Trojan.Win32.Swrort.3_07090b5ab6
Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 07090b5ab626578737333d3365cc2bc7
SHA1: 2891e6ef0e542f81ead844ac185d506f6a248ecf
SHA256: 718ffaa619fa1955cda12aefa3d3867bbf47f8893430259855b5f26422e50f20
SSDeep: 12288:OylTYa2MrcGK20CrDoxcuA mnyUbfDNEglcTI7:pTYa2kZracn mnVv6sMI7
Size: 770800 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-08-29 10:57:57
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
lsl.exe:2740
lsl.exe:1596
lsl.exe:956
SoftUpd.exe:3052
clock32.exe:3528
%original file name%.exe:440
Power.exe:2020
luoshen.exe:3732
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process lsl.exe:1596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\洛神历\卸载洛神历.lnk (924 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\洛神历\在线升级.lnk (929 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\洛神历\官方网站.url (208 bytes)
%Program Files%\luoshenli\uninst.exe (245 bytes)
%Program Files%\luoshenli\SoftUpd.exe (823 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\洛神历\洛神历.lnk (905 bytes)
%Program Files%\luoshenli\官方网站.url (208 bytes)
The process lsl.exe:956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\luoshenli\SoftApp.ini (5166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip2city[1].htm (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TempRilibiao.xml (981 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\core[1].js (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\z_stat[1].js (1081 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\z_stat[1].js (1081 bytes)
%Program Files%\luoshenli\clock32.exe (770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016103020161031\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\27GJJPJ3.txt (391 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\service_log.txt (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\info_configex[1].xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\core[1].js (764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4QMV1WTE.txt (131 bytes)
%Program Files%\luoshenli\Vstart32.dll (81 bytes)
%Program Files%\luoshenli\Config.ini (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\lsl_active[1].htm (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\netipaddress.json (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.xml (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NetPublicIp.html (211 bytes)
%Program Files%\luoshenli\Power.exe (237 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\all_active[1].htm (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\luoshen[1].xml (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\switch_config[1].xml (981 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\InfoOnServerConf.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\getIpInfo[1].htm (277 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\InfoOnServerConf.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TempRilibiao.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\luoshen[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4QMV1WTE.txt (0 bytes)
The process SoftUpd.exe:3052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\luoshenli\Config.ini (34 bytes)
The process clock32.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\luoshenli\Clock32.dll (225 bytes)
The process %original file name%.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.xml (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\luoshen.gif (2335208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\luoshen[1].gif (2297671 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\luoshen[1].xml (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\luoshen.exe (616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ver.xml (433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ver[1].xml (433 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ver.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\luoshen.exe (0 bytes)
The process luoshen.exe:3732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\luoshenli\SoftApp.ini (172 bytes)
%Program Files%\luoshenli\mini\RiliPlugin.dll (68229 bytes)
%Program Files%\luoshenli\Vstart64.dll (12088 bytes)
%Program Files%\luoshenli\online_c.html (504 bytes)
%Program Files%\luoshenli\Clock32.dll (8184 bytes)
%Program Files%\luoshenli\mini\DuiLib32.dll (27504 bytes)
%Program Files%\luoshenli\Data\2014JieQi.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn99B1.tmp\System.dll (23 bytes)
%Program Files%\luoshenli\clock32.exe (25776 bytes)
%Program Files%\luoshenli\Data\index.html (298 bytes)
%Program Files%\luoshenli\Data\2014.xml (1 bytes)
%Program Files%\luoshenli\clock64.exe (32784 bytes)
%Program Files%\luoshenli\Vstart32.dll (2392 bytes)
%Program Files%\luoshenli\uninst.exe (8560 bytes)
%Program Files%\luoshenli\Data\HuangLi.mdb (230044 bytes)
