Trojan.Win32.FlyStudio_fb19d72726

by malwarelabrobot on October 18th, 2015 in Malware Descriptions.

HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Gen:Variant.Symmi.48377 (B) (Emsisoft), Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: fb19d727263c37bf685e453975c01269
SHA1: 50f32856e588fe9062cf917375ebabefa6c1d532
SHA256: e675ab1c9a5311a2757858be3bc06a3ef72a5076de100ae055787ce245922a32
SSDeep: 12288:MeBy9Zkt/6gHZeAw76sYmhcjeFbgFgHFv:MeBJcg5YSe9lv
Size: 568144 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-09-29 06:32:48
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1308
Baidu.exe:968
Baidu.exe:1836
Baidu.exe:2540
Baidu.exe:3220
YouQian_Setup.exe:1488

The Trojan injects its code into the following process(es):

%original file name%.exe:856
Baidu_Setup_1.6.200.359_ftn_1050103060.exe:492
Baidu.exe:808

Mutexes

The following mutexes were created/opened:

WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDTTN6HH\7gj1[1] (991986 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F6HGJOR7\7b1[1] (353734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDTTN6HH\Baidu_Setup_1.6.200.359_ftn_1050103060[1].exe (688653 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F6HGJOR7\2k[1] (205033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDTTN6HH\uc1[1] (984448 bytes)

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%WinDir%\Temp\baidu\youqian\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦\process.cfg (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa2.tmp (284894 bytes)
%WinDir%\Temp\baidu\youqian\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦\YouQian_Setup.exe (25112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%WinDir%\Temp\baidu\youqian\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦.ini (1607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\BDMSkin.dll (37727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\InstallHelper.dll (26688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%WinDir%\Temp\baidu\youqian\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦\132.exe (172202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp (0 bytes)

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_x.png (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm5.tmp (447624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\349.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Base.dll (77808 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\Software.pb (9984 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall-1.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\arrow.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\Utils.dll (23296 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\haze.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\executor.xml (233 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\login\login.html (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-logo57x65.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\InstallHelper.dll (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Update.dll (11040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F6HGJOR7\bdzc_Setup_2.0.3.124[1].dll (18424 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-left.png (130 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\PluginSetup.xml (654 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\msgconfig.pb (142 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\icon_xinwen.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-right.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\msvcr100.dll (25824 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\foggy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\login_mods.js (14 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sleet.png (741 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\enter.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\pack.bat (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\weixinUI.xml (345 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\request.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-storm.png (926 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download-hover.png (985 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\app-error.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\uninst.exe (18640 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks_z.png (7 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-rain.png (864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\BDWebDownload.dll (7192 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\executor.xml (310 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\icon_gupiao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sandstorm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\PluginSetup.xml (625 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo57x65.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\crash.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\overcast.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\shower.png (817 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\icon_yinyue.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.woff (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-google.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\mod.js (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\foggy.png (663 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_m.png (124 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\kuaidi.png (312 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\res_jietu.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dust.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\res_weixin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\default-icon.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dy.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\Base.dll (38904 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Protocol.dll (24048 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcr100.dll (51648 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\executor.xml (172 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\advance.png (377 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\44.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\icon_bianqian.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\344.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\respond.min.js (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_m.png (925 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe (13168 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-circle-loading.gif (9 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder.png (276 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\404.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\vedio_play.png (465 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\res_yinyue.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\main.js (1552 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuDll.dll (3312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AssociateWnd.rdb (1568 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\UIHandler.dll (120372 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-loading.gif (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\banner.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\gupiaoUI.xml (336 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-unchecked.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search-large.png (408 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\history_mods.js (6360 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower-with-hail.png (946 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-ala.png (561 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuUI.xml (347 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Update.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\layout.css (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\settings_mods.js (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\DD_belatedPNG_0.0.8a-min.js (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-left.png (194 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianUI.xml (346 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search.png (382 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\qq.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-rain.png (963 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\executor.xml (241 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\screensnapshot.exe (20624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\shower.png (481 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\super-ajax.js (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download.png (991 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\xinwenUI.xml (342 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUI.xml (382 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\box-shadow.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\res_resou.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-close.png (170 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\366.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-flurry.png (479 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PluginMgr.dll (49664 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LogicMisc.dll (140990 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-textbox.png (588 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcp100.dll (28368 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-alert-ok.png (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\png8-ex.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\resouUI.xml (340 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\aladdin.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\auto_complete\top_site.db (10128 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox-active.png (893 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history.css (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-left.png (249 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\map.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\executor.xml (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\msvcp100.dll (14184 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\yinyueUI.xml (358 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-iconall-1.png (197 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\gz.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-ui-1.10.4.custom.min.js (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\login-success.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\res\js\common.js (990 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login.css (7 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\res_xinwen.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\1px.png (947 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\363.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo_blank.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\music_play.png (155 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sunny.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\PluginSetup.xml (622 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings.css (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-right.png (259 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-center.png (143 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general-png8.png (841 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\res_bianqian.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\skinres.rdb (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\new.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-1.11.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\gray1px.png (918 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download-hover.png (177 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall.gif (94 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\json2.js (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\privacy.png (296 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ice-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PWidgetAppCommonBase.dll (14384 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\rpt.dat (222 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login_z.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\MsgPush.dll (31072 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\iframe_loading.gif (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\input.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\favicon.ico (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-unchecked.png (361 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\testIO.exe (784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\AppHTMLXinWen.xml (442 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Setting.rdb (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\icon_jietu.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\appBlackList.dat (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\executor.xml (234 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BDSearchBar.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\bookmarks.html (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\global.js (8184 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-checked.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-newtab.png (197 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\1.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxinNotify.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\general.png (379 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\cloudy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-taobao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\input.png (214 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUINotify.xml (412 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\unknown.png (480 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\vedio_play.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.eot (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-right.png (202 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\arrow-png8.png (260 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Utils.dll (46592 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-png8.png (292 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks.css (9 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general.png (866 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-checked.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\reset.css (826 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dust.png (812 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserCore.dll (67072 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\ie-fix.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxinNotify.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\ice-rain.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\bookmarks_mods.js (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu.png (367 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\arrow.png (203 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sf.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading.png (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\executor.xml (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sc_tmp.dll.bdtmp (18424 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Report.dll (7232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\365.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-snow.png (992 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\icon-tree-search-ie8.png (15 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CommonWorker.dll (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\343.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\unknown.png (851 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading-large.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\368.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages.css (7 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sleet.png (436 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog-close.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\gz.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserFrame.dll (67494 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo25x29.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\qxdh20140619.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AppContainer.rdb (10 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\cloudy.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\Report.dll (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\duststorm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-new.png (977 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower-with-hail.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\skinres.rdb (23424 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\app-reload.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\LocalPluginInfo.xml (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox.png (893 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\DetectVm.dll (4784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-flurry.png (847 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-hover-png8.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\AppHTMLReSou.xml (438 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\Protocol.dll (12024 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\icon_weixin.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\storm.png (815 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDMSkin.dll (60928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mb_setup.log (2575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\BDMSkin.dll (30464 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Download.dll (4784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\music_play.png (960 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe (11040 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\GlobalPluginInfo.xml (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-fail.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery.color-2.1.2.min.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\AppHTMLGuPiao.xml (440 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\new.png (232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-rain.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxin.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianDll.dll (16 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BrowserNotify.rdb (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\bdb_scheme.dat (1484 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-refresh.png (215 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\executor.xml (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\res\InstallWnd.zip (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.svg (4992 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu1.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\AppHTMLXiaoXi.xml (440 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-tooltip-png8.png (329 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower.png (898 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\CommonRes.rdb (74736 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\duststorm.png (811 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\enter.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db (20 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_g.png (968 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\atl100.dll (10128 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\347.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download.png (177 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\dataReport.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack.css (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerProxy.dll (10128 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\icon_resou.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\head-star-png8.png (450 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDClientProxy.dll (45104 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\overcast.png (680 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ala.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.ttf (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sunny.png (856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-foward.png (156 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-snow.png (918 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings_z.png (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-center.png (122 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\res_gupiao.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_g.png (248 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Heartbeat.dll (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\ssl-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-login-success.png (824 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-back.png (154 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\kuaidi.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe (24048 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sand.png (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp (0 bytes)

The process Baidu.exe:808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\settings\user_setting.db (24 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db-journal (512 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130895171752697500.dat (314 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\stock.pb (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerExe.exe (63735 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db (284596 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db.bak (10 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db-journal (5454 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\novel.pb (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\settings\default_setting.db (24 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db (145 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db-journal (0 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130895171752697500.dat (0 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db-journal (0 bytes)

The process Baidu.exe:1836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Desktop\Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ã§â„¢Â¾Ã¥ÂºÂ¦\Ã¥ÂÂ¸Ã¨Â½Â½Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ã§â„¢Â¾Ã¥ÂºÂ¦\Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)

The process YouQian_Setup.exe:1488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)

