MD5: 92b1c35d97a72be51093cf9100f163ce
SHA1: ce0f9a8eefe654fd35c6aaf682a98804b7adb774
SHA256: ac048e37c720d49c4d5343d3e4be3819a0d9bd1f8430db6cb3f471166137ac9c
SSDeep: 12288:8DHScI/LodxL8kwooXt6SZSzIIkaj0xRtDlDstmzxOyZrLe4m:s0Lm8kXoXt6S4zSjplemzxOytet
Size: 818328 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company:
Created at: 2014-10-14 12:30:43
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

shanhu.exe:3088
%original file name%.exe:1504
SoftUpd.exe:2292
clock32.exe:2960
Power.exe:544
shrl.exe:3012
shrl.exe:3700
shrl.exe:1844

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process shanhu.exe:3088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\shanhurili\Data\2013.xml (1 bytes)
%Program Files%\shanhurili\Vstart64.dll (12088 bytes)
%Program Files%\shanhurili\shrl.exe (108732 bytes)
%Program Files%\shanhurili\mini\RiliPlugin.dll (68229 bytes)
%Program Files%\shanhurili\mini\DuiLib32.dll (27504 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsgE9E3.tmp (398927 bytes)
%Program Files%\shanhurili\Data\2013JieQi.xml (1 bytes)
%Program Files%\shanhurili\clock32.exe (25776 bytes)
%Program Files%\shanhurili\online_c.html (505 bytes)
%Program Files%\shanhurili\uninst.exe (8560 bytes)
%Program Files%\shanhurili\mini\RiliMini.exe (15168 bytes)
%Program Files%\shanhurili\Vstart32.dll (2392 bytes)
%Program Files%\shanhurili\Data\UserNoteText.xml (132 bytes)
%Program Files%\shanhurili\Clock64.dll (10136 bytes)
%Program Files%\shanhurili\Clock32.dll (8184 bytes)
%Program Files%\shanhurili\DuiLib32.dll (15536 bytes)
%Program Files%\shanhurili\Data\2014JieQi.xml (1 bytes)
%Program Files%\shanhurili\Data\HuangLi.mdb (230044 bytes)
%Program Files%\shanhurili\Power.exe (8560 bytes)
%Program Files%\shanhurili\SoftApp.ini (172 bytes)
%Program Files%\shanhurili\SoftUpd.exe (29256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsgE9E4.tmp\System.dll (23 bytes)
%Program Files%\shanhurili\clock64.exe (32784 bytes)
%Program Files%\shanhurili\Vstart64.exe (15 bytes)
%Program Files%\shanhurili\Data\index.html (942 bytes)
%Program Files%\shanhurili\Data\2014.xml (1 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsgE9E4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrE9D3.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsgE9E4.tmp\System.dll (0 bytes)

The process %original file name%.exe:1504 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.xml (251 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ver[1].xml (432 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\shanhu[1].xml (251 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\shanhu.exe (246 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ver.xml (432 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\shanhu[1].gif (2287525 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\shanhu.gif (2324213 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ver.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\shanhu.exe (0 bytes)

The process SoftUpd.exe:2292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\shanhurili\Config.ini (34 bytes)

The process clock32.exe:2960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\shanhurili\Clock32.dll (225 bytes)

The process shrl.exe:3012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\shanhurili\官方网站.url (208 bytes)
%Program Files%\shanhurili\SoftUpd.exe (868 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\珊瑚日历\官方网站.url (208 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\珊瑚日历\在线升级.lnk (934 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\珊瑚日历\卸载珊瑚日历.lnk (929 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\珊瑚日历\珊瑚日历.lnk (917 bytes)
%Program Files%\shanhurili\uninst.exe (245 bytes)

The process shrl.exe:1844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.xml (251 bytes)
%Program Files%\shanhurili\SoftApp.ini (4870 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UEF8VFST.txt (143 bytes)
%Program Files%\shanhurili\Vstart32.dll (81 bytes)
%Program Files%\shanhurili\Power.exe (237 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\core[1].js (763 bytes)
%Program Files%\shanhurili\Config.ini (86 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TempRilibiao.xml (972 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\all_active[1].htm (107 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\MRT6UDH9.txt (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\switch_config[1].xml (972 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\InfoOnServerConf.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2LLHQZ9Q.txt (92 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\shanhu[2].xml (251 bytes)
%Program Files%\shanhurili\clock32.exe (770 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\app[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\info_configex[1].xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\service_log.txt (154 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7UG6M58V.txt (130 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\z_stat[1].js (2473 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\InfoOnServerConf.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\shanhu[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TempRilibiao.xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\app[1].gif (0 bytes)

Registry activity

The process shanhu.exe:3088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\shrl.exe]
"(Default)" = "%Program Files%\shanhurili\shrl.exe"
"Path" = "%Program Files%\shanhurili"

The process %original file name%.exe:1504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\92b1c35d97a72be51093cf9100f163ce_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\92b1c35d97a72be51093cf9100f163ce_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\92b1c35d97a72be51093cf9100f163ce_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\92b1c35d97a72be51093cf9100f163ce_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\92b1c35d97a72be51093cf9100f163ce_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\92b1c35d97a72be51093cf9100f163ce_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\92b1c35d97a72be51093cf9100f163ce_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\92b1c35d97a72be51093cf9100f163ce_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process Power.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process shrl.exe:3700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"rlbRunByWindowsStart" = "%Program Files%\shanhurili\shrl.exe RunDateByStartAuto"

The process shrl.exe:1844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\shrl_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\shrl_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\shrl_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\shrl_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\shrl_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"

"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: SoftUpd ????
Product Version: 1, 0, 1, 0
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: SoftUpd.exe
Internal Name: SoftUpd
File Version: 1, 0, 1, 0
File Description: SoftUpd ????
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://c01.i07.rpnic.lv3.cloudglb.com/update/shanhu.xml
hxxp://mnslb.dns-vip.net/shanhurili/ver.xml
hxxp://c01.i07.rpnic.lv3.cloudglb.com/update/shanhu.gif
hxxp://aly.ys.dns-vip.net/rili/config.html
hxxp://statistics.haharili.com/weatherapi	180.150.178.118
hxxp://mylocal.xdwscache.ourwebpic.com/shichangbu/shrl_active.html
hxxp://mylocal.xdwscache.ourwebpic.com/shichangbu/all_active.html
hxxp://all.cnzz.com.danuoyi.tbcache.com/z_stat.php?id=1253415983&web_id=1253415983
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1253415983&t=z
hxxp://z.gds.cnzz.com/stat.htm?id=1253415983&r=&lg=en-us&ntime=none&cnzz_eid=563808717-1509387585-&showp=1276x846&t=&umuuid=15f6e830961386-04096be55c7da84-44703d1f-1078c8-15f6e8309622dc&h=1&rnd=650969394
hxxp://statistic.haharili.com/weatherapi	120.26.151.215
hxxp://statistic.haharili.com/weatherapi/	120.26.151.215
hxxp://gm.gds.mmstat.com/9.gif?abc=1&rnd=597896237
hxxp://pcookie.gds.taobao.com/app.gif?&cna=Ult EgIofW8CAcLyYNpiybtj
hxxp://c01.i07.rpnic.lv3.cloudglb.com/xml/switch_config.xml
hxxp://c01.i07.rpnic.lv3.cloudglb.com/xml/info_configex.xml
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=597896237	106.11.249.202
hxxp://xiazai.rilibiao.com.cn/xml/info_configex.xml	123.147.166.36
hxxp://down.wannianli365.com/update/shanhu.gif	123.147.166.36
hxxp://confignew.3lsoft.com/rili/config.html	121.40.77.49
hxxp://xiazai.rilibiao.com.cn/xml/switch_config.xml	123.147.166.36
hxxp://downcdn1.shgaoxin.net/shichangbu/all_active.html	180.97.244.193
hxxp://z6.cnzz.com/stat.htm?id=1253415983&r=&lg=en-us&ntime=none&cnzz_eid=563808717-1509387585-&showp=1276x846&t=&umuuid=15f6e830961386-04096be55c7da84-44703d1f-1078c8-15f6e8309622dc&h=1&rnd=650969394	1.122.192.15
hxxp://pcookie.cnzz.com/app.gif?&cna=Ult EgIofW8CAcLyYNpiybtj	106.11.92.6
hxxp://s6.cnzz.com/z_stat.php?id=1253415983&web_id=1253415983	1.99.192.15
hxxp://update.wannianli365.com/shanhurili/ver.xml	115.29.200.128
hxxp://down.wannianli365.com/update/shanhu.xml	123.147.166.36
hxxp://c.cnzz.com/core.php?web_id=1253415983&t=z	222.186.49.224
hxxp://downcdn1.shgaoxin.net/shichangbu/shrl_active.html	180.97.244.193
city.ip138.com	211.103.147.6

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /rili/config.html HTTP/1.1

User-Agent: DownFileSession

Host: confignew.3lsoft.com

Cache-Control: no-cache

HTTP/1.1 404 Not Found

Content-Type: text/html

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 30 Oct 2017 18:19:58 GMT

Content-Length: 1163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=gb2312"/>..<title>404 - ..
................</title>..<style type="text/css">..<!--
..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, 
sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} .
.h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0
;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;
} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family
:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#55
5555;}..#content{margin:0 0 0 2%;position:relative;}...content-contain
er{background:#FFF;width:96%;margin-top:8px;padding:10px;position:rela
tive;}..-->..</style>..</head>..<body>..<div i
d="header"><h1>..........</h1></div>..<div id=
"content">.. <div class="content-container"><fieldset>.
.  <h2>404 - ..................</h2>..  <h3>........
..............................................</h3>.. </field
set></div>..</div>..</body>..</html>....

GET /update/shanhu.xml HTTP/1.1

User-Agent: shrl

Host: down.wannianli365.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 30 Oct 2017 18:20:07 GMT

Content-Length: 251

Accept-Ranges: bytes

Content-Type: text/xml

Last-Modified: Mon, 21 Sep 2015 00:41:09 GMT

Connection: Keep-Alive

ETag: "80401356f4d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Fw-Cache-Status: hit

Fw-Via: DISK HIT from 218.58.225.35, Configured MISS from 218.58.225.37, DISK HIT from 123.147.166.36
<?xml version="1.0" encoding="UTF-8" ?>..<TheConfigure versio
n="1.0">..  <AppUpdate>..    <NewVer>1.2</NewVer>
..    <NewMinVer>3.1</NewMinVer>..    <Default>http:
//update.wannianli365.com/shanhurili/ver.xml</Default>..  </A
ppUpdate>..</TheConfigure>..HTTP/1.1 200 OK..Date: Mon, 30 Oc
t 2017 18:20:07 GMT..Content-Length: 251..Accept-Ranges: bytes..Conten
t-Type: text/xml..Last-Modified: Mon, 21 Sep 2015 00:41:09 GMT..Connec
tion: Keep-Alive..ETag: "80401356f4d01:0"..Server: Microsoft-IIS/7.5..
X-Powered-By: ASP.NET..Fw-Cache-Status: hit..Fw-Via: DISK HIT from 218
.58.225.35, Configured MISS from 218.58.225.37, DISK HIT from 123.147.
166.36..<?xml version="1.0" encoding="UTF-8" ?>..<TheConfigur
e version="1.0">..  <AppUpdate>..    <NewVer>1.2</Ne
wVer>..    <NewMinVer>3.1</NewMinVer>..    <Default&
gt;hXXp://update.wannianli365.com/shanhurili/ver.xml</Default>..
  </AppUpdate>..</TheConfigure>....

GET /weatherapi HTTP/1.1

Host: statistic.haharili.com

Accept: */*

HTTP/1.1 301 Moved Permanently

Date: Mon, 30 Oct 2017 18:20:02 GMT

Content-Type: text/html; charset=UTF-8

Content-Length: 164

Connection: keep-alive

Location: hXXp://statistic.haharili.com/weatherapi/

X-Powered-By: ASP.NET
<head><title>...............</title></head>.&l
t;body><h1>...............</h1>......<a HREF="http:/
/statistic.haharili.com/weatherapi/">......</a>..............
.</body>....


GET /weatherapi/ HTTP/1.1

Host: statistic.haharili.com

Accept: */*

HTTP/1.1 200 OK

Date: Mon, 30 Oct 2017 18:20:02 GMT

Content-Type: application/json; charset=utf-8

Content-Length: 125

Connection: keep-alive

X-Powered-By: PHP/5.3.28

X-Powered-By: ASP.NET
{"ip":"194.242.96.218","city_name":"\u4e4c\u514b\u5170 CZ88.NET ","msg
":"ip\u5730\u7406\u4f4d\u7f6e\u5224\u65ad\u5931\u8d25"}..