%Program Files%\luoshenli\lsl.exe (109287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn99B0.tmp (391209 bytes)
%Program Files%\luoshenli\Data\2013JieQi.xml (1 bytes)
%Program Files%\luoshenli\SoftUpd.exe (27704 bytes)
%Program Files%\luoshenli\Vstart64.exe (15 bytes)
%Program Files%\luoshenli\mini\RiliMini.exe (15168 bytes)
%Program Files%\luoshenli\Data\2013.xml (1 bytes)
%Program Files%\luoshenli\Data\UserNoteText.xml (132 bytes)
%Program Files%\luoshenli\Power.exe (8560 bytes)
%Program Files%\luoshenli\Clock64.dll (10136 bytes)
%Program Files%\luoshenli\DuiLib32.dll (15536 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsy99A0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn99B1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn99B1.tmp\System.dll (0 bytes)
Registry activity
The process lsl.exe:2740 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To run automatically each time Windows boots, the Trojan adds the following value, pointing to its file, to the registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rlbRunByWindowsStart" = "%Program Files%\luoshenli\lsl.exe RunDateByStartAuto"
The process lsl.exe:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\lsl_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016103020161031]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\lsl_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016103020161031]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\lsl_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016103020161031]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016103020161031"
[HKLM\SOFTWARE\Microsoft\Tracing\lsl_RASMANCS]
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\lsl_RASAPI32]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016103020161031]
"CachePrefix" = ":2016103020161031:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016103020161031]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Tracing\lsl_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\lsl_RASAPI32]
"EnableConsoleTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process %original file name%.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\07090b5ab626578737333d3365cc2bc7_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process Power.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process luoshen.exe:3732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lsl.exe]
"Path" = "%Program Files%\luoshenli"
"(Default)" = "%Program Files%\luoshenli\lsl.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 3994511b9d1bd19d0e983d49bae0b8c2 | c:\Program Files\luoshenli\Clock32.dll |
| 3aa875ecbc3ab3025f2df8f5e80a7749 | c:\Program Files\luoshenli\Clock64.dll |
| 06843b3b6156c8436eba9aa19b34d6a2 | c:\Program Files\luoshenli\DuiLib32.dll |
| 72630d226ddad1dac7fb70b8f5cd52e8 | c:\Program Files\luoshenli\Power.exe |
| bb70c2f2cea313613a36c73c19d658cd | c:\Program Files\luoshenli\SoftUpd.exe |
| 7440416713ecfe7c8a12dd84dcae3fc8 | c:\Program Files\luoshenli\Vstart32.dll |
| 6fbc99b67435fdf486232100a7f0230c | c:\Program Files\luoshenli\Vstart64.dll |
| 74517684204c6d88cae0fa2dec23bf9d | c:\Program Files\luoshenli\Vstart64.exe |
| 1f34437d6f33934937e07f9bcdbbfe28 | c:\Program Files\luoshenli\clock32.exe |
| e63587ebf0b483115be60d9ec765264f | c:\Program Files\luoshenli\clock64.exe |
| 1809e4b0534de0f066f220dab1d2e32a | c:\Program Files\luoshenli\lsl.exe |
| 375ec8a492029b1714b797ffb25235b3 | c:\Program Files\luoshenli\mini\DuiLib32.dll |
| 7112439e0c3ae87ea3313705260040af | c:\Program Files\luoshenli\mini\RiliMini.exe |
| af932078e533e8d7e607897fb866c8ed | c:\Program Files\luoshenli\mini\RiliPlugin.dll |
| f78ddb8917462a47d4ea25a872da7b47 | c:\Program Files\luoshenli\uninst.exe |
| 45eb1a232d6fac031c52049ab4e74272 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\luoshen[1].gif |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ????
Product Version: 1, 2, 2, 0
Legal Copyright: (C)????????
Legal Trademarks:
Original Filename: SoftUpd.exe
Internal Name: SoftUpd
File Version: 1, 2, 2, 0
File Description: ??????
Comments:
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 480742 | 483328 | 4.56969 | e3be9d485e928e5052d45d183c90bd77 |
| .rdata | 487424 | 204430 | 204800 | 3.93662 | e8360635974aa65bce4ecccfb92a6cb9 |
| .data | 692224 | 36412 | 20480 | 2.57572 | 777dd28abb508d9409a68582a19cd1d1 |
| .rsrc | 729088 | 46304 | 49152 | 5.15982 | ff920a4600699f0a5542d77a1e91fc21 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://c01.i07.rpnic.lv3.cloudglb.com/update/luoshen.xml | |
| hxxp://mnslb.dns-vip.net/luoshen/ver.xml | |
| hxxp://c01.i07.rpnic.lv3.cloudglb.com/update/luoshen.gif | |
| hxxp://mylocal.xdwscache.ourwebpic.com/shichangbu/lsl_active.html | |
| hxxp://mylocal.xdwscache.ourwebpic.com/shichangbu/all_active.html | |
| hxxp://statistics.haharili.com/weatherapi | |
| hxxp://all.cnzz.com.danuoyi.tbcache.com/z_stat.php?id=1253415983&web_id=1253415983 | |
