Trojan.Win32.Delphi_079f56ead4 – Adaware

Trojan-Dropper.Win32.Agent.bjw (Kaspersky), Backdoor.Hupigon.64371 (B) (Emsisoft), Backdoor.Hupigon.64371 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Backdoor, VirTool

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 079f56ead49c756a3b3252c448b9ffd5

SHA1: 591dc67706272cc3301c19bb96b10d22e6cf5573

SHA256: f75b415a68f6d0b292a9f7f2a77bbdb5ca23a78bffac69665a42a7fbe57577e1

SSDeep: 24576:mKsoFg9ZYBcIZld7XgcTmFZO6mYeVfuS/t04u1:IoFdcm8O/hnF03

Size: 846257 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: PECompactV2X, PECompactv20, UPolyXv05_v6

Company: Plus HD

Created at: 1992-06-20 01:22:17

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

soft256.exe:2724
cnnic_1009.exe:2892
m4.exe:2840
update.exe:3408
setup.exe:2200
setup.exe:3476
setup.exe:3264
%original file name%.exe:1712
idnsvr.exe:4052

The Trojan injects its code into the following process(es):

svchost.exe:1992

File activity

The process soft256.exe:2724 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\e1JePg78g.dll (33 bytes)

The process cnnic_1009.exe:2892 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\setup.exe (12214 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)

The process m4.exe:2840 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\MP3\svchost.exe (1281 bytes)

The process update.exe:3408 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\version.dat (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\uninstall.exe (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\srchsp.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\path.dat (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.exe (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.dat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\convf.dll (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\austr.dll (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnrbtn.html (486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.sys (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cuscfg.dat (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ocinfo.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ieaux.dll (172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnreg.dll (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwrep.dat (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.ini (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (0 bytes)

The process setup.exe:2200 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\OCINS\convf.dll (1281 bytes)
%Program Files%\OCINS\replace.dat (343 bytes)
%Program Files%\OCINS\kwacs.dat (16 bytes)
%System%\drivers\cnprov.sys (673 bytes)
%Program Files%\OCINS\cuscfg.dat (145 bytes)
%Program Files%\OCINS\ctrcfg.ini (230 bytes)
%Program Files%\OCINS\cnrbtn.html (486 bytes)
%System%\drivers\idnaux.sys (10 bytes)
%Program Files%\OCINS\version.dat (482 bytes)
%Program Files%\OCINS\kwrep.dat (191 bytes)
%Program Files%\OCINS\idnaux.dat (39 bytes)
%Program Files%\OCINS\uninstall.exe (673 bytes)
%Program Files%\OCINS\srchsp.dll (32 bytes)
%Program Files%\OCINS\ieaux.dll (673 bytes)
%System%\cnprov.dat (1 bytes)
%Program Files%\OCINS\cnstc.ini (1 bytes)
%WinDir%\ocinfo.dat (8 bytes)
%System%\idnreg.dll (36 bytes)
%Program Files%\OCINS\addrmsg.dll (601 bytes)
%Program Files%\OCINS\addrmsg.ini (6 bytes)

The process setup.exe:3476 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\OCINS\cnprovh.dll (601 bytes)
%Program Files%\OCINS\convs.dll (601 bytes)
%Program Files%\OCINS\cndsv.dll (601 bytes)
%Program Files%\OCINS\config.exe (601 bytes)
%Program Files%\OCINS\cuscfg.dat (148 bytes)
%Program Files%\OCINS\ctrcfg.ini (2949 bytes)
%System%\cnprov.dat (1 bytes)
%Program Files%\OCINS\kwacs.dat (16 bytes)
%System%\drivers\cnprov.sys (673 bytes)
%Program Files%\OCINS\idnsvr.exe (601 bytes)
%Program Files%\OCINS\version.dat (479 bytes)
%Program Files%\OCINS\idnsvr.dll (601 bytes)
%Program Files%\OCINS\uninstall.exe (673 bytes)
%Program Files%\OCINS\ieaux.dll (673 bytes)
%Program Files%\OCINS\usrcfg.ini (21 bytes)
%Program Files%\OCINS\cnstc.ini (1 bytes)

The process setup.exe:3264 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.exe (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\ieaux.dll (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\version.dat (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.sys (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnreg.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\uninstall.exe (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\path.dat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\convs.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\loader.exe (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cuscfg.dat (148 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)

The process %original file name%.exe:1712 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process idnsvr.exe:4052 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\OCINS\update\version.dat (482 bytes)
%Program Files%\OCINS\ctrcfg.ini (4 bytes)
%Program Files%\OCINS\austr.dll (65 bytes)
%Program Files%\OCINS\update\data2.cab (9696 bytes)
%Program Files%\OCINS\update\update.exe (273697 bytes)
%Program Files%\OCINS\update\austr.dll (1568 bytes)
%Program Files%\OCINS\usrcfg.ini (130 bytes)

Registry activity

The process soft256.exe:2724 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 6A BD 7E 02 BF AD 37 FC 88 F7 6F 47 B3 F0 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process cnnic_1009.exe:2892 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 FC 7A E9 19 9A 0B 73 CD 3F F6 01 BC D3 68 3D"

[HKLM\SOFTWARE\kmedia\cnnic]
"1.0" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"setup.exe" = "ÃƒÂ¥Ã¢â‚¬ÂºÃ‚Â½ÃƒÂ©Ã¢â€žÂ¢Ã¢â‚¬Â¦ÃƒÂ¥Ã…â€™Ã¢â‚¬â€œÃƒÂ¥Ã…Â¸Ã…Â¸ÃƒÂ¥Ã‚ÂÃ‚ÂÃƒÂ¦Ã¢â‚¬ÂÃ‚Â¯ÃƒÂ¦Ã…â€™Ã‚Â"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process m4.exe:2840 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 32 64 65 C7 93 9C 01 27 E3 B3 E7 E3 4E 94 5F"

The process update.exe:3408 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F F0 AD 61 62 B6 59 56 4D 15 69 3D E1 82 EA FD"

The process setup.exe:2200 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\OCINS]
"Version" = "2.6.0.42"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\idnaux]
"ErrorControl" = "1"
"ImagePath" = "system32\drivers\idnaux.sys"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"HotIcon" = "%Program Files%\OCINS\config.exe,216"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"Default Visible" = "Yes"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"(Default)" = "C:\PROGRA~1\OCINS\ieaux.dll"

[HKCR\Idnreg.IdnObj.1]
"(Default)" = "IdnObj Class"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID]
"(Default)" = "IEAux.IEHlprObj.1"

[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0\0\win32]
"(Default)" = "%System%\idnreg.dll"

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\TypeLib]
"Version" = "1.0"

[HKCR\Idnreg.IdnObj.1\CLSID]
"(Default)" = "{61DB8FBD-B64B-401E-BDA7-F36E44180805}"

[HKCR\IEAux.IEHlprObj\CurVer]
"(Default)" = "IEAux.IEHlprObj.1"

[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0\HELPDIR]
"(Default)" = "%System%\"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Access Internet Keyword]
"(Default)" = "%Program Files%\OCINS\cnrbtn.html"

[HKLM\System\CurrentControlSet\Services\cnprov]
"Group" = "Boot System Extenders"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A578C98-3C2F-4630-890B-FC04196EF420}]
"Compatibility Flags" = "1024"

[HKLM\System\CurrentControlSet\Services\idnaux]
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"CLSID" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

[HKLM\System\CurrentControlSet\Services\idnaux\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"

[HKCR\Idnreg.IdnObj]
"(Default)" = "IdnObj Class"

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}]
"(Default)" = "IIdnObj"