GET /xml/switch_config.xml HTTP/1.1

User-Agent: shrl

Host: xiazai.rilibiao.com.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 30 Oct 2017 18:20:04 GMT

Content-Length: 972

Accept-Ranges: bytes

Content-Type: text/xml

Last-Modified: Tue, 06 Jun 2017 03:27:16 GMT

Connection: Keep-Alive

ETag: "0c290cb74ded21:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Fw-Cache-Status: hit

Fw-Via: DISK HIT from 123.133.84.40, Configured MISS from 123.133.84.36, DISK HIT from 123.147.166.36
<?xml version="1.0" encoding="utf-8" standalone="yes" ?>..<Sw
itchconfig>...<EngineControl>....<bUse>0</bUse>..
.</EngineControl>...<DeviceInfoControl>....<bUse>1&l
t;/bUse>...</DeviceInfoControl>...<DefaultLinkControl>.
...<bUse>0</bUse>...</DefaultLinkControl>...<Adve
rtisingControl>....<bUse>1</bUse>....<bUseTime>1&
lt;/bUseTime>....<bInterval>25</bInterval>....<bBrow
serUseTime>960</bBrowserUseTime>...</AdvertisingControl>
;...<MiniControl>....<bUse>1</bUse>....<bUseTime&
gt;10</bUseTime>....<bInterval>120</bInterval>....&l
t;bBrowserUseTime>0</bBrowserUseTime>...</MiniControl>.
..<MiniExtra>....<Enable>0</Enable>...</MiniExtra
>...<BindOfFirstControl>....<bUse>1</bUse>....<
;bShowMoreBtn>0</bShowMoreBtn>....<bUseTime>180</bUs
eTime>...</BindOfFirstControl>...<iCheckBtnControl>....
<iCheckIndex>4</iCheckIndex>...</iCheckBtnControl>..
.<VerControl>....<VerNum>1.2.3.0</VerNum>...</Ver
Control>...<UrlLinkControl>....<bUse>0</bUse>....
<iTime>30</iTime>...</UrlLinkControl>..</Switchco
nfig>HTTP/1.1 200 OK..Date: Mon, 30 Oct 2017 18:20:04 GMT..Content-
Length: 972..Accept-Ranges: bytes..Content-Type: text/xml..Last-Modifi
ed: Tue, 06 Jun 2017 03:27:16 GMT..Connection: Keep-Alive..ETag: "
<<< skipped >>>

GET /xml/info_configex.xml HTTP/1.1

User-Agent: shrl

Host: xiazai.rilibiao.com.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 30 Oct 2017 18:20:07 GMT

Content-Length: 2368

Accept-Ranges: bytes

Content-Type: text/xml

Last-Modified: Wed, 18 Oct 2017 10:25:07 GMT

Connection: Keep-Alive

ETag: "8043665efb47d31:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Fw-Cache-Status: hit

Fw-Via: DISK HIT from 123.133.84.36, Configured MISS from 123.133.84.38, DISK HIT from 123.147.166.36
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiIHN0YW5kYWxvbmU9Inllcy
IgPz4KPEluZm9jb25maWc Cgk8RGVmYXVsdExpbms CgkJPHVybCBtYXg9IjEwMDAwMDAi
IHR5cGU9IjAiIG1hc2s9IuWMl S6rCIgcmVmPSIiPmh0dHA6Ly93d3cuaXFpeWkuY29tL3
ZfMTlycjhzYXl3by5odG1sPC91cmw CgkJPG1heD4xMDAwMDAwPC9tYXg CgkJPHJlZlVy
bD48L3JlZlVybD4KCTwvRGVmYXVsdExpbms Cgk8QWR2ZXJ0aXNpbmc CgkJPHBsaXN0Pk
ZRRURIQjhORlZZV0VBSlVPeHdUQ0RJR0JoUUtFZ0lLSUJ3RExrUkdBZ0FXUkRBUkFRMFVF
QklhREZZV0VBSlVGZ2tVQVFBWUhsWVdFQUpVSkRzaUFBTUVDQW9XR2trZEN3MUxNUU04Q0
JjZlJnSUFGa1FVRlFBR0RoNFZSZ0lBRmtRb0tCWU5ERllXRUFJPTwvcGxpc3Q CgkJPHJs
aXN0PkpBRUpLQkFKRnpFZEd4TlVKQUVWSFFBQUJnb1k8L3JsaXN0PgoJCTx1cmw aHR0cD
ovL2Rvd24uc2hnMjAuY29tL3NoaWNoYW5nYnUveHliL2V0ZTA3MjEuaHRtbDwvdXJsPgoJ
CTx1cmxleD5odHRwOi8vZG93bi5zaGcyMC5jb20vc2hpY2hhbmdidS94eWIvZXRlMDcyMS
5odG1sPC91cmxleD4KCQk8d2lkdGg MzAwPC93aWR0aD4KCQk8aGVpZ2h0PjI1MDwvaGVp
Z2h0PgoJCTxyZWZVcmw aHR0cDovL3d3dy5iYWlkdS5jb20vPC9yZWZVcmw Cgk8L0Fkdm
VydGlzaW5nPgoJPFNob3J0Q3V0PgoJCTxzY2FkZHIxPmh0dHA6Ly9oYW8uMzYwLmNuLz9z
cmM9bG0mbHM9bjY4ZmM0Y2VhOWI8L3NjYWRkcjE CgkJPHNjYWRkcjI aHR0cDovL2hhby
4zNjAuY24vP3NyYz1sbSZscz1uMWU2YjczNjg5Nzwvc2NhZGRyMj4KCTwvU2hvcnRDdXQ 
Cgk8TWluaUNvbnRyb2w CgkJPHVybD5odHRwOi8vbWluaS5lYXN0ZGF5LmNvbS9yaWxpYm
lhby9p..
<<< skipped >>>

GET /core.php?web_id=1253415983&t=z HTTP/1.1

Accept: */*

Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/all_active.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: c.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/javascript

Content-Length: 763

Connection: keep-alive

Date: Mon, 30 Oct 2017 18:13:12 GMT

Last-Modified: Mon, 30 Oct 2017 18:13:12 GMT

Expires: Mon, 30 Oct 2017 18:28:12 GMT

Via: cache17.l2et15[71,200-0,M], cache4.l2et15[72,0], kunlun10.cn74[0,200-0,H], kunlun4.cn74[0,0]

Age: 409

X-Cache: HIT TCP_MEM_HIT dirn:-2:-2 mlen:-1

X-Swift-SaveTime: Mon, 30 Oct 2017 18:13:12 GMT

X-Swift-CacheTime: 900

Timing-Allow-Origin: *

EagleId: deba319d15093876019014574e
!function(){var p,q,r,a=encodeURIComponent,b="1253415983",c="",d="",e=
"online_v3.php",f="z6.cnzz.com",g="1",h="text",i="z",j="站໳
1;统计",k=window["_CNZZDbridge_" b]["bobject"],l="http:",m
="0",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=
" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&
k["callRequest"]([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k["cr
eateScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/websit
e.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnz
z.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'
><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="
<a href='" q "' target=_blank title='" j "'>" j "</a>",k["
createIcon"]([p])))}();HTTP/1.1 200 OK..Server: Tengine..Content-Type:
 application/javascript..Content-Length: 763..Connection: keep-alive..
Date: Mon, 30 Oct 2017 18:13:12 GMT..Last-Modified: Mon, 30 Oct 2017 1
8:13:12 GMT..Expires: Mon, 30 Oct 2017 18:28:12 GMT..Via: cache17.l2et
15[71,200-0,M], cache4.l2et15[72,0], kunlun10.cn74[0,200-0,H], kunlun4
.cn74[0,0]..Age: 409..X-Cache: HIT TCP_MEM_HIT dirn:-2:-2 mlen:-1..X-S
wift-SaveTime: Mon, 30 Oct 2017 18:13:12 GMT..X-Swift-CacheTime: 900..
Timing-Allow-Origin: *..EagleId: deba319d15093876019014574e..!function
(){var p,q,r,a=encodeURIComponent,b="1253415983",c="",d="",e="online_v
3.php",f="z6.cnzz.com",g="1",h="text",i="z",j="站长统
;计",k=window["_CNZZDbridge_" b]["bobject"],l="http:",m="0",
<<< skipped >>>

GET /9.gif?abc=1&rnd=597896237 HTTP/1.1

Accept: */*

Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/all_active.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: cnzz.mmstat.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Date: Mon, 30 Oct 2017 18:20:02 GMT

Content-Type: image/gif

Content-Length: 43

Connection: close

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=Ult EgIofW8CAcLyYNpiybtj; expires=Thu, 28-Oct-27 18:20:02 GMT; path=/; domain=.mmstat.com

Set-Cookie: sca=9e372e51; path=/; domain=.cnzz.mmstat.com

Set-Cookie: atpsida=3618fe5f4d7d93606aafeb40_1509387602_1; path=/; domain=.cnzz.mmstat.com

Location: hXXp://pcookie.cnzz.com/app.gif?&cna=Ult EgIofW8CAcLyYNpiybtj

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache
GIF89a.............!.......,...........L..;..

GET /weatherapi HTTP/1.1

Host: statistics.haharili.com

Accept: */*

HTTP/1.1 302 Moved Temporarily

Server: nginx/1.4.1

Date: Mon, 30 Oct 2017 18:19:58 GMT

Content-Type: text/html

Transfer-Encoding: chunked

X-Powered-By: PHP/5.5.4

location: hXXp://statistic.haharili.com/weatherapi
0..HTTP/1.1 302 Moved Temporarily..Server: nginx/1.4.1..Date: Mon, 30 
Oct 2017 18:19:58 GMT..Content-Type: text/html..Transfer-Encoding: chu
nked..X-Powered-By: PHP/5.5.4..location: hXXp://statistic.haharili.com
/weatherapi..0..

GET /stat.htm?id=1253415983&r=&lg=en-us&ntime=none&cnzz_eid=563808717-1509387585-&showp=1276x846&t=&umuuid=15f6e830961386-04096be55c7da84-44703d1f-1078c8-15f6e8309622dc&h=1&rnd=650969394 HTTP/1.1

Accept: */*

Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/all_active.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: z6.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Date: Mon, 30 Oct 2017 18:20:01 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: close

Vary: Accept-Encoding

Content-Encoding: gzip
16................G..y......0..

GET /shanhurili/ver.xml HTTP/1.1

User-Agent: DownFileSession

Host: update.wannianli365.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/xml

Last-Modified: Thu, 17 Sep 2015 10:12:57 GMT

Accept-Ranges: bytes

ETag: "809a836c31f1d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Mon, 30 Oct 2017 18:19:25 GMT

Content-Length: 432
<?xml version="1.0" encoding="UTF-8" ?>..<TheConfigure versio
n="1.0">..  <AppUpdate>..    <NewVer>1.2</NewVer>
..    <NewMinVer>3.1</NewMinVer>..    <Exe>hXXp://do
wn.wannianli365.com/update/shanhu.gif</Exe>..    <UpdLog>.
.      <![CDATA[\r\n]]>..    </UpdLog>..  </AppUpdate&g
t;..  <UpdateSet>..    <IsLimitSpeed>0</IsLimitSpeed>
;..    <UpdateSpeed>1024</UpdateSpeed>..    <IntervalTi
me>10</IntervalTime>..  </UpdateSet>..</TheConfigure
>HTTP/1.1 200 OK..Content-Type: text/xml..Last-Modified: Thu, 17 Se
p 2015 10:12:57 GMT..Accept-Ranges: bytes..ETag: "809a836c31f1d01:0"..
Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Date: Mon, 30 Oct 20
17 18:19:25 GMT..Content-Length: 432..<?xml version="1.0" encoding=
"UTF-8" ?>..<TheConfigure version="1.0">..  <AppUpdate>
..    <NewVer>1.2</NewVer>..    <NewMinVer>3.1</N
ewMinVer>..    <Exe>hXXp://down.wannianli365.com/update/shanh
u.gif</Exe>..    <UpdLog>..      <![CDATA[\r\n]]>.. 
   </UpdLog>..  </AppUpdate>..  <UpdateSet>..    <
;IsLimitSpeed>0</IsLimitSpeed>..    <UpdateSpeed>1024&l
t;/UpdateSpeed>..    <IntervalTime>10</IntervalTime>.. 
 </UpdateSet>..</TheConfigure>..
<<< skipped >>>

GET /update/shanhu.xml HTTP/1.1

User-Agent: DownFileSession

Host: down.wannianli365.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 30 Oct 2017 18:19:22 GMT

Content-Length: 251

Accept-Ranges: bytes

Content-Type: text/xml

Last-Modified: Mon, 21 Sep 2015 00:41:09 GMT

Connection: Keep-Alive

ETag: "80401356f4d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Fw-Cache-Status: hit

Fw-Via: DISK HIT from 218.58.225.35, Configured MISS from 218.58.225.37, DISK HIT from 123.147.166.36
<?xml version="1.0" encoding="UTF-8" ?>..<TheConfigure versio
n="1.0">..  <AppUpdate>..    <NewVer>1.2</NewVer>
..    <NewMinVer>3.1</NewMinVer>..    <Default>http:
//update.wannianli365.com/shanhurili/ver.xml</Default>..  </A
ppUpdate>..</TheConfigure>......


GET /update/shanhu.gif HTTP/1.1

User-Agent: DownFileSession

Host: down.wannianli365.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 30 Oct 2017 18:19:25 GMT

Content-Length: 4839856

Accept-Ranges: bytes

Content-Type: image/gif

Last-Modified: Thu, 17 Sep 2015 10:14:47 GMT

Connection: Keep-Alive

ETag: "804514ae31f1d01:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Fw-Cache-Status: hit

Fw-Via: DISK HIT from 123.133.84.38, Configured MISS from 123.133.84.91, LRefresh MISS from 123.147.166.36
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<.yex..6x
..6x..6_Pz6{..6_Pl6i..6x..6...6q..6s..6q..6y..6q..6y..6Richx..6.......
.........PE..L...f..T.................\...........3.......p....@......
............................?J.....................................pv.
......0...h............I..............................................
................p...............................text...N[.......\.....
............. ..`.rdata..\....p.......`..............@..@.data........
........v..............@....ndata.......0...........................rs
rc....h...0...j...x..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
..... C..H.P.u..u..u...Hr@..K...SV.5. C.W.E.P.u...Lr@..e...E..E.P.u...
Pr@..}..e....Dp@........FR..VV..U... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...Hp@..E..P.E..E.
P.u...Tr@..u....E..9}...n....~X.te.v4..Lp@..E...tU.}.j.W.E......E.....
..Pp@..vXW..Tp@..u..5Xp@.W..h ....E..E.Pj.h..C.W..Xr@..u.W...u....E.P.
u...\r@._^3.[.....L$... C...i......T.....tUVW.q.3.;5. C.sD..i......D..
S.....t.G.....t...O..t .....u...3....3...F.....;5. C.r.[_^...U..QQ
<<< skipped >>>

GET /z_stat.php?id=1253415983&web_id=1253415983 HTTP/1.1

Accept: */*

Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/all_active.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: s6.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/javascript

Content-Length: 10987

Connection: keep-alive

Date: Mon, 30 Oct 2017 18:19:45 GMT

Last-Modified: Mon, 30 Oct 2017 18:19:45 GMT

Cache-Control: max-age=5400,s-maxage=5400

Via: cache4.l2et15[54,200-0,M], cache12.l2et15[55,0], kunlun7.cn250[0,200-0,H], kunlun2.cn250[1,0]