| hxxp://all.cnzz.com.danuoyi.tbcache.com/z_stat.php?id=1253458909&web_id=1253458909 | |
| hxxp://z.gds.cnzz.com/stat.htm?id=1253415983&r=&lg=en-us&ntime=none&cnzz_eid=2107318454-1477833061-&showp=1276x846&t=&h=1&rnd=486769921 | |
| hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1253415983&t=z | |
| hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1253458909&t=z | |
| hxxp://z.gds.cnzz.com/stat.htm?id=1253458909&r=&lg=en-us&ntime=none&cnzz_eid=752107317-1477837921-&showp=1276x846&t=&h=1&rnd=1987988124 | |
| hxxp://statistic.haharili.com/weatherapi | |
| hxxp://statistic.haharili.com/weatherapi/ | |
| hxxp://c01.i07.rpnic.lv3.cloudglb.com/xml/switch_config.xml | |
| hxxp://110.tc.sp.cdntip.com/ip2city.asp | |
| hxxp://ip.taobao.com/service/getIpInfo.php?ip=182.239.98.205 | |
| hxxp://c01.i07.rpnic.lv3.cloudglb.com/xml/info_configex.xml | |
| hxxp://down.wannianli365.com/update/luoshen.xml | |
| hxxp://update.wannianli365.com/luoshen/ver.xml | |
| hxxp://z10.cnzz.com/stat.htm?id=1253458909&r=&lg=en-us&ntime=none&cnzz_eid=752107317-1477837921-&showp=1276x846&t=&h=1&rnd=1987988124 | |
| hxxp://s6.cnzz.com/z_stat.php?id=1253415983&web_id=1253415983 | |
| hxxp://z6.cnzz.com/stat.htm?id=1253415983&r=&lg=en-us&ntime=none&cnzz_eid=2107318454-1477833061-&showp=1276x846&t=&h=1&rnd=486769921 | |
| hxxp://city.ip138.com/ip2city.asp | |
| hxxp://downcdn1.shgaoxin.net/shichangbu/all_active.html | |
| hxxp://s6.cnzz.com/z_stat.php?id=1253458909&web_id=1253458909 | |
| hxxp://downcdn1.shgaoxin.net/shichangbu/lsl_active.html | |
| hxxp://c.cnzz.com/core.php?web_id=1253458909&t=z | |
| hxxp://c.cnzz.com/core.php?web_id=1253415983&t=z | |
| hxxp://xiazai.rilibiao.com.cn/xml/info_configex.xml | |
| hxxp://xiazai.rilibiao.com.cn/xml/switch_config.xml | |
| hxxp://down.wannianli365.com/update/luoshen.gif | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY Internal Host Getting External IP Address - ip2city.asp
Traffic
GET /shichangbu/all_active.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: downcdn1.shgaoxin.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 30 Oct 2016 09:48:15 GMT
Content-Type: text/html
Last-Modified: Wed, 15 Oct 2014 06:33:46 GMT
Accept-Ranges: bytes
ETag: "081b2f841e8cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 107
Age: 17097
X-Via: 1.1 zhshx16:8105 (Cdn Cache Server V2.0), 1.1 jqzh233:0 (Cdn Cache Server V2.0)
Connection: keep-alive

<script src="hXXp://s6.cnzz.com/z_stat.php?id=1253415983&web_id=1253415983" language="JavaScript"></script>
GET /z_stat.php?id=1253415983&web_id=1253415983 HTTP/1.1
Accept: */*
Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/all_active.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s6.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 9941
Connection: keep-alive
Date: Sun, 30 Oct 2016 13:11:01 GMT
Last-Modified: Sun, 30 Oct 2016 13:11:01 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache31.l2nu16-1[33,200-0,M], cache49.l2nu16-1[34,0], kunlun3.cn102[0,200-0,H], kunlun4.cn102[0,0]
Age: 4932
X-Cache: HIT TCP_MEM_HIT dirn:9:361869057
X-Swift-SaveTime: Sun, 30 Oct 2016 13:11:01 GMT
X-Swift-CacheTime: 5400
Timing-Allow-Origin: *
EagleId: ddcce28414778379932798581e
<<< skipped >>>
GET /service/getIpInfo.php?ip=182.239.98.205 HTTP/1.1
User-Agent: lsl
Host: ip.taobao.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 30 Oct 2016 14:33:20 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.6

115
{"code":0,"data":{"country":"\u9999\u6e2f","country_id":"HK","area":"","area_id":"","region":"\u9999\u6e2f\u7279\u522b\u884c\u653f\u533a","region_id":"HK_01","city":"","city_id":"","county":"","county_id":"","isp":"Hurricane Electric","isp_id":"2000206","ip":"182.239.98.205"}}
0
GET /z_stat.php?id=1253458909&web_id=1253458909 HTTP/1.1
Accept: */*
Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/lsl_active.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s6.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 9942
Connection: keep-alive
Date: Sun, 30 Oct 2016 14:32:01 GMT
Last-Modified: Sun, 30 Oct 2016 14:32:01 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache16.l2nu16-1[0,200-0,H], cache60.l2nu16-1[0,0], kunlun1.cn102[0,200-0,H], kunlun1.cn102[0,0]
Age: 72
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Sun, 30 Oct 2016 14:32:26 GMT
X-Swift-CacheTime: 5375
Timing-Allow-Origin: *
EagleId: ddcce28114778379932817395e
<<< skipped >>>
GET /luoshen/ver.xml HTTP/1.1
User-Agent: DownFileSession
Host: update.wannianli365.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 17 Sep 2015 10:10:07 GMT
Accept-Ranges: bytes
ETag: "80a92f731f1d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 30 Oct 2016 14:32:31 GMT
Content-Length: 433

<?xml version="1.0" encoding="UTF-8" ?>
<TheConfigure version="1.0">
  <AppUpdate>
    <NewVer>1.2</NewVer>
    <NewMinVer>3.1</NewMinVer>
    <Exe>hXXp://down.wannianli365.com/update/luoshen.gif</Exe>
