Win32.Expiro.Gen.4_0b9fb7e638
Win32.Expiro.Gen.5 (BitDefender), Virus.Win32.Expiro.dp (v) (VIPRE), Win32.Expiro.Gen.5 (B) (Emsisoft), Artemis!0B9FB7E6383E (McAfee), W32.Xpiro.I (Symantec), Win32.Expiro.Gen.5 (FSecure), Win32.Expiro.Gen.4 (AdAware), GenericInjector.YR, GenericPhysicalDrive0.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0b9fb7e6383e8379f45b3c4708f7bc01
SHA1: f6c9c7a6e0a8f8c2e4d160ef3c1bc937bfffedd6
SHA256: 5bb121669591dd44ba121dcf7f6e6dfdbaead6ea74d48a6bf7c67951e8babff0
SSDeep: 24576:b86RAVW9K5A6XXR3GsUGK0jmtuf1AsjhBkJcExX7OIuJR8gbATROBT4EGuc1Zgfd:o6RMW9KfXEGK0jmGqKA80gke4EGH1q
Size: 1826304 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-07-20 04:17:28
Analyzed on: Windows7 SP1 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1900
The Trojan injects its code into the following process(es):
lmi_rescue.exe:2932
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe.manifest (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe (23062 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\ra64app.exe (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe.manifest (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt (535 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll (203 bytes)
The Trojan deletes the following file(s):
C:\%original file name%.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\script (0 bytes)
The process lmi_rescue.exe:2932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log (14640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat (435 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt (7564 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log (418 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.info (248 bytes)
Registry activity
The process %original file name%.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe,"
The process lmi_rescue.exe:2932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\lmi_rescue_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\lmi_rescue_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
"TrapPollTimeMilliSecs" = "15000"
[HKLM\SOFTWARE\Microsoft\Tracing\lmi_rescue_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Classes\Applications\LMI_Rescue.exe]
"IsHostApp" = "Type: REG_SZ, Length: 0"
[HKLM\SOFTWARE\Microsoft\Tracing\lmi_rescue_RASAPI32]
"FileDirectory" = "%windir%\tracing"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*LogMeInRescue_822213477" = "C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe -runonce reboot"
Dropped PE files
| MD5 | File path |
|---|---|
| 928e635169f4377b12de10db270b102b | c:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe |
| 30e2c563287ea3548ed7e8558f3c657f | c:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll |
| 928e635169f4377b12de10db270b102b | c:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe |
| 1c7e3c43696c013db4c9bb140cb3169f | c:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\ra64app.exe |
| c3d5e1417410b7502f7c958c556fcd19 | c:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: LogMeIn, Inc.
Product Name: LogMeIn Rescue
Product Version: 7.7.404
Legal Copyright: Copyright (c) 2005-2015 LogMeIn, Inc. US patents pending.
Legal Trademarks:
Original Filename: LMIRescue.exe
Internal Name: Rescue
File Version: 7.7.404
File Description: LogMeIn Rescue
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 40112 | 40448 | 4.55481 | e79d154bd8614a1ab6e18248e679e6e5 |
| .rdata | 45056 | 20620 | 20992 | 3.25072 | b2966aa96d4c5d10b926ab245ef1347a |
| .data | 69632 | 12000 | 3584 | 1.60935 | dd37cc924da95ecbfd036cbdc8061142 |
| .rsrc | 81920 | 1502124 | 1502208 | 5.53316 | 1c2a02ad2be790ef6fbf98e6a4e1de90 |
| .reloc | 1585152 | 663552 | 258048 | 5.3761 | 081e6640805ad04e7555b7e4540f1df1 |
URLs
| URL | IP |
|---|---|
| hxxp://rescue.logmein.com.akadns.net/myrahost/list.aspx?weighed=1 | |
| secure.logmeinrescue.com | |
| control.app10-03.logmeinrescue.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Logmein.com/Join.me SSL Remote Control Access
ET POLICY Logmein.com Host List Download
Traffic
GET /myrahost/list.aspx?weighed=1 HTTP/1.0
Host: secure.logmeinrescue.com
Pragma: no-cache
Connection: Keep-Alive
User-Agent: Product=LogMeIn Rescue;Component=Applet;Version=7.7.404.1771;LMIOS=1051392;
Content-Length: 0
HTTP/1.1 200 OK
Cache-Control: public, max-age=9
Content-Type: text/html; charset=utf-8
Expires: Fri, 11 Aug 2017 21:04:52 GMT
Last-Modified: Fri, 11 Aug 2017 21:04:42 GMT
Vary: *
Server: Microsoft-IIS/8.5
X-UA-Compatible: IE=10
Date: Fri, 11 Aug 2017 21:04:43 GMT
Connection: keep-alive
Content-Length: 186

OK..79584 control.app10-03.logmein.com..78873 control.app10-01.logmein.com..78585 control.app10-04.logmein.com..78251 control.app10-02.logmein.com..77522 control.app10-05.logmein.com......
The Trojan connects to the servers at the following location(s):
Request: %S
Internet connection proxy: %S
%sRSCproxy.cfg
/Internet connection flags: 0xx
Internet connection auto proxy config script: %S
InternetQueryOption failed: %u
rApplyProxySettings autoConfig: %d, proxyList: %S, fallbackUrl: %S
GetAutoProxyForURL returned: %S
[%d] Closing previous connection.