Registry activity

The process %original file name%.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 8F 1D B3 33 71 2A 29 F8 42 02 F5 12 48 40 E4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 4A 86 52 67 75 0D F3 B0 95 A1 D3 7C BF 36 EB"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Baidu\BaiduYouQian\packageinstall]
"param" = "Xxjh9G0tXMLez7O2T5upZbVkEFeGSirxy9dYQekwVzz3Z1ikJ jGDPSC0WRykW8aBmNrUQLi0OivztreQTX3edZTHioyulIhwOqiMyhdNK5MIUOU gYtMOfnR5maiaU9pCLak4mk2g7IGTEYLRGOkoo0QxbHsGj8Iv7jDuuJCgpSTL4Y2DQ0HuRIvWnwySHLybfpSRZkg29W8v/4oj0Bw2BJW6DWTg9VdBGmSEvZ1Ts8wvoZ41Dg nELDVclUFp2ihqcJPWYwTXJCCUc98tEqHuPf1CmzlAFFQaavUCwz/Geq45ALZiGAvlfHXZEJ5fQ50uD7lzwPCim6hqqGPp ra6HcmESFC6V1MGyIxU4kJzPtnT2xv67aOTXPT8nGfpbFBbAHxoLdmNabYU fdZPJ c U3HbzBeoO/qJaLe5hDaCjLD0a9EnDBDJ1izfKUw/Wxw0t3hDna1QSle7Y9kQ6bW GTxGl/lceIohXMputK67QsdQZRh QJ6EkgMFnwwh"

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}]
"Policy" = "3"

[HKLM\SOFTWARE\Baidu\Baidu]
"TN" = "SE_Baiduclient_9vpgkwv8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"baidu.exe" = "Ã§â„¢Â¾Ã¥ÂºÂ¦Ã¤Â¸Â»Ã§Â¨â€¹Ã¥ÂºÂ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}]
"AppPath" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ã§â„¢Â¾Ã¥ÂºÂ¦]
"UninstallString" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\uninst.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ã§â„¢Â¾Ã¥ÂºÂ¦]
"DisplayName" = "Ã§â„¢Â¾Ã¥ÂºÂ¦"

[HKLM\SOFTWARE\Baidu\Baidu]
"SupplyID" = "1050103060"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Baidu\Baidu\ConStatus]
"AutoRun" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Baidu\Baidu]
"BrowserSelected" = "2"

"INSTLANG" = "2052"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ã§â„¢Â¾Ã¥ÂºÂ¦]
"Publisher" = "Ã§â„¢Â¾Ã¥ÂºÂ¦Ã¥Å“Â¨Ã§ÂºÂ¿Ã§Â½â€˜Ã§Â»Å“Ã¦Å â‚¬Ã¦Å“Â¯Ã¯Â¼Ë†Ã¥Å’â€”Ã¤ÂºÂ¬Ã¯Â¼â€°Ã¦Å“â€°Ã©â„¢ÂÃ¥â€¦Â¬Ã¥ÂÂ¸"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Baidu\Baidu]
"InstallDir" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Baidu\Baidu]
"Version" = "1.6.200.359"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 F3 D4 F5 5C 98 BD FA 37 40 BE 0D 0F 88 FE 78"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}]
"AppName" = "Baidu.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ã§â„¢Â¾Ã¥ÂºÂ¦]
"DisplayVersion" = "1.6.200.359"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Baidu\Baidu]
"InstallDate" = "2015-10-17"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Baidu\Baidu]
"channel" = "MainFrame=0,SearchBar=1,Tray=1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ã§â„¢Â¾Ã¥ÂºÂ¦]
"DisplayIcon" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe,0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"BaiduClient" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe -noclient"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Baidu.exe:968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 DA D8 51 00 8E 89 5F C8 C9 5B 45 F3 B5 A3 F4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduUpdate.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe:*:Enabled:BaiduUpdate.exe"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduUpdate.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe:*:Enabled:BaiduUpdate.exe"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"baidu.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe:*:Enabled:Baidu.exe"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduBugRpt.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe:*:Enabled:BaiduBugRpt.exe"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduBugRpt.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe:*:Enabled:BaiduBugRpt.exe"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"baidu.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe:*:Enabled:Baidu.exe"

The process Baidu.exe:808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 6E 45 87 80 A4 B7 06 F3 B9 81 4B 11 14 64 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process Baidu.exe:1836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 49 05 4F EF DA A3 46 F1 A0 FB 5D 34 81 09 82"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process Baidu.exe:2540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 7B 70 4F E5 0D 60 A8 C0 2F DA 6B 06 69 05 BE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

The process Baidu.exe:3220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 51 9D B6 76 06 C0 43 91 E1 D8 6D 30 13 E1 38"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

The process YouQian_Setup.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 91 78 4A 9A B4 DF DB F7 0C A0 31 00 18 DD 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Soft
Product Name: ?????
Product Version: 5.2.1.0
Legal Copyright: Soft ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.2.1.0
File Description: dc CAD
Comments: ????
Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	2248704	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	2252800	536576	534528	5.47189	1878ef6ce51cdfb4fdd621cc3b91633b
.rsrc	2789376	24576	24576	3.09822	001b173ba8ca5bdeefda647e026db3f3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://cnrdn.com/rd.htm?id=1384659&r=http://www.baidu.com/	42.156.140.191
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj1?public&code=855660852431bcf426a5bae830564ee1
hxxp://brdlsw.jomodns.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc1?public&code=6fdb767dabadc33d2d6d795070210423
hxxp://dlsw.br.baidu.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe	118.123.210.46

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dlsw.br.baidu.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: JSP3/2.0.13

Date: Sat, 17 Oct 2015 00:57:53 GMT

Content-Type: application/octet-stream

Content-Length: 6831104

Connection: keep-alive

ETag: "554c7256-683c00"

Last-Modified: Fri, 08 May 2015 08:22:46 GMT

Expires: Tue, 24 Nov 2015 10:30:54 GMT

Age: 5322419

Cache-Control: max-age=8640000

Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................p.......B...9............@..............
[email protected]..........
.Hq............h..#...................................................
........................................text....o.......p.............
..... ..`.rdata...*.......,...t..............@[email protected]....~...........
...............@....ndata.......0...........................rsrc...Hq.
......r..................@[email protected].......@[email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ<<< skipped >>>

GET /rd.htm?id=1384659&r=http://VVV.baidu.com/ HTTP/1.1

Referer: hXXp://cnrdn.com/rd.htm?id=1384659&r=http://VVV.baidu.com/

Accept: */*

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Content-Type: application/x-www-form-urlencoded

Host: cnrdn.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: Tengine/1.4.1

Date: Sat, 17 Oct 2015 00:57:52 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Vary: Accept-Encoding
186f..<!DOCTYPE html>.<html>.<head>..<title>CN
ZZ...............................................................</
title>..<meta charset="utf-8" />..<meta http-equiv="X-UA-C
ompatible" content="IE=edge,chrome=1" />..<meta content="yes" na
me="apple-mobile-web-app-capable"/>..<meta content="yes" name="a
pple-touch-fullscreen" />..<meta name="keywords" content="cnzz,.
...........,............,............,............,.........,......,..
..........,............,......,............,seo,............,.........
,.........,............" />..<meta name="description" content="C
NZZ...................................................................
......................................................................
................................................." />..<meta nam
e="author" content="cnzz" />..<meta name="copyright" content="ww
w.cnzz.com" />..<link href="hXXp://VVV.cnzz.com/favicon.ico" rel
="shortcut icon" />..<link href="hXXp://img.cnzz.net/adt/cnzz_rd
/transfer.css" rel="stylesheet"/>.</head>.<body><scr
ipt>.with(document)with(body)with(insertBefore(createElement("scrip
t"),firstChild))setAttribute("exparams","category=&userid=&aplus&yunid
=&&trid=0a930d6b14450434725695389e&asid=AQAAAAAQnSFWbs2PJwAAAACoR 2/bG
zDiA==",id="tb-beacon-aplus",src=(location>"https"?"//g":"//g") ".a
licdn.com/alilog/mlog/aplus_v2.js").</script>...<div class="t
ransfer">...<div class="transfer-inn">....<img src="ht<<< skipped >>>

GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc1?public&code=6fdb767dabadc33d2d6d795070210423 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.153.147.73

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sat, 17 Oct 2015 00:31:11 GMT

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31

Content-Disposition: attachment; filename="uc1"

Accept-Ranges: bytes

x-cdmi-object-size: 10222796

x-cdmi-create-time: 2015-08-20 15:47:19

Content-Length: 10222796

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/octet-stream;charset=UTF-8

........W...list_soft.xml.............................................
......................................................................
......................................................................
..............................................................t...blue
box.png...............................................................
......................................................................
......................................................................
..............................................g...ucweb.png...........
......................................................................
......................................................................
......................................................................
...............................WO.BlueBoxSetup.exe....................
......................................................................
......................................................................
......................................................................
..............PuX.Browser_V3.2.2937.0_f_4070_(Build14120411).exe......
......................................................................
......................................................................
......................................................................
.<?xml version="1.0" encoding="UTF-8" ?>..<Profile>..    &
lt;SoftwareList SuitLabel="............;............;">..        &l
t;Group GroupId="0" name="............">..            <Softw

