Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7ca92dfc2a2bdf53e79c2dc53d46985b
SHA1: 6b1d18e146b51fdaeceaddc8bcc9d4947995c2e0
SHA256: 4bdd959c2212e91b976c22713f7976ad9ba8d720233b7cdc711ee0c3c8ebc851
SSDeep: 98304:E9BV5D6WD8pe80B8YNuWp7FXGLGMfLeKxmm4adMw7NRcHSQCPxjvLLLLLLLLLLL :IVEWQpr2F2L9L2ae8FPx
Size: 9486336 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2013-01-21 07:28:32
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
WMIADAP.EXE:1568
GetOS.dll:1376
The Trojan injects its code into the following process(es):
%original file name%.exe:800
File activity
The process WMIADAP.EXE:1568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\PerfStringBackup.INI (3361 bytes)
%System%\wbem\Performance\WmiApRpl_new.ini (10 bytes)
%System%\perfc009.dat (151 bytes)
%System%\perfh009.dat (3509 bytes)
%System%\PerfStringBackup.TMP (1471032 bytes)
The Trojan deletes the following file(s):
%System%\wbem\Performance\WmiApRpl.ini (0 bytes)
%System%\PerfStringBackup.TMP (0 bytes)
The process %original file name%.exe:800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4922a.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492f7.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49480.tmp (3361 bytes)
C:\GetOS.dll (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492a8.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49431.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\494bf.tmp (1425 bytes)
%System%\fayasys.sys (32 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\4922a.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492f7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49480.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492a8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49431.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\494bf.tmp (0 bytes)
Registry activity
The process WMIADAP.EXE:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%\DRIVERS]
"ACPI.sys[ACPIMOFResource]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"
"intelppm.sys[PROCESSORWMI]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"
[HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance]
"Performance Refresh" = "0"
[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%\DRIVERS]
"HTTP.sys[UlMofResource]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"
[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%]
"advapi32.dll[MofResourceName]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"
[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%\DRIVERS]
"ipnat.sys[IPNATMofResource]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Updating" = "WmiApRpl"
[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"First Help" = "3675"
"Last Counter" = "3702"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Last Help" = "3673"
[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE\%System%\DRIVERS]
"mssmbios.sys[MofResource]" = "LowDateTime:904845312,HighDateTime:29924928***Binary mof compiled successfully"
[HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance]
"Performance Data" = "60 04 00 00 02 00 00 00 00 00 00 00 10 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Last Counter" = "3672"
[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"Last Help" = "3703"
"First Counter" = "3674"
"Object List" = "3674 3680 3696"
[HKLM\SOFTWARE\Microsoft\WBEM\PROVIDERS\Performance]
"Performance Refreshed" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\WBEM\WDM\DREDGE]
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"Disable Performance Counters"
"Library Validation Code"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib]
"Updating"
[HKLM\System\CurrentControlSet\Services\WmiApRpl\Performance]
"First Help"
"Last Counter"
"Last Help"
"First Counter"
"Object List"
The process GetOS.dll:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 6B DF 69 55 BA 5B DB 6F E2 0D 79 F0 D1 79 C9"
[HKLM]
"OS" = "XP"
The process %original file name%.exe:800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 9E 0D F2 50 35 FF 31 02 AC 6B 9D FD 31 74 4A"
[HKLM]
"fb" = "fy"
"lujing" = "c:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
Dropped PE files
MD5 | File path |
---|---|
45b8b90724475331d294d2a44b4180fe | c:\GetOS.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\fayasys.sys" the Trojan controls creation and closing of processes by installing the process notifier.
The Trojan installs the following kernel-mode hooks:
ZwDeviceIoControlFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WMIADAP.EXE:1568
GetOS.dll:1376
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\PerfStringBackup.INI (3361 bytes)
%System%\wbem\Performance\WmiApRpl_new.ini (10 bytes)
%System%\perfc009.dat (151 bytes)
%System%\perfh009.dat (3509 bytes)
%System%\PerfStringBackup.TMP (1471032 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4922a.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492f7.tmp (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49480.tmp (3361 bytes)
C:\GetOS.dll (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\492a8.tmp (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49431.tmp (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\494bf.tmp (1425 bytes)
%System%\fayasys.sys (32 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1216290 | 1216512 | 4.45287 | f47f649b866b87e2397e76f59d5fd4d2 |
.rdata | 1220608 | 8129576 | 8130560 | 4.74923 | d60df483b84923986bbf34a165621efe |
.data | 9351168 | 416106 | 90112 | 3.63693 | 5302b97a807367e52a10e1e0ef6cd359 |
.rsrc | 9768960 | 41886 | 45056 | 3.53013 | 0f0dd4d56db4a299579f6a4c18590e5e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://feeds.qzone.qq.com/cgi-bin/cgi_rss_out?uin=150166555 | 58.250.135.157 |
hxxp://feeds.qzone.qq.com/cgi-bin/cgi_rss_out?uin=156839889 | 58.250.135.157 |
img8.ph.126.net | 209.170.78.73 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /cgi-bin/cgi_rss_out?uin=150166555 HTTP/1.1
User-Agent: ObjGameData
Host: feeds.qzone.qq.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Connection: close
Server: QZHTTP-2.38.18
Date: Fri, 09 May 2014 14:55:25 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 590
<?xml version="1.0" encoding="utf-8"?>..<?xml-stylesheet type="text/xsl" href="hXXp://feeds.qzone.qq.com/rss.xsl" version="1.0"?>..<rss version="2.0" xmlns:qz="hXXp://qzone.qq.com">..<channel>..<title><![CDATA[150166555]]></title>..<description><![CDATA[150166555]]></description>..<link>hXXp://150166555.qzone.qq.com</link>..<lastBuildDate>Fri, 09 May 2014 14:55:25 GMT</lastBuildDate>..<generator>Qzone</generator>..<language>zh-cn</language>..<copyright>Copyright (C), 2005-2013, Tencent Tech. Co., Ltd.</copyright>..<pubDate>Fri, 09 May 2014 14:55:25 GMT</pubDate>..</channel>..</rss>..
