MD5: 62bc2691929e4d8ceeeafdd17d26300c
SHA1: e2cf963cbb996038c86b5a80ae5c824d7cf47f7e
SHA256: ed18b909bc198831bc1cf3d0055aed17c257ffc74fec3d4cb2ef5959f9346fff
SSDeep: 24576:sv5BMvQ3uhEQ1La3w8YdR/t7GCAsI6yZqRhapSlAru3xs:cQvUuhE44wtt7KuBhapSKru3x
Size: 1496064 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: XtremeProtectorv105, UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-07 18:59:53
Analyzed on: WindowsXP SP3 32-bit

Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:980

The Backdoor injects its code into the following process(es):

msdcsc.exe:1780

File activity

The process %original file name%.exe:980 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\MSDCSC\msdcsc.exe (9098 bytes)
%System%\drivers\etc\hosts (31 bytes)

Registry activity

The process msdcsc.exe:1780 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 EF 02 FB A8 F4 8A 78 18 D3 3E F9 C4 7C 62 89"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

User account control (UAC) is disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA" = "0"

A firewall is disabled:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"

Firewall notifications are enabled:

"DisableNotifications" = "0"

The process %original file name%.exe:980 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 F4 AB D0 4C 67 A5 3E 5E 80 E5 CF CB 95 2D 71"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Start Menu\MSDCSC]
"msdcsc.exe" = "Remote Service Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MicroUpdate" = "%Documents and Settings%\All Users\Start Menu\MSDCSC\msdcsc.exe"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\MSDCSC\msdcsc.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Backdoor modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 31 bytes in size. The following strings are added to the hosts file listed below:

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corp.
Product Name: Remote Service Application
Product Version: 4, 0, 0, 0
Legal Copyright: Copyright (C) 1999
Legal Trademarks:
Original Filename: MSRSAAP.EXE
Internal Name: MSRSAAPP
File Version: 1, 0, 0, 1
File Description: Remote Service Application
Comments: Remote Service Application
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

`.rsrc

.idata

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

%s_%d

EInvalidGraphicOperation

SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes

%s, ClassID: %s

%s, ProgID: "%s"

ole32.dll

USER32.DLL

uxtheme.dll

DWMAPI.DLL

clWebSnow

clWebFloralWhite

clWebLavenderBlush

clWebOldLace

clWebIvory

clWebCornSilk

clWebBeige

clWebAntiqueWhite

clWebWheat

clWebAliceBlue

clWebGhostWhite

clWebLavender

clWebSeashell

clWebLightYellow

clWebPapayaWhip

clWebNavajoWhite

clWebMoccasin

clWebBurlywood

clWebAzure

clWebMintcream

clWebHoneydew

clWebLinen

clWebLemonChiffon

clWebBlanchedAlmond

clWebBisque

clWebPeachPuff

clWebTan

clWebYellow

clWebDarkOrange

clWebRed

clWebDarkRed

clWebMaroon

clWebIndianRed

clWebSalmon

clWebCoral

clWebGold

clWebTomato

clWebCrimson

clWebBrown

clWebChocolate

clWebSandyBrown

clWebLightSalmon

clWebLightCoral

clWebOrange

clWebOrangeRed

clWebFirebrick

clWebSaddleBrown

clWebSienna

clWebPeru

clWebDarkSalmon

clWebRosyBrown

clWebPaleGoldenrod

clWebLightGoldenrodYellow

clWebOlive

clWebForestGreen

clWebGreenYellow

clWebChartreuse

clWebLightGreen

clWebAquamarine

clWebSeaGreen

clWebGoldenRod

clWebKhaki

clWebOliveDrab

clWebGreen

clWebYellowGreen

clWebLawnGreen

clWebPaleGreen

clWebMediumAquamarine

clWebMediumSeaGreen

clWebDarkGoldenRod

clWebDarkKhaki

clWebDarkOliveGreen

clWebDarkgreen

clWebLimeGreen

clWebLime

clWebSpringGreen

clWebMediumSpringGreen

clWebDarkSeaGreen

clWebLightSeaGreen

clWebPaleTurquoise

clWebLightCyan

clWebLightBlue

clWebLightSkyBlue

clWebCornFlowerBlue

clWebDarkBlue

clWebIndigo

clWebMediumTurquoise

clWebTurquoise

clWebCyan

clWebPowderBlue

clWebSkyBlue

clWebRoyalBlue

clWebMediumBlue

clWebMidnightBlue

clWebDarkTurquoise

clWebCadetBlue

clWebDarkCyan

clWebTeal

clWebDeepskyBlue

clWebDodgerBlue

clWebBlue

clWebNavy

clWebDarkViolet

clWebDarkOrchid

clWebMagenta

clWebDarkMagenta

clWebMediumVioletRed

clWebPaleVioletRed

clWebBlueViolet

clWebMediumOrchid

clWebMediumPurple

clWebPurple

clWebDeepPink

clWebLightPink

clWebViolet

clWebOrchid

clWebPlum

clWebThistle

clWebHotPink

clWebPink

clWebLightSteelBlue

clWebMediumSlateBlue

clWebLightSlateGray

clWebWhite

clWebLightgrey

clWebGray

clWebSteelBlue

clWebSlateBlue

clWebSlateGray

clWebWhiteSmoke

clWebSilver

clWebDimGray

clWebMistyRose

clWebDarkSlateBlue

clWebDarkSlategray

clWebGainsboro

clWebDarkGray

clWebBlack

comctl32.dll

AutoHotkeysd-C

AutoHotkeys

\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowState

OnKeyDownL

OnKeyPress

OnKeyUpH

GlassFrame.Bottom

GlassFrame.Enabled

GlassFrame.Left

GlassFrame.Right

GlassFrame.SheetOfGlass

GlassFrame.Top

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

Uh.ID

User32.dll

TKeyEvent

TKeyPressEvent

HelpKeyword nA

crSQLWait

%s (%s)

imm32.dll

TSocketPort

%d.%d.%d.%d

0.0.0.0

PSAPI.dll

TDCWebCam

127.0.0.1

BuildImportTable: can't load library:

BuildImportTable: ReallocMemory failed

BuildImportTable: GetProcAddress failed

BTMemoryLoadLibary: BuildImportTable failed

BTMemoryGetProcAddress: no export table found

BTMemoryGetProcAddress: DLL doesn't export anything

BTMemoryGetProcAddress: exported symbol not found

1.2.3

127.0.0.1:1604

#KCMDDC51#-

5.3.0

cmd.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

hkey

\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

*.torrent

\Internet Explorer\iexplore.exe

explorer.exe

wlanapi.dll

80211_SHARED_KEY

user32.dll

TUploadFTP

notepad.exe

KEYNAME

%ShortCut#

RELATEDCMD

ping 127.0.0.1 -n 4 > NUL && "

DRKey

CRKey

DelMSKey

InstallHKEY

ActiveOnlineKeylogger

UnActiveOnlineKeylogger

KeylogOn

ActiveOfflineKeylogger

UnActiveOfflineKeylogger

ActiveOnlineKeyStrokes

UnActiveOnlineKeyStrokes

OpenWebPage

tmpprint.txt

URLUpdate

MSGBOX

#BOT#VisitUrl

#BOT#OpenUrl

HTTP://

http://

BTRESULTOpen URL|

Command successfully executed!|

#BOT#URLUpdate

BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|

BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|

#BOT#URLDownload

GetActivePorts

out.txt

tmp.txt

DDOSHTTPFLOOD

DDOSUDPFLOOD

%IPPORTSCAN

SAPI.SpVoice

WEBCAMLIVE

WEBCAMSTOP

PASSWORD

FTPFILEUPLOAD

URLDOWNLOADTOFILE

UPLOADEXEC

UPANDEXEC

FTPPORT

FTPPASS

FTPUSER

FTPHOST

FTPROOT

FTPUPLOADK

FTPSIZE

BTRESULTUDP Flood|UDP Flood task finished!|

PortScanAdd

BTRESULTVisit URL|finished to visit

BTERRORVisit URL|An exception occured in the thread|

POST /index.php/1.0

BTRESULTHTTP Flood|Http Flood task finished!|

Mozilla

BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|

BTERRORDownload File| Error on downloading file check if you type the correct url...|