[HKLM\System\CurrentControlSet\Services\idnaux]
"DescriptionName" = "idnaux"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"MenuStatusBar" = "Chinese Navigation"
"MenuText" = "Chinese Navigation"

[HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Access Internet Keyword]
"Contexts" = "127"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"DisplayName" = "Chinese Navigation"

[HKLM\System\CurrentControlSet\Services\idnaux]
"DependOnService" = "Tcpip"

[HKCR\IEAux.IEHlprObj.1]
"(Default)" = "IEAux Class"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}]
"(Default)" = "IEAux Class"

[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0]
"(Default)" = "idnreg 1.0 Type Library"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"exec" = "%Program Files%\OCINS\config.exe"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\VersionIndependentProgID]
"(Default)" = "Idnreg.IdnObj"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID]
"(Default)" = "IEAux.IEHlprObj"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\TypeLib]
"(Default)" = "{72584095-B0B2-4058-8CDC-6AE69F8B199B}"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}]
"(Default)" = "CNNIC_IDN"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\idnaux]
"DisplayName" = "idnaux"

[HKCR\IEAux.IEHlprObj.1\CLSID]
"(Default)" = "{7605CC7C-00FD-4A5F-BAFD-828342DE6279}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Flags" = "1"

[HKLM\System\CurrentControlSet\Services\cnprov]
"DescriptionName" = "cnprov"

[HKLM\System\CurrentControlSet\Services\cnprov\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"

[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\TypeLib]
"(Default)" = "{72584095-B0B2-4058-8CDC-6AE69F8B199B}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"ButtonText" = "Chinese Navigation"

[HKLM\System\CurrentControlSet\Services\cnprov]
"ErrorControl" = "1"

[HKLM\System\CurrentControlSet\Services\idnaux]
"Group" = "PNP_TDI"

[HKLM\System\CurrentControlSet\Services\cnprov]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 B5 88 65 78 1A 57 62 B3 A9 DB D6 52 6D B3 41"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\ProgID]
"(Default)" = "Idnreg.IdnObj.1"

[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot System Extenders, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"

[HKLM\System\CurrentControlSet\Services\cnprov]
"DisplayName" = "cnprov"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"UninstallString" = "%Program Files%\OCINS\uninstall.exe"

[HKCR\Idnreg.IdnObj\CurVer]
"(Default)" = "Idnreg.IdnObj.1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"Icon" = "%Program Files%\OCINS\config.exe,216"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Version" = "*"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "@\??\%System%\@c:\windows\system32\setup.exe.tmp, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3\idnsvr.exe, !\??\%Program Files%\OCINS\idnsvr.exe"

[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Idnreg.IdnObj\CLSID]
"(Default)" = "{61DB8FBD-B64B-401E-BDA7-F36E44180805}"

[HKCR\IEAux.IEHlprObj]
"(Default)" = "IEAux Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\Cdfs]
"SystemRoot" = "%WinDir%"

[HKLM\System\CurrentControlSet\Services\cnprov]
"ImagePath" = "system32\drivers\cnprov.sys"

[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\InprocServer32]
"(Default)" = "%System%\idnreg.dll"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\cnprov]
"Start" = "0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\idnaux]
"Start" = "2"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\Programmable]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\cnprov]
"InstallPath"
"DeleteFlag"

[HKCU\Console]
"KwUnSelf"

[HKLM\System\CurrentControlSet\Services\cnprov]
"SystemRoot"

[HKLM\System\CurrentControlSet\Services\idnaux]
"DeleteFlag"

The process setup.exe:3476 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\OCINS]
"Version" = "2.6.0.0"

[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot System Extenders, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0\win32]
"(Default)" = "C:\PROGRA~1\OCINS\ieaux.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"HotIcon" = "%Program Files%\OCINS\config.exe,216"
"Default Visible" = "Yes"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"(Default)" = "C:\PROGRA~1\OCINS\ieaux.dll"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\System\CurrentControlSet\Services\Cdfs]
"SystemRoot" = "%WinDir%"

[HKCR\IEAux.IEHlprObj\CurVer]
"(Default)" = "IEAux.IEHlprObj.1"

[HKLM\System\CurrentControlSet\Services\cnprov]
"ImagePath" = "system32\drivers\cnprov.sys"
"Group" = "Boot System Extenders"

[HKLM\SOFTWARE\OCINS]
"InstallPath" = "%Program Files%\OCINS"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"ButtonText" = "Chinese Navigation"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0]
"(Default)" = "IEAux 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"CLSID" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"UninstallString" = "%Program Files%\OCINS\uninstall.exe"

[HKLM\System\CurrentControlSet\Services\cnprov\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"MenuStatusBar" = "Chinese Navigation"
"MenuText" = "Chinese Navigation"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"DisplayName" = "Chinese Navigation2.6.0.0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A578C98-3C2F-4630-890B-FC04196EF420}]
"Compatibility Flags" = "1024"

[HKCR\IEAux.IEHlprObj.1]
"(Default)" = "IEAux Class"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}]
"(Default)" = "IEAux Class"

[HKLM\System\CurrentControlSet\Services\cnprov]
"DescriptionName" = "cnprov"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"exec" = "%Program Files%\OCINS\config.exe"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}]
"(Default)" = "IIEHlprObj"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID]
"(Default)" = "IEAux.IEHlprObj"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\IEAux.IEHlprObj.1\CLSID]
"(Default)" = "{7605CC7C-00FD-4A5F-BAFD-828342DE6279}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Flags" = "1"

[HKLM\System\CurrentControlSet\Services\cnprov]
"DisplayName" = "cnprov"

"ErrorControl" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 F6 9D 75 AB 13 28 BB D4 5B 87 F2 8A 73 1A 6D"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\HELPDIR]
"(Default)" = "C:\PROGRA~1\OCINS\"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib]
"(Default)" = "{7605CC7B-00FD-4A5F-BAFD-828342DE6279}"

[HKLM\System\CurrentControlSet\Services\cnprov]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"Icon" = "%Program Files%\OCINS\config.exe,216"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Version" = "*"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID]
"(Default)" = "IEAux.IEHlprObj.1"

[HKCR\IEAux.IEHlprObj]
"(Default)" = "IEAux Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = "http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html"
"SearchAssistant" = "http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\cnprov]
"Start" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IdnSvr" = "%Program Files%\OCINS\idnsvr.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\cnprov]
"InstallPath"
"DeleteFlag"

"SystemRoot"

[HKCU\Console]
"KwUnSelf"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"uninsrest"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"renewup"

"ExFilter"

The process setup.exe:3264 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 62 4C 73 7C 66 E1 4B 61 7E 2D 32 FB 5D 52 AA"

The process %original file name%.exe:1712 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"soft256.exe" = "soft256"

"cnnic_1009.exe" = "cnnic_1009"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process idnsvr.exe:4052 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 04 AB 01 43 81 A1 56 B7 94 93 23 C0 0F C3 E8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

The Trojan deletes the following value(s) in system registry:

[HKCU\Console]
"KwUnSelf"

