AIT.Trojan.GenericTKA.48_96072596c7
Susp_Dropper (Kaspersky), AIT:Trojan.GenericTKA.48 (AdAware), HackTool.Win32.PassView.FD, HackToolPassView.YR (Lavasoft MAS)
Behaviour: Trojan, HackTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 96072596c7dd7c1aaff1c3684d8dd44e
SHA1: 62b525de1b1282ca9b34ad6cb2a453ad0618eea8
SHA256: 52ea3a489c67fcd5f7923134c5cf16a3d238752689c6045ea98137e6833223de
SSDeep: 24576:3tb20pkaCqT5TBWgNQ7abCSiRiIoj95jF/q8s pvPXWjWY7CTtTZ2 iNQr2V6A:0Vg5tQ7a nRR 95jF/qwCv7CTv2 3u5
Size: 1666560 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2017-10-22 22:01:51
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The AIT creates the following process(es):
%original file name%.exe:816
%original file name%.exe:2940
netsh.exe:4048
regsvr32.exe:3968
vbc.exe:3728
The AIT injects its code into the following process(es):
vbc.exe:3532
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:816 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.resource (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut8AB3.tmp (7337 bytes)
The AIT deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut8AB3.tmp (0 bytes)
The process %original file name%.exe:2940 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.resource (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\%original file name%.exe (10864 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut89B9.tmp (7337 bytes)
The AIT deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut89B9.tmp (0 bytes)
The process vbc.exe:3532 makes changes in the file system.
The AIT creates and/or writes to the following file(s):
C:\Windows\System32\config\SOFTWARE (17649 bytes)
C:\Windows\System32\System32.exe (16158 bytes)
C:\Windows\System32\MSWINSCK.OCX (218 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (10232 bytes)
C:\Windows (288 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (8192 bytes)
C:\$Directory (768 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (17217 bytes)
C:\Windows\System32 (1120 bytes)
Registry activity
The process %original file name%.exe:816 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the AIT adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\%original file name%.exe"
The process %original file name%.exe:2940 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the AIT adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "c:\%original file name%.exe"
The process netsh.exe:4048 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E\@%SystemRoot%\system32]
"eapqec.dll,-102" = "1.0"
"eapqec.dll,-103" = "Microsoft Corporation"
"eapqec.dll,-100" = "EAP Quarantine Enforcement Client"
"eapqec.dll,-101" = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
"dhcpqec.dll,-102" = "Microsoft Corporation"
"dhcpqec.dll,-103" = "1.0"
"dhcpqec.dll,-100" = "DHCP Quarantine Enforcement Client"
"dhcpqec.dll,-101" = "Provides DHCP based enforcement for NAP"
"tsgqec.dll,-102" = "1.0"
"tsgqec.dll,-103" = "Microsoft Corporation"
"tsgqec.dll,-100" = "RD Gateway Quarantine Enforcement Client"
"tsgqec.dll,-101" = "Provides RD Gateway enforcement for NAP"
"napipsec.dll,-1" = "IPsec Relying Party"
"napipsec.dll,-3" = "Microsoft Corporation"
"napipsec.dll,-2" = "Provides IPsec based enforcement for Network Access Protection"
"napipsec.dll,-4" = "1.0"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process regsvr32.exe:3968 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKCR\MSWinsock.Winsock]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
"(Default)" = "C:\Windows\System32\MSWINSCK.OCX, 1"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"(Default)" = "C:\Windows\System32\MSWINSCK.OCX"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1]
"(Default)" = "132497"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "IMSWinsockControl"
[HKCR\MSWinsock.Winsock\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Winsock General Property Page Object"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"(Default)" = "C:\Windows\System32\MSWINSCK.OCX"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32]