Session is being transferred to another technician, aborting chat connection. (%s)
TC Session ID: %s
APOL_PROXYCREDENTIALS received: %d
message read successfully with length %d
broken pipe, other side disconnected, error:
\pipe\
security attributes are valid: %d
start pipe flushing
pipe flushed, result:
pipe disconnected, result:
chat.rtf
[%d] Init chat log "%s".
Failed to save chat log to "%s". %s
r%s%S.log
folder.txt
%s - %s
%ld Ë
%s [%d]
LSA context init failed. %s
DefaultPassword
LMIRDefaultPassword
Store OldPassword failed. %s
Retrieve stored pwd failed. %s
Store DefaultPassword failed. %s
AutoLogon - RestoreDefaultPassword
Retrieve old password failed. %s
Restore old password failed. %s
AutoLogon - IsDefaultPassword
AutoLogon - ReadDefaultPassword
LMIRPasswordExpiryWarning
PasswordExpiryWarning
"%s" -winlogon
WriteDefaultPassword failed. %s
DeleteDefaultPassword failed. %s
LogMeInRescue_WINLOGON_Password_Delete
%sInterface\{%s}{00020424-0000-0000-C000-000000000046}%sAppID\{%s}%sAppID\%s
AppID\%s
%sCLSID\{%s}RegisterTypeLib failed. %s
LoadTypeLib failed. %s
UnRegisterTypeLib failed. %s
ERR_INVALIDCERT
ERR_SSLCERTERROR
[Error: %s, URL: %s]
[Error: %s]
[URL: %s]
[%s : %s]%s
%s -elevated
ShellExecuteEx failed. %s
GetExitCodeProcess failed. %s
WaitForSingleObject failed. %s
Unable to open service control manager (error="%s")
CLoginAsAdmin::StopAndDeleteServices
Unable to enumerate service (error="%s")
Unable to open service (name="%s", error="%s")
Service (name="%s") stopped
Service (name="%s") deleted
Unable to delete service (name="%s", error="%s")
Unable to delete safe boot settings (%s)
OpenSCManager failed. %s
CLoginAsAdmin::CreateAndStartService
GetFileAttributes failed for %s. %s
Tcpip
ChangeServiceConfig failed. %s
CreateService failed. %s
Failed to set SafeBoot value. %s
Failed to create SafeBoot service key. %s
Failed to open SafeBoot key. %s
StartService failed. %s
"%s" -service -sid %S
"%s" -service
StartThread failed. %s
-regrunsvc -sid %S
%s %s -wd "%s"
ImpersonateLoggedOnUser failed. %s
LogonUser failed. %s
CreateProcessWithLogon failed. %s
CLoginAsAdmin::RunRegistrator
AdjustTokenPrivileges failed. %s
LookupPrivilegeValue failed. %s
-shellexec
LMI_Rescue.exe
LMI_Rescue_srv.exe
rc_params.txt
GUI:X
"%s"%s
Command: %s
CreateProcess failed. %s
m_CleanupMutex_%S
Global\m_CleanupMutex_%S
m_CleanupSemaphore_%S
Global\m_CleanupSemaphore_%S
Rescue Applet: %d.%d.%d.%d
Process ID: 0xX
WTS session ID: %u
OpenProcessToken failed. %s
eula.txt
http\shell\open\command
-new %s
Checking keyboard state...
Keyboard
Keyboard state check failed. %s
/S/C "%S"
%d%d_%d%d%d%d
nCallingCard.exe
Software\LogMeInRescueCallingCard%s%s
sComputer ID: %s (Generated)
Computer ID: %S
Lekh: %S
m_CheckThreadStopEvent_%d
m_CheckThreadEndEvent_%d
3A0E2FB8-7600-46EA-B011-B201F673744F
CECABE12-8E18-4E20-AD1A-4FA992612518
359471F8-E218-4b08-8D1E-8DFBF2F0F700
12BC4FF0-603E-4f21-9F53-F63FF34F6ED4
5B3541FF-D09F-432C-A15B-BDB0F9465A32
%s%S.dat
FM.Local
REBOOT.Normal
REBOOT.Hard
REBOOT.Safe
DEPLOY.Script
DEPLOY.CC
ACTION.OSInfo
ACTION.CPUInfo
ACTION.MemInfo
ACTION.DriveList
ACTION.ProcList
ACTION.AppList
ACTION.AutoRun
ACTION.TaskList
ACTION.SvcList
ACTION.SessToken
ACTION.DrvList
ACTION.EvtDash
ACTION.EvtDump
ACTION.EvtInfo
EVT.Application
EVT.System
EVT.Security
RC.VisualEffects
Language: %s
Script has been executed.
%s\%s
%s%s%s
Could not verify empty password... Asking user.
Cancelled setting logon password.
Password verification failed. (%s)
Logon password has been set for unattended reboot.
Could not set logon password.