Dropped PE files

MD5	File path
9f230f967a8607b7565cfcb83d963a96	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cndsv.dll
b06090ee2881c1bac0d275b17d140d3b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cnprov.sys
3d8a11f1dc9127afc415a3c5aa0f4ab8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cnprovh.dll
bc69dffa76af3297b653bfc814f7b87f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\config.exe
57b46fc2b9cb59275cdcfb5e1722f48f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\convs.dll
135ab6cf712cd9fc4b5cd55d71e781c0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnreg.dll
70019002fdac4580e81d7ff75fb598db	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnsvr.dll
2312b02cf8c50bc32cdb0686a9c3ac96	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnsvr.exe
59edc983e52851d195e7c61e8efad602	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\ieaux.dll
c8d32d9ce600888693ccb1864bf6bdd2	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\loader.exe
088efc555a77d8d35a9ff367ca48d86f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\setup.dll
a4bf929fdcb401b8cfd9fd212686907e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\setup.exe
5af44e42174649b95758b0e5ef79adf6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\uninstall.exe
6401dc5833d65f4d95bd6e8f78fdf8a1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\cnnic_1009.exe
f2324a0a589478957b66b967c8d95d8c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\m4.exe
3872b1238b8e6c1b92c20e63b6560009	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\soft256.exe
f2324a0a589478957b66b967c8d95d8c	c:\MP3\svchost.exe
0a96acb043f1c72e088a46358bb1b5a3	c:\Program Files\OCINS\austr.dll
9f230f967a8607b7565cfcb83d963a96	c:\Program Files\OCINS\cndsv.dll
3d8a11f1dc9127afc415a3c5aa0f4ab8	c:\Program Files\OCINS\cnprovh.dll
bc69dffa76af3297b653bfc814f7b87f	c:\Program Files\OCINS\config.exe
57b46fc2b9cb59275cdcfb5e1722f48f	c:\Program Files\OCINS\convs.dll
70019002fdac4580e81d7ff75fb598db	c:\Program Files\OCINS\idnsvr.dll
2312b02cf8c50bc32cdb0686a9c3ac96	c:\Program Files\OCINS\idnsvr.exe
05cc443897f1b818b45ee0678c9e506f	c:\Program Files\OCINS\ieaux.dll
764abdae9880ab1c3ea725a9bb62b784	c:\Program Files\OCINS\uninstall.exe
0a96acb043f1c72e088a46358bb1b5a3	c:\Program Files\OCINS\update\austr.dll
f6a405cded18319b910822cfceb03af7	c:\Program Files\OCINS\update\update.exe
041f9424d638ddc0ff8f21d44ded7c72	c:\WINDOWS\system32\drivers\cnprov.sys
d5bb1996768ed9f61915be739a1fcc43	c:\WINDOWS\system32\setup.exe.tmp

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\drivers\cnprov.sys" the Trojan controls creation and closing of processes by installing the process notifier.

Using the driver "%System%\drivers\cnprov.sys" the Trojan controls creation and closing of threads by installing the thread notifier.

Using the driver "%System%\drivers\cnprov.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.

The Trojan installs the following kernel-mode hooks:

ZwClose
ZwCreateKey
ZwCreateThread
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwOpenKey
ZwQueryValueKey
ZwReplaceKey
ZwRestoreKey
ZwSetSecurityObject
ZwSetSystemInformation
ZwSetValueKey

Using the driver "%System%\drivers\cnprov.sys" the Trojan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:

MJ_CREATE
MJ_CLOSE
MJ_READ
MJ_WRITE
MJ_SET_INFORMATION

Using the driver "%System%\drivers\idnaux.sys" the Trojan substitutes IRP handlers to control devices of tcpip.sys driver:

MJ_CLOSE
MJ_DEVICE_CONTROL
MJ_INTERNAL_DEVICE_CONTROL

Using the driver "%System%\drivers\cnprov.sys" the Trojan substitutes IRP handlers in a file system driver (FastFAT) to control operations with files:

MJ_CREATE
MJ_CLOSE
MJ_READ
MJ_WRITE
MJ_SET_INFORMATION

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Scan a system with an anti-rootkit tool.
Terminate malicious process(es) (How to End a Process With the Task Manager):
soft256.exe:2724
cnnic_1009.exe:2892
m4.exe:2840
update.exe:3408
setup.exe:2200
setup.exe:3476
setup.exe:3264
%original file name%.exe:1712
idnsvr.exe:4052
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%System%\e1JePg78g.dll (33 bytes)
%System%\setup.exe (12214 bytes)
C:\MP3\svchost.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\version.dat (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\uninstall.exe (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\srchsp.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\path.dat (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.exe (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.dat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\convf.dll (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\austr.dll (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnrbtn.html (486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.sys (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cuscfg.dat (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ocinfo.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ieaux.dll (172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnreg.dll (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwrep.dat (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.ini (6 bytes)
%Program Files%\OCINS\convf.dll (1281 bytes)
%Program Files%\OCINS\replace.dat (343 bytes)
%Program Files%\OCINS\kwacs.dat (16 bytes)
%System%\drivers\cnprov.sys (673 bytes)
%Program Files%\OCINS\cuscfg.dat (145 bytes)
%Program Files%\OCINS\ctrcfg.ini (230 bytes)
%Program Files%\OCINS\cnrbtn.html (486 bytes)
%System%\drivers\idnaux.sys (10 bytes)
%Program Files%\OCINS\version.dat (482 bytes)
%Program Files%\OCINS\kwrep.dat (191 bytes)
%Program Files%\OCINS\idnaux.dat (39 bytes)
%Program Files%\OCINS\uninstall.exe (673 bytes)
%Program Files%\OCINS\srchsp.dll (32 bytes)
%Program Files%\OCINS\ieaux.dll (673 bytes)
%System%\cnprov.dat (1 bytes)
%Program Files%\OCINS\cnstc.ini (1 bytes)
%WinDir%\ocinfo.dat (8 bytes)
%System%\idnreg.dll (36 bytes)
%Program Files%\OCINS\addrmsg.dll (601 bytes)
%Program Files%\OCINS\addrmsg.ini (6 bytes)
%Program Files%\OCINS\cnprovh.dll (601 bytes)
%Program Files%\OCINS\convs.dll (601 bytes)
%Program Files%\OCINS\cndsv.dll (601 bytes)
%Program Files%\OCINS\config.exe (601 bytes)
%Program Files%\OCINS\idnsvr.exe (601 bytes)
%Program Files%\OCINS\idnsvr.dll (601 bytes)
%Program Files%\OCINS\usrcfg.ini (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.exe (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\ieaux.dll (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\version.dat (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.sys (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnreg.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\uninstall.exe (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\path.dat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\convs.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\loader.exe (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cuscfg.dat (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\OCINS\update\version.dat (482 bytes)
%Program Files%\OCINS\austr.dll (65 bytes)
%Program Files%\OCINS\update\data2.cab (9696 bytes)
%Program Files%\OCINS\update\update.exe (273697 bytes)
%Program Files%\OCINS\update\austr.dll (1568 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IdnSvr" = "%Program Files%\OCINS\idnsvr.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	114688	35840	5.5358	5b547387783d91b4b3e6beaaea639923
.rsrc	118784	12288	9728	4.02815	11196967b6fe974fa5d94b67be64252e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://update.jogo.cn/cdnClient/update/v26_p/version.dat
hxxp://update.jogo.cn/cdnClient/update/v26_p/data2.cab
hxxp://50.117.116.117/down/wxpSetup256.txt
hxxp://jump.knet.cn/stat/stat
hxxp://jump.knet.cn/stat/first
hxxp://50.117.120.254/down/wxpSetup256.txt
hxxp://update.jogo.cn/cdnClient/update/v26_p/update.exe
hxxp://www5.softuu.cn/down/wxpSetup256.txt	50.117.116.117
update.cnnic.cn	202.173.11.10
jump.cnnic.cn	202.173.11.132