"(Default)" = "C:\Windows\System32\MSWINSCK.OCX"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "DMSWinsockControlEvents"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID]
"(Default)" = "MSWinsock.Winsock"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"Version" = "1.0"
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0]
"(Default)" = "Microsoft Winsock Control 6.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS]
"(Default)" = "2"
[HKCR\MSWinsock.Winsock\CurVer]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus]
"(Default)" = "0"
[HKCR\MSWinsock.Winsock.1\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\MSWinsock.Winsock.1]
"(Default)" = "Microsoft WinSock Control, version 6.0"
The AIT deletes the following registry key(s):
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
The AIT deletes the following value(s) in system registry:
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"ThreadingModel"
The process vbc.exe:3532 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:
[HKCR\MSWinsock.Winsock]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX, 1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1]
"(Default)" = "132497"
[HKCR\MSWinsock.Winsock\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Winsock General Property Page Object"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"(Default)" = "C:\Windows\system32\MSWINSCK.OCX"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID]
"(Default)" = "MSWinsock.Winsock"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}]
"(Default)" = "Microsoft WinSock Control, version 6.0"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version]
"(Default)" = "1.0"
[HKCR\MSWinsock.Winsock\CurVer]
"(Default)" = "MSWinsock.Winsock.1"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus]
"(Default)" = "0"
[HKCR\MSWinsock.Winsock.1\CLSID]
"(Default)" = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib]
"(Default)" = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
[HKCR\MSWinsock.Winsock.1]
"(Default)" = "Microsoft WinSock Control, version 6.0"
To automatically run itself each time Windows is booted, the AIT adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update" = "C:\Windows\System32\System32.exe"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
To automatically run itself each time Windows is booted, the AIT adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update" = "C:\Windows\System32\System32.exe"
The AIT deletes the following registry key(s):
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}]
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
The AIT deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCR\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32]
"ThreadingModel"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
9484c04258830aa3c2f2a70eb041414c | c:\Windows\System32\MSWINSCK.OCX |
f2fc0243c663485d48329bd9cc4ef04d | c:\Windows\System32\System32.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Bandicam Company
Product Name: bdcam
Product Version: 4.0.1.1339
Legal Copyright: Copyright(c) 2009-2017 Bandicam.com All rights reserved.
Legal Trademarks:
Original Filename: Bdcam.exe
Internal Name: Bdcam.exe
File Version: 4.0.1.1339
File Description: Bandicam - bdcam.exe
Comments: Developer: denny
Language: Chinese (Simplified, PRC)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 570703 | 570880 | 4.63051 | f437a6545e938612764dbb0a314376fc |
.rdata | 577536 | 183362 | 183808 | 3.99959 | 827ffd24759e8e420890ecf164be989e |
.data | 761856 | 40276 | 25088 | 1.38816 | e0a519f8e3a35fae0d9c2cfd5a4bacfc |
.rsrc | 802816 | 842904 | 843264 | 5.45133 | fff4971b737951c425d5706277d9c381 |
.reloc | 1646592 | 42100 | 42496 | 3.63585 | 0bc98f8631ef0bde830a7f83bb06ff08 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
pornohdrat.duckdns.org | |
dns.msftncsi.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The AIT connects to the servers at the following location(s):
.text