%sRescueApplet%ddd
%s\LMI_Rescue.exe
%s\LMI_Rescue_srv.exe
%s\ra64app.exe
%s\rahook.dll
%s\rarcc.dll
%s\RescueWinRTLib.dll
%s\unattended.exe
%s\unlock.dll
%s\unlock64.dll
%s\rescue.ico
%s\logo.bmp
%s\rescue.info
%srescue.info
%sunattended.exe
%sunattended_srv.exe
%sunlock.dll
%sunlock64.dll
%sra64app.exe
%s\params2.txt
%sparams2.txt
%srescue.ico
unattended_srv.exe
%sexpiry.log
-registersvc -unattendedid %d
ReqStartUnattended registrator ret=%x
-registersvc -unattendedid %d
ReqStartUnattended CreateProcessW("%s",%s, ...)ReqStartUnattended CreateProcessW ret=%x
Unattended service registration exit code: %d
%s%S\
%Su.txx
%d.%d.%d.%d %s
g_pSif is available: %d
apol ipc comm id: %S
socket ipc server deserialization result: %s
LogMeInRescue.Dummy.SC_SCREENSAVE
%s: %s
WM_ENDSESSION wParam: %u, lParam: 0xx
SetProcessShutdownParameters failed. %s
Screen saver hook could not be initialized. %s.
3amlabs.net
Deactivating (%s)...
The session has been ended. (%d)
Name: %s; Domain: %s
LookupAccountSid failed. %s
GetTokenInformation failed. %s
======== STARTED %d.%d.%d.%d ========
======== STOPPED %d.%d.%d.%d ========
d[0xx] %S
cparams.txt
params2.txt
hXXp://%s
Backup Shell value not found. %s
Failed to open HKLM WinLogon key. %s
Assuming original shell is explorer.exe. %s
Execute shell "%s".
Failed to open WinLogon key. %s
Restart hook could not be uninitialized: %s
Restart hook could not be initialized. %s
RegisterServiceProcess failed. %s
\Looking for boot.ini on %S...
GetLogicalDriveStrings failed. %s
Could not locate or load boot.ini
WritePrivateProfileString failed. %s
GetFileAttributes failed on %S. %s
Not supported.
Failed to set Shell value. %s
boot.ini found at %S; OS: %S; current settings: %S
Wow64DisableWow64FsRedirection failed. %s
%s\bcdedit.exe %s
Wow64RevertWowFsRedirection failed. %s
Restart hook could not be initialized: %s
Restart hook could not be uninitialized. %s
cmd.exe
Could not retrieve system directory for shell. %s
command.com
Invalid shell "%s". %s
\%Su.txt
"%s" /S /C ""%s" >"%s" 2>&1"
"%s" /C ""%s" >"%s" 2>&1"
%s\%s.bat
Could not create temporary batch "%s". %s
"%s" /C ""%s""
%s -script "%s" "%s" "%s"
Executing script wrapper "%s".
CreateProcessInWTSession failed. (%s)
RunUnderProcess failed. (%s)
Executing script "%s".
CoInitalizeEx failed. %s
CoInitalizeSecurity failed. %s
AddOrDeleteRestartGUI failed. %s
.DEFAULT
Found user key: %s
RegOpenKeyEx(%s) failed. %s
RegEnumKeyEx(HKEY_USERS) failed. %s
Software\Microsoft\Windows NT\CurrentVersion\ProfileList
Found user hive: %s
ModifyUserHive failed. %s
RegEnumKeyEx(ProfileList) failed. %s
RegOpenKeyEx(ProfileList) failed. %s
Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
RegCreateKeyEx failed. %s
SetPriviliges failed. %s
SetPriviliges fialed. %s
*%s_%u
"%s" %s
RegSetValueEx failed. %s
RegDeleteValue failed (%s). %s
SetRestartValue failed. %s
Get profile path failed. %s
NTUSER.DAT
NTUSER.LMIRescue.TMP
Copy user hive failed. %s
Load user hive from temp failed. %s
Save modified hive failed. %s
Delete user hive failed. %s
RegOpenKeyEx failed. %s
Unload user hive failed. %s
Restore user hive failed. %s
LMIRescue_%s
LogMeIn Rescue (%s)
QueryServiceConfig failed. %s
StartServiceCtrlDispatcher failed. %s
DeleteService failed. %s
OpenService failed. %s
Service control request: %u - %s
RegisterServiceCtrlHandler failed. %s
session.log
0xx
REQ.CHATLOG
Session [x]
FILEXFER.Q.CANTOPEN
FILEXFER.Q.CANTLIST
FILEXFER.Q.CANTDEL
FILEXFER.Q.RMDIR
FILEXFER.Q.DELREADONLY
FILEXFER.Q.CANTRMDIR
FILEXFER.Q.DELFILE
FILEXFER.INVALIDPATH
FILEXFER.PATHTOOLONG
.FIELDS
ENUM.INDEX
ENUM.INDEX1
ENUM.INDEX0
ENUM.COUNT
ENUM.EVEN
ENUM.ODD
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
SOFTWARE\Microsoft\Windows\CurrentVersion\Time Zones
closest detected by matching fields to TZ %s
Software\Microsoft\Windows\DWM
%schatlog.dat
%s\%S
%sskin_default.xml
skin_default.lmirgbamap
skin_default.xml
*.rtf
*.txt
Hotkey (%s) registration succeeded.
CRescueUI::SetupHotkey
notepad.exe
Couldn`t save chat log! %s
%COUNT%
%DONE%
RICHED20.DLL
CreateInstance() failed (0x%x, %s)
CoCreateInstance failed. %s
GetRunningObjectTable failed. %s
__UNATTENDED__APP_MONIKER_%d_%d
CreateFileMoniker failed. %s
IRunningObjectTable::Register failed. %s
IRunningObjectTable::Revoke failed. %s
Thread: 0xx
CoRegisterClassObject failed. %s
CoRevokeClassObject failed. %s
Unable to get running object table (error="%s") %ld
Unable to create bind context (error="%s")
__UNATTENDED__SRV_MONIKER_%d
Unable to get COM interface (error="%s")
0C4DD08C-169A-4ae8-BBD4-AA8D5A398D56
"ra64app.exe" -p %ld -c %s
Failed to start gui launcher application. (%d)
Looking for [%s]...