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /stat/first HTTP/1.1

Host: jump.cnnic.cn

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

Content-Length: 53

sid=1001&pid=0000&sw=C_gr294&sp=002.006.000.000&drv=1

HTTP/1.1 200 OK

Server: Apache-Coyote/1.1

Content-Length: 0

Date: Wed, 16 Apr 2014 08:33:48 GMT

POST /stat/stat HTTP/1.1

Host: jump.cnnic.cn

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

Content-Length: 183

sid=0102&pid=C_gr294&sp=002.006.000.000&cid=aaamcjdlnpcpaaamcjdlnpcpdadadadadadadadadadadadadadadadadadadadbmdilgeogeapgmjlebcngahefeaommfomlhgempgjljdpjaggoogjhoifimlgpjhb0003&bind=0

HTTP/1.1 500 Internal Server Error

Server: Apache-Coyote/1.1

Content-Type: text/html;charset=utf-8

Content-Length: 1806

Date: Wed, 16 Apr 2014 08:33:48 GMT

Connection: close

<html><head><title>Apache Tomcat/7.0.22 - Error report</title><style></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade">type Exception reportmessage description The server encountered an internal error () that prevented it from fulfilling this request.exception <pre>java.io.FileNotFoundException: /home/knet/stat/cfg/url.properties (No such file or directory)..java.io.FileInputStream.open(Native Method)..java.io.FileInputStream.<init>(FileInputStream.java:120)..java.io.FileInputStream.<init>(FileInputStream.java:79)..java.io.FileReader.<init>(FileReader.java:41)..net.knowledgeservice.pub.util.FileUtil.fileToArray(FileUtil.java:103).

<<< skipped >>>

GET /cdnClient/update/v26_p/data2.cab HTTP/1.1

Host: update.cnnic.cn

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

<<< skipped >>>

GET /cdnClient/update/v26_p/version.dat HTTP/1.1

Host: update.cnnic.cn

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 16 Apr 2014 08:33:46 GMT

Server: Apache

Last-Modified: Fri, 16 Jul 2010 08:54:32 GMT

ETag: "292a0e9-1e2-48b7d5e0e2200"

Accept-Ranges: bytes

Content-Length: 482

Connection: close

Content-Type: text/plain; charset=UTF-8

[version]..ver=2.6.0.42..[update]..url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/version.dat..[stat]..stat=hXXp://jump.cnnic.cn/stat/stat..live=hXXp://jump.cnnic.cn/stat/first..uninstall=hXXp://jump.cnnic.cn/stat/uninstall..[exe]..version=2.6.0.12..url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/update.exe..[cab]..version=2.6.0.32..url=http://update.cnnic.cn/cdnClient/update/v26_p/data.cab..[relay]..url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/data2.cab..

GET /down/wxpSetup256.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: www2.softuu.cn

Connection: Keep-Alive

Cookie: PHPSESSID=hpu1peah8f6ekmonnpelhl7k24

HTTP/1.1 404 Not Found

Server: Tengine/1.4.2

Date: Wed, 16 Apr 2014 08:31:30 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.3.10

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Encoding: gzip

1224.............Z[o.Hv. 5l.e.)....ey!K.[m[v[..` PdQ,.7.E]..H...`..d......y.Kv. .6.v~.\v.ENU..lw{:....c.R.Xu......j...Q...x...u..>..>%.r(...M..6.b/...Q....JP....3..Y....4..z...k@.Q...[.........O....O6z.Y....p(..=X..us{..T.N. .oc2iJm......y.%C<4%.g....@.......Z9......nJ7x>.C3Z....E.?.._7..Y..!...a..b..yH.H>.Ji...q...Tx@........[Q.b..]....G...3y.Q...bb4.c4%.F..R..X......CWg.P..6...?p.lt.c.....].3...,Xa.-........C......J#..&..V(L...ZT....._Gy&...n3.-..y.{..F.^....V).. .\.......(..J...Tvv*j.%..|.N.....d:1J.......9_...f .sx.F.9.M2.MG6.l.r...#;D.U...vI...].....X6|....2..1.0.....d..1......r ......}.ej....P.............$*..U.D@ql......h...C.A...C?.d.{....9..o..O.....1.4....I.1.F.[.B.. .;d.i.l....\`.......=g..........b0k.GKw.3..Cb.>...._c"..._..O...w...w....8 . .X..>......VHt...0...l5.....T*5.?"l.Z.....7......"H..pH..a".<....gM<...)0A....L0c..$ u.i:..X..S.x)..5A....6......M1..T[...<HP.-2.t........6[!.6.....$..}.!...c(.d'...f.[{.....C(..a-........h...".....:^.J].....r.'.3.0....'....f......Z.....I.1..t(.h...(!.9...g.\...$...h....pV/...o8.F.q......E.!%.BW..7"w..qm.R.LK.R....8?&..E!....a....bJLjk.*...c......pV.*......../'...@".Am5.\.cE.W.Z.k4........".........x(2f......N.....b*.T.hk.Kf.^...IE...t. ..?E%.;.@ko6.%6..>...L.E.CL....O.%@H.0j0'.-.Hr.)...B)..b.....R..*l.......#$.-...X..RJ'..a...."..w.d......fD..jc....3.96.y..}....a..t(....1...s......8(WR..v..P...,..J*Y...zQo..z.....W.7..K..W....I...B.K..$.T..KH0...TtB..&.[.qi>...P.K......./X...\..S6(...]...P.*!T..A.T.Y.m..3c...bK%z.M.:*h.M05....

<<< skipped >>>

GET /down/wxpSetup256.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: www3.softuu.cn

Connection: Keep-Alive

Cookie: PHPSESSID=qekkaf4qlu6hc6dmgbnt9onfp1

HTTP/1.1 404 Not Found

Server: Tengine/1.4.2

Date: Wed, 16 Apr 2014 08:31:27 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.3.10

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Encoding: gzip

1224.............Z[o.Hv. .6....D....B.,.....|..@...X6o&..X1.....b'.>........."@.l.........SU.$.mwg0..`l@,..NU....Um~.9l.\...6q....d.sl...z;BU.bK........)bT......gb..Y^.H.?h]}.u..?h]{.u.q....7.l..._~.....(...C....2l..[..":p..2....).}. ..'.....i...H...!...F.4cb.0.N..]....|..f...s.#...s|..vf...(...I..!...........p.G.t...H.(2B...{ .S.............4EB...l"a.....[pA.\.......Y~.......-.l..8Q:........\.3..@.`.9....s...C.."[...V.q.4.D.|~:......U.=.*.Q...t..o.8...K.0..b.U(..r....R..#oW;..S..[Ue{..._.P...T.*H.H..#.8h..O...e3.k6#2....7...'..H&.LS...w$.K.*....JvI...]...I.o"..Y..;&.Fr..6... &...."]......7.O.Dl....J.......`.A...D%.....(...A..c....w(QH..8..@r..K.>."d..t.../\=.cOS..n...Ci..E!...d..cO3`.......^.}p.E..K..l.9..HS....^-...\.....TP....aQ.....?.......................?...Z!......?.a..._...b.......B...&.q'..A. .T(..G0.*2..=.....g.R4.&(.r...D..;.J]l.........^Jb}M..F!&..x...uS..6...wB.$....i...].Wm.....i.M..rM...>....{c(..N.C..N^{.........a-........h...".....:V.J...D..2.'.3.0.....).hK...s.....108...c.%.P...._..8..=&>m.... Q&~...@....@.....7..k.o...P..b.)t5gz#|k.... ....(..9..scl.Y!D...#....]L.Il.^a..s...l.i.c....0[ ..\......HD...f*'8V.z......6&.c..`...O......{x(Pfq.....N..t..|*.T.hk.Kf%.((.?..4.... ....d.p..}...t"\}p..05!..l./...o.........|....b....P.`...p......2./a..(.A..vK..1.6*...GC...i..].VN......gF..\m.7.px.3..3.A.....!......s.7. {...,....G..J....$..(.....J...'...........'.o../..]}.Rn$u\.r..i...RY./.A9Qc.....M......@..C.,E\Rk., .`..|r..N....^t._:C...P...eR.fy.}.....^.[*.Stb.Q..t..A.?.....K....O.PR..(".#.Q

<<< skipped >>>

GET /cdnClient/update/v26_p/update.exe HTTP/1.1

Host: update.cnnic.cn

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Wed, 16 Apr 2014 08:33:51 GMT

Server: Apache

Last-Modified: Fri, 16 Jul 2010 09:00:08 GMT

ETag: "292a0e8-6bc80-48b7d72151600"

Accept-Ranges: bytes

Content-Length: 441472

Connection: close

Content-Type: application/octet-stream

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u........=.uN.:.h........&.../....p....`.Q..6D..(N......{.".D......S.4.(....o..x........................PE..L.....@L.................P...P...............`....@.................................9.......................................................................T........................................................................................text....P.......*..................@....rdata.......`.......0..............@....data....0...p...l...6..............@....rsrc...............................@....aspack.. ..........................@....adata..............................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /down/wxpSetup256.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: www5.softuu.cn

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Server: Tengine/1.4.2

Date: Wed, 16 Apr 2014 08:31:57 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.3.10

Set-Cookie: PHPSESSID=l0471imf8i68j3bo1abkea0tm3; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Encoding: gzip

<<< skipped >>>

GET /down/wxpSetup256.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)

Host: www4.softuu.cn

Connection: Keep-Alive

Cookie: PHPSESSID=kc4506f6moav0eu2hecipfahm4

HTTP/1.1 404 Not Found

Server: Tengine/1.4.2

Date: Wed, 16 Apr 2014 08:31:46 GMT

Content-Type: text/html;charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

X-Powered-By: PHP/5.3.10

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Content-Encoding: gzip

1224.............Z[o.Hv. 5l.e.)....ey!K.[m[v[..` PdQ,.7.E]..H...`..d......y.Kv. .6.v~.\v.ENU..lw{:....c.b.Xu......j...Q...x...u..>..>%.r(...M..6.b....Q....JP....3..Y....4..z...k@.Q...[.........O....O6z.Y....p(..=X..us{..T.N. .oc2iJm......y.%C.4%.g....@.......Z9......nJ7x>.C3Z....E.?.._7..Y..!...a..b..yH.H>.Ji...q...Tx@........[Q.b..]....G...3y.Q...bb4.c4%.F..R..X......CWg.P..6...?p.lt.c.....].3...,Xa.-........C......J#..&..V(L...ZT....._Gy&...n3.-..y.{..F.^....V).. .\.......(..J...Tvv*j.%..|.N.....d:1J.......9_...f .s..F.9.M2.MG6.l.r...#;D.U...vI...].....X6|....2..1.0.....d..1......r ......}.ej....P.............$*..U.D@ql......h...C.A.=.......X....a.7f.'.x....x...t.$..J#.-.......2.4.......0.....[...da...E..kj1.5......k.!1B...]..1.d../...?..._.....[x..w.{..w......B $...z..S.....E{Q*.......-..Hh......R...BY8$..0.i......&..K... ....&.1Vw....4.FQ,...C........CB...t......m.-k.Q.$....i...].Wm.S...k.M..rM...>..G..1.....Pd....OHDF.!.......Z.LL..4..X.U.lnI./C..Dkb..9....q...Q.....R.}..Bpu.C.......lI:.C.X.......c..f.U...s..4...>8..l../.p#..a..L......M..y...;.....)..%E)...h...K....X..0...w1%&..z.cC.1....Lk8.D.......r....QB .....i......F-.5...r....V..O..B....<.....S.yL..}z..1.D*..5.%.B/...OE...t. ..?E%.;.@k_6.%6..>...L.E.CL......J..6`.`N.[$...S../.R.....#=\.h.U.x..UE..FH.[.5...Q..N>....N.E...r..a.R....4$..z...g>sl<............P.1.xc........0.qP.........E.X...T.D.?...b..E...WOQ.@./.B\}.Sn$uB....i..`RY./!.\..R..9$.Ll)...H..C.,E\Vk., .`..br..N....^t._:C...P...eR.f..}....J..-..)61...M6.. ..c..M

<<< skipped >>>

POST /stat/stat HTTP/1.1

Host: jump.cnnic.cn

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

Content-Length: 25

sid=1005&pid=0&sw=C_gr294

HTTP/1.1 500 Internal Server Error

Server: Apache-Coyote/1.1

Content-Type: text/html;charset=utf-8

Content-Length: 1806

Date: Wed, 16 Apr 2014 08:33:49 GMT

Connection: close

<<< skipped >>>

POST /stat/stat HTTP/1.1

Host: jump.cnnic.cn

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*

Content-Type: application/x-www-form-urlencoded

Cache-Control: no-cache

Content-Length: 54

sid=0104&os=6&FromTo=(002.006.000.000-002.006.000.042)

HTTP/1.1 500 Internal Server Error

Server: Apache-Coyote/1.1

Content-Type: text/html;charset=utf-8

Content-Length: 1806

Date: Wed, 16 Apr 2014 08:33:49 GMT

Connection: close

<<< skipped >>>

Map

Strings from Dumps

svchost.exe_1992:

`.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s[%d]

%s_%d

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

uxtheme.dll

%s%s%s%s%s%s%s%s%s%s

Proportional

MAPI32.DLL

OnKeyDown

OnKeyPress

OnKeyUp

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

Password

OnExecute4

ole32.dll

olepro32.dll

supports

importNode

%s="%s"

%s%s%s: %d%s%s

getservbyport

WSAAsyncGetServByPort

WSAJoinLeaf

WS2_32.DLL

127.0.0.1

TIdSocketListWindows

TIdStackWindowsU

IdStackWindows

%s, %d %s %d %s %s

password

IdHTTPHeaderInfo

ProxyPassword<</pre><pre>ProxyPort</pre><pre>Mozilla/3.0 (compatible; Indy Library)</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMax</pre><pre>PortT</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>libeay32.dll</pre><pre>ssleay32.dll</pre><pre>SSL_CTX_use_PrivateKey_file</pre><pre>SSL_CTX_use_certificate_file</pre><pre>SSL_get_peer_certificate</pre><pre>SSL_CTX_set_default_passwd_cb</pre><pre>SSL_CTX_set_default_passwd_cb_userdata</pre><pre>SSL_CTX_check_private_key</pre><pre>X509_STORE_CTX_get_current_cert</pre><pre>des_set_key</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Port</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>sslvrfFailIfNoPeerCert</pre><pre>TPasswordEvent</pre><pre>Certificate</pre><pre>RootCertFile</pre><pre>CertFile</pre><pre>KeyFile</pre><pre>OnGetPasswordPeH</pre><pre>EIdOSSLLoadingRootCertError</pre><pre>EIdOSSLLoadingCertError</pre><pre>EIdOSSLLoadingKeyError</pre><pre>TIdTCPClient</pre><pre>TIdTCPClient4</pre><pre>IdTCPClient</pre><pre>BoundPort</pre><pre>PortU</pre><pre>CommentURL</pre><pre>TIdHTTPMethod</pre><pre>IdHTTP</pre><pre>TIdHTTPOption</pre><pre>TIdHTTPOptions</pre><pre>TIdHTTPProtocolVersion</pre><pre>IdHTTP4</pre><pre>TIdHTTPOnRedirectEvent</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPRequest</pre><pre>TIdHTTPProtocol</pre><pre>TIdCustomHTTP</pre><pre>TIdHTTP</pre><pre>HTTPOptions0</pre><pre>EIdHTTPProtocolException</pre><pre>HTTPS</pre><pre>https</pre><pre>This request method is supported in HTTP 1.1</pre><pre>HTTP/1.0 200 OK</pre><pre>HTTP/</pre><pre>IWebBrowser</pre><pre>IWebBrowserApp</pre><pre>IWebBrowser2P</pre><pre>TWebBrowserStatusTextChange</pre><pre>TWebBrowserProgressChange</pre><pre>TWebBrowserCommandStateChange</pre><pre>TWebBrowserTitleChange</pre><pre>TWebBrowserPropertyChange</pre><pre>TWebBrowserBeforeNavigate2</pre><pre>TWebBrowserNewWindow2</pre><pre>TWebBrowserNavigateComplete2</pre><pre>TWebBrowserDocumentComplete</pre><pre>TWebBrowserOnVisible</pre><pre>TWebBrowserOnToolBar</pre><pre>TWebBrowserOnMenuBar</pre><pre>TWebBrowserOnStatusBar</pre><pre>TWebBrowserOnFullScreen</pre><pre>TWebBrowserOnTheaterMode</pre><pre>TWebBrowserWindowSetResizable</pre><pre>TWebBrowserWindowSetLeft</pre><pre>TWebBrowserWindowSetTop</pre><pre>TWebBrowserWindowSetWidth</pre><pre>TWebBrowserWindowSetHeight</pre><pre>TWebBrowserWindowClosing</pre><pre>TWebBrowserClientToHostWindow</pre><pre>TWebBrowserSetSecureLockIcon</pre><pre>TWebBrowserFileDownload</pre><pre>TWebBrowserNavigateError</pre><pre>%TWebBrowserPrintTemplateInstantiation</pre><pre>TWebBrowserPrintTemplateTeardown</pre><pre>TWebBrowserUpdatePageStatus</pre><pre>%TWebBrowserPrivacyImpactedStateChange</pre><pre>TWebBrowserNewWindow3</pre><pre>bstrUrlContext</pre><pre>bstrUrl</pre><pre>TWebBrowser</pre><pre>TWebBrowserX</pre><pre>OnWindowSetResizable</pre><pre>OnWindowSetLeft</pre><pre>OnWindowSetTop4</pre><pre>OnWindowSetWidth</pre><pre>OnWindowSetHeight</pre><pre>DLCTL_URL_ENCODING_DISABLE_UTF8</pre><pre>DLCTL_URL_ENCODING_ENABLE_UTF8</pre><pre>FzWebBrowser</pre><pre>TFzWebBrowser</pre><pre>WebBrowser1</pre><pre>WebBrowser1NavigateError</pre><pre>WebBrowser1NewWindow2</pre><pre>WebBrowser1NewWindow3</pre><pre>http://www.wodiandian.com/client_submit_click_data.do?username=aaajjj&password=</pre><pre>&key=</pre><pre>WebBrowser1NewWindow2"</pre><pre>WebBrowser1StatusTextChange</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</pre><pre>AppEvents\Schemes\Apps\Explorer\Navigating\.Current</pre><pre>Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>*.txt</pre><pre>http://www.wodiandian.com/client_reload_urls_data.do?username=aaajjj&password=</pre><pre><?xml version="1.0" encoding="gb2312" ?><data><data_start>%s</data_start></data></pre><pre>\Software\Microsoft\Windows\CurrentVersion\Internet Settings</pre><pre>http://</pre><pre><data_click><data_key>%s</data_key><url_id>%s</url_id><usr_id>%s</usr_id><type>%s</type><check>%S</check></data_click></pre><pre>ServiceExecute</pre><pre>c:\MP3\svchost.exe</pre><pre>c:\MP3</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>user32.dll</pre><pre>GetKeyboardType</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>ReportEventA</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>WinExec</pre><pre>GetCPInfo</pre><pre>version.dll</pre><pre>gdi32.dll</pre><pre>SetViewportOrgEx</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>ActivateKeyboardLayout</pre><pre>wininet.dll</pre><pre>333333333333333333</pre><pre>33333833</pre><pre>3333339</pre><pre>3333333333333338</pre><pre>:*"*"$3338</pre><pre>3333333</pre><pre>33333333</pre><pre>33333333333</pre><pre>3333333333338</pre><pre>33338?383</pre><pre>333333333333</pre><pre>:*3:"$3338</pre><pre>333333333333333</pre><pre>KWindows</pre><pre>UrlMon</pre><pre>0IdHTTPHeaderInfo</pre><pre> IdTCPServer</pre><pre>IdTCPStream</pre><pre>.SHDocVw_TLB</pre><pre>Font.Charset</pre><pre>Font.Color</pre><pre>Font.Height</pre><pre>Font.Name</pre><pre>Font.Style</pre><pre>OnExecute</pre><pre>http://www.w3.org/2001/XMLSchema</pre><pre>http://www.w3.org/2000/xmlns/</pre><pre>http://www.w3.org/2001/XMLSchema-instance</pre><pre>http://www.easy78.cn</pre><pre>Command not supported.</pre><pre>Address type not supported.$Error accepting connection with SSL.</pre><pre>Error creating SSL context. Could not load root certificate.</pre><pre>Could not load certificate.#Could not load key, check password.</pre><pre>SSL status: "%s"</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>0Address family not supported by protocol family.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.</pre><pre>Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>Chunk StartedDThis authentication method is already registered with class name %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre><Selected DOM Vendor does not support this property or method><pre>Node "%s" not found</pre><pre>IDOMNode required.Attributes are not supported on this node type</pre><pre>Invalid node type Mismatched paramaters to RegisterChildNodes Element does not contain a single text node4DOM Implementation does not support IDOMParseOptions</pre><pre>Node is readonlyCRefresh is only supported if the FileName or XML properties are set</pre><pre>No help keyword specified.