Age: 15

X-Cache: HIT TCP_MEM_HIT dirn:-2:-2 mlen:-1

X-Swift-SaveTime: Mon, 30 Oct 2017 18:19:45 GMT

X-Swift-CacheTime: 5400

Timing-Allow-Origin: *

EagleId: 7ae44a8915093876006833551e
(function(){function k(){this.c="1253415983";this.ca="z";this.Z="";thi
s.W="";this.Y="";this.C="1509387585";this.aa="z6.cnzz.com";this.X="";t
his.G="CNZZDATA" this.c;this.F="_CNZZDbridge_" this.c;this.P="_cnzz_CV
" this.c;this.R="CZ_UUID" this.c;this.L="UM_distinctid";this.H="0";thi
s.K={};this.a={};this.Aa()}function g(a,.b){try{var c=[];c.push("sitei
d=1253415983");c.push("name=" f(a.name));c.push("msg=" f(a.message));c
.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.push("a
gent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" Math
.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.c
om/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=encodeUR
IComponent,m=decodeURIComponent,r=unescape;k.prototype={Aa:function(){
try{this.ja(),this.V(),this.wa(),this.T(),this.za(),.this.w(),this.ua(
),this.ta(),this.xa(),this.o(),this.sa(),this.va(),this.ya(),this.qa()
,this.oa(),this.ra(),this.Ea(),e[this.F]=e[this.F]||{},this.pa("_cnzz_
CV")}catch(a){g(a,"i failed")}},Ca:function(){try{var a=this;e._czc={p
ush:function(){return a.M.apply(a,arguments)}}}catch(b){g(b,"oP failed
")}},oa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.
call(a))for(var b=0;b<a.length;b  ){var c=a[b];switch(c[0]){case "_
setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?.
c[1]:String(c[1]);break;case "_setAutoPageview":"boolean"===typeof c[1
]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},Ea:function
(){try{if("undefined"===typeof e._cz_account||e._cz_account===this
<<< skipped >>>

GET /app.gif?&cna=Ult EgIofW8CAcLyYNpiybtj HTTP/1.1

Accept: */*

Referer: hXXp://downcdn1.shgaoxin.net/shichangbu/all_active.html

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Connection: Keep-Alive

Host: pcookie.cnzz.com

HTTP/1.1 200 OK

Date: Mon, 30 Oct 2017 18:20:03 GMT

Content-Type: image/gif

Content-Length: 43

Connection: close

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=Ult EgIofW8CAcLyYNpiybtj; expires=Thu, 28-Oct-27 18:20:03 GMT; path=/; domain=.cnzz.com

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache
GIF89a.............!.......,...........L..;..

GET /shichangbu/shrl_active.html HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: downcdn1.shgaoxin.net

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Date: Mon, 30 Oct 2017 18:19:59 GMT

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 5122

X-Via: 1.1 zhshx18:8 (Cdn Cache Server V2.0), 1.1 nxiazai54:7 (Cdn Cache Server V2.0)

Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> .<html xmlns="hXXp://
VVV.w3.org/1999/xhtml"> .<head> .<title>IIS 7.5 .......
..... - 404.0 - Not Found</title> .<style type="text/css">
 .<!-- .body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helv
etica,sans-serif;background:#CBE1EF;} .code{margin:0;color:#006600;fon
t-size:1.1em;font-weight:bold;} ..config_source code{font-size:.8em;co
lor:#000000;} .pre{margin:0;font-size:1.4em;word-wrap:break-word;} .ul
,ol{margin:10px 0 10px 40px;} .ul.first,ol.first{margin-top:5px;} .fie
ldset{padding:0 15px 10px 15px;} ..summary-container fieldset{padding-
bottom:5px;margin-top:4px;} .legend.no-expand-all{padding:2px 15px 4px
 10px;margin:0 0 0 -12px;} .legend{color:#333333;padding:4px 15px 4px 
10px;margin:4px 0 8px -12px;_margin-top:0px; . border-top:1px solid #E
DEDED;border-left:1px solid #EDEDED;border-right:1px solid #969696; . 
border-bottom:1px solid #969696;background:#E7ECF0;font-weight:bold;fo
nt-size:1em;} .a:link,a:visited{color:#007EFF;font-weight:bold;} .a:ho
ver{text-decoration:none;} .h1{font-size:2.4em;margin:0;color:#FFF;} .
h2{font-size:1.7em;margin:0;color:#CC0000;} .h3{font-size:1.4em;margin
:10px 0 0 0;color:#CC0000;} .h4{font-size:1.2em;margin:10px 0 5px 0; .
}#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"t
rebuchet MS",Verdana,sans-serif; . color:#FFF;background-color:#5C87B2
; .}#content{margin:0 0 0 2%;position:relative;} ..summary-contain
<<< skipped >>>

GET /shichangbu/all_active.html HTTP/1.1

Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml xml, image/pjpeg, application/x-ms-xbap, */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: downcdn1.shgaoxin.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sun, 29 Oct 2017 23:05:30 GMT

Content-Type: text/html

Last-Modified: Wed, 15 Oct 2014 06:33:46 GMT

Accept-Ranges: bytes

ETag: "081b2f841e8cf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 107

Age: 69269

X-Via: 1.1 zhshx17:10 (Cdn Cache Server V2.0), 1.1 nxiazai47:7 (Cdn Cache Server V2.0)

Connection: keep-alive
<script src="hXXp://s6.cnzz.com/z_stat.php?id=1253415983&web_id=125
3415983" language="JavaScript"></script>HTTP/1.1 200 OK..Date
: Sun, 29 Oct 2017 23:05:30 GMT..Content-Type: text/html..Last-Modifie
d: Wed, 15 Oct 2014 06:33:46 GMT..Accept-Ranges: bytes..ETag: "081b2f8
41e8cf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-
Length: 107..Age: 69269..X-Via: 1.1 zhshx17:10 (Cdn Cache Server V2.0)
, 1.1 nxiazai47:7 (Cdn Cache Server V2.0)..Connection: keep-alive..<
;script src="hXXp://s6.cnzz.com/z_stat.php?id=1253415983&web_id=125341
5983" language="JavaScript"></script>..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

L$.Qf

8%u3P

N@SSSh

N@SSSh0w

SSShTv

RSShx

SSSSh

vSSSh

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

<!--%s-->

standalone="%s"

encoding="%s"

version="%s"

&#xX;

</%s>

%s='%s'

%s="%s"

monochrome

unsupported bit depth

CNotSupportedException

CHttpConnection

CHttpFile

CCmdTarget

hhctrl.ocx

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

hXXp://down.wannianli365.com/update/shanhu.xml

hXXp://confignew.3lsoft.com/rili/config.html

hXXp://VVV.hao123.com/?tn=99636721_hao_pg

RegDeleteKeyExW

hXXp://confignew.3lsoft.com/rili/first.html

\Branch\Bin\shanhurili\SoftUpd.pdb

KERNEL32.dll

USER32.dll

RegOpenKeyExW

RegCloseKey

RegDeleteKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegCreateKeyExW

ADVAPI32.dll

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

UrlUnescapeW

SHLWAPI.dll

GdiplusShutdown

gdiplus.dll

InternetCrackUrlW

InternetCanonicalizeUrlW

HttpQueryInfoW

HttpSendRequestW

HttpOpenRequestW

WININET.dll

OLEACC.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

GetKeyState

UnhookWindowsHookEx

SetWindowsHookExW

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

WINSPOOL.DRV

COMDLG32.dll

SoftUpd.exe

??0CWebBrowserUI@DuiLib@@QAE@ABV01@@Z

??0CWebBrowserUI@DuiLib@@QAE@XZ

??1CWebBrowserUI@DuiLib@@UAE@XZ

??4CWebBrowserUI@DuiLib@@QAEAAV01@ABV01@@Z

??_7CWebBrowserUI@DuiLib@@6BCControlUI@1@@

??_7CWebBrowserUI@DuiLib@@6BIDispatch@@@

??_7CWebBrowserUI@DuiLib@@6BIDocHostUIHandler@@@

??_7CWebBrowserUI@DuiLib@@6BIMessageFilterUI@1@@

??_7CWebBrowserUI@DuiLib@@6BIOleCommandTarget@@@

??_7CWebBrowserUI@DuiLib@@6BIServiceProvider@@@

??_7CWebBrowserUI@DuiLib@@6BITranslateAccelerator@1@@

?AddRef@CWebBrowserUI@DuiLib@@UAGKXZ

?BeforeNavigate2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@1111AAPAF@Z

?CommandStateChange@CWebBrowserUI@DuiLib@@IAEXJF@Z

?DUI__TraceMsg@DuiLib@@YAPB_WI@Z

?DoCreateControl@CWebBrowserUI@DuiLib@@UAE_NXZ

?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z

?EnableModeless@CWebBrowserUI@DuiLib@@UAGJH@Z

?Exec@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KKPAUtagVARIANT@@1@Z

?FilterDataObject@CWebBrowserUI@DuiLib@@UAGJPAUIDataObject@@PAPAU3@@Z

?FindId@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_W@Z

?GetAutoURLDetect@CRichEditUI@DuiLib@@QBE_NXZ

?GetClass@CWebBrowserUI@DuiLib@@UBEPB_WXZ

?GetDropTarget@CWebBrowserUI@DuiLib@@UAGJPAUIDropTarget@@PAPAU3@@Z

?GetExternal@CWebBrowserUI@DuiLib@@UAGJPAPAUIDispatch@@@Z

?GetHomePage@CWebBrowserUI@DuiLib@@QAEPB_WXZ

?GetHostInfo@CWebBrowserUI@DuiLib@@UAGJPAU_DOCHOSTUIINFO@@@Z

?GetHtmlWindow@CWebBrowserUI@DuiLib@@QAEPAUIDispatch@@XZ

?GetIDsOfNames@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPA_WIKPAJ@Z

?GetInterface@CWebBrowserUI@DuiLib@@UAEPAXPB_W@Z

?GetMessageMap@CNotifyPump@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ

?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ

?GetOptionKeyPath@CWebBrowserUI@DuiLib@@UAGJPAPA_WK@Z

?GetPasswordChar@CEditUI@DuiLib@@QBE_WXZ

?GetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z

?GetTransShadow1@CLabelUI@DuiLib@@QAEHXZ

?GetTransShadow@CLabelUI@DuiLib@@QAEHXZ

?GetTypeInfo@CWebBrowserUI@DuiLib@@UAGJIKPAPAUITypeInfo@@@Z

?GetTypeInfoCount@CWebBrowserUI@DuiLib@@UAGJPAI@Z

?GetWebBrowser2@CWebBrowserUI@DuiLib@@QAEPAUIWebBrowser2@@XZ

?GetWindowStyls@CEditUI@DuiLib@@QBEHXZ

?GoBack@CWebBrowserUI@DuiLib@@QAEXXZ

?GoForward@CWebBrowserUI@DuiLib@@QAEXXZ

?HideUI@CWebBrowserUI@DuiLib@@UAGJXZ

?Invoke@CWebBrowserUI@DuiLib@@UAGJJABU_GUID@@KGPAUtagDISPPARAMS@@PAUtagVARIANT@@PAUtagEXCEPINFO@@PAI@Z

?InvokeMethod@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@2H@Z

?IsAutoNavigation@CWebBrowserUI@DuiLib@@QAE_NXZ

?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ

?IsPasswordMode@CEditUI@DuiLib@@QBE_NXZ

?IsShowHtml@CLabelUI@DuiLib@@QAE_NXZ

?IsShowHtml@CListHeaderItemUI@DuiLib@@QAE_NXZ

?IsShowUpdateRect@CPaintManagerUI@DuiLib@@QBE_NXZ

?Join@CDuiRect@DuiLib@@QAEXABUtagRECT@@@Z

?Navigate2@CWebBrowserUI@DuiLib@@QAEXPB_W@Z

?NavigateComplete2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@@Z

?NavigateError@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@11AAPAF@Z

?NavigateHomePage@CWebBrowserUI@DuiLib@@QAEXXZ

?NavigateUrl@CWebBrowserUI@DuiLib@@QAEXPB_W@Z

?NewWindow3@CWebBrowserUI@DuiLib@@IAEXPAPAUIDispatch@@AAPAFKPA_W2@Z

?OnDocWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z

?OnDocumentCompleted@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@PAUtagVARIANT@@@Z

?OnFrameWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z

?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z

?ProgressChange@CWebBrowserUI@DuiLib@@IAEXJJ@Z

?QueryInterface@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPAX@Z

?QueryService@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@0PAPAX@Z

?QueryStatus@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KQAU_tagOLECMD@@PAU_tagOLECMDTEXT@@@Z

?Refresh2@CWebBrowserUI@DuiLib@@QAEXH@Z

?Refresh@CWebBrowserUI@DuiLib@@QAEXXZ

?RegisterEventHandler@CWebBrowserUI@DuiLib@@IAEJH@Z

?Release@CWebBrowserUI@DuiLib@@UAGKXZ

?ReleaseControl@CWebBrowserUI@DuiLib@@MAEXXZ

?ResizeBorder@CWebBrowserUI@DuiLib@@UAGJPBUtagRECT@@PAUIOleInPlaceUIWindow@@H@Z

?ResponseDefaultKeyEvent@WindowImplBase@DuiLib@@IAEJI@Z

?SetAttribute@CWebBrowserUI@DuiLib@@MAEXPB_W0@Z

?SetAutoNavigation@CWebBrowserUI@DuiLib@@QAEX_N@Z

?SetAutoURLDetect@CRichEditUI@DuiLib@@QAE_N_N@Z

?SetHomePage@CWebBrowserUI@DuiLib@@QAEXPB_W@Z

?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z

?SetPasswordChar@CEditUI@DuiLib@@QAEX_W@Z

?SetPasswordMode@CEditUI@DuiLib@@QAEX_N@Z

?SetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z

?SetTransShadow1@CLabelUI@DuiLib@@QAEXH@Z

?SetTransShadow@CLabelUI@DuiLib@@QAEXH@Z

?SetWebBrowserEventHandler@CWebBrowserUI@DuiLib@@QAEXPAVCWebBrowserEventHandler@2@@Z

?ShowContextMenu@CWebBrowserUI@DuiLib@@UAGJKPAUtagPOINT@@PAUIUnknown@@PAUIDispatch@@@Z

?ShowUI@CWebBrowserUI@DuiLib@@UAGJKPAUIOleInPlaceActiveObject@@PAUIOleCommandTarget@@PAUIOleInPlaceFrame@@PAUIOleInPlaceUIWindow@@@Z

