Trojan.Ranapama.QH_97d7721dbb

by malwarelabrobot on November 16th, 2016 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Ranapama.QH (B) (Emsisoft), Trojan.Ranapama.QH (AdAware), Backdoor.Win32.Kelihos.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 97d7721dbb8fbd73f8ae7f311a8d097e
SHA1: 94329793f1b03bf1da997a43ce778511688bfa30
SHA256: 92ecb2bda20056d5f4a2e13d65a22bc00db55edf22713ec2680c385ab1636b76
SSDeep: 24576:GR6DFzT6nmgdFckq7QVlFc42qYVlyo28UWK/oKr7SwO3:GRWFzT6nmgn6KFcLlt2N/nnXO3
Size: 1088718 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: ??????????? ???????????, 2007-2009
Created at: 2016-08-30 09:47:37
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2388

The Trojan injects its code into the following process(es):

%original file name%.exe:3756

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3756 makes changes in the file system.
The Trojan deletes the following file(s):

C:\tmp.exe (0 bytes)

Registry activity

The process %original file name%.exe:3756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"PersistentLocalizedName" = "CB 80 F9 7F 7A C3 FC 0E F6 7E A0 8B 42 6E 01 E3"

[HKCU\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth]
"SizeCompletedValid" = "DJY7KDPoc/oVtJRc9oN4FOMkdfmGYFppJuXlhrypwpK/ dPX45YzHbssAJKhkCTd4A=="

[HKCU\Software\Microsoft\Internet Explorer\Main]
"FlagsModifiedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"LineLoadedQuick" = "DJY7KDPoc/oVtJRc9oN4FOMkdfmGYFppJuXlhrypwpK/ dPX45YzHbssAJKhkCTd4A=="

[HKCU\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth]
"ActiveModifiedTheme" = "CB 80 F9 7F 87 4B 60 C2 74 B3 B3 82 72 FD A4 F1"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"RecordModifiedMax" = "DJY7KDPoc/oVtJRc9oN4FOMkdfmGYFppJuXlhrypwpK/ dPX45YzHbssAJKhkCTd4A=="

[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"PlatformCompressedValid" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\IMEJP\10.0\MSIME\AutoCharWidth]
"InfoPlayedCurrent" = "00 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"DefaultCompressedRecord" = "CB 80 F9 7F 73 9F E0 46 95 A3 28 3B C1 D6 98 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70]
"DBSavedUse" = "A2 49 4D F3 D9 1E 9F 88 01 01 08 6A 00 03 F0 01"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetworkVerifyer" = "c:\%original file name%.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5
.text | 4096 | 31702 | 32768 | 3.91422 | a96a92f1a22e13bd2c0af1ba7fe5f9b1
.rdata | 36864 | 3049 | 4096 | 2.00797 | 4a1086f51662afdd4df41418207d4f34
.data | 40960 | 578 | 4096 | 0.408055 | 8e6a72b4b0d290351b41a709e1559045
.idata | 45056 | 3047 | 4096 | 2.98493 | f5ea46144d39649285d28d773d90b776
.rsrc | 49152 | 2272 | 4096 | 1.31578 | 79a23282f3d88f822b407b79f1ae280f
.reloc | 53248 | 1853 | 4096 | 2.21907 | 915194c4e62a60b03de6669744081d07

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 11

URLs

URL IP
hxxp://14.172.154.71/index.htm


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32/Kelihos.F Checkin

Traffic


The Trojan connects to the servers at the following location(s):

%original file name%.exe_3756:

Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Can't terminate a sub-expression with an alternation operator |.
A regular expression can start with the alternation operator |.
Alternation operators are not allowed inside a DEFINE block.
More than one alternation operator | was encountered inside a conditional expression.
A repetition operator cannot be applied to a zero-width assertion.
Invalid alternation operators within (?...) block.
The \c and \C escape sequences are not supported by POSIX basic regular expressions: try the Perl syntax instead.
Found a closing repetition operator } with no corresponding {.
The repeat operator "+" cannot start a regular expression.
The repeat operator "?" cannot start a regular expression.
The repeat operator "*" cannot start a regular expression.
right-curly-bracket
left-curly-bracket
0123456789
Unmatched quantified repeat operator { or \{.
Invalid preceding regular expression prior to repetition operator.
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
boost::filesystem::directory_iterator::operator++
Visual C++ CRT: Not enough memory to complete call to strerror.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
USER32.DLL
login
Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/14.0 Opera/12.0
Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00
Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14
Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14
Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; da-dk) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; chromeframe/12.0.742.112)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/1.22 (compatible; MSIE 10.0; Windows 3.1)
Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 5.0; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0
Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130401 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130328 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130401 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130330 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0
Mozilla/5.0 (Windows NT 6.2; rv:21.0) Gecko/20130326 Firefox/21.0
Mozilla/5.0 (X11; Linux i686; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20130331 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20130405 Firefox/22.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1464.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36
Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Acoo Browser 1.98.744; .NET CLR 3.5.30729)
asio.misc
asio.misc error
thread.entry_event
thread.exit_event
255.255.255.255
0.0.0.0
127.0.0.1
%d.%m.%Y %H:%M:%S
%a, %d %b %Y %H:%M:%S GMT
<4,$?7/'
(3-!0,1'8"5.*2$
.text
h.rdata
H.data
.rsrc
B.reloc
DriverEntry: TCP-IP not found, quitting.
DriverEntry: Adapters not found in the registry, try to copy the bindings of TCP-IP.
DriverEntry: OS Version: %d.%d
Device %d = %ws
Status of %x querying key value
Status of %x querying key value for size
OpenKey Failed, %d!
Key name=%ws
Status of %x opening %ws
Mac %u = %ws
Tcpip bind value not REG_MULTI_SZ but %u
Querying key value result len = %u but previous len = %u
IoCreateDevice status = %x
NPF_IoControl: BIOCQUERYOID completed, BytesWritten = %u
NPF_IoControl: Bogus return from NdisRequest (query): Bytes Written (%u) > InfoBufferLength (%u)!!
NPF_IoControl: BIOCSETOID completed, BytesRead = %u
NPF_IoControl: Error installing the BPF filter. The filter contains TME extensions, not supported on 64bit platforms.
NPF_IoControl: Operative instructions=%u
KeGetCurrentIrql() == PASSIVE_LEVEL
e:\releases\winpcap_4_1_0_1753\winpcap\packetntx\driver\openclos.c
NPF_Open: Opened Instances: %u
NPF_Open: Opened the device, Status=%x
NPF_Cleanup: Opened Instances: %u
Received on CPU %d
HeaderBufferSize=%u, LookAheadBuffer=%p, LookaheadBufferSize=%u, PacketSize=%u
NPF_Write: Max frame size = %u, packet size = %u
NPF_Write: Another Send operation is in progress, aborting.
NPF: BufferedWrite, UserBuff=%p, Size=%u
e:\releases\winpcap_4_1_0_1753\winpcap\packetntx\driver\bin\i386\npf.pdb
ZwQueryValueKey
ZwEnumerateKey
ZwOpenKey
ntoskrnl.exe
HAL.dll
NDIS.SYS
0$0)02090
hXXp://ocsp.verisign.com0
"hXXp://crl.verisign.com/tss-ca.crl0
Thawte Certification1
0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0
.Class 3 Public Primary Certification Authority0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,
hXXps://VVV.verisign.com/rpa01
hXXp://crl.verisign.com/pca3.crl0
.Class 3 Public Primary Certification Authority
/hXXp://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0?
3hXXp://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
n.aAHu
`.rdata
@.data
@.reloc
L$.Qf
mscoree.dll
.mixcrt
KERNEL32.DLL
kernel32.dll
@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.110.2.2 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.168.2.10 2008-10-06 15:38:39 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/pcap.c,v 1.112.2.12 2008-09-22 20:16:01 guy Exp $ (LBL)
4.1.1
WinPcap version %s, based on %s
WinPcap version %s (packet.dll version %s), based on %s
@(#) $Header: /tcpdump/master/libpcap/pcap-win32.c,v 1.34.2.8 2008-05-21 22:11:26 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/optimize.c,v 1.90.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/nametoaddr.c,v 1.82.2.1 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/inet.c,v 1.75.2.4 2008-04-20 18:19:24 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.99.2.2 2007/11/18 02:04:55 guy Exp $ (LBL)
$$$88$$$8
"#-./0123
@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/fad-win32.c,v 1.15 2007/09/25 20:34:36 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/etherent.c,v 1.23 2006/10/04 18:09:22 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_image.c,v 1.27.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf/net/bpf_filter.c,v 1.45.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_dump.c,v 1.14.4.1 2008/01/02 04:22:16 guy Exp $ (LBL)
%u %u %u %u
{ 0x%x, %d, %d, 0xx },
[x   %d]
#0x%x
4*([%d]&0xf)
M[%d]
(d) %-8s %-16s jt %d
jf %d
(d) %-8s %s
malloc: %s
PacketGetAdapterNames: %s
pcap_compile cannot generate filters for a TurboCap port when the PPI linktype is used.
unknown data link type %d
unsupported protocol over mpls
IEEE 802.15.4 link-layer type filtering not implemented
'tcp' modifier applied to %s
'sctp' modifier applied to %s
'udp' modifier applied to %s
'icmp' modifier applied to %s
'igmp' modifier applied to %s
'igrp' modifier applied to %s
'pim' modifier applied to %s
'vrrp' modifier applied to %s
'icmp6' modifier applied to %s
'ah' modifier applied to %s
'esp' modifier applied to %s
'esis' modifier applied to %s
'isis' modifier applied to %s
'clnp' modifier applied to %s
'stp' modifier applied to %s
'netbeui' modifier applied to %s
'radio' modifier applied to %s
'ip' modifier applied to ip6 %s
'rarp' modifier applied to ip6 %s
'arp' modifier applied to ip6 %s
'decnet' modifier applied to ip6 %s
unknown ip proto '%s'
unknown ether proto '%s'
unknown osi proto '%s'
'protochain' not supported with 802.11
unsupported proto to gen_protochain
'udp proto' is bogus
'tcp proto' is bogus
unknown network '%s'
unknown ether host '%s'
unknown FDDI host '%s'
unknown token ring host '%s'
unknown 802.11 host '%s'
unknown Fibre Channel host '%s'
only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name
unknown host '%s'
unknown host '%s'%s
illegal qualifier of 'port'
unknown port '%s'
port '%s' is tcp
port '%s' is sctp
port '%s' is udp
illegal qualifier of 'portrange'
unknown port in range '%s'
port in range '%s' is tcp
port in range '%s' is sctp
port in range '%s' is udp
'gateway' not supported in this configuration
unknown protocol: %s
non-network bits set in "%s mask %s"
non-network bits set in "%s/%d"
invalid ip6 address %s
%s resolved to multiple address
mask length must be <= %u
ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel
unsupported index operation
IPv6 upper-layer protocol is not supported by proto[x]
only link-layer/IP broadcast filters supported
link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel
inbound/outbound not supported on linktype %d
libpcap was compiled without pf support
libpcap was compiled on a machine without pf support
802.11 link-layer types supported only on 802.11
frame direction supported only with 802.11 headers
aid supported only on ARCnet
no VLAN support for data link type %d
no MPLS support for data link type %d
'vpi' supported only on raw ATM
'vci' supported only on raw ATM
'callref' supported only on raw ATM
'metac' supported only on raw ATM
'bcc' supported only on raw ATM
'oam4sc' supported only on raw ATM
'oam4ec' supported only on raw ATM
'sc' supported only on raw ATM
'ilmic' supported only on raw ATM
'lane' supported only on raw ATM
'llc' supported only on raw ATM
'fisu' supported only on MTP2
'lssu' supported only on MTP2
'msu' supported only on MTP2
'sio' supported only on SS7
sio value %u too big; max value = 255
'opc' supported only on SS7
opc value %u too big; max value = 16383
'dpc' supported only on SS7
dpc value %u too big; max value = 16383
'sls' supported only on SS7
sls value %u too big; max value = 15
'oam' supported only on raw ATM
'oamf4' supported only on raw ATM
'connectmsg' supported only on raw ATM
'metaconnect' supported only on raw ATM
'port' modifier applied to ip host
'portrange' modifier applied to ip host
%d-%d
%d.%d
malformed decnet address '%s'
decnet name support not included, '%s' cannot be translated
%s for block-local relative jump: off=%d
malloc() failed: %s
%s '%s' %s
Error when listing files: does folder '%s' exist?
%s '%s' %s %s
[%[1234567890:.]]:%[^/]/%s
[%[1234567890:.]]/%s
%[^/:]:%[^/]/%s
%[^/]/%s
Source type not supported
getaddrinfo() %s
(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
TcApi.dll
TcQueryPortList
TcFreePortList
TcPortGetName
TcPortGetDescription
TcPacketsBufferCreate
TcPacketsBufferDestroy
TcPacketsBufferQueryNextPacket
TcPacketsBufferCommitNextPacket
Error opening TurboCap adapter: %s
Error enabling reception on a TurboCap instance: %s
Error setting the read timeout a TurboCap instance: %s
Getting the non blocking status is not available for TurboCap ports
Setting the non blocking status is not available for TurboCap ports
send error: the TurboCap API does not support packets larger than 64k
send error: TcPacketsBufferCreate failure: %s (x)
send error: TcInstanceTransmitPackets failure: %s (x)
send error: TcPacketsBufferCommitNextPacket failure: %s (x)
read error, TcInstanceReceivePackets failure: %s (x)
read error, TcPacketsBufferQueryNextPacket failure: %s (x)
TurboCap error setting the mintocopy: %s (x)
Mode %u not supported by TurboCap devices. TurboCap only supports capture.
TurboCap error in TcInstanceQueryStatistics: %s (x)
TurboCap error in TcStatisticsQueryValue: %s (x)
setfilter, unable to install the filter: %s
PacketGetStats error: %s
Error opening adapter: %s
Cannot determine the network type: %s
Error calling PacketSetMinToCopy: %s
Driver error: cannot set bpf filter: %s
PacketSetReadTimeout: %s
IEEE 802.15.4 with non-ASK PHY data
Bluetooth HCI UART transport layer plus pseudo-header
IEEE 802.15.4
IEEE 802.15.4 with Linux padding
Bluetooth HCI UART transport layer
Juniper Passive Monitor PIC
can't perform operation on activated capture
%s: %s
%s is not one of the DLTs supported by this device
DLT %d is not one of the DLTs supported by this device
That device doesn't support promiscuous mode
That device doesn't support monitor mode
That operation is supported only in monitor mode
Unknown error: %d
Sending packets isn't supported on savefiles
Setting direction is not supported on savefiles
error reading dump file: %s
truncated dump file; tried to read %u captured bytes, only got %lu
Can't write to %s: %s
%s: link-layer type %d isn't supported in savefiles
bogus IPv6 address %s
bogus ethernet address %s
illegal token: %s
illegal char '%c'
%sUnable to get the exact error message
%s%s (code %d)
%s (code %d)
Is the server properly installed on %s? connect() failed: %s
getaddrinfo(): socket type not supported
getaddrinfo(): multicast addresses are not valid when using TCP streams
Cannot retrieve the extended statistics from a file or a TurboCap port
PacketGetStatsEx error: %s
Cannot transmit a queue to an offline capture or to a TurboCap port
Impossible to set user buffer while reading from a file or on a TurboCap port
Error: invalid size %d
live dump needs a physical interface supported by the NPF driver
wrong interface type. A physical interface supported by the NPF driver is needed
e:\releases\winpcap_4_1_0_1753\winpcap\wpcap\PRJ\Release\x86\wpcap.pdb
WS2_32.dll
packet.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
wpcap.dll
Export
system32\drivers\NPF.sys
SYSTEM\CurrentControlSet\Services\%s
\\.\%s
\\.\Global\%s
npp\ndisnpp.dll
e:\releases\winpcap_4_1_0_1753\winpcap\packetNtx\Dll\Project\Release\x86\Packet.pdb
VERSION.dll
NPPTools.dll
iphlpapi.dll
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
CryptoMaterial: this object does not support precomputation
GeneratableCryptoMaterial: this object does not support key/parameter generation
PK_MessageEncodingMethod: this signature scheme does not support message recovery
/index.html
HTTP/1.1
text/html; charset=windows-1251
<p>The requested URL
HTTP/1.1
Clean up all keys.
Use next keys:
REG keys[
Use REG keys:
Gen new port key!
Gen new job key!
Gen new list key!
/dev/index.html
No i key:
No m key:
No p key:
No j key:
No r key:
Err in ID key: decr:
Err in ID key: check
Err in ID key: invalid
goloduha.info
Check Compromzed REG key:
Compromzed REG key:
C:\boost\include\boost-1_47\boost/exception/detail/exception_ptr.hpp
Keys3
Appkey
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
webscanx
hkcmd
firefox
em_exec
CrashReport
\tmp.exe
*.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mozilla/5.0 (Windows; U; Windows NT
; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17
SMTP:
%d.%d.%d.%d
!#$%&'*+-/=?^_`{|}~
.in-addr.arpa
: Maximum attempts exeeded
%s, %d %s %d d:d:d %cdd
dddddd
ddddd
x.8lx$.8lx$x@%s
----=_NextPart_d_X_.8lX..8lX
password
F/c "start Í%\
&& %windir%\explorer Í%\
%SystemRoot%\system32\shell32.dll
npf.sys
Packet.dll
( tcp dst port 21 ) or ( tcp dst port 110 ) or ( tcp dst port 25 )
smtp
pop3_smtp
HostPassword
HostPort
32BitFtp.ini
0003DFTP
3D-FTP
sites.ini
\3D-FTP
Password
Port
port
QData.dat
ESTdb2.dat
\Estsoft\ALFTP
TYPE = SFTP
sftp
SET PASS
bitkinex.ds
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
Software\FlashPeak\BlazeFtp\Settings
*.dat
*.bps
Software\BPFTP
Chrome
PTF://
origin_url
password_value
logins
SQLite format 3
Web Data
Login Data
Google\Chrome
ChromePlus
Nichrome
MapleStudio\ChromePlus
browser.yandex
Software\ChromePlus
_Password
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
FtpDescription
Software\NCH Software\ClassicFTP\FTPAccounts
FTP destination server
FTP destination user
FTP destination password
FTP destination catalog
FTP destination port
FTP profiles
Software\FTPWare\COREFTP\Sites
ftps
CSMFTPItem
sm.dat
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
user.config
*.duck
Nickname
sites.xml
DeluxeFTP
FTP-Now
FTPNow
FTP Now
LOGIN
PASSWORD
PORT
*.oxc
*.oll
ftplast.osd
EasyFTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
\Plugins\FTP\Hosts
\SavedDialogHistory\FTPHost
FTPList.db
DefaultPassword
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Server.Port
Server.Pass
Server.User
Server.Host
Last Server Port
Last Server Pass
Sites.dat
Quick.dat
History.dat
ServerPass
SharedSettings.ccs
SharedSettings_1_0_5.ccs
SharedSettings.sqlite
SharedSettings_1_0_5.sqlite
FreshFTP
*.SMF
FtpSite.xml
QuickFtp
FTP Commander
usessh
ftplist.txt
FTP Navigator
*.prf
FTP CONTROL
Login
PasswordType
CFTPToolBarComboBoxButton
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
ftpx
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
RushSite.xml
\FTPRush
FTPShell
ftpshell.fsi
servers.xml
\FTPGetter
server_user_password
server_port
SM.arch
GoFTP
Goftp Rocks 91802sfaiolpqikeu39
Connections.txt
MS IE FTP Passwords
pstorec.dll
advapi32.dll
sites.dat
unleap.exe
\LeapWare\LeapFTP
LeechFTP Bookmark File.
bookmark.dat
Software\LeechFTP
LeechFTP
LINASFTP1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
Software\LinasFTP\Site Manager
Mozilla
nss3.dll
PK11_GetInternalKeySlot
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_prepare
sqlite3_step
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
mozsqlite3.dll
sqlite3.dll
sqlite3_open
signons.sqlite
signons.txt
signons2.txt
signons3.txt
\profiles.ini
PathToExe
Mozilla\Firefox
Firefox
Software\Mozilla
SeaMonkey
Mozilla\SeaMonkey
Mozilla\Profiles
remote password
remote port
My FTP
project.ini
klfhuw%$#%fgjlvf
NDSites.ini
FTP++.Link\shell\open\command
*.fpl
xxx.xiles.net
ftpsite.ini
NppFTP.xml
nppftp
MasterPass
user_pass
host_port
SQLite3
bmk_ftp
NovaFTP.db
\INSoftware\NovaFTP
SiteInfo.QFP
PortNumber
SOFTWARE\Robo-FTP 3.8\FTPServers
SOFTWARE\Robo-FTP 3.7\FTPServers
S:"Password"
D:"Transfer Port"
*.ini
*.xml
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\SmartFTP
Favorites.dat
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
Staff-FTP
C87BC961-AAF9-11d2-8A80-0080ADB32FF4
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
\Whisper Technology\FTP Surfer
TurboFTP@
TurboFTP@usa.net
turboPTF@
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
PassWord
Software\South River Technologies\WebDrive\Connections
Software\Cryer\WebSitePublisher
WinFTP
your.name@your.server.com
FTPServers.Servers1_FTPServers
_PassWord
_Port
wiseftpsrvs.bin
wiseftpsrvs.ini
wisePTF.ini
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
WS_FTP
\win.ini
Ipswitch\WS_FTP
Software\Ghisler\Windows Commander
\Windows Commander
\wcx_PTF.ini
FtpIniName
*.xfp
FAR Manager FTP
Windows/Total Commander
TurboFTP
WebSitePublisher
SoftX FTP Client
LeapFTP
32bit FTP
FTP Control
CuteFTP
FFFTP
Core FTP
WebDrive
Classic FTP
FTP Explorer
SmartFTP
FreeFTP/DirectFTP
FTPRush
FTPGetter
ALFTP
3DFTP
XFTP
TFTPInfo
MyFTP
NovaFTP
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
crypt32.dll
%Documents and Settings%
\Application Data\Bitcoin\wallet.dat
C:\Users
\AppData\Roaming\Bitcoin\wallet.dat
GetKeyboardState
SetKeyboardState
KeySize
: this object does't support a special last block
NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes
: this object doesn't support multiple channels
is not a valid key length
InvertibleRSAFunction: computational error during private key operation
TF_SignerBase: this algorithm does not support messsage recovery or the key is too short
TF_SignerBase: the recoverable message part is too long for the given key and algorithm
for this key
: this key is too short to encrypt any messages
for this public key
PK_Signer: key too short for this signature scheme
operation failed with error
?#%X.y
.?AVwindows_file_codecvt@@
zcÁ
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$sp_ms_deleter@V?$connection@Vhttp_simple_client@http@net_utils@@@net_keys@@@detail@boost@@
.?AV?$typeid_wrapper@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AVmoniker_helper@monkeys@@
.?AVmonkey_swap_nibbles@monkeys@@
.?AVmonkey_xor@monkeys@@
.?AVmonkey_running_xor@monkeys@@
.?AVmonkey_swap@monkeys@@
.?AVmonkey_reverse@monkeys@@
.?AVmonkey_roll_n@monkeys@@
.?AVmonkey_bits_pack@monkeys@@
.?AVmonkey_wave@monkeys@@
.?AV?$bind_t@_NV?$mf4@_NVhttp_simple_client@http@net_utils@@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@HII@_mfi@boost@@V?$list5@U?$arg@$00@boost@@V?$value@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@_bi@2@V?$value@H@42@V542@V542@@_bi@3@@_bi@boost@@
.?AV?$bind_t@_NV?$mf2@_NV?$proxy@Vhttp_simple_client@http@net_utils@@@net_keys@@II@_mfi@boost@@V?$list3@V?$value@PAV?$proxy@Vhttp_simple_client@http@net_utils@@@net_keys@@@_bi@boost@@V?$value@I@23@V423@@_bi@3@@_bi@boost@@
.?AV?$typeid_wrapper@V?$socket_acceptor_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AV?$typeid_wrapper@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@
.?AV?$bind_t@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$cmf0@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@Vreg_keys_holder@reg_win@@@_mfi@boost@@V?$list1@U?$arg@$00@boost@@@_bi@5@@_bi@boost@@
.?AV?$bind_t@_NP6A_NAAVholder_key@reg_win@@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVparser_holder@ftp_locker@ftp_parser@@@ZV?$list3@U?$arg@$00@boost@@U?$arg@$01@2@V?$value@Vparser_holder@ftp_locker@ftp_parser@@@_bi@2@@_bi@boost@@@_bi@boost@@
.?AV?$bind_t@_NP6A_NAAVholder_key@reg_win@@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@11ABVparser_holder@ftp_locker@ftp_parser@@@ZV?$list5@U?$arg@$00@boost@@U?$arg@$01@2@V?$value@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@_bi@2@V452@V?$value@Vparser_holder@ftp_locker@ftp_parser@@@52@@_bi@boost@@@_bi@boost@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.?AVPublicKeyAlgorithm@CryptoPP@@
.?AVPrivateKeyAlgorithm@CryptoPP@@
.?AVPrivateKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPrivateKey@CryptoPP@@@CryptoPP@@
.?AVPKCS8PrivateKey@CryptoPP@@
.?AVPublicKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPublicKey@CryptoPP@@@CryptoPP@@
.?AVX509PublicKey@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.PAVRSAFunction@CryptoPP@@
.PAVInvertibleRSAFunction@CryptoPP@@
.PBVPrimeSelector@CryptoPP@@
.?AVInvalidKeyLength@PK_SignatureScheme@CryptoPP@@
.?AVKeyTooShort@PK_SignatureScheme@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$00$0BAA@$00$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@VARC4_Base@Weak1@CryptoPP@@V123@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@VARC4_Base@Weak1@CryptoPP@@V123@@CryptoPP@@VARC4_Base@Weak1@2@@CryptoPP@@
c:\%original file name%.exe
CreateIoCompletionPort
GetWindowsDirectoryA
GetSystemWindowsDirectoryA
RegQueryInfoKeyA
RegCreateKeyExA
RegEnumKeyExA
MapVirtualKeyA
HttpOpenRequestA
HttpSendRequestA
InternetCrackUrlA
HttpQueryInfoA
.reloc
DNSAPI.dll
IPHLPAPI.DLL
MSWSOCK.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
WININET.dll
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Linkage
npf.sys (NT5/6 x86) Kernel Driver
4.1.0.1753
wpcap.dll Dynamic Link Library - based on libpcap 1.0rel0b branch (20091008)
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
TcpIp
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
drivers\NPF.sys
airpcap.dll
\StringFileInfo\xx\FileVersion
PACKET.DLL
packet.dll (NT5) Dynamic Link Library
abe2869f-9b47-4cd9-a358-c22904dba7f7

%original file name%.exe_3756_rwx_00400000_0E2F4000:

Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Can't terminate a sub-expression with an alternation operator |.
A regular expression can start with the alternation operator |.
Alternation operators are not allowed inside a DEFINE block.
More than one alternation operator | was encountered inside a conditional expression.
A repetition operator cannot be applied to a zero-width assertion.
Invalid alternation operators within (?...) block.
The \c and \C escape sequences are not supported by POSIX basic regular expressions: try the Perl syntax instead.
Found a closing repetition operator } with no corresponding {.
The repeat operator " " cannot start a regular expression.
The repeat operator "?" cannot start a regular expression.
The repeat operator "*" cannot start a regular expression.
right-curly-bracket
left-curly-bracket
0123456789
Unmatched quantified repeat operator { or \{.
Invalid preceding regular expression prior to repetition operator.
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
boost::filesystem::directory_iterator::operator  
Visual C   CRT: Not enough memory to complete call to strerror.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
USER32.DLL
login
Mozilla/5.0 (Windows NT 5.1) Gecko/20100101 Firefox/14.0 Opera/12.0
Opera/9.80 (Windows NT 5.1; U; zh-sg) Presto/2.9.181 Version/12.00
Opera/9.80 (Windows NT 6.1; U; es-ES) Presto/2.9.181 Version/12.00
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14
Mozilla/5.0 (Windows NT 6.0; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.14
Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; da-dk) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; de-at) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
Mozilla/5.0 (iPad; CPU OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko ) Version/5.1 Mobile/9B176 Safari/7534.48.3
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13  (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; chromeframe/12.0.742.112)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; Media Center PC 6.0; InfoPath.3; MS-RTC LM 8; Zune 4.7)
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 7.1; Trident/5.0)
Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)
Mozilla/1.22 (compatible; MSIE 10.0; Windows 3.1)
Mozilla/4.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 10.0; Macintosh; Intel Mac OS X 10_7_3; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 5.0; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130331 Firefox/21.0
Mozilla/5.0 (Windows NT 5.1; rv:21.0) Gecko/20130401 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130328 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20130401 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130330 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130331 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20130401 Firefox/21.0
Mozilla/5.0 (Windows NT 6.2; rv:21.0) Gecko/20130326 Firefox/21.0
Mozilla/5.0 (X11; Linux i686; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:21.0) Gecko/20130331 Firefox/21.0
Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20130405 Firefox/22.0
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1464.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1467.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1468.0 Safari/537.36
Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.2 Safari/537.36
Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0; FunWebProducts)
Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; Acoo Browser 1.98.744; .NET CLR 3.5.30729)
asio.misc
asio.misc error
thread.entry_event
thread.exit_event
255.255.255.255
0.0.0.0
127.0.0.1
%d.%m.%Y %H:%M:%S
%a, %d %b %Y %H:%M:%S GMT
<4,$?7/'
(3-!0,1'8"5.*2$
.text
h.rdata
H.data
.rsrc
B.reloc
DriverEntry: TCP-IP not found, quitting.
DriverEntry: Adapters not found in the registry, try to copy the bindings of TCP-IP.
DriverEntry: OS Version: %d.%d
Device %d = %ws
Status of %x querying key value
Status of %x querying key value for size
OpenKey Failed, %d!
Key name=%ws
Status of %x opening %ws
Mac %u = %ws
Tcpip bind value not REG_MULTI_SZ but %u
Querying key value result len = %u but previous len = %u
IoCreateDevice status = %x
NPF_IoControl: BIOCQUERYOID completed, BytesWritten = %u
NPF_IoControl: Bogus return from NdisRequest (query): Bytes Written (%u) > InfoBufferLength (%u)!!
NPF_IoControl: BIOCSETOID completed, BytesRead = %u
NPF_IoControl: Error installing the BPF filter. The filter contains TME extensions, not supported on 64bit platforms.
NPF_IoControl: Operative instructions=%u
KeGetCurrentIrql() == PASSIVE_LEVEL
e:\releases\winpcap_4_1_0_1753\winpcap\packetntx\driver\openclos.c
NPF_Open: Opened Instances: %u
NPF_Open: Opened the device, Status=%x
NPF_Cleanup: Opened Instances: %u
Received on CPU %d
HeaderBufferSize=%u, LookAheadBuffer=%p, LookaheadBufferSize=%u, PacketSize=%u
NPF_Write: Max frame size = %u, packet size = %u
NPF_Write: Another Send operation is in progress, aborting.
NPF: BufferedWrite, UserBuff=%p, Size=%u
e:\releases\winpcap_4_1_0_1753\winpcap\packetntx\driver\bin\i386\npf.pdb
ZwQueryValueKey
ZwEnumerateKey
ZwOpenKey
ntoskrnl.exe
HAL.dll
NDIS.SYS
0$0)02090
hXXp://ocsp.verisign.com0
"hXXp://crl.verisign.com/tss-ca.crl0
Thawte Certification1
0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0
.Class 3 Public Primary Certification Authority0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,
hXXps://VVV.verisign.com/rpa01
hXXp://crl.verisign.com/pca3.crl0
.Class 3 Public Primary Certification Authority
/hXXp://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0?
3hXXp://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
n.aAHu
`.rdata
@.data
@.reloc
L$.Qf
mscoree.dll
.mixcrt
KERNEL32.DLL
kernel32.dll
@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.110.2.2 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.168.2.10 2008-10-06 15:38:39 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/pcap.c,v 1.112.2.12 2008-09-22 20:16:01 guy Exp $ (LBL)
4.1.1
WinPcap version %s, based on %s
WinPcap version %s (packet.dll version %s), based on %s
@(#) $Header: /tcpdump/master/libpcap/pcap-win32.c,v 1.34.2.8 2008-05-21 22:11:26 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/optimize.c,v 1.90.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/nametoaddr.c,v 1.82.2.1 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/inet.c,v 1.75.2.4 2008-04-20 18:19:24 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.99.2.2 2007/11/18 02:04:55 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/fad-win32.c,v 1.15 2007/09/25 20:34:36 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/etherent.c,v 1.23 2006/10/04 18:09:22 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_image.c,v 1.27.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf/net/bpf_filter.c,v 1.45.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_dump.c,v 1.14.4.1 2008/01/02 04:22:16 guy Exp $ (LBL)
%u %u %u %u
{ 0x%x, %d, %d, 0xx },
[x   %d]
#0x%x
4*([%d]&0xf)
M[%d]
(d) %-8s %-16s jt %d
jf %d
(d) %-8s %s
malloc: %s
PacketGetAdapterNames: %s
pcap_compile cannot generate filters for a TurboCap port when the PPI linktype is used.
unknown data link type %d
unsupported protocol over mpls
IEEE 802.15.4 link-layer type filtering not implemented
'tcp' modifier applied to %s
'sctp' modifier applied to %s
'udp' modifier applied to %s
'icmp' modifier applied to %s
'igmp' modifier applied to %s
'igrp' modifier applied to %s
'pim' modifier applied to %s
'vrrp' modifier applied to %s
'icmp6' modifier applied to %s
'ah' modifier applied to %s
'esp' modifier applied to %s
'esis' modifier applied to %s
'isis' modifier applied to %s
'clnp' modifier applied to %s
'stp' modifier applied to %s
'netbeui' modifier applied to %s
'radio' modifier applied to %s
'ip' modifier applied to ip6 %s
'rarp' modifier applied to ip6 %s
'arp' modifier applied to ip6 %s
'decnet' modifier applied to ip6 %s
unknown ip proto '%s'
unknown ether proto '%s'
unknown osi proto '%s'
'protochain' not supported with 802.11
unsupported proto to gen_protochain
'udp proto' is bogus
'tcp proto' is bogus
unknown network '%s'
unknown ether host '%s'
unknown FDDI host '%s'
unknown token ring host '%s'
unknown 802.11 host '%s'
unknown Fibre Channel host '%s'
only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name
unknown host '%s'
unknown host '%s'%s
illegal qualifier of 'port'
unknown port '%s'
port '%s' is tcp
port '%s' is sctp
port '%s' is udp
illegal qualifier of 'portrange'
unknown port in range '%s'
port in range '%s' is tcp
port in range '%s' is sctp
port in range '%s' is udp
'gateway' not supported in this configuration
unknown protocol: %s
non-network bits set in "%s mask %s"
non-network bits set in "%s/%d"
invalid ip6 address %s
%s resolved to multiple address
mask length must be <= %u
ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel
unsupported index operation
IPv6 upper-layer protocol is not supported by proto[x]
only link-layer/IP broadcast filters supported
link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel
inbound/outbound not supported on linktype %d
libpcap was compiled without pf support
libpcap was compiled on a machine without pf support
802.11 link-layer types supported only on 802.11
frame direction supported only with 802.11 headers
aid supported only on ARCnet
no VLAN support for data link type %d
no MPLS support for data link type %d
'vpi' supported only on raw ATM
'vci' supported only on raw ATM
'callref' supported only on raw ATM
'metac' supported only on raw ATM
'bcc' supported only on raw ATM
'oam4sc' supported only on raw ATM
'oam4ec' supported only on raw ATM
'sc' supported only on raw ATM
'ilmic' supported only on raw ATM
'lane' supported only on raw ATM
'llc' supported only on raw ATM
'fisu' supported only on MTP2
'lssu' supported only on MTP2
'msu' supported only on MTP2
'sio' supported only on SS7
sio value %u too big; max value = 255
'opc' supported only on SS7
opc value %u too big; max value = 16383
'dpc' supported only on SS7
dpc value %u too big; max value = 16383
'sls' supported only on SS7
sls value %u too big; max value = 15
'oam' supported only on raw ATM
'oamf4' supported only on raw ATM
'connectmsg' supported only on raw ATM
'metaconnect' supported only on raw ATM
'port' modifier applied to ip host
'portrange' modifier applied to ip host
%d-%d
%d.%d
malformed decnet address '%s'
decnet name support not included, '%s' cannot be translated
%s for block-local relative jump: off=%d
malloc() failed: %s
%s '%s' %s
Error when listing files: does folder '%s' exist?
%s '%s' %s %s
[%[1234567890:.]]:%[^/]/%s
[%[1234567890:.]]/%s
%[^/:]:%[^/]/%s
%[^/]/%s
Source type not supported
getaddrinfo() %s
(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
TcApi.dll
TcQueryPortList
TcFreePortList
TcPortGetName
TcPortGetDescription
TcPacketsBufferCreate
TcPacketsBufferDestroy
TcPacketsBufferQueryNextPacket
TcPacketsBufferCommitNextPacket
Error opening TurboCap adapter: %s
Error enabling reception on a TurboCap instance: %s
Error setting the read timeout a TurboCap instance: %s
Getting the non blocking status is not available for TurboCap ports
Setting the non blocking status is not available for TurboCap ports
send error: the TurboCap API does not support packets larger than 64k
send error: TcPacketsBufferCreate failure: %s (x)
send error: TcInstanceTransmitPackets failure: %s (x)
send error: TcPacketsBufferCommitNextPacket failure: %s (x)
read error, TcInstanceReceivePackets failure: %s (x)
read error, TcPacketsBufferQueryNextPacket failure: %s (x)
TurboCap error setting the mintocopy: %s (x)
Mode %u not supported by TurboCap devices. TurboCap only supports capture.
TurboCap error in TcInstanceQueryStatistics: %s (x)
TurboCap error in TcStatisticsQueryValue: %s (x)
setfilter, unable to install the filter: %s
PacketGetStats error: %s
Error opening adapter: %s
Cannot determine the network type: %s
Error calling PacketSetMinToCopy: %s
Driver error: cannot set bpf filter: %s
PacketSetReadTimeout: %s
IEEE 802.15.4 with non-ASK PHY data
Bluetooth HCI UART transport layer plus pseudo-header
IEEE 802.15.4
IEEE 802.15.4 with Linux padding
Bluetooth HCI UART transport layer
Juniper Passive Monitor PIC
can't perform operation on activated capture
%s: %s
%s is not one of the DLTs supported by this device
DLT %d is not one of the DLTs supported by this device
That device doesn't support promiscuous mode
That device doesn't support monitor mode
That operation is supported only in monitor mode
Unknown error: %d
Sending packets isn't supported on savefiles
Setting direction is not supported on savefiles
error reading dump file: %s
truncated dump file; tried to read %u captured bytes, only got %lu
Can't write to %s: %s
%s: link-layer type %d isn't supported in savefiles
bogus IPv6 address %s
bogus ethernet address %s
illegal token: %s
illegal char '%c'
%sUnable to get the exact error message
%s%s (code %d)
%s (code %d)
Is the server properly installed on %s? connect() failed: %s
getaddrinfo(): socket type not supported
getaddrinfo(): multicast addresses are not valid when using TCP streams
Cannot retrieve the extended statistics from a file or a TurboCap port
PacketGetStatsEx error: %s
Cannot transmit a queue to an offline capture or to a TurboCap port
Impossible to set user buffer while reading from a file or on a TurboCap port
Error: invalid size %d
live dump needs a physical interface supported by the NPF driver
wrong interface type. A physical interface supported by the NPF driver is needed
e:\releases\winpcap_4_1_0_1753\winpcap\wpcap\PRJ\Release\x86\wpcap.pdb
WS2_32.dll
packet.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
wpcap.dll
> >$>(>,>
Export
system32\drivers\NPF.sys
SYSTEM\CurrentControlSet\Services\%s
\\.\%s
\\.\Global\%s
npp\ndisnpp.dll
e:\releases\winpcap_4_1_0_1753\winpcap\packetNtx\Dll\Project\Release\x86\Packet.pdb
VERSION.dll
NPPTools.dll
iphlpapi.dll
RegOpenKeyExW
RegCloseKey
RegEnumKeyW
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
: this object doesn't support resynchronization
StreamTransformation: this object doesn't support random access
CryptoMaterial: this object does not support precomputation
GeneratableCryptoMaterial: this object does not support key/parameter generation
PK_MessageEncodingMethod: this signature scheme does not support message recovery
/index.html
HTTP/1.1
text/html; charset=windows-1251
<p>The requested URL
HTTP/1.1
Clean up all keys.
Use next keys:
REG keys[
Use REG keys:
Gen new port key!
Gen new job key!
Gen new list key!
/dev/index.html
No i key:
No m key:
No p key:
No j key:
No r key:
Err in ID key: decr:
Err in ID key: check
Err in ID key: invalid
goloduha.info
Check Compromzed REG key:
Compromzed REG key:
C:\boost\include\boost-1_47\boost/exception/detail/exception_ptr.hpp
Keys3
Appkey
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
webscanx
hkcmd
firefox
em_exec
CrashReport
\tmp.exe
*.exe
explorer.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Mozilla/5.0 (Windows; U; Windows NT
; rv:1.9.2.17) Gecko/20110420 Firefox/3.6.17
SMTP:
%d.%d.%d.%d
!#$%&'* -/=?^_`{|}~
.in-addr.arpa
: Maximum attempts exeeded
%s, %d %s %d d:d:d %cdd
dddddd
ddddd
x.8lx$.8lx$x@%s
----=_NextPart_d_X_.8lX..8lX
password
F/c "start Í%\
&& %windir%\explorer Í%\
%SystemRoot%\system32\shell32.dll
npf.sys
Packet.dll
( tcp dst port 21 ) or ( tcp dst port 110 ) or ( tcp dst port 25 )
smtp
pop3_smtp
HostPassword
HostPort
32BitFtp.ini
0003DFTP
3D-FTP
sites.ini
\3D-FTP
Password
Port
port
QData.dat
ESTdb2.dat
\Estsoft\ALFTP
TYPE = SFTP
sftp
SET PASS
bitkinex.ds
LastPassword
LastPort
BlazeFtp
site.dat
\BlazeFtp
Software\FlashPeak\BlazeFtp\Settings
*.dat
*.bps
Software\BPFTP
Chrome
PTF://
origin_url
password_value
logins
SQLite format 3
Web Data
Login Data
Google\Chrome
ChromePlus
Nichrome
MapleStudio\ChromePlus
browser.yandex
Software\ChromePlus
_Password
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
FtpDescription
Software\NCH Software\ClassicFTP\FTPAccounts
FTP destination server
FTP destination user
FTP destination password
FTP destination catalog
FTP destination port
FTP profiles
Software\FTPWare\COREFTP\Sites
ftps
CSMFTPItem
sm.dat
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
CUTEFTP
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
user.config
*.duck
Nickname
sites.xml
DeluxeFTP
FTP-Now
FTPNow
FTP Now
LOGIN
PASSWORD
PORT
*.oxc
*.oll
ftplast.osd
EasyFTP
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
\Plugins\FTP\Hosts
\SavedDialogHistory\FTPHost
FTPList.db
DefaultPassword
Software\Sota\FFFTP
Software\Sota\FFFTP\Options
Server.Port
Server.Pass
Server.User
Server.Host
Last Server Port
Last Server Pass
Sites.dat
Quick.dat
History.dat
ServerPass
SharedSettings.ccs
SharedSettings_1_0_5.ccs
SharedSettings.sqlite
SharedSettings_1_0_5.sqlite
FreshFTP
*.SMF
FtpSite.xml
QuickFtp
FTP Commander
usessh
ftplist.txt
FTP Navigator
*.prf
FTP CONTROL
Login
PasswordType
CFTPToolBarComboBoxButton
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Software\FTP Explorer\Profiles
ftpx
Software\MAS-Soft\FTPInfo\Setup
ServerList.xml
\FTPInfo
RushSite.xml
\FTPRush
FTPShell
ftpshell.fsi
servers.xml
\FTPGetter
server_user_password
server_port
SM.arch
GoFTP
Goftp Rocks 91802sfaiolpqikeu39
Connections.txt
MS IE FTP Passwords
pstorec.dll
advapi32.dll
sites.dat
unleap.exe
\LeapWare\LeapFTP
LeechFTP Bookmark File.
bookmark.dat
Software\LeechFTP
LeechFTP
LINASFTP1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
Software\LinasFTP\Site Manager
Mozilla
nss3.dll
PK11_GetInternalKeySlot
sqlite3_close
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_prepare
sqlite3_step
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
mozsqlite3.dll
sqlite3.dll
sqlite3_open
signons.sqlite
signons.txt
signons2.txt
signons3.txt
\profiles.ini
PathToExe
Mozilla\Firefox
Firefox
Software\Mozilla
SeaMonkey
Mozilla\SeaMonkey
Mozilla\Profiles
remote password
remote port
My FTP
project.ini
klfhuw%$#%fgjlvf
NDSites.ini
FTP  .Link\shell\open\command
*.fpl
xxx.xiles.net
ftpsite.ini
NppFTP.xml
nppftp
MasterPass
user_pass
host_port
SQLite3
bmk_ftp
NovaFTP.db
\INSoftware\NovaFTP
SiteInfo.QFP
PortNumber
SOFTWARE\Robo-FTP 3.8\FTPServers
SOFTWARE\Robo-FTP 3.7\FTPServers
S:"Password"
D:"Transfer Port"
*.ini
*.xml
Msi.dll
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
\SmartFTP
Favorites.dat
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
Staff-FTP
C87BC961-AAF9-11d2-8A80-0080ADB32FF4
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
\Whisper Technology\FTP Surfer
TurboFTP@
TurboFTP@usa.net
turboPTF@
Software\TurboFTP
\TurboFTP
addrbk.dat
quick.dat
PassWord
Software\South River Technologies\WebDrive\Connections
Software\Cryer\WebSitePublisher
WinFTP
your.name@your.server.com
FTPServers.Servers1_FTPServers
_PassWord
_Port
wiseftpsrvs.bin
wiseftpsrvs.ini
wisePTF.ini
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
WS_FTP
\win.ini
Ipswitch\WS_FTP
Software\Ghisler\Windows Commander
\Windows Commander
\wcx_PTF.ini
FtpIniName
*.xfp
FAR Manager FTP
Windows/Total Commander
TurboFTP
WebSitePublisher
SoftX FTP Client
LeapFTP
32bit FTP
FTP Control
CuteFTP
FFFTP
Core FTP
WebDrive
Classic FTP
FTP Explorer
SmartFTP
FreeFTP/DirectFTP
FTPRush
FTPGetter
ALFTP
3DFTP
XFTP
TFTPInfo
MyFTP
NovaFTP
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
crypt32.dll
%Documents and Settings%
\Application Data\Bitcoin\wallet.dat
C:\Users
\AppData\Roaming\Bitcoin\wallet.dat
GetKeyboardState
SetKeyboardState
KeySize
: this object does't support a special last block
NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes
: this object doesn't support multiple channels
is not a valid key length
InvertibleRSAFunction: computational error during private key operation
TF_SignerBase: this algorithm does not support messsage recovery or the key is too short
TF_SignerBase: the recoverable message part is too long for the given key and algorithm
for this key
: this key is too short to encrypt any messages
for this public key
PK_Signer: key too short for this signature scheme
operation failed with error
?#%X.y
.?AVwindows_file_codecvt@@
zcÁ
.PAV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
.?AV?$sp_ms_deleter@V?$connection@Vhttp_simple_client@http@net_utils@@@net_keys@@@detail@boost@@
.?AV?$typeid_wrapper@V?$stream_socket_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AVmoniker_helper@monkeys@@
.?AVmonkey_swap_nibbles@monkeys@@
.?AVmonkey_xor@monkeys@@
.?AVmonkey_running_xor@monkeys@@
.?AVmonkey_swap@monkeys@@
.?AVmonkey_reverse@monkeys@@
.?AVmonkey_roll_n@monkeys@@
.?AVmonkey_bits_pack@monkeys@@
.?AVmonkey_wave@monkeys@@
.?AV?$bind_t@_NV?$mf4@_NVhttp_simple_client@http@net_utils@@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@HII@_mfi@boost@@V?$list5@U?$arg@$00@boost@@V?$value@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@_bi@2@V?$value@H@42@V542@V542@@_bi@3@@_bi@boost@@
.?AV?$bind_t@_NV?$mf2@_NV?$proxy@Vhttp_simple_client@http@net_utils@@@net_keys@@II@_mfi@boost@@V?$list3@V?$value@PAV?$proxy@Vhttp_simple_client@http@net_utils@@@net_keys@@@_bi@boost@@V?$value@I@23@V423@@_bi@3@@_bi@boost@@
.?AV?$typeid_wrapper@V?$socket_acceptor_service@Vtcp@ip@asio@boost@@@asio@boost@@@detail@asio@boost@@
.?AV?$typeid_wrapper@V?$resolver_service@Vtcp@ip@asio@boost@@@ip@asio@boost@@@detail@asio@boost@@
.?AV?$bind_t@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$cmf0@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@Vreg_keys_holder@reg_win@@@_mfi@boost@@V?$list1@U?$arg@$00@boost@@@_bi@5@@_bi@boost@@
.?AV?$bind_t@_NP6A_NAAVholder_key@reg_win@@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@ABVparser_holder@ftp_locker@ftp_parser@@@ZV?$list3@U?$arg@$00@boost@@U?$arg@$01@2@V?$value@Vparser_holder@ftp_locker@ftp_parser@@@_bi@2@@_bi@boost@@@_bi@boost@@
.?AV?$bind_t@_NP6A_NAAVholder_key@reg_win@@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@11ABVparser_holder@ftp_locker@ftp_parser@@@ZV?$list5@U?$arg@$00@boost@@U?$arg@$01@2@V?$value@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@_bi@2@V452@V?$value@Vparser_holder@ftp_locker@ftp_parser@@@52@@_bi@boost@@@_bi@boost@@
.?AUNoChannelSupport@BufferedTransformation@CryptoPP@@
.?AVInvalidKeyLength@CryptoPP@@
.?AVPublicKeyAlgorithm@CryptoPP@@
.?AVPrivateKeyAlgorithm@CryptoPP@@
.?AVPrivateKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPrivateKey@CryptoPP@@@CryptoPP@@
.?AVPKCS8PrivateKey@CryptoPP@@
.?AVPublicKey@CryptoPP@@
.?AV?$ASN1CryptoMaterial@VPublicKey@CryptoPP@@@CryptoPP@@
.?AVX509PublicKey@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$0BA@$0CA@$07$03$0A@@CryptoPP@@
.?AVSimpleKeyingInterface@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@V?$TwoBases@VBlockCipher@CryptoPP@@URijndael_Info@2@@CryptoPP@@V12@@CryptoPP@@V12@@CryptoPP@@
.PAVRSAFunction@CryptoPP@@
.PAVInvertibleRSAFunction@CryptoPP@@
.PBVPrimeSelector@CryptoPP@@
.?AVInvalidKeyLength@PK_SignatureScheme@CryptoPP@@
.?AVKeyTooShort@PK_SignatureScheme@CryptoPP@@
.?AV?$VariableKeyLength@$0BA@$00$0BAA@$00$03$0A@@CryptoPP@@
.?AV?$SimpleKeyingInterfaceImpl@VARC4_Base@Weak1@CryptoPP@@V123@@CryptoPP@@
.?AV?$AlgorithmImpl@V?$SimpleKeyingInterfaceImpl@VARC4_Base@Weak1@CryptoPP@@V123@@CryptoPP@@VARC4_Base@Weak1@2@@CryptoPP@@
c:\%original file name%.exe
CreateIoCompletionPort
GetWindowsDirectoryA
GetSystemWindowsDirectoryA
RegQueryInfoKeyA
RegCreateKeyExA
RegEnumKeyExA
MapVirtualKeyA
HttpOpenRequestA
HttpSendRequestA
InternetCrackUrlA
HttpQueryInfoA
.reloc
DNSAPI.dll
IPHLPAPI.DLL
MSWSOCK.dll
OLEAUT32.dll
PSAPI.DLL
SHELL32.dll
USER32.dll
WININET.dll
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Linkage
npf.sys (NT5/6 x86) Kernel Driver
4.1.0.1753
wpcap.dll Dynamic Link Library - based on libpcap 1.0rel0b branch (20091008)
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
TcpIp
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
drivers\NPF.sys
airpcap.dll
\StringFileInfo\xx\FileVersion
PACKET.DLL
packet.dll (NT5) Dynamic Link Library
abe2869f-9b47-4cd9-a358-c22904dba7f7
5.1.0.0333
DTAgent.exe

taskhost.exe_992:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
ole32.dll
OLEAUT32.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
USER32.dll
RPCRT4.dll
d:\w7rtm\admin\wmi\jobs\ubpmlibs\comtaskhost\comtaskapi.cpp
The likely culprit task is stuck on the same stack with %S.
d:\w7rtm\admin\wmi\jobs\ubpmlibs\closewinapp\closewinapp.cpp
Invalid parameter passed to C runtime function.
taskhost.pdb
_wcmdln
_amsg_exit
InitOnceExecuteOnce
SetProcessShutdownParameters
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
ntdll.dll
GetProcessHeap
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
bStartComTask() --> h=0x%x ret=%d
StopComTask(0x%x) --> ret=%d
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
ComTaskMgrWnd(0x%x)::ShutdownTasksWorker()
wComTaskMgrWnd(0x%x)::Shutdown(%ws)
gCleanupSet()::Remove(0x%x)
wComTaskHost(0x%x)::WaitForTaskStartCompletion() --> 0x%x
ComTaskHost(0x%x)::WaitForTaskStartCompletion()
ComTaskHost(0x%x)::%ws() --> ReleaseLifetimeRef(this)
ComTaskHost(0x%x)::StopTaskWorker() --> 0x%x
ComTaskHost(0x%x)::StopTaskWorker()
ComTaskHost(0x%x)::Shutdown()
ComTaskHost(0x%x)::HandleReportingState(0x%x) --> 0x%x
ComTaskHost(0x%x): UbpmReportTaskStatus(0x%x) --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> 0x%x
ITaskHandler::Start(0x%x,"%ws") --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> ITaskHandler(0x%x)::Start(0x%x,"%ws")
ComTaskHost(0x%x)::StartTaskWorker()
ComTaskHost(0x%x)::Stop --> 0x%x
ComTaskHost(0x%x)::Stop - CreateThread failed with 0x%x
StartTaskThread(0x%x) bailed out because of shutdown
ComTaskHost(0x%x)::~ComTaskHost()
ComTaskHost(0x%x)::Start --> 0x%x
ComTaskHost(0x%x)::TaskCompleted() skipped because of shutdown
ComTaskHost(0x%x)::TaskCompleted(0x%x)
ComTaskHost(0x%x)::AddRef -> m_cRef = %d
ComTaskHost(0x%x)::Release -> m_cRef = %d
WinAppTerminator: found wnd 0x%x for pid %d.
WinAppTerminator: forced WM_CLOSE sent to top wnd 0x%x.
WinAppTerminator: EnumThreadWindows failed err=%d.
Host Process for Windows Tasks
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskhost.exe
Windows
Operating System
6.1.7601.17514


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2388

  2. Delete the original Trojan file.
  3. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetworkVerifyer" = "c:\%original file name%.exe"

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