</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s)"%s" DOMImplementation already registered</pre><pre>No matching DOM Vendor: "%s"</pre><pre>No help found for %s#No context-sensitive help installed$No topic-based help system installed</pre><pre>shutdown(Service failed in custom message(%d): %s</pre><pre>Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"</pre><pre>Alt Clipboard does not support Icons</pre><pre>Cannot open clipboard/Menu '%s' is already being used by another form</pre><pre>Service failed on %s: %s</pre><pre> Cannot focus a disabled or invisible window!Control '%s' has no parent window</pre><pre>Thread Error: %s (%d)</pre><pre>Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic</pre><pre>Unsupported clipboard format</pre><pre>List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid stream format$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s'</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation</pre><pre>Invalid NULL variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre>svchost.exe_1992_rwx_003D0000_00002000:<pre>The procedure %s could not be located in the DLL %s.</pre><pre>The ordinal %d could not be located in the DLL %s.</pre>svchost.exe_1992_rwx_00401000_000B5000:<pre>kernel32.dll</pre><pre>Windows</pre><pre>MSWHEEL_ROLLMSG</pre><pre>MSH_WHEELSUPPORT_MSG</pre><pre>MSH_SCROLL_LINES_MSG</pre><pre>$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)</pre><pre>oleaut32.dll</pre><pre>EVariantBadIndexError</pre><pre>ssShift</pre><pre>htKeyword</pre><pre>EInvalidOperation</pre><pre>u%CNu</pre><pre>%s[%d]</pre><pre>%s_%d</pre><pre>EInvalidGraphicOperation</pre><pre>USER32.DLL</pre><pre>comctl32.dll</pre><pre>uxtheme.dll</pre><pre>%s%s%s%s%s%s%s%s%s%s</pre><pre>Proportional</pre><pre>MAPI32.DLL</pre><pre>OnKeyDown</pre><pre>OnKeyPress</pre><pre>OnKeyUp</pre><pre>IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")</pre><pre>JumpID("","%s")</pre><pre>TKeyEvent</pre><pre>TKeyPressEvent</pre><pre>HelpKeyword</pre><pre>crSQLWait</pre><pre>%s (%s)</pre><pre>imm32.dll</pre><pre>AutoHotkeys</pre><pre>ssHotTrack</pre><pre>TWindowState</pre><pre>poProportional</pre><pre>TWMKey</pre><pre>KeyPreview</pre><pre>WindowState</pre><pre>System\CurrentControlSet\Control\Keyboard Layouts\%.8x</pre><pre>vcltest3.dll</pre><pre>User32.dll</pre><pre>Password</pre><pre>OnExecute4</pre><pre>ole32.dll</pre><pre>olepro32.dll</pre><pre>supports</pre><pre>importNode</pre><pre>%s="%s"</pre><pre>%s%s%s: %d%s%s</pre><pre>getservbyport</pre><pre>WSAAsyncGetServByPort</pre><pre>WSAJoinLeaf</pre><pre>WS2_32.DLL</pre><pre>127.0.0.1</pre><pre>TIdSocketListWindows</pre><pre>TIdStackWindowsU</pre><pre>IdStackWindows</pre><pre>%s, %d %s %d %s %s</pre><pre>password</pre><pre>IdHTTPHeaderInfo</pre><pre>ProxyPassword<</pre><pre>ProxyPort</pre><pre>Mozilla/3.0 (compatible; Indy Library)</pre><pre>ftpTransfer</pre><pre>ftpReady</pre><pre>ftpAborted</pre><pre>ClientPortMin<</pre><pre>ClientPortMax</pre><pre>PortT</pre><pre>EIdCanNotBindPortInRange</pre><pre>EIdInvalidPortRangeSVW</pre><pre>libeay32.dll</pre><pre>ssleay32.dll</pre><pre>SSL_CTX_use_PrivateKey_file</pre><pre>SSL_CTX_use_certificate_file</pre><pre>SSL_get_peer_certificate</pre><pre>SSL_CTX_set_default_passwd_cb</pre><pre>SSL_CTX_set_default_passwd_cb_userdata</pre><pre>SSL_CTX_check_private_key</pre><pre>X509_STORE_CTX_get_current_cert</pre><pre>des_set_key</pre><pre>saUsernamePassword</pre><pre>Password<</pre><pre>Port</pre><pre>0.0.0.1</pre><pre>TIdTCPConnection</pre><pre>IdTCPConnection</pre><pre>EIdTCPConnectionError</pre><pre>sslvrfFailIfNoPeerCert</pre><pre>TPasswordEvent</pre><pre>Certificate</pre><pre>RootCertFile</pre><pre>CertFile</pre><pre>KeyFile</pre><pre>OnGetPasswordPeH</pre><pre>EIdOSSLLoadingRootCertError</pre><pre>EIdOSSLLoadingCertError</pre><pre>EIdOSSLLoadingKeyError</pre><pre>TIdTCPClient</pre><pre>TIdTCPClient4</pre><pre>IdTCPClient</pre><pre>BoundPort</pre><pre>PortU</pre><pre>CommentURL</pre><pre>TIdHTTPMethod</pre><pre>IdHTTP</pre><pre>TIdHTTPOption</pre><pre>TIdHTTPOptions</pre><pre>TIdHTTPProtocolVersion</pre><pre>IdHTTP4</pre><pre>TIdHTTPOnRedirectEvent</pre><pre>TIdHTTPResponse</pre><pre>TIdHTTPRequest</pre><pre>TIdHTTPProtocol</pre><pre>TIdCustomHTTP</pre><pre>TIdHTTP</pre><pre>HTTPOptions0</pre><pre>EIdHTTPProtocolException</pre><pre>HTTPS</pre><pre>https</pre><pre>This request method is supported in HTTP 1.1</pre><pre>HTTP/1.0 200 OK</pre><pre>HTTP/</pre><pre>IWebBrowser</pre><pre>IWebBrowserApp</pre><pre>IWebBrowser2P</pre><pre>TWebBrowserStatusTextChange</pre><pre>TWebBrowserProgressChange</pre><pre>TWebBrowserCommandStateChange</pre><pre>TWebBrowserTitleChange</pre><pre>TWebBrowserPropertyChange</pre><pre>TWebBrowserBeforeNavigate2</pre><pre>TWebBrowserNewWindow2</pre><pre>TWebBrowserNavigateComplete2</pre><pre>TWebBrowserDocumentComplete</pre><pre>TWebBrowserOnVisible</pre><pre>TWebBrowserOnToolBar</pre><pre>TWebBrowserOnMenuBar</pre><pre>TWebBrowserOnStatusBar</pre><pre>TWebBrowserOnFullScreen</pre><pre>TWebBrowserOnTheaterMode</pre><pre>TWebBrowserWindowSetResizable</pre><pre>TWebBrowserWindowSetLeft</pre><pre>TWebBrowserWindowSetTop</pre><pre>TWebBrowserWindowSetWidth</pre><pre>TWebBrowserWindowSetHeight</pre><pre>TWebBrowserWindowClosing</pre><pre>TWebBrowserClientToHostWindow</pre><pre>TWebBrowserSetSecureLockIcon</pre><pre>TWebBrowserFileDownload</pre><pre>TWebBrowserNavigateError</pre><pre>%TWebBrowserPrintTemplateInstantiation</pre><pre>TWebBrowserPrintTemplateTeardown</pre><pre>TWebBrowserUpdatePageStatus</pre><pre>%TWebBrowserPrivacyImpactedStateChange</pre><pre>TWebBrowserNewWindow3</pre><pre>bstrUrlContext</pre><pre>bstrUrl</pre><pre>TWebBrowser</pre><pre>TWebBrowserX</pre><pre>OnWindowSetResizable</pre><pre>OnWindowSetLeft</pre><pre>OnWindowSetTop4</pre><pre>OnWindowSetWidth</pre><pre>OnWindowSetHeight</pre><pre>DLCTL_URL_ENCODING_DISABLE_UTF8</pre><pre>DLCTL_URL_ENCODING_ENABLE_UTF8</pre><pre>FzWebBrowser</pre><pre>TFzWebBrowser</pre><pre>WebBrowser1</pre><pre>WebBrowser1NavigateError</pre><pre>WebBrowser1NewWindow2</pre><pre>WebBrowser1NewWindow3</pre><pre>http://www.wodiandian.com/client_submit_click_data.do?username=aaajjj&password=</pre><pre>&key=</pre><pre>WebBrowser1NewWindow2"</pre><pre>WebBrowser1StatusTextChange</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3</pre><pre>AppEvents\Schemes\Apps\Explorer\Navigating\.Current</pre><pre>Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</pre><pre>*.txt</pre><pre>http://www.wodiandian.com/client_reload_urls_data.do?username=aaajjj&password=</pre><pre><?xml version="1.0" encoding="gb2312" ?><data><data_start>%s</data_start></data></pre><pre>\Software\Microsoft\Windows\CurrentVersion\Internet Settings</pre><pre>http://</pre><pre><data_click><data_key>%s</data_key><url_id>%s</url_id><usr_id>%s</usr_id><type>%s</type><check>%S</check></data_click></pre><pre>ServiceExecute</pre><pre>c:\MP3\svchost.exe</pre><pre>c:\MP3</pre><pre>?456789:;<=</pre><pre>!"