<<< skipped >>>

GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj1?public&code=855660852431bcf426a5bae830564ee1 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.153.147.73

Connection: Keep-Alive


HTTP/1.1 200 OK

Date: Sat, 17 Oct 2015 00:31:11 GMT

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31

Content-Disposition: attachment; filename="7gj1"

Accept-Ranges: bytes

x-cdmi-object-size: 9894214

x-cdmi-create-time: 2015-09-21 09:04:14

Content-Length: 9894214

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/octet-stream;charset=UTF-8

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......b.6 &.Xs&.Xs
&.Xs.r*s*.Xs.p&s/.Xs.r%s..Xs.r5sa.Xs...s .Xs/..s$.Xs&.Ys..Xs...s..Xs.r
6s..Xs.r"s'.Xs.r$s'.Xs&.Xs'.Xs.r s'.XsRich&.Xs........................
PE..L......U................. ..........p........0....@...............
........... ..........................................Au......h.......
.1..............`............8..................................@.....
.......0...............................text............ ..............
.... ..`.rdata.......0.......0..............@[email protected]........@...@...@
[email protected].......@..................@..@............
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_856:

`.rsrc

t$(SSh

~%UVW

.tTPV

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

u$SShe

user32.dll

urlmon

ole32.dll

shell32.dll

RegOpenKeyA

RegEnumKeyA

MsgWaitForMultipleObjects

URLDownloadToFileA

D:\dream

D:\dream\win1.log

QQPCTray.exe

D:\dream\winky.log

360tray.exe

D:\dream\win2.log

D:\dream\winzmbd.log

C:\Users\Public\Desktop\UC

%Documents and Settings%\All Users\

Software\Microsoft\Windows\CurrentVersion\Uninstall

Software\Microsoft\Windows\CurrentVersion\Uninstall\

Windows

C:\Users\Public\Desktop\2345

C:\Users\Public\Desktop\

D:\dream\b2.bat

D:\dream\2k

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2k?public&code=bc96045fad7c5e598098b4c38960a58f

D:\dream\2345pic_k1252705.exe

D:\dream\2345pic_k1252705.exe -s1

2345pic_k1252705.exe

C:\Users\

%Documents and Settings%\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall

D:\dream\1.bat

hXXp://cnrdn.com/rd.htm?id=1434474&r=http://VVV.baidu.com/

WinHttp.WinHttpRequest.5.1

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Content-Type: application/x-www-form-urlencoded

D:\dream\ky

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/jm/1/ky?public&code=618009ec0030ff56d26737fbb6a007aa

D:\dream\Kuaizip_Setup_7654_1061607.exe

D:\dream\Kuaizip_Setup_7654_1061607.exe /JingMo

hXXp://cnrdn.com/rd.htm?id=1486675&r=http://VVV.baidu.com/

D:\dream\b.bat

D:\dream\2b1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b1?public&code=afee9a3d69bbe1feef1f6dc8cfde1cbf

D:\dream\2b2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b2?public&code=02bb6661abd99ff72259707a9b53c750

D:\dream\2b3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b3?public&code=8ce18dbc7b1a421fa4d0ffe8392ee432

D:\dream\2b4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b4?public&code=b3a42642be7f0a15054e0695b2b9447f

D:\dream\2b5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b5?public&code=c9e36403780d6acd5f66e1bc35d1838d

D:\dream\2345explorer_k1252705.exe

D:\dream\2345explorer_k1252705.exe -s1

2345explorer_k1252705.exe

hXXp://cnrdn.com/rd.htm?id=1438531&r=http://VVV.baidu.com/

D:\dream\zy

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078

D:\dream\lgezy

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/3/lge?public&code=84c5751f6a57ab5839dc76a83b46d24d

D:\dream\BlueInstaller_bsvalkkx_101101_.exe

D:\dream\BlueResource.bpk

set "w71=Microsoft\Windows\Start Menu\Programs"

set "w72=Microsoft\Windows\Start Menu"

"%USERPROFILE%\%xp1%"

"%ALLUSERSPROFILE%\%xp1%"

"%USERPROFILE%\%xp2%"

"%ALLUSERSPROFILE%\%xp2%"

reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f

D:\dream\2.bat

hXXp://cnrdn.com/rd.htm?id=1491046&r=http://VVV.baidu.com/

D:\dream\7b1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b1?public&code=65e1f8bb6a35d835ac36afb3fe114df0

D:\dream\7b2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b2?public&code=75e1b53f8002b8fcbef1533ddcf838f3

D:\dream\7b3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b3?public&code=2bb598cb60451c4b4c1930932c14c586

D:\dream\7b4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b4?public&code=4cdbf863df18a09984db8531c4f8dac0

D:\dream\7b5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b5?public&code=192609a39126a61929211de82ef70fd6

D:\dream\bdBrowserSetup-5956-ftn_1050103060.exe

hXXp://cnrdn.com/rd.htm?id=1483547&r=http://VVV.baidu.com/

D:\dream\uc1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc1?public&code=6fdb767dabadc33d2d6d795070210423

D:\dream\uc2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc2?public&code=fc17f9c282f24d1cb0252ce893cddb8f

D:\dream\uc3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc3?public&code=950c1793575761983e9f4158bbce1bc5

D:\dream\uc4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc4?public&code=4521c8d77cc1a0a675996ecf979e172c

D:\dream\uc5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc5?public&code=7ec7b3ccb21e6f94450c8a28eeed7c0e

D:\dream\uc6

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc6?public&code=d05b6e4a191a5f39789a63a568014257

D:\dream\lgeuc

D:\dream\3.bat

hXXp://cnrdn.com/rd.htm?id=1438530&r=http://VVV.baidu.com/

D:\dream\7GJ1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj1?public&code=855660852431bcf426a5bae830564ee1

D:\dream\7GJ2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj2?public&code=559f2fd5eae8a65b9c76b7e06baadf9f

D:\dream\7GJ3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj3?public&code=90f7aa8c1fe3f4c7fb2afcb21556be79

D:\dream\7GJ4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj4?public&code=c707ac8ce76d6128340264348878791d

D:\dream\7GJ5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj5?public&code=8be55fde74c8db8826421a15c32e49a3

D:\dream\PCMgr_Setup_10_8_16208_227(123004164).exe

hXXp://cnrdn.com/rd.htm?id=1486784&r=http://VVV.baidu.com/

D:\dream\zmbd

hXXp://dlsw.br.baidu.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe

D:\dream\Baidu_Setup_1.6.200.359_ftn_1050103060.exe

hXXp://cnrdn.com/rd.htm?id=1442397&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1489464&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1384177&r=http://VVV.baidu.com/

D:\MM-liao9728.exe

D:\MM-liao

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424

hXXp://cnrdn.com/rd.htm?id=1490574&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1384659&r=http://VVV.baidu.com/

%Ui,)

tüV

1.2.18

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

portuguese-brazilian

iphlpapi.dll

SHLWAPI.dll

MPR.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

Service Pack %d

Windows 2003

Windows XP

Windows 2000

Windows NT

Windows ??

Windows Millenium Edition

Windows 98 Second Edition

Windows 98 SP1

Windows 98

Windows 95 OSR2

Windows 95 SP1

Windows 95

Windows CE

Microsoft Windows Me

Microsoft Windows 98

Microsoft Windows 95

Microsoft Windows 2003

Microsoft Windows XP

Microsoft Windows 2000

Microsoft Windows NT

KERNEL32.DLL

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

perl.exe

63c37bf685e453975c01269.exe

cmd.exe

263c37bf685e453975c01269.exe

x86 9.0.30729.4148

c:\%original file name%.exe

GetCPInfo

GetWindowsDirectoryA

WinExec

GetProcessHeap

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

GetViewportExtEx

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

ShellExecuteA

GetKeyboardLayout

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

CreateDialogIndirectParamA

.text

.rdata

@.data

.rsrc

<assemblyIdentity version="1.0.0.0" name=".add"/>

????????<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />

ADVAPI32.dll

AVIFIL32.dll

COMCTL32.dll

comdlg32.dll

GDI32.dll

MSVFW32.dll

OLEAUT32.dll

RASAPI32.dll

SHELL32.dll

USER32.dll

VERSION.dll

WININET.dll

WINMM.dll

WINSPOOL.DRV

WS2_32.dll

(*.*)

5.2.1.0

%original file name%.exe_856_rwx_00401000_002A7000:

t$(SSh

~%UVW

.tTPV

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

u$SShe

user32.dll

urlmon

ole32.dll

shell32.dll

RegOpenKeyA

RegEnumKeyA

MsgWaitForMultipleObjects

URLDownloadToFileA

D:\dream

D:\dream\win1.log

QQPCTray.exe

D:\dream\winky.log

360tray.exe

D:\dream\win2.log

D:\dream\winzmbd.log

C:\Users\Public\Desktop\UC

%Documents and Settings%\All Users\

Software\Microsoft\Windows\CurrentVersion\Uninstall

Software\Microsoft\Windows\CurrentVersion\Uninstall\

Windows

C:\Users\Public\Desktop\2345

C:\Users\Public\Desktop\

D:\dream\b2.bat

D:\dream\2k

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2k?public&code=bc96045fad7c5e598098b4c38960a58f