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

ERR|Cannot listen to port, try another one..|

TCaptureWebcam

taskmgr.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

DC3_FEXEC

Windows NT 4.0

Windows 2000

Windows XP

Windows Server 2003

Windows Vista

Windows 7

Windows 95

Windows 98

Windows Me

S-%u-

FAKEMSG

MSGICON

MSGTITLE

MSGCORE

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

%Documents and Settings%\%current user%\Application Data\dclogs\2014-04-10-5.dc

1!1,1=1|1

6 6$6(6,606

=!=%=)=-=1=

01m1

0 0$0(0,0004080<0@0

;"
; ;$;(;,;0;4;8;<;@;
7 8$888<8
= =$=(=,=0=4=8=
UntKeylogger
KWindows
UntActivePorts
UntControlKey
UntCaptureWebcam
UntWebCam
UrlMon
(UntUploadFTPThread
UntFTP
_UntUDPFlood
YUntScanPorts
0UntPasswordAndData
XUntHTTPFlood
UntCPU
KERNEL32.dll
COMCTL32.dll
%System%\ntdll.dll
%userappdata%\RestartApp.exe
Exit Status = %d
34$14$34$
3<$1<$3<$
3,$1,$3,$
3<$1<$3<$\
3,$1,$3,$\
_34$14$34$
34$14$34$\
-nU5}
^3,$1,$3,$
$\34$14$34$\
{Ì>
]34$14$34$
$\3<$1<$
[3<$1<$3<$\
$\3<$1<$3<$
_3,$1,$3,$
.woZ3
[3,$1,$3,$
L%dnG
1<$3<$1<$
34$14$34$\0
$\34$14$
[34$14$34$
U8e5%x
,%fYRP
fh%Uf
^3<$1<$3<$
d:USER32.dll
ADVAPI32.dll
NTDLL.dll
\\.\SICE
\\.\SIWVID
\\.\NTICE
3Cannot write oreans.vxd
\Oreans.vxd
ADVAPI32.DLL
oreans32.sys
oreansx64.sys
\\.\oreans32
\\.\Global\oreans32
\\.\Global\oreansx64
%s\system32\drivers\%s
%s\syswow64\drivers\%s
%s\system32\drivers\oreans32.sys
3Cannot Update oreans.sys driver. Please, make sure that you have
3Cannot open oreans.vxd driver. Make sure that oreans.vxd
\\.\Oreans.vxd
%s\Oreans.vxd
contact info@oreans.com for this error
winmm.dll
Version = %s
CheckIN = %d
CheckOUT = %d
ProcIN = %d
ProcOUT = %d
ExitIN = %d
ExitOUT = %d
TPin = %d
HWIn = %d
IntV = %x, %x, %x, %x
!.bz.a
3An internal exception occured (Address: 0x%x)
Please, contact support@oreans.com. Thank you!
8.afk
;%9S-
xÕ<
LProcess Monitor - test.pml
m/ %D
%Um!T
<9.EXEu
6.KCI
D(E!A.ZTm
msdcsc.exe
3Cannot find '%s'. Please, re-install this application
ntdll.dll
$5l.bY
!$Xp.bf
n0).bz
%Um J
.bz."
)Yq%X
66006666
No help found for %s#No context-sensitive help installed
No help found for context$No topic-based help system installedNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Not enough timers available@GroupIndex cannot be less than a previous menu item's GroupIndex5Cannot create form. No MDI forms are currently active$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
1, 0, 0, 1
MSRSAAP.EXE
4, 0, 0, 0

msdcsc.exe_1780_rwx_00401000_000AC000:


kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
EInvalidGraphicOperation
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
%s, ClassID: %s
%s, ProgID: "%s"
ole32.dll
USER32.DLL
uxtheme.dll
DWMAPI.DLL
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
AutoHotkeysd-C
AutoHotkeys
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
OnKeyDownL
OnKeyPress
OnKeyUpH
GlassFrame.Bottom
GlassFrame.Enabled
GlassFrame.Left
GlassFrame.Right
GlassFrame.SheetOfGlass
GlassFrame.Top
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
Uh.ID
User32.dll
TKeyEvent
TKeyPressEvent
HelpKeyword nA
crSQLWait
%s (%s)
imm32.dll
TSocketPort
%d.%d.%d.%d
0.0.0.0
PSAPI.dll
TDCWebCam
127.0.0.1
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
1.2.3
127.0.0.1:1604
#KCMDDC51#-
5.3.0
cmd.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
*.torrent
\Internet Explorer\iexplore.exe
explorer.exe
wlanapi.dll
80211_SHARED_KEY
user32.dll
TUploadFTP
notepad.exe
KEYNAME
%ShortCut#
RELATEDCMD
ping 127.0.0.1 -n 4 > NUL && "
DRKey
CRKey
DelMSKey
InstallHKEY
ActiveOnlineKeylogger
UnActiveOnlineKeylogger
KeylogOn
ActiveOfflineKeylogger
UnActiveOfflineKeylogger
ActiveOnlineKeyStrokes
UnActiveOnlineKeyStrokes
OpenWebPage
tmpprint.txt
URLUpdate
MSGBOX
#BOT#VisitUrl
#BOT#OpenUrl
HTTP://
http://
BTRESULTOpen URL|
Command successfully executed!|
#BOT#URLUpdate
BTERRORUpdate from URL| Error on downloading file check if you type the correct url...|
BTRESULTUpdate from URL|Update : File Downloaded , Executing new one in temp dir...|
#BOT#URLDownload
GetActivePorts
out.txt
tmp.txt
DDOSHTTPFLOOD
DDOSUDPFLOOD
%IPPORTSCAN
SAPI.SpVoice
WEBCAMLIVE
WEBCAMSTOP
PASSWORD
FTPFILEUPLOAD
URLDOWNLOADTOFILE
UPLOADEXEC
UPANDEXEC
FTPPORT
FTPPASS
FTPUSER
FTPHOST
FTPROOT
FTPUPLOADK
FTPSIZE
BTRESULTUDP Flood|UDP Flood task finished!|
PortScanAdd
BTRESULTVisit URL|finished to visit
BTERRORVisit URL|An exception occured in the thread|
POST /index.php/1.0
BTRESULTHTTP Flood|Http Flood task finished!|
Mozilla
BTRESULTDownload File|Mass Download : File Downloaded , Executing new one in temp dir...|
BTERRORDownload File| Error on downloading file check if you type the correct url...|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
ERR|Cannot listen to port, try another one..|
TCaptureWebcam
taskmgr.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
DC3_FEXEC
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows 95
Windows 98
Windows Me
S-%u-
FAKEMSG
MSGICON
MSGTITLE
MSGCORE
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
%Documents and Settings%\%current user%\Application Data\dclogs\2014-04-10-5.dc
1!1,1=1|1
6 6$6(6,606
=!=%=)=-=1=
01m1
0 0$0(0,0004080<0@0
;"
; ;$;(;,;0;4;8;<;@;
7 8$888<8
= =$=(=,=0=4=8=
66006666

msdcsc.exe_1780_rwx_004B3000_0000C000:


%System%\ntdll.dll
%userappdata%\RestartApp.exe
Exit Status = %d
34$14$34$
3<$1<$3<$

msdcsc.exe_1780_rwx_004CF000_00001000:


$\34$14$34$\

msdcsc.exe_1780_rwx_004E4000_00002000:


34$14$34$\
34$14$34$
1<$3<$1<$
34$14$34$\0

msdcsc.exe_1780_rwx_004F1000_00028000:


3,$1,$3,$
_34$14$34$
d:USER32.dll
ADVAPI32.dll
NTDLL.dll
\\.\SICE
\\.\SIWVID
\\.\NTICE
3Cannot write oreans.vxd
\Oreans.vxd
ADVAPI32.DLL
oreans32.sys
oreansx64.sys
\\.\oreans32
\\.\Global\oreans32
\\.\Global\oreansx64
%s\system32\drivers\%s
%s\syswow64\drivers\%s
%s\system32\drivers\oreans32.sys
3Cannot Update oreans.sys driver. Please, make sure that you have
3Cannot open oreans.vxd driver. Make sure that oreans.vxd
\\.\Oreans.vxd
%s\Oreans.vxd
contact info@oreans.com for this error
winmm.dll
Version = %s
CheckIN = %d
CheckOUT = %d
ProcIN = %d
ProcOUT = %d
ExitIN = %d
ExitOUT = %d
TPin = %d
HWIn = %d
IntV = %x, %x, %x, %x
!.bz.a
3An internal exception occured (Address: 0x%x)
Please, contact support@oreans.com. Thank you!
8.afk

msdcsc.exe_1780_rwx_00524000_0004B000:


xÕ<
LProcess Monitor - test.pml
m/ %D
%Um!T
<9.EXEu
6.KCI
D(E!A.ZTm
msdcsc.exe
3Cannot find '%s'. Please, re-install this application
ntdll.dll
$5l.bY
!$Xp.bf
n0).bz
%Um J
.bz."
)Yq%X

msdcsc.exe_1780_rwx_009E0000_0008E000:


.text
`.data
.rsrc
@.reloc
GDI32.dll
KERNEL32.dll
NTDLL.DLL
ImmProcessKey
USER32.dll
ActivateKeyboardLayout
ArrangeIconicWindows
CallMsgFilter
CallMsgFilterA
CallMsgFilterW
CascadeChildWindows
CascadeWindows
CliImmSetHotKey
CloseWindowStation
CreateDialogIndirectParamA
CreateDialogIndirectParamAorW
CreateDialogIndirectParamW
CreateWindowStationA
CreateWindowStationW
DisableProcessWindowsGhosting
DisplayExitWindowsWarnings
EnumChildWindows
EnumDesktopWindows
EnumThreadWindows
EnumWindowStationsA
EnumWindowStationsW
EnumWindows
ExitWindowsEx
GetAsyncKeyState
GetKeyNameTextA
GetKeyNameTextW
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
GetKeyboardState
GetKeyboardType
GetProcessWindowStation
LoadKeyboardLayoutA
LoadKeyboardLayoutEx
LoadKeyboardLayoutW
LockWindowStation
MapVirtualKeyA
MapVirtualKeyExA
MapVirtualKeyExW
MapVirtualKeyW
MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx
OemKeyScan
OpenWindowStationA
OpenWindowStationW
RegisterHotKey
SetConsoleReserveKeys
SetKeyboardState
SetProcessWindowStation
SetWindowStationUser
SetWindowsHookA
SetWindowsHookExA
SetWindowsHookExW
SetWindowsHookW
TileChildWindows
TileWindows
UnhookWindowsHook
UnhookWindowsHookEx
UnloadKeyboardLayout
UnlockWindowStation
UnregisterHotKey
VkKeyScanA
VkKeyScanExA
VkKeyScanExW
VkKeyScanW
WINNLSGetIMEHotkey
keybd_event
=.cmd
=.pif
=.lnk
=.com
=.bat
F\ FTP
s.RPRP
tcPV
*9]0t#SSh
u.KKt*
~,SSSh
SSSSh
SSSh$6A~P
6SSSSh
t>SSh`
u"SSh`
ADVAPI32.dll
MSIMG32.dll
POWRPROF.dll
WINSTA.dll
RegCreateKeyExW
RegCloseKey
RegDeleteKeyW
ReportEventW
RegQueryInfoKeyW
ntdll.dll
GetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GetCPInfo
GetSystemWindowsDirectoryW
NtQueryKey
NtEnumerateValueKey
NtYieldExecution
NtCreateKey
NtSetValueKey
NtDeleteValueKey
NtEnumerateKey
NtOpenKey
NtQueryValueKey
user32.pdb
windows.hlp
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
$$$006666
&$%Uooqkezs
['$$#%&(4
2<===@@=
0 00@0[0
0V0
9œ9S9|9
;";&;*;.;2;6;:;
8$8-858E8L8S8Z8a8h8o8v8}8
;(;7;>;};
2$3 363@3
;#<)<4<:<
7 8$8(8,8|8
IMM32.DLL
SETUPAPI.DLL
&%d %ws
Control Panel\Input Method\Hot Keys
Virtual Key
Key Modifiers
kbdus.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\
$winnt$.inf
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Fonts
Keyboard Layout\Preload
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\LastFontSweep
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Type 1 Fonts
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Upgraded Type1
keyboardlayout.ini
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\LastType1Sweep
\Windows\WindowStations
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
\Windows
Keyboard Layout
kbdkor.dll
kbdjpn.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout
imm32.dll
Hot Keys
00000409
x:\...\
OLE32.DLL
%SystemRoot%\System32\user32.dll
Software\Microsoft\Windows\CurrentVersion\Reliability
hh.exe
indicdll.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout\
IgnoreRemoteKeyboardLayout
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Reliability
\snapshot.dll
Windows XP USER API Client DLL
5.1.2600.5512 (xpsp.080413-2105)
Windows
Operating System
5.1.2600.5512
Error Instrument: ProcessName: %1 WindowTitle: %2 MsgCaption: %3 MsgText: %4 CallerModuleName: %5 BaseAddr: %6 ImageSize: %7 ReturnAddr: %8
Zero width &joiner
Zero width &non-joiner
&More Windows...gInsufficient memory to create the bitmap. Close one or more applications to increase available memory.
Op&en Soft Keyboard
Close So&ft Keyboard
Windows
Other people are logged on to this remote computer. Shutting down Windows might cause them to lose data. Also, someone at the remote location will have to restart the computer manually.
Other people are logged on to this computer. Shutting down Windows might cause them to lose data.
Other people are logged on to this computer. Restarting Windows might cause them to lose data.
Hardware: Maintenance (Planned)"Hardware: Installation (Unplanned) Hardware: Installation (Planned)%Operating System: Upgrade (Unplanned)#Operating System: Upgrade (Planned)
-Operating System: Reconfiguration (Unplanned) Operating System: Reconfiguration (Planned)
8A restart or shutdown to service hardware on the system.AA restart or shutdown to begin or complete hardware installation.6A restart or shutdown to upgrade the operating system.CA restart or shutdown to change the operating system configuration.BA restart or shutdown to troubleshoot an unresponsive application.>A restart or shutdown to troubleshoot an unstable application.0A restart or shutdown to service an application. A shutdown or restart for an unknown reason1The computer displayed a blue screen crash event.
The system became unresponsive.GA restart or shutdown to perform planned maintenance on an application.

msdcsc.exe_1780_rwx_00A90000_000F2000:


.text
`.data
.rsrc
@.reloc
ntdll.dll
KERNEL32.dll
BaseCleanupAppcompatCacheSupport
BaseInitAppcompatCacheSupport
BaseProcessInitPostImport
CallNamedPipeA
CallNamedPipeW
CmdBatNotification
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
CreatePipe
DisconnectNamedPipe
GetCPFileNameFromRegistry
GetCPInfo
GetCPInfoExA
GetCPInfoExW
GetConsoleAliasExesA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleInputExeNameA
GetConsoleInputExeNameW
GetConsoleKeyboardLayoutNameA
GetConsoleKeyboardLayoutNameW
GetConsoleOutputCP
GetDefaultSortkeySize
GetLargestConsoleWindowSize
GetNamedPipeHandleStateA
GetNamedPipeHandleStateW
GetNamedPipeInfo
GetProcessHandleCount
GetProcessHeap
GetProcessHeaps
GetProcessShutdownParameters
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryW
PeekNamedPipe
RegisterWowExec
SetCPGlobal
SetConsoleInputExeNameA
SetConsoleInputExeNameW
SetConsoleKeyShortcuts
SetConsoleMaximumWindowSize
SetConsoleOutputCP
SetNamedPipeHandleState
SetProcessShutdownParameters
SetThreadExecutionState
TransactNamedPipe
VDMConsoleOperation
VDMOperationStarted
WaitNamedPipeA
WaitNamedPipeW
WinExec
NTDLL.RtlAddVectoredExceptionHandler
NTDLL.RtlDecodePointer
NTDLL.RtlDecodeSystemPointer
NTDLL.RtlDeleteCriticalSection
NTDLL.RtlEncodePointer
NTDLL.RtlEncodeSystemPointer
NTDLL.RtlEnterCriticalSection
NTDLL.RtlGetLastWin32Error
NTDLL.RtlAllocateHeap
NTDLL.RtlFreeHeap
NTDLL.RtlReAllocateHeap
NTDLL.RtlSizeHeap
NTDLL.RtlInitializeSListHead
NTDLL.RtlInterlockedFlushSList
NTDLL.RtlInterlockedPopEntrySList
NTDLL.RtlInterlockedPushEntrySList
NTDLL.RtlLeaveCriticalSection
NTDLL.RtlQueryDepthSList
NTDLL.RtlRemoveVectoredExceptionHandler
NTDLL.RtlRestoreLastWin32Error
NTDLL.RtlCaptureContext
NTDLL.RtlCaptureStackBackTrace
NTDLL.RtlFillMemory
NTDLL.RtlMoveMemory
NTDLL.RtlUnwind
NTDLL.RtlZeroMemory
NTDLL.RtlSetCriticalSectionSpinCount
NTDLL.RtlSetLastWin32Error
NTDLL.RtlTryEnterCriticalSection
NTDLL.VerSetConditionMask
DirOperationControl
UrlCanonicalizeW
SHDeleteKeyW
PathCreateFromUrlW
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
EnumDesktopWindows
CloseWindowStation
twain_32.dll
Jt.HH;
midiOutShortMsg
SXS: %s() LdrFindOutOfProcessResource failed; nt status = lx
advapi32.dll
ReportEventW
RegSaveKeyW
RegSaveKeyExW
RegSaveKeyA
RegRestoreKeyW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
RegNotifyChangeKeyValue
RegEnumKeyW
RegEnumKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyExW
RegCloseKey
ElfReportEventW
CryptExportKey
CryptDestroyKey
\Device\NamedPipe\Win32Pipes.x.x
CM_Open_DevNode_Key
CryptCATCatalogInfoFromContext
SetPortW
EnumPrinterKeyW
EnumPortsW
DeletePrinterKeyW
DeletePortW
ConfigurePortW
AddPortW
ShellExecuteW
ShellExecuteExW
ShellExecuteExA
ShellExecuteA
SHFileOperationW
SHFileOperationA
FindExecutableW
FindExecutableA
ImportPrivacySettings
MprConfigTransportGetInfo
MprConfigTransportGetHandle
MprConfigTransportDelete
MprConfigTransportCreate
MprConfigInterfaceTransportRemove
MprConfigInterfaceTransportGetInfo
MprConfigInterfaceTransportGetHandle
MprConfigInterfaceTransportEnum
MprConfigInterfaceTransportAdd
MprAdminTransportCreate
MprAdminPortGetInfo
MprAdminPortEnum
MprAdminInterfaceTransportAdd
MimeOleParseMhtmlUrl
ImmGetVirtualKey
ImageGetCertificateHeader
ImageGetCertificateData
ImageEnumerateCertificates
GdiplusShutdown
|CAGetCertTypePropertyEx
CAGetCertTypeProperty
CAGetCertTypeKeySpec
CAGetCertTypeFlagsEx
CAGetCertTypeFlags
CAGetCertTypeExtensionsEx
CAGetCertTypeExtensions
CAGetCertTypeExpiration
CAGetCACertificate
CAFreeCertTypeProperty
CAFreeCertTypeExtensions
CAFindCertTypeByName
CAEnumNextCertType
CAEnumCertTypesForCAEx
CAEnumCertTypesForCA
CACountCertTypes
CACloseCertType
CACertTypeAccessCheck
ApphelpCheckExe
WZCPassword2Key
EapcfgNodeFromKey
SetupDiOpenDevRegKey
SetupDiCreateDevRegKeyW
SXS: %s() BasepSxsCreateStreams() failed
winlogon.EXE
PWVSSh
SXS: %s - Failing thread create because RtlActivateActivationContextEx() failed with status lx
SXS: %s - Failing thread create because RtlQueryInformationActivationContext() failed with status lx
SXS: %s - Failing thread create becuase NtQueryInformationThread() failed with status lx
u\SSh
kernel32: No mapping for ImageInformation.Machine == x
TermsrvLogInstallIniFile
TermsrvGetWindowsDirectoryW
TermsrvGetWindowsDirectoryA
SXS: %s failing because RtlQueryInformationActivationContext() returned status lx
SXS: %s - Failure getting active activation context; ntstatus lx
SXS: %s() LdrAccessOutOfProcessResource failed; nt status = lx
SXS: %s() LdrCreateOutOfProcessImage failed
SXS: %s() NtQueryInformationFile failed
SXS: %s() empty lpSource %ls
SXS: %s() Calling csrss server failed
SXS: %s() RtlMultiAppendUnicodeStringBuffer failed
SXS: %s() NtMapViewOfSection failed
SXS: %s() AssemblyDirectory is not null terminated
SXS: %s() BaseDllMapResourceIdW failed
SXS: %s() ACTCTX_FLAG_RESOURCE_NAME_VALID set but lpResourceName == 0
SXS: %s() Bad lpAssemblyDirectory %ls
SXS: %s() Bad lpSource PathType %ls, 0x%lx
SXS: %s() Bad lpAssemblyDirectory PathType %ls, 0x%lx
SXS: %s() bad wProcessorArchitecture 0x%x
SXS: Invalid parameter(s) passed to FindActCtxSection*()
->cbSize = %u
SXS: %s() CsrCaptureMessageMultiUnicodeStringsInPlace failed
QSSSSh
\twain_32.dll
ReportFault
SXS: %s() NtCreateSection() failed
SXS: %s() NtOpenFile(%wZ) failed
SXS: %s() Null %p or size 0x%lx too small
SXS: %s() Bad flags/size 0x%lx/0x%lx
.debug
.reloc
.rsrc1
|wzcsapi.dll
wzcdlg.dll
wtsapi32.dll
ws2_32.dll
wmvcore.dll
wmi.dll
wldap32.dll
wintrust.dll
winsta.dll
winspool.drv
winscard.dll
winmm.dll
wininet.dll
winhttp.dll
version.dll
uxtheme.dll
utildll.dll
usp10.dll
userenv.dll
user32.dll
urlmon.dll
tapi32.dll
syssetup.dll
sti.dll
shsvcs.dll
shlwapi.dll
shell32.dll
shdocvw.dll
sfc.dll
setupapi.dll
secur32.dll
scecli.dll
samlib.dll
rtutils.dll
rpcrt4.dll
regapi.dll
rasman.dll
rasdlg.dll
rasapi32.dll
query.dll
pstorec.dll
psapi.dll
printui.dll
powrprof.dll
pidgen.dll
pautoenr.dll
oleaut32.dll
oleacc.dll
ole32.dll
odbc32.dll
ocmanage.dll
ntmarta.dll
ntlsapi.dll
ntlanman.dll
ntdsapi.dll
ntdsa.dll
netshell.dll
netrap.dll
netplwiz.dll
netman.dll
netcfgx.dll
netapi32.dll
mswsock.dll
mssign32.dll
msrating.dll
msimg32.dll
msi.dll
mshtml.dll
msgina.dll
mscat32.dll
msacm32.dll
mprui.dll
mprapi.dll
mpr.dll
mobsync.dll
mlang.dll
lz32.dll
linkinfo.dll
keymgr.dll
kdcsvc.dll
iphlpapi.dll
inetcomm.dll
imm32.dll
imgutil.dll
imagehlp.dll
hnetcfg.dll
gdiplus.dll
gdi32.dll
esent.dll
efsadu.dll
duser.dll
dnsapi.dll
dhcpcsvc.dll
devmgr.dll
ddraw.dll
d3dxof.dll
cscdll.dll
cryptui.dll
crypt32.dll
credui.dll
comdlg32.dll
comctl32.dll
certcli.dll
cdfview.dll
cabinet.dll
browseui.dll
authz.dll
apphelp.dll
advpack.dll
activeds.dll
WinStationIsHelpAssistantSession
WinStationEnumerate_IndexedW
|UnlockUrlCacheEntryStream
UnlockUrlCacheEntryFileW
UnlockUrlCacheEntryFileA
SetUrlCacheEntryInfoW
SetUrlCacheEntryGroupW
SetUrlCacheConfigInfoA
RetrieveUrlCacheEntryStreamW
RetrieveUrlCacheEntryFileW
RetrieveUrlCacheEntryFileA
RegisterUrlCacheNotification
ReadUrlCacheEntryStream
LoadUrlCacheContent
IsHostInProxyBypassList
InternetShowSecurityInfoByURLW
InternetOpenUrlW
InternetOpenUrlA
InternetCreateUrlW
InternetCreateUrlA
InternetCrackUrlW
InternetCrackUrlA
InternetCombineUrlW
InternetCanonicalizeUrlW
InternetCanonicalizeUrlA
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoW
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestW
HttpEndRequestA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoExW
GetUrlCacheEntryInfoExA
GetUrlCacheEntryInfoA
GetUrlCacheConfigInfoW
GetUrlCacheConfigInfoA
FtpSetCurrentDirectoryW
FtpSetCurrentDirectoryA
FtpRenameFileA
FtpRemoveDirectoryA
FtpPutFileEx
FtpOpenFileW
FtpOpenFileA
FtpGetFileSize
FtpGetFileEx
FtpGetCurrentDirectoryW
FtpGetCurrentDirectoryA
FtpFindFirstFileW
FtpFindFirstFileA
FtpDeleteFileW
FtpDeleteFileA
FtpCreateDirectoryW
FtpCreateDirectoryA
FtpCommandA
FreeUrlCacheSpaceW
FindNextUrlCacheEntryW
FindNextUrlCacheEntryExW
FindNextUrlCacheEntryExA
FindNextUrlCacheEntryA
FindNextUrlCacheContainerW
FindNextUrlCacheContainerA
FindFirstUrlCacheEntryW
FindFirstUrlCacheEntryExW
FindFirstUrlCacheEntryExA
FindFirstUrlCacheEntryA
FindFirstUrlCacheContainerW
FindFirstUrlCacheContainerA
FindCloseUrlCache
DeleteUrlCacheGroup
DeleteUrlCacheEntryW
DeleteUrlCacheEntryA
DeleteUrlCacheContainerA
CreateUrlCacheGroup
CreateUrlCacheEntryW
CreateUrlCacheEntryA
CreateUrlCacheContainerW
CreateUrlCacheContainerA
CommitUrlCacheEntryW
CommitUrlCacheEntryA
|WinHttpSetTimeouts
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpOpenRequest
WinHttpOpen
WinHttpCrackUrl
WinHttpConnect
WinHttpCloseHandle
|UrlMkSetSessionOption
UrlMkGetSessionOption
URLOpenBlockingStreamW
URLDownloadToFileW
URLDownloadToCacheFileW
IsValidURL
GetMarkOfTheWeb
CreateURLMoniker
CoInternetParseUrl
CoInternetIsFeatureEnabledForUrl
CoInternetGetSecurityUrl
CoInternetCombineUrl
SceSetupUpdateSecurityKey
RasShareConnection
RasIsSharedConnection
DsMakePasswordCredentialsW
DsFreePasswordCredentials
|NetpUpgradePreNT5JoinInfo
NetUserChangePassword
NetUnjoinDomain
NetJoinDomain
NetGetJoinInformation
|SpcGetCertFromKey
GetCryptProvFromCert
FreeCryptProvFromCert
|ShowModelessHTMLDialog
MPRUI_DoPasswordDialog
PRShowSaveFromMsginaW
PRShowRestoreFromMsginaW
KRShowKeyMgr
GetUdpStatistics
GetTcpStatistics
|IcfGetOperationalMode
SetViewportOrgEx
SetViewportExtEx
JetMakeKey
CryptUIDlgViewCertificateW
CryptVerifyCertificateSignature
CryptSignAndEncodeCertificate
CryptMsgGetParam
CryptMsgGetAndVerifySigner
CryptMsgClose
CryptImportPublicKeyInfoEx
CryptImportPublicKeyInfo
CryptHashPublicKeyInfo
CryptExportPublicKeyInfo
CertVerifySubjectCertificateContext
CertVerifyCertificateChainPolicy
CertStrToNameW
CertSetCertificateContextProperty
CertRegisterPhysicalStore
CertRDNValueToStrW
CertOpenSystemStoreW
CertOpenStore
CertNameToStrW
CertGetPublicKeyLength
CertGetNameStringW
CertGetIssuerCertificateFromStore
CertGetEnhancedKeyUsage
CertGetCertificateContextProperty
CertGetCertificateChain
CertFreeCertificateContext
CertFreeCertificateChain
CertFreeCTLContext
CertFindSubjectInCTL
CertFindExtension
CertFindCertificateInStore
CertFindCTLInStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertDuplicateCTLContext
CertDeleteCertificateFromStore
CertCreateCertificateContext
CertCreateCTLContext
CertControlStore
CertCompareCertificateName
CertCloseStore
CertAddCertificateContextToStore
CredUICmdLinePromptForCredentialsW
SSSSh
PSSSSSSh
t.PSW
mem16.dll
ImpersonateNamedPipeClient
VWSSh
t.hlt
hypertrm.exe"
hypertrm.exe
.exr (exception record)
.cxr (context record)
serialui.dll
mekr386.exe
PVWSSh
SXS: %s() BaseDllMapResourceIdA failed
-. "%ls" %ld
(LRU) (Exe Name) (FileSize)
Total Entries = 0x%x
xpsp2res.dll
xpsp3res.dll
?456789:;<=
!"#$%&'()* ,-./0123
|CertAutoEnrollment
VSSHP
NtQueryValueKey
NtOpenKey
NtFlushKey
NtSetValueKey
NtCreateKey
NtEnumerateKey
NtEnumerateValueKey
RtlFormatCurrentUserKeyPath
NtQueryKey
NtDeleteValueKey
RtlGetProcessHeaps
NtCreateNamedPipeFile
NtSetThreadExecutionState
LdrQueryImageFileExecutionOptions
NtDelayExecution
NtYieldExecution
kernel32.pdb
0!1'1;1|1
;,<0<8<<<
67
2,242<2}2@3
: :$:(:,:0:4:8:<:
8 8$8(8,8084888<8
< <$<(<,<0<4<8<<<@<]<
$0(040:0
<%=`=[?~?
1!202<2|2
4 4$4(4,4044484
sShortDate
win.ini
.Config
.Manifest
\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
\Windows
\NLS\NlsSectionSortkey
\system32\Apphelp.dll
\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
ADVAPI32.DLL
\\.\MountPointManager
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters
hotkey.%u %s
wowexec.pif
cmd /c
hotkey.
setup.exe
\DosDevices\pipe\
\\.\pipe\
\REGISTRY\USER\.DEFAULT
WUSER32.DLL
~RF%4x.TMP
netmsg.dll
pipe\
c:\temp\
EmbdTrst.DLL
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
%ws%u\DosDevices\%ws
WINDOWS
\\?\GLOBALROOT
Application.Manifest
"/\[]:|<> =;,?
\REGISTRY\Machine\Software\Microsoft\Windows NT\currentVersion\Time Zones
\Registry\Machine\Software\Policies\Microsoft\Windows\System
AppCertDlls
tsappcmp.dll
\inifile.upd
t\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
DRMHeader.SubscriptionContentID
DRMHeader.ContentDistributor
DRMHeader.SECURITYVERSION
DRMHeader.CID
DRMHeader.LAINFO
DRMHeader.KID
LicenseStateData.Transfer.NONSDMI
LicenseStateData.Transfer.SDMI
LicenseStateData.Print.redbook
LicenseStateData.Play
ActionAllowed.Backup
ActionAllowed.Transfer.NONSDMI
ActionAllowed.Transfer.SDMI
ActionAllowed.Print.redbook
ActionAllowed.Play
BaseLAURL
Transfer.NONSDMI
Transfer.SDMI
Print.redbook
Software\Microsoft\Windows NT\CurrentVersion\Time Zones
TimeZoneKeyName
PendingFileRenameOperations%d
PendingFileRenameOperations
%s\system32\
\system32\faultrep.dll
mwowcmdline
cmdline
CONSOLE.DLL
conime.exe
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console
\INF\INTL.INF
DNSAPI.DLL
cfgmgr32.dll
The operation completed successfully.
Not enough storage is available to complete this operation.
The process cannot access the file because another process has locked a portion of the file.
The request is not supported.
Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.
The specified server cannot perform the requested operation.
The specified network password is not correct.
The pipe has been ended.
The system does not support the command requested.
This function is not supported on this system.
The data area passed to a system call is too small.
Attempt to use a file handle to an open disk partition for an operation other than raw disk I/O.
A JOIN or SUBST command cannot be used for a drive that contains previously joined drives.
An attempt was made to use a JOIN or SUBST command on a drive that has already been joined.
An attempt was made to use a JOIN or SUBST command on a drive that has already been substituted.
The system tried to delete the JOIN of a drive that is not joined.
The system tried to join a drive to a directory on a joined drive.
The system tried to join a drive to a directory on a substituted drive.
The system tried to SUBST a drive to a directory on a joined drive.
The system cannot perform a JOIN or SUBST at this time.
The system cannot join or substitute a drive to or for a directory on the same drive.
An attempt was made to join or substitute a drive for which a directory on the drive is the target of a previous substitute.
System trace information was not specified in your CONFIG.SYS file, or tracing is disallowed.
DosMuxSemWait did not execute; too many semaphores are already set.
The file system does not support atomic changes to the lock type.
The operating system cannot run %1.
The flag passed is not correct.
The operating system cannot run this application program.
The operating system is not presently configured to run this application.
The pipe state is invalid.
All pipe instances are busy.
The pipe is being closed.
No process is on the other end of the pipe.
The wait operation timed out.
The mounted file system does not support extended attributes.
The volume is too fragmented to complete this operation.
There is a process on other end of the pipe.
Waiting for a process to open the other end of the pipe.
The I/O operation has been aborted because of either a thread exit or an application request.
Overlapped I/O operation is in progress.
Error performing inpage operation.
The requested operation cannot be performed in full-screen mode.
The configuration registry key is invalid.
The configuration registry key could not be opened.
The configuration registry key could not be read.
The configuration registry key could not be written.
An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, or write out, or flush, one of the files that contain the system's image of the registry.
Illegal operation attempted on a registry key that has been marked for deletion.
Cannot create a symbolic link in a registry key that already has subkeys or values.
Cannot create a stable subkey under a volatile parent key.
The account name is invalid or does not exist, or the password is invalid for the account name specified.
The executable program that this service is configured to run in does not implement the service.
A serial I/O operation was completed by another write to the serial port.
A serial I/O operation completed because the timeout period expired.
The floppy disk controller reported an error that is not recognized by the floppy disk driver.
While accessing the hard disk, a recalibrate operation failed, even after retries.
While accessing the hard disk, a disk operation failed even after retries.
An attempt was made to create more links on a file than the file system supports.
The specified program requires a newer version of Windows.
The specified program is not a Windows or MS-DOS program.
The specified program was written for an earlier version of Windows.
No application is associated with the specified file for this operation.
The message can be used only with synchronous operations.
The device has indicated that cleaning is required before further operations are attempted.
There was no match for the specified key in the index.
The point passed to GetMouseMovePoints is not in the buffer.
The format of the specified password is invalid.
The operation was canceled by the user.
The requested operation cannot be performed on a file with a user-mapped section open.
The network transport endpoint already has an address associated with it.
An operation was attempted on a nonexistent network connection.
An invalid operation was attempted on an active network connection.
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
No service is operating at the destination network endpoint on the remote system.
The operation could not be completed. A retry should be performed.
The network address could not be used for the operation requested.
The operation being requested was not performed because the user has not been authenticated.
The operation being requested was not performed because the user has not logged on to the network.
An attempt was made to perform an initialization operation when initialization has already been completed.
This operation is supported only when you are connected to the server.
This operation is not supported on a Microsoft Small Business Server
The remote system is not available. For information about network troubleshooting, see Windows Help.
Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
KDC certificate during smartcard logon.
The smartcard certificate used for authentication has been revoked.
An untrusted certificate authority was detected While processing the
smartcard certificate used for authentication. Please contact your system
The revocation status of the smartcard certificate used for
The smartcard certificate used for authentication was not trusted. Please
The smartcard certificate used for authentication has expired. Please
A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.
No encryption key is available. A well-known encryption key was returned.
The password is too complex to be converted to a LAN Manager password. The LAN Manager password returned is a NULL string.
An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
Unable to update the password. The value provided as the current password is incorrect.
Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
Logon failure: unknown user name or bad password.
Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
Logon failure: the specified account password has expired.
Unable to perform a security operation on an object that has no associated security.
The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.
The domain was in the wrong state to perform the security operation.
This operation is only allowed for the Primary Domain Controller of the domain.
Unable to complete the requested operation because of either a catastrophic media failure or a data structure corruption on the disk.
The logon session is not in a state that is consistent with the requested operation.
Unable to impersonate using a named pipe until data has been read from that pipe.
The transaction state of a registry subtree is incompatible with the requested operation.
Cannot perform this operation on built-in accounts.
Cannot perform this operation on this built-in special group.
Cannot perform this operation on this built-in special user.
A cross-encrypted password is necessary to change a user password.
A cross-encrypted password is necessary to change this user password.
There is no user session key for the specified logon session.
Mutual Authentication failed. The server's password is out of date at the domain controller.
This operation can not be performed on the current domain.
Hot key is already registered.
Class still has open windows.
Hot key is not registered.
This list box does not support tab stops.
Child windows cannot have menus.
All handles to windows in a multiple-window position structure must have the same parent.
The paging file is too small for this operation to complete.
Invalid keyboard layout handle.
This operation requires an interactive window station.
This operation returned because the timeout period expired.
The event log file has changed between read operations.
The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
The configuration data for this product is corrupt. Contact your support personnel.
This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
SQL query syntax invalid or unsupported.
This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.
This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.
There was an error starting the Windows Installer service user interface. Contact your support personnel.
The language of this installation package is not supported by your system.
Function could not be executed.
Function failed during execution.
Data of this type is not supported.
The Windows Installer service failed to start. Contact your support personnel.
This installation package is not supported by this processor type. Contact your product vendor.
This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package cannot be processed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
Invalid command line argument. Consult the Windows Installer SDK for detailed command line help.
The requested operation completed successfully. The system will be restarted so the changes can take effect.
The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer an
The RPC protocol sequence is not supported.
Not enough resources are available to complete this operation.
The RPC server is too busy to complete this operation.
The remote procedure call failed and did not execute.
The transfer syntax is not supported by the RPC server.
The universal unique identifier (UUID) type is not supported.
The name syntax is not supported.
The server endpoint cannot perform the operation.
No interfaces have been exported.
There is nothing to unexport.
The requested operation is not supported.
A floating-point operation at the RPC server caused a division by zero.
A null context handle was passed from the client to the host during a remote procedure call.
The binding handles passed to a remote procedure call do not match.
A null reference pointer was passed to the stub.
The supplied user buffer is not valid for the requested operation.
The specified port is unknown.
The requested authentication level is not supported.
The error specified is not a valid Windows RPC error code.
Invalid operation on the encoding/decoding handle.
The RPC pipe object is invalid or corrupted.
An invalid operation was attempted on an RPC pipe object.
Unsupported RPC pipe version.
The user's password must be changed before logging on the first time.
The object exporter specified was not found.
Invalid asynchronous RPC call handle for this operation.
The RPC pipe object has already been closed.
The RPC call completed before all pipes were processed.
No more data is available from the RPC pipe.
Not all object UUIDs could be exported to the specified entry.
Interface could not be exported to the specified entry.
The window style or class attribute is invalid for this operation.
The requested metafile operation is not supported.
The requested transformation operation is not supported.
The requested clipping operation is not supported.
The network connection was made successfully, but the user had to be prompted for a password other than the one originally specified.
The requested operation is not allowed when there are jobs queued to the printer.
The requested operation is successful. Changes will not be effective until the system is rebooted.
The requested operation is successful. Changes will not be effective until the service is restarted.
The importation from the file failed.
The GUID passed was not recognized as valid by a WMI data provider.
The instance name passed was not recognized as valid by a WMI data provider.
The data item ID passed was not recognized as valid by a WMI data provider.
The medium currently exists in an offline library and must be online to perform this operation.
The operation cannot be performed on an offline library.
The library, drive, or media pool must be empty to perform this operation.
A resource required for this operation is disabled.
The drive cannot be cleaned or does not support cleaning.
The resource required for this operation does not exist.
The operation identifier is not valid.
The operator or administrator has refused the request.
The transport cannot access the medium.
Unable to retrieve status about the transport.
Cannot use the transport because it is already in use.
Unable to open or close the inject/eject port.
The media type cannot be removed from this library since at least one drive in the library reports it can support this media type.
The remote storage service is not operational at this time.
A cluster node is not available for this operation.
The operation could not be completed because the cluster group is not online.
The operation could not be completed because the cluster resource is online.
The group or resource is not in the correct state to perform the requested operation.
A cluster network is not available for this operation.
All cluster nodes must be running to perform this operation.
A node is in the process of joining the cluster.
A cluster join operation is not in progress.
This operation cannot be performed on the cluster resource as it the quorum resource. You may not bring the quorum resource offline or modify its possible owners list.
The cluster node is not ready to perform the requested operation.
The cluster join operation was aborted.
The cluster join operation failed due to incompatible software versions between the joining node and its sponsor.
The system configuration changed during the cluster join or form operation. The join or form operation was aborted.
The specified node does not support a resource of this type. This may be due to version inconsistencies or due to the absence of the resource DLL on this node.
The specified resource name is not supported by this resource DLL. This may be due to a bad (or changed) name supplied to the resource DLL.
The join operation failed because the cluster database sequence number has changed or is incompatible with the locker node. This may happen during a join operation if the cluster database was changing during the join.
The resource monitor will not allow the fail operation to be performed while the resource is in its current state. This may happen if the resource is in a pending state.
