Analysis Date: 2015-10-30 15:06:25
MD5: 2217d16b109ea25a430d501ed4896ec0
SHA1: faed92f5f2d2de2eb06419fbc9d0a641dac894d9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .rdata md5: e17e5f44217af0f53247cc43897815ae sha1: 442a16723ba0065b859a69a9b0407a08157c949f size: 8192
Section: .data md5: e8d3e3e2c50827fd769ee5f2ece0dd45 sha1: 9e26dd9fc0a79e4fa21071f4cd5c6ee6516d0a3c size: 73728
Section: .rsrc md5: 64a80f6fb2134ee9f3c819db80e6fb52 sha1: fdbecd81e68522f6fc7a9e071fa4d41472620a63 size: 40960
Timestamp: 2013-07-20 09:35:50
Version:
  LegalCopyright: (C) 360.cn Inc. All Rights Reserved.
  InternalName: 360ApkInstaller
  FileVersion: 1, 6, 0, 1620
  CompanyName: 360.cn
  ProductName: 360手机助手
  ProductVersion: 1, 6, 0, 1620
  FileDescription: 360手机助手
  OriginalFilename: 360ApkInstaller.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 5a56cf93bca358ef2b90693bde57b234bfea118d
IMPhash: 7f586655d07154a7f2c5170e697b53e0
AV Rising: Backdoor.Overie!486D
AV Mcafee: GenericR-ECI!2217D16B109E
AV Avira (antivir): WORM/Rbot.Gen
AV Twister: Virus.7195086702160658
AV Ad-Aware: Generic.ServStart.AA53D39E
AV Alwil (avast): Lapka-A [Trj]:ServStart-C [Trj]
AV Eset (nod32): Win32/ServStart.ER
AV Grisoft (avg): DDoS.AC
AV Symantec: Backdoor.Trojan
AV Fortinet: W32/ServStart.CL!tr
AV BitDefender: Generic.ServStart.AA53D39E
AV K7: Trojan ( 0040f8ac1 )
AV Microsoft Security Essentials: DDoS:Win32/Nitol.B
AV MicroWorld (escan): Generic.ServStart.AA53D39E
AV MalwareBytes: Trojan.ServStart
AV Authentium: W32/A-4bcfabc1!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.DoS.CKP
AV Emsisoft: Generic.ServStart.AA53D39E
AV Zillya!: Rootkit.Lapka.Win32.1078
AV Kaspersky: Trojan.Win32.Generic:Rootkit.Win32.Lapka.bw
AV Trend Micro: TROJ_SPNR.1AG213
AV CAT (quickheal): Trojan.Nitol.A
AV VirusBlokAda (vba32): SScope.Trojan.Unigo
AV Padvish: Malware.SubId.28425637
AV BullGuard: Generic.ServStart.AA53D39E
AV Arcabit (arcavir): Generic.ServStart.AA53D39E:Gen:Variant.Kazy.194867
AV ClamAV: no_virus
AV Dr. Web: Trojan.Click2.60400
AV F-Secure: Generic.ServStart.AA53D39E
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\shilei\Description ➝ Distribuitv Transaction Coordinator Service.
Creates File: C:\WINDOWS\system32\360.exe
Creates Service: Distribudjn Transaction Coordinator Service - C:\WINDOWS\system32\360.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1164

Process
↳ C:\WINDOWS\system32\360.exe

Creates File: C:\Program Files\Windows Media Player\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\lpk.dll
Creates File: C:\Program Files\Messenger\lpk.dll
Creates File: C:\Program Files\MSN Gaming Zone\Windows\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\lpk.dll
Creates File: C:\Program Files\Windows NT\Accessories\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\Speech\lpk.dll
Creates File: C:\Program Files\Outlook Express\lpk.dll
Creates File: C:\temp\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll
Creates File: C:\Program Files\Internet Explorer\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\lpk.dll
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Windows NT\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\lpk.dll
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\lpk.dll
Creates File: C:\Program Files\Movie Maker\lpk.dll
Creates File: hra864.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll
Creates File: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\d35c221f74db5d48b3aa3ad663400c85\lpk.dll
Creates File: C:\Program Files\Windows NT\Pinball\lpk.dll
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\lpk.dll
Creates File: hra33.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\lpk.dll
Creates File: C:\Program Files\NetMeeting\lpk.dll
Deletes File: hra33.dll
Creates Mutex: shilei

Network Details:

DNS: gucaijuan.eicp.net
Type: A
174.128.255.231
Flows TCP: 192.168.1.1:1031 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1032 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1033 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1034 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1035 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1036 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1037 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1038 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1039 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1040 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1041 ➝ 174.128.255.231:8080
Flows TCP: 192.168.1.1:1042 ➝ 174.128.255.231:8080

Raw Pcap
0x00000000 (00000)   6401                                  d.