D:\dream\2345pic_k1252705.exe

D:\dream\2345pic_k1252705.exe -s1

2345pic_k1252705.exe

C:\Users\

%Documents and Settings%\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall

D:\dream\1.bat

hXXp://cnrdn.com/rd.htm?id=1434474&r=http://VVV.baidu.com/

WinHttp.WinHttpRequest.5.1

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Content-Type: application/x-www-form-urlencoded

D:\dream\ky

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/jm/1/ky?public&code=618009ec0030ff56d26737fbb6a007aa

D:\dream\Kuaizip_Setup_7654_1061607.exe

D:\dream\Kuaizip_Setup_7654_1061607.exe /JingMo

hXXp://cnrdn.com/rd.htm?id=1486675&r=http://VVV.baidu.com/

D:\dream\b.bat

D:\dream\2b1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b1?public&code=afee9a3d69bbe1feef1f6dc8cfde1cbf

D:\dream\2b2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b2?public&code=02bb6661abd99ff72259707a9b53c750

D:\dream\2b3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b3?public&code=8ce18dbc7b1a421fa4d0ffe8392ee432

D:\dream\2b4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b4?public&code=b3a42642be7f0a15054e0695b2b9447f

D:\dream\2b5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b5?public&code=c9e36403780d6acd5f66e1bc35d1838d

D:\dream\2345explorer_k1252705.exe

D:\dream\2345explorer_k1252705.exe -s1

2345explorer_k1252705.exe

hXXp://cnrdn.com/rd.htm?id=1438531&r=http://VVV.baidu.com/

D:\dream\zy

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078

D:\dream\lgezy

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/3/lge?public&code=84c5751f6a57ab5839dc76a83b46d24d

D:\dream\BlueInstaller_bsvalkkx_101101_.exe

D:\dream\BlueResource.bpk

set "w71=Microsoft\Windows\Start Menu\Programs"

set "w72=Microsoft\Windows\Start Menu"

"%USERPROFILE%\%xp1%"

"%ALLUSERSPROFILE%\%xp1%"

"%USERPROFILE%\%xp2%"

"%ALLUSERSPROFILE%\%xp2%"

reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f

D:\dream\2.bat

hXXp://cnrdn.com/rd.htm?id=1491046&r=http://VVV.baidu.com/

D:\dream\7b1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b1?public&code=65e1f8bb6a35d835ac36afb3fe114df0

D:\dream\7b2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b2?public&code=75e1b53f8002b8fcbef1533ddcf838f3

D:\dream\7b3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b3?public&code=2bb598cb60451c4b4c1930932c14c586

D:\dream\7b4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b4?public&code=4cdbf863df18a09984db8531c4f8dac0

D:\dream\7b5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b5?public&code=192609a39126a61929211de82ef70fd6

D:\dream\bdBrowserSetup-5956-ftn_1050103060.exe

hXXp://cnrdn.com/rd.htm?id=1483547&r=http://VVV.baidu.com/

D:\dream\uc1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc1?public&code=6fdb767dabadc33d2d6d795070210423

D:\dream\uc2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc2?public&code=fc17f9c282f24d1cb0252ce893cddb8f

D:\dream\uc3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc3?public&code=950c1793575761983e9f4158bbce1bc5

D:\dream\uc4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc4?public&code=4521c8d77cc1a0a675996ecf979e172c

D:\dream\uc5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc5?public&code=7ec7b3ccb21e6f94450c8a28eeed7c0e

D:\dream\uc6

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc6?public&code=d05b6e4a191a5f39789a63a568014257

D:\dream\lgeuc

D:\dream\3.bat

hXXp://cnrdn.com/rd.htm?id=1438530&r=http://VVV.baidu.com/

D:\dream\7GJ1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj1?public&code=855660852431bcf426a5bae830564ee1

D:\dream\7GJ2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj2?public&code=559f2fd5eae8a65b9c76b7e06baadf9f

D:\dream\7GJ3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj3?public&code=90f7aa8c1fe3f4c7fb2afcb21556be79

D:\dream\7GJ4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj4?public&code=c707ac8ce76d6128340264348878791d

D:\dream\7GJ5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj5?public&code=8be55fde74c8db8826421a15c32e49a3

D:\dream\PCMgr_Setup_10_8_16208_227(123004164).exe

hXXp://cnrdn.com/rd.htm?id=1486784&r=http://VVV.baidu.com/

D:\dream\zmbd

hXXp://dlsw.br.baidu.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe

D:\dream\Baidu_Setup_1.6.200.359_ftn_1050103060.exe

hXXp://cnrdn.com/rd.htm?id=1442397&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1489464&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1384177&r=http://VVV.baidu.com/

D:\MM-liao9728.exe

D:\MM-liao

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424

hXXp://cnrdn.com/rd.htm?id=1490574&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1384659&r=http://VVV.baidu.com/

%Ui,)

tüV

1.2.18

inflate 1.1.3 Copyright 1995-1998 Mark Adler

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

portuguese-brazilian

iphlpapi.dll

SHLWAPI.dll

MPR.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

Service Pack %d

Windows 2003

Windows XP

Windows 2000

Windows NT

Windows ??

Windows Millenium Edition

Windows 98 Second Edition

Windows 98 SP1

Windows 98

Windows 95 OSR2

Windows 95 SP1

Windows 95

Windows CE

Microsoft Windows Me

Microsoft Windows 98

Microsoft Windows 95

Microsoft Windows 2003

Microsoft Windows XP

Microsoft Windows 2000

Microsoft Windows NT

KERNEL32.DLL

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÁ

perl.exe

63c37bf685e453975c01269.exe

cmd.exe

263c37bf685e453975c01269.exe

x86 9.0.30729.4148

c:\%original file name%.exe

GetCPInfo

GetWindowsDirectoryA

WinExec

GetProcessHeap

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

GetViewportExtEx

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

ShellExecuteA

GetKeyboardLayout

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

CreateDialogIndirectParamA

.text

.rdata

@.data

.rsrc

(*.*)

Baidu_Setup_1.6.200.359_ftn_1050103060.exe_1308:

.text

`.rdata

@.data

.ndata

.rsrc

@.reloc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

GetAsyncKeyState

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

uKeY

) %s#

OZ.nfwV

5m6c6

8$8@8_8~8

= =)=4=;=

6o6s6z6

6)646*959

3"4'4.434:4?4

0 0(050<0{0

7%7s7

4 4$4(4,404

; ;$;(;3;

7 7$7(7,707

5 5$5(5,505

: :$:(:,:

; ;$;,;@;`;

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

logging set to %d

settings logging to %d

created uninstaller: %d, "%s"

WriteReg: error creating key "%s\%s"

WriteReg: error writing into "%s\%s" "%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

DeleteRegKey: "%s\%s"

DeleteRegValue: "%s\%s" "%s"

WriteINIStr: wrote [%s] %s=%s in %s

CopyFiles "%s"->"%s"

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

Error registering DLL: Could not load %s

Error registering DLL: %s not found in %s

GetTTFFontName(%s) returned %s

GetTTFVersionString(%s) returned %s

Exec: failed createprocess ("%s")

Exec: success ("%s")

Exec: command="%s"

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

Exch: stack < %d elements

RMDir: "%s"

MessageBox: %d,"%s"

Delete: "%s"

File: wrote %d to "%s"

File: skipped: "%s" (overwriteflag=%d)

File: error creating "%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

Rename failed: %s

Rename on reboot: %s

Rename: %s

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" exists, jumping %d

CreateDirectory: "%s" created

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: "%s" (%d)

SetFileAttributes: "%s":X

Sleep(%d)

detailprint: %s

Call: %d

Aborting: "%s"

Jump: %d

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

install.log

%u.%u%s%s

Skipping section: "%s"

Section: "%s"

New install of "%s" to "%s"

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|<>/":

invalid registry key

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

x%c

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory invalid input("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile("%s")

%s: failed opening file "%s"

S~1\Temp\nsq3.tmp\InstallHelper.dll

\msvcr80.dll

80.CRT.manifest

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3.tmp\InstallHelper.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3.tmp

nsq3.tmp

File: wrote 802816 to "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3.tmp\InstallHelper.dll"

nsq3.tmp\InstallHelper.dll"

1.6.200.359

:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq3.tmp

D:\dream\Baidu_Setup_1.6.200.359_ftn_1050103060.exe

%WinDir%\Temp\baidu\youqian

%WinDir%\Temp\baidu\youqian\

Microsoft.VC80.CRT

D:\dream

Baidu_Setup_1.6.200.359_ftn_1050103060.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

1.6.200.359

Baidu_Setup_1.6.200.359_ftn_1050103060.exe_492:

.text

`.rdata

@.data

.ndata

.rsrc

@.reloc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

GetAsyncKeyState

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

>ÌW

s.Zn|

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

&hXXps://VVV.globalsign.com/repository/03

"hXXp://crl.globalsign.net/root.crl0

hXXp://ts-ocsp.ws.symantec.com07

 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

&hXXps://VVV.globalsign.com/repository/0

-hXXp://crl.globalsign.com/gs/gscodesigng2.crl0

4hXXp://secure.globalsign.com/cacert/gscodesigng2.crt04

(hXXp://ocsp2.globalsign.com/gscodesigng20

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

hXXp://mini.baidu.com 0

System.dll

2Beijing baidu Netcom science and technology co.ltd1>0<

2Beijing baidu Netcom science and technology co.ltd0

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

<VeriSign Class 3 Public Primary Certification Authority - G50

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

K7.cX?