Could not find executable [%s].
"%s" -gui -fontsize %d %s-sid %S
Cannot find shell "%s" in WTS Session %u.
WTSEnumerateProcesses failed. (%d)
"%s" -startgui
%sPID: 0xX
CreateEvent failed. %s
__RESCUE__SRV_MONIKER_%s_%d
%sLMI_Rescue.exe
C3B591B9-F663-4735-A908-D178DCFA38FC
6E3E7E55-C88E-4f28-B191-A6EC8801AB3B
__RESCUE__SRV_MONIKER_%s
Unable to get RescueSvcCom interface (error="%s")
__RESCUE__CLI_MONIKER_%s_%d
Active USER disconnected. PID: 0xX
WaitUser > Waiting for user login...
WaitUser > OUT [user object %sexists]
WTS console session changed to %u
Deactivating USER in WTS session %u.
USER timed out in WTS session %u.
Activating USER in WTS session %u, PID: 0xX.
Cannot activate USER in WTS session %u. %s
__RESCUE__CLI_MONIKER_%s
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
RUN.NAME
RUN.PATH
RUN.PARAMS
RUN.DESCRIPTION
RUN.LOCATION
RUN.TYPE
desktop.ini
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
CPU.NAME
CPU.CLOCK
CPU.COUNT
CPU.LEVEL
CPU.MODEL
CPU.STEPPING
CPU.USAGE
REQ.SCAN
DRIVE.NAME
DRIVE.TYPE
DRIVE.SCANNED
DRIVE.SIZE
DRIVE.FREE
DRIVE.FREEP
DRIVE.USEDP
DRIVE.ERROR
DRIVE.VOLUME
DRIVE.SERIAL
DRIVE.FSYS
DRIVE.ATTR
DRIVE.MAXN
DRIVES.SIZE
DRIVES.FREE
DRIVES.FREEP
DRIVES.USEDP
REQ.CNT
REQ.IDX
REQ.LOG
REQ.DEEP
EVENTS.OLDEST
EVENTS.NEWEST
PAGE.NUM
PAGE.IDX
PAGE.CURRENT
PAGE.HOME
PAGE.PREV
PAGE.NEXT
PAGE.LAST
PAGE.COUNT
REQ.EVTLOGSIZE
EVENT.LOGTYPE
EVENT.NEXT
EVENT.PREV
EVTLOG.NAME
EVTLOG.DISP
EVENT.INDEX
EVENT.ID
EVENT.RECORDID
EVENT.TYPE
EVENT.TIME
EVENT.LOGGED
EVENT.SOURCE
EVENT.COMPUTER
EVENT.CATEGORY
EVENT.MESSAGE
EVENT.MESSAGE.PRE
EVENT.USER
MEM.LOAD
MEMP.SIZE
MEMP.FREE
MEMP.FREEP
MEMP.USED
MEMP.USEDP
MEMC.SIZE
MEMC.FREE
MEMC.FREEP
MEMC.USED
MEMC.USEDP
Requesting operating system information.
SCREEN.WIDTH
SCREEN.HEIGHT
SCREEN.DEPTH
BIOS.VIDEO.DATE
BIOS.SYSTEM.VER
BIOS.SYSTEM.DATE
COMPUTER.NAME
COMPUTER.DESCR
OS.USER
USER.NAME
USER.WINS
%d.%d
OS.NAME
OS.VER
OS.BUILD
OS.CSD
SYSTEM\CurrentControlSet\Control\Session Manager\Executive
Software\Microsoft\Windows NT\CurrentVersion
OS.INSTALLED
OS.BOOTED
OS.TIME
BROWSER.EXE
BROWSER.DESCR
BROWSER.VERSION
REQ.DASH
REQ.USER
REQ.PASS
REQ.SORT
REQ.PROCLISTSIZE
PROC.PARENT
PROC.THREADS
PROC.HANDLES
PROC.DEPTH
PROC.CPUP
ntvdm.exe
PROC.ID
PROC.NAME
PROC.PATH
PROC.TYPE
PROC.VER
PROC.DESC
PROC.USER
PROC.PRIORITY
PROC.MEMORY
PROC.MEMORYP
PROC.PGFAULTS
PROC.WKSET
PROC.WKSETMAX
PROC.SWAP
PROC.SWAPMAX
PROC.TIMEC
PROC.TIME
PROC.TIMEK
PROC.TIMEU
PROC.CMDLINE
PROC.WORKDIR
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache
APP.NAME
APP.VERSION
APP.PUBLISHER
APP.UNINST
APP.ICON
APP.COMMENT
APP.README
APP.SIZE
APP.DIR
APP.DATE
APP.SRC
APP.URL.HELP
URLInfoAbout
APP.URL.ABOUT
URLUpdateInfo
APP.URL.UPDATE
APP.REG.FIRM
APP.REG.USER
APP.LASTUSED
APP.FREQ
TRIGGER.DAYS
TRIGGER.MONTHS
TRIGGER.INDEX
TRIGGER.STRING
TRIGGER.ENABLED
TRIGGER.SDATE
TRIGGER.SYEAR
TRIGGER.SMON
TRIGGER.SDAY
TRIGGER.EDATE
TRIGGER.EYEAR
TRIGGER.EMON
TRIGGER.EDAY
TRIGGER.HASENDDATE
TRIGGER.HH
TRIGGER.MM
TRIGGER.REPEAT
TRIGGER.DURATION
TRIGGER.DOREPEAT
TRIGGER.KILL
TRIGGER.TYPE
TRIGGER.INTERVAL
TRIGGER.WEEK
REQ.ENABLED
REQ.SYEAR
REQ.SMON
REQ.SDAY
REQ.HASENDDATE
REQ.EYEAR
REQ.EMON
REQ.EDAY
REQ.HH
REQ.MM
REQ.DOREPEAT
