Adware.Win32.Webalta_ba9d2fcc39

by malwarelabrobot on June 20th, 2017 in Malware Descriptions.

Trojan.GenericKD.4714675 (BitDefender), Trojan:Win32/Dynamer!ac (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), BackDoor.Infector.50 (DrWeb), Trojan.GenericKD.4714675 (B) (Emsisoft), Artemis!BA9D2FCC3968 (McAfee), Trojan.Gen.2 (Symantec), Trojan.GenericKD.4714675 (FSecure), MSIL:Banker-CF [Trj] (Avast), TROJ_GEN.R00JC0EDA17 (TrendMicro), Adware.Win32.Webalta.FD, Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, EmailWorm, VirTool, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: ba9d2fcc39687e8649837b1abbe44fa7
SHA1: c95b2f0936a48a07ecde83ff09775d91c9e8dae1
SHA256: 597b1b5d289f66e25c12999ec1a21e7be09a0e4a04338ca5f7491ef2e8994c49
SSDeep: 196608:peHuL4vDZ/icMu3ZUZeCTRDZ/icMu3ZUZegi:peHuL4vDZ/muJ6eCNDZ/muJ6egi
Size: 9002075 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-08-14 22:15:54
Analyzed on: Windows7 SP1 32-bit


Summary:

Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Adware creates the following process(es):

%original file name%.exe:1908

The Adware injects its code into the following process(es):

tpostgroups.exe:316

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1908 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\1.png (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups1e5.ico (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups.lim (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups1e5.exe (23062 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups.exe (23353 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups1e5.lim (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 5.ico (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 1.exe (7345 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 1.ico (2105 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 5.exe (7345 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups.ico (2105 bytes)

The Adware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_439735 (0 bytes)

The process tpostgroups.exe:316 makes changes in the file system.
The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D5.nbr (5348 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D4.nbr (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.bgm (2784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D3.ttf (9341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D3.nbp (3507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D3.nbr (3789 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D8.nbr (9619 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.mnz (250 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D6.nbr (5327 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.zip (810859 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.png (2141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.mnu (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D7.nbr (9400 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups.ico (372 bytes)

The Adware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.bgm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.mnu (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.zip (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.mnz (0 bytes)

Registry activity

The process %original file name%.exe:1908 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Adware deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process tpostgroups.exe:316 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"(Default)" = ""

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"tpostgroups.exe" = "9999"

Dropped PE files

MD5 File path
d4a6b9defc9aa7fedb842f6f77ec2242 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D3.nbp
914ec8ab93b34cf93b317319629053fd c:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D3.nbr
1bcc4757386324175746a5eb4605d7c9 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D4.nbr
e3160d0ad76263dccfa4bc2473f96f5d c:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D5.nbr
02cc8c64cce546a536cfc88419ae4cb1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D6.nbr
779161882b958496eae1ba6fdd5c51b3 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D7.nbr
a2827dc468b5daaaceb889b32b34ad07 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D8.nbr
17e50bb427e0ef39f65af48bb19642cc c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 1.exe
e62881a31ded15518e7aff90a725ad1f c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 5.exe
4e3c5f87f9f86e0ee94d8ca320128c2c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups.exe
4e3c5f87f9f86e0ee94d8ca320128c2c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups1e5.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 135031 135168 4.58976 792daf1ebbf0f019d3486580dfe317d1
.rdata 139264 36820 36864 3.55965 9d62ca750ab21611bd69d7a3e5333d52
.data 176128 185200 3072 1.91669 ab0f244b352be8b4c7ffac28b0999542
.gfids 364544 252 512 1.49939 7af9f45b4511d68a2575fde63622b162
.rsrc 368640 383464 383488 4.5742 44045ed0927b754a7dc8be894bd10e11
.reloc 753664 9044 9216 4.64072 f61d7f0f6bcc5a445f5126dff171e1c0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Adware connects to the servers at the folowing location(s):

%original file name%.exe_1908:

.text
`.rdata
@.data
.gfids
@.rsrc
@.reloc
t,j.Xj\f
w.SCv
COMCTL32.dll
SHLWAPI.dll
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
operator
operator ""
%S#[k
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.didat$5
.gfids$x
.gfids$y
.rsrc$01
.rsrc$02
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
SHFileOperationW
ShellExecuteExW
sfxzip.exe
GetCPInfo
KERNEL32.dll
GetProcessHeap
tpostgroups1e5.mnu
bG0%1x
tpostgroups1e5.mnuPK
vqE wqE!vpG"wpG"unI$vmK%ukK%vlM$ulM$vlM$ulO$ulQ$vmQ$umQ"tmQ"tlS!tmS!tmU!tnW smY tnY uo[ tn[
c:\%original file name%.exe
mK.~lM.~lM.|kM.{iO0{hQ1{fS3{dW3{dY3{e[2{e]1zf]0zf_/zga.yhc-yie yjg*ykk)zmm(zno&yoq%yps$yqw#yry"ys{"yt}"yt
vE&~sG)}qI*}oK*|nK*{mK zlM zjM,yiO,yiQ.ygS/yfU2yeW3zeY4zd[3yc]3yd]3zd_3ze_3zda3yec3zec4zeg6{ei7|dm8|eo8}eo8|eq7|fq7|fq7|gs8|fs8}gu;
toG tnI"tnK#tlK#tlK$tlM%ulM&ukO&ujO&tjO%siO%ukO%tkQ$tkQ&ukS&tjS&tjS&ukU&tjU&sjU&sjU&tkW&tkW'tjY(tjY)vk[*vj] vj_ vj_,wi_,xja,xja,wic,wic,vic vjc,wjc,wjc vke wke vke,wke,vje-wkg.xki0yki2zjk3zhm4ygm5zgo5zgo6{gm7{go7{go7zgo7zgo7zfm7zfm8zgm7zgm7zgk7ygk6ygi4yig3xjc1wja0wk_.wm],um[*tnY(tqU$suQ rwM
version="1.0.0.0"
<requestedExecutionLevel level="asInvoker"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
1"1&1*1.121[3
6#6'6 6/636
0 0$0(0,00040
Crypt32.dll
Maximum allowed array size (%u) is exceeded
version.dll
DXGIDebug.dll
sfc_os.dll
SSPICLI.DLL
rsaenh.dll
UXTheme.dll
dwmapi.dll
cryptbase.dll
lpk.dll
usp10.dll
clbcatq.dll
comres.dll
ws2_32.dll
ws2help.dll
psapi.dll
ieframe.dll
ntshrui.dll
atl.dll
setupapi.dll
apphelp.dll
userenv.dll
netapi32.dll
shdocvw.dll
crypt32.dll
msasn1.dll
cryptui.dll
wintrust.dll
shell32.dll
secur32.dll
cabinet.dll
oleaccrc.dll
ntmarta.dll
profapi.dll
WindowsCodecs.dll
srvcli.dll
cscapi.dll
slc.dll
imageres.dll
dnsapi.DLL
iphlpapi.DLL
WINNSI.DLL
netutils.dll
mpr.dll
devrtl.dll
propsys.dll
mlang.dll
samcli.dll
samlib.dll
wkscli.dll
dfscli.dll
browcli.dll
rasadhlp.dll
dhcpcsvc6.dll
dhcpcsvc.dll
XmlLite.dll
linkinfo.dll
cryptsp.dll
RpcRtRemote.dll
aclui.dll
dsrole.dll
peerdist.dll
uxtheme.dll
Please remove %s from %s folder. It is unsecure to run %s until it is done.
.zipx
z%s%d
z%sd
Shell.Explorer
<head><meta http-equiv="content-type" content="text/html; charset=
riched20.dll
%s %s %s
%s %s
GETPASSWORD1
winrarsfxmappingfile.tmp
M-d-d-d-d-d-d
sfxcmd
__tmp_rar_sfx_access_check_%u
-el -s2 "-d%s" "-p%s" "-sp%s"
%s.%d.tmp
Software\Microsoft\Windows\CurrentVersion
%s%s%d
KERNEL32.DLL
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
Extracting %s
tpostgroups1e5.lim
Enter password
&Enter password for the encrypted file:
Skipping %s
The file "%s" header is corrupt
Unknown method in %s
Cannot open %s
Cannot create %s
Cannot create folder %sHChecksum error in the encrypted file %s. Corrupt file or wrong password.
Checksum error in %s Packed data checksum error in %s
5Write error in the file %s. Probably the disk is full
Read error in the file %s
Extracting from %s
ErroraErrors encountered while performing the operation
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.
Extracting files to %s folder$Extracting files to temporary folder
=Total path and file name length must not exceed %d characters
Unknown encryption method in %s$The specified password is incorrect.
Cannot copy %s to %s.
Cannot create symbolic link %s
Cannot create hard link %s
Security warningKPlease remove %s from folder %s. It is unsecure to run %s until it is done.

tpostgroups.exe_316:

`.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
Uh.QA
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
USER32.DLL
Uhl
windows
comctl32.dll
uxtheme.dll
PasswordChart
OnKeyDown
OnKeyPresst
OnKeyUp
ssHorizontal
OnKeyUp4eC
Proportional
Uh
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
.html
HHCtrl.ocx
%s: %s
Invalid stream operation
SakMsg
SakMsgd$G
TSakMsg
TSakMsgd$G
Uh%CG
Port
TSakSMTP
SakSMTP
UserPasswd
AUTH LOGIN
L_PWORDMSG
HKEY_CLASSES_ROOT
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
NBPlay5.exe
gdiplus.dll
GdiplusShutdown
GdipSetPenLineJoin
GdipGetPenLineJoin
GdipSetCustomLineCapStrokeJoin
GdipGetCustomLineCapStrokeJoin
GdipSetImageAttributesColorKeys
GdipSetStringFormatHotkeyPrefix
GdipGetStringFormatHotkeyPrefix
%d.%d
ole32.dll
olepro32.dll
1.1.4
Invalid ZStream operation!
1.2.5
L$$:L$%u
.jpeg
.tiff
wp_Executive
wpActivateUndoHotkey
wpStreamUndoOperation
wpActivateRedoHotkey
webdings
3.0.9
t.HtQHtq
@.Ht5HtDHt
IMPORT
keywords
operator
\red%d\green%d\blue%d;
htCP
.HTML
DragAndDropSupportP
TMonochromeLookup
shfolder.dll
shell32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizable8
OnWindowSetLeft|
OnWindowSetTop
OnWindowSetWidth
OnWindowSetHeightH
ErrorUrl
CmdID
TGetOverrideKeyPathEvent
pchKey
pcmdtReserved
lpMsg
PMsg
pguidCmdGroup
nCmdID
TGetOptionKeyPathEvent
TTranslateUrlEvent
pchURLIn
ppchURLOut
DLCTL_URL_ENCODING_DISABLE_UTF8
DLCTL_URL_ENCODING_ENABLE_UTF8
URL_ENCODING_DISABLE_UTF8
URL_ENCODING_ENABLE_UTF8
OnGetOverrideKeyPathh
OnGetOptionKeyPathH
OnTranslateUrl`
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
htmlfile\shell\open\ddeexec\application
htmlfile\shell\open\ddeexec\topic
Folder\shell\open\ddeexec\application
Folder\shell\open\ddeexec\topic
Folder\shell\open\ddeexec
Folder\shell\explore\ddeexec
Directory\shell\find\ddeexec
Uh5%S
ProfilePort
TNeoHTTP
hXXp://
hXXps://
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
HttpOpenRequestA
HttpSendRequestA
InternetCanonicalizeUrlA
InternetCrackUrlA
FtpOpenFileA
EXITPASSWORD=
WINDOWSTYLE=
BYPASSPRINTDLG=
STARTPASSWORD=
MSGBOXIMAGE=
WINDOWREGKEY=
EDITPASSWORD=
URLVARNAME=
MENUKEY=
NBDebug.dll
Debug_ErrorReport
KERNEL32.DLL
OnExecuteMacro
Service %s
Topic %s
urlmon.dll
CreateURLMoniker
OLEAUT32.DLL
PasswordPanel
Password
PasswordChange
TPasswordEntryForm
SMTPError
SMTPSendProgress
FormKeyDown
NEOBOOKDDESERVERExecuteMacro
[WINDOWSTATE]
SMTP Server
[MailPort]
[MailUserPassword]
HTTP:
HTTPS:
;$u%f
Software\Microsoft\Windows\CurrentVersion\Policies\System
[HTTPAgent]
[HTTPReferrer]
[HTTPUserID]
[HTTPUserPassword]
[HTTPTimeOut]
[HTTPPort]
RUNTIME.PUB
WindowsDir
.ExitCode
.WinHandle
.ProcessHandle
.ProcessID
PSAPI.dll
DIR.COPY.DEL.TYPE.VER.ERASE.TREE.CHCP.CHDIR.CD.DATE.MKDIR.MD.RENAME.REN.RMDIR.RD.TIME.VOL.
CMD.EXE
COMMAND.COM
Control.exe
.EXE.COM.BAT.LNK.PIF.URL.SCR.MSI.HLP.CHM.
.HTML.HTM.
explorer.exe
MPR.DLL
PwdChangePasswordA
ScreenSaveUsePassword
PASSWORD.CPL
MsgPanel
.MID.RMI
CLOSEWINDOWS
nbExecAction
_nbExecAction
BrowserExport
BrowserExecScript
SendKeys
HotKey
TNeoBookWebBrowser
TrapPopupWindows
DefaultURL
URLVarName
TNeoBookMediaPlayer4%X
HTTP:/
HTTPS:/
HTTP:\
HTTPS:\
BrowserPrevBtn.png
BrowserNextBtn.png
BrowserStopBtn.png
BrowserRefreshBtn.png
http:
https:
.WMF.EMF
MediaPlayerPlayBtn.png
MediaPlayerPauseBtn.png
MediaPlayerStopBtn.png
MediaPlayerTrack.png
MediaPlayerThumb.png
.fsCommand
.fsArgs
CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32
embedded:\\\flash.ocx
C:\My Documents\
%Program Files%\
WindowState=W
WindowsDir=R
WindowsPlatform=R
WindowsVer=R
WindowsVerName=R
SOFTWARE\Microsoft\Windows NT\CurrentVersion
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
1.0.6 or earlier
iTXt chunk not supported.
libpng version 1.2.5 - October 3, 2002
libpng version 1.2.5 - October 3, 2002 (header)
Only compression windows <= 32k supported by PNG
Only compression windows >= 256 supported by PNG
Only compression method 8 is supported by PNG
Empty keyword in iCCP chunk
Empty keyword in sPLT chunk
zero length keyword
invalid character in keyword
trailing spaces removed from keyword
leading spaces removed from keyword
extra interior spaces removed from keyword
Zero length keyword
keyword length must be 1 - 79 characters
Empty keyword in tEXt chunk
Empty keyword in zTXt chunk
DBv}.Bv
&=J@/ .CJ=&
KWindows
UrlMon
.NeoHeadPanel
UAppKeys
NeoBookIEExeProtocol
NBUrlMon
OSakMsg
.ScktComp
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
HorzScrollBar.Smooth
HorzScrollBar.Tracking
VertScrollBar.Smooth
VertScrollBar.Tracking
PasswordEntryForm
Picture.Data
PasswordChar
VVV.neosoftware.com
WinExec
GetWindowsDirectoryA
GetCPInfo
RegOpenKeyExA
RegFlushKey
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
SetViewportExtEx
ShellExecuteExA
ShellExecuteA
FindExecutableA
keybd_event
VkKeyScanA
UnregisterHotKey
UnhookWindowsHookEx
SetWindowsHookExA
SetKeyboardState
RegisterHotKey
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
stdole2.tlbWWW
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
advapi32.dll
comdlg32.dll
gdi32.dll
MsVfW32.dll
user32.dll
version.dll
winmm.dll
winspool.drv
wsock32.dll
TPASSWORDENTRYFORM
Invalid drive! Cannot remove current directory.%Disk read error! File may be damaged.
This application was created with a trial version of NeoBook 5.|Applications created with the trial version are limited to 2 days|of use. This application has exceeded that time and will no|longer function.%Sending eMail. Do you want to cancel?%This action requires %s parameter(s).3Action references a subroutine that does not exist.,This expression is missing a quotation mark.
Unable to load image..Action references a label that does not exist.)A function with this name does not exist.
Invalid registry key! Loop action requires a variable.)Page change actions are not allowed here.
1This is not an application! Try another exe file.
Cannot copy file.CYou do not have enough memory or the|program is corrupt or invalid.
Path does not exist.fAn attempt was made to dynamically link to a task,|or there was a sharing or network-protection error.7There is insufficient memory to start this application.9This application requires a different version of Windows.lThe application's executable file is invalid. Either|it is not a Windows application or the file is corrupt.?This application was designed for a different operating system.?This application is already running and cannot be loaded twice.VThis application is compressed. The file must|be decompressed before it can be loaded.FA dynamic-link library (DLL) required by this application was invalid.4This application requires Windows 32-bit extensions.,No application is associated with this file! Unable to load this application.
Downloading...0Invalid input value. Use ESC to abandon changes.7The %s action cannot originate from a Web Browser link.
Unable to initialize debugger.3This mathematical equation contains a syntax error.""%s" is not a valid integer value.#"%s" is not a valid currency value.""%s" is not a valid decimal value.""%s" is not a valid boolean value.
"%s" is not a valid date value./Cannot change the type of global variable "%s".""%s" is not a valid variable type.-Could not identify application's main window.
Cannot find application.)An application is already attached to %s.&This application does not have a menu.*Application does not accept dropped files.
Invalid key
%s is not a valid operator."Expression is missing an operator.
Action requires visible object..Only one Internet action is allowed at a time.
Unknown GIF block type'Object type not supported for operation
Unsupported PixelFormat
NUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Unsupported GIF version
Invalid extension introducerúiled to allocate memory for GIF DIB
Invalid Image trailerAInternal error: Extension Instance does not match Extension Label,Unsupported Application Extension block size
#Object factory for class %s missing%Type information missing for class %s'Incorrect type information for class %s(Dispatch interface missing from class %s.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design mode
No help keyword specified.$Error creating system registry entry
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count
Cannot drag a form"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversation
Invalid input value7Invalid input value. Use escape key to abandon changes
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s on %s
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
No help found for %s#No context-sensitive help installed$No topic-based help system installed
$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
'%s' is an invalid mask at (%d)
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
<unknown>!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
04090000
3.0.1.57