An operation was attempted that is incompatible with the current membership state of the node.
The join operation failed because the cluster instance ID of the joining node does not match the cluster instance ID of the sponsor node.
This computer cannot be made a member of a cluster because it does not have the correct version of Windows installed.
There are no EFS keys defined for the user.
The specified file is not in the defined EFS export format.
The server is not trusted for remote encryption operation.
Recovery policy configured for this system contains invalid recovery certificate.
The encryption algorithm used on the source file needs a bigger key buffer than the one on the destination file.
The disk partition does not support file encryption.
A registry key for event logging could not be created for this session.
A close operation is pending on the session.
The MODEM.INF file was not found.
The modem name was not found in MODEM.INF.
Transport driver error
The requested operation cannot be completed because the terminal connection is currently busy processing a connect, disconnect, reset, or delete operation.
An attempt has been made to connect to a session whose video mode is not supported by the current client.
DOS graphics mode is not supported.
The requested operation can be performed only on the system console.
Disconnecting the console session is not supported.
Reconnecting a disconnected session to the console is not supported.
The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.
The requested operation could not be performed because the directory service is not the master for that type of operation.
The requested operation did not satisfy one or more constraints associated with the class of the object.
The directory service can perform the requested operation only on a leaf object.
The directory service cannot perform the requested operation on the RDN attribute of an object.
The requested cross-domain move operation could not be performed.
An operations error occurred.
The requested authentication method is not supported by the server.
The server does not support the requested critical extension.
The operation affects multiple DSAs
The server is not operational.
The specified method is not supported.
The specified control is not supported by the server.
The add replica operation cannot be performed. The naming context must be writable in order to create the replica.
The attribute specified in the operation is not present on the object.
Illegal modify operation. Some aspect of the modification is not permitted.
The operation must be performed at a master DSA.
The operation could not be performed because the object's parent is either uninstantiated or deleted.
The operation cannot be performed because child objects exist. This operation can only be performed on a leaf object.
The operation is out of scope.
The operation cannot continue because the object is in the process of being removed.
The operation can only be performed on an internal master DSA object.
Insufficient access rights to perform the operation.
The operation cannot be performed on a back link.
The operation could not be performed because the directory service is shutting down.
The requested FSMO operation failed. The current FSMO holder could not be contacted.
Subtree notifications are only supported on NC heads.
The requested delete operation could not be performed.
The global catalog verification failed. The global catalog is not available or does not support the operation. Some part of the directory is currently not available.
The replication operation failed because of a schema mismatch between the servers involved.
The operation cannot replace the hidden record.
This directory server is shutting down, and cannot take ownership of new floating single-master operation roles.
The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
The directory service was unable to transfer ownership of one or more floating single-master operation roles to other servers.
The replication operation failed.
An invalid parameter was specified for this replication operation.
The directory service is too busy to complete the replication operation at this time.
The distinguished name specified for this replication operation is invalid.
The naming context specified for this replication operation is invalid.
The distinguished name specified for this replication operation already exists.
The replication operation encountered a database inconsistency.
The server specified for this replication operation could not be contacted.
The replication operation encountered an object with an invalid instance type.
The replication operation failed to allocate memory.
The replication operation encountered an error with the mail system.
The replication operation encountered a database error.
The requested operation is not supported by this version of the directory service.
The replication operation failed due to a collision of object names.
The replication operation failed because a required parent object is missing.
The replication operation was preempted.
The replication operation was terminated because the system is shutting down.
The server specified for this replication operation was contacted, but that server was unable to contact an additional server needed to complete the operation.
The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer. You must upgrade the operating system on a domain controller in the source forest before this computer can be added as a domain controller to that forest.
The requested operation requires a directory service, and none was available.
The requested search operation is only supported for base searches.
The schema update operation tried to add a backward link attribute that has no corresponding forward link.
Source and destination for the cross-domain move operation are identical. Caller should use local move operation instead of cross-domain move operation.
Another operation which requires exclusive access to the PDC FSMO is already in progress.
A cross-domain move operation failed such that two versions of the moved object exist - one each in the source and destination domains. The destination object needs to be removed to restore the system to a consistent state.
The directory cannot validate the proposed naming context name because it does not hold a replica of the naming context above the proposed naming context. Please ensure that the domain naming master role is held by a server that is configured as a global catalog server, and that the server is up to date with its replication partners. (Applies only to Windows 2000 Domain Naming masters)
The operation can not be performed because the server does not have an infrastructure container in the domain of interest.
The replica/child install failed to read the objectVersion attribute in the SCHEMA section of the file schema.ini in the system32 directory.
Only DSAs configured to be Global Catalog servers should be allowed to hold the Domain Naming Master FSMO role. (Applies only to Windows 2000 servers)
The DSA operation is unable to proceed because of a DNS lookup failure.
The object requested was not found, but an object with that key was found.
The syntax of the linked attribute being added is incorrect. Forward links can only have syntax 2.5.5.1, 2.5.5.7, and 2.5.5.14, and backlinks can only have syntax 2.5.5.1
Security Account Manager needs to get the boot password.
Security Account Manager needs to get the boot key from floppy disk.
The operation requires that destination domain auditing be enabled.
The operation couldn't locate a DC for the source domain.
The replication operation could not be completed due to a schema incompatibility.
The replication operation could not be completed due to a previous schema incompatibility.
The replication update could not be applied because either the source or the destination has not yet received information regarding a recent cross-domain move operation.
The requested operation can be performed only on a global catalog server.
The operation requires that source domain auditing be enabled.
A Filter was passed that uses constructed attributes.
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
For security reasons, the operation must be run on the destination DC.
Critical Directory Service System objects cannot be deleted during tree delete operations. The tree delete may have been partially performed.
This version of Windows is too old to support the current directory forest behavior. You must upgrade the operating system on this server before it can become a domain controller in this forest.
This version of Windows is too old to support the current domain behavior. You must upgrade the operating system on this server before it can become a domain controller in this domain.
This version of Windows no longer supports the behavior version in use in this directory forest. You must advance the forest behavior version before this server can become a domain controller in the forest.
This version of Windows no longer supports the behavior version in use in this domain. You must advance the domain behavior version before this server can become a domain controller in the domain.
The version of Windows is incompatible with the behavior version of the domain or forest.
The sort order requested is not supported.
Unable to continue operation because multiple conflicting controls were used.
Rename or move operations on naming context heads or read-only objects are not allowed.
Move operations on objects in the schema naming context are not allowed.
The requested action is not supported on standard server.
The directory service cannot perform the requested operation because the servers
Operation not allowed on a disabled cross ref.
Schema update failed: Duplicate msDS-INtId. Retry the operation.
The remote create cross reference operation failed on the Domain Naming Master FSMO. The operation's error is in the extended data.
DNS request not supported by name server.
DNS operation refused.
DNS bad key.
Try DNS operation again later.
The operation requested is not permitted on a DNS root server.
Invalid operation for DNS zone.
The operation cannot be performed because this zone is shutdown.
TCP/IP network protocol not installed.
A blocking operation was interrupted by a call to WSACancelBlockingCall.
A non-blocking socket operation could not be completed immediately.
A blocking operation is currently executing.
An operation was attempted on a non-blocking socket that already had an operation in progress.
An operation was attempted on something that is not a socket.
A required address was omitted from an operation on a socket.
A protocol was specified in the socket function call that does not support the semantics of the socket type requested.
An unknown, invalid, or unsupported option or level was specified in a getsockopt or setsockopt call.
The support for the specified socket type does not exist in this address family.
The attempted operation is not supported for the type of object referenced.
Only one usage of each socket address (protocol/network address/port) is normally permitted.
A socket operation encountered a dead network.
A socket operation was attempted to an unreachable network.
The connection has been broken due to keep-alive activity detecting a failure while the operation was in progress.
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
A socket operation failed because the destination host was down.
A socket operation was attempted to an unreachable host.
A Windows Sockets implementation may have a limit on the number of applications that may use it simultaneously.
The Windows Sockets version requested is not supported.
The specified transport mode filter already exists.
The specified transport mode filter does not exist.
The requested lookup key was not found in any active activation context.
The transport filter is pending deletion.
IKE failed to find valid machine certificate
Certificate Revocation Check failed
Invalid certificate key usage
Invalid certificate type
No private key associated with machine certificate
Peer's certificate did not have a public key
Error processing Cert payload
Error processing Certificate Request payload
Peer failed to send valid machine certificate
Certification Revocation check of peer's certificate failed
Failed to load SECURITY.DLL.
Unsupported ID
Invalid certificate signature
The lifetime value received in the Responder Lifetime Notify is below the Windows 2000 configured minimum value. Please fix the policy on the peer machine.
Key length in certificate is too small for configured security requirements.
Lack of system resources has required isolated activation to be disabled for the current thread of execution.
Manifest Parse Error : System does not support the specified encoding.
Manifest Parse Error : Switch from current encoding to specified encoding not supported.
Assembly Protection Error : The public key for an assembly was too short to be allowed.
The storage operation should block until more data is available.
The storage operation should retry immediately.
The notified event sink will not influence the storage operation.
Drag-drop operation canceled
FORMATETC not supported
Invalid window handle passed
An asynchronous operation was specified. The operation has begun, but its outcome is not known yet.
The transaction was successfully aborted. However, this is a coordinated transaction, and some number of enlisted resources were aborted outright because they could not support abort-retaining semantics
An abort operation was already in progress.
No such interface supported
Operation aborted
The data necessary to complete this operation is not yet available.
Use of Ole1 services requiring DDE windows is disabled
The server process could not be started because the configured identity is incorrect. Check the username and password.
The operation attempted is not supported.
Unable to complete the call since there is no COM  security context inside IObjectControl.Activate.
The callee (server [not server application]) is not available and disappeared; all connections are invalid. The call may have executed.
The callee (server [not server application]) is not available and disappeared; all connections are invalid. The call did not execute.
Impersonate on unsecure calls is not supported.
Unable to obtain the Windows directory
The version of ACL format in the stream is not supported by this implementation of IAccessControl
Does not support a collection.
Wrong module kind for the operation.
Unable to perform requested operation.
Attempted an operation on an invalid object.
There is insufficient memory available to complete operation.
An error occurred during a seek operation.
A disk error occurred during a write operation.
A disk error occurred during a read operation.
There is insufficient disk space to complete operation.
Share.exe or equivalent is required for operation.
Illegal operation called on non-file based storage.
Illegal operation called on object with extant marshallings.
OLE32.DLL has been loaded at the wrong address.
Copy Protection Error - The given sector does not have a valid CSS key.
Copy Protection Error - DVD session key not established.
Need to run the object to perform this operation
There is no cache to operate on
Object is static; operation not allowed
compobj.dll is too old for the ole2.dll initialized
Not able to perform the operation because object is not given storage yet
Object doesn't support IViewObject interface
Class does not support aggregation (or class object is remote)
Could not read key from registry
Could not write key to registry
Could not find the key in the registry
A network error interrupted the operation.
There was an error in a Windows GDI call while converting the bitmap to a DIB
There was an error in a Windows GDI call while converting the DIB to a bitmap.
Operation exceeded deadline
Operation unavailable
Intermediate operation failed
User input required for operation to succeed
COM  is required for this operation, but is not installed
Task Scheduler security services are available only on Windows NT.
The task object version is either unsupported or invalid.
The task has been configured with an unsupported combination of account settings and run time options.
A retaining commit or abort is not supported
The requested isolation level is not valid or supported.
The transaction manager doesn't support an asynchronous operation for this method.
The requested semantics of retention of isolation across retaining commit and abort boundaries cannot be supported by this transaction implementation, or isoFlags was not equal to zero.
An import object for the transaction could not be found.
A time-out was specified, but time-outs are not supported.
The requested operation is already in progress for the transaction.
The Transaction Manager has disabled its support for TIP.
The transaction manager has disabled its support for remote/network transactions.
The partner transaction manager has disabled its support for remote/network transactions.
The transaction manager has disabled its support for XA transactions.
The requested operation requires that JIT be in the current context and it is not
The requested operation requires that the current context have a Transaction, and it does not
Server execution failed
Bad Key.
Key not valid for use in specified state.
Key does not exist.
Insufficient memory available for the operation.
Provider's public key is invalid.
Keyset does not exist
The keyset is not defined.
Keyset as registered is invalid.
The Keyset parameter is invalid.
The key parameters could not be set because the CSP uses fixed parameters.
The function requested is not supported
The per-message Quality of Protection is not supported by the security package
The certificate chain was issued by an authority that is not trusted.
An unknown error occurred while processing the certificate.
The received certificate has expired.
The other end of the security negotiation is requires strong crypto but it is not supported on the local machine.
The client cert name does not matches the user name or the KDC name is incorrect.
The encryption type requested is not supported by the KDC.
An unsupported preauthentication mechanism was presented to the kerberos package.
The requested operation requires delegation to be enabled on the machine.
The received certificate was mapped to multiple accounts.
SEC_E_NO_KERB_KEY
An error occurred while performing an operation on a cryptographic message.
The streamed cryptographic message requires more data to complete the decode operation.
An error occurred during encode or decode operation.
The specified certificate is self signed.
The previous certificate or CRL context was deleted.
The certificate does not have a property that references a private key.
Cannot find the certificate and private key for decryption.
Cannot find the certificate and private key to use for decryption.
The certificate is revoked.
No Dll or exported function was found to verify revocation.
The revocation function was unable to check revocation for the certificate.
The certificate is not in the revocation server's database.
The string contains an invalid X500 name attribute key, oid, value or delimiter.
The dwValueType for the CERT_NAME_VALUE is not one of the character strings. Most likely it is either a CERT_RDN_ENCODED_BLOB or CERT_TDN_OCTED_STRING.
The Put operation can not continue. The file needs to be resized. However, there is already a signature present. A complete signing operation must be done.
The cryptographic operation failed due to a local security option setting.
No DLL or exported function was found to verify subject usage.
The subject was not found in a Certificate Trust List (CTL).
None of the signers of the cryptographic message or certificate trust list is trusted.
The public key's algorithm parameters are missing.
OSS Certificate encode/decode error code base
OSS ASN.1 Error: Unsupported BER indefinite-length encoding.
ASN1 Certificate encode/decode error code base.
ASN1 function not supported for this PDU.
The request's current status does not allow this operation.
The certification authority's certificate contains invalid data.
Certificate service has been suspended for a database restore operation.
The certificate contains an encoded length that is potentially incompatible with older enrollment software.
The operation is denied. The user has multiple roles assigned and the certification authority is configured to enforce role separation.
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.
Cannot archive private key. The certification authority is not configured for key archival.
Cannot archive private key. The certification authority could not verify one or more key recovery certificates.
The request is incorrectly formatted. The encrypted private key must be in an unauthenticated attribute in an outermost signature.
The request contains an invalid renewal certificate attribute.
An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions.
The permissions on this certification authority do not allow the current user to enroll for certificates.
The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
The requested certificate template is not supported by this CA.
The request contains no certificate template information.
The request is missing a required private key for archival by the server.
The request was made on behalf of a subject other than the caller. The certificate template must be configured to require at least one signature to authorize the request.
The request template version is newer than the supported template version.
The request includes a private key for archival by the server, but key archival is not enabled for the specified certificate template.
The public key does not meet the minimum size required by the specified certificate template.
The key is not exportable.
You cannot add the root CA certificate into your local store.
The key archival hash attribute was not found in the response.
An unexpetced key archival hash attribute was found in the response.
There is a key archival hash mismatch between the request and the response.
Signing certificate cannot include SMIME extension.
The certificate for the signer of the message is invalid or not found.
The signature of the certificate can not be verified.
The timestamp signature and/or certificate could not be verified or is malformed.
A certificate's basic constraint extension has not been observed.
The certificate does not meet or contain the Authenticode financial extensions.
The file did not pass the hints check.
Failed on a file operation (open, map, read, write).
The trust verification action specified is not supported by the specified trust provider.
The form specified for the subject is not one supported or known by the specified trust provider.
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
The validity periods of the certification chain do not nest correctly.
A certificate that can only be used as an end-entity is being used as a CA or visa versa.
A path length constraint in the certification chain has been violated.
A certificate contains an unknown extension that is marked 'critical'.
A certificate being used for a purpose other than the ones specified by its CA.
A parent of a given certificate in fact did not issue that child certificate.
A certificate is missing or has an empty value for an important field, such as a subject or issuer name.
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
An internal certificate chaining error has occurred.
A certificate was explicitly revoked by its issuer.
The certification path terminates with the test root which is not trusted with the current policy settings.
The revocation process could not continue - the certificate(s) could not be checked.
The certificate's CN name does not match the passed value.
The certificate is not valid for the requested usage.
The certificate was explicitly marked as untrusted by the user.
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
The certificate has invalid policy.
The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded.
The requested device registry key does not exist.
The operation cannot be performed on a device information element that has not been registered.
The operation does not require any files to be copied.
The operation cannot be performed because the device information set is locked.
The operation cannot be performed because the device information element is locked.
The operation cannot be performed because the file queue is locked.
The operation cannot be performed because the device interface is currently active.
The operation cannot be performed because the device interface has been removed from the system.
The driver selected for this device does not support Windows XP.
The driver selected for this device does not support Windows.
Operation not allowed in WOW64.
The operation involving unsigned file copying was rolled back, so that a system restore point could be set.
An INF was copied into the Windows INF directory in an improper manner.
The operation requires a Smart Card, but no Smart Card is currently in the device.
The operation has been aborted to allow the server application to exit.
The reader driver does not meet minimal requirements for support.
The smart card does not meet minimal requirements for support.
The requested order of object creation is not supported.
This smart card does not support the requested feature.
The requested certificate does not exist.
The requested certificate could not be obtained.
A communications error with the smart card has been detected. Retry the operation.
The requested key container does not exist on the smart card.
The identity or password set on the application is not valid
The DLL does not support the components listed in the TypeLib
The server catalog version is not supported
This operation can not be performed on the system application
This operation is not enabled on this platform
Application Proxy is not exportable
System application is not exportable
Can not subscribe to this component (the component may have been imported)
The partition cannot be exported, because one or more components in the partition have the same file name
Applications that contain one or more imported components cannot be installed into a non-base partition
The COM  Catalog Server threw an exception during execution
MSMQ is required for the requested operation and is not installed
Unable to marshal an interface that does not support IPersistStream
The ProgID provided to the copy operation is invalid. The ProgID is in use by another registered CLSID.
Only Application Files (*.MSI files) can be installed into partitions.
Applications containing one or more legacy components may not be exported to 1.0 format.
The SID filtering operation removed all SIDs.
Windows NT BASE API Client DLL
5.1.2600.5512 (xpsp.080413-2111)
Windows
Operating System
5.1.2600.5512
$$$$Guinea$Republic of Guinea)$$$$Guyana$Cooperative Republic of Guyana
$$$$Panama$Republic of Panama $$$$Portugal$Portuguese Republic:$$$$Papua New Guinea$Independent State of Papua New Guinea
$$$$Turkey$Republic of Turkey
$$$860 (OEM - Portuguese)
Portuguese (Brazil)$Brazil $$$1047 (IBM EBCDIC - Latin-1/Open System)
Turkish$Turkey
Portuguese (Portugal)$Portugal

msdcsc.exe_1780_rwx_00B90000_00097000:


.text
`.data
.rsrc
@.reloc
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
ADVAPI32.dll
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
CryptExportKey
CryptGenKey
CryptGetKeyParam
CryptGetUserKey
CryptHashSessionKey
CryptImportKey
CryptSetKeyParam
ElfReportEventA
ElfReportEventW
EncryptedFileKeyInfo
FreeEncryptedFileKeyInfo
FreeEncryptionCertificateHashList
GetEventLogInformation
GetMultipleTrusteeOperationA
GetMultipleTrusteeOperationW
GetServiceKeyNameA
GetServiceKeyNameW
GetWindowsAccountDomainSid
ImpersonateNamedPipeClient
MSChapSrvChangePassword
MSChapSrvChangePassword2
QueryWindows31FilesMigration
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegCreateKeyExW
RegCreateKeyW
RegDeleteKeyA
RegDeleteKeyW
RegEnumKeyA
RegEnumKeyExA
RegEnumKeyExW
RegEnumKeyW
RegFlushKey
RegGetKeySecurity
RegLoadKeyA
RegLoadKeyW
RegNotifyChangeKeyValue
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyW
RegOverridePredefKey
RegQueryInfoKeyA
RegQueryInfoKeyW
RegReplaceKeyA
RegReplaceKeyW
RegRestoreKeyA
RegRestoreKeyW
RegSaveKeyA
RegSaveKeyExA
RegSaveKeyExW
RegSaveKeyW
RegSetKeySecurity
RegUnLoadKeyA
RegUnLoadKeyW
ReportEventA
ReportEventW
SaferiIsExecutableFileType
SetUserFileEncryptionKey
SynchronizeWindows31FilesAndWindowsNTRegistry
WmiExecuteMethodA
WmiExecuteMethodW
PSSSSSSh
PSSSSSSh#
PSSSSSSh
PSSSSSSh
(PSSSSSSh
0PSSSSSSh
8PSSSSSSh
wSSSSSSh
PSSSSSSh!
CPDuplicateKey
CPGetUserKey
CPHashSessionKey
CPImportKey
CPExportKey
CPGetKeyParam
CPSetKeyParam
CPDestroyKey
CPDeriveKey
CPGenKey
kernel32.dll
PSSSh
PSShZ
CloseWindowStation
GetProcessWindowStation
MsgWaitForMultipleObjects
8.YYu
TermsrvSetKeySecurity
TermsrvRestoreKey
TermsrvDeleteKey
TermsrvSetValueKey
tsappcmp.dll
Windows Setup
user32.dll
sndrec32.exe
soundrec.exe
packgr32.exe
packager.exe
mplay32.exe
mplayer.exe
mciole16.dll
mciole.dll
$Microsoft Root Certificate Authority
Windows 3.1 Migration
t%SVW)E
mpr.dll
Unable to locate init routine, error = %d
Unable to load client dll, error = %d
ldap_msgfree
1.2.840.113556.1.4.529
wldap32.dll
SamiChangePasswordUser2
SamiChangePasswordUser
SetProcessWindowStation
OpenWindowStationW
It.Iu
PSShL
t.Ht#Ht Ht
ShellExecuteExW
AccProvGetOperationResults
AccProvCancelOperation
WINREG: Frame %d = 0x%x
Frames %d
WINREG: Name: %S
WINREG: Unable to retrieve object name error 0x%x
WINREG: Tracked key data for object 0x%x
imagehlp.dll
SSSSSh
WINTRUST.dll
Secur32.dll
ntdll.dll
GetWindowsDirectoryW
GetSystemWindowsDirectoryW
SetNamedPipeHandleState
GetProcessHeap
WaitNamedPipeW
NtQueryKey
NtEnumerateKey
RtlFormatCurrentUserKeyPath
NtNotifyChangeKey
NtDeleteValueKey
NtEnumerateValueKey
NtDeleteKey
NtQueryValueKey
NtSetValueKey
NtOpenKey
NtCreateKey
NtFlushKey
NtLoadKey
NtUnloadKey
NtReplaceKey
NtNotifyChangeMultipleKeys
NtQueryMultipleValueKey
NtRestoreKey
NtSaveKey
NtSaveMergedKeys
NtSaveKeyEx
advapi32.pdb
0p.yx
%x~O>
%D$#>
7,7<7\7}7
9#:*:@:{:
3 3%3.3=3
8$9(90949@9
1&2,263@3
:,:0:<:_:
3 3$303;3
3M4H4Z4`4e4
3"3'333<3
<"<)
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer
\Software\Policies\Microsoft\Windows\Safer
\UrlZones
%HKEY_CURRENT_USER
\PIPE\
NTMARTA.DLL
%SystemRoot%\
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%s\u
REG.DAT
Windows 3.1 Migration Status
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
t\\.\pipe\net\NtControlPipe
lX-X-X-XX-XXXXXX
\\.\WMIDataDevice
Software\Microsoft\Windows\CurrentVersion\Group Policy\Appmgmt
nuser32.dll
msi.dll
\PIPE\InitShutdown
.u
system.ini
reg.dat
%SystemRoot%\Debug\UserMode\appmgmt.log
%SystemRoot%\Debug\UserMode\appmgmt.bak
%HKEY_LOCAL_MACHINE
%s%s%d%s%s%s%s%s%s%s{lx-x-x-xx-xxxxxx}
certificate
%SystemRoot%\System32\Drivers\
\pipe\svcctl
Group%d
ncacn_ip_tcp
UrlZones
DisallowExecution
iphlpapi.dll
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
perfh004.dat
perfc004.dat
progman.ini
SoftWare\Microsoft\Windows NT\CurrentVersion\Program Manager\Settings
SoftWare\Microsoft\Windows NT\CurrentVersion\Program Manager\UNICODE Groups
Windows NT Network Provider
\\.\Pipe\TerminalServer\SystemExecSrvr\%d
W\winsta.dll
feclient.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
samlib.dll
SupportUrl
Wshell32.dll
CEvents::Report called with more params then expected!
APPMGMT (%x.%x) d:d:d:d
appmgmts.dll
%s_%d
{x-x-x-xx-xxxxxx}
setupapi.dll
%ws\%u
\\.\%s
\Registry\Machine\Hardware\DeviceMap\Scsi\Scsi Port %d\Scsi Bus %d\Target ID %d\Logical Unit Id %d
\Device\Harddisk%d\Partition0
\\.\PhysicalDrive%d
W%s\%s
\Device\Video%d
DefaultSettings.YResolution
DefaultSettings.XResolution
DefaultSettings.VRefresh
DefaultSettings.BitsPerPel
HardwareInformation.BiosString
HardwareInformation.AdapterString
HardwareInformation.DacType
HardwareInformation.ChipType
HardwareInformation.MemorySize
SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3
PerfDbg.Etl
C:\perfdbg.etl
$winnt$.inf
Export
ncacn_nb_tcp
\PIPE\winreg
\SystemRoot\system32\perf0000.dat
\SystemRoot\system32\prf00000.dat
Advanced Windows 32 Base API
5.1.2600.5512 (xpsp.080413-2113)
advapi32.dll
Windows
Operating System
5.1.2600.5512
An exception occurred while performing Windows 3.1 migration. Some data
The entire contents of %1 was migrated into the Windows NT registry.
Windows NT registry.
the Windows NT registry.
The contents of the Windows 3.X Program Manager group file %1 was not
migrated into the Windows NT registry, as a group of that name, %2,
Contents of %1 migrated to the Windows NT registry.
Unable to migrate all or part of the %1 file into the Windows NT registry.
Unable to migrate all or part of the %1 section of %2 into the Windows
into the Windows NT registry.
Unable to load the contents of the Windows 3.1 Program Manager group file %1.
Error Code was %2. Group not migrated to the Windows NT registry.
Unable to convert the contents of the Windows 3.1 Program Manager group
file %1. into the Windows NT format. Error Code was %2. Group not
migrated to the Windows NT registry.
Unable to migrate all or part of %1 to the Windows NT registry.
the Windows NT registry. It is incompatible with Windows NT.
Allows programs to execute with only access to resources granted to open well-known groups, blocking access Administrator and Power User privileges, and personally granted rights.
Software cannot access certain resources, such as cryptographic keys and credentials, regardless of the access rights of the user.
Allows programs to execute as a user that does not have Administrator or Power User access rights, but can still access resouces accessible by normal users.

msdcsc.exe_1780_rwx_025D0000_00001000:


%S^aZX

msdcsc.exe_1780_rwx_027C0000_00001000:


%X`aaZX

msdcsc.exe_1780_rwx_02820000_00001000:


i .ma

msdcsc.exe_1780_rwx_02A30000_00002000:


.PR`f

msdcsc.exe_1780_rwx_02BB0000_00002000:


n%uPR`
l%uPRPR`a
a%uPR

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:980

2. Delete the original Backdoor file.
   
3. Delete or disinfect the following files created/modified by the Backdoor:
   

   %Documents and Settings%\All Users\Start Menu\MSDCSC\msdcsc.exe (9098 bytes)
   %System%\drivers\etc\hosts (31 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "MicroUpdate" = "%Documents and Settings%\All Users\Start Menu\MSDCSC\msdcsc.exe"

5. Remove the references to the Backdoor by modifying the following registry value(s) (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   "UserInit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Start Menu\MSDCSC\msdcsc.exe"

6. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
   127.0.0.1 localhost
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.