GET /cgi-bin/cgi_rss_out?uin=156839889 HTTP/1.1
User-Agent: ObjGameData
Host: feeds.qzone.qq.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Connection: close
Server: QZHTTP-2.38.18
Date: Fri, 09 May 2014 14:55:30 GMT
Content-Type: text/xml; charset=utf-8
Content-Length: 2828
<?xml version="1.0" encoding="utf-8"?>..<?xml-stylesheet type="text/xsl" href="hXXp://feeds.qzone.qq.com/rss.xsl" version="1.0"?>..<rss version="2.0" xmlns:qz="hXXp://qzone.qq.com">..<channel>..<title><![CDATA[Speed]]></title>..<description><![CDATA[Asm.........]]></description>..<link>hXXp://156839889.qzone.qq.com</link>..<lastBuildDate>Fri, 09 May 2014 14:55:30 GMT</lastBuildDate>..<generator>Qzone</generator>..<language>zh-cn</language>..<copyright>Copyright (C), 2005-2013, Tencent Tech. Co., Ltd.</copyright>..<pubDate>Fri, 25 Jan 2013 11:07:42 GMT</pubDate>..<item>..<title><![CDATA[......OK]]></title>..<link>hXXp://user.qzone.qq.com/156839889/blog/1359112062</link>..<description><![CDATA[******687474703A2F2F696D67382E70682E3132362E6E65742F776B4334574D4953794D56315F506B546F514E696F773D3D2F363539373730393638323432343333323336382E6A7067 ...]]></description>..<category><![CDATA[............]]></category>..<author><![CDATA[156839889@qq.com(Speed)]]></author>..<comments>hXXp://user.qzone.qq.com/156839889/blog/1359112062#comment</comments>..<qz:effect>8389120</qz:effect>..<pubDate>Fri, 25 Jan 2013 11:07:42 GMT</pubDate>..<guid>hXXp://user.qzone.qq.com/156839889/blog/1359112062</guid>..</item>..<item>..<title><![CDATA[123]]&
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_800:
2000</pre><pre>Windows NT</pre><pre>Windows ??</pre><pre>Windows Millenium Edition</pre><pre>Windows 98 Second Edition</pre><pre>Windows 98 SP1</pre><pre>Windows 98</pre><pre>Windows 95 OSR2</pre><pre>Windows 95 SP1</pre><pre>Windows 95</pre><pre>Windows CE</pre><pre>Microsoft Windows Me</pre><pre>Microsoft Windows 98</pre><pre>Microsoft Windows 95</pre><pre>Microsoft Windows 2003</pre><pre>Microsoft Windows XP</pre><pre>Microsoft Windows 2000</pre><pre>Microsoft Windows NT</pre><pre>1.1.3</pre><pre>;3 #>6.&</pre><pre>'2, / 0&7!4-)1#</pre><pre>(*.htm;*.html)|*.htm;*.html</pre><pre>.PAVCOleException@@</pre><pre>.PAVCOleDispatchException@@</pre><pre>2dfc2a2bdf53e79c2dc53d46985b.exe</pre><pre>c:\%original file name%.exe</pre><pre><requestedExecutionLevel level="requireAdministrator" /></pre><pre>1.0.0.0</pre><pre>(http://www.eyuyan.com)</pre><pre>(*.*)</pre><pre>\DosDevices\%System%\drivers\etc\hosts</pre><pre>http://helpbbs.xunlei.com/thread.php?fid=189</pre><pre>2003-2010</pre><pre>.td.cfg</pre><pre>http://thunderplatform.xunlei.com</pre><pre>%s_%d</pre><pre>http://www.xunlei.com</pre><pre>http://down.sandai.net/thunder7/ThunderPlatform.exe</pre><pre>(123448)</pre><pre>http://interface.thunderplatform.xunlei.com/img/UpdateAdvertise.cab</pre><pre>version.txt</pre><pre>download_interface.dll</pre><pre>DownloadServerNeedFileList.dat</pre><pre>HKEY_CURRENT_CONFIG</pre><pre>HKEY_DYN_DATA</pre><pre>HKEY_PERFORMANCE_DATA</pre><pre>HKEY_USERS</pre><pre>HKEY_LOCAL_MACHINE</pre><pre>HKEY_CURRENT_USER</pre><pre>HKEY_CLASSES_ROOT</pre><pre>asyn_tcp_socket</pre><pre>\/*:?"<>|</pre><pre>1, 2, 1, 0</pre><pre>!"#$%&'()* ,-./0123456789:;<=>?@</pre><pre>For more information visit http://www.zlib.net/</pre></Fs0%f></pre></T></pre></t7w></pre></B%S></pre></pre></pre></pre>