?TranslateAcceleratorW@CPaintManagerUI@DuiLib@@QAE_NPAUtagMSG@@@Z

?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAEJPAUtagMSG@@@Z

?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAGJPAUtagMSG@@PBU_GUID@@K@Z

?TranslateMessage@CPaintManagerUI@DuiLib@@SA_NQAUtagMSG@@@Z

?TranslateUrl@CWebBrowserUI@DuiLib@@UAGJKPA_WPAPA_W@Z

?UpdateUI@CWebBrowserUI@DuiLib@@UAGJXZ

?_GetBaseMessageMap@CNotifyPump@DuiLib@@KGPBUDUI_MSGMAP@2@XZ

?_GetBaseMessageMap@WindowImplBase@DuiLib@@KGPBUDUI_MSGMAP@2@XZ

?_messageEntries@CNotifyPump@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B

?_messageEntries@WindowImplBase@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B

?messageMap@CNotifyPump@DuiLib@@1UDUI_MSGMAP@2@B

?messageMap@WindowImplBase@DuiLib@@1UDUI_MSGMAP@2@B

.?AVCWebBrowserUI@DuiLib@@

.?AVCActiveXEnum@DuiLib@@

#*1892 $

%,3:;4-&

.PAVCOleException@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.PAVCInternetException@@

.?AVCHttpConnection@@

.?AVCHttpFile@@

.PAVCArchiveException@@

.?AVCCmdTarget@@

.PAVCFileException@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

zcÁ

%,%@%>%.%

%/%0%1%#%2%3%

%-% %"%?%

%4%H%F%6%&%7%8%9% %:%;%

%$%'%5%(%*%G%%%E%)%D%

.PAVCException@@

ui_bind_frame.xml

ui_hide_bind.xml]

ui_show_bind.xml

UIPrompt.xml

.xmlup

jo.QH

CRT_5

check3.png

close.png

Font.xml

HideBind.xml

huojian.png

.rvmQ

logo.png

main_button.png

main_frame.xml

main_frameN.xml

.bUA*Y

yS*%s;Hn

minmize.png

progress_fore.png

ShowBind.xml

ui_hide_bind.xml

.xmlPK

Ge.EKb

t.Me*

{jD`%F

b.xH#

.Fxy1D

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

90:5:::@:&;

;#;4;8;<;@;

%0S2W2[2_2c2g2k2o2{2

:";(;4;8<

0)01070=0

0 0$0(0,0004080<0

3 3@3`3|3

4 4$4@4`4

transshadow1

transshadow

keyboard

User32.dll

msimg32.dll

dest='%d,%d,%d,%d'

0xX

WM_SYSKEYUP

WM_SYSKEYDOWN

WM_KEYUP

WM_KEYDOWN

password

dest='%d,%d,%d,%d' source='%d,%d,%d,%d'

msftedit.dll

M-d-d

WebBrowserUI

WebBrowser

errorUrl

source='%d,%d,%d,%d' dest='%d,%d,%d,%d'

hXXp://

WININET.DLL

HTTP/1.0

%s (%s:%d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

comctl32.dll

comdlg32.dll

shell32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

accKeyboardShortcut

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

commctrl_DragListMsg

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

mscoree.dll

KERNEL32.DLL

kernel32.dll

guangsu_website4

guangsu_website

SoftApp.ini

%s.%s

"%s" /S /D=%s

Ver%s.%s

Ver%s

update.xml

BindData.ini

%sVstart32.dll

name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check3.png' source='0,0,13,13'" selectedimage="file='check3.png' source='13,13,26,26'"

%sSoftApp.ini

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

Riched20.dll

Advapi32.dll

%sConfig.ini

lRiliFirstBindData.ini

name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check3.png' source='39,0,52,13'" selectedimage="file='check3.png' source='39,13,52,26'"

0000000000

00000000000

c:\WBUpdSkin\

c:\%original file name%.exe

1, 0, 1, 0

shrl.exe_1844:

.text

`.rdata

@.data

.rsrc

SSSh =V

SSShp

N@SSSh

N@SSSh

SSSh(TV

RSShx

SSSSh

SSSSSSSSh|

Vh.pI

vSSSh

s%j.Zf

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

PP P!"PP#$PPPP%&'PPP(P)*P PPP,-.PP/0123PPPPPP4PPPPPPP5PPPPPP6789:;PPPPPPPP<PPP=>?@ABCDPPPPEPPPPFPPPPPPGPPHIPPPPPJKPPPLLPPMPPPPPPPPPNPPOY

!"DDD#D$DÝ&D'()DDDDDDDDDDDDD*DDDDDDDDDDDD DD,-DDDDDDDDDDD.D/DDDDDDDDDDDDDD01DD234DD56789DDDDDDDD:;DD<=>DD?DDDDD@ABDDDDDCV

>%u Wj%

_u.Ph

tX9.uT

.QhP.W

.Rh(.W

FLu$

t.PhXfU

-./01234$5567

|$$u.WS

*1*1**234

%[^,],%[^,]

UrlLinkControl

refUrl

url%d

LockUrl

hXXp://down.wannianli365.com/update/shanhu.xml

RegDeleteKeyExW

rundll32.exe shell32.dll, Control_RunDLL Timedate.cpl, 0

?456789:;<=

!"#$%&'()* ,-./0123

img%d

weather%d

wind%d

temp%d

monochrome

unsupported bit depth

CCmdTarget

CNotSupportedException

hhctrl.ocx

CHttpConnection

CHttpFile

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

GetProcessWindowStation

USER32.DLL

operator

CPPSQLITE_ERROR

SQLITE_DONE

SQLITE_ROW

SQLITE_RANGE

SQLITE_FORMAT

SQLITE_AUTH

SQLITE_NOLFS

SQLITE_MISUSE

SQLITE_MISMATCH

SQLITE_CONSTRAINT

SQLITE_TOOBIG

SQLITE_SCHEMA

SQLITE_EMPTY

SQLITE_PROTOCOL

SQLITE_CANTOPEN

SQLITE_FULL

SQLITE_NOTFOUND

SQLITE_CORRUPT

SQLITE_IOERR

SQLITE_INTERRUPT

SQLITE_READONLY

SQLITE_NOMEM

SQLITE_LOCKED

SQLITE_BUSY

SQLITE_ABORT

SQLITE_PERM

SQLITE_INTERNAL

SQLITE_ERROR

SQLITE_OK

%s[%d]: %s

.jpeg

.html

--%s--

couldn't open file "%s"

Content-Type: %s

; filename="%s"

Content-Disposition: attachment; filename="%s"

Content-Type: multipart/mixed, boundary=%s

%s; boundary=%s

Could not resolve %s: %s; %s

getaddrinfo() failed for %s:%d; %s

init_resolve_thread() failed for %s; %s

%s:%d

About to connect() to %s%s port %ld (#%ld)

Connected to %s (%s) port %ld (#%ld)

IDN support not present, can't parse Unicode domains

Protocol %s not supported or disabled in libcurl

<url> malformed

:]://%[^

[^:]:%[^

http_proxy

%5[^:@]:%5[^@]

:%5[^@]

Port number too large: %lu

%s://%s%s%s:%hu%s%s%s

;type=%c

[%*45[0123456789abcdefABCDEF:.]%c

Couldn't find host %s in the _netrc file; using defaults

PTF@example.com

Couldn't resolve host '%s'

Couldn't resolve proxy '%s'

User-Agent: %s

Re-using existing connection! (#%ld) with host %s

%s://%s

Connection #%ld to host %s left intact

operation aborted by callback

ioctl callback returned error %d

the ioctl callback returned %d

seek callback returned error %d

Problem (%d) in the Chunked-Encoded data

HTTP server doesn't seem to support byte ranges. Cannot resume.

Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)

Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld

Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)

Rewinding stream by : %zd bytes on url %s (zero-length body)

Operation timed out after %ld milliseconds with %lld bytes received

Operation timed out after %ld milliseconds with %lld out of %lld bytes received

Added %s:%d:%s to DNS cache

Resolve %s found illegal!

%5[^:]:%d:%5s

No URL set!

[^?&/:]://%c

Violate RFC 2616/10.3.2 and switch from POST to GET

Violate RFC 2616/10.3.3 and switch from POST to GET

Disables POST, goes with %s

Issue another request to this URL: '%s'

unspecified error %d

%s cookie %s="%s" for domain %s, path %s, expire %lld

#HttpOnly_

skipped cookie with bad tailmatch domain: %s

skipped cookie with illegal dotcount domain: %s

httponly

23[^;

=]=I99[^;

%s%s%s

# Fatal libcurl error

# Netscape HTTP Cookie File

# hXXp://curl.haxx.se/rfc/cookie_spec.html

# This file was generated by libcurl! Edit at your own risk.

WARNING: failed to save cookies in %s

[%s %s %s]

Send failure: %s

Recv failure: %s

bind failed with errno %d: %s

Local port: %hu

getsockname() failed with errno %d: %s

Bind to local port %hu failed, trying next

Couldn't bind to '%s'

Name '%s' family %i resolved to '%s' family %i

Local Interface %s is ip %s using address family %i

ssloc inet_ntop() failed with errno %d: %s

ssrem inet_ntop() failed with errno %d: %s

getpeername() failed with errno %d: %s

TCP_NODELAY set

Could not set TCP_NODELAY: %s

Failed to connect to %s: %s

Trying %s...

sa_addr inet_ntop() failed with errno %d: %s

Unable to parse FTP file list

Error in the SSH layer

Caller must register CURLOPT_CONV_ callback options

TFTP: No such user

TFTP: Unknown transfer ID

TFTP: Illegal operation

TFTP: Access Violation

TFTP: File Not Found

Login denied

Issuer check against peer certificate failed

Invalid LDAP URL

Unrecognized or bad HTTP Content or Transfer-Encoding

Problem with the SSL CA cert (path? access rights?)

Peer certificate cannot be authenticated with given CA certificates

Problem with the local SSL certificate

SSL peer certificate or SSH remote key was not OK

An unknown option was passed in to libcurl

A libcurl function was given a bad argument

Operation was aborted by an application callback

FTP: command REST failed

FTP: command PORT failed

HTTP response code said error

FTP: couldn't retrieve (RETR failed) the specified file

FTP: couldn't set file type

FTP: can't figure out the host in the PASV response

FTP: unknown 227 response format

FTP: unknown PASV reply

FTP: unknown PASS reply

FTP: The server did not accept the PRET command.

FTP: weird server reply

A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

URL using bad/illegal format or missing URL

Unsupported protocol

Winsock version not supported

Protocol family not supported

Address family not supported

Operation not supported

Socket is unsupported

Protocol is unsupported

Protocol option is unsupported

Unknown error %d (%#x)

Internal error removing splay node = %d

Internal error clearing splay node = %d

%d.%d.%d.%d

%s%s%s%s%s%s

Session: %s

%s %s RTSP/1.0

Range: %s

Referer: %s

Accept-Encoding: %s

Refusing to issue an RTSP SETUP without a Transport: header.

Transport: %s

Transport:

Refusing to issue an RTSP request [%s] without a session ID.

Got RTSP Session ID Line [%s], but wanted ID [%s]

Unable to read the CSeq header: [%s]

SMTP

LOGIN

EHLO %s

HELO %s

AUTH %s

No known auth mechanisms supported!

AUTH %s %s

Access denied: %d

%s xxxxxxxxxxxxxxxx

Authentication failed: %d

MAIL FROM:%s SIZE=%s

MAIL FROM:%s

RCPT TO:<%s>

RCPT TO:%s

SMTPS not supported!

STARTTLS denied. %c

Got unexpected smtp-server response: %d

USER %s

PASS %s

Access denied. %c

Invalid message. %c

RETR %s

LIST %s

POP3S not supported!

%s LOGIN %s %s

%s SELECT %s

%s FETCH 1 BODY[TEXT]

%s LOGOUT

IMAPS not supported!

%s STARTTLS

TFTP

set timeouts for state %d; Total %ld, retry %d maxtry %d

invalid tsize -:%s:- value in OACK packet

%s (%ld)

blksize is smaller than min supported

%s (%d)

blksize is larger than max supported

%s (%d) %s (%d)

got option=(%s) value=(%s)

tftp_rx: internal error

Timeout waiting for block %d ACK. Retries = %d

Received unexpected DATA packet block %d, expecting block %d

tftp_tx: internal error, event: %i

tftp_tx: giving up waiting for block %d ack

Received ACK for block %d, expecting %d

bind() failed; %s

tftp_send_first: internal error

%s%c%s%c

TFTP finished

TFTP response timeout

Can't get the size of %s

Can't open %s for writing

Last-Modified: %s, d %s M d:d:d GMT

Couldn't open file %s

There are more than %d entries

LDAP remote: %s

LDAP local: ldap_simple_bind_s %s

LDAP local: Cannot connect to %s:%hu

LDAP local: trying to establish %s connection

LDAP local: %s

LDAP local: LDAP Vendor = %s ; LDAP Version = %d

CLIENT libcurl 7.23.1

MATCH %s %s %s

DEFINE %s %s

insufficient winsock version to support telnet

WSAStartup failed (%d)

%s %d %d

%s %s %d

%s %s %s

%s IAC %d

%s IAC %s

Sending data failed (%d)

%d (unknown)

%s (unsupported)

%s IAC SB

Syntax error in telnet option: %s

Unknown telnet option %s

7[^= ]%*[ =]%5s

USER,%s

%c%c%c%c%s%c%c

%c%s%c%s

7[^,],7s

%c%c%c%c

FreeLibrary(wsock2) failed (%d)

WSACloseEvent failed (%d)

WSAEnumNetworkEvents failed (%d)

WSACreateEvent failed (%d)

failed to find WSAEnumNetworkEvents function (%d)

failed to find WSAEventSelect function (%d)

failed to find WSACloseEvent function (%d)

failed to find WSACreateEvent function (%d)

failed to load WS2_32.DLL (%d)

WS2_32.DLL

PORT

FTP response aborted due to select/poll error: %d

FTP response timeout

Failure sending PORT command: %s

%s %s

,%d,%d

Failure sending EPRT command: %s

%s |%d|%s|%hu|

bind() failed, we ran out of ports!

bind(port=%hu) failed: %s

bind(port=%hu) on non-local address failed: %s

socket failure: %s

failed to resolve the address provided to PORT: %s

getsockname() failed: %s

Connect data stream passively

PRET RETR %s

PRET STOR %s

PRET %s

REST %d

SIZE %s

STOR %s

APPE %s

Failed to do PORT

Got a d response code instead of the assumed 200

ftp server doesn't support SIZE

Failed FTP upload: 

RETR response: d

PBSZ %d

Access denied: d

ACCT %s

ACCT rejected by server: d

TYPE %c

Connecting to %s (%s) port %d

Failure sending QUIT command: %s

Uploading to a URL without a file name!

