXp://vip.gutou.cc
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: vip.gutou.cc
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: hXXp://gutou.cc/sale.php
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=agmodv1rn29akba8fhhkuii795; path=/
X-Powered-By: ASP.NET
Date: Wed, 03 Aug 2016 08:04:39 GMT
Connection: close
Content-Length: 0
GET /公共软件下载/骨头QQ相册批量下载器专业版.txt HTTP/1.1
Accept: */*
Referer: hXXp://d.gutousoft.com/公共软件下载/骨头QQ相册批量下载器专业版.txt
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Content-Type: application/x-www-form-urlencoded
Host: d.gutousoft.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 03 Aug 2016 08:04:26 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
Last-Modified: Fri, 15 Jul 2016 11:14:17 GMT
ETag: "119-537aab8290fe4"
Accept-Ranges: bytes
Content-Length: 281
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
<<< text body (281 bytes, partly non-printable): a version string "11.1", a parenthesised field, and the download URL hXXp://d.gutousoft.com/公共软件下载/骨头QQ相册批量下载器专业版.exe; the capture repeats this response once >>>
GET / HTTP/1.1
Accept: */*
Referer: hXXp://y.gutousoft.com
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: y.gutousoft.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Wed, 03 Aug 2016 08:04:38 GMT
Server: Apache/2.4.10 (Win32) OpenSSL/0.9.8zb PHP/5.2.17
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=c6d54e646de2d57c1b92304c330cbaa6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
location: hXXp://gutou.cc/sale.php
Content-Length: 0
Content-Type: text/html;charset=utf-8
GET /icon_11.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Leng
GET /17287617.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/javascript
Content-Encoding: gzip
Last-Modified: Wed, 29 Jun 2016 18:14:36 GMT
Accept-Ranges: bytes
ETag: "8898f1832d2d11:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Wed, 03 Aug 2016 08:04:50 GMT
Content-Length: 1010
<<< binary body skipped: 1010 bytes of gzip-compressed JavaScript, not decompressed in the capture; the capture repeats this response once >>>
GET /core.php?web_id=1252975436&show=pic&t=z HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 765
Connection: keep-alive
Date: Wed, 03 Aug 2016 07:59:43 GMT
Last-Modified: Wed, 03 Aug 2016 07:59:43 GMT
Expires: Wed, 03 Aug 2016 08:14:43 GMT
Via: cache19.l2et15[0,200-0,H], cache7.l2et15[1,0], kunlun8.cn249[34,200-0,M], kunlun10.cn249[35,0]
Age: 302
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 03 Aug 2016 08:04:45 GMT
X-Swift-CacheTime: 598
Timing-Allow-Origin: *
EagleId: 2a51040a14702114850812029e

!function(){var p,q,r,a=encodeURIComponent,b="1252975436",c="pic",d="",e="online_v3.php",f="z5.cnzz.com",g="1",h="pic",i="z",j="站长统计",k=window["_CNZZDbridge_"+b]["bobject"],l="http:",m="1",n=l+"//online.cnzz.com/online/"+e,o=[];o.push("id="+b),o.push("h="+f),o.push("on="+a(d)),o.push("s="+a(c)),n+="?"+o.join("&"),"0"===m&&k["callRequest"]([l+"//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k["createScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id="+b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l+"//icon.cnzz.com/img/"+c+".gif",p="<a href='"+q+"' target=_blank title='"+j+"'><img border=0 hspace=0 vspace=0 src='"+r+"'></a>"):p="<a href='"+q+"' target=_blank title='"+j+"'>"+j+"</a>",k["createIcon"]([p])))}();
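Three different browser identities appear in the requests above: the WinInet default "MSIE 6.0; Windows NT 5.1" for the analytics hits, "MSIE 5.00; Windows 98" for the executable download from d.gutousoft.com (the request behind the two ET POLICY User-Agent alerts; the path 公共软件下载/骨头QQ相册批量下载器专业版.exe reads "public software downloads / Gutou QQ album batch downloader, professional edition"), and "MSIE 9.0; Windows NT 6.1" for the manifest fetch and the vip.gutou.cc and y.gutousoft.com redirects. The Python below is an added detection example, not code from the report or the sample: it parses a plain-text request capture into headers and flags legacy or fake User-Agent strings, executable downloads over HTTP, and a single run that presents several User-Agents. The capture it processes is constructed from the requests shown on this page with headers shortened, and the LEGACY_UA pattern is a simplified stand-in for the ET POLICY rules, not their actual content.

```python
import re

# Constructed capture: the three request shapes seen in this report, headers
# shortened. Blank lines separate requests; responses are not included.
SAMPLE_CAPTURE = """\
GET /stat.htm?id=1252975436&t=tongji HTTP/1.1
Accept: */*
Referer: hXXp://VVV.gutou.cc/up/tongji.htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: z5.cnzz.com
Connection: Keep-Alive

GET /公共软件下载/骨头QQ相册批量下载器专业版.exe HTTP/1.1
Host: d.gutousoft.com
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Pragma: no-cache
Connection: close

GET / HTTP/1.1
Accept: */*
Referer: hXXp://vip.gutou.cc
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: vip.gutou.cc
Cache-Control: no-cache
"""

# Simplified stand-in for the ET POLICY "Unsupported/Fake Internet Explorer
# Version" and "Windows 98 User-Agent" rules: IE 1-5 or a retired Windows.
LEGACY_UA = re.compile(r"MSIE [1-5]\.|Windows (?:95|98|ME|NT 4\.0)")

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def parse_requests(capture: str):
    """Split a text capture into dicts of method, path and lower-cased headers."""
    requests = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.splitlines()
        m = REQUEST_LINE.match(lines[0])
        if not m:                      # response fragment or junk: skip it
            continue
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        requests.append({"method": m.group(1), "path": m.group(2), "headers": headers})
    return requests


def user_agent_findings(requests):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    hosts_by_ua = {}
    for r in requests:
        ua = r["headers"].get("user-agent", "")
        host = r["headers"].get("host", "?")
        hosts_by_ua.setdefault(ua, set()).add(host)
        if LEGACY_UA.search(ua):
            findings.append(f"legacy/fake browser User-Agent to {host}: {ua}")
        if r["path"].lower().endswith(".exe"):
            findings.append(f"executable fetched over HTTP from {host}: {r['path']}")
    if len(hosts_by_ua) > 1:
        # One process impersonating several browsers is itself a signal;
        # a real browser keeps one User-Agent for the whole session.
        findings.append(f"{len(hosts_by_ua)} distinct User-Agent strings in one run: "
                        + " | ".join(sorted(hosts_by_ua)))
    return findings


if __name__ == "__main__":
    for finding in user_agent_findings(parse_requests(SAMPLE_CAPTURE)):
        print(finding)
```

The per-request checks reproduce what the IDS flagged; the cross-request check is the one a sandbox report lets you add, because the whole capture is known to come from one process.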
The Trojan connects to the servers at the following location(s): the gutou.cc and gutousoft.com hosts and the cnzz.com and 51.la analytics hosts listed in the URLs and Traffic sections above.
Strings from the process memory dump (notable items: the update and download hosts, the QQ/Qzone login URL and the skey= and password cookie names, the Restart.bat and tem.vbs delete-after-delay fragments, and rsadll.dll):
`.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
kernel32.dll
shlwapi.dll
wininet.dll
ntdll.dll
shell32.dll
user32.dll
advapi32.dll
ole32.dll
gdiplus.dll
Ole32.dll
Kernel32.dll
GdiPlus.dll
Gdiplus.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegOpenKeyExA
GdiplusShutdown
CreateIoCompletionPort
{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}42305932-06E6-47a5-AC79-8BDCDC58DF61
HttpClient
.rsrc
\.pL.
Windows
0,8999($
.SCK_LINES/9
.jJ^\
.ERZDLL$
%fLH^A
n.ef"
g%s_%d
=.Xh"
.Hjsp"
ANSI_CHARSE.Dc
O7E(AL("%sKeywnF
.cu%t
\-ú
.NDFR8P
Ix.Lv?h]#
keysK<
A.DHq*-
8X%Fx
L.@%u
.QunW
.da]o
.PP`
.pas8
6.Pob
oOV?.DD@
.ChS-v
#yfP.re
KERNEL32.DLL
comctl32.dll
gdi32.dll
oleaut32.dll
version.dll
wsock32.dll
rsadll.dll
hXXp://d.gutousoft.com/公共软件下载/骨头QQ相册批量下载器专业版.txt
hXXp://y.gutousoft.com/sale.php#tag45
hXXp://
hXXp://vip.gutou.cc
vip.gutou.cc
hXXps://
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXp://y.gutousoft.com
y.gutousoft.com
@ping 127.0.0.1 -n
del Restart.bat
\Restart.bat
hXXp://VVV.gutou.cc
\data\setsoft.ini
0@hXXp://gutou.cc
C:\Windows\Gtphoto.ini
C:\Windows
1970-1-1 00:00:01
001A2B3C4D5Ec:\kss.ini
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
ServiceName\\.\
@gutousoft.com
gutou.cc
A1yWwtUixtgj9gnDMUUISlY0Elm8fH2Xgwng3ro8MHs4og5BmZdt1cHkSAPX8sFDiVmkLp1Ycv1jfxGNX2yKK3sDQUaNBKmRPOwh3ngD6czrytZsBRY6yejy6Wmb8OUYbflN lZmF02OBWfFnDhtvlgfXgOfZXzu0yjgCZzjBdK0IOdNU5VBmnEg9b1puMo0Rt/rGCRZAsdYymSpqPVD8WFsUWPySk2AefWYtQ3NFju tAYVIWIqmtpwScK5hOfXSXiCk0jthyk/1MHMmBqRZm4NUoVSP29U8NURhC9qmD9GYB/o9Vn9BSenpsyHXDDAcX72zEbn2RDQqD0l4gabn/pPllB7nDOXRfnMAxHmUUYxvHCtPIYLDRRg25YDjAsMZqCOLQS tZU/ vw65PgpPiPHC A9KqsCCVrYwwFcjhEMc9bP25esSGERNX5v8WlsREOrfY9/saOV3g8mUQ/FMzqokUtFQ3mGSPlOWmbCx66iB/zl7GJC0v1sduP0m6z1kv2clHSrkD5N0z VnTfhcf565o D0anX1RaJFcpMFvZTxyhupBG8GfYyCjfaARXZUgNV97faSX63T 1RcxTKUJ78hc9Wpr54Ud4y6svK9/jk5DUTcMULHO4yUNI aneNgGrXRK/i4fidArJqtkc5mYNTJCBAXrKERMojnFwpliUq9C6s6 LPIwB/5Yns/E0cpFp4Ep0/CZ lmiO5vdS1soFKXTVieYESplJ 9p28UWbOew9U6ZLTxNijwA3W7SHuT/5rekE5m3atcpLbpZff6ZMylNsdzyx8TF16vo VLXGdCX/3577uo8kdeHLHwBFLVoOh7SqxZFMDr5lkW/3XiTiL3TNmpZ4Vh1nhMqQEek8YMGcGStfN0mI23abFInwLmjV6N/PLM19Zprpi4nVM22X47VlGUeVNjk jKcNsBLSnGkdVtv55YEvNVMtDRYEqvZ1GLY0CTnzWThMxz6nJfJBLmLraBTgj1wpLiW5FU2rlf2LCuI4tB0/N1iNreMvHXgYhDZtZ2p2wpo tFDgx5ZyHsFSnSWh99Bt99gAWe0TCosnqlPSERGT4bXhhlzYzgZ18w5voJ8NM6kZnFTJ8zcnpVWcPpw2PnSuzoNElUq4C hLmj7r Tl fOL8OIPr/z0KpySnOT2U1OxvnZnc7hP2CWMrNfFt8r9bpZlf0RkFtT4sG1/7zJRC6El6m9KrHPtQtn8v8ESuQZ8t04rYsgKNWsHJD7vXF8z8iT4WcuCEhYCwn SPh487i6XS0USOWDZBVk6FVPQYv9 kEK98L8cV90Ty UYCVw8wCe54y5OmzOoz7Pl/Ea9Z7f7FN7Ke3EobpW5c20PdYstl7XEufeEwwripsre6FiYKRFlElw onXZay/mfYawx32N/F0keF046qkNip3vfg/tSg2P2CFcsWWkzrqResw3aOw MP 2yE3WnkcknIWk7Qo6TLhByvq/LJ6UF8iv7Z4TMynvu2rYK5FG1uJw7qqXPeoISPFT7a6UPhnJM3rPDTvk/utz2vAtgwGXXoqysDIGa 1i4fwRo0QLN46ovlyzciWOq9GndGZuPi8DN30xEN2En/J rAlf2QADqPJZP1m/LgjYVA7Ekqhru wtbYYspEaIigvx7nNDdm6ZqXIw4NBlZvPW1XHW7/t7jyyebT7aecpBWF F60PCPinI9yfhe6HIQAjBI=
MSXML2.XMLHTTP
Microsoft.XMLHTTP
Can't create XMLHTTP connection object
Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;)
application/x-www-form-urlencoded
errmsg_s
x.yvr
x.yvkd
password
hXXp://VVV.gutou.cc/up/tongji.htm#
VBScript.RegExp
user.qzone.qq.com
skey=
qq.com
/photo
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?daid=5&hide_title_bar=1&no_verifyimg=1&link_target=blank&appid=15004501&target=self&f_url=http://ctc.qzs.qq.com/ac/qzone/login/error.html&s_url=http://user.qzone.qq.com/
hXXp://route.store.qq.com/GetRoute?UIN=
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.802.30 Safari/535.1 SE 2.X MetaSr 1.0
origin_url
scripting.FileSystemObject
&pageNum=30&skipCmtCount=0&singleurl=1&batchId=&notice=0&appid=4&inCharset=utf-8&outCharset=gbk&source=qzone&plat=qzone&outstyle=json&format=jsonp&json_esc=1&question=&answer=&callbackFun=shine0&_=1410646849242
{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}{B96B3CB0-0728-11D3-9D7B-0000F81EF32E}{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}{B96B3CAE-0728-11D3-9D7B-0000F81EF32E}{B96B3CB5-0728-11D3-9D7B-0000F81EF32E}{B96B3CAC-0728-11D3-9D7B-0000F81EF32E}{B96B3CAD-0728-11D3-9D7B-0000F81EF32E}{B96B3CB1-0728-11D3-9D7B-0000F81EF32E}.tiff
BM{557CF400-1A04-11D3-9A73-0000F81EF32E}{557CF401-1A04-11D3-9A73-0000F81EF32E}{557CF402-1A04-11D3-9A73-0000F81EF32E}{557CF405-1A04-11D3-9A73-0000F81EF32E}{557CF406-1A04-11D3-9A73-0000F81EF32E}\update.exe
:|:czkey:|:
tem.vbs
fso.DeleteFile("Set fso = CreateObject("Scripting.FileSystemObject")Wscript.Sleep(1000)
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
update.temp
[email protected]
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
@kernel32.dll
hXXp://VVV.gutou.cc/up/tongji.htm#xiangchexiazai_B
keye
&iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:7E542999DCEF11E49F809666608E8CD2" xmpMM:InstanceID="xmp.iid:7E542998DCEF11E49F809666608E8CD2" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:159E0BA3D74E11E4AF36A15C3B130BA5" stRef:documentID="xmp.did:159E0BA4D74E11E4AF36A15C3B130BA5"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>r
pz?F%F
hXXp://vip.gutou.cc/sale.php#tag42
D5DF1031-A6A0-4d96-8E6E-9E4865669D0D
.pi]\L}L
1124723920
[email protected] QQ 1060943567 QQ
1:128623809
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CCmdTarget
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
EnumChildWindows
EnumWindows
USER32.dll
GetProcessHeap
KERNEL32.dll
GDI32.dll
IMM32.dll
SHELL32.dll
comdlg32.dll
WINSPOOL.DRV
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
SHLWAPI.dll
WINMM.dll
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
GetCPInfo
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
exui.dll
exui_yuansukeyouziji_kuozhanjiekou
1.2.18
%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
MSWHEEL_ROLLMSG
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
VERSION.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
\u00%c%c
json_tokener_parse_ex: error %s at offset %d
json_tokener_comment: %s
HTTP HTTPS.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/7.0.536.2 Safari/534.10
Content-Length: %d
(*.htm;*.html)|*.htm;*.html
its:%s::%s
iexui.com =====
[email protected] QQ 1060943567
2015. 05.30.1
\lib\ex_ui\AttributeEditorexui.dll
ex_ui keye
msimg32.dll
"iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:3C6D95F3EFEA11E4A90A99F39E3C2643" xmpMM:DocumentID="xmp.did:3C6D95F4EFEA11E4A90A99F39E3C2643"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:3C6D95F1EFEA11E4A90A99F39E3C2643" stRef:documentID="xmp.did:3C6D95F2EFEA11E4A90A99F39E3C2643"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>O
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:643FD483EFEA11E4ACEAE14F48F716F7" xmpMM:DocumentID="xmp.did:643FD484EFEA11E4ACEAE14F48F716F7"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:643FD481EFEA11E4ACEAE14F48F716F7" stRef:documentID="xmp.did:643FD482EFEA11E4ACEAE14F48F716F7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:955837E3EFE711E493C8C26092811C81" xmpMM:DocumentID="xmp.did:955837E4EFE711E493C8C26092811C81"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:955837E1EFE711E493C8C26092811C81" stRef:documentID="xmp.did:955837E2EFE711E493C8C26092811C81"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:A3160C67F01D11E494A69C2025C6FDD6" xmpMM:DocumentID="xmp.did:A3160C68F01D11E494A69C2025C6FDD6"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A3160C65F01D11E494A69C2025C6FDD6" stRef:documentID="xmp.did:A3160C66F01D11E494A69C2025C6FDD6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:558A092BF01D11E4937B826B8C3A42BA" xmpMM:DocumentID="xmp.did:558A092CF01D11E4937B826B8C3A42BA"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:558A0929F01D11E4937B826B8C3A42BA" stRef:documentID="xmp.did:558A092AF01D11E4937B826B8C3A42BA"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:7355437BF01D11E4A0D689F533F2C8D4" xmpMM:DocumentID="xmp.did:7355437CF01D11E4A0D689F533F2C8D4"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:73554379F01D11E4A0D689F533F2C8D4" stRef:documentID="xmp.did:7355437AF01D11E4A0D689F533F2C8D4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:8B4B1D1BF01D11E4A724B297CA8A29E0" xmpMM:DocumentID="xmp.did:8B4B1D1CF01D11E4A724B297CA8A29E0"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8B4B1D19F01D11E4A724B297CA8A29E0" stRef:documentID="xmp.did:8B4B1D1AF01D11E4A724B297CA8A29E0"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>~/#
9D1569BC-D691-4216-844E-5DFE5D2EF825
fiTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CD0B3A4F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CD0B3A3F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>P
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CD0B3A8F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CD0B3A7F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7D00C452F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7D00C451F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CE42819F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CE42818F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CE4281DF00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CE4281CF00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CE42821F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CE42820F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
C715A368-6E3F-4e61-9991-E99EB74D5EFA
VVV.meitu.com
6A8E5D6D-16C0-498f-A605-0E5DA96DF355D
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}\wke.dll
\lib\ex_ui\wke.dll
wke.dll
wke.dll
4F4232B4-AE1B-449c-BF6F-1B3DD0351CBF
c.gff
.cLI)A)%
015621FD-C063-4706-B16E-A8877DC952E1
CB0AFE2E-CF04-4e82-9C0E-7A4351B79ABF
04E4727F-C770-4f9c-B9BF-7A2805295C7B
lib\ex_ui\AttributeEditorexui.dll
imm32.dll
GetAsyncKeyState
wkeKeyDown
wkeKeyUp
wkeCreateWebView
wkeGlobalExec
wkeLoadURLW
wkeDestroyWebView
wkeKeyPress
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
.?AVCCmdTarget@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
zcÁ
c:\%original file name%.exe
(*.avi)|*.avi
RICHED32.DLL
RICHED20.DLL
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
operator
keywords
VVV.dywt.com.cn
;3 #>6.&
'2, / 0&7!4-)1#
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.0
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCOleException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
WinExec
GetViewportOrgEx
GetViewportExtEx
CreateDialogIndirectParamA
InternetCrackUrlA
HttpEndRequestA
HttpAddRequestHeadersA
.text
`.rdata
@.data
Url$-
.BNcUnp
B"1q`.rl
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
AVIFIL32.dll
MSVFW32.dll
OLEAUT32.dll
oledlg.dll
RASAPI32.dll
WININET.dll
winspool.drv
WS2_32.dll
(*.*)
%original file name%.exe_868_rwx_00401000_004A5000:
t%SVh
t$(SSh
~%UVW
u$SShe
kernel32.dll
shlwapi.dll
wininet.dll
ntdll.dll
shell32.dll
user32.dll
advapi32.dll
ole32.dll
gdiplus.dll
Ole32.dll
Kernel32.dll
GdiPlus.dll
Gdiplus.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
RegOpenKeyA
RegEnumKeyA
RegCloseKey
RegOpenKeyExA
GdiplusShutdown
CreateIoCompletionPort
{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}42305932-06E6-47a5-AC79-8BDCDC58DF61
HttpClient
.rsrc
\.pL.
Windows
0,8999($
.SCK_LINES/9
.jJ^\
.ERZDLL$
%fLH^A
n.ef"
g%s_%d
=.Xh"
.Hjsp"
ANSI_CHARSE.Dc
O7E(AL("%sKeywnF
.cu%t
\-ú
.NDFR8P
Ix.Lv?h]#
keysK<
A.DHq*-
8X%Fx
L.@%u
.QunW
.da]o
.PP`
.pas8
6.Pob
oOV?.DD@
.ChS-v
#yfP.re
KERNEL32.DLL
comctl32.dll
gdi32.dll
oleaut32.dll
version.dll
wsock32.dll
rsadll.dll
hXXp://d.gutousoft.com/公共软件下载/骨头QQ相册批量下载器专业版.txt
hXXp://y.gutousoft.com/sale.php#tag45
hXXp://
hXXp://vip.gutou.cc
vip.gutou.cc
hXXps://
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXp://y.gutousoft.com
y.gutousoft.com
@ping 127.0.0.1 -n
del Restart.bat
\Restart.bat
hXXp://VVV.gutou.cc
\data\setsoft.ini
0@hXXp://gutou.cc
C:\Windows\Gtphoto.ini
C:\Windows
1970-1-1 00:00:01
001A2B3C4D5Ec:\kss.ini
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\
ServiceName\\.\
@gutousoft.com
gutou.cc
A1yWwtUixtgj9gnDMUUISlY0Elm8fH2Xgwng3ro8MHs4og5BmZdt1cHkSAPX8sFDiVmkLp1Ycv1jfxGNX2yKK3sDQUaNBKmRPOwh3ngD6czrytZsBRY6yejy6Wmb8OUYbflN lZmF02OBWfFnDhtvlgfXgOfZXzu0yjgCZzjBdK0IOdNU5VBmnEg9b1puMo0Rt/rGCRZAsdYymSpqPVD8WFsUWPySk2AefWYtQ3NFju tAYVIWIqmtpwScK5hOfXSXiCk0jthyk/1MHMmBqRZm4NUoVSP29U8NURhC9qmD9GYB/o9Vn9BSenpsyHXDDAcX72zEbn2RDQqD0l4gabn/pPllB7nDOXRfnMAxHmUUYxvHCtPIYLDRRg25YDjAsMZqCOLQS tZU/ vw65PgpPiPHC A9KqsCCVrYwwFcjhEMc9bP25esSGERNX5v8WlsREOrfY9/saOV3g8mUQ/FMzqokUtFQ3mGSPlOWmbCx66iB/zl7GJC0v1sduP0m6z1kv2clHSrkD5N0z VnTfhcf565o D0anX1RaJFcpMFvZTxyhupBG8GfYyCjfaARXZUgNV97faSX63T 1RcxTKUJ78hc9Wpr54Ud4y6svK9/jk5DUTcMULHO4yUNI aneNgGrXRK/i4fidArJqtkc5mYNTJCBAXrKERMojnFwpliUq9C6s6 LPIwB/5Yns/E0cpFp4Ep0/CZ lmiO5vdS1soFKXTVieYESplJ 9p28UWbOew9U6ZLTxNijwA3W7SHuT/5rekE5m3atcpLbpZff6ZMylNsdzyx8TF16vo VLXGdCX/3577uo8kdeHLHwBFLVoOh7SqxZFMDr5lkW/3XiTiL3TNmpZ4Vh1nhMqQEek8YMGcGStfN0mI23abFInwLmjV6N/PLM19Zprpi4nVM22X47VlGUeVNjk jKcNsBLSnGkdVtv55YEvNVMtDRYEqvZ1GLY0CTnzWThMxz6nJfJBLmLraBTgj1wpLiW5FU2rlf2LCuI4tB0/N1iNreMvHXgYhDZtZ2p2wpo tFDgx5ZyHsFSnSWh99Bt99gAWe0TCosnqlPSERGT4bXhhlzYzgZ18w5voJ8NM6kZnFTJ8zcnpVWcPpw2PnSuzoNElUq4C hLmj7r Tl fOL8OIPr/z0KpySnOT2U1OxvnZnc7hP2CWMrNfFt8r9bpZlf0RkFtT4sG1/7zJRC6El6m9KrHPtQtn8v8ESuQZ8t04rYsgKNWsHJD7vXF8z8iT4WcuCEhYCwn SPh487i6XS0USOWDZBVk6FVPQYv9 kEK98L8cV90Ty UYCVw8wCe54y5OmzOoz7Pl/Ea9Z7f7FN7Ke3EobpW5c20PdYstl7XEufeEwwripsre6FiYKRFlElw onXZay/mfYawx32N/F0keF046qkNip3vfg/tSg2P2CFcsWWkzrqResw3aOw MP 2yE3WnkcknIWk7Qo6TLhByvq/LJ6UF8iv7Z4TMynvu2rYK5FG1uJw7qqXPeoISPFT7a6UPhnJM3rPDTvk/utz2vAtgwGXXoqysDIGa 1i4fwRo0QLN46ovlyzciWOq9GndGZuPi8DN30xEN2En/J rAlf2QADqPJZP1m/LgjYVA7Ekqhru wtbYYspEaIigvx7nNDdm6ZqXIw4NBlZvPW1XHW7/t7jyyebT7aecpBWF F60PCPinI9yfhe6HIQAjBI=
MSXML2.XMLHTTP
Microsoft.XMLHTTP
Can't create XMLHTTP connection object
Mozilla/4.0 (compatible; MSiE 6.0; Windows NT 5.1;)
application/x-www-form-urlencoded
errmsg_s
x.yvr
x.yvkd
password
hXXp://VVV.gutou.cc/up/tongji.htm#
VBScript.RegExp
user.qzone.qq.com
skey=
qq.com
/photo
hXXp://ui.ptlogin2.qq.com/cgi-bin/login?daid=5&hide_title_bar=1&no_verifyimg=1&link_target=blank&appid=15004501&target=self&f_url=http://ctc.qzs.qq.com/ac/qzone/login/error.html&s_url=http://user.qzone.qq.com/
hXXp://route.store.qq.com/GetRoute?UIN=
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.802.30 Safari/535.1 SE 2.X MetaSr 1.0
origin_url
scripting.FileSystemObject
&pageNum=30&skipCmtCount=0&singleurl=1&batchId=&notice=0&appid=4&inCharset=utf-8&outCharset=gbk&source=qzone&plat=qzone&outstyle=json&format=jsonp&json_esc=1&question=&answer=&callbackFun=shine0&_=1410646849242
{B96B3CAB-0728-11D3-9D7B-0000F81EF32E}{B96B3CB0-0728-11D3-9D7B-0000F81EF32E}{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}{B96B3CAE-0728-11D3-9D7B-0000F81EF32E}{B96B3CB5-0728-11D3-9D7B-0000F81EF32E}{B96B3CAC-0728-11D3-9D7B-0000F81EF32E}{B96B3CAD-0728-11D3-9D7B-0000F81EF32E}{B96B3CB1-0728-11D3-9D7B-0000F81EF32E}.tiff
BM{557CF400-1A04-11D3-9A73-0000F81EF32E}{557CF401-1A04-11D3-9A73-0000F81EF32E}{557CF402-1A04-11D3-9A73-0000F81EF32E}{557CF405-1A04-11D3-9A73-0000F81EF32E}{557CF406-1A04-11D3-9A73-0000F81EF32E}\update.exe
:|:czkey:|:
tem.vbs
fso.DeleteFile("Set fso = CreateObject("Scripting.FileSystemObject")Wscript.Sleep(1000)
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
update.temp
[email protected]
[email protected]
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
@kernel32.dll
hXXp://VVV.gutou.cc/up/tongji.htm#xiangchexiazai_B
keye
&iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.155772, 2014/01/13-19:44:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:DocumentID="xmp.did:7E542999DCEF11E49F809666608E8CD2" xmpMM:InstanceID="xmp.iid:7E542998DCEF11E49F809666608E8CD2" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:159E0BA3D74E11E4AF36A15C3B130BA5" stRef:documentID="xmp.did:159E0BA4D74E11E4AF36A15C3B130BA5"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>r
pz?F%F
hXXp://vip.gutou.cc/sale.php#tag42
D5DF1031-A6A0-4d96-8E6E-9E4865669D0D
.pi]\L}L
1124723920
[email protected] QQ 1060943567 QQ
1:128623809
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CCmdTarget
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
EnumChildWindows
EnumWindows
USER32.dll
GetProcessHeap
KERNEL32.dll
GDI32.dll
IMM32.dll
SHELL32.dll
comdlg32.dll
WINSPOOL.DRV
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
SHLWAPI.dll
WINMM.dll
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
GetCPInfo
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
exui.dll
exui_yuansukeyouziji_kuozhanjiekou
1.2.18
%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
MSWHEEL_ROLLMSG
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
VERSION.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
\u00%c%c
json_tokener_parse_ex: error %s at offset %d
json_tokener_comment: %s
HTTP HTTPS.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/7.0.536.2 Safari/534.10
Content-Length: %d
(*.htm;*.html)|*.htm;*.html
its:%s::%s
iexui.com =====
[email protected] QQ 1060943567
2015. 05.30.1
\lib\ex_ui\AttributeEditorexui.dll
ex_ui keye
msimg32.dll
"iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:3C6D95F3EFEA11E4A90A99F39E3C2643" xmpMM:DocumentID="xmp.did:3C6D95F4EFEA11E4A90A99F39E3C2643"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:3C6D95F1EFEA11E4A90A99F39E3C2643" stRef:documentID="xmp.did:3C6D95F2EFEA11E4A90A99F39E3C2643"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>O
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:643FD483EFEA11E4ACEAE14F48F716F7" xmpMM:DocumentID="xmp.did:643FD484EFEA11E4ACEAE14F48F716F7"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:643FD481EFEA11E4ACEAE14F48F716F7" stRef:documentID="xmp.did:643FD482EFEA11E4ACEAE14F48F716F7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:955837E3EFE711E493C8C26092811C81" xmpMM:DocumentID="xmp.did:955837E4EFE711E493C8C26092811C81"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:955837E1EFE711E493C8C26092811C81" stRef:documentID="xmp.did:955837E2EFE711E493C8C26092811C81"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:A3160C67F01D11E494A69C2025C6FDD6" xmpMM:DocumentID="xmp.did:A3160C68F01D11E494A69C2025C6FDD6"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:A3160C65F01D11E494A69C2025C6FDD6" stRef:documentID="xmp.did:A3160C66F01D11E494A69C2025C6FDD6"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:558A092BF01D11E4937B826B8C3A42BA" xmpMM:DocumentID="xmp.did:558A092CF01D11E4937B826B8C3A42BA"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:558A0929F01D11E4937B826B8C3A42BA" stRef:documentID="xmp.did:558A092AF01D11E4937B826B8C3A42BA"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:7355437BF01D11E4A0D689F533F2C8D4" xmpMM:DocumentID="xmp.did:7355437CF01D11E4A0D689F533F2C8D4"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:73554379F01D11E4A0D689F533F2C8D4" stRef:documentID="xmp.did:7355437AF01D11E4A0D689F533F2C8D4"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:8B4B1D1BF01D11E4A724B297CA8A29E0" xmpMM:DocumentID="xmp.did:8B4B1D1CF01D11E4A724B297CA8A29E0"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8B4B1D19F01D11E4A724B297CA8A29E0" stRef:documentID="xmp.did:8B4B1D1AF01D11E4A724B297CA8A29E0"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>~/#
9D1569BC-D691-4216-844E-5DFE5D2EF825
fiTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CD0B3A4F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CD0B3A3F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>P
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CD0B3A8F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CD0B3A7F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7D00C452F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7D00C451F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CE42819F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CE42818F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CE4281DF00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CE4281CF00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D" xmpMM:DocumentID="xmp.did:7CE42821F00011E4A668CB899C602E40" xmpMM:InstanceID="xmp.iid:7CE42820F00011E4A668CB899C602E40" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FD658F9BFBEFE411ABAEC90FF9AAB1AA" stRef:documentID="xmp.did:3DD7B3C0F5EFE41197D5CB752474416D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
C715A368-6E3F-4e61-9991-E99EB74D5EFA
VVV.meitu.com
6A8E5D6D-16C0-498f-A605-0E5DA96DF355D
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}\wke.dll
\lib\ex_ui\wke.dll
wke.dll
wke.dll
4F4232B4-AE1B-449c-BF6F-1B3DD0351CBF
c.gff
.cLI)A)%
015621FD-C063-4706-B16E-A8877DC952E1
CB0AFE2E-CF04-4e82-9C0E-7A4351B79ABF
04E4727F-C770-4f9c-B9BF-7A2805295C7B
lib\ex_ui\AttributeEditorexui.dll
imm32.dll
GetAsyncKeyState
wkeKeyDown
wkeKeyUp
wkeCreateWebView
wkeGlobalExec
wkeLoadURLW
wkeDestroyWebView
wkeKeyPress
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
.?AVCCmdTarget@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
zcÁ
c:\%original file name%.exe
(*.avi)|*.avi
RICHED32.DLL
RICHED20.DLL
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
operator
keywords
VVV.dywt.com.cn
;3 #>6.&
'2, / 0&7!4-)1#
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\e5\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.0
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCOleException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
WinExec
GetViewportOrgEx
GetViewportExtEx
CreateDialogIndirectParamA
InternetCrackUrlA
HttpEndRequestA
HttpAddRequestHeadersA
.text
`.rdata
@.data
(*.*)
%original file name%.exe_868_rwx_00FB0000_00072000:
`.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
USER32.DLL
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s_%d
EInvalidGraphicOperation
comctl32.dll
uxtheme.dll
MAPI32.DLL
!"#$%xi
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDown
OnKeyPressl
OnKeyUp
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeys
TMainMenuDp
TKeyEvent
TKeyPressEvent
HelpKeyword,
crSQLWait
%s (%s)
imm32.dll
readnowid.mtx
D:\ksreg_delphi\V9\_rsa_delphi_dll\UnitSock.pas
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
GetCPInfo
RegOpenKeyExA
RegCloseKey
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
38000=344
.idata
.edata
P.reloc
P.rsrc
#yfP.re
KERNEL32.DLL
advapi32.dll
gdi32.dll
user32.dll
version.dll
wsock32.dll
rsadll.dll
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Unsupported clipboard format
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
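The strings above are what an analyst turns into capability tags and indicators: the keyboard-hook imports, the SMTP header templates, the FTP `USER`/`PASS` commands, the HTTP and RTSP client strings, the `wke*` embedded-WebKit exports, and the defanged hostnames (the report writes `www.` as `VVV.` and `http` as `hXXp`). The script below is an added example and is not part of the Lavasoft report or its classifier. Its indicator lists and the tag-to-behaviour mapping at the end are editorial heuristics (an assumption, not the analysis system's logic), and `SAMPLE_STRINGS` is a hand-copied subset of the dump so that it runs offline.

```python
"""Capability triage over a strings dump (added example, not from the report).

The indicator families and the behaviour mapping are editorial heuristics,
not the Lavasoft classifier. SAMPLE_STRINGS is a constructed subset of the
strings listed on this page.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the strings listed above.
SAMPLE_STRINGS = [
    "wke.dll", "wkeCreateWebView", "wkeLoadURLW", "wkeKeyDown",
    "GetAsyncKeyState", "SetWindowsHookExA", "UnhookWindowsHookEx",
    "GetKeyboardState", "GetKeyState", "MapVirtualKeyA",
    "From: %s", "To: %s", "Subject: %s", "Reply-To: %s", "SMTP",
    "USER %s", "PASS %s", "PASS ******", "SIZE %s",
    "GET %s HTTP/1.1", "User-Agent: %s", "Host: %s", "Cookie: %s",
    "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)",
    "rtsp://%s:%i/%s", "CSeq: %u",
    "WinExec", "InternetCrackUrlA", "HttpAddRequestHeadersA",
    "VVV.meitu.com", "VVV.dywt.com.cn", r"\\192.168.0.129\TCP\1037",
    "E:\\e5\\dev\\e\\static_link\\static_libs\\source\\downlib\\mystrlib.cpp",
    "333333333333333333", "zc\u00c1",
]

# Heuristic indicator families (editorial assumption): (tag, pattern over one string).
INDICATORS = [
    ("keyboard-capture", re.compile(
        r"^(SetWindowsHookExA|UnhookWindowsHookEx|GetAsyncKeyState|"
        r"GetKeyState|GetKeyboardState|MapVirtualKeyA|GetKeyNameTextA)$")),
    ("smtp-client", re.compile(r"^(SMTP|(From|To|Cc|Subject|Reply-To|Date): %s)$")),
    ("ftp-client", re.compile(r"^(USER %s|PASS (%s|\*+)|SIZE %s|PORT)$")),
    ("http-client", re.compile(
        r"^(GET %s HTTP/1\.1|(User-Agent|Host|Referer|Cookie): %s|"
        r"Range: bytes=%s-|Mozilla/\d\.\d .*)$")),
    ("rtsp-client", re.compile(r"^(rtsp://|CSeq: %u|Session: %s|Transport: )")),
    ("embedded-webkit", re.compile(r"^(wke\.dll|wke[A-Z]\w*)$")),
    ("wininet-api", re.compile(r"^(InternetCrackUrlA|HttpEndRequestA|HttpAddRequestHeadersA)$")),
    ("process-launch", re.compile(r"^WinExec$")),
]

# Defanged hostnames as the report writes them (VVV. for www.), UNC endpoints, build paths.
DOMAIN_RE = re.compile(r"^(?:VVV|www)\.[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
UNC_RE = re.compile(r"^\\\\(\d{1,3}(?:\.\d{1,3}){3})\\(\w+)\\(\d+)$")
SRC_PATH_RE = re.compile(r"^[A-Za-z]:\\.*\.(cpp|pas|c|h)$")


def classify(strings):
    """Return {tag: sorted matched strings} for every indicator family that hits."""
    hits = defaultdict(set)
    for s in strings:
        for tag, pattern in INDICATORS:
            if pattern.search(s):
                hits[tag].add(s)
    return {tag: sorted(v) for tag, v in hits.items()}


def extract_iocs(strings):
    """Pull defanged domains, IP/port endpoints and leaked build paths."""
    iocs = {"domains": [], "endpoints": [], "build_paths": []}
    for s in strings:
        unc = UNC_RE.match(s)
        if DOMAIN_RE.match(s):
            iocs["domains"].append(s)
        elif unc:
            iocs["endpoints"].append(
                {"ip": unc.group(1), "proto": unc.group(2), "port": int(unc.group(3))})
        elif SRC_PATH_RE.match(s):
            iocs["build_paths"].append(s)
    return iocs


def behaviour_hints(tags):
    """Map tag families to coarse behaviour labels (editorial assumption)."""
    hints = set()
    if "smtp-client" in tags:
        hints.add("EmailWorm")
    if "keyboard-capture" in tags:
        hints.add("Trojan-PSW")
    if {"http-client", "ftp-client", "wininet-api"} & set(tags):
        hints.add("Downloader")
    return sorted(hints)


if __name__ == "__main__":
    found = classify(SAMPLE_STRINGS)
    for tag, matched in sorted(found.items()):
        print(f"{tag:18} {len(matched):2}  e.g. {matched[0]}")
    print("IOCs:", extract_iocs(SAMPLE_STRINGS))
    print("hints:", behaviour_hints(found))
```

Treat the output as leads, not verdicts. `SetWindowsHookExA` and `GetAsyncKeyState` are also used by legitimate hotkey and IME code, and the RTSP/RealMedia and Word-converter strings read like statically linked library code (the `static_link\static_libs\source\downlib\mystrlib.cpp` build path points the same way), so a string hit shows linked capability rather than observed behaviour. Cross-check every tag against the dynamic sections of the report, such as the injection into the second `%original file name%.exe` process and the Temporary Internet Files artefacts listed under manual removal.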
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:272
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\core[1].php (765 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon_11[1].gif (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tongji[1].htm (952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pic[1].gif (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (352 bytes)
C:\%original file name%.exe (7433 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.