    <UpdLog>
      <![CDATA[\r\n]]>
    </UpdLog>
  </AppUpdate>
  <UpdateSet>
    <IsLimitSpeed>0</IsLimitSpeed>
    <UpdateSpeed>1024</UpdateSpeed>
    <IntervalTime>10</IntervalTime>
  </UpdateSet>
</TheConfigure>
<<< skipped >>>
GET /stat.htm?id=1253415983&r=&lg=en-us&ntime=none&cnzz_eid=2107318454-1477833061-&showp=1276x846&t=&h=1&rnd=486769921 HTTP/1.1
Accept: */*
Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/all_active.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: z6.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 30 Oct 2016 14:33:14 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Thu, 16 Apr 2015 02:22:33 GMT
Connection: close
Accept-Ranges: bytes
GET /core.php?web_id=1253458909&t=z HTTP/1.1
Accept: */*
Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/lsl_active.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 764
Connection: keep-alive
Date: Sun, 30 Oct 2016 14:26:16 GMT
Last-Modified: Sun, 30 Oct 2016 14:26:16 GMT
Expires: Sun, 30 Oct 2016 14:41:16 GMT
Via: cache7.l2nu16-1[33,200-0,M], cache13.l2nu16-1[34,0], kunlun3.cn102[0,200-0,H], kunlun9.cn102[0,0]
Age: 418
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Sun, 30 Oct 2016 14:26:16 GMT
X-Swift-CacheTime: 900
Timing-Allow-Origin: *
EagleId: ddcce28914778379944291254e
<<< skipped >>>
GET /update/luoshen.xml HTTP/1.1
User-Agent: DownFileSession
Host: down.wannianli365.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 30 Oct 2016 14:32:29 GMT
Content-Length: 248
Accept-Ranges: bytes
Content-Type: text/xml
Last-Modified: Mon, 21 Sep 2015 00:41:09 GMT
Connection: Keep-Alive
ETag: "80401356f4d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Fw-Cache-Status: hit
Fw-Via: DISK HIT from 42.236.6.162, Configured MISS from 42.236.6.165, DISK HIT from 125.39.5.36

<?xml version="1.0" encoding="UTF-8" ?>
<TheConfigure version="1.0">
  <AppUpdate>
    <NewVer>1.2</NewVer>
    <NewMinVer>3.1</NewMinVer>
    <Default>http://update.wannianli365.com/luoshen/ver.xml</Default>
  </AppUpdate>
</TheConfigure>
GET /update/luoshen.gif HTTP/1.1
User-Agent: DownFileSession
Host: down.wannianli365.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 30 Oct 2016 14:32:33 GMT
Content-Length: 4851736
Accept-Ranges: bytes
Content-Type: image/gif
Last-Modified: Thu, 17 Sep 2015 10:14:01 GMT
Connection: Keep-Alive
ETag: "803aa99231f1d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Fw-Cache-Status: hit
Fw-Via: DISK HIT from 42.236.6.163, Configured MISS from 42.236.6.165, DISK HIT from 125.39.5.36
[Response body omitted: binary data beginning with an MZ/PE header ("This program cannot be run in DOS mode")]
<<< skipped >>>
GET /weatherapi HTTP/1.1
Host: statistic.haharili.com
Accept: */*
HTTP/1.1 301 Moved Permanently
Date: Sun, 30 Oct 2016 14:33:16 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 164
Connection: keep-alive
Location: hXXp://statistic.haharili.com/weatherapi/
X-Powered-By: ASP.NET
<head><title>...............</title></head>
<body><h1>...............</h1>......<a HREF="http://statistic.haharili.com/weatherapi/">......</a>...............</body>
GET /weatherapi/ HTTP/1.1
Host: statistic.haharili.com
Accept: */*
HTTP/1.1 200 OK
Date: Sun, 30 Oct 2016 14:33:16 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 125
Connection: keep-alive
X-Powered-By: PHP/5.3.28
X-Powered-By: ASP.NET
{"ip":"194.242.96.218","city_name":"\u4e4c\u514b\u5170 CZ88.NET ","msg":"ip\u5730\u7406\u4f4d\u7f6e\u5224\u65ad\u5931\u8d25"}
GET /xml/switch_config.xml HTTP/1.1
User-Agent: lsl
Host: xiazai.rilibiao.com.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 30 Oct 2016 14:33:17 GMT
Content-Length: 981
Accept-Ranges: bytes
Content-Type: text/xml
Last-Modified: Thu, 20 Oct 2016 10:29:40 GMT
Connection: Keep-Alive
ETag: "0822bddbc2ad21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Fw-Cache-Status: hit
Fw-Via: DISK HIT from 42.236.6.164, Configured MISS from 42.236.6.162, DISK HIT from 123.147.166.36
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<Switchconfig>
  <EngineControl>
    <bUse>1</bUse>
  </EngineControl>
  <DeviceInfoControl>
    <bUse>1</bUse>
  </DeviceInfoControl>
  <DefaultLinkControl>
    <bUse>0</bUse>
  </DefaultLinkControl>
  <AdvertisingControl>
    <bUse>1</bUse>
    <bUseTime>1</bUseTime>
    <bInterval>25</bInterval>
    <bBrowserUseTime>960</bBrowserUseTime>
  </AdvertisingControl>
  <MiniControl>
    <bUse>1</bUse>
    <bUseTime>10</bUseTime>
    <bInterval>120</bInterval>
    <bBrowserUseTime>0</bBrowserUseTime>
  </MiniControl>
  <MiniExtra>
    <Enable>1</Enable>
  </MiniExtra>
  <BindOfFirstControl>
    <bUse>1</bUse>
    <bShowMoreBtn>0</bShowMoreBtn>
    <bUseTime>180</bUseTime>
  </BindOfFirstControl>
  <iCheckBtnControl>
    <iCheckIndex>4</iCheckIndex>
  </iCheckBtnControl>
  <VerControl>
    <VerNum>1.2.3.0</VerNum>
  </VerControl>
  <UrlLinkControl>
    <bUse>0</bUse>