FTPS not supported!

MDTM %s

Bad PASV/EPSV response: d

Can't resolve new host %s:%hu

Can't resolve proxy host %s:%hu

Skips %d.%d.%d.%d for data connection, uses %s instead

%d,%d,%d,%d,%d,%d

%c%c%c%u%c

ddd d:d:d GMT

dddddd

unsupported MDTM reply format

QUOT string not accepted: %s

Wildcard - "%s" skipped by user

Wildcard - START of "%s"

CWD %s

PRET command not accepted: d

Failed to MKD dir: d

MKD %s

QUOT command failed with d

Entry path is '%s'

PROT %c

unsupported parameter to CURLOPT_FTPSSLAUTH: %d

Got a d ftp-server response when 220 was expected

server did not report OK, got %d

Failure sending ABOR command: %s

Remembering we are in dir "%s"

%sAuthorization: Basic %s

%s:%s

%s auth using %s with user '%s'

HTTP/

Avoided giant realloc for header (max is %d)!

The requested URL returned error: %d

If-Unmodified-Since: %s

Last-Modified: %s

If-Modified-Since: %s

%s, d %s M d:d:d GMT

Failed sending HTTP POST request

Content-Type: application/x-www-form-urlencoded

Internal HTTP POST error!

Failed sending HTTP request

%s%s=%s

%s HTTP/%s

%s%s%s%s%s%s%s%s%s%s%s

PTF://%s:%s@%s

Content-Range: bytes %s/%lld

Content-Range: bytes %s%lld/%lld

Range: bytes=%s

PTF://

Host: %s%s%s:%hu

Host: %s%s%s

Chunky upload is not supported by HTTP 1.0

HTTP error before end of send, stop sending

HTTP/1.0 connection set to keep alive!

HTTP/1.1 proxy connection set close!

HTTP/1.0 proxy connection set to keep alive!

HTTP 1.0, assume close after body

RTSP/%d.%d =

HTTP =

HTTP/%d.%d =

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.

Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.

SOCKS4%s request granted.

Failed to resolve "%s" for SOCKS4 connect.

No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)

SOCKS5 GSSAPI per-message authentication is not supported.

Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)

Failed to resolve "%s" for SOCKS5 connect.

User was rejected by the SOCKS5 server (%d %d).

--:--:--

%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s

password

login

Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds

%s, algorithm="%s"

%s, opaque="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"

%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"

%s:%s:x:%s:%s:%s

%s:%.*s

%s:%s:%s

d:d

d:d:d

%c%c==

%c%c%c=

Received HTTP code %d from proxy after CONNECT

HTTP/1.%d %d

CONNECT %s:%hu HTTP/%s

%s%s%s%s

Host: %s

%s:%hu

Establish HTTP proxy tunnel to %s:%hu

0123456789-

<!--%s-->

standalone="%s"

encoding="%s"

version="%s"

&#xX;

</%s>

%s='%s'

%s="%s"

OLEACC.dll

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

@unable to use function %s in the requested context

3.5.9

large file support is disabled

SQL logic error or missing database

no such vfs: %s

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

SELECT name, rootpage, sql FROM '%q'.%s

unsupported file format

sqlite_master

sqlite_temp_master

database schema is locked: %s

%s(%d)

keyinfo(%d

%s-mjX

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s

transaction - SQL statements in progress

error during initialization: %s

no entry point [%s] in shared library [%s]

unable to open shared library [%s]

sqlite3_extension_init

automatic extension loading failed: %s

SQLite format 3

invalid page number %d

2nd reference to page %d

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

failed to get page %d

%d of %d pages missing from overflow list starting at %d

freelist leaf count too big on page %d

Fragmented space is %d byte reported as %d on page %d

Multiple uses for byte %d of page %d

Corruption detected in cell %d on page %d

On page %d at right child:

On tree page %d cell %d:

sqlite3BtreeInitPage() returns error code %d

unable to get the page. error code=%d

Page %d:

Outstanding page count goes from %d to %d during this analysis

Pointer map page %d is referenced

Page %d is never used

Unable to malloc %d bytes

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

vtable constructor did not declare schema: %s

vtable constructor failed: %s

no such module: %s

%s: %s

%s: %s.%s

object name reserved for internal use: %s

sqlite_

duplicate column name: %s

too many columns on %s

default value of column [%s] is not constant

CREATE TABLE %Q.sqlite_sequence(name,seq)

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

foreign key on %s should reference only one column of table %T

sqlite_sequence

there is already an index named %s

view %s is circularly defined

table %s may not be dropped

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

sqlite_stat1

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %s.sqlite_sequence WHERE name=%Q

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

indexed columns are not unique

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

table %s has no column named %s

sqlite_autoindex_

index %s already exists

there is already a table named %s

virtual tables may not be indexed

views may not be indexed

table %s may not be indexed

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

DELETE FROM %Q.%s WHERE name=%Q

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

no such index: %S

unable to identify the object to be reindexed

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

no such collation sequence: %s

sqlite_version

CREATE TABLE %Q.sqlite_stat1(tbl,idx,stat)

SELECT idx, stat FROM %Q.sqlite_stat1

BEFOREIGNOREGEXPLAINSTEADDESCAPEACHECKEYCONSTRAINTERSECTABLEFTHENDATABASELECTRANSACTIONATURALTERAISELSEXCEPTRIGGEREFERENCESUNIQUERYATTACHAVINGROUPDATEMPORARYBEGINNEREINDEXCLUSIVEXISTSBETWEENOTNULLIKECASCADEFERRABLECASECOLLATECREATECURRENT_DATEDELETEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFINTOFFSETISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

RowKey

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM ' || quote(name) || ';'FROM sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

PRAGMA vacuum_db.synchronous=OFF

-- TRIGGER %s

cannot create INSTEAD OF trigger on table: %S

cannot create %s trigger on view: %S

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such trigger: %S

%s\etilqs_

cannot open value of type %s

cannot open indexed column for writing

no such column: "%s"

cannot open view: %s

cannot open virtual table: %s

illegal return value (%d) from the authorization function - should be SQLITE_OK, SQLITE_IGNORE, or SQLITE_DENY

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

sqlite3_get_table() called with two or more incompatible queries

unknown or unsupported join type: %T%s%T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

cannot have both ON and USING clauses in the same join

a NATURAL join may not have an ON or USING clause

cannot join using column %s - column not present in both tables

column%d

%z:%d

no such table: %s

%s.%s

sqlite_subquery_%p_

%r %s BY term out of range - should be between 1 and %d

too many terms in %s BY clause

%r ORDER BY term out of range - should be between 1 and %d

SELECTs to the left and right of %s do not have the same number of result columns

LIMIT clause should come after %s not before

ORDER BY clause should come after %s not before

too many SQL variables

variable number must be between ?1 and ?%d

too many columns in %s

%s: %s.%s.%s

misuse of aliased aggregate %s

not authorized to use function: %s

Expression tree is too large (maximum depth %d)

cannot modify %s because it is a view

table %s may not be modified

unable to open database: %s

database %s is already in use

too many attached databases - max %d

database %s is locked

cannot detach database %s

no such database: %s

sqlite_detach

sqlite_attach

%s %T cannot reference objects in database %s

d-d-d d:d:d

d-d-d

M@sqlite_rename_trigger

sqlite_rename_table

%.*s"%w"%s

%s OR name=%Q

there is already another table or index with this name: %s

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

view %s may not be altered

table %s may not be altered

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

Cannot add a PRIMARY KEY column

.NOPQRSTXY|}~

PRIMARY KEY must be unique

table %S has no column named %s

%d values for %d columns

table %S has %d columns but %d values were supplied

no such column: %s

table %s: xBestIndex returned an invalid plan

%z VIRTUAL TABLE INDEX %d:%s

%z USING PRIMARY KEY

%z WITH INDEX %s

%z AS %s

TABLE %s

at most %d tables in a join

*** in database %s ***

unsupported encoding: %s

foreign_key_list

\Branch(newest)\Temp\Release\shrl.pdb

GetWindowsDirectoryW

WinExec

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

KERNEL32.dll

GetKeyState

SetWindowsHookExW

UnhookWindowsHookEx

CreateDialogIndirectParamW

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

COMDLG32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExW

RegCreateKeyExA

RegCreateKeyExW

RegDeleteKeyW

RegEnumKeyExW

RegQueryInfoKeyW

RegEnumKeyW

RegOpenKeyW

ADVAPI32.dll

ShellExecuteW

ShellExecuteExW

SHELL32.dll

COMCTL32.dll

UrlUnescapeW

SHLWAPI.dll

oledlg.dll

ole32.dll

OLEAUT32.dll

WSOCK32.dll

GdiplusShutdown

gdiplus.dll

InternetCrackUrlW

InternetCanonicalizeUrlW

HttpQueryInfoW

HttpSendRequestW

HttpOpenRequestW

WININET.dll

WS2_32.dll

WINMM.dll

WLDAP32.dll

PeekNamedPipe

shrl.exe

??0CWebBrowserUI@DuiLib@@QAE@ABV01@@Z

??0CWebBrowserUI@DuiLib@@QAE@XZ

??1CWebBrowserUI@DuiLib@@UAE@XZ

??4CWebBrowserUI@DuiLib@@QAEAAV01@ABV01@@Z

??_7CWebBrowserUI@DuiLib@@6BCControlUI@1@@

??_7CWebBrowserUI@DuiLib@@6BIDispatch@@@

??_7CWebBrowserUI@DuiLib@@6BIDocHostUIHandler@@@

??_7CWebBrowserUI@DuiLib@@6BIMessageFilterUI@1@@

??_7CWebBrowserUI@DuiLib@@6BIOleCommandTarget@@@

??_7CWebBrowserUI@DuiLib@@6BIServiceProvider@@@

??_7CWebBrowserUI@DuiLib@@6BITranslateAccelerator@1@@

?AddRef@CWebBrowserUI@DuiLib@@UAGKXZ

?BeforeNavigate2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@1111AAPAF@Z

?CommandStateChange@CWebBrowserUI@DuiLib@@IAEXJF@Z

?DUI__TraceMsg@DuiLib@@YAPB_WI@Z

?DoCreateControl@CWebBrowserUI@DuiLib@@UAE_NXZ

?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z

?EnableModeless@CWebBrowserUI@DuiLib@@UAGJH@Z

?Exec@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KKPAUtagVARIANT@@1@Z

?FilterDataObject@CWebBrowserUI@DuiLib@@UAGJPAUIDataObject@@PAPAU3@@Z

?FindId@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_W@Z

?GetAutoURLDetect@CRichEditUI@DuiLib@@QBE_NXZ

?GetClass@CWebBrowserUI@DuiLib@@UBEPB_WXZ

?GetDropTarget@CWebBrowserUI@DuiLib@@UAGJPAUIDropTarget@@PAPAU3@@Z

?GetExternal@CWebBrowserUI@DuiLib@@UAGJPAPAUIDispatch@@@Z

?GetHomePage@CWebBrowserUI@DuiLib@@QAEPB_WXZ

?GetHostInfo@CWebBrowserUI@DuiLib@@UAGJPAU_DOCHOSTUIINFO@@@Z

?GetHtmlWindow@CWebBrowserUI@DuiLib@@QAEPAUIDispatch@@XZ

?GetIDsOfNames@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPA_WIKPAJ@Z

?GetInterface@CWebBrowserUI@DuiLib@@UAEPAXPB_W@Z

?GetMessageMap@CNotifyPump@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ

?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ

?GetOptionKeyPath@CWebBrowserUI@DuiLib@@UAGJPAPA_WK@Z

?GetPasswordChar@CEditUI@DuiLib@@QBE_WXZ

?GetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z

?GetTransShadow1@CLabelUI@DuiLib@@QAEHXZ

?GetTransShadow@CLabelUI@DuiLib@@QAEHXZ

?GetTypeInfo@CWebBrowserUI@DuiLib@@UAGJIKPAPAUITypeInfo@@@Z

?GetTypeInfoCount@CWebBrowserUI@DuiLib@@UAGJPAI@Z

?GetWebBrowser2@CWebBrowserUI@DuiLib@@QAEPAUIWebBrowser2@@XZ

?GetWindowStyls@CEditUI@DuiLib@@QBEHXZ

?GoBack@CWebBrowserUI@DuiLib@@QAEXXZ

?GoForward@CWebBrowserUI@DuiLib@@QAEXXZ

?HideUI@CWebBrowserUI@DuiLib@@UAGJXZ

?Invoke@CWebBrowserUI@DuiLib@@UAGJJABU_GUID@@KGPAUtagDISPPARAMS@@PAUtagVARIANT@@PAUtagEXCEPINFO@@PAI@Z

?InvokeMethod@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@2H@Z

?IsAutoNavigation@CWebBrowserUI@DuiLib@@QAE_NXZ

?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ

?IsPasswordMode@CEditUI@DuiLib@@QBE_NXZ

?IsShowHtml@CLabelUI@DuiLib@@QAE_NXZ

?IsShowHtml@CListHeaderItemUI@DuiLib@@QAE_NXZ

?IsShowUpdateRect@CPaintManagerUI@DuiLib@@QBE_NXZ

?Join@CDuiRect@DuiLib@@QAEXABUtagRECT@@@Z

?Navigate2@CWebBrowserUI@DuiLib@@QAEXPB_WPAUtagVARIANT@@@Z

?NavigateComplete2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@@Z

?NavigateError@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@11AAPAF@Z

?NavigateHomePage@CWebBrowserUI@DuiLib@@QAEXXZ

?NavigateUrl@CWebBrowserUI@DuiLib@@QAEXPB_W@Z

?NewWindow3@CWebBrowserUI@DuiLib@@IAEXPAPAUIDispatch@@AAPAFKPA_W2@Z

?OnDocWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z

?OnDocumentCompleted@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@PAUtagVARIANT@@@Z

?OnFrameWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z

?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z

?ProgressChange@CWebBrowserUI@DuiLib@@IAEXJJ@Z

?QueryInterface@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPAX@Z

?QueryService@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@0PAPAX@Z

?QueryStatus@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KQAU_tagOLECMD@@PAU_tagOLECMDTEXT@@@Z

?Refresh2@CWebBrowserUI@DuiLib@@QAEXH@Z

?Refresh@CWebBrowserUI@DuiLib@@QAEXXZ

?RegisterEventHandler@CWebBrowserUI@DuiLib@@IAEJH@Z

?Release@CWebBrowserUI@DuiLib@@UAGKXZ

?ReleaseControl@CWebBrowserUI@DuiLib@@MAEXXZ

?ResizeBorder@CWebBrowserUI@DuiLib@@UAGJPBUtagRECT@@PAUIOleInPlaceUIWindow@@H@Z

?ResponseDefaultKeyEvent@WindowImplBase@DuiLib@@IAEJI@Z

?SetAttribute@CWebBrowserUI@DuiLib@@MAEXPB_W0@Z

?SetAutoNavigation@CWebBrowserUI@DuiLib@@QAEX_N@Z

?SetAutoURLDetect@CRichEditUI@DuiLib@@QAE_N_N@Z

?SetHomePage@CWebBrowserUI@DuiLib@@QAEXPB_W@Z

?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z

?SetPasswordChar@CEditUI@DuiLib@@QAEX_W@Z

?SetPasswordMode@CEditUI@DuiLib@@QAEX_N@Z

?SetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z

?SetTransShadow1@CLabelUI@DuiLib@@QAEXH@Z

?SetTransShadow@CLabelUI@DuiLib@@QAEXH@Z

?SetWebBrowserEventHandler@CWebBrowserUI@DuiLib@@QAEXPAVCWebBrowserEventHandler@2@@Z

?ShowContextMenu@CWebBrowserUI@DuiLib@@UAGJKPAUtagPOINT@@PAUIUnknown@@PAUIDispatch@@@Z

?ShowUI@CWebBrowserUI@DuiLib@@UAGJKPAUIOleInPlaceActiveObject@@PAUIOleCommandTarget@@PAUIOleInPlaceFrame@@PAUIOleInPlaceUIWindow@@@Z

?TranslateAcceleratorW@CPaintManagerUI@DuiLib@@QAE_NPAUtagMSG@@@Z

?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAEJPAUtagMSG@@@Z

?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAGJPAUtagMSG@@PBU_GUID@@K@Z

?TranslateMessage@CPaintManagerUI@DuiLib@@SA_NQAUtagMSG@@@Z

?TranslateUrl@CWebBrowserUI@DuiLib@@UAGJKPA_WPAPA_W@Z

?UpdateUI@CWebBrowserUI@DuiLib@@UAGJXZ

?_GetBaseMessageMap@CNotifyPump@DuiLib@@KGPBUDUI_MSGMAP@2@XZ

?_GetBaseMessageMap@WindowImplBase@DuiLib@@KGPBUDUI_MSGMAP@2@XZ

?_messageEntries@CNotifyPump@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B

?_messageEntries@WindowImplBase@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B

?messageMap@CNotifyPump@DuiLib@@1UDUI_MSGMAP@2@B

?messageMap@WindowImplBase@DuiLib@@1UDUI_MSGMAP@2@B

.?AVCCmdTarget@@

.?AVCNullCmd@@

.?AVCRunDateByServiceAutoCmd@@

.?AVCRunDateByStartAutoCmd@@

.?AVCRunInstallCliockCmd@@

.?AVCInstallServiceCmd@@

.?AVCStartServiceCmd@@

.?AVCUnInstallServiceCmd@@

.?AVCInstallStartCmd@@

.?AVCUnInstallStartCmd@@

.?AVCRunSendSoftInstallInfoCmd@@

.?AVCRunSendSoftOnlineInfoCmd@@

.?AVCRunSendSoftUninstInfoCmd@@

.?AVCRunSendSoftClickInfoCmd@@

.?AVCTestServiceCmd@@

.?AVCInstallExtraOperateCmd@@

.?AVCInstallStartMenuCmd@@

.?AVCInstallSpreadOperateCmd@@

.?AVCUninstOperateCmd@@

.?AVCSetAdminPermissionCmd@@

.?AVCSetLocalTimeCmd@@

%,%@%>%.%

%/%0%1%#%2%3%

%-% %"%?%

%4%H%F%6%&%7%8%9% %:%;%

%$%'%5%(%*%G%%%E%)%D%

.PAVCException@@

.PAVCFileException@@

.?AVCWebBrowserUI@DuiLib@@

.?AVCDownloadHttp@@

.?AVCHttpPageClient@@

.?AVCHttpPageRequest@@

.?AVCHttpPageResponse@@

.?AVCWebBrowserEventHandlerEx@@

.?AVCWebBrowserEventHandler@DuiLib@@

.?AVCActiveXEnum@DuiLib@@

#*1892 $

%,3:;4-&

.?AVCCmdUI@@

.PAVCMemoryException@@

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCInternetException@@

.?AVCHttpConnection@@

.?AVCHttpFile@@

.PAVCResourceException@@

.PAVCArchiveException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.PAVCOleDispatchException@@

zcÁ

.?AVISqlDataReader@@

.?AVSQLiteDataReader@@

.?AVCSQLiteException@@

.?AVISqlConnection@@

.?AVSQLiteConnection@@

.?AVISqlCommand@@

.?AVSQLiteCommand@@

12/09/13

_6.aB

S7G%UW

2!iTXtXML:com.adobe.xmp

<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">

xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/">

<xmp:CreatorTool>Adobe Fireworks CS5 11.0.0.484 Windows</xmp:CreatorTool>

xmlns:dc="hXXp://purl.org/dc/elements/1.1/">

.jF2J4a

01/23/14

bg.png

bg0.png}

;r>i%xWMwt

p.QOp

~%US|

bg0_EB.png

bg0_small.png

7).KYu

bg1.png|

 (]%U2

Hhb%c

vo.Lxu

fURL

bg1_EB.png}YeT

9{i.KF

.ggeXB

bg1_small.png}Vy8

bg2.png

)s%s\

bg2_EB.png}Xy4

.ddSp

bg2_small.png}V{T

bg3.png|

F.wwO

bg3_EB.png}Yw4\]

bg3_small.png}Vy8

bg4.png|

X@J%f

p#V|TH%f

\R.Xi

%cZ6z_H

bg4_EB.png

 .rmHL

.qx'!

bg4_EB--.png}Y

'<.lMd_;g

bg4_small.png}V

bg5.png

\.oll

?Y[-q}7

A%FU>

dp .CF\c0

%D`F*

%F~pyp

bg5--.png|

{'Z.oK

2ÎDt

.GV[M

bg5_EB.png

Ws%C;W

bg5_EB--.png}X

bg5_small.png}V

bg6.png|

.uY:.rSU

bg6_EB.png}Xy8

bg6_small.png}Vy8

bg7.png|

ymsg

.wIXE

bg7_EB.png}Xy8

%d)<r

bg7_small.png}V

$%d)K

bg8.png|

-%x 't

Pw.kP

5.qX]6Cu

<p.hU

V .ZM

I.VA_

_b.rR

r%Us"

bg8_EB.png}XwTS

bg8_small.png}V

bg9.png

joINN

RXh .sT

tcrt&

6%dhd

~MmSGn

&:.mby

HWxT%uT

bg9--.png|

>dVÜ@

>.xl2;&

.FX5}

%FM$z

Y"o;%D

3EQ;%f

bg9_EB.png

bg9_EB--.png}Xy8

bg9_small.png}VgT

bg10.png

%uMWR

.pYA/

%F<)iP;D 

t%s`p

ub.EG~0

[ .nDuq

[Él&

 url8

#l%do

.UicHA

bg10--.png|

C&-%S

 `}5,{#6

WCKeYk$8

oMcX.Off

fBJ1.ncu

.jvCR

.UcU8l

bg10_EB.png

bg10_EB--.png}YgTS

bg10_small.png}Vy8

bg11.png|

Sz%Sg{W'

[.sGC[

!F0%ds

{\K%dGT

j!-Rf}

j.rnF

!)^.uT

bg11_EB.png}XwT

WeBuV

bg11_small.png}V{8

bg12.png|

%x[VsL/

W.vsZS'319

A.Kes

bg12_EB.png}X

e!!5Q)ae%uI

%ST,2

bg12_small.png}V

/X]x;%x

bg13.png|

I[CsS%SC

T&%Xs

_.yU3f

J7%fG

:.AABX

bg13_EB.png}WwTS

MI.Kr

bg13_small.png}V{8

bg14.png}

%s@y"

%s%j{;

\%f%f_

bg14_EB.png}X

bg14_small.png}V

bg15.png|

-^"sgg{.zz777:7f:;G3zFNN

-FL}"

L.Jl>

.dZVm

G9.sG

.qJy.

%3u4-Z

bg15_EB.png}Yw4

.PFR2

bg15_small.png}Vy8

book.png

border.png

border_.png

btn_close_down.png

btn_close_highlight.png

btn_close_normal.png

btn_hot.png

calendar.png

Pa^E%sO

Calendar_bt.png

$.xt-x

Calendar_htrl.png

ezzz.hBA

Calendar_lhl.png

Calendar_nlrl.png

Calendar_shrl.png

Calendar_wnl.png

Calendar_xmrl.png

change1.png

change2.png

change3.png

change4.png

change5.png

change6.png

change7.png

change8.png

chat_mid.png

checkbox.png

checkbox_h.png

checkbox_p.png

checkbox3.png

closed_d.png

closed_h.png

closed_n.png

ColorWnd.xml

ConfirmExit.xml

d00.png

%uZ(2

d00_.png

d01.png

d01_.png

d02.png

d02_.png

d03.png

d03_.png

37.Ph

d04.png

d04_.png

d05.png

d05_.png

d06.png

d06_.png

d07.png

d07_.png

d08.png

d08_.png

d09.png

d09_.png

d10.png

d10_.png

d11.png

d11_.png

d12.png

d12_.png

N/.qrr

d13.png

d13_.png

d14.png

d14_.png

d15.png

d15_.png

d16.png

0üAoJK

d16_.png

d17.png

d17_.png

O.ZEf

9\xl%s

d18.png

SRR.Bp

d18_.png

d19.png

d19_.png

9F%ut

d20.png

d20_.png

d21.png

d21_.png

d22.png

d22_.png

d23.png

d23_.png

K.nj5

d24.png

d24_.png

d25.png

d25_.png

%u%^#

d26.png

d26_.png

d27.png

d27_.png

d28.png

d28_.png

d29.png

d29_.png

d30.png

d30_.png

.IDATXG

d31.png

d31_.png

d32.png

d32_.png

d33.png

d33_.png

dianying.png5W

edit_bg.png

ExitPrompt.png

fg.bmp

h6%CX

Font.xml

icon_a.png

IELock.xml

.zW,o76

IELock_EditBk.png

Jia.png

line.png

Lottery ticket.pngUVg4\]