>>>.AAA

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

logging set to %d

settings logging to %d

created uninstaller: %d, "%s"

WriteReg: error creating key "%s\%s"

WriteReg: error writing into "%s\%s" "%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

DeleteRegKey: "%s\%s"

DeleteRegValue: "%s\%s" "%s"

WriteINIStr: wrote [%s] %s=%s in %s

CopyFiles "%s"->"%s"

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

Error registering DLL: Could not load %s

Error registering DLL: %s not found in %s

GetTTFFontName(%s) returned %s

GetTTFVersionString(%s) returned %s

Exec: failed createprocess ("%s")

Exec: success ("%s")

Exec: command="%s"

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

Exch: stack < %d elements

RMDir: "%s"

MessageBox: %d,"%s"

Delete: "%s"

File: wrote %d to "%s"

File: skipped: "%s" (overwriteflag=%d)

File: error creating "%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

Rename failed: %s

Rename on reboot: %s

Rename: %s

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" exists, jumping %d

CreateDirectory: "%s" created

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: "%s" (%d)

SetFileAttributes: "%s":X

Sleep(%d)

detailprint: %s

Call: %d

Aborting: "%s"

Jump: %d

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

install.log

%u.%u%s%s

Skipping section: "%s"

Section: "%s"

New install of "%s" to "%s"

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|<>/":

invalid registry key

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

x%c

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory invalid input("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile("%s")

%s: failed opening file "%s"

1\"%CurrentUserName%"\LOCALS~1\Temp\nsr6.tmp\InstallHelper.dll

lient\1.6.200.359\Baidu.exe" -i 2#"%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359" -p 3

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr6.tmp\InstallHelper.dll

Poicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr6.tmp

aidu\BaiduClient\1.6.200.359

\Baidu.exe" -noclient

ient\1.6.200.359

callback%d

kernel32.dll

nsr6.tmp

File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr6.tmp\InstallHelper.dll" (overwriteflag=1)

stallHelper.dll"

:\Documents and Settings\"%CurrentUserName%"\AppData\Local\Baidu\BaiduClient\1.6.200.359" -p 3")

\Local\Baidu\BaiduClient\1.6.200.359"

ient\1.6.200.359\BDClientProxy.dll

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359" -p 3

1050103060

.200.359_ftn_1050103060.exe

\WINDOWS\Temp\baidu\youqian\

\Baidu_Setup_1.6.200.359_ftn_1050103060.exe" /S

050103060.exe

"%WinDir%\Temp\baidu\youqian\

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359

yinyue\1.0.0.0

1.0.0.2

%WinDir%\Temp\baidu\youqian\

Baidu_Setup_1.6.200.359_ftn_1050103060.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr4.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

\Baidu_Setup_1.6.200.359_ftn_1050103060.exe

%Documents and Settings%\%current user%\Desktop

%Documents and Settings%\%current user%\Start Menu\Programs

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient

%Documents and Settings%\All Users

%Documents and Settings%\All Users\Application Data

%Documents and Settings%\%current user%\Application Data

1.6.200.359

Baidu.exe_808:

.text

`.rdata

@.data

.rsrc

@.reloc

Base.dll

Utils.dll

WS2_32.dll

Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag

unsupported version

asio.misc

asio.misc error

thread.entry_event

thread.exit_event

E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/IPCMessager.h

E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/ChildProcess.h

CChildProcess::HandleMsg() invalid message id.

Base::Process::CChildProcess::HandleMsg

BrowserProcess.cpp

NeedInstallNewVersion:%d

DecodeMsgContent() serialization error

DecodeMsgContent

E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/IPCMessageDef.h

E:\MiniBaidu\minibaidu_stable_proj\Include\boost/exception/detail/exception_ptr.hpp

EncodeMsgContent() serialization error

EncodeMsgContent

BrowserShell.cpp

Heartbeat.dll

BDMSkin.dll

Skins\CommonRes.rdb

UIHandler.dll

BrowserFrame.dll

C:\Windows\System32\riched20.dll

e:\minibaidu\minibaidu_client_proj\source\brbrowser\AppPrefetcher.h

open file error: %x

BrowserShellMain.cpp

CommonWorkerProcess.cpp

CCommonWorkerProcess::HandleMsg Fail to handle %d message.

CCommonWorkerProcess::HandleMsg

CCommonWorkerProcess::GetInstance Fail to get %d instance

Report %d data

CCommonWorkerProcess::HandleReportJob

CCommonWorkerProcess::HandleReportJob Fail to handle %d message

GetReportMgr

ReleaseReportMgr

CCommonWorkerProcess::HandleProtocolJob Fail to handle %d message

boost thread: trying joining itself

E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/AsyncTask.h

PluginMgrProcess.cpp

RendererProcess.cpp

E:\MiniBaidu\Basic\Output\BinRelease\Baidu.pdb

?QueryKeyValue@Register@Base@@YAHPAUHKEY__@@PB_W1PA_WPAK@Z

Report.dll

MSVCP100.dll

MSVCR100.dll

_amsg_exit

_acmdln

_crt_debugger_hook

GetProcessHeap

CreateIoCompletionPort

KERNEL32.dll

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

ADVAPI32.dll

ole32.dll

ShellExecuteW

SHELL32.dll

SHLWAPI.dll

WINMM.dll

.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USLaunchDone@ControlMsg@@@serialization@boost@@@detail@serialization@boost@@

.?AV?$singleton@V?$extended_type_info_typeid@USLaunchDone@ControlMsg@@@serialization@boost@@@serialization@boost@@

.?AV?$extended_type_info_typeid@USLaunchDone@ControlMsg@@@serialization@boost@@

.?AV?$singleton_wrapper@V?$iserializer@Vbinary_iarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$iserializer@Vbinary_iarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@

.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USRunDone@ControlMsg@@@serialization@boost@@@detail@serialization@boost@@

.?AV?$singleton@V?$extended_type_info_typeid@USRunDone@ControlMsg@@@serialization@boost@@@serialization@boost@@

.?AV?$extended_type_info_typeid@USRunDone@ControlMsg@@@serialization@boost@@

.?AV?$oserializer@Vbinary_oarchive@archive@boost@@USRunDone@ControlMsg@@@detail@archive@boost@@

.?AV?$singleton_wrapper@V?$oserializer@Vbinary_oarchive@archive@boost@@USRunDone@ControlMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$oserializer@Vbinary_oarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@

.?AV?$singleton_wrapper@V?$oserializer@Vbinary_oarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$bind_t@_NV?$mf1@_NVCChildProcess@Process@Base@@ABUSIPCMsg@IPCMessager@3@@_mfi@boost@@V?$list2@V?$value@V?$shared_ptr@VCChildProcess@Process@Base@@@boost@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@

.?AUSLaunchDone@ControlMsg@@

.?AUSRunDone@ControlMsg@@

.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USHostLoginNotification@CommonServiceMsg@@@serialization@boost@@@detail@serialization@boost@@

.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USHostDoReport@CommonServiceMsg@@@serialization@boost@@@detail@serialization@boost@@

.?AV?$singleton@V?$extended_type_info_typeid@USHostLoginNotification@CommonServiceMsg@@@serialization@boost@@@serialization@boost@@

.?AV?$extended_type_info_typeid@USHostLoginNotification@CommonServiceMsg@@@serialization@boost@@

.?AV?$singleton@V?$extended_type_info_typeid@USHostDoReport@CommonServiceMsg@@@serialization@boost@@@serialization@boost@@

.?AV?$extended_type_info_typeid@USHostDoReport@CommonServiceMsg@@@serialization@boost@@

.?AV?$singleton_wrapper@V?$iserializer@Vbinary_iarchive@archive@boost@@USHostLoginNotification@CommonServiceMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$singleton_wrapper@V?$iserializer@Vbinary_iarchive@archive@boost@@USHostDoReport@CommonServiceMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$iserializer@Vbinary_iarchive@archive@boost@@USHostLoginNotification@CommonServiceMsg@@@detail@archive@boost@@

.?AV?$iserializer@Vbinary_iarchive@archive@boost@@USHostDoReport@CommonServiceMsg@@@detail@archive@boost@@

.?AV?$bind_t@XV?$mf1@XVCCommonWorkerProcess@@ABUSIPCMsg@IPCMessager@Base@@@_mfi@boost@@V?$list2@V?$value@V?$shared_ptr@VCCommonWorkerProcess@@@boost@@@_bi@boost@@V?$value@USIPCMsg@IPCMessager@Base@@@23@@_bi@3@@_bi@boost@@

.?AUSHostDoReport@CommonServiceMsg@@

.?AUSHostLoginNotification@CommonServiceMsg@@

%uuqb

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

?"?4?;?|?