Strings
.1
ExitThrad
sndto
ExitThrea
sento
ExitThread
ExitThreadsendto
ExitThread
ExitThread
ExitThreadExitThread
ExitThread
ExitThread
ExitThread
ExitThreadsendtoE
P
ExitThreadsendtoE
P
ExitThreadsendtoE
P
ExitThreadsendtoE..ExitThrea
sento
ExitThread
slhyz.cm
DtFi
wsprintf
wsprintfA
urlmon.ll
URLDownloaToFileA
lstrcpynA
ExitProcess
wsprintfA
ShellExecuteA
urlmon.ll
URLDownloaToFileA
lstrcpynA
ExitProcess
wsprintfA
ShellExecuteA
MovFilExAFindRsourcA
LoadRsourc
LockRsourc
CratFilA
WritFil
wsprintfA
EnuRourcNaA
GlobalFr
UpdatRsourcA
EndUpdatRsourcA
CratFilA
RgQuryValuExA
RgOpnKyExA
WaForSnglObjc
WaitForSingleObjectwsprintfAExitProcessExitProce
RgOpnKyExA
ClosSrvicHandl
RgStValuExA
wsprintfA
RgQryValExA
RgOpnKyExA
wsprintfA
00-+ 
\
.
 
080404b0
1, 6, 0, 1620
360ApkInstaller
360ApkInstaller.exe
360.cn
(C) 360.cn Inc. All Rights Reserved.
CompanyName
FileDescription
FileVersion
         (((((                  H
InternalName
@jjj
jjjjj
LegalCopyright
(null)
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
= =$=(=,=
            
010;0@0J0O0[0`0k0x0
0123456789abcdefghijklmnopqrstuvwxyz
; ;$;(;,;0;4;8;
%04d%02d%02d
< <'<,<0<4<Q<{<
1%141@1F1a1x1
192.168.1.244
:":2:x:
360.exe
374K4u4
3D3O3g3p3w3
5-5G5P5
737=7L7Z7w7
81779538177953
8!8)8/888?8J8S8Y8
9)9E9P9V9_9d9j9s9{9
abnormal program termination
Accept-Encoding: gzip, deflate
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept: text/html, */*
ADVAPI32.dll
_AheadLib_ftsWordBreak
_AheadLib_LpkDllInitialize
_AheadLib_LpkDrawTextEx
_AheadLib_LpkExtTextOut
"_AheadLib_LpkGetCharacterPlacement
!_AheadLib_LpkGetTextExtentExPoint&
_AheadLib_LpkInitialize
_AheadLib_LpkPSMTextOut
_AheadLib_LpkTabbedTextOut
_AheadLib_LpkUseGDIWidthCache"
        </application>
        <application>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
August
.?AVtype_info@@
BeginUpdateResourceA
../Bin/Release/Plug/Infect.addon
bpk%c%c%c%c%ccn.exe
build\intel\mt_obj\memmove.obj
??_C@_01FDHG@?$CK?$AA@
??_C@_01PJCK@?4?$AA@
??_C@_02OOND@?4?4?$AA@
??_C@_03CBC@A?3?2?$AA@
??_C@_03GGAF@hrl?$AA@2
??_C@_03ONJP@?47Z?$AA@
??_C@_04BAIL@?4EXE?$AA@
??_C@_04LKEC@?4RAR?$AA@
??_C@_04MKIN@?4ZIP?$AA@
??_C@_04OIJD@?2lpk?$AA@
??_C@_04OMOF@?4TMP?$AA@
??_C@_07JKEF@lpk?4dll?$AA@
$??_C@_0BB@KAAA@LpkTabbedTextOut?$AA@
$??_C@_0BB@MPGK@LpkDllInitialize?$AA@
'??_C@_0BE@JEIC@LpkUseGDIWidthCache?$AA@
+??_C@_0BI@GLDB@LpkGetTextExtentExPoint?$AA@
,??_C@_0BJ@ENAK@LpkGetCharacterPlacement?$AA@
??_C@_0N@HIHH@ftsWordBreak?$AA@
 ??_C@_0O@BEPG@LpkPSMTextOut?$AA@
 ??_C@_0O@DKBP@LpkDrawTextEx?$AA@
??_C@_0O@EFO@LpkInitialize?$AA@
 ??_C@_0O@MLOE@LpkExtTextOut?$AA@
!??_C@_0P@MHLB@LpkEditControl?$AA@:
Cache-Control: no-cache
'C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\lnk2&
ChangeServiceConfig2A
CloseHandle
CompareStringA
CompareStringW
    </compatibility></assembly>
Connection: Close
Connection: Keep-Alive
Content-Type: text/html
CopyFileA
?CopySvcName@@YAHXZ
CreateEventA
CreateFileA
CreateMutexA
CreateProcessA
CreateServiceA
CreateThread
@.data
%d.%d.%d.%d
dddd, MMMM dd, yyyy
December
DeleteCriticalSection
DeleteService
Description
DisableThreadLibraryCalls
Distribudjn Transaction Coordinator Service
Distribuitv Transaction Coordinator Service.
_DllMain@12
?DoInfect@@YAXXZ
DOMAIN error
D$$RPUUUUU
D:\VC98\LIB\advapi32.lib
D:\VC98\LIB\comdlg32.lib
D:\VC98\LIB\gdi32.lib
D:\VC98\LIB\kernel32.lib
D:\VC98\LIB\LIBCMT.lib
D:\VC98\LIB\odbc32.lib
D:\VC98\LIB\odbccp32.lib
D:\VC98\LIB\OLDNAMES.lib
D:\VC98\LIB\ole32.lib
D:\VC98\LIB\oleaut32.lib
D:\VC98\LIB\shell32.lib
D:\VC98\LIB\shlwapi.lib
D:\VC98\LIB\user32.lib
D:\VC98\LIB\uuid.lib
D:\VC98\LIB\winspool.lib
EnterCriticalSection
?EnumAllDisk@@YAXXZ
?EnumDiskFiles@@YGHPBD@Z
ExitProcess
February
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
- floating point not loaded
FlushFileBuffers
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
Friday
ftsWordBreak
GetACP
GetActiveWindow
?GetAddress@@YGP6GHXZPBD@Z
?GetAllAddress@@YAXXZ&
GetCommandLineA
GetComputerNameA
GetCPInfo
GetCurrentProcess
GetCurrentThreadId
GetDesktopWindow
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileType
GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm
GetLastActivePopup
GetLastError
GetLocaleInfoW
GetLocalTime
GetLogicalDrives
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GET %s HTTP/1.1
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemTime
GetTempFileNameA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GlobalAlloc
__GLOBAL_HEAP_SELECTED
GlobalMemoryStatusEx
`h````
HARDWARE\DESCRIPTION\System\CentralProcessor\0
?hDllModule@@3PAUHINSTANCE__@@A
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
?hExitEvent@@3PAXA
HHtpHHtl
?hLpkModule@@3PAUHINSTANCE__@@A
H:mm:ss
Host: %s
Host: %s:%d
hra%u.dll
HSVHWtgHHtF
?hThread@@3PAXA
iexplore.exe
ImagePath
__imp__CloseHandle@4
__imp__CopyFileA@12
__imp__CreateEventA@16
__imp__CreateFileA@28
__imp__CreateMutexA@12
__imp__CreateProcessA@40
__imp__CreateThread@24
"__imp__DisableThreadLibraryCalls@4
__imp__DriveType@4
__imp__ExitProcess@4
__imp__FindClose@4
__imp__FindFirstFileA@8
__imp__FindNextFileA@8
__imp__FindResourceA@12
__imp__FreeLibrary@4
__imp__GetFileAttributesA@4
__imp__GetLastError@0&
__imp__GetLogicalDrives@0&
__imp__GetModuleFileNameA@12
__imp__GetProcAddress@8
__imp__GetSystemDirectoryA@8
__imp__GetTempFileNameA@16
__imp__GetTempPathA@8&
__imp__GetTickCount@0&
__imp__LoadLibraryA@4&
__imp__LoadResource@8*
__imp__LockResource@4&
__imp__lstrcatA@8"
__imp__lstrcmpiA@8
__imp__lstrcpyA@8&
__imp__lstrcpynA@12
__IMPORT_DESCRIPTOR_KERNEL32
__IMPORT_DESCRIPTOR_SHELL32
__IMPORT_DESCRIPTOR_SHLWAPI
__imp__PathAppendA@8
__imp__PathFindExtensionA@4
__imp__PathFindFileNameA@4
__imp__ResumeThread@4*
__imp__SetEvent@4"
__imp__SetFileAttributesA@8
__imp__SetThreadPriority@8
__imp__SizeofResource@8
__imp__TerminateThread@8
 __imp__WaitForMultipleObjects@16
__imp__WaitForSingleObject@8
__imp__WriteFile@20
?InfectRAR@@YAXPAD@Z
InitializeCriticalSection
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
IQh<9@
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
?IsLoadedBySvc@@YAHXZ
?IsSvcAddon@@YAHXZ
?IsSvcExists@@YAHXZ
JanFebMarAprMayJunJulAugSepOctNovDec
January
j Ph@2
kernel32.dll
KERNEL32.dll
KERNEL32_NULL_THUNK_DATA.
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadResource
LocalAlloc
LockResource
LockServiceDatabase
lpk.addon
lpk.dll
LpkDllInitialize
LpkDrawTextEx
LpkEditControl
LpkExtTextOut
LpkGetCharacterPlacement
LpkGetTextExtentExPoint
LpkInitialize
LpkPSMTextOut
LpkTabbedTextOut
LpkUseGDIWidthCache
lstrcatA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
M/d/yy
_memmove
MessageBoxA
Microsoft CVTRES 5.00.1735.1
Microsoft (R) LINK
Microsoft Visual C++ Runtime Library
Monday
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
NB11H>
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
__NULL_IMPORT_DESCRIPTOR
October
OpenMutexA
OpenSCManagerA
OpenServiceA
PathAppendA
PathFindExtensionA
PathFindFileNameA
?pfnftsWordBreak@@3PAXA
?pfnLpkDllInitialize@@3PAXA
?pfnLpkDrawTextEx@@3PAXA
?pfnLpkEditControl@@3PAPAXA
?pfnLpkExtTextOut@@3PAXA
#?pfnLpkGetCharacterPlacement@@3PAXA
"?pfnLpkGetTextExtentExPoint@@3PAXA
?pfnLpkInitialize@@3PAXA
?pfnLpkPSMTextOut@@3PAXA
?pfnLpkTabbedTextOut@@3PAXA
?pfnLpkUseGDIWidthCache@@3PAXA
PPPPPPPP
ppxxxx
PQh$4@
PQhx3@
ProductName
Program: 
\Program Files\Internet Explorer\iexplore.exe
<program name unknown>
- pure virtual function call
PWh(>@
Qf9=@FA
QQSVW3
QQSVWd
QQSVWj
QRh`k@
RaiseException
`.rdata
.rdata
ReadFile
Referer: http://%s:80/http://%s
RegCloseKey
RegisterServiceCtrlHandlerA
RegOpenKeyA
Release/Addon_Infect.exp
.\Release\Addon_Infect.obj
.\Release\Addon_Infect.res
ReleaseMutex
@.reloc
ResumeThread
RPh85@
RtlUnwind
runtime error 
Runtime Error!
Saturday
?SaveBinDataAndExecute@@YAHXZ&
September
SetEnvironmentVariableA
SetEvent
SetFileAttributesA
SetFilePointer
SetHandleCount
SetLastError
SetServiceStatus
SetStdHandle
SetThreadPriority
SetUnhandledExceptionFilter
SHELL32.dll
SHELL32.dll*
SHELL32_NULL_THUNK_DATA
shilei
SHLWAPI.dll
SHLWAPI.dll*
SHLWAPI_NULL_THUNK_DATA
SING error
SizeofResource
sO;>|C;~
SOFTWARE.LOG
SOFTWARE\Microsoft\Windows NT\CurrentVersion
%s %s%s
SS@SSPVSS
StartServiceA
StartServiceCtrlDispatcherA
StartWork
StopWork
?strDllPath@@3PADA
Sunday
SunMonTueWedThuFriSat
            <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
            <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
?svcname@@3PADA
SYSTEM\CurrentControlSet\Services\
T$ _^]3
TerminateProcess
TerminateThread
t`h<<@
!This program cannot be run in DOS mode.
T$hQUh
Thursday
timeGetTime
TLOSS error
TlsAlloc
TlsGetValue
TlsSetValue
tMhL<@
t#SSUP
t.;t$$t(
Tuesday
t$$VSS
t/WWUPj
>:u#FV
%u MHz
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
>:uNFV
UnhandledExceptionFilter
UnlockServiceDatabase
user32.dll
USER32.dll
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
VC20XC00U
VirtualAlloc
VirtualFree
VWuBhT
?WaitDiskChanged@@YAHXZ
WaitForMultipleObjects
WaitForSingleObject
Wednesday
WideCharToMultiByte
Windows 2000
Windows 2003
Windows 2008
Windows 7
Windows NT
Windows Vista
Windows XP
WinExec
WINMM.dll
wPhd<@
WriteFile
WS2_32
WS2_32.dll
WSAIoctl
WSASocketA
wsprintfA
_^][YY
YYh00@
z<>6>6