.BN\R

lottery.png

main_button.png

main_frame.xml

news.png

Next.png

Note.png

Noted.png

OnSave.png

OnSave_notext.png

Prev.png

Refresh_d.png

Refresh_h.png

Refresh_n.png

scroll.png

scrollbar.png

SelectColor_SliderBar_Thumb.png

Selected-d.png

Selected-h.png

Selected-n.png

Setting1.png

Setting2.png

Setting3.png

skin_d.png

skin_h.png

skin_n.png

small_date_bar.xml

small_detail_bar.xml

small_month_day_bar.xml

small_timer_bar.xml

small_weather_bar.xml

small_year_month_bar.xml

SmallDetailWndBackground.png

suoding.png

`%FKmj

tejia.png%V

a.vcViBi

text.png

thumb.bmpe

Today.png

tongbu.png

tongbu2.png

ui_list_month.xml

ui_list_year.xml

ui_user_account.xml

ui_user_chage_password.xml

ui_user_info.xml

kH.je

ui_user_login.xml

ui_user_password.xml

ui_user_pic_password.png

04/15/14

ui_user_pic_user.png

.AWN&

:R%DW3

]L.Iy

NX.DlZ

uibg.png

UIDistrictExpand.xml

UIExpandBackground.xml

UIFutureWeather.xml

uilismonthtbg.png

UIListDistrict.xml

uilisyeartbg.png

UIMenu.xml

UINewTip.xml

UINoteText.xmlmSK

unsel.bmp

user.png

user_login_buttom.png

%8x40*2R

Verification.png

.LT#U

.ieZa`P

6..JL

xingzuo.png

{8;.TvtTc8i

youxi.png

7654money.pngUW

.omm9f

ad_bottom_title.png

AdOnRightBottom.xml}RMo

Almanac.png

AlmanacFi.png

AlmanacSe.png

AlmanacTh.png

baidu.png

þf1f

bg.bmps

bg0.png

bg1.png

bg1_EB.png

bg1_small.png

bg2_EB.png

bg2_small.png

bg3.png

bg3_EB.png

bg3_small.png

bg4.png

bg4_EB--.png

bg4_small.png

bg5--.png

bg5_EB--.png

bg5_small.png

bg6.png

bg6_EB.png

bg6_small.png

bg7.png

bg7_EB.png

bg7_small.png

bg8.png

bg8_EB.png

bg8_small.png

bg9--.png

bg9_EB--.png

bg9_small.png

bg10--.png

bg10_EB--.png

bg10_small.png

bg11.png

bg11_EB.png

bg11_small.png

bg12.png

bg12_EB.png

bg12_small.png

bg13.png

bg13_EB.png

bg13_small.png

bg14.png

bg14_EB.png

bg14_small.png

bg15.png

bg15_EB.png

bg15_small.png

dianying.png

Lottery ticket.png

tejia.png

thumb.bmp

UINoteText.xml

7654money.png

AdOnRightBottom.xml

bg.bmp

Ge.EKb

t.Me*

{jD`%F

b.xH#

.Fxy1D

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

%s%s\

Config.ini

%sUseData\

%sUseData.ini

%sSoftApp.ini

%s\%s\

skin.zip

SoftApp.ini

DBGHELP.DLL

%s%s.dmp

rkernel32.dll

kernel32.dll

advapi32.dll

CNullCmd %d-%d-%d-%d

clock64.exe

szClockExe = %s

clock32.exe

CRunDateByStartAutoCmd %d-%d-%d-%d

%s,%s.%s,%s,0,0

Statistics.dll

%s,%s.%s,%s

%s,%s.%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s

SkinStylebg%d

%sConfig.ini

Service.dll

RunByWindowsStart

"%s" RunDateByStartAuto

nSOFTWARE\Microsoft\Windows\CurrentVersion

rlbRunByWindowsStart

SOFTWARE\Microsoft\Windows\CurrentVersion

nrlbRunByWindowsStart

UninstOperate

Clock.dll

hXXp://VVV.hao123.com/?tn=74015059_28_hao_pg

%sdataengine_.dll

@RunSendSoftInstallInfoCmd

@InstallExtraOperate

@InstallSpreadOperate

@UninstOperate

software\Microsoft\Windows\CurrentVersion\Uninstall

%s %s.%s

Uninst.exe

URLInfoAbout

\Internet Explorer\iexplore.exe

HotKey

%s%s.lnk

SoftUpd.exe

%s.lnk

%s*.*

%s.del

%s.del%d

hXXp://statistics.haharili.com/server_time

SoftWare\Microsoft\Windows\CurrentVersion\Uninstall

gaoxin.clockdll

%d-%.2d-%.2d

%d-%.2d-%.2d %.2d:%.2d:%.2d

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE

"%s" %s

\Program Files\Internet Explorer\iexplore.exe

%d,%d,%d

%s\service_log.txt

A"%s" RunSendSoftOnlineInfo

gaoxin.shanhurili

gaoxin.clockframe

%s360Ini.dll

Riched20.dll

%sVstart64.exe

ddd

hXXp://xiazai.rilibiao.com.cn/xml/switch_configex.xml

hXXp://xiazai.rilibiao.com.cn/xml/switch_config.xml

TempRilibiao.xml

switchex.xml

AdverOfBottomRefUrl

AdverOfBottomUrl

gDefaultLinkUrlRef

DefaultLinkUrl%d

kInfoOnServerConf.xml

DefaultLinkUrl

hXXp://xiazai.rilibiao.com.cn/xml/info_configex.xml

update.xml

netipaddress.json

hXXp://ip.taobao.com/service/getIpInfo.php?ip=

NetPublicIp.html

hXXp://city.ip138.com/ip2city.asp

%s%s /InstallStart

Power.exe

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

WAdvapi32.dll

\branch(newest)\common\json\json_value.cpp

\branch(newest)\common\json\json_reader.cpp

D.download

CMYDownloadProc::DoRequestHttpFileTimeProc Start

CMYDownloadProc::HandleDownloadFinished CFile::Rename(%s,%s)

[%d-%d-%d %d-%d-%d]: %s

%slog.txt

UNickName

\Config.ini

"%s%s" UpUserCfg %d

Mutual.exe

UData\UserNoteText.xml

Data\UserTempNoteText.xml

UData\2014JieQi.xml

Data\2013JieQi.xml

UData\2014.xml

Data\2013.xml

Mini//RiLiMini.exe RunMiNiNewsByServer

file='%s.png' corner='0,194,0,46'

file='bg%d.png' corner='0,194,0,46'

bg%d.png

file='bg%d.png' corner='600,200,1,1'

hXXp://url.wannianli365.com/?id=

taskmgr.exe

%sData/*index.html

%sVstart32.dll

ehXXp://hao.360.cn/?src=lm&ls=n174f9ef193

hXXp://

Referer:%s

width="1" height="1" clsid="{8856F961-340A-11D0-A96B-00C04FD705A2}" delaycreate="false"

/*.lnk

http\shell\open\command

CCDownloadHttp::DownloadOnce End

CDownloadHttp::DownloadOnce RequestHttpData Is FALSE

CDownloadHttp::DownloadOnce CDownloadInfo::DownloadOnce Is FALSE

CDownloadHttp::DownloadOnce CDownloadInfo::nDownloadedSize >= nWillDownloadSize Is TRUE

CDownloadHttp::DownloadOnce Start

Range: bytes=%d-%s

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

HTTP/1.1

CDownloadInfo::SaveDataToFile Start[nWriteSize:%d]

CDownloadInfo::SaveThreadDataToFile[nWillDownloadStartPos:%d][nWillDownloadSize:%d][nDownloadedSize:%d]

CDownloadInfo::RecvDataAndSaveToFile SaveDataToFile (bDownloadFinished:%d) (nTempSaveBytes is %d)

CDownloadInfo::RecvDataAndSaveToFile::Receive End(nReadSize:%d)

CDownloadInfo::RecvDataAndSaveToFile::DownloadFinished(nWillDownloadSize:%d,nRecvTotalBytes:%d)

[nWillDownloadStartPos:%d][nWillDownloadSize:%d][nDownloadedSize:%d]

DoDownloadProcedure DownloadOnce(%d)

CDownloadInfo::DoRequestPageContentProcedure DownloadOnce(%d)

%slog_%d.txt

passwordempty

passwordwrong

ui_user_login_bg

ui_user_login_button_name

ui_user_login_forget_password_name

ui_user_login_new_account_name

file='%s_EB.png' corner='0,31,0,0'

Dsmall_month_day_bar.xml

%d%.2d%.2d

Dsmall_weather_bar.xml

hXXp://statistics.haharili.com/weatherapi

file='%s.png'

%d - %.2d

ui_future_weather_tem_0%d

ui_future_weather_wind_0%d

ui_future_weather_week_0%d

ui_future_weather_wea_0%d

file='%s_.png'

ui_future_weather_pic_0%d

normalimage="file='OnSave.png' source='0,0,75,30'" hotimage="file='OnSave.png' source='75,0,150,30'" pushedimage="OnSave='OnSave.png' source='150,0,225,30'"

normalimage="file='OnSave_notext.png' source='0,0,75,30'" hotimage="file='OnSave_notext.png' source='0,0,75,30'" pushedimage="OnSave='OnSave_notext.png' source='0,0,75,30'"

Data\HuangLi.mdb

UIExpand_Official_Website

ECalendar_shrl.png

: %s.%s

%s%s /UnInstallStart

"%s" /SetLocalTime

FFXXX

SkinStyle%s

ConnectWeb

Uui_user_password_sure_button

ui_user_password_code

"%s%s" DownCfg %d

EIELock.xml

Eui_list_month.xml

EAdOnRightBottom.xml

0711 723

EUINewTip.xml

file='tongbu2.png' corner='3,3,3,3'

[0xX

WM_SYSKEYUP

WM_SYSKEYDOWN

WM_KEYUP

WM_KEYDOWN

keyboard

WebBrowserUI

WebBrowser

errorUrl

dest='%d,%d,%d,%d'

User32.dll

msimg32.dll

transshadow1

transshadow

dest='%d,%d,%d,%d' source='%d,%d,%d,%d'

msftedit.dll

M-d-d

source='%d,%d,%d,%d' dest='%d,%d,%d,%d'

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

ntdll.dll

%s%s.dll

I%s (%s:%d)

%s (%s:%d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\sockcore.cpp

Icomctl32.dll

Icomdlg32.dll

Ishell32.dll

Kf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

accKeyboardShortcut

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

@WININET.DLL

JHTTP/1.0

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

mfcm90u.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

user32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp

mscoree.dll

KERNEL32.DLL

WUSER32.DLL

0000000000

00000000000

iexplore.exe

360se.exe

360chrome.exe

chrome.exe

firefox.exe

oprea.exe

baidubrowser.exe

QQBrowser.exe

SogouExplorer.exe

Maxthon.exe

liebao.exe

2345Explorer.exe

UCBrowser.exe

TheWorld.exe

Juzi.exe

hao123Juzi.exe

115chrome.exe

Tango3.exe

TaoBrowser.exe

TTraveler.exe

cometbrowser.exe

Assertion failed: %s, file %s, line %d

%Program Files%\shanhurili\shrl.exe

WebGame

WebGame(&A)...

All Files (*.*)

No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.

#Unable to load mail system support.

1, 2, 3, 0

SearchProtocolHost.exe_2256:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

clock32.exe_2960:

.text

`.rdata

@.data

.rsrc

t'SShl

.VVVVVSRSSj

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

CCmdTarget

hhctrl.ocx

f:\sp\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

f:\sp\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

CNotSupportedException

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

mscoree.dll

kernel32.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

.mixcrt

KERNEL32.DLL

GetProcessWindowStation

USER32.DLL

operator

<!--%s-->

standalone="%s"

encoding="%s"

version="%s"

&#xX;

</%s>

%s='%s'

%s="%s"

OLEACC.dll

20150121

\Branch(newest)\Temp\Release\Clock.pdb

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

KERNEL32.dll

UnhookWindowsHookEx

GetKeyState

SetWindowsHookExW

CreateDialogIndirectParamW

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

comdlg32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExW

RegDeleteKeyW

RegEnumKeyW

RegOpenKeyW

RegCreateKeyExW

ADVAPI32.dll

SHELL32.dll

COMCTL32.dll

SHLWAPI.dll

oledlg.dll

ole32.dll

OLEAUT32.dll

WS2_32.dll

gdiplus.dll

.PAVCMemoryException@@

.PAVCException@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCUserException@@

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCArchiveException@@

.PAVCFileException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.PAVCOleDispatchException@@

zcÁ

.?AVCCmdTarget@@

.?AVCRunInstallCliockCmd@@

.?AVCNullCmd@@

12/16/13

_6.aA

2!iTXtXML:com.adobe.xmp

<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">

xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/">

<xmp:CreatorTool>Adobe Fireworks CS5 11.0.0.484 Windows</xmp:CreatorTool>

xmlns:dc="hXXp://purl.org/dc/elements/1.1/">

09/15/09

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

ntdll.dll

%s%s.dll

A%s (%s:%d)

%s (%s:%d)

Acomctl32.dll

Acomdlg32.dll

accKeyboardShortcut

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

MSWHEEL_ROLLMSG

mfcm80u.dll

user32.dll

clock.exe

gaoxin.clockframe

gaoxin.shanhurili

%sConfig.ini

gaoxin.clockdll

clock64.dll

clock32.dll

%sSrc

%s %s

advapi32.dll

OnExecuteExit

%Program Files%\shanhurili\clock32.exe

WebGame

WebGame(&A)...

All Files (*.*)

No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.

Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.

Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.

#Unable to load mail system support.

Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.

Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.

Disk full while accessing %1..An attempt was made to access %1 past its end.

No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.

1, 0, 1, 0

Clock.exe

SearchFilterHost.exe_948:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

SoftUpd.exe_2292:

.text

`.rdata

@.data

.rsrc

@.reloc

8%u3P

N@SSSh

SSShh

RSShx

SSSSh

vSSSh

s%j.Zf

FTPjK

FtPj;

C.PjRV

tGHt.Ht&

<!--%s-->

standalone="%s"

encoding="%s"

version="%s"

&#xX;

</%s>

%s='%s'

%s="%s"

monochrome

unsupported bit depth

CNotSupportedException

CHttpConnection

CHttpFile

CCmdTarget

hhctrl.ocx

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

portuguese-brazilian

operator

GetProcessWindowStation

USER32.DLL

hXXp://down.wannianli365.com/update/shanhu.xml

SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection

121.40.152.197

qudaoadmin.3lsoft.com

hXXp://xiazai.rilibiao.com.cn/update/mobilephoneassist.gif

RegDeleteKeyExW

inflate 1.1.3 Copyright 1995-1998 Mark Adler

hXXp://confignew.3lsoft.com/rili/first.html

hXXp://xiazai.rilibiao.com.cn/update/skin.gif

hXXp://xiazai.rilibiao.com.cn/xml/rldata.xml

\Branch(newest)\Bin\shanhurili\SoftUpd.pdb

KERNEL32.dll

USER32.dll

RegOpenKeyExW

RegCloseKey

RegOpenKeyExA

RegDeleteKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegCreateKeyExW

ADVAPI32.dll

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

COMCTL32.dll

UrlUnescapeW

SHLWAPI.dll

GdiplusShutdown

gdiplus.dll

IPHLPAPI.DLL

WS2_32.dll

VERSION.dll

InternetCrackUrlW

InternetCanonicalizeUrlW

HttpQueryInfoW

HttpSendRequestW

HttpOpenRequestW

WININET.dll

OLEACC.dll

GetCPInfo

GetConsoleOutputCP

GetProcessHeap

GetKeyState

UnhookWindowsHookEx

SetWindowsHookExW

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

WINSPOOL.DRV

COMDLG32.dll

SoftUpd.exe

??0CWebBrowserUI@DuiLib@@QAE@ABV01@@Z

??0CWebBrowserUI@DuiLib@@QAE@XZ

??1CWebBrowserUI@DuiLib@@UAE@XZ

??4CWebBrowserUI@DuiLib@@QAEAAV01@ABV01@@Z

??_7CWebBrowserUI@DuiLib@@6BCControlUI@1@@

??_7CWebBrowserUI@DuiLib@@6BIDispatch@@@

??_7CWebBrowserUI@DuiLib@@6BIDocHostUIHandler@@@

??_7CWebBrowserUI@DuiLib@@6BIMessageFilterUI@1@@

??_7CWebBrowserUI@DuiLib@@6BIOleCommandTarget@@@

??_7CWebBrowserUI@DuiLib@@6BIServiceProvider@@@

??_7CWebBrowserUI@DuiLib@@6BITranslateAccelerator@1@@

?AddRef@CWebBrowserUI@DuiLib@@UAGKXZ

?BeforeNavigate2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@1111AAPAF@Z