#$%&'()* ,-./0123</pre><pre>user32.dll</pre><pre>GetKeyboardType</pre><pre>advapi32.dll</pre><pre>RegOpenKeyExA</pre><pre>RegCloseKey</pre><pre>ReportEventA</pre><pre>RegFlushKey</pre><pre>RegCreateKeyExA</pre><pre>WinExec</pre><pre>GetCPInfo</pre><pre>version.dll</pre><pre>gdi32.dll</pre><pre>SetViewportOrgEx</pre><pre>UnhookWindowsHookEx</pre><pre>SetWindowsHookExA</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutA</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextA</pre><pre>EnumWindows</pre><pre>EnumThreadWindows</pre><pre>ActivateKeyboardLayout</pre><pre>wininet.dll</pre><pre>333333333333333333</pre><pre>33333833</pre><pre>3333339</pre><pre>3333333333333338</pre><pre>:*"*"$3338</pre><pre>3333333</pre><pre>33333333</pre><pre>33333333333</pre><pre>3333333333338</pre><pre>33338?383</pre><pre>333333333333</pre><pre>:*3:"$3338</pre><pre>333333333333333</pre><pre>KWindows</pre><pre>UrlMon</pre><pre>0IdHTTPHeaderInfo</pre><pre> IdTCPServer</pre><pre>IdTCPStream</pre><pre>.SHDocVw_TLB</pre><pre>Font.Charset</pre><pre>Font.Color</pre><pre>Font.Height</pre><pre>Font.Name</pre><pre>Font.Style</pre><pre>OnExecute</pre><pre>http://www.w3.org/2001/XMLSchema</pre><pre>http://www.w3.org/2000/xmlns/</pre><pre>http://www.w3.org/2001/XMLSchema-instance</pre><pre>http://www.easy78.cn</pre><pre>Command not supported.</pre><pre>Address type not supported.$Error accepting connection with SSL.</pre><pre>Error creating SSL context. Could not load root certificate.</pre><pre>Could not load certificate.#Could not load key, check password.</pre><pre>SSL status: "%s"</pre><pre>Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.</pre><pre>0Address family not supported by protocol family.</pre><pre>Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.</pre><pre>Operation would block.</pre><pre>Operation now in progress.</pre><pre>Operation already in progress.</pre><pre>Socket operation on non-socket.</pre><pre>Protocol not supported.</pre><pre>Socket type not supported."Operation not supported on socket.</pre><pre>Protocol family not supported.</pre><pre>Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)</pre><pre>Resolving hostname %s.</pre><pre>Connecting to %s.</pre><pre>Chunk StartedDThis authentication method is already registered with class name %s.</pre><pre>%s is not a valid service.</pre><pre>Socket Error # %d</pre><pre>Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.</pre><pre>File "%s" not found1Only one TIdAntiFreeze can exist per application.</pre><pre>No data to read.$Can not bind in port range (%d - %d)</pre><pre>Invalid Port Range (%d - %d)</pre><pre><Selected DOM Vendor does not support this property or method><pre>Node "%s" not found</pre><pre>IDOMNode required.Attributes are not supported on this node type</pre><pre>Invalid node type Mismatched paramaters to RegisterChildNodes Element does not contain a single text node4DOM Implementation does not support IDOMParseOptions</pre><pre>Node is readonlyCRefresh is only supported if the FileName or XML properties are set</pre><pre>No help keyword specified.</pre><pre>OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters</pre><pre>OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s)"%s" DOMImplementation already registered</pre><pre>No matching DOM Vendor: "%s"</pre><pre>No help found for %s#No context-sensitive help installed$No topic-based help system installed</pre><pre>shutdown(Service failed in custom message(%d): %s</pre><pre>Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"</pre><pre>Alt Clipboard does not support Icons</pre><pre>Cannot open clipboard/Menu '%s' is already being used by another form</pre><pre>Service failed on %s: %s</pre><pre> Cannot focus a disabled or invisible window!Control '%s' has no parent window</pre><pre>Thread Error: %s (%d)</pre><pre>Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic</pre><pre>Unsupported clipboard format</pre><pre>List capacity out of bounds (%d)</pre><pre>List count out of bounds (%d)</pre><pre>List index out of bounds (%d) Out of memory while expanding memory stream</pre><pre>Error reading %s%s%s: %s</pre><pre>Failed to get data for '%s'</pre><pre>Failed to set data for '%s'</pre><pre>Resource %s not found</pre><pre>%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group</pre><pre>Property %s does not exist</pre><pre>Thread creation error: %s</pre><pre>Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread</pre><pre>Class %s not found</pre><pre>A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates</pre><pre>Cannot create file "%s". %s</pre><pre>Cannot open file "%s". %s</pre><pre>Invalid stream format$''%s'' is not a valid component name</pre><pre>Invalid data type for '%s'</pre><pre>Ancestor for '%s' not found</pre><pre>Cannot assign a %s to a %s</pre><pre>Interface not supported</pre><pre>%s (%s, line %d)</pre><pre>Abstract Error?Access violation at address %p in module '%s'. %s of address %p</pre><pre>System Error. Code: %d.</pre><pre>Invalid variant operation</pre><pre>Invalid NULL variant operation%Invalid variant operation (%s%.8x)</pre><pre>%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)</pre><pre>Operation not supported</pre><pre>External exception %x</pre><pre>Invalid pointer operation</pre><pre>Invalid class typecast0Access violation at address %p. %s of address %p</pre><pre>Privileged instruction(Exception %s in module %s at %p.</pre><pre>Application Error1Format '%s' invalid or incompatible with argument</pre><pre>No argument for format '%s'"Variant method calls not supported</pre><pre>!'%s' is not a valid integer value</pre><pre>I/O error %d</pre><pre>Integer overflow Invalid floating point operation</pre>idnsvr.exe_4052:<pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.rsrc</pre><pre>user32.dll</pre><pre>WinExec</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>RegCloseKey</pre><pre>RegOpenKeyExA</pre><pre>RegNotifyChangeKeyValue</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>SHLWAPI.dll</pre><pre>COMCTL32.dll</pre><pre>WS2_32.dll</pre><pre>GetCPInfo</pre><pre>advapi32.dll</pre><pre>cnprovh.dll</pre><pre>FinalMsg</pre><pre>repreg.dat</pre><pre>replace.dat</pre><pre>ctrcfg.ini</pre><pre>usrcfg.ini</pre><pre>idnsvr.dll</pre><pre>\\.\CnTran</pre><pre>159.226.1.19</pre><pre>xn--cnnic-vo0ll97o.xn--fiqs8s</pre><pre>ipconfig.exe /flushdns</pre><pre>SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces</pre><pre>%Program Files%\OCINS\</pre><pre>dnsvr.exe</pre><pre>%Program Files%\OCINS\idnsvr.exe</pre><pre>.Xtnz</pre><pre>version="1.0.0.0"</pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre>2, 6, 0, 0</pre><pre>idnsvr.exe</pre><pre>1.2.6.7</pre><pre>Arrange Icons/Arrange windows so they overlap</pre><pre>Cascade Windows5Arrange windows as non-overlapping tiles</pre><pre>Tile Windows5Arrange windows as non-overlapping tiles</pre><pre>Tile Windows(Split the active window into panes</pre><pre>Replace%Select the entire document</pre></Selected></pre></pre></pre></pre></Selected></pre></pre></pre>