    <iTime>30</iTime>
  </UrlLinkControl>
</Switchconfig>
<<< skipped >>>
GET /xml/info_configex.xml HTTP/1.1
User-Agent: lsl
Host: xiazai.rilibiao.com.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 30 Oct 2016 14:33:23 GMT
Content-Length: 2460
Accept-Ranges: bytes
Content-Type: text/xml
Last-Modified: Fri, 28 Oct 2016 10:36:51 GMT
Connection: Keep-Alive
ETag: "80e35e31731d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Fw-Cache-Status: hit
Fw-Via: DISK HIT from 42.236.6.165, Configured MISS from 42.236.6.164, DISK HIT from 123.147.166.36
<<< skipped >>>
GET /stat.htm?id=1253458909&r=&lg=en-us&ntime=none&cnzz_eid=752107317-1477837921-&showp=1276x846&t=&h=1&rnd=1987988124 HTTP/1.1
Accept: */*
Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/lsl_active.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: z10.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Date: Sun, 30 Oct 2016 14:33:14 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Thu, 16 Apr 2015 02:22:37 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET /weatherapi HTTP/1.1
Host: statistics.haharili.com
Accept: */*
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.4.1
Date: Sun, 30 Oct 2016 14:33:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
X-Powered-By: PHP/5.5.4
location: hXXp://statistic.haharili.com/weatherapi
0
GET /core.php?web_id=1253415983&t=z HTTP/1.1
Accept: */*
Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/all_active.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 763
Connection: keep-alive
Date: Sun, 30 Oct 2016 14:24:06 GMT
Last-Modified: Sun, 30 Oct 2016 14:24:06 GMT
Expires: Sun, 30 Oct 2016 14:39:06 GMT
Via: cache30.l2nu16-1[33,200-0,M], cache26.l2nu16-1[33,0], kunlun6.cn102[0,200-0,H], kunlun1.cn102[0,0]
Age: 548
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Sun, 30 Oct 2016 14:24:06 GMT
X-Swift-CacheTime: 900
Timing-Allow-Origin: *
EagleId: ddcce28114778379944254119e
<<< skipped >>>
GET /shichangbu/lsl_active.html HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: downcdn1.shgaoxin.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 30 Oct 2016 13:10:42 GMT
Content-Type: text/html
Last-Modified: Thu, 23 Oct 2014 06:15:42 GMT
Accept-Ranges: bytes
ETag: "03be3c588eecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 107
Age: 4950
X-Via: 1.1 zhshx17:88 (Cdn Cache Server V2.0), 1.1 jqzh233:1 (Cdn Cache Server V2.0)
Connection: keep-alive
<script src="hXXp://s6.cnzz.com/z_stat.php?id=1253458909&web_id=1253458909" language="JavaScript"></script>
GET /ip2city.asp HTTP/1.1
User-Agent: lsl
Host: city.ip138.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: NWS_SP
Connection: keep-alive
Date: Sun, 30 Oct 2016 14:33:18 GMT
Cache-Control: max-age=600
Expires: Sun, 30 Oct 2016 14:43:18 GMT
Last-Modified: Wed, 26 Oct 2016 02:30:00 GMT
Content-Type: text/html
Content-Length: 211
X-Cache-Lookup: Hit From MemCache
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=gb2312">
<title> ....IP.... </title>
</head>
<body style="margin:0px"><center>....IP........[182.239.98.205] </center></body></html>
GET /update/luoshen.xml HTTP/1.1
User-Agent: lsl
Host: down.wannianli365.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 30 Oct 2016 14:33:23 GMT
Content-Length: 248
Accept-Ranges: bytes
Content-Type: text/xml
Last-Modified: Mon, 21 Sep 2015 00:41:09 GMT
Connection: Keep-Alive
ETag: "80401356f4d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Fw-Cache-Status: hit
Fw-Via: DISK HIT from 42.236.6.162, Configured MISS from 42.236.6.165, DISK HIT from 125.39.5.36
<?xml version="1.0" encoding="UTF-8" ?>
<TheConfigure version="1.0">
  <AppUpdate>
    <NewVer>1.2</NewVer>
    <NewMinVer>3.1</NewMinVer>
    <Default>http://update.wannianli365.com/luoshen/ver.xml</Default>
  </AppUpdate>
</TheConfigure>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
<!--%s-->
standalone="%s"
encoding="%s"
version="%s"
X;
</%s>
%s='%s'
%s="%s"
monochrome
unsupported bit depth
CNotSupportedException
CHttpConnection
CHttpFile
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
CCmdTarget
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
kernel32.dll
operator
GetProcessWindowStation
USER32.DLL
hXXp://down.wannianli365.com/update/luoshen.xml
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection
121.40.152.197
qudaoadmin.3lsoft.com
hXXp://xiazai.rilibiao.com.cn/update/mobilephoneassist.gif
inflate 1.1.3 Copyright 1995-1998 Mark Adler
hXXp://confignew.3lsoft.com/rili/first.html
hXXp://xiazai.rilibiao.com.cn/update/skin.gif
hXXp://xiazai.rilibiao.com.cn/xml/rldata.xml
\Calendar\Bin\qingfengrili\SoftUpd.pdb
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCloseKey
RegOpenKeyExA
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
UrlUnescapeW
SHLWAPI.dll
GdiplusShutdown
gdiplus.dll
IPHLPAPI.DLL
WS2_32.dll
VERSION.dll
InternetCrackUrlW
InternetCanonicalizeUrlW
HttpQueryInfoW
HttpSendRequestW