;%;*;2;{;

5T5C5R5a5p5

= =$=(=,=0=4=8=<=@=

9 9@9`9|9

3 3$3(3,30343<3@3

A8706990-9490-4106-8033-12E64714B86B

Protocol.dll

CHROMECORE_PROCESS

\WebkitEngine.dll

\TridentEngine.dll

chrome-extension

login

url-safe

res://LocalPages.dll/

.html

.br.baidu.com

.bdl.brs

--default-chromecore-path=

--disable-chromecore

Reply msg to parent

Start hearbeat and send heartbeat msg.

password

C1BB4C06-D91C-47D8-B28E-E76B943205E9

user32.dll

\LogicMisc.dll

\UIHandler.dll

Upd.dat

BaiduUpdate.exe

\BrowserFrame.dll

\Heartbeat.dll

%ws\Utils.dll

%ws\Base.dll

Leave PrefetchData:readFile error code=%d

Enter Base::MemoryOptimizer::Instance().Start()

Leave Base::MemoryOptimizer::Instance().Start()

Baidu.exe

@\CommonWorker.dll

Failed in init CommonWorker.dll instance.

pCCommonWorkerProcess::Run installationTask = %s

CCommonWorkerProcess::Run customid = %d shmoffset = %d

CCommonWorkerProcess::HandleInstallationTask() strTaskType=%s strTaskParam=%s

BaiduBugRpt.exe

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

uninst.exe

HandleSCNotifyTask ItemID = %d shmoffset = %d

HandleSCNotifyTask wszSrcFileName = %s

HandleSCNotifyTask monitorid = %d

HandleSCNotifyTask eventType = %d

ShellExecute result = %d

sBDClientProxy.dll

Software\Microsoft\Windows\CurrentVersion\Run

ClientRegAddValueToList result = %d

nClientRegSetValueEx result = %d

GetDefenseSwitch value = %s

GetDefenseSwitch Read Reg failed! err = %d

\PluginMgr.dll

p\BrowserCore.dll

1.6.200.359

CheckerExe.exe_2864:

.text

`.rdata

@.data

.rsrc

@.reloc

t6;.u%Sj

aSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

t.Wh,

Visual C   CRT: Not enough memory to complete call to strerror.

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

.mixcrt

KERNEL32.DLL

mscoree.dll

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

USER32.DLL

kernel32.dll

portuguese-brazilian

..\src\google\protobuf\message_lite.cc

CHECK failed: !coded_out.HadError():

libprotobuf %s %s:%d] %s

%d.%d.%d

..\src\google\protobuf\stubs\common.cc

..\src\google\protobuf\io\coded_stream.cc

..\src\google\protobuf\io\zero_copy_stream_impl_lite.cc

Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag

CHECK failed: (from.GetDescriptor()) == (descriptor):

..\src\google\protobuf\message.cc

: Tried to copy from a message with a different type.to:

..\src\google\protobuf\descriptor.cc

". To use it here, please add the necessary import.

", which is not imported by "

.PLACEHOLDER_VALUE

.placeholder.proto

map key must name a scalar or string field.

map_key must not name a repeated field.

$0$1 = $2

.dummy

FieldDescriptorProto.extendee set for non-extension field.

FieldDescriptorProto.extendee not set for extension field.

Files that do not use optimize_for = LITE_RUNTIME cannot import files which do use this option. This file is not lite, but it imports "

$0$1 $2 $3 = $4

CHECK failed: dynamic.get() != NULL:

.foo = value".

CHECK failed: !out.HadError():

" is repeated. Repeated options are not supported.

Import "

Missing field: FileDescriptorProto.name.

File recursively imports itself:

..\src\google\protobuf\wire_format.cc

..\src\google\protobuf\reflection_ops.cc

..\src\google\protobuf\generated_message_reflection.cc

\xx

..\src\google\protobuf\stubs\strutil.cc

?..\src\google\protobuf\descriptor.pb.cc

google/protobuf/descriptor.proto

google/protobuf/descriptor.proto

google.protobuf"G

2$.google.protobuf.FileDescriptorProto"

2 .google.protobuf.DescriptorProto

2$.google.protobuf.EnumDescriptorProto

2'.google.protobuf.ServiceDescriptorProto

2%.google.protobuf.FieldDescriptorProto

.google.protobuf.FileOptions

.google.protobuf.SourceCodeInfo"

2/.google.protobuf.DescriptorProto.ExtensionRange

.google.protobuf.MessageOptions

2 .google.protobuf.FieldDescriptorProto.Label

2*.google.protobuf.FieldDescriptorProto.Type

.google.protobuf.FieldOptions"

2).google.protobuf.EnumValueDescriptorProto

.google.protobuf.EnumOptions"l

2!.google.protobuf.EnumValueOptions"

2&.google.protobuf.MethodDescriptorProto

.google.protobuf.ServiceOptions"

.google.protobuf.MethodOptions"

2).google.protobuf.FileOptions.OptimizeMode:

2$.google.protobuf.UninterpretedOption":

2$.google.protobuf.UninterpretedOption*

2#.google.protobuf.FieldOptions.CType:

experimental_map_key

2$.google.protobuf.UninterpretedOption"/

2-.google.protobuf.UninterpretedOption.NamePart

2(.google.protobuf.SourceCodeInfo.Location

com.google.protobufB

Tokenizer::ParseInteger() passed text that could not have been tokenized as an integer:

..\src\google\protobuf\io\tokenizer.cc

Tokenizer::ParseFloat() passed text that could not have been tokenized as a float:

Tokenizer::ParseStringAppend() passed text that could not have been tokenized as a string:

..\src\google\protobuf\dynamic_message.cc

..\src\google\protobuf\text_format.cc

..\src\google\protobuf\stubs\substitute.cc

..\src\google\protobuf\descriptor_database.cc

Invalid file descriptor data passed to EncodedDescriptorDatabase::Add().

..\src\google\protobuf\extension_set.cc

CHECK failed: iter != extensions_.end():

..\src\google\protobuf\extension_set_heavy.cc

inflate 1.2.5 Copyright 1995-2010 Mark Adler

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

CustomId: %u, %ls: %d, %u

- unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

.\main.cpp

CustomId: %u, %ls, %ls

D:\bdzc\stable_proj\include\thirdInclude\boost/exception/detail/exception_ptr.hpp

asio.misc

asio.misc error

Report::CReportData::PackToProtoDataItem

.\ReportMgr.cpp

val(%s):

Report::CReportData::PackReportData

..\..\Include\msg.pb.cc

datapkg.FieldsList

datapkg.DataType

datapkg.ResPonse

DataReport --- Server Disable Report !!

Report::CReportClient::CanReport

.\ReportClient.cpp

DataReport --- ReportID %u Banned !!

DataReport --- AsyncReport : Not Allowed !!

Report::CReportClient::AsyncReport

DataReport --- AsyncReport : AddPacketToQueue cmdid=%u length=%u

DataReport --- AsyncReport : End

DataReport --- SyncReport : Not Allowed !!

Report::CReportClient::SyncReport

DataReport --- SyncReport : begin

DataReport --- SyncReport : CreateEvent

DataReport --- SyncReport : AddPacketToQueue cmdid=%u length=%u

DataReport --- SyncReport : WaitForSingleObject wait=%u

DataReport --- SyncReport : WaitForSingleObject result=%d

DataReport --- SyncReport : End

DataReport::AddPacketToQueue

.\PacketQueue.cpp

DataReport::AddPacketToQueue %u records

Report::TransportMgr::TransportMgr

.\TransportMgr.cpp

DataReport::StopTransportThread 1, uiWaitTime=%u

Report::TransportMgr::StopTransportThread

DataReport::StopTransportThread 2

TransportMgr::OnResponse errorcode = %d

Report::TransportMgr::OnResponse

Report::TransportMgr::LoadPacketData

DataReport::LoadPacketData Change file success, new filesize = %u

DataReport::LoadPacketData Change file failed! Clear file

DataReport::LoadPacketData Clear file

DataReport::SaveAndErasePacket cache file is full!

Report::TransportMgr::SaveAndErasePacket

DataReport::SaveAndErasePacket save %d records

Report::TransportMgr::SaveAndEraseQueuePacket

DataReport::SaveAndEraseQueuePacket save %d records

DataReport::start!

Report::TransportMgr::Working

DataReport::TransportPacket success

DataReport::TransportPacket failed[%d], buffer is full, try save [%u] records to file!

DataReport::TransportPacket failed[%d], save it to buffer! buffer size = %u

DataReport::TransportPacket failed becouse of server error, we abandon it!

DataReport::TransportPacket Deal Cache !!