tpostgroups.exe_316_rwx_00401000_001E8000:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
Uh.QA
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
EInvalidGraphicOperation
USER32.DLL
Uhl
windows
comctl32.dll
uxtheme.dll
PasswordChart
OnKeyDown
OnKeyPresst
OnKeyUp
ssHorizontal
OnKeyUp4eC
Proportional
Uh
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
.html
HHCtrl.ocx
%s: %s
Invalid stream operation
SakMsg
SakMsgd$G
TSakMsg
TSakMsgd$G
Uh%CG
Port
TSakSMTP
SakSMTP
UserPasswd
AUTH LOGIN
L_PWORDMSG
HKEY_CLASSES_ROOT
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
NBPlay5.exe
gdiplus.dll
GdiplusShutdown
GdipSetPenLineJoin
GdipGetPenLineJoin
GdipSetCustomLineCapStrokeJoin
GdipGetCustomLineCapStrokeJoin
GdipSetImageAttributesColorKeys
GdipSetStringFormatHotkeyPrefix
GdipGetStringFormatHotkeyPrefix
%d.%d
ole32.dll
olepro32.dll
1.1.4
Invalid ZStream operation!
1.2.5
L$$:L$%u
.jpeg
.tiff
wp_Executive
wpActivateUndoHotkey
wpStreamUndoOperation
wpActivateRedoHotkey
webdings
3.0.9
t.HtQHtq
@.Ht5HtDHt
IMPORT
keywords
operator
\red%d\green%d\blue%d;
htCP
.HTML
DragAndDropSupportP
TMonochromeLookup
shfolder.dll
shell32.dll
IWebBrowser
IWebBrowserApp
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizable8
OnWindowSetLeft|
OnWindowSetTop
OnWindowSetWidth
OnWindowSetHeightH
ErrorUrl
CmdID
TGetOverrideKeyPathEvent
pchKey
pcmdtReserved
lpMsg
PMsg
pguidCmdGroup
nCmdID
TGetOptionKeyPathEvent
TTranslateUrlEvent
pchURLIn
ppchURLOut
DLCTL_URL_ENCODING_DISABLE_UTF8
DLCTL_URL_ENCODING_ENABLE_UTF8
URL_ENCODING_DISABLE_UTF8
URL_ENCODING_ENABLE_UTF8
OnGetOverrideKeyPathh
OnGetOptionKeyPathH
OnTranslateUrl`
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
htmlfile\shell\open\ddeexec\application
htmlfile\shell\open\ddeexec\topic
Folder\shell\open\ddeexec\application
Folder\shell\open\ddeexec\topic
Folder\shell\open\ddeexec
Folder\shell\explore\ddeexec
Directory\shell\find\ddeexec
Uh5%S
ProfilePort
TNeoHTTP
hXXp://
hXXps://
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
wininet.dll
InternetOpenUrlA
HttpQueryInfoA
HttpOpenRequestA
HttpSendRequestA
InternetCanonicalizeUrlA
InternetCrackUrlA
FtpOpenFileA
EXITPASSWORD=
WINDOWSTYLE=
BYPASSPRINTDLG=
STARTPASSWORD=
MSGBOXIMAGE=
WINDOWREGKEY=
EDITPASSWORD=
URLVARNAME=
MENUKEY=
NBDebug.dll
Debug_ErrorReport
KERNEL32.DLL
OnExecuteMacro
Service %s
Topic %s
urlmon.dll
CreateURLMoniker
OLEAUT32.DLL
PasswordPanel
Password
PasswordChange
TPasswordEntryForm
SMTPError
SMTPSendProgress
FormKeyDown
NEOBOOKDDESERVERExecuteMacro
[WINDOWSTATE]
SMTP Server
[MailPort]
[MailUserPassword]
HTTP:
HTTPS:
;$u%f
Software\Microsoft\Windows\CurrentVersion\Policies\System
[HTTPAgent]
[HTTPReferrer]
[HTTPUserID]
[HTTPUserPassword]
[HTTPTimeOut]
[HTTPPort]
RUNTIME.PUB
WindowsDir
.ExitCode
.WinHandle
.ProcessHandle
.ProcessID
PSAPI.dll
DIR.COPY.DEL.TYPE.VER.ERASE.TREE.CHCP.CHDIR.CD.DATE.MKDIR.MD.RENAME.REN.RMDIR.RD.TIME.VOL.
CMD.EXE
COMMAND.COM
Control.exe
.EXE.COM.BAT.LNK.PIF.URL.SCR.MSI.HLP.CHM.
.HTML.HTM.
explorer.exe
MPR.DLL
PwdChangePasswordA
ScreenSaveUsePassword
PASSWORD.CPL
MsgPanel
.MID.RMI
CLOSEWINDOWS
nbExecAction
_nbExecAction
BrowserExport
BrowserExecScript
SendKeys
HotKey
TNeoBookWebBrowser
TrapPopupWindows
DefaultURL
URLVarName
TNeoBookMediaPlayer4%X
HTTP:/
HTTPS:/
HTTP:\
HTTPS:\
BrowserPrevBtn.png
BrowserNextBtn.png
BrowserStopBtn.png
BrowserRefreshBtn.png
http:
https:
.WMF.EMF
MediaPlayerPlayBtn.png
MediaPlayerPauseBtn.png
MediaPlayerStopBtn.png
MediaPlayerTrack.png
MediaPlayerThumb.png
.fsCommand
.fsArgs
CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32
embedded:\\\flash.ocx
C:\My Documents\
%Program Files%\
WindowState=W
WindowsDir=R
WindowsPlatform=R
WindowsVer=R
WindowsVerName=R
SOFTWARE\Microsoft\Windows NT\CurrentVersion
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
1.0.6 or earlier
iTXt chunk not supported.
libpng version 1.2.5 - October 3, 2002
libpng version 1.2.5 - October 3, 2002 (header)
Only compression windows <= 32k supported by PNG
Only compression windows >= 256 supported by PNG
Only compression method 8 is supported by PNG
Empty keyword in iCCP chunk
Empty keyword in sPLT chunk
zero length keyword
invalid character in keyword
trailing spaces removed from keyword
leading spaces removed from keyword
extra interior spaces removed from keyword
Zero length keyword
keyword length must be 1 - 79 characters
Empty keyword in tEXt chunk
Empty keyword in zTXt chunk
DBv}.Bv
&=J@/ .CJ=&
KWindows
UrlMon
.NeoHeadPanel
UAppKeys
NeoBookIEExeProtocol