`.data
.rsrc
USER32.DLL
OLE32.DLL
GDI32.DLL
GDIPLUS.DLL
KERNEL32.DLL
MSVBVM60.DLL
MSWINSCK.OCX
MSWinsockLib.Winsock
MdlCMD
MdlTcp
MdlWebcam
MdlPass
C:\Microsoft Visual Studio\VB98\VB6.OLB
_MmC:\Windows\SysWow64\MSWINSCK.oca
advapi32.dll
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
kernel32.dll
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyState
GetAsyncKeyState
urlmon
URLDownloadToFileA
VBA6.DLL
shlwapi.dll
winmm.dll
shell32.dll
ShellExecuteA
wtsapi32.dll
PSAPI.DLL
ntdll.dll
user32.dll
CreatePipe
RegEnumKeyExA
advapi32.dll
RegDeleteKeyA
RegCreateKeyExA
RegOpenKeyA
RegFlushKey
SHFileOperationA
GetExtendedTcpTable
iphlpapi.dll
GetTcpTable
ws2_32.dll
SetTcpEntry
wsock32.dll
avicap32.dll
msvfw32.dll
GdiplusShutdown
msvbvm60.dll
GdiPlus.dll
oleaut32.dll
keybd_event
comctl32.dll
.reloc
MSWNSK98.chm
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
"255.255.255.255
"6.00.8169
WSOCK32.dll
KERNEL32.dll
USER32.dll
ole32.dll
ADVAPI32.dll
OLEAUT32.dll
GDI32.dll
GetProcessHeap
GetWindowsDirectoryA
CreateDialogIndirectParamA
GetViewportExtEx
SetViewportExtEx
SetViewportOrgEx
"%s%s.DLL
%s%s.DLL
%u\%s.dll
{lX-X-X-XX-XXXXXX}
CLSID\%s
%s Object
%s.%s.%ld
%s.%s
%s.%s\CurVer
%s\InprocServer
VERSION.DLL
%ld - %s
stdole2.tlbWWW
hsckTCPProtocolWW
FsckUDPProtocolWWd
}|RemotePortWWd
7LocalPortWWWd
0ZBsckGetNotSupportedWW
sckSetNotSupportedWW
sckUnsupportedWW
sckMsgTooBig
sckPortNotSupportedW
MSWinSck.OcxWW
MSWNSK98.chmWW
TCP protocolWW
UDP protocolWW
Returns/Sets the port to be connected to on the remote computerWWW0
Returns/Sets the port used on the local computerWW*
Binds socket to specific port and adapterW:
Occurs connect operation is completedW4
Occurs after a send operation has completedWWW
The argument passed to a function was not in the correct format or in the specified rangeW
Unsupported variant typesW"
Invalid operation at current state
The operation is canceledW
Socket is non-blocking and the specified operation will blockW
A blocking winsock operation is in progressWWWA
The operation is completed. No blocking operation is in progress.W
The specified port is not supportedWWW
?$?0?6?<?
4'484%5-5
mswinsck.dbg
=VVV.verisign.com/repository/CPS Incorp. by Ref.,LIAB.LTD(c)961>0<
'hXXps://VVV.verisign.com/repository/CPS
This certificate incorporates by reference, and its use is strictly
subject to, the VeriSign Certification Practice Statement (CPS)
hXXps://VVV.verisign.com; by E-mail at CPS-requests@verisign.com; or
USA Copyright (c)1996 VeriSign, Inc. All Rights Reserved. CERTAIN
WARNING: THE USE OF THIS CERTIFICATE IS STRICTLY SUBJECT TO THE
VERISIGN CERTIFICATION PRACTICE STATEMENT. THE ISSUING AUTHORITY
DISCLAIMS CERTAIN IMPLIED AND EXPRESS WARRANTIES, INCLUDING WARRANTIES
BE LIABLE FOR CONSEQUENTIAL, PUNITIVE, AND CERTAIN OTHER DAMAGES. SEE
4hXXps://VVV.verisign.com/repository/verisignlogo.gif0
hXXps://VVV.verisign.com/CPS0b
hXXp://VVV.microsoft.com/vbasic 0
`.rdata
@.data
D$.SPf
2 34 567
com.apple.Safari
com.apple.WebKit2WebProcess
SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins
"Account","Login Name","Password","Web Site","Comments"
3.7.5
SQLite format 3
CREATE TABLE sqlite_master(
sql text
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
PK11_GetInternalKeySlot
PK11_CheckUserPassword
large file support is disabled
unknown operation
SQL logic error or missing database
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
%Y-%m-%d %H:%M:%S
%Y-%m-%d
%H:%M:%S
SQLITE_
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
%s-shm
%s\etilqs_
OsError 0x%x (%u)
Recovered %d frames from WAL file %s
%s-mjX
foreign key constraint failed
unable to use function %s in the requested context
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot %s savepoint - SQL statements in progress
cannot rollback transaction - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
statement aborts at %d: [%s] %s
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
oversized integer: %s%s
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
%s OR name=%Q
type='trigger' AND (%s)
there is already another table or index with this name: %s
sqlite_
table %s may not be altered
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE tbl=%Q
SELECT tbl, idx, stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
%s %T cannot reference objects in database %s
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
no such collation sequence: %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
view %s is circularly defined
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
cannot modify %s because it is a view
foreign key mismatch
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
PRIMARY KEY must be unique
automatic extension loading failed: %s
foreign_key_list
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
%s:%d
no such index: %s
sqlite_subquery_%p_
no such table: %s
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
at most %d tables in a join
cannot use index: %s
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
unknown database: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
sqlite3_open
sqlite3_prepare
sqlite3_step
sqlite3_column_text
sqlite3_column_int
sqlite3_column_int64
sqlite3_finalize
sqlite3_close
sqlite3_exec
f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb
msvcrt.dll
_wcmdln
COMCTL32.dll
VERSION.dll
FindFirstUrlCacheEntryW
FindCloseUrlCache
FindNextUrlCacheEntryW
WININET.dll
GetWindowsDirectoryW
EnumChildWindows
comdlg32.dll
RegOpenKeyExW
RegEnumKeyExW
ShellExecuteW
SHELL32.dll
5JEw%Xg
<assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
hXXp://VVV.usertrust.com1
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
hXXps://secure.comodo.net/CPS0A
0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
hXXp://ocsp.comodoca.com0
support@nirsoft.net0
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
B*\AF:\HAKOPS Rat\Version 2\Server\Project1.vbp
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
127.0.0.1
[CMDKOMUT]
h.bat
[TCPVER]
[TCPKes]
hXXp://
[URLDOWN]
[WEBCAMSTART]
[WEBCAMHATA]
[WEBCAMSTOP]
[KEYBAS]
[PASS_VER]
Win32_OperatingSystem,SerialNumber
SOFTWARE\Microsoft\Windows NT\CurrentVersion
winmgmts:\\.\root\SecurityCenter
2.6.0
Wscript.Shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
[CMD]
wscript.shell
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\Uninstall
\Microsoft\Windows\Themes\TranscodedWallpaper
\Microsoft\Windows\Themes\TranscodedWallpaper.png
##,###,##0.00
##,###,##0
[TCP_List]
Windows
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Software\Microsoft\Windows\CurrentVersion\Policies\System
\AS1DF2.bat
\SysWOW64\MSWINSCK.OCX
\SysWOW64\regsvr32.exe
/s MSWINSCK.OCX
\System32\MSWINSCK.OCX
\System32\regsvr32.exe
\h4kR4t.exe
\zzxxcc19.txt
[PASS_RAPOR]
[PASSLAR]
@*\AF:\HAKOPS Rat\Version 2\Server\Project1.vbp
RemotePort
LocalPort
YThe argument passed to a function was not in the correct format or in the specified range
6.00.8169
is a registered trademark of Microsoft Corporation. Windows(tm) is a trademark of Microsoft Corporation.
&LocalPort
Socket has encountered an error:Returns/Sets the name used to identify the remote computer?Returns/Sets the port to be connected to on the remote computer0Returns/Sets the port used on the local computer*Returns the state of the socket connection7Returns the number of bytes received on this connection
TCP protocol
UDP protocol
Error occurred;Occurs when data has been received from the remote computer%Occurs connect operation is completed4Occurs when a remote client is attempting to connect*Occurs when the connection has been closed%Occurs during process of sending data Occurs after a send operation has completed
Protocol Constants)Binds socket to specific port and adapter
Unsupported variant types
"Invalid operation at current state
Invalid type for %s property,%s property should be in the range %ld - %ld
The operation is canceled
=Socket is non-blocking and the specified operation will block A blocking winsock operation is in progressAThe operation is completed. No blocking operation is in progress.
Destination address is requiredAThe datagram is too large to fit into the buffer and is truncated3The specified port is the wrong type of this socket
Option unknown, or unsupported#The specified port is not supported0Socket type not supported in this address family>Socket is not a type that supports connection oriented service
Protocol family not supported
Address Family is not supported
Network subsystem is unavailable WINSOCK.DLL version out of range"WinsockInit should be called first
WebBrowserPassView
%%0.ß
Apple Computer\Preferences\keychain.plist
LoadPasswordsIE
LoadPasswordsFirefox
LoadPasswordsChrome
LoadPasswordsOpera
LoadPasswordsSafari
UseFirefoxProfileFolder
UseFirefoxInstallFolder
UseChromeProfileFolder
UseOperaPasswordFile
FirefoxProfileFolder
FirefoxInstallFolder
ChromeProfileFolder
OperaPasswordFile
<meta http-equiv='content-type' content='text/html;charset=%s'>
<br><h4>%s <a href="hXXp://VVV.nirsoft.net/" target="newwin">%s</a></h4><p>
Aadvapi32.dll
crypt32.dll
777705555443332
5555443332
5555443332
wand.dat
@nss3.dll
SOFTWARE\Mozilla
mozilla
%s\bin
PathToExe
%programfiles%\Mozilla Firefox
-signons.txt
signons2.txt
signons3.txt
signons.sqlite
netmsg.dll
Error %d: %s
%s (%s)
@dllhost.exe
taskhost.exe
taskhostex.exe
Microsoft\Windows\WebCache\WebCacheV01.dat
Microsoft\Windows\WebCache\WebCacheV24.dat
index.dat
hXXps://VVV.google.com/accounts/servicelogin
hXXp://VVV.facebook.com/
hXXps://login.yahoo.com/config/login
hXXps://
PTF://
menu_%d
dialog_%d
TranslatorURL
_lng.ini
%-18s: %s
%%-%d.%ds
<td bgcolor=#%s nowrap>%s
<td bgcolor=#%s>%s
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
bgcolor="%s"
<font color="%s">%s</font>
<%s>%s</%s>
</%s>
report.html
*.txt
*.csv
*.htm;*.html
*.xml
/skeepass
/deleteregkey
@history.dat
places.sqlite
Mozilla\Profiles
Mozilla\Firefox\Profiles
Mozilla\Firefox
profiles.ini
Profile%d
Exception %8.8X at address %8.8X in module %s
Stack Data: %s
Code Data: %s
sqlite3.dll
mozsqlite3.dll
tntdll.dll
sWeb Data
Login Data
Google\Chrome\User Data
Google\Chrome SxS\User Data
Opera\Opera\wand.dat
Opera\Opera7\profile\wand.dat
Opera
psapi.dll
pstorec.dll
A"%s"
Ashell32.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
<html><head>%s<title>%s</title></head>
%s <h3>%s</h3>
size="%d"
color="#%s"
<font color="%s">
<table border="1" cellpadding="5"><tr%s>
width="%s"
<th%s>%s%s%s
\sqlite3.dll
\mozsqlite3.dll
\nss3.dll
.save
vaultcli.dll
abe2869f-9b47-4cd9-a358-c22904dba7f7
Copy &Password
&HTML Report - All Items
HTML R&eport - Selected Items
HTML Report - All Items
HTML Report - Selected Items
Load Passwords From...
Mozilla Firefox
Google Chrome
Firefox Options
Master password:
Firefox Profile:
Firefox Installation:
Chrome Options
Opera Options
wand.dat file:
%d Passwords
, %d Selected
Web Browser Passwords%Choose another Firefox profile folder)Choose the installation folder of Firefox,Choose another profile of Chrome Web browser,Choose the password file of Opera (wand.dat)
Loading... %d
KeePass csv file
Opera Password File
Firefox 1.x
Firefox 2.x
Firefox 3.0
Firefox 3.5/4
Chrome
Safari#Internet Explorer 10.0 on Windows 8
Web Browser
Password
Password Strength
Password Field
WebBrowserPassView.exe
2.01.0005
Server.exe
vbc.exe_3532_rwx_00400000_000B7000:
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:816
%original file name%.exe:2940
netsh.exe:4048
regsvr32.exe:3968
vbc.exe:3728
- Delete the original AIT file.
- Delete or disinfect the following files created/modified by the AIT:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\1.resource (5441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut8AB3.tmp (7337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\%original file name%.exe (10864 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut89B9.tmp (7337 bytes)
C:\Windows\System32\config\SOFTWARE (17649 bytes)
C:\Windows\System32\System32.exe (16158 bytes)
C:\Windows\System32\MSWINSCK.OCX (218 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (10232 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (8192 bytes)
C:\$Directory (768 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (17217 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Startup Name" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update" = "C:\Windows\System32\System32.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update" = "C:\Windows\System32\System32.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.