REQ.REPEAT
REQ.DURATION
REQ.KILL
REQ.TYPE
REQ.INTERVAL
REQ.DAY
REQ.MON
REQ.WEEK
TASK.STATUS
TASK.APP.NAME
TASK.APP.PATH
TASK.APP.ARGS
TASK.APP.DIR
TASK.APP.USER
TASK.APP.PASS
TASK.LASTRUN
TASK.NEXTRUN
TASK.EXITCODE
TASK.CREATOR
TASK.COMMENT
TASK.MAXTIME
TASK.ENABLED
TASK.DROPDONE
TASK.INTERACT
TASK.ONLYIFON
TASK.HIDDEN
TASK.IDLEONLY
TASK.IDLEKILL
TASK.BATTSKIP
TASK.BATTKILL
TASK.TRIGGERS
TASK.SCHEDULE
REQ.TASK
REQ.TASKLISTSIZE
TASK.NAME
TASK.SHORTNAME
Retrieving scheduled task "%s" details.
Creating scheduled task "%s".
REQ.PATH
REQ.ARGS
REQ.DIR
REQ.COMMENT
REQ.PASS2
REQ.MAXTIME
REQ.DROPDONE
REQ.INTERACT
REQ.ONLYIFON
REQ.HIDDEN
REQ.IDLEONLY
REQ.IDLEKILL
REQ.BATTSKIP
REQ.BATTKILL
Deleting scheduled task "%s".
REQ.TRIGGER
Retrieving trigger %u details from scheduled task "%s".
Updating trigger %u details on scheduled task "%s".
Deleting trigger %u from scheduled task "%s".
SERVICE.NAME
SERVICE.TYPE
SERVICE.WHAT
SERVICE.INTERACTIVE
SERVICE.STATUS
SERVICE.DISPLAY
SERVICE.PATH
SERVICE.USER
SERVICE.OBJECT
SERVICE.GROUP
SERVICE.START
SERVICE.ERRCTL
DEPENDENCY.NAME
DEPENDENCY.DISPLAY
DEPENDENT.NAME
DEPENDENT.DISPLAY
SERVICE.ACCEPT
SERVICE.PROCID
SERVICE.DESCR
REQ.SVC
REQ.WHAT
TOKEN.USER
GROUP.NAME
PRIVILEGE.ENABLED
PRIVILEGE.DEFAULT
PRIVILEGE.NAME
PRIVILEGE.DISPLAY
Connecting to %S on port %d...
Connected (SSL: %s).
Deleting - held for too long (time: %us, refcnt: %d).
SSL: %s, first %d bytes: 0xXXX
Error (in %s): %s
Assigned remote address: %S:%u
portfwd
websvc
natudpreq
httpdl
natudpto
Forward failed recv: %d/%d
Forward failed send: %d
Forward exit (%d)
Forward (reader) failed recv: %d
Forward (reader) failed send: %d/%d
Forward exit (reader) (%d)
Forward (reader) failed cbFwdOut: %d
Using proxy: %S
sent proxy header: %S %S HTTP/1.0
sent proxy header: Host: %S
sent proxy header: Content-Type: application/x-www-form-urlencoded; charset=utf-8
sent proxy header: Content-Length: %d
sent proxy content: %S
received proxy header: %S
RecvLine failed: %s
NTLM proxy authentication failed: %S
Failed to negotiate NTLM token: %s
Failed to prepare NTLM credentials: %s
Proxy Basic authentication protocol failed: %S
Unknown proxy authentication method. Currently only NTLM and Basic proxy authentication protocols are supported.
Proxy error HTTP %u.
received: %S
Could not connect through proxy %S:%d: %s
Takeover Connection ID: %u
Takeover socket registered: %s.
Certificate verification failed.
SSL cipher %S (%u bits) %S selected.
SSL session: %s, timeout is %d seconds
gSSL warning: %S (in %s).
SSL error: %S (in %s).
SSL failure: %S (in %s).
Cannot parse certificate %d. %s
i2d_X509 returned %d for certificate %d.
Cannot create temporary store for intermediate certificates. %s
Cannot add certificate %d to temporary store. %s
Chain verification failed. %s
Chain SSL server policy verification failed. %s
Chain SSL server policy verification failed at certificate %d. %s
Certificate chain verified, trust status: %x/%x.
Certificate chain verification failed, trust status: %x/%x.
%u: %s; trust %x/%x.
The end certificates do not match in the trusted/untrusted chains.
d2i_X509 failed for trusted certificate %d.
Cannot push certificate %d into trusted chain.
%u: %s
SSL certificate verified: %S
SSL cert error (%S): CA not known
SSL cert error (%S): cert not yet valid
SSL cert error (%S): illegal 'not before' field
SSL cert error (%S): cert expired
SSL cert error (%S): invalid 'not after' field
SSL cert error (%S): unable to get issuer cert locally
SSL cert error (%S): certificate untrusted
SSL cert error (%S): unknown error 0x%X: %S
Cipher list: %S
error setting preferred cipher list: %S
error looking up certificate: %s
error opening certificate store 0x%X/%s: %s
looking up certificate by subject: %s
looking up certificate by fingerprint: %s
Invalid command (%d) received. Disconnected.
Read directory contents of "%s".
Created directory "%s".
Renamed "%s" to "%s".
Removed directory "%s".
Deleted "%s".
Reading "%s" failed at %I64u (%u).
Reading "%s" failed at %I64u (internal protocol error).
Sending "%s" failed at %I64u (%u).
Sending "%s" was cancelled at position %I64u.
Sent "%s", %I64u bytes, started at %I64u.
Sent "%s", %I64u bytes.
Writing "%s" failed at %I64u (%u).
Writing "%s" failed at %I64u (protocol error).
Receiving "%s" was cancelled at position %I64u.
Received "%s", %I64u bytes, started at %I64u.
Received "%s", %I64u bytes.
Sent synchronization data of "%s".
Sending synchronization data of "%s" failed (%u).
Read "%s".
Reading of "%s" was cancelled.
Written "%s".
Writing of "%s" was cancelled.
Synchronized "%s".
Synchronization of "%s" failed (%u).
Cannot access directory "%s" (%u).
Reading "%s" failed (%u).
Remote error while creating "%s" (%s).
Creating of "%s" was cancelled.
Protocol error while creating "%s".
Error writing "%s" (%u).
Remote read error while writing "%s" (%s).
Protocol error while writing "%s".
Moving of "%s" was cancelled.
Copying of "%s" was cancelled.
Protocol error: invalid ACK (%d).
.Logger
%s%s%4.4d%2.2d%2.2d.log
Error %d while moving log file from [%s] to [%s]
c%s%s_%s%4.4d%2.2d%2.2d.log
%s.%s.%s
\\.\pipe\LogMeInRescue_rarc_r_%8.8x_%8.8x
\\.\pipe\LogMeInRescue_rarc_w_%8.8x_%8.8x
XTCP connected (SSL: %s).
xtcpConnect
xtcpListen
xtcpShutdown
xtcpClose
xtcpRecv
xtcpSend
xtcpAvailable
xtcpPeek
Concurrent I/O operation pending.
\\.\PhysicalDrive0
\\.\%c:
xxxxxx
Takeover socket cannot find base connection (%u).
Takeover socket found base connection (%u).
Connecting directly to %s:%u
Unsupported client option: %S
Passing control to remote control service...
lsm.exe
REMCTRL.NOPERMISSIONNEEDED
REMCTRL.WAITINGFORPERMISSION
REMCTRL.PERMISSIONGRANTED
REMCTRL.PERMISSIONDENIED
REMCTRL.ACCESSGRANTED_REMCTRL
REMCTRL.ACCESSGRANTED_VIEWONLY
REMCTRL.CONNECTMSG_PERMISSION
REMCTRL.CONNECTMSG_ACCESSGRANTED
REMCTRL.CONNECTMSG_ACCESSDENIED
REMCTRL.TIMEREMAINING
REMCTRL.BLANKDIALOGS.WARNING.LINE1
REMCTRL.BLANKDIALOGS.WARNING.LINE2
REMCTRL.BLANKDIALOGS.WARNING.LINE3
REMCTRL.BLANKDIALOGS.WARNING.LINE4
REMCTRL.BLANKDIALOGS.WARNING.LINE5
REMCTRL.BLANKDIALOGS.NOTFIXED.LINE1
REMCTRL.BLANKDIALOGS.LOOPBACK.LINE1
REMCTRL.BLANKDIALOGS.LOOPBACK.LINE2
REMCTRL.BLANKDIALOGS.INTERACT.LINE1
REMCTRL.BLANKDIALOGS.INTERACT.LINE2
REMCTRL.BLANKDIALOGS.FIXED.LINE1
REMCTRL.BLANKDIALOGS.WAIT.LINE1
REMCTRL.BLANKDIALOGS.BUTTONS.FIX
REMCTRL.BLANKDIALOGS.BUTTONS.IGNORE
REMCTRL.BLANKDIALOGS.BUTTONS.BLANKSCREEN
REMCTRL.BLANKDIALOGS.BUTTONS.OK
REMCTRL.ALLMONITORS
DIALOG.OK
DIALOG.CANCEL
DIALOG.YES
DIALOG.NO
DIALOG.DISCONNECT
RAGUI.GUESTINVITE.CONTROLDLG.LINE1
RAGUI.GUESTINVITE.CONTROLDLG.LINE2
RAGUI.GUESTINVITE.CONTROLDLG.LINE3
RAGUI.GUESTINVITE.CONTROLDLG.ALLOWDRAW
RAGUI.GUESTINVITE.ACCESSDLG.LINE1
RAGUI.GUESTINVITE.ACCESSDLG.LINE2
RAGUI.GUESTINVITE.ACCESSDLG.LINE3
REMCTRL.ONECLICK.LOGIN.TEXT
REMCTRL.ONECLICK.LOGIN.BUTTON
REMCTRL.ONECLICK.UNLOCK.TEXT
REMCTRL.ONECLICK.UNLOCK.BUTTON
REMCTRL.BLANKDIALOGS.KBDLOOPBACK.LINE1
REMCTRL.BLANKDIALOGS.KBDLOOPBACK.LINE2
REMCTRL.BLANKDIALOGS.BUTTONS.DISABLEINPUT
REMCTRL.NOTIFY.DISMISS
RAGUI.INPUTDISABLED.NOTIFY
RAGUI.SCREENBLANKED.NOTIFY
RAGUI.REMPRT.NOTIFY.SHORT
REMCTRL.SOUND.NOTIFY_CONNECTED
REMCTRL.RFS.NOTIFY_CONNECTED
REMCTRL.ONTHEFLY.CLIPBOARD
REMCTRL.ONTHEFLY.SCREENBLANK
REMCTRL.ONTHEFLY.INPUTBLOCK
REMCTRL.ONTHEFLY.PRINTING
RAGUI.GUESTINVITE.CONTROLDLG.ALLOWDND
RemoteControlReqWTS.tmp
%s.manifest
RC.exe
rahook.dll
RCComm: Starts. TechID=%x
RCComm: Loop starts. TechID=%x
RCComm: End loop because lead left session. TechID=%x
RCComm: LoopbackListen failed error: %s
RCComm: OpenRCConnectorMap(%d) hFileMap=%d
"%s" ra_rc multi %d %s
RCComm: before CreateProcessInWTSSession(%d, %s)
%s -shellexec "%s" ra_rc multi %d %s
RCComm: Could not elevate child process [%s], error: %s
RCComm: Could not spawn child process [%s], error: %s
RCComm: New connection TechID=%x NType=%x NParams=%x g_dwReferenceCounter=%d
RCComm: Spawned child process [%s]
Could not create RC mapping mutex: %d
RCComm: Could not map RC object: %d
RCComm: Could not create RC mapping object: %d
RCComm: Forwarding ended with %d
RCComm: RCSTOPREASON/20: %x
RCComm: Failed to get child process exit code, used 0x%x instead
RCComm: RCSTOPREASON/21: %x
RCComm: RCSTOPREASON/22: %x
RCComm: Child process exit code: 0x%x
RCComm: Failed to get child process exit code (g_hChildProcess: %p). %s
RCComm: RCSTOPREASON/23: %x
RCComm: Exit code: 0xx
logoutparams.txt
RCComm: Session state query failed, id:%d
RCComm: Session state check, id: %d connect state: %d
RCComm: Finish. TechID=%x dwExitCode=%x NType=%x bRunsAsService=%d
RCComm: Synchronizing before retry, TechID=%x, dwExitCode=%x, NType=%x g_dwReferenceCounter=%d g_hChildProcess=%x
RCComm: End synchronizing. TechID=%x
RCComm: Ended by TechID=%x
RCComm: Ended due to missin lead. TechID=%x
RCComm: RCSTOPREASON/24: %x
RCComm: Ended by error %d, TechID=%x
RCComm: Restart. TechID=%x
RCComm: Loop ended. TechID=%x
REMCTRL.PROCESSFAILED
RCComm: End for TechID=%x
RCComm: RCSTOPREASON/25: %x
RCComm: Lead left. TechID=%x
RCComm: RCSTOPREASON/26: %x
RCComm: RC exit because lead left. TechID=%x
windows-1257
windows-1258
windows-1250
windows-1251
windows-1252
windows-1253
windows-1254
windows-1255
windows-1256
%d.%2.2d.%4.4d.%4.4d
Looking for [%s] in session %u...
[%s] started in session %u with PID %u...
Looking for [%s] (processes count: %d)...
[%s] started with PID %u...
Allocing %d in %d (%p)
Writing %d from %p to %p
Error creating remote thread: %d
CRemoteMemException %d: %d
Error opening process: %d
esecurity.dll
Web Edition
Windows Preinstallation Environment
Event/System/Keywords
Monitor on display device %s - %s: %s - %s -%s - %s - flags %8.8x
Monitor found: %s (%s - %s) at (%d, %d) - (%d, %d), %s (0x%p)
%d. %s - %s
%d. %s
%d. Monitor
Client option: screen: %dx%d:%d
Cursor cache size: %d
g_nRetCode=%x
Connecting to port %d
Failed to connect to LogMeIn Rescue. Error: %d
Socket buffer size is %d
Console control: %s
Could not set console handler: %d
Could not set shutdown parameters: %d
InitDesktop failed: %d
Failed to load rahook.dll. Error: %d
dFailed to start clipboard thread. Error: %d
Sent clipboard in format 0x%x, size %d / %d
biBitCount.....: %d
biClrImportant.: %d
biClrUsed......: %d
biCompression..: %d
biHeight.......: %d
biPlanes.......: %d
biSize.........: %d
biSizeImage....: %d
biWidth........: %d
biXPelsPerMeter: %d
biYPelsPerMeter: %d
Could not create DC on [%s]
AUTO image quality switching to %s
Init (%s) on %s
Could not create DC on [%s], code %d
Bypass DC created on [%s]
RGB(%d): %8.8x %8.8x %8.8x
Could not allocate %s screen, code %d
Driver does not support DDCAPS_CANBLTSYSMEM
lPitch: %d, lpSurface: 0x%p, dwWidth: %d, dwHeight: %d, dwRGBBitCount: %d
SetCooperativeLevel failed with 0x%8.8x
WM_DISPLAYCHANGE: %d, %dx%d
Reconnecting to WTS session %d. Reinitializing remote control.
RCSTOPREASON/1: %x
winlogon.exe
RCSTOPREASON/2: %x
Could not create bandwidth mapping: %d
Could not open bandwidth mapping: %d
Could not create bandwidth mutex: %d
Client requests quality scale %d
Client requests CPU limit %d
Received a clipboard with format 0x%x, size: %d / %d
Client is requesting slow link mode (reported BPS was %d)
Client is requesting fast link (reported BPS was %d)
Client is requesting %s quality
Client is requesting %s keyboard
Notification TechID:%x Type:%x Params: %x
dOS build # unsupported: %d
csrss.exe
Can't find csrss, error %d
ecsrsrv.dll
Thread failed: %d
RunRemoteThread failed: %d
Exception caught! Exception code: %u
WTSShadow
_RAWTSRegisterNotification failed. %s
Received msg: %s in %8.8x on session %8.8x
RCSTOPREASON/10: %x
RCSTOPREASON/11: %x
RCSTOPREASON/12: %x
RCSTOPREASON/13: %x
RCSTOPREASON/14: %x
rahook9x.dll
LMIRhook.%3.3d.dll
LMIRhook.???.dll
Failed to created inactive bitmap (%dx%d). %s
Releasing stuck key %2.2x
KeyboardHelper isn't initialized. %s error.
KeyboardEv
Skipping (0): %s: 0x%8.8x = %d, 0x%8.8x = %d
KeyboardEv UC
Skipping (1): %s: 0x%8.8x = %d, 0x%8.8x = %d
Skipping (2): %s: 0x%8.8x = %d, 0x%8.8x = %d
Skipping (3): %s: 0x%8.8x = %d, 0x%8.8x = %d
Client requested a display change to %dx%d (%d bits) on device %s. The change was %ssuccessful. (%d)
Client requested a display change to %d bits, 640x480 forced. The change was successful.
Client requested a display change to %dx%d at 4 bits, 8 bits forced. The change was successful.
Display change return code is %d.
Current settings - %dx%d (%d bits, %dHz) - remain in effect.
Previous display settings (%dx%d, %d bits, %dHz) written to registry.
Previous display settings could not be written to registry, return code 0x%x.
CHAT:%s:%s
Error %d opening then clipboard
Sending client clipboard in format 0x%x, size %d / %d
Could not get clipboard data, error: %d
\\.\DISPLAY
Quality set to %d
LogProcessStates: Session state query failed, sid:%d
LogProcessStates: ProtocolType query failed, sid:%d
FindProcessWithActiveClient(0) dwSessionToFind: %8.8x process: "%s"
WTSSupport
FindProcessWithActiveClient(1): ppi[d].pProcessName=".16s" .pid=0xx .sid=d
FindProcessWithActiveClient(2): sid=d ConnectState: %d ProtocolType=%d
FindProcessWithActiveClient(3): Pid=%x sid=%d
FindProcessWithActiveClient(4): Pid=%x sid=%d
CreateProcessInWTSSession(0) dwRequestedSession: %8.8x, Process: %s
CreateProcessInWTSSession(2) Winlogon.exe: %8.8x in session: %8.8x
CreateProcessInWTSSession(3) Failed to find Winlogon.exe
CreateProcessInWTSSession(4) Session: %8.8x, Winlogon.exe: %8.8x, Process: %s
Could not open Winlogon %8.8x token: %d
Could not open Winlogon %8.8x: %d
Failed DuplicateTokenEx: %s
Could not query process token: %s
Could not adjust process token for session %8.8x: %s
Could not open process token: %d
Spawned process in session %d Process: %s
Could not create process in session %d: %s Process: %s
Error creating vanilla process: %s
Error in %s. %s
%u.%u.%u.%u
%u.%u.%u
(0xX)
Operation timed out.
The requested operation is not supported on the object.
System reboot is required to complete the operation.
The stream has already an operation in progress.
SSL transport failure.
Certificate not trusted.
Certificate name mismatch.
Certificate status is not accessible.
u-u-u u:u:u.u - %s%s%s%s%s%s%s -
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\
hXXps://secure.logmeinrescue.com/Customer/Survey.aspx?ticket=11ee7e4c-5df4-44ce-95cb-639eb73810bd&source=applet
params.txt
hXXps://secure.logmeinrescue.com/Customer/ReportAbuse.aspx?code=29527&source=applet
LMIRescue_11ee7e4c-5df4-44ce-95cb-639eb73810bd
mi_rescue.exe
"SKIN_DEFAULT.XML"
"SKIN_DEFAULT.LMIRGBAMAP"
Please enter your Windows password, save all open documents and click OK to allow.
7.7.404
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1900
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\LMI_Rescue_srv.exe.manifest (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\ra64app.exe (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe.manifest (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\params.txt (535 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\RescueWinRTLib.dll (128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.ico (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\logo.bmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rahook.dll (203 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.log (14640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\chatlog.dat (435 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\session.log (418 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\rescue.info (248 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*LogMeInRescue_822213477" = "C:\Users\"%CurrentUserName%"\AppData\Local\LogMeIn Rescue Applet\LMIR0001.tmp\lmi_rescue.exe -runonce reboot"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.