NBUrlMon
OSakMsg
.ScktComp
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
HorzScrollBar.Smooth
HorzScrollBar.Tracking
VertScrollBar.Smooth
VertScrollBar.Tracking
PasswordEntryForm
Picture.Data
PasswordChar
VVV.neosoftware.com
WinExec
GetWindowsDirectoryA
GetCPInfo
RegOpenKeyExA
RegFlushKey
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
SetViewportExtEx
ShellExecuteExA
ShellExecuteA
FindExecutableA
keybd_event
VkKeyScanA
UnregisterHotKey
UnhookWindowsHookEx
SetWindowsHookExA
SetKeyboardState
RegisterHotKey
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
.idata
.rdata
P.reloc
P.rsrc
TPASSWORDENTRYFORM
Invalid drive! Cannot remove current directory.%Disk read error! File may be damaged.
This application was created with a trial version of NeoBook 5.|Applications created with the trial version are limited to 2 days|of use. This application has exceeded that time and will no|longer function.%Sending eMail. Do you want to cancel?%This action requires %s parameter(s).3Action references a subroutine that does not exist.,This expression is missing a quotation mark.
Unable to load image..Action references a label that does not exist.)A function with this name does not exist.
Invalid registry key! Loop action requires a variable.)Page change actions are not allowed here.
1This is not an application! Try another exe file.
Cannot copy file.CYou do not have enough memory or the|program is corrupt or invalid.
Path does not exist.fAn attempt was made to dynamically link to a task,|or there was a sharing or network-protection error.7There is insufficient memory to start this application.9This application requires a different version of Windows.lThe application's executable file is invalid. Either|it is not a Windows application or the file is corrupt.?This application was designed for a different operating system.?This application is already running and cannot be loaded twice.VThis application is compressed. The file must|be decompressed before it can be loaded.FA dynamic-link library (DLL) required by this application was invalid.4This application requires Windows 32-bit extensions.,No application is associated with this file! Unable to load this application.
Downloading...0Invalid input value. Use ESC to abandon changes.7The %s action cannot originate from a Web Browser link.
Unable to initialize debugger.3This mathematical equation contains a syntax error.""%s" is not a valid integer value.#"%s" is not a valid currency value.""%s" is not a valid decimal value.""%s" is not a valid boolean value.
"%s" is not a valid date value./Cannot change the type of global variable "%s".""%s" is not a valid variable type.-Could not identify application's main window.
Cannot find application.)An application is already attached to %s.&This application does not have a menu.*Application does not accept dropped files.
Invalid key
%s is not a valid operator."Expression is missing an operator.
Action requires visible object..Only one Internet action is allowed at a time.
Unknown GIF block type'Object type not supported for operation
Unsupported PixelFormat
NUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Unsupported GIF version
Invalid extension introducerúiled to allocate memory for GIF DIB
Invalid Image trailerAInternal error: Extension Instance does not match Extension Label,Unsupported Application Extension block size
#Object factory for class %s missing%Type information missing for class %s'Incorrect type information for class %s(Dispatch interface missing from class %s.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design mode
No help keyword specified.$Error creating system registry entry
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard Operation not supported on selected printer.There is no default printer currently selected/Menu '%s' is already being used by another form
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count
Cannot drag a form"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversation
Invalid input value7Invalid input value. Use escape key to abandon changes
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s on %s
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
No help found for %s#No context-sensitive help installed$No topic-based help system installed
$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
'%s' is an invalid mask at (%d)
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
<unknown>!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d

tpostgroups.exe_316_rwx_01541000_00026000:

kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
PSAPI.dll
SendKeys32
Invalid Key Name
Invalid KeyName
TFindWindowStruct
[hpwSendKeysMode32]
[hpwSendKeys32Wait]
[WindowsPlatform]
ntdll.dll
[*/*hpwSendKeysDllName]
Plugin to Sendkeys to windows title/handles.
hpwSendKeys 1.23
H.P.Wickern
hpwSendKeys
hpwSendKeysToHandle
hpwSendKeysToTitle
hpwFindWindows
$#&(%'!"-.
;hpwSendKeys
Usndkey32
KWindows
SendKeys
GetCPInfo
RegOpenKeyExA
RegCloseKey
keybd_event
VkKeyScanA
SetKeyboardState
MapVirtualKeyA
GetKeyboardState
GetKeyState
EnumWindows
GetKeyboardType
.idata
.edata
P.reloc
P.rsrc
/In der Stringliste sind Duplikate nicht erlaubt)Datei "%s" kann nicht erstellt werden. %s'Datei %s kann nicht ge
ffnet werden. %s#In %s kann nicht geschrieben werden
pft (%d)#Zu viele Eintr
ge in der Liste (%d)*Listenindex
berschreitet das Maximum (%d)BExpandieren des Speicher-Stream wegen Speichermangel nicht m
%s.Seek nicht implementiert-Operation f
Samstag%%s kann nicht zu %s zugewiesen werden
Externe Exception %x$Auswertung von assert fehlgeschlagen
%s (%s, Zeile %d)
Abstrakter FehlerBZugriffsverletzung bei Adresse %p in Modul '%s'. %s von Adresse %p
Systemfehler. Code: %d.
%s:Ein Aufruf einer Betriebssystemfunktion ist fehlgeschlagen
ltige Variant-Operation'Ung
ltige Variant-Operation (%s%.8x)
%sBVariante des Typs (%s) konnte nicht in Typ (%s) konvertiert werdenF
berlauf bei der Konvertierung einer Variante vom Typ (%s) in Typ (%s)
Operation nicht unterst
ltige Gleitkommaoperation
ltige Zeigeroperation
ltige Typumwandlung4Zugriffsverletzung bei Adresse %p. %s von Adresse %p
Privilegierte Anweisung(Exception %s in Modul %s bei %p.
Anwendungsfehler7Format '%s' ung
r Format '%s'
"'%s' ist kein g
ltiger Integerwert%'%s' ist kein g
'%s' ist kein g
'%s' ist keine g
ltige Uhrzeit0'%s' ist keine g
E/A-Fehler %d

tpostgroups.exe_316_rwx_024D1000_00131000:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
%s%.8x
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
SOFTWARE\Microsoft\Windows Messaging Subsystem
OnKeyDown
OnKeyPresst
OnKeyUp
PasswordChar
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Uh%cR
AutoHotkeys
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
%s: %s
%s:%s
user32.dll
ole32.dll
olepro32.dll
and send it back to krug@sdm.de
1.2.3
Portable Network Graphics
1.1.4
Invalid ZStream operation!
Type not supported
Not supported
Software\Microsoft\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
MAPI Error %d: %s
ComboKeyDown
8%u9h
_KeyDownShift]
_KeyDownAlt]
_KeyDownCtrl]
_KeyDownKey]
_KeyDownAction]
ListBox1KeyDown
Uh.YW
>%u<hp
FormKeyDown
Class <%s> not registered
Source Class <%s> not registered
tObject %s not in item list
srBadPassword
TBadPassword
NewPassword
Password
OnBadPassword
.zip.
\\.\vwin32
Uh.PY
-2147483647
-2147483646
-2147483645
-2147483644
-2147483643
-2147483642
-2147483641
-2147483640
-2147483639
-2147483638
-2147483637
-2147483636
-2147483635
-2147483634
-2147483633
-2147483632
-2147483631
-2147483630
-2147483629
-2147483628
-2147483627
-2147483626
-2147483625
-2147483624
not supported!
.MimeStreamContent]
.MimeStreamCreator]
.MimeStreamType]
.MimeStreamLength]
.Width]
.Height]
This function requires NeoBook 4.0.9 or higher.
dd.mm.yyyy
This feature requires NeoBook 5.0.0 or higher.
Uh.XZ
=%s
Scripting.FileSystemObject
H.P.Wickern
hpwGetWindowState
hpwIniKeyDel
hpwShellOpenUrl
hpwListBoxFindItemByHotkey
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
Fv}.Bv
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
%DIMimeStreams
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
GetCPInfo
RegOpenKeyExA
RegFlushKey
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
ShellExecuteA
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
"$ %),'8
)%%%$$&&$%&)
)%%$$"!&
#%)%%%%$$$"!*(&&$#&&& (
)-%%%$$!&&$
)%%$$"!&&$&'
$#)%%%%$$"!$%"&&}
)%%%$$&&$''&&
)%%%$$"!$%"&&$&)^
)%%$$"!$%"&&$&&
)%%%$$"!$%"&&$&'
)!%'%%%%$$"!$%"(&&$&@
38000=344
)%%%$"!$%"&&$(
)%%%%$"!$%"(
>;<7=3?4
,&, *,$ ,-'%/)(#*(**$%1-
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # ## 0
00%&"%!%))"$"$"$
!#'#$#$ ! !#'#'#$ ! !&'&'#' ! !&'&'&' ! !&'&'#' ! !#'#'#$ ! !#'#$#$ ! !"$"$"$
!#&#$#$ ! !#&#&#$ ! !%&%&#& ! !%&%&%& ! !%&%&"& ! !"&"&"# ! !"&"#"# ! !!#!#!#
!"&"#"# ! !"&"&"# ! !%&%&"& ! !%&%&%& ! !%&%&#& ! !#&#&#$ ! !#&#$#$ ! !!!))&&
.idata
.edata
P.reloc
P.rsrc
1n.eP
sJ.Cr
Open a Zip File[Zip Files (*.ZIP)|*.zip|SFX Files (*.EXE)|*.exe|Jar Files (*.JAR)|*.jar|All Files (*.*)|*.*&User canceled Set Desination Directory
Index %d is out of range
User Aborted Operation
User canceled Zip operation%Select a new name for the fixed file.
Zip Files (*.ZIP)
Invalid seek origin (%d)
jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.oSome operation could not be performed because the system is out of resources. Close some windows and try again.OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.
JPEG-Fehler #%d
JPEG-GrafikdateijThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corruptedUThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.
Description: BThe "Portable Network Graphics" image contains an invalid palette.
The file being readed is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corruped, try obtaining it again.nThis "Portable Network Graphics" image is not supported or it might be invalid.
This "Portable Network Graphics" image is not supported because either it's width or height exceeds the maximum size, which is 65535 pixels length.
There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.
;Registerseite '%s' mit Index %d konnte nicht gesetzt werden/Objekt mit Index %d konnte nicht gesetzt werden;Bei TabPosition tpLeft und tpRight muss MultiLine True seinCDieses Element ben
tigt COMCTL32.DLL in der Version 4.70 oder h
berschreitet das Maximum von %s Das Datum unterschreitet das Minimum von %s=Um das Datum zu setzen, m
OLE-Fehler %.8xBDie Methode '%s' wird vom Automatisierungsobjekt nicht unterst
Fenstertext,Register-Element konnte nicht geleert werden7Registerseite mit Index %d konnte nicht gel
scht werden6Registerseite mit Index %d konnte nicht gelesen werden/Objekt mit Index %d konnte nicht gelesen werden
'%s' wird bereits von einem anderen Formular benutzt1Angedocktes Steuerelement muss einen Namen haben.BFehler beim Entfernen des Steuerelements aus der Andock-Hierarchie
Fehler beim Setzen von %s.CountNStil des Listenfeldes (%s) muss virtuell sein, damit Count gesetzt werden kann/Inhaltsverzeichnis konnte nicht gefunden werden/F
r %s sind keine Hilfeinformationen vorhanden.(Keine kontextsensitive Hilfe installiert.Es ist keine themenbasierte Hilfe installiert.
Alt #Wert muss zwischen %d und %d liegen!Zeile kann nicht eingef
&Dateien: (*.*)
%Formulare k
tekontexts(Fehler beim Erzeugen einer FensterklasseIEin deaktiviertes oder unsichtbares Fenster kann nicht den Fokus erhalten,Element '%s' hat kein
bergeordnetes Element von '%s'8Untergeordnetes MDI-Formular kann nicht verborgen werdenEEigenschaft Visible kann in OnShow oder OnHide nicht ver
ndert werden=Aus einem sichtbaren Fenster kann kein modales gemacht werden.Eigenschaft %s au
%s.Seek nicht implementiert-Operation f
ssigA%s befindet sich nicht in einer Gruppe f
Eigenschaft %s existiert nicht.
ltige Operation f
ltiger Dateiname - %s
ltiges Stream-Format(''%s'' ist kein g
r '%s'&Kapazit
pft (%d)#Zu viele Eintr
ge in der Liste (%d)*Listenindex
berschreitet das Maximum (%d)BExpandieren des Speicher-Stream wegen Speichermangel nicht m
glich Fehler beim Lesen von %s%s%s: %s
r '%s'!Ressource %s wurde nicht gefunden
r '%s' nicht gefunden%%s kann nicht zu %s zugewiesen werden,Bits-Index au
ffneten Ressourcen-Stream kann nicht geschrieben werdenQCheckSynchronize wurde vom Thread $%x aufgerufen, der NICHT der Haupt-Thread ist.
Klasse %s nicht gefunden/Klasse mit der Bezeichnung %s existiert bereits/Liste gestattet keine doppelten Eintr
ge ($0%x)3Komponente mit der Bezeichnung %s existiert bereits/In der Stringliste sind Duplikate nicht erlaubt)Datei "%s" kann nicht erstellt werden. %s'Datei %s kann nicht ge
ffnet werden. %s#In %s kann nicht geschrieben werden
Operation nicht unterst
Externe Exception %x$Auswertung von assert fehlgeschlagen
%s (%s, Zeile %d)
Abstrakter FehlerBZugriffsverletzung bei Adresse %p in Modul '%s'. %s von Adresse %p
Systemfehler. Code: %d.
%s:Ein Aufruf einer Betriebssystemfunktion ist fehlgeschlagen
7Format '%s' ung
r Format '%s'(Variant-Methodenaufruf nicht unterst
ltige Variant-Operation Ung
ltige NULL-Variant-Operation'Ung
ltige Variant-Operation (%s%.8x)
%sBVariante des Typs (%s) konnte nicht in Typ (%s) konvertiert werdenF
berlauf bei der Konvertierung einer Variante vom Typ (%s) in Typ (%s)
ltige Gleitkommaoperation
ltige Zeigeroperation
ltige Typumwandlung4Zugriffsverletzung bei Adresse %p. %s von Adresse %p
Privilegierte Anweisung(Exception %s in Modul %s bei %p.
"'%s' ist kein g
ltiger Integerwert%'%s' ist kein g
'%s' ist kein g
'%s' ist keine g
ltige Uhrzeit0'%s' ist keine g
E/A-Fehler %d

tpostgroups.exe_316_rwx_02811000_000DB000:

kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
PasswordChar4
OnKeyDown
OnKeyPress\E
OnKeyUp
ssHorizontal
OnKeyUp8
Proportional
%s%s%s%s%s%s%s%s%s%s
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreviewH
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeysT
AutoHotkeys
TKeyEvent
TKeyPressEvent
HelpKeyworddW
crSQLWait
%s (%s)
imm32.dll
ole32.dll
MAPI32.DLL
FilterGraph %p pid %x
WMFLIB.DLL
WMCreateCertificate
WMCreateIndexer
TWMKeyProvider
Operation
NEOBOOK.EXE
NEOBOOKDX.NBP
1.0.4
TKEY=Initial key
WOAF=Official audio file webpage
WOAR=Official artist/performer webpage
WOAS=Official audio source webpage
WPUB=Publishers official webpage
WXXX=User defined URL link frame
- Toolbar2000 version 2.1.8/D7, Copyright (C) 1998-2006 by Jordan Russell -
user32.dll
msimg32.dll
Theme %s is already registered
dwmapi.dll
NeoBookDX.chm
LeftPrompt(
Action_Command_Reference.html#dxPlayVideoFile
Action_Command_Reference.html#
.html
HHCtrl.ocx
%s: %s
0123456789
TNeoBookURL
NeoBookURL
NeoBookURL1
NeoBookURL2
NeoBookURL3
NeoBookURL10
NeoBookURL24
NeoSoft Corp. - VVV.neosoftware.com
DXWEBCURRSOR
deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
inflate 1.0.4 Copyright 1995-1996 Mark Adler
TBv}.Bv
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
3333333333
T.//F.feojy
0>>==<<8!
KWindows
UrlMon
.NeoHeadPanel
.DXSplash
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Picture.Data
info@neosoftware.com
Web Site:
VVV.neosoftware.com
Lines.Strings
Glyph.Data
'988663311//.
'88663311//..
'8663311//..,
'663311//..,,
'63311//..,, 
'3311//..,,  
'311//..,,  *
'11//..,,  **
'1//..,,  **)
'//..,,  **))
'/..,, "
">==<<555
"==<<5555
)=<<55553
)<<555533
)<5555333
/55553333
The object specified here must be of type Rectangle or may be left blank to create an non-visible media player. This action requires NeoBook version 4.0.9 or higher.
<< 12233)<
<< 87233)<
<< 6623')<
<< 67233)<
<< 7923')<
<< 9:233)<
,hXXp://VVV.neosoftware.com/order.htmlplugins
mailto:info@neosoftware.com
$hXXp://VVV.neosoftware.com/nbw1.html
hXXp://VVV.neosoftware.com
LeftPrompt
HorzScrollBar.Range
VertScrollBar.Range
GetCPInfo
RegQueryInfoKeyA
RegOpenKeyExA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
SetViewportOrgEx
ShellExecuteA
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
GetKeyboardType
)%%%$$&&$''&&
)%%%$$"!$%"&&$&)
)%%%$$"!$%"&&$&)^
)%%$$"!$%"&&$&&
)%%$$"!$%"&&$&)
)%%%$$"!$%"&&$&'
)!%'%%%%$$"!$%"(&&$&@
)%%%$$&&$"&)
)%%%$$&&$%&)
38000=344
&%$/.*,.3,0)*-0(//0.6694 235,
.idata
.edata
P.reloc
P.rsrc
.Nbni
Create a new DirectX media player and optionally specify a script from NeoBook's Subroutine Action that you want executed if the current media file plays all the way to the end.. You can leave the Rectangle Object field blank to create a non-visible media player. A unique identification number for the player will be returned in the player ID variable.0Load an audio or video file into a media player.
Set a media player's balance.ZSet a media player's playback rate/speed. (Some media formats do not support this option.)
When True automatically displays error messages. When, False no messages are displayed when an error occurs. The most recent error is also stored in the global [dxError] variable.CPlay the current media file starting and ending at specific points.YPlay an audio file. This is a DirectX version of NeoBook's built-in PlaySoundFile action.XPlay a video file. This is a DirectX version of NeoBook's built-in PlayVideoFile action.
Stop an individual or all currently playing video or audio files. This is a DirectX version of NeoBook's built-in StopMedia action.qToggle the current video file between full screen and normal/windowed mode. This action only affects video files.
Set a media player's video display mode. Options are NORMAL (actual size), STRETCH (fit in window), ASPECT (fit in window but maintain aspect ratio) or OPTIMIZE (stretch only if needed).>Stop the currently playing media file after fading the volume.SSlowley reduce a media player's volume from the current level down to zero deciblesjSlowley increase a media player's volume from the current level up to the system's default volume setting."Remove a media player from memory.
Add a position marker to a media player. The marker is assigned a specific time index and assocaited with a script from your publication's Subroutine Action. The subroutine will automatically execute when the marker is reached during playback.;Remove all position markers associated with a media player.
Mute the master volume.BGet the master volume mute state. Returns True if volume is muted.BPause an individual or all currently playing video or audio files.aRemove a position marker from a media player. Specify the time index of the marker to be removed.XSelect between logarithmic and linear volume scales. The default volume scale is linear.
 Unable to find a rectangle object named %s.)A media player is already attached to %s./This function requires NeoBook 4.0.9 or higher.
Invalid player ID: %s.CUse this plug-in to add DirectX video and audio support to NeoBook.
Marker Position:1Name of Subroutine to Execute when Marker is Hit:
Unknown.Fade target volume must be between 0 and 1000.
Thank you for registering NeoBookDX.||Be sure to keep a copy of your registration code in|your records. If you need to reinstall NeoBookDX|in the future, you may need it.gObviously the serial number that you are attempting|to enter is not valid! Please contact NeoSoft Corp.dThe serial number that you entered is not valid!|Please check your entry for mistakes and try again.
MiscellaneousDCould not find help file (NeoBookDX.chm).|Please reinstall NeoBookDX
Opera
Invalid stream operation
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
DCOM not installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Error setting %s.Count8Listbox (%s) style must be virtual in order to set Count"Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Unable to insert a line Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
!Control '%s' has no parent window
Unsupported clipboard format
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
ECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1908

  2. Delete the original Adware file.
  3. Delete or disinfect the following files created/modified by the Adware:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\1.png (1281 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups1e5.ico (2105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups.lim (673 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups1e5.exe (23062 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups.exe (23353 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups1e5.lim (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 5.ico (2105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 1.exe (7345 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 1.ico (2105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\setup 5.exe (7345 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RarSFX0\tpostgroups.ico (2105 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D5.nbr (5348 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D4.nbr (106 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.bgm (2784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D3.ttf (9341 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D3.nbp (3507 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D3.nbr (3789 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D8.nbr (9619 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.mnz (250 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D6.nbr (5327 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.zip (810859 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.png (2141 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tpostgroups.mnu (11 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\866E70D7.nbr (9400 bytes)

  4. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now