?CommandStateChange@CWebBrowserUI@DuiLib@@IAEXJF@Z

?DUI__TraceMsg@DuiLib@@YAPB_WI@Z

?DoCreateControl@CWebBrowserUI@DuiLib@@UAE_NXZ

?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z

?EnableModeless@CWebBrowserUI@DuiLib@@UAGJH@Z

?Exec@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KKPAUtagVARIANT@@1@Z

?FilterDataObject@CWebBrowserUI@DuiLib@@UAGJPAUIDataObject@@PAPAU3@@Z

?FindId@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_W@Z

?GetAutoURLDetect@CRichEditUI@DuiLib@@QBE_NXZ

?GetClass@CWebBrowserUI@DuiLib@@UBEPB_WXZ

?GetDropTarget@CWebBrowserUI@DuiLib@@UAGJPAUIDropTarget@@PAPAU3@@Z

?GetExternal@CWebBrowserUI@DuiLib@@UAGJPAPAUIDispatch@@@Z

?GetHomePage@CWebBrowserUI@DuiLib@@QAEPB_WXZ

?GetHostInfo@CWebBrowserUI@DuiLib@@UAGJPAU_DOCHOSTUIINFO@@@Z

?GetHtmlWindow@CWebBrowserUI@DuiLib@@QAEPAUIDispatch@@XZ

?GetIDsOfNames@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPA_WIKPAJ@Z

?GetInterface@CWebBrowserUI@DuiLib@@UAEPAXPB_W@Z

?GetMessageMap@CNotifyPump@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ

?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ

?GetOptionKeyPath@CWebBrowserUI@DuiLib@@UAGJPAPA_WK@Z

?GetPasswordChar@CEditUI@DuiLib@@QBE_WXZ

?GetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z

?GetTransShadow1@CLabelUI@DuiLib@@QAEHXZ

?GetTransShadow@CLabelUI@DuiLib@@QAEHXZ

?GetTypeInfo@CWebBrowserUI@DuiLib@@UAGJIKPAPAUITypeInfo@@@Z

?GetTypeInfoCount@CWebBrowserUI@DuiLib@@UAGJPAI@Z

?GetWebBrowser2@CWebBrowserUI@DuiLib@@QAEPAUIWebBrowser2@@XZ

?GetWindowStyls@CEditUI@DuiLib@@QBEHXZ

?GoBack@CWebBrowserUI@DuiLib@@QAEXXZ

?GoForward@CWebBrowserUI@DuiLib@@QAEXXZ

?HideUI@CWebBrowserUI@DuiLib@@UAGJXZ

?Invoke@CWebBrowserUI@DuiLib@@UAGJJABU_GUID@@KGPAUtagDISPPARAMS@@PAUtagVARIANT@@PAUtagEXCEPINFO@@PAI@Z

?InvokeMethod@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@2H@Z

?IsAutoNavigation@CWebBrowserUI@DuiLib@@QAE_NXZ

?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ

?IsPasswordMode@CEditUI@DuiLib@@QBE_NXZ

?IsShowHtml@CLabelUI@DuiLib@@QAE_NXZ

?IsShowHtml@CListHeaderItemUI@DuiLib@@QAE_NXZ

?IsShowUpdateRect@CPaintManagerUI@DuiLib@@QBE_NXZ

?Join@CDuiRect@DuiLib@@QAEXABUtagRECT@@@Z

?Navigate2@CWebBrowserUI@DuiLib@@QAEXPB_WPAUtagVARIANT@@@Z

?NavigateComplete2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@@Z

?NavigateError@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@11AAPAF@Z

?NavigateHomePage@CWebBrowserUI@DuiLib@@QAEXXZ

?NavigateUrl@CWebBrowserUI@DuiLib@@QAEXPB_W@Z

?NewWindow3@CWebBrowserUI@DuiLib@@IAEXPAPAUIDispatch@@AAPAFKPA_W2@Z

?OnDocWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z

?OnDocumentCompleted@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@PAUtagVARIANT@@@Z

?OnFrameWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z

?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z

?ProgressChange@CWebBrowserUI@DuiLib@@IAEXJJ@Z

?QueryInterface@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPAX@Z

?QueryService@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@0PAPAX@Z

?QueryStatus@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KQAU_tagOLECMD@@PAU_tagOLECMDTEXT@@@Z

?Refresh2@CWebBrowserUI@DuiLib@@QAEXH@Z

?Refresh@CWebBrowserUI@DuiLib@@QAEXXZ

?RegisterEventHandler@CWebBrowserUI@DuiLib@@IAEJH@Z

?Release@CWebBrowserUI@DuiLib@@UAGKXZ

?ReleaseControl@CWebBrowserUI@DuiLib@@MAEXXZ

?ResizeBorder@CWebBrowserUI@DuiLib@@UAGJPBUtagRECT@@PAUIOleInPlaceUIWindow@@H@Z

?ResponseDefaultKeyEvent@WindowImplBase@DuiLib@@IAEJI@Z

?SetAttribute@CWebBrowserUI@DuiLib@@MAEXPB_W0@Z

?SetAutoNavigation@CWebBrowserUI@DuiLib@@QAEX_N@Z

?SetAutoURLDetect@CRichEditUI@DuiLib@@QAE_N_N@Z

?SetHomePage@CWebBrowserUI@DuiLib@@QAEXPB_W@Z

?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z

?SetPasswordChar@CEditUI@DuiLib@@QAEX_W@Z

?SetPasswordMode@CEditUI@DuiLib@@QAEX_N@Z

?SetProperty@CWebBrowserUI@DuiLib@@SAJPAUIDispatch@@PA_WPAUtagVARIANT@@@Z

?SetTransShadow1@CLabelUI@DuiLib@@QAEXH@Z

?SetTransShadow@CLabelUI@DuiLib@@QAEXH@Z

?SetWebBrowserEventHandler@CWebBrowserUI@DuiLib@@QAEXPAVCWebBrowserEventHandler@2@@Z

?ShowContextMenu@CWebBrowserUI@DuiLib@@UAGJKPAUtagPOINT@@PAUIUnknown@@PAUIDispatch@@@Z

?ShowUI@CWebBrowserUI@DuiLib@@UAGJKPAUIOleInPlaceActiveObject@@PAUIOleCommandTarget@@PAUIOleInPlaceFrame@@PAUIOleInPlaceUIWindow@@@Z

?TranslateAcceleratorW@CPaintManagerUI@DuiLib@@QAE_NPAUtagMSG@@@Z

?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAEJPAUtagMSG@@@Z

?TranslateAcceleratorW@CWebBrowserUI@DuiLib@@UAGJPAUtagMSG@@PBU_GUID@@K@Z

?TranslateMessage@CPaintManagerUI@DuiLib@@SA_NQAUtagMSG@@@Z

?TranslateUrl@CWebBrowserUI@DuiLib@@UAGJKPA_WPAPA_W@Z

?UpdateUI@CWebBrowserUI@DuiLib@@UAGJXZ

?_GetBaseMessageMap@CNotifyPump@DuiLib@@KGPBUDUI_MSGMAP@2@XZ

?_GetBaseMessageMap@WindowImplBase@DuiLib@@KGPBUDUI_MSGMAP@2@XZ

?_messageEntries@CNotifyPump@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B

?_messageEntries@WindowImplBase@DuiLib@@0QBUDUI_MSGMAP_ENTRY@2@B

?messageMap@CNotifyPump@DuiLib@@1UDUI_MSGMAP@2@B

?messageMap@WindowImplBase@DuiLib@@1UDUI_MSGMAP@2@B

.?AVCWebBrowserUI@DuiLib@@

.?AVCActiveXEnum@DuiLib@@

#*1892 $

%,3:;4-&

.PAVCOleException@@

.PAVCObject@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.PAVCInternetException@@

.?AVCHttpConnection@@

.?AVCHttpFile@@

.PAVCArchiveException@@

.?AVCCmdTarget@@

.PAVCFileException@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

zcÁ

%,%@%>%.%

%/%0%1%#%2%3%

%-% %"%?%

%4%H%F%6%&%7%8%9% %:%;%

%$%'%5%(%*%G%%%E%)%D%

.PAVCException@@

progress_fore.png

ShowBind.xml

ui_bind_frame.xml

ui_hide_bind.xml]P

ui_show_bind.xml

UIPrompt.xml

.xmlup

jo.QH

CRT_5

check2.png

check3.png

close.png

Font.xml

HideBind.xml

huojian.png

.rvmQ

logo.png

main_button.png

main_frame.xml

jF\%SYn#c

.nZ\y

main_frameN.xml

minmize.png

ui_hide_bind.xml

.xmlPK

Ge.EKb

t.Me*

{jD`%F

b.xH#

.Fxy1D

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

<%<*</<5<

9 9$9(9,9094989

< <$<(<,<0<

5 5(50585@5064686<6

1 1$1(1,1014181<1@1

3,383\3|3

3 4@4`4|4

transshadow1

transshadow

keyboard

User32.dll

msimg32.dll

dest='%d,%d,%d,%d'

0xX

WM_SYSKEYUP

WM_SYSKEYDOWN

WM_KEYUP

WM_KEYDOWN

password

dest='%d,%d,%d,%d' source='%d,%d,%d,%d'

msftedit.dll

M-d-d

WebBrowserUI

WebBrowser

errorUrl

source='%d,%d,%d,%d' dest='%d,%d,%d,%d'

hXXp://

WININET.DLL

HTTP/1.0

%s (%s:%d)

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

comctl32.dll

comdlg32.dll

shell32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

accKeyboardShortcut

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

commctrl_DragListMsg

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl

mscoree.dll

KERNEL32.DLL

kernel32.dll

guangsu_website4

guangsu_website

SoftApp.ini

%sSoftApp.ini

normalimage="file='check2.png' source='0,0,13,13'" selectedimage="file='check2.png' source='0,13,13,26'"

normalimage="file='check2.png' source='26,0,39,13'" selectedimage="file='check2.png' source='26,13,39,26'"

normalimage="file='check2.png' source='39,0,52,13'" selectedimage="file='check2.png' source='39,13,52,26'"

normalimage="file='check2.png' source='13,0,26,13'" selectedimage="file='check2.png' source='13,13,26,26'"

%s.%s

"%s" /S /D=%s

Ver%s.%s

Ver%s

update.xml

%sVstart32.dll

hXXp://hao.360.cn/?src=lm&ls=n174f9ef193

name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check2.png' source='0,0,13,13'" selectedimage="file='check2.png' source='0,13,13,26'"

name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check2.png' source='26,0,39,13'" selectedimage="file='check2.png' source='26,13,39,26'"

name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check2.png' source='39,0,52,13'" selectedimage="file='check2.png' source='39,13,52,26'"

name="bind_data_checkbox" float="true" pos="0,3" width="13" height="13" selected="true" normalimage="file='check2.png' source='13,0,26,13'" selectedimage="file='check2.png' source='13,13,26,26'"

hXXp://downcdn1.shgaoxin.net/shichangbu/xyb/tuijian_tj.html

\uninstall.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

Riched20.dll

IosMobilePhoneAssist.exe

mobilephoneassist.zip

Advapi32.dll

%sConfig.ini

lRiliFirstBindData.ini

gaoxin.shanhurili

RiliSkin.zip

skin.zip

RiliDingTui.xml

lTempRiLiData.zip

%s%s%s

0000000000

00000000000

%Program Files%\shanhurili\WBUpdSkin\

%Program Files%\shanhurili\SoftUpd.exe

1, 2, 2, 0

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   shanhu.exe:3088
   %original file name%.exe:1504
   SoftUpd.exe:2292
   clock32.exe:2960
   Power.exe:544
   shrl.exe:3012
   shrl.exe:3700
   shrl.exe:1844

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\shanhurili\Data\2013.xml (1 bytes)
   %Program Files%\shanhurili\Vstart64.dll (12088 bytes)
   %Program Files%\shanhurili\shrl.exe (108732 bytes)
   %Program Files%\shanhurili\mini\RiliPlugin.dll (68229 bytes)
   %Program Files%\shanhurili\mini\DuiLib32.dll (27504 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsgE9E3.tmp (398927 bytes)
   %Program Files%\shanhurili\Data\2013JieQi.xml (1 bytes)
   %Program Files%\shanhurili\clock32.exe (25776 bytes)
   %Program Files%\shanhurili\online_c.html (505 bytes)
   %Program Files%\shanhurili\uninst.exe (8560 bytes)
   %Program Files%\shanhurili\mini\RiliMini.exe (15168 bytes)
   %Program Files%\shanhurili\Vstart32.dll (2392 bytes)
   %Program Files%\shanhurili\Data\UserNoteText.xml (132 bytes)
   %Program Files%\shanhurili\Clock64.dll (10136 bytes)
   %Program Files%\shanhurili\Clock32.dll (8184 bytes)
   %Program Files%\shanhurili\DuiLib32.dll (15536 bytes)
   %Program Files%\shanhurili\Data\2014JieQi.xml (1 bytes)
   %Program Files%\shanhurili\Data\HuangLi.mdb (230044 bytes)
   %Program Files%\shanhurili\Power.exe (8560 bytes)
   %Program Files%\shanhurili\SoftApp.ini (172 bytes)
   %Program Files%\shanhurili\SoftUpd.exe (29256 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsgE9E4.tmp\System.dll (23 bytes)
   %Program Files%\shanhurili\clock64.exe (32784 bytes)
   %Program Files%\shanhurili\Vstart64.exe (15 bytes)
   %Program Files%\shanhurili\Data\index.html (942 bytes)
   %Program Files%\shanhurili\Data\2014.xml (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\update.xml (251 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ver[1].xml (432 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\shanhu[1].xml (251 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\shanhu.exe (246 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ver.xml (432 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\shanhu[1].gif (2287525 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\shanhu.gif (2324213 bytes)
   %Program Files%\shanhurili\Config.ini (34 bytes)
   %Program Files%\shanhurili\官方网站.url (208 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\珊瑚日历\官方网站.url (208 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\珊瑚日历\在线升级.lnk (934 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\珊瑚日历\卸载珊瑚日历.lnk (929 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\珊瑚日历\珊瑚日历.lnk (917 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].htm (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\UEF8VFST.txt (143 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\core[1].js (763 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TempRilibiao.xml (972 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\all_active[1].htm (107 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\MRT6UDH9.txt (94 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\switch_config[1].xml (972 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\InfoOnServerConf.xml (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2LLHQZ9Q.txt (92 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\shanhu[2].xml (251 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\app[1].gif (43 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\info_configex[1].xml (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\service_log.txt (154 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\7UG6M58V.txt (130 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\z_stat[1].js (2473 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "rlbRunByWindowsStart" = "%Program Files%\shanhurili\shrl.exe RunDateByStartAuto"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.