HttpOpenRequestW
WININET.dll
OLEACC.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExW
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
WINSPOOL.DRV
COMDLG32.dll
SoftUpd.exe
??0CWebBrowserUI@DuiLib@@QAE@ABV01@@Z
??0CWebBrowserUI@DuiLib@@QAE@XZ
??1CWebBrowserUI@DuiLib@@UAE@XZ
??4CWebBrowserUI@DuiLib@@QAEAAV01@ABV01@@Z
??_7CWebBrowserUI@DuiLib@@6BCControlUI@1@@
??_7CWebBrowserUI@DuiLib@@6BIDispatch@@@
??_7CWebBrowserUI@DuiLib@@6BIDocHostUIHandler@@@
??_7CWebBrowserUI@DuiLib@@6BIMessageFilterUI@1@@
??_7CWebBrowserUI@DuiLib@@6BIOleCommandTarget@@@
??_7CWebBrowserUI@DuiLib@@6BIServiceProvider@@@
??_7CWebBrowserUI@DuiLib@@6BITranslateAccelerator@1@@
?AddRef@CWebBrowserUI@DuiLib@@UAGKXZ
?BeforeNavigate2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@1111AAPAF@Z
?CommandStateChange@CWebBrowserUI@DuiLib@@IAEXJF@Z
?DUI__TraceMsg@DuiLib@@YAPB_WI@Z
?DoCreateControl@CWebBrowserUI@DuiLib@@UAE_NXZ
?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z
?EnableModeless@CWebBrowserUI@DuiLib@@UAGJH@Z
?Exec@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KKPAUtagVARIANT@@1@Z
?FilterDataObject@CWebBrowserUI@DuiLib@@UAGJPAUIDataObject@@PAPAU3@@Z
?FindId@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_W@Z
?GetAutoURLDetect@CRichEditUI@DuiLib@@QBE_NXZ
?GetClass@CWebBrowserUI@DuiLib@@UBEPB_WXZ
?GetDropTarget@CWebBrowserUI@DuiLib@@UAGJPAUIDropTarget@@PAPAU3@@Z
?GetExternal@CWebBrowserUI@DuiLib@@UAGJPAPAUIDispatch@@@Z
?GetHomePage@CWebBrowserUI@DuiLib@@QAEPB_WXZ
?GetHostInfo@CWebBrowserUI@DuiLib@@UAGJPAU_DOCHOSTUIINFO@@@Z
?GetHtmlWindow@CWebBrowserUI@DuiLib@@QAEPAUIDispatch@@XZ
?GetIDsOfNames@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPA_WIKPAJ@Z
?GetInterface@CWebBrowserUI@DuiLib@@UAEPAXPB_W@Z
?GetMessageMap@CNotifyPump@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?GetOptionKeyPath@CWebBrowserUI@DuiLib@@UAGJPAPA_WK@Z
?GetPasswordChar@CEditUI@DuiLib@@QBE_WXZ
?GetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z
?GetTransShadow1@CLabelUI@DuiLib@@QAEHXZ
?GetTransShadow@CLabelUI@DuiLib@@QAEHXZ
?GetTypeInfo@CWebBrowserUI@DuiLib@@UAGJIKPAPAUITypeInfo@@@Z
?GetTypeInfoCount@CWebBrowserUI@DuiLib@@UAGJPAI@Z
?GetWebBrowser2@CWebBrowserUI@DuiLib@@QAEPAUIWebBrowser2@@XZ
?GetWindowStyls@CEditUI@DuiLib@@QBEHXZ
?GoBack@CWebBrowserUI@DuiLib@@QAEXXZ
?GoForward@CWebBrowserUI@DuiLib@@QAEXXZ
?HideUI@CWebBrowserUI@DuiLib@@UAGJXZ
?Invoke@CWebBrowserUI@DuiLib@@UAGJJABU_GUID@@KGPAUtagDISPPARAMS@@PAUtagVARIANT@@PAUtagEXCEPINFO@@PAI@Z
?InvokeMethod@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@2H@Z
?IsAutoNavigation@CWebBrowserUI@DuiLib@@QAE_NXZ
?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ
?IsPasswordMode@CEditUI@DuiLib@@QBE_NXZ
?IsShowHtml@CLabelUI@DuiLib@@QAE_NXZ
?IsShowHtml@CListHeaderItemUI@DuiLib@@QAE_NXZ
?IsShowUpdateRect@CPaintManagerUI@DuiLib@@QBE_NXZ
?Join@CDuiRect@DuiLib@@QAEXABUtagRECT@@@Z
?Navigate2@CWebBrowserUI@DuiLib@@QAEXPB_WPAUtagVARIANT@@@Z
?NavigateComplete2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@@Z
?NavigateError@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@11AAPAF@Z
?NavigateHomePage@CWebBrowserUI@DuiLib@@QAEXXZ
?NavigateUrl@CWebBrowserUI@DuiLib@@QAEXPB_W@Z
?NewWindow3@CWebBrowserUI@DuiLib@@IAEXPAPAUIDispatch@@AAPAFKPA_W2@Z
?OnDocWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?OnDocumentCompleted@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@PAUtagVARIANT@@@Z
?OnFrameWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z
?ProgressChange@CWebBrowserUI@DuiLib@@IAEXJJ@Z
?QueryInterface@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPAX@Z
?QueryService@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@0PAPAX@Z
?QueryStatus@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KQAU_tagOLECMD@@PAU_tagOLECMDTEXT@@@Z
?Refresh2@CWebBrowserUI@DuiLib@@QAEXH@Z
?Refresh@CWebBrowserUI@DuiLib@@QAEXXZ
?RegisterEventHandler@CWebBrowserUI@DuiLib@@IAEJH@Z
?Release@CWebBrowserUI@DuiLib@@UAGKXZ
?ReleaseControl@CWebBrowserUI@DuiLib@@MAEXXZ
?ResizeBorder@CWebBrowserUI@DuiLib@@UAGJPBUtagRECT@@PAUIOleInPlaceUIWindow@@H@Z
?ResponseDefaultKeyEvent@WindowImplBase@DuiLib@@IAEJI@Z
?SetAttribute@CWebBrowserUI@DuiLib@@MAEXPB_W0@Z
?SetAutoNavigation@CWebBrowserUI@DuiLib@@QAEX_N@Z
?SetAutoURLDetect@CRichEditUI@DuiLib@@QAE_N_N@Z
?SetHomePage@CWebBrowserUI@DuiLib@@QAEXPB_W@Z
?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z
?SetPasswordChar@CEditUI@DuiLib@@QAEX_W@Z
?SetPasswordMode@CEditUI@DuiLib@@QAEX_N@Z
?SetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z
?SetTransShadow1@CLabelUI@DuiLib@@QAEXH@Z
?SetTransShadow@CLabelUI@DuiLib@@QAEXH@Z
?SetWebBrowserEventHandler@CWebBrowserUI@DuiLib@@QAEXPAVCWebBrowserEventHandler@2@@Z
?ShowContextMenu@CWebBrowserUI@DuiLib@@UAGJKPAUtagPOINT@@PAUIUnknown@@PAUIDispatch@@@Z
?ShowUI@CWebBrowserUI@DuiLib@@UAGJKPAUIOleInPlaceActiveObject@@PAUIOleCommandTarget@@PAUIOleInPlaceFrame@@PAUIOleInPlaceUIWindow@@@Z
?TranslateAcceleratorW@CPaintManagerUI@DuiLib@@QAE_NPAUtagMSG@@@Z
?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAEJPAUtagMSG@@@Z
?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAGJPAUtagMSG@@PBU_GUID@@K@Z
?TranslateMessage@CPaintManagerUI@DuiLib@@SA_NQAUtagMSG@@@Z
?TranslateUrl@CWebBrowserUI@DuiLib@@UAGJKPA_WPAPA_W@Z
?UpdateUI@CWebBrowserUI@DuiLib@@UAGJXZ
?_GetBaseMessageMap@CNotifyPump@DuiLib@@KGPBUDUI_MSGMAP@2@XZ
?_GetBaseMessageMap@WindowImplBase@DuiLib@@KGPBUDUI_MSGMAP@2@XZ
?_messageEntries@CNotifyPump@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B
?_messageEntries@WindowImplBase@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B
?messageMap@CNotifyPump@DuiLib@@1UDUI_MSGMAP@2@B
?messageMap@WindowImplBase@DuiLib@@1UDUI_MSGMAP@2@B
.?AVCWebBrowserUI@DuiLib@@
.?AVCActiveXEnum@DuiLib@@
#*1892 $
%,3:;4-&
.PAVCOleException@@
.PAVCObject@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AVCCmdTarget@@
.PAVCFileException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCException@@
progress_fore.png
ShowBind.xml
ui_bind_frame.xml
ui_hide_bind.xml]P
ui_show_bind.xml
UIPrompt.xml
.xmlup
jo.QH
CRT_5
check2.png
check3.png
close.png
Font.xml
HideBind.xml
huojian.png
.rvmQ
logo.png
main_button.png
main_frame.xml
jF\%SYn#c
.nZ\y
main_frameN.xml
minmize.png
ui_hide_bind.xml
.xmlPK
<assemblyIdentity name="Microsoft.Windows.Common-Controls" version="6.0.0.0" type="win32" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
<!-- Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" /><!-- Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" /><!-- Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" /><!-- Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><!-- Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /><windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">false</dpiAware>
</windowsSettings>
transshadow1
transshadow
dest='%d,%d,%d,%d'
keyboard
User32.dll
msimg32.dll
J0xX
WM_SYSKEYUP
WM_SYSKEYDOWN
WM_KEYUP
WM_KEYDOWN
password
dest='%d,%d,%d,%d' source='%d,%d,%d,%d'
msftedit.dll
M-d-d
WebBrowserUI
WebBrowser
errorUrl
source='%d,%d,%d,%d' dest='%d,%d,%d,%d'
hXXp://
BWININET.DLL
DHTTP/1.0
Dcomctl32.dll
Dcomdlg32.dll
%s (%s:%d)
accKeyboardShortcut
commctrl_DragListMsg
guangsu_website4
guangsu_website
SoftApp.ini
%sSoftApp.ini
normalimage="file='check2.png' source='0,0,13,13'" selectedimage="file='check2.png' source='0,13,13,26'"
normalimage="file='check2.png' source='26,0,39,13'" selectedimage="file='check2.png' source='26,13,39,26'"
normalimage="file='check2.png' source='39,0,52,13'" selectedimage="file='check2.png' source='39,13,52,26'"
normalimage="file='check2.png' source='13,0,26,13'" selectedimage="file='check2.png' source='13,13,26,26'"
%s.%s
"%s" /S /D=%s
Ver%s.%s
Ver%s
update.xml
%sVstart32.dll
hXXp://hao.360.cn/?src=lm&ls=n174f9ef193
name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check2.png' source='0,0,13,13'" selectedimage="file='check2.png' source='0,13,13,26'"
name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check2.png' source='26,0,39,13'" selectedimage="file='check2.png' source='26,13,39,26'"
name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check2.png' source='39,0,52,13'" selectedimage="file='check2.png' source='39,13,52,26'"
name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check2.png' source='13,0,26,13'" selectedimage="file='check2.png' source='13,13,26,26'"
hXXp://downcdn1.shgaoxin.net/shichangbu/xyb/tuijian_tj.html
\uninstall.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
Riched20.dll
IosMobilePhoneAssist.exe
mobilephoneassist.zip
%sConfig.ini
lRiliFirstBindData.ini
gaoxin.qingfengrili
RiliSkin.zip
skin.zip
RiliDingTui.xml
lTempRiLiData.zip
%s%s%s
0000000000
00000000000
c:\%original file name%.exe
1, 2, 2, 0
lsl.exe_956:
.text
`.rdata
@.data
.rsrc
%[^,],%[^,]
UrlLinkControl
refUrl
url%d
LockUrl
hXXp://down.wannianli365.com/update/luoshen.xml
RegDeleteKeyExW
rundll32.exe shell32.dll, Control_RunDLL Timedate.cpl, 0
?456789:;<=
!"#$%&'()* ,-./0123
img%d
weather%d
wind%d
temp%d
monochrome
unsupported bit depth
CCmdTarget
CNotSupportedException
hhctrl.ocx
CHttpConnection
CHttpFile
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
GetProcessWindowStation
USER32.DLL
operator
CPPSQLITE_ERROR
SQLITE_DONE
SQLITE_ROW
SQLITE_RANGE
SQLITE_FORMAT
SQLITE_AUTH
SQLITE_NOLFS
SQLITE_MISUSE
SQLITE_MISMATCH
SQLITE_CONSTRAINT
SQLITE_TOOBIG
SQLITE_SCHEMA
SQLITE_EMPTY
SQLITE_PROTOCOL
SQLITE_CANTOPEN
SQLITE_FULL
SQLITE_NOTFOUND
SQLITE_CORRUPT
SQLITE_IOERR
SQLITE_INTERRUPT
SQLITE_READONLY
SQLITE_NOMEM
SQLITE_LOCKED
SQLITE_BUSY
SQLITE_ABORT
SQLITE_PERM
SQLITE_INTERNAL
SQLITE_ERROR
SQLITE_OK
%s[%d]: %s
.jpeg
.html
--%s--
couldn't open file "%s"
Content-Type: %s
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
Could not resolve %s: %s; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
%s:%d
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol %s not supported or disabled in libcurl
<url> malformed
:]://%[^
[^:]:%[^
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
Re-using existing connection! (#%ld) with host %s
%s://%s
Connection #%ld to host %s left intact
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
No URL set!
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Issue another request to this URL: '%s'
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
WARNING: failed to save cookies in %s
[%s %s %s]
Send failure: %s
Recv failure: %s
bind failed with errno %d: %s
Local port: %hu
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Name '%s' family %i resolved to '%s' family %i
Local Interface %s is ip %s using address family %i
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: weird server reply
SearchProtocolHost.exe_3796:
clock32.exe_3528:
SearchFilterHost.exe_2528:
SoftUpd.exe_3052:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
lsl.exe:2740
lsl.exe:1596
lsl.exe:956
SoftUpd.exe:3052
clock32.exe:3528
%original file name%.exe:440
Power.exe:2020
luoshen.exe:3732
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\洛神历\卸载洛神历.lnk (924 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\洛神历\在线升级.lnk (929 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\洛神历\官方网站.url (208 bytes)
%Program Files%\luoshenli\uninst.exe (245 bytes)
%Program Files%\luoshenli\SoftUpd.exe (823 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\洛神历\洛神历.lnk (905 bytes)
%Program Files%\luoshenli\官方网站.url (208 bytes)
%Program Files%\luoshenli\SoftApp.ini (5166 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip2city[1].htm (211 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TempRilibiao.xml (981 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\core[1].js (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\z_stat[1].js (1081 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\z_stat[1].js (1081 bytes)
%Program Files%\luoshenli\clock32.exe (770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016103020161031\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\27GJJPJ3.txt (391 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\service_log.txt (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\info_configex[1].xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\core[1].js (764 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\4QMV1WTE.txt (131 bytes)
%Program Files%\luoshenli\Vstart32.dll (81 bytes)
%Program Files%\luoshenli\Config.ini (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\lsl_active[1].htm (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\netipaddress.json (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.xml (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NetPublicIp.html (211 bytes)
%Program Files%\luoshenli\Power.exe (237 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\all_active[1].htm (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\luoshen[1].xml (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\switch_config[1].xml (981 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\InfoOnServerConf.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\getIpInfo[1].htm (277 bytes)
%Program Files%\luoshenli\Clock32.dll (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\luoshen.gif (2335208 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\luoshen[1].gif (2297671 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\luoshen[1].xml (248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\luoshen.exe (616 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ver.xml (433 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ver[1].xml (433 bytes)
%Program Files%\luoshenli\mini\RiliPlugin.dll (68229 bytes)
%Program Files%\luoshenli\Vstart64.dll (12088 bytes)
%Program Files%\luoshenli\online_c.html (504 bytes)
%Program Files%\luoshenli\mini\DuiLib32.dll (27504 bytes)
%Program Files%\luoshenli\Data\2014JieQi.xml (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn99B1.tmp\System.dll (23 bytes)
%Program Files%\luoshenli\Data\index.html (298 bytes)
%Program Files%\luoshenli\Data\2014.xml (1 bytes)
%Program Files%\luoshenli\clock64.exe (32784 bytes)
%Program Files%\luoshenli\Data\HuangLi.mdb (230044 bytes)
%Program Files%\luoshenli\lsl.exe (109287 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn99B0.tmp (391209 bytes)
%Program Files%\luoshenli\Data\2013JieQi.xml (1 bytes)
%Program Files%\luoshenli\Vstart64.exe (15 bytes)
%Program Files%\luoshenli\mini\RiliMini.exe (15168 bytes)
%Program Files%\luoshenli\Data\2013.xml (1 bytes)
%Program Files%\luoshenli\Data\UserNoteText.xml (132 bytes)
%Program Files%\luoshenli\Clock64.dll (10136 bytes)
%Program Files%\luoshenli\DuiLib32.dll (15536 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rlbRunByWindowsStart" = "%Program Files%\luoshenli\lsl.exe RunDateByStartAuto"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.