DataReport::TransportPacket DealCacheLimit=%u LastCacheNum=%u NewCacheNum=%u

DataReport::TransportPacket Decrease Limit !! DealCacheLimit=%u

DataReport::TransportPacket Increase Limit !! DealCacheLimit=%u

DataReport::TransportPacket buffer size = %u

DataReport::TransportPacket Load [%u] buffer Packet to Queue!

DataReport::stop!

DataReport::TransportPacket Begin!

Report::TransportMgr::TransportPacket

DataReport::TransportPacket SendPacket error = %d tryCount = %d

DataReport::SendPacket Error: %d, Wait %u seconds, then try again

DataReport::SendPacket Error: %d, MAX_TRY_COUNT return

DataReport::SendPacket Connect error: lost %u ms, sleep 10 s!

Report::TransportMgr::SendPacket

DataReport::SendPacket success: use %u ms!

DataReport::SendPacket Get Svr Response: use %u ms! errcode = %u

HandleResponse Static response cnt = %d MsgType = %d errorCode = %d

Report::CReportResponseHandler::HandleResponse

.\ReportNetComm.cpp

Report::CReportNetComm::CReportNetComm

hXXp://dr.zc.baidu.com

CBDMReportNetComm::RpcRequestData CmdID=%u Length=%u

Report::CReportNetComm::RpcRequestData

CBDMReportNetComm::RpcRequestData Fail !!

Basic_Report

Basic_BugReport

(%d/%d)%d-d-d_d:d:d.d_%s %s_%s:%s

(%d) d:d:d.d %s %s_%s: %s

{7AFAC7CE-6A89-4385-8861-5075F44ECC7F}

.\Config\Config.cpp

.\Config\CompoundDoc\CompoundDoc.cpp

SetCrypt service_id=%d url=%s

SetServiceUrl

.\src\Protocol\AuroraServiceImpl.cpp

InitProductParam ver=%s soft_id=%d supply_id=%d product_id=%d

.\src\Protocol\AuroraProtocol.cpp

1234567890111111

bena::protocol::ProtobufPack::UpdateSoftParam

\NetService.ini

ServiceUrl.%d

D:\bdzc\stable_proj\include\thirdInclude\boost/property_tree/ini_parser.hpp

key expected

duplicate key name

D:\bdzc\stable_proj\include\thirdInclude\boost/property_tree/string_path.hpp

thread.entry_event

thread.exit_event

.\src\Protocol\RpcClient.cpp

boost thread: trying joining itself

header.proto

.\bena\Protocol\proto\header.pb.cc

header.proto"

127.0.0.1

bena::http::client::do_async_request

D:\bdzc\BasicModule\Source\Protocol\bena/http/client.h

bena::http::client::~client

.\src\http\client.cpp

bena::http::client::close_for_destruct

bena::http::client::close

bena::http::client::async_connect_coro

async_connect_coro connect error !! error: %s

bena::http::client::async_request_coro

bena::http::client::hanle_timeout

error_happened error: %s

bena::http::client::error_happened

Unsupported Media Type

HTTP Version not supported

HTTP/1.0

HTTP/1.1

https

ftpes

ftps

tftp

% ;?:@=&,$/-_!.~*()

System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}

%s\Connection

d:\bdzc\Basic\outputmt\binreleasemt\CheckerExe.pdb

KERNEL32.dll

RegEnumKeyExW

RegOpenKeyExW

RegCloseKey

ADVAPI32.dll

WS2_32.dll

WTSAPI32.dll

SHLWAPI.dll

PSAPI.DLL

WINMM.dll

GetProcessHeap

GetCPInfo

CreateIoCompletionPort

USER32.dll

SHELL32.dll

ole32.dll

VERSION.dll

NETAPI32.dll

GetConsoleOutputCP

GetWindowsDirectoryW

GetSystemWindowsDirectoryW

RegCreateKeyExW

RegDeleteKeyW

RegOpenKeyExA

zcÁ

.?AV?$Singleton@VCReportMgr@Report@@$00@@

.?AVCReportMgr@Report@@

.?AVCReportData@Report@@

.?AVIReportMgr@Report@@

.?AVIReportData@Report@@

.?AV?$sp_counted_impl_p@VTransportMgr@Report@@@detail@boost@@

.?AVCReportClient@Report@@

.?AV?$Thread@U?$BindMember0@VTransportMgr@Report@@P812@AEXPAX@Z@fund@@@fund@@

.?AV?$EnableIntrusive@VCReportResponseHandler@Report@@@@

.?AVCReportResponseHandler@Report@@

.?AVCReportNetComm@Report@@

.?AV?$enable_shared_from_this@Vclient@http@bena@@@boost@@

.?AVclient@http@bena@@

.?AVrequest@http@bena@@

.?AVheader@http@bena@@

.?AV?$bind_t@XV?$mf5@XVRpcClient@protocol@bena@@ABVresponse@http@3@Vconst_buffer@asio@boost@@IVerror_code@system@8@H@_mfi@boost@@V?$list6@V?$value@V?$shared_ptr@VRpcClient@protocol@bena@@@boost@@@_bi@boost@@U?$arg@$00@3@U?$arg@$01@3@U?$arg@$02@3@U?$arg@$03@3@V?$value@H@23@@_bi@3@@_bi@boost@@

.?AV?$service_base@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@

.?AV?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@

.?AV?$service_base@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@

.?AV?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@

.?AV?$sp_counted_impl_p@V?$vector@V?$basic_resolver_entry@Vtcp@ip@asio@boost@@@ip@asio@boost@@V?$allocator@V?$basic_resolver_entry@Vtcp@ip@asio@boost@@@ip@asio@boost@@@std@@@std@@@detail@boost@@

.?AV?$typeid_wrapper@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@

.?AV?$typeid_wrapper@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@

.?AVresponse@http@bena@@

1,2r2

42696@6_6

7*8084888<8

? ?$?(?,?0?4?~?

1 1$1(1,1

1 2<3R3t3

8 8$8(8,8084888

8%9x9

8 8$8(8,808

Firefox

Opera

Chrome

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

http\shell\open\command

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

explorer.exe

subkey(%d):

pkey(%d):

val(%d):

<--- Pack(%d) Begin--->

a<----Pack(%d) End--->

@CanReport

BanReportID

TransportMgr create

rpt.dat

TransportMgr CacheFileName=%s

DataReport::LoadPacketData Read %s failed, error=%u!

DataReport::LoadPacketData Read %s success, but the file is empty!

DataReport::LoadPacketData Read %s success, filesize = %u

DataReport::LoadPacketData Read %s success, get %d records!

pCReportNetComm create

uGlobal\{17ED6DA0-0902-461c-B763-F00FF209066B}

Global\{FA6FBBB1-8C8E-43b1-B8EC-35573A94C231}

Global\{599D3D74-AA1A-4473-A004-B724A8018505}

t%d.dat

bbservice.exe

UtilsDll.dll

%u.%u.%u.%u

---COMPOUDDOC---pStream->Stat error %x

---COMPOUDDOC---pStream->Write error %x

---COMPOUDDOC---pStream->SetSize error %x

APack addr=%p split_value=%d uid=%I64u

Init SoftParam local_ver=%d g_ver=%d

Init AccountParam local_ver=%d g_ver=%d

InitRequestPortoHeader sig_len=%d split_value=%d uid=%I64u

InitRequestPortoHeader Clear AccountParam

Update AccountParam local_ver=%d g_ver=%d

UpdateAccountParam sig_len=%d split_value=%d uid=%I64u

UpdateSoftParam local_ver=%d g_ver=%d

~RpcClient request_times=%d timeout_times=%d internal_req_times=%d

tRpcClient request_times=%d

AsyncRpcRequest serviceID=%d msgType=%d seq=%d

HandleRecv UnpackOK !! serviceID=%d msgType=%d seq=%d error=%d transfer_costtime=%d

HandleRecv Unpack Error !! serviceID=%d error=%d

HandleRecv CallBack !! serviceID=%d msgType=%d seq=%d error=%d callback_costtime=%d

eHandleRecv CallBack !! serviceID=%d msgType=%d error=%d callback_costtime=%d

tRpcClient timeout_times=%d

client internal_req_times=%d

close_for_destruct session=%d

close session=%d

async_request_coro send request !! seqno=%d

\StringFileInfo\xx\FileVersion

Kernel32.dll

Software\Microsoft\Windows NT\CurrentVersion\Time Zones\

Software\Microsoft\Windows NT\CurrentVersion\ProfileList\

Software\Microsoft\Windows NT\CurrentVersion\Print\

Software\Microsoft\Windows NT\CurrentVersion\Ports\

Software\Microsoft\Windows NT\CurrentVersion\Perflib\

Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\

Software\Microsoft\Windows NT\CurrentVersion\Language Pack\

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Software\Microsoft\Windows NT\CurrentVersion\Gre_Initialize\

Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\

Software\Microsoft\Windows NT\CurrentVersion\Fonts\

Software\Microsoft\Windows NT\CurrentVersion\FontMapper\

Software\Microsoft\Windows NT\CurrentVersion\FontLink\

Software\Microsoft\Windows NT\CurrentVersion\FontDpi\

Software\Microsoft\Windows NT\CurrentVersion\Console\

Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\

Software\Microsoft\Windows\CurrentVersion\Setup\

Software\Microsoft\Windows\CurrentVersion\PreviewHandlers\

Software\Microsoft\Windows\CurrentVersion\Policies\

Software\Microsoft\Windows\CurrentVersion\Group Policy\

Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap\

Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\

Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\

Software\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes\

Software\Microsoft\Windows\CurrentVersion\App Paths\

Software\Microsoft\SystemCertificates\

Software\Microsoft\EnterpriseCertificates\

system32\winlogon.exe

\Global.db

iphlpapi.dll

C\\.\PhysicalDrive%d

\\.\Scsi%d:

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerExe.exe

%Documents and Settings%\All Users\Application Data\Baidu\bbservice\Config\

1, 1, 0, 2

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1308
Baidu.exe:968
Baidu.exe:1836
Baidu.exe:2540
Baidu.exe:3220
YouQian_Setup.exe:1488
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDTTN6HH\7gj1[1] (991986 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F6HGJOR7\7b1[1] (353734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDTTN6HH\Baidu_Setup_1.6.200.359_ftn_1050103060[1].exe (688653 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F6HGJOR7\2k[1] (205033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EDTTN6HH\uc1[1] (984448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%WinDir%\Temp\baidu\youqian\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦\process.cfg (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa2.tmp (284894 bytes)
%WinDir%\Temp\baidu\youqian\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦\YouQian_Setup.exe (25112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%WinDir%\Temp\baidu\youqian\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦.ini (1607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\BDMSkin.dll (37727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\InstallHelper.dll (26688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%WinDir%\Temp\baidu\youqian\Ã¦Â¡Å’Ã©ÂÂ¢Ã§â„¢Â¾Ã¥ÂºÂ¦\132.exe (172202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq3.tmp\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_x.png (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm5.tmp (447624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\349.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Base.dll (77808 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\Software.pb (9984 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall-1.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\arrow.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\Utils.dll (23296 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\haze.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\executor.xml (233 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\login\login.html (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-logo57x65.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\InstallHelper.dll (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Update.dll (11040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F6HGJOR7\bdzc_Setup_2.0.3.124[1].dll (18424 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-left.png (130 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\PluginSetup.xml (654 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\msgconfig.pb (142 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\icon_xinwen.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-right.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\msvcr100.dll (25824 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\foggy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\login_mods.js (14 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sleet.png (741 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\enter.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\pack.bat (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\weixinUI.xml (345 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\request.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-storm.png (926 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download-hover.png (985 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\app-error.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\uninst.exe (18640 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks_z.png (7 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-rain.png (864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\BDWebDownload.dll (7192 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\executor.xml (310 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\icon_gupiao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sandstorm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\PluginSetup.xml (625 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo57x65.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\crash.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\overcast.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\shower.png (817 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\icon_yinyue.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.woff (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-google.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\mod.js (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\foggy.png (663 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_m.png (124 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\kuaidi.png (312 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\res_jietu.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dust.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\res_weixin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\default-icon.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dy.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\Base.dll (38904 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Protocol.dll (24048 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcr100.dll (51648 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\executor.xml (172 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\advance.png (377 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\44.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\icon_bianqian.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\344.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\respond.min.js (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_m.png (925 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe (13168 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-circle-loading.gif (9 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder.png (276 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\404.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\vedio_play.png (465 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\res_yinyue.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\main.js (1552 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuDll.dll (3312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AssociateWnd.rdb (1568 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\UIHandler.dll (120372 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-loading.gif (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\banner.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\gupiaoUI.xml (336 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-unchecked.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search-large.png (408 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\history_mods.js (6360 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower-with-hail.png (946 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-ala.png (561 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuUI.xml (347 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Update.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\layout.css (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\settings_mods.js (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\DD_belatedPNG_0.0.8a-min.js (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-left.png (194 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianUI.xml (346 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search.png (382 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\qq.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-rain.png (963 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\executor.xml (241 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\screensnapshot.exe (20624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\shower.png (481 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\super-ajax.js (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download.png (991 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\xinwenUI.xml (342 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUI.xml (382 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\box-shadow.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\res_resou.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-close.png (170 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\366.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-flurry.png (479 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PluginMgr.dll (49664 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LogicMisc.dll (140990 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-textbox.png (588 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcp100.dll (28368 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-alert-ok.png (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\png8-ex.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\resouUI.xml (340 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\aladdin.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\auto_complete\top_site.db (10128 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox-active.png (893 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history.css (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-left.png (249 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\map.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\executor.xml (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\msvcp100.dll (14184 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\yinyueUI.xml (358 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-iconall-1.png (197 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\gz.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-ui-1.10.4.custom.min.js (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\login-success.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\res\js\common.js (990 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login.css (7 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\res_xinwen.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\1px.png (947 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\363.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo_blank.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\music_play.png (155 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sunny.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\PluginSetup.xml (622 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings.css (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-right.png (259 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-center.png (143 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general-png8.png (841 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\res_bianqian.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\skinres.rdb (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\new.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-1.11.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\gray1px.png (918 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download-hover.png (177 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall.gif (94 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\json2.js (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\privacy.png (296 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ice-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PWidgetAppCommonBase.dll (14384 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\rpt.dat (222 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login_z.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\MsgPush.dll (31072 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\iframe_loading.gif (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\input.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\favicon.ico (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-unchecked.png (361 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\testIO.exe (784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\AppHTMLXinWen.xml (442 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Setting.rdb (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\icon_jietu.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\appBlackList.dat (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\executor.xml (234 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BDSearchBar.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\bookmarks.html (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\global.js (8184 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-checked.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-newtab.png (197 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\1.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxinNotify.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\general.png (379 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\cloudy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-taobao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\input.png (214 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUINotify.xml (412 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\unknown.png (480 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\vedio_play.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.eot (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-right.png (202 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\arrow-png8.png (260 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Utils.dll (46592 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-png8.png (292 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks.css (9 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general.png (866 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-checked.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\reset.css (826 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dust.png (812 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserCore.dll (67072 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\ie-fix.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxinNotify.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\ice-rain.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\bookmarks_mods.js (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu.png (367 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\arrow.png (203 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sf.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading.png (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\executor.xml (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sc_tmp.dll.bdtmp (18424 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Report.dll (7232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\365.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-snow.png (992 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\icon-tree-search-ie8.png (15 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CommonWorker.dll (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\343.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\unknown.png (851 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading-large.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\368.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages.css (7 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sleet.png (436 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog-close.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\gz.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserFrame.dll (67494 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo25x29.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\qxdh20140619.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AppContainer.rdb (10 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\cloudy.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\Report.dll (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\duststorm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-new.png (977 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower-with-hail.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\skinres.rdb (23424 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\app-reload.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\LocalPluginInfo.xml (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox.png (893 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\DetectVm.dll (4784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-flurry.png (847 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-hover-png8.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\AppHTMLReSou.xml (438 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\Protocol.dll (12024 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\icon_weixin.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\storm.png (815 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDMSkin.dll (60928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mb_setup.log (2575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\BDMSkin.dll (30464 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Download.dll (4784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\music_play.png (960 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe (11040 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\GlobalPluginInfo.xml (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-fail.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery.color-2.1.2.min.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\AppHTMLGuPiao.xml (440 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\new.png (232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-rain.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxin.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianDll.dll (16 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BrowserNotify.rdb (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\bdb_scheme.dat (1484 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-refresh.png (215 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\executor.xml (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr6.tmp\res\InstallWnd.zip (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.svg (4992 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu1.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\AppHTMLXiaoXi.xml (440 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-tooltip-png8.png (329 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower.png (898 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\CommonRes.rdb (74736 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\duststorm.png (811 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\enter.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db (20 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_g.png (968 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\atl100.dll (10128 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\347.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download.png (177 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\dataReport.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack.css (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerProxy.dll (10128 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\icon_resou.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\head-star-png8.png (450 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDClientProxy.dll (45104 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\overcast.png (680 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ala.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.ttf (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sunny.png (856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-foward.png (156 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-snow.png (918 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings_z.png (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-center.png (122 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\res_gupiao.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_g.png (248 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Heartbeat.dll (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\ssl-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-login-success.png (824 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-back.png (154 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\kuaidi.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe (24048 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sand.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\settings\user_setting.db (24 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db-journal (512 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130895171752697500.dat (314 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\stock.pb (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerExe.exe (63735 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db (284596 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db.bak (10 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db-journal (5454 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\novel.pb (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\settings\default_setting.db (24 bytes)
%Documents and Settings%\%current user%\Desktop\Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ã§â„¢Â¾Ã¥ÂºÂ¦\Ã¥ÂÂ¸Ã¨Â½Â½Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Ã§â„¢Â¾Ã¥ÂºÂ¦\Ã§â„¢Â¾Ã¥ÂºÂ¦.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"BaiduClient" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe -noclient"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan.Win32.FlyStudio_fb19d72726

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan.Win32.FlyStudio_fb19d72726

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet