Gen.Trojan.Heur.AutoIT.1_80d963ab8d

by malwarelabrobot on October 10th, 2016 in Malware Descriptions.

Trojan.BAT.StartPage.cu (Kaspersky), Gen:Trojan.Heur.AutoIT.1 (AdAware), Trojan.Win32.IEDummy.FD, Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 80d963ab8d48915e3305978f8662bcde
SHA1: 045a633659a4c7a5d0fb71d43e50f4ad1e683f5f
SHA256: 928e9b9ea605a435b815f37adc2eee496f7fceb16d140ae6df4a910f3e179d9e
SSDeep: 49152:t1vqjdi8BajEHAHVpS3NIPO836h7FmutmHgKJ4qtDzG4QXqH:t1vqj5gHVyNIq/mOV4D1QXqH
Size: 2345790 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2010-04-16 10:47:33
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

attrib.exe:2176
attrib.exe:2184
%original file name%.exe:464
tasklist.exe:2192
regedit.exe:1992
regedit.exe:708
regedit.exe:640
regedit.exe:304
regedit.exe:2068
regedit.exe:428
regedit.exe:1692
regedit.exe:1888
regedit.exe:252
regedit.exe:2060
regedit.exe:364
regedit.exe:516
find.exe:2228

The Trojan injects its code into the following process(es):

forqd340.exe:1688

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\vcry\kwsui.dll (3833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d.tmp (91 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autA.tmp (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (3185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (3089 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1176 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\kws\kws.ini (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pi3603.exe (254330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (3185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gou3603.exe (320269 bytes)
%Documents and Settings%\All Users\Application Data\vcry\kswbc.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\shishuoxinci[1].htm (23685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut7.tmp (938 bytes)
%Documents and Settings%\All Users\Desktop\forqd340.exe (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut8.tmp (4065 bytes)
%Documents and Settings%\%current user%\Desktop\okregreg.reg (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\location[1].htm (91 bytes)
%Documents and Settings%\%current user%\Desktop\Internat Explorer.ECJ (37 bytes)
%Program Files%\Microsoft Cdobe Emulator\Internat Explorer\target.lnk (168 bytes)
%Documents and Settings%\All Users\Application Data\vcry\kswebshield.dll (4025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut9.tmp (118 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\All Users\Application Data\vcry\kwssp.dll (3641 bytes)
%Documents and Settings%\All Users\Application Data\vcry\saes.exe (3417 bytes)
%Program Files%\Microsoft Cdobe Emulator\Internat Explorer\Desktop.ini (75 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\kws\spitesp.dat (2 bytes)
%Documents and Settings%\Administrator\Application Data\Tencent\AXSEF\AXSEF.exe (1742357 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (2017 bytes)
%Documents and Settings%\%current user%\Application Data\360se\360se.ini (39 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut8.tmp (0 bytes)
%Documents and Settings%\%current user%\Desktop\okregreg.reg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)

The process tasklist.exe:2192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\tasklist.txt (152367 bytes)

The process find.exe:2228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\find.txt (27 bytes)

The process forqd340.exe:1688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\PPTV(pplive)_forqd340[1].exe (148172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

Registry activity

The process attrib.exe:2176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 E7 50 8D D8 B8 5F 9E 24 92 1A 8F 5B F8 B0 DF"

The process attrib.exe:2184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A C6 BA C3 1B 12 15 E3 3B B6 56 04 BD 12 1A 8D"

The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCR\WXDH\DefaultIcon]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\WXDH\shell\open\command]
"(Default)" = "explorer %Program Files%\Microsoft %C%8o›Ž Emulator\Internat Explorer"

[HKCR\.ECJ]
"(Default)" = "WXDH"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 E3 32 B3 7B 34 04 58 98 2F 6C 6C 58 E2 E9 B6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process tasklist.exe:2192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B CB 7F E3 69 DD 0A 59 ED A8 30 5D E3 E6 BC 74"

The process regedit.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 4B 1C 07 B0 A2 1B 82 38 9D 54 F7 B6 95 52 19"

The process regedit.exe:708 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A BA 20 46 79 1D 1B 66 06 7F 50 11 8B 79 A4 07"

The process regedit.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 4D 3C 5F CD 39 3C 09 3B 74 14 98 44 DF 3E A5"

The process regedit.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 4B 87 44 62 17 48 E9 A8 04 9C DD BF 77 92 12"

The process regedit.exe:2068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 A3 B6 03 3B 9D A8 51 F8 B5 1D BB 2B B7 DC DE"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Atfmon.exe" = "D:\Stion\tmp....................................\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}.. hh.exe"

The process regedit.exe:428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 13 CD AC 62 0D 9D 81 EB C9 80 C1 5E 95 F7 2E"

The process regedit.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 81 53 0D 9E 39 9F 8A DF 45 E8 AA 4F 69 DB FD"

The process regedit.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 B2 D4 9F BF E0 2F 83 94 4D 0E F9 4F 75 4F D5"

The process regedit.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E CF 86 49 2E 06 90 A4 70 75 F3 89 61 F4 D1 66"

The process regedit.exe:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A D2 E9 E0 C7 DF A8 53 9E FC C7 D2 A3 92 A6 12"

The process regedit.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 89 48 54 D8 3A 7A 64 E8 54 EE 64 A2 78 82 76"

The process regedit.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 93 46 57 20 44 48 C9 75 D7 FF AD 04 07 6D 8A"

The process find.exe:2228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 41 BC 48 DC 08 AD 65 4E C0 FE 60 EE FD 74 AF"

The process forqd340.exe:1688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
f00ba2e2a75e9fb973bf30ddec8c5926	c:\Documents and Settings\Administrator\Application Data\Tencent\AXSEF\AXSEF.exe
76d1736f2bd7405598ddaa7146defdd4	c:\Documents and Settings\All Users\Application Data\vcry\kswbc.dll
7851449473178f9782263d51bc5e3bbc	c:\Documents and Settings\All Users\Application Data\vcry\kswebshield.dll
bf5dcfd9da0514334d41cbd80d2a9138	c:\Documents and Settings\All Users\Application Data\vcry\kwssp.dll
45199dab51eeece95728abfe25e18f35	c:\Documents and Settings\All Users\Application Data\vcry\kwsui.dll
1fa47f5b173cee5ef9c3ee1bda0c321e	c:\Documents and Settings\All Users\Application Data\vcry\saes.exe
f56a9f4fb234f8e9d99d0d1f5df7a7c8	c:\Documents and Settings\All Users\Desktop\forqd340.exe
ad70c21a978613f0d8436476f051c451	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\gou3603.exe
525bf0271b6ef28762b778aade8e4b78	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\pi3603.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 6, 1
File Description:
Comments:
Language: English (Canada)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	524311	524800	4.59884	be1208f841dc92012d5f6bbdd832e6d9
.rdata	532480	55644	55808	3.15707	f6f8c907d8737bc8580a33fc54f93268
.data	589824	107800	26624	1.52615	e5d77411f751d28c6eee48a743606795
.rsrc	700416	12144	12288	3.42739	d00bce8ffb9d256f404c92a7bee6d555

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 4
288f63ed926a2dfea22c60a24d8e5c26
a898555939ce7c53c8d98e4fccca6be8
ae3318944fdd27487fb60e38fa33b443
d086269a5ff40ddca8307ee837524399

URLs

URL	IP
hxxp://www.81830.info/tg14.html	199.59.242.150
hxxp://www.81830.info/glp?r=&u=http://www.81830.info/tg14.html&rw=1276&rh=846&ww=772&wh=467	199.59.242.150
hxxp://www.google.com/adsense/domains/caf.js	216.58.209.68
hxxp://www.81830.info/listing	199.59.242.150
hxxp://download.gslb.pptv.com/PPTV(pplive)_forqd340.exe
hxxp://www.81830.info/gbp?r=&u=http://www.81830.info/listing	199.59.242.150
hxxp://tracking.bodis.com/tbpv?d=eyJkb21haW5fbmFtZSI6IjgxODMwLmluZm8iLCJzZXJ2ZXIiOjExOCwiVVJMIjoiaHR0cDpcL1wvd3d3LjgxODMwLmluZm9cL2xpc3RpbmciLCJyZWZlcnJlciI6IiIsImJyb3dzZXJfdHlwZSI6Ik9MRF9ERVNLVE9QIn0&t=1475979405	199.59.243.122
hxxp://api.liqwei.com/location/	119.254.0.9
hxxp://www.3929.cn/?tn=sun	122.114.60.218
hxxp://www.a.shifen.com/buzz/shishuoxinci.html
hxxp://top.baidu.com/buzz/shishuoxinci.html
hxxp://download.pplive.com/PPTV(pplive)_forqd340.exe	221.194.64.203

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile

Traffic

GET /tbpv?d=eyJkb21haW5fbmFtZSI6IjgxODMwLmluZm8iLCJzZXJ2ZXIiOjExOCwiVVJMIjoiaHR0cDpcL1wvd3d3LjgxODMwLmluZm9cL2xpc3RpbmciLCJyZWZlcnJlciI6IiIsImJyb3dzZXJfdHlwZSI6Ik9MRF9ERVNLVE9QIn0&t=1475979405 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.81830.info/listing

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tracking.bodis.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0

Pragma: no-cache

Content-Type: text/plain

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Server: Microsoft-IIS/7.5

Access-Control-Allow-Origin: *

Date: Sun, 09 Oct 2016 02:16:51 GMT

Content-Length: 0

HTTP/1.1 200 OK..Cache-Control: no-store, no-cache, must-revalidate,po
st-check=0, pre-check=0..Pragma: no-cache..Content-Type: text/plain..E
xpires: Mon, 26 Jul 1997 05:00:00 GMT..Server: Microsoft-IIS/7.5..Acce
ss-Control-Allow-Origin: *..Date: Sun, 09 Oct 2016 02:16:51 GMT..Conte
nt-Length: 0..

GET /location/ HTTP/1.1

User-Agent: AutoIt

Host: api.liqwei.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Content-Length: 91

Content-Type: text/html

Content-Location: hXXp://api.liqwei.com/404.html?404;hXXp://api.liqwei.com:80/location/

Last-Modified: Fri, 25 Feb 2011 05:13:24 GMT

Accept-Ranges: bytes

ETag: "ccf928baaad4cb1:46bfb"

Server: Microsoft-IIS/6.0

Date: Sun, 09 Oct 2016 02:16:52 GMT
<html><head><meta http-equiv="refresh" content="0;url=h
ttp://VVV.ibicn.com/"></head></html>HTTP/1.1 200 OK..Co
ntent-Length: 91..Content-Type: text/html..Content-Location: hXXp://ap
i.liqwei.com/404.html?404;hXXp://api.liqwei.com:80/location/..Last-Mod
ified: Fri, 25 Feb 2011 05:13:24 GMT..Accept-Ranges: bytes..ETag: "ccf
928baaad4cb1:46bfb"..Server: Microsoft-IIS/6.0..Date: Sun, 09 Oct 2016
 02:16:52 GMT..<html><head><meta http-equiv="refresh" c
ontent="0;url=hXXp://VVV.ibicn.com/"></head></html>..

GET /adsense/domains/caf.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.81830.info/tg14.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.google.com

Connection: Keep-Alive


HTTP/1.1 200 OK

Vary: Accept-Encoding

Content-Type: text/javascript; charset=UTF-8

Date: Sun, 09 Oct 2016 02:16:45 GMT

Expires: Sun, 09 Oct 2016 02:16:45 GMT

Cache-Control: private, max-age=3600

ETag: "4544112451184822942"

X-Content-Type-Options: nosniff

Content-Encoding: gzip

Transfer-Encoding: chunked

Server: sffe

X-XSS-Protection: 1; mode=block
17a2.............;iw.8... $NV!#....;!..8....9.Iz")y HJ.%R&).k..o....s.
l...........S.7~..7...0........O...^K....!M\U....|...4S...C.......}.9_
E...50Uo.....UkI....?O^..q#..yM........z<...y...3..}..;...>....&
gt;..y..#.......A.X.,)..S7.>'\P?......_..g.z...JV(..,\.>1!v.k..9
..M.7.\e.%..0N...% ...V2.cbS...}JX..j..l[......5}OUB..e.bY......[ UB..
`.QD...MVQ.P.P.:.[.D..l...D....$D.z..'..LuF.s......Z...M...Q..U.8;.j.V
...v#..D..n0Mf.........Q..h...&...F.n....G....=..v....d......c....F...
.'..U.P..J..c.%{....[..y..`.T...,..%[..8.M&..N..).7.*1..%.)...W..9....
.,CJ.eD.&,.IH...r~.R..-Gh4...I......*jS-.E.M.(..H..vg/.'.......-m..w..
.....e. ........u.U..|/..1.....Ci.t....VI#)..T.te....*........._.t.to.
...h._.-.:`I.)5.l.[..K...e.... .#..4o[L......*...)...-.tQOsja....f..Po
7.m)Y....Z.]6 ....mR.vY.(..; [email protected]..]...-..7....F\k.t7...v
..3r.w&V>6r'.S(8..Ifo.).....Z#..7.........BJ...y~...9h.\.s.wrzvr...
...CeBBj.0..k.JA.a.C_A...._...e%,J&.m ..N|...*Z.......9?=R.....1.. ..7
%q..g.uE........Y3%..z.}.w.....z.$..y...'.D.2... .>.#..oK...[....S.
F~.\U= .TjQ..u..RM...`.j.V..W.Q.\.(vO...p.Gh..2%7....D..I....Ia...D.m.
.....d........?n."J..8~...'n..h....}..'..O..x...y.....`z......7....x..
. JV...(.T.b\.... .....m|..o....?....<Q.`\....E........8...y...5r.&
..x{.#.P...T...&..:]?...I...k...U}.x.uq..{w...nV$X...Z..e....sUQ...*..
..&l..#J.QN9...wZ...=k.pm.`.$.......u.Y.!..Sr..EQK.e2.[U..h&.!..DtK.|.
O.i..O.x...m...m.....e.....=....mz..%.....y...........&."U...f..:..7.i
......sv9..S..J...Pk./..*[email protected][email protected].`..<<< skipped >>>

GET /buzz/shishuoxinci.html HTTP/1.1

User-Agent: AutoIt

Host: top.baidu.com

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Sun, 09 Oct 2016 02:17:17 GMT

Content-Type: text/html;

Transfer-Encoding: chunked

Connection: Keep-Alive

Set-Cookie: BAIDUID=029FCF222E5A2E8A60B01F194834037D:FG=1; expires=Mon, 09-Oct-17 02:17:17 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1

P3P: CP=" OTI DSP COR IVA OUR IND COM "

Server: PS-DSP/1.0
b2c..<!DOCTYPE html>.<html>.        <head>.        &
lt;meta http-equiv="Content-Type" content="text/html; charset=gb2312" 
/>.        <title>..................--..............</titl
e>.        ..<base href="hXXp://top.baidu.com/" />  .    <
style>.        .icon-xiang-imp {background:url(hXXp://top.bdimg.com
/frontend/static/common/images/xiang.png) center center no-repeat !imp
ortant;}.    </style>.    <script>.                       
                 var href_ps_tn = 'SE_baiduhomet8_jmjb7mjw';.        v
ar href_ps_prep = 'hXXp://VVV.baidu.com/baidu?cl=3&tn=SE_baiduhomet8_j
mjb7mjw&fr=top1000&wd=';.                                    var board
IdsLikeYeYou = ',173,1393,1394,';.        function checkLikeYeYou(boar
dId) {.            if (boardId && boardIdsLikeYeYou.indexOf(','   boar
dId   ',') >= 0) {.                return 1;.            } else {. 
               return 0;.            }.        }..        .        var
 baidu;.    </script>.......<script>var BASE_URL = "http:/
/top.baidu.com/", BASEURL = "hXXp://top.bdimg.com/frontend", FLASH_URL
= "hXXp://top.baidu.com/frontend";</script>.                    
    <link rel="stylesheet" href="hXXp://top.bdimg.com/frontend/stat
ic/common/common.min.css" />.            <script type="text/java
script" src="hXXp://top.bdimg.com/frontend/build/common/lib.js?v=15070
9"></script>.            .<script>var bt = baidu.templa
te;</script>..    ...        <link rel="stylesheet" href=<<< skipped >>>

GET /?tn=sun HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.3929.cn

Connection: Keep-Alive


HTTP/1.1 404 Object not found

Content-Type: text/html; charset=utf-8

Connection: close

Server: Knstat/2.1.1([email protected])

Content-Length: 584
......................................................................
................................<br /><br /><br />&l
t;br /><br /><br /><br /><br /><br />
<br /><br /><br /><br /><br /><br /&g
t;<br /><br /><br /><br /><br /><br /
><br /><br /><br /><br /><br /><br
 /><br /><br /><br /><br /><br /><
br /><br /><br /><br /><br /><br />&l
t;br /><br /><br /><br /><br /><br />
<br /><br /><br /><br /><br /><br /&g
t;<br /><br /><br /><br /><br /><br /
><br /><br /><br /><br /><br /><br
 /><br /><br /><br /><br /><br /><
br /><br /><br /><br /><br /><br />&l
t;br /><br /><br /><br /><br /><br />
<br />....

GET /PPTV(pplive)_forqd340.exe HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: download.pplive.com

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 200 OK

Date: Sun, 09 Oct 2016 02:16:47 GMT

Content-Type: application/octet-stream

Content-Length: 11553192

Last-Modified: Mon, 13 Jun 2011 09:44:21 GMT

Connection: keep-alive

ETag: "4df5dbf5-b049a8"

Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........h.....X...X
...X.q$X...X...X...X.q4X...X.[#X...X.q&X...XRich...X................PE
..L......M.................f..........d8............@.................
.................y..................................................(.
.......... 4..........................................................
.....................................text....d.......f................
.. ..`.rdata..p........ ...j..............@[email protected]...................
[email protected].......`...........................rsrc...(.....
......................@..@............................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected][email protected].@
..}[email protected]... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected][email protected][email protected] [email protected]..
.|.@._^3.[.....L$...SB...i......T.....tUVW.q.3.;5.SB.sD..i......D..S..
...t.G.....t...O..t .....u...3....3...F.....;5.SB.r.[_^...U..QQ.U.<<< skipped >>>

GET /tg14.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.81830.info

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Sun, 09 Oct 2016 02:16:43 GMT

Content-Type: text/html

Content-Length: 2423

Last-Modified: Wed, 24 Aug 2016 23:20:13 GMT

Connection: keep-alive

ETag: "57be2bad-977"

Accept-Ranges: bytes
<!DOCTYPE html><!--[if lt IE 7 ]><html class="ie6">&
lt;![endif]--><!--[if IE 7 ]><html class="ie7"><![en
dif]--><!--[if IE 8 ]><html class="ie8"><![endif]--&
gt;<!--[if IE 9 ]><html class="ie9"><![endif]--><
!--[if (gt IE 9)|!(IE)]>--><html><!--<![endif]-->
<head><meta http-equiv="Content-Type" content="text/html; cha
rset=utf-8"><title></title><meta name="viewport" con
tent="width=device-width, initial-scale=1"><noscript><meta
 HTTP-EQUIV="REFRESH" content="0; url=/legacy"></noscript><
;meta name="description" content="See related links to what you are lo
oking for."/></head><body><script type="text/javascr
ipt">g_oW=(function(){var.Dv=document,aBr=location,C_=Dv.createElem
ent('script'),aCz=false,LE;C_.defer=true;C_.async=true;C_.src="//VVV.g
oogle.com/adsense/domains/caf.js";C_.onerror=function(){aBr.href='/leg
acy';};C_.onload=C_.onreadystatechange=function(){if(!aCz&&LE){if(!win
dow['googleNDT_']){aBr.replace('/legacy');}.LE(google.ads.domains.Caf)
;}.aCz=true;};Dv.body.appendChild(C_);return{aBg:function(oe){if(aCz).
oe(google.ads.domains.Caf);else.LE=oe;},bq:function(){if(!aCz){Dv.body
.removeChild(C_);}}};})();g_oX=(function(){var.aBr=window.location,nB=
{},bH,aBq=aBr.search.substring(1),aCr,aCt;if(!aBq).return nB;aCr=aBq.s
plit("&");for(bH=0;bH<aCr.length;bH  ){aCt=aCr[bH].split('=');nB[aC
t[0]]=aCt[1]?aCt[1]:"";}.return nB;})();(function(){var aCl=screen<<< skipped >>>

GET /glp?r=&u=http://VVV.81830.info/tg14.html&rw=1276&rh=846&ww=772&wh=467 HTTP/1.1

Accept: */*

Referer: hXXp://VVV.81830.info/tg14.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.81830.info

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Sun, 09 Oct 2016 02:16:43 GMT

Content-Type: text/javascript;charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache
1787..$GLP={"ac":"81830.info","vr":"81830.info","Wr":118,"Ic":"ec","pc
":true,"Lr":"The domain 81830.info may be for sale. Click here to inqu
ire about this domain.","Mr":"Or","Dn":"as-drid-2294027517368578","Ir"
:"dp-bodis01us_3ph_js","Rr":"eb8290a3e9f4d7ed1bd15330a713df78","Sr":""
,"Dr":"en","Pr":"http:\/\/VVV.81830.info\/tg14.html","Tr":"\/\/trackin
g.bodis.com\/tlpv?d=eyJkb21haW5fbmFtZSI6IjgxODMwLmluZm8iLCJzZXJ2ZXIiOj
ExOCwiVVJMIjoiaHR0cDpcL1wvd3d3LjgxODMwLmluZm9cL3RnMTQuaHRtbCIsInJlZmVy
cmVyIjoiIiwiZHciOjc3MiwiZGgiOjQ2NywicnciOjEyNzYsInJoIjo4NDZ9&t=1475979
403","Hr":"\/\/tracking.bodis.com\/tlpc?d=eyJkb21haW5fbmFtZSI6IjgxODMw
LmluZm8iLCJyZXF1ZXN0X3RpbWUiOjE0NzU5Nzk0MDMsInJlZmVycmVyIjoiIn0&t=1475
979403"};g_oV=(function(){var.Dv=document,aBZ=Dv.body||Dv.getElementsB
yTagName('body')[0],aBX=Dv.head||Dv.getElementsByTagName('head')[0],iU
=$GLP,aCd=0,aAp=0,Ih=encodeURIComponent,Sy='classList'in Dv.documentEl
ement,aBN='hXXp://tracking.bodis.com/';var nL={};function Xj(cE,oe){if
(nL[cE]){throw"aBF";}.nL[cE]=oe;}.function aBs(bF){return Dv.getElemen
tById(bF);}.function Jh(cn,Oc,aK){if(cn.addEventListener){cn.addEventL
istener(Oc,aK,false);}.else if(cn.attachEvent){cn.attachEvent('on' Oc,
aK);}}.function aO(cn,cB){var.NN,Pv,bH;if(!cn.className){cn.className=
cB;}.else if(Sy){NN=(cB||"").split(/\s /);for(bH=0;bH<NN.length;bH 
 ){cn.classList.add(NN[bH]);}}.else{NN=cB.split(/\s /);Pv=" " cn.class
Name " ";for(bH=0;bH<NN.length;bH  ){if(!~Pv.indexOf(" " NN[bH] " "
)){Pv =NN[bH] " ";}}.cn.className=Pv.trim();}}.function aAt(bE,aAY<<< skipped >>>

GET /listing HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.81830.info

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Sun, 09 Oct 2016 02:16:43 GMT

Content-Type: text/html

Content-Length: 1051

Last-Modified: Wed, 24 Aug 2016 23:20:13 GMT

Connection: keep-alive

ETag: "57be2bad-41b"

Accept-Ranges: bytes
<!DOCTYPE html><!--[if lt IE 7 ]><html class="ie6">&
lt;![endif]--><!--[if IE 7 ]><html class="ie7"><![en
dif]--><!--[if IE 8 ]><html class="ie8"><![endif]--&
gt;<!--[if IE 9 ]><html class="ie9"><![endif]--><
!--[if (gt IE 9)|!(IE)]>--><html><!--<![endif]-->
<head><meta http-equiv="Content-Type" content="text/html; cha
rset=utf-8"><title></title><meta name="viewport" con
tent="width=device-width, initial-scale=1"></head><body>
;<noscript>This domain is for sale. Please enable JavaScript in 
your browser to contact the owner.</noscript><script type="te
xt/javascript">var.aBr=window.location,Dv=document,Ih=encodeURIComp
onent,RH=Dv.getElementsByTagName('body')[0],aCn=new RegExp("[\\?&]cid=
([a-zA-Z0-9._-]*)").exec(aBr.search),aCo=aCn?decodeURIComponent(aCn[1]
):null,aCq,$$,aCp;if(top.location!=aBr).top.location.href=aBr.href;$$=
aBr.href.split('?')[0];aCp=Dv.referrer?Dv.referrer.substr(0,255):'';aC
q=Dv.createElement('script');aCq.type='text/javascript';aCq.src='/gbp'
 '?r=' Ih(aCp) '&u=' Ih($$) .(aCo?'&cid=' aCo:'');RH.appendChild(aCq);
</script></body></html>HTTP/1.1 200 OK..Server: ngin
x/1.6.3..Date: Sun, 09 Oct 2016 02:16:43 GMT..Content-Type: text/html.
.Content-Length: 1051..Last-Modified: Wed, 24 Aug 2016 23:20:13 GMT..C
onnection: keep-alive..ETag: "57be2bad-41b"..Accept-Ranges: bytes..<
;!DOCTYPE html><!--[if lt IE 7 ]><html class="ie6"><<< skipped >>>

GET /gbp?r=&u=http://VVV.81830.info/listing HTTP/1.1

Accept: */*

Referer: hXXp://VVV.81830.info/listing

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.81830.info

Connection: Keep-Alive


HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Sun, 09 Oct 2016 02:16:45 GMT

Content-Type: text/javascript;charset=UTF-8

Transfer-Encoding: chunked

Connection: keep-alive

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache
1f31..$BP={"ac":"81830.info","vr":"81830.info","Dr":"en","Br":"6LeR2xA
TAAAAAP79w78ybi17YPwFQpcxocXUlECT","Ar":"\/\/tracking.bodis.com\/tbpv?
d=eyJkb21haW5fbmFtZSI6IjgxODMwLmluZm8iLCJzZXJ2ZXIiOjExOCwiVVJMIjoiaHR0
cDpcL1wvd3d3LjgxODMwLmluZm9cL2xpc3RpbmciLCJyZWZlcnJlciI6IiIsImJyb3dzZX
JfdHlwZSI6Ik9MRF9ERVNLVE9QIn0&t=1475979405"};g_oT=(function(){var.Dv=d
ocument,ec=undefined,iU=$BP,az$,aAp=0;function azV(){if(!String.protot
ype.trim){(function(){var aAK=/^[\s\uFEFF\xA0] |[\s\uFEFF\xA0] $/g;Str
ing.prototype.trim=function(){return this.replace(aAK,'');};})();}.(fu
nction(){if(Dv.querySelectorAll).return;var.aAJ=Dv.styleSheets[0]||Dv.
createStyleSheet(),aAB,aAb,bH,aAc;Dv.querySelectorAll=function(cn){aAJ
.addRule(cn,'f:b');aAb=aAB.length;bH=0;aAc=[];for(;bH<aAb;bH  ).aAB
[bH].currentStyle.f&&aAc.push(aAB[bH]);aAJ.removeRule(0);return aAc;};
})();}.function aAt(bE,aAY,aAL){if(aAp).return;function aAV(){if(aAY==
=undefined||aAY).location.replace(bE);else.location.href=bE;}.if(aAL==
=undefined||aAL).aAV();else.setTimeout(aAV,500);aAp=1;}.function Cg($$
,JU){if(window.XMLHttpRequest&&'withCredentials'in new XMLHttpRequest(
)){var Op=new XMLHttpRequest();Op.onreadystatechange=function(){if(Op.
readyState!=4||Op.status===0).return;if(Op.status==200){if(JU).JU();}}
;Op.open('GET',$$);Op.send();}.else{var aBa=new Image();aBa.src=$$;set
Timeout(JU,3000);}}.function aAg(aK){Cg(iU.Ar,aK);}.function azE(aAM){
var.aAv=Dv.createElement('style');aAv.type='text/css';if(aAv.styleShee
t).aAv.styleSheet.cssText=aAM;else.aAv.appendChild(Dv.createTextNo<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_464:

.text

`.rdata

@.data

.rsrc

s%j.Zf

tGHt.Ht&

tCPh

SSSSh

\$%u#Sj

Please contact the application's support team for more information.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

GetProcessWindowStation

USER32.DLL

operator

This is a compiled AutoIt script. AV researchers please email [email protected] for support.

uxtheme.dll

kernel32.dll

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is not compiled with PCRE_UTF8 support

PCRE does not support \L, \l, \N, \U, or \u

support for \P, \p, and \X has not been compiled

(*VERB) with an argument is not supported

ICMP.DLL

advapi32.dll

RegDeleteKeyExW

KERNEL32.DLL

ADVAPI32.dll

COMCTL32.dll

COMDLG32.dll

GDI32.dll

MPR.dll

ole32.dll

OLEAUT32.dll

PSAPI.DLL

SHELL32.dll

USER32.dll

USERENV.dll

VERSION.dll

WININET.dll

WINMM.dll

WSOCK32.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

GetCPInfo

GetConsoleOutputCP

RegDeleteKeyW

RegCreateKeyExW

RegEnumKeyExW

RegCloseKey

RegOpenKeyExW

SetViewportOrgEx

ShellExecuteExW

SHFileOperationW

ShellExecuteW

RegisterHotKey

GetKeyboardLayoutNameW

ExitWindowsEx

EnumThreadWindows

GetAsyncKeyState

SetKeyboardState

GetKeyboardState

GetKeyState

VkKeyScanW

EnumWindows

EnumChildWindows

MapVirtualKeyW

CloseWindowStation

SetProcessWindowStation

OpenWindowStationW

UnregisterHotKey

keybd_event

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

zcÁ

]X.PV

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"></assemblyIdentity>

mscoree.dll

>>>AUTOIT NO CMDEXECUTE<<<

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

#NoAutoIt3Execute

APPSKEY

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

%s (%d) : ==> %s:

UDPSTARTUP

UDPSHUTDOWN

UDPSEND

UDPRECV

UDPOPEN

UDPCLOSESOCKET

UDPBIND

TRAYGETMSG

TCPSTARTUP

TCPSHUTDOWN

TCPSEND

TCPRECV

TCPNAMETOIP

TCPLISTEN

TCPCONNECT

TCPCLOSESOCKET

TCPACCEPT

SHELLEXECUTEWAIT

SHELLEXECUTE

REGENUMKEY

MSGBOX

ISKEYWORD

HTTPSETUSERAGENT

HTTPSETPROXY

HOTKEYSET

GUIREGISTERMSG

GUIGETMSG

GUICTRLSENDMSG

GUICTRLRECVMSG

FTPSETPROXY

\??\%s

GUI_RUNDEFMSG

SendKeyDelay

SendKeyDownDelay

TCPTimeout

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AutoIt.Error

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

HOTKEYPRESSED

AUTOITEXE

WINDOWSDIR

3, 3, 6, 1

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

c:\%original file name%.exe

:C:\%original file name%.exe

HCan pass constants by reference only to parameters with "Const" keyword.

IEXPLORE.EXE_1076:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

IEXPLORE.EXE_1460:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

IEXPLORE.EXE_1416:

%?9-*09,*19}*09

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

USER32.dll

SHLWAPI.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

rsabase.dll

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

watson.microsoft.com

IEWatsonURL

%s -h %u

iedw.exe

Iexplore.XPExceptionFilter

jscript.DLL

mshtml.dll

mlang.dll

urlmon.dll

wininet.dll

shdocvw.DLL

browseui.DLL

comctl32.DLL

IEXPLORE.EXE

iexplore.pdb

ADVAPI32.dll

MsgWaitForMultipleObjects

IExplorer.EXE

IIIIIB(II<.Fg

7?_____ZZSSH%

)z.UUUUUUUU

,....Qym

````2```

{.QLQIIIKGKGKGKGKGKG

;33;33;0

browseui.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

Windows

Operating System

6.00.2900.5512

forqd340.exe_1688:

.text

`.rdata

@.data

.rsrc

FC02893F-0B1D-4095-B49E-1BFF2A1C5CB5

[Loader] Comments:%s

\StringFileInfo\xx\Comments

[Loader] GetFileVersionInfo error:%d

[Loader] nVersionLen:%d

Common Files\PPLiveNetwork\PPAP.exe

PPLiveNetwork\PPAP.exe

"%s" /LoadModule MngModule.dll /T 2 /A "%s "

hXXp://%s/%s?%s

&%s=%s

%s=%s

interface/down_submit.aspx

/Product %s /Custom %s /Channel %s /SoftID %s

ins-stat.pplive.com

interface/load_submit.aspx

[Loader] VerComments:%d

[Loader] StartDownload installURL:%s

[Loader] StartDownload pszUrl:%s

hXXp://

[Loader] Product:%s Custom:%s Channel:%s SoftID:%s

[Loader] argc:%s

[Loader] pszUrl:%s

hXXp://download.pplive.com/PPTV(pplive)_forqd340.exe

kernel32.dll

URLDownloadToFileA

urlmon.dll

[Loader] CreateProcess error %d

[Loader] download successfully runpath:%s

[Loader] pszSleepTime %d

hXXp://127.0.0.1:%d/ppvadownloadbyurl?url=%s

MFC42.DLL

MSVCRT.dll

_acmdln

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExA

RegOpenKeyExA

RegDeleteKeyA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

ole32.dll

OLEAUT32.dll

CreateURLMoniker

MSVCP60.dll

InternetCrackUrlA

WININET.dll

SHLWAPI.dll

VERSION.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\PPTV(pplive)_forqd340.exe

1, 0, 0, 1

Loader.exe

regedit.exe_252:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_708:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_428:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_1888:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_1992:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_304:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_1692:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_640:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_516:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_364:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

regedit.exe_2060:

.text

`.data

.rsrc

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

COMCTL32.dll

comdlg32.dll

SHELL32.dll

AUTHZ.dll

ACLUI.dll

ole32.dll

ulib.dll

clb.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

regedit.pdb

udPj

WSSSSh

WSSSShA

mSSh\

u=SSSShH

uKSSh

_acmdln

RegCloseKey

RegOpenKeyW

RegCreateKeyW

RegEnumKeyW

RegUnLoadKeyW

RegLoadKeyW

RegOpenKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegRestoreKeyW

RegSaveKeyW

RegFlushKey

GetProcessHeap

SetViewportOrgEx

GetKeyState

ntdll.dll

RegOpenKeyExA

version="1.0.0.0"

name="Microsoft.Windows.Regedit" type="win32" />

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites

LastKey

regedit.chm

Software\Microsoft\Windows\CurrentVersion\Policies\System

.classes

Windows Registry Editor Version

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

REGEDIT: CreateFile failed, GetLastError() = %d

x x x x x x x x x - x x x x x x x x %c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c

riched20.dll

0xx

0xxx

x x x x x x x x x

x x x x x

%#08xx

5.1.2600.5512 (xpsp.080413-2111)

REGEDIT.EXE

Windows

Operating System

5.1.2600.5512

Export range

&Keys

Import Registry File

&Key Name:

Channel;Port

Port:

Port

&Import...

&Export...

&Copy Key Name

&Export

New Key #%%u

New Value #%%u

regedit.hlp

Registration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.#Text Files (*.txt)#*.txt#Win9x/NT4 Registration Files (*.reg)#*.reg#All Files#*.*#

If you still see this message, try restarting Windows.

Export Registry FileMRegistration Files (*.reg)#*.reg#Registry Hive Files (*.*)#*.*#All Files#*.*#

All Files#*.*#

9Registry editing has been disabled by your administrator.(Finished searching through the registry.*Click the computer you want to connect to.ACommand line argument requires a filename and none was specified.

@Are you sure you want to delete this key and all of its subkeys?

Confirm Key Delete-Are you sure you want to delete these values?

Confirm Value Delete Are you sure you want to delete this value?GAre you sure you want to unload the current key and all of its subkeys?

The key will be restored on top of key: %1.

All value entries and subkeys of this key will be deleted.

Do you want to continue the operation?

Confirm Restore Key

Error Renaming Key

?The Registry Editor cannot rename %1. Error while renaming key.lThe Registry Editor cannot rename %1. The specified key name is too long. Type a shorter name and try again.mThe Registry Editor cannot rename %1. The specified key name already exists. Type another name and try again.QThe Registry Editor cannot rename %1. Specify a key name without a backslash (\).gThe Registry Editor cannot rename %1. The specified key name is empty. Type another name and try again.

Error Renaming ValueAThe Registry Editor cannot rename %1. Error while renaming value.oThe Registry Editor cannot rename %1. The specified value name already exists. Type another name and try again.iThe Registry Editor cannot rename %1. The specified value name is empty. Type another name and try again.

Error Deleting Key

,Cannot delete %1: Error while deleting key.

Error Opening Key)Cannot open %1: Error while opening key.

4Cannot edit %1: Error reading the value's contents.8Cannot edit %1: Error writing the value's new contents.lData of type REG_MULTI_SZ cannot contain empty strings.

Registry Editor will remove the empty string found.mData of type REG_MULTI_SZ cannot contain empty strings.

If you still see this message, try restarting Windows.|The decimal value entered is greater than the maximum value of a DWORD.

Cannot import %1: The specified file is not a registry script.

You can only import binary registry files from within the registry editor.

.Cannot import %1: The key selected is invalid.*Cannot import %1: Insufficient privileges.

HInformation in %1 has been successfully entered into the registry on %2.SCannot import %1: Error opening the file. There may be a disk or file system error._Cannot import %1: Error reading the file. There may be a disk error or the file may be corrupt.5Cannot import %1: Error accessing the registry on %2.~Cannot import %1: Not all data was successfully written to the registry. Some keys are open by the system or other processes.`Cannot import %1: The specified file is not a registry file. You can import only registry files.ZCannot import %1: The specified file is not intended for use with this version of Windows.:Cannot import %1: The file specified does not exist on %2.

SCannot export %1: Error opening the file. There may be a disk or file system error.

SCannot export %1: Error writing the file. There may be a disk or file system error.*Cannot export %1: Insufficient privileges..Cannot export %1: The key selected is invalid.

/Cannot import %1: Error accessing the registry.

4Cannot import %1: The file specified does not exist.

Cannot print: Insufficient memory to begin job. Try closing down some applications, and try again. If you still see this message, try restarting Windows.|Cannot print: An error occurred during printing. Check your printer and your printer's settings for problems, and try again.9Cannot print: Error reading a registry value's contents.

Unable to connect to all of the roots of the computer's registry. Disconnect from the remote registry and then reconnect before trying again.TUnable to connect to %1. Make sure you have permission to administer this computer.

Cannot save subtree: Insufficient memory. Try closing down some applications, and try again. If you still see this message, try restarting Windows.@Cannot save subtree: Error reading a registry value's contents.\Cannot save subtree to %1: Error writing the file. There may be a disk or file system error.\Cannot save subtree to %1: Error opening the file. There may be a disk or file system error.

Error Creating Key2Cannot create key: Error while opening the key %1.1Cannot create key: Error writing to the registry.4Cannot create key: Unable to generate a unique name.

Adds a new DWORD value.5Copies the name of the selected key to the Clipboard.

Adds a new multi-string value.#Adds a new expandable string value.#Displays the permissions for a key.'Displays a value's data as binary data."Loads a hive file to the registry.!Unloads a hive from the registry.

)Connects to a remote computer's registry.!Imports a file into the registry..Exports all or part of the registry to a file.#Prints all or part of the registry.

Quits the Registry Editor.-Finds a text string in a key, value, or data.

Adds a new key.

.Disconnects from a remote computer's registry.

%Removes keys from the Favorites list. Adds keys to the Favorites list.

6Contains commands for working with the whole registry.-Contains commands for editing values or keys.6Contains commands for customizing the registry window.PContains commands for displaying Help for and information about Registry Editor.2Contains commands for creating new keys or values.5Contains commands for accessing frequently used keys.

Enumerate Subkeys

Create Subkey

Registry &Key'R&eplace Permission on Existing Subkeys$Audit Permission on Existing SubkeysHDo you want to replace the permission on all existing subkeys within %1?4Do you want to audit all existing subkeys within %1?

This key only

This key and subkeys

Subkeys only

The key currently selected does not give you access to retrieve such information.pRegistry Editor could not retrieve the security information.

The key currently selected is marked for deletion.kRegistry Editor could not retrieve the security information.

The key currently selected is not accessible.

The key currently selected does not give you access to save such information.lRegistry Editor could not save the security information.

The key currently selected is marked for deletion.

^Registry Editor could not set security in the key currently selected, or some of its subkeys. [Registry Editor could not set owner on the key currently selected, or some of its subkeys.

Registry Editor could not set security in the key currently selected, or some of its subkeys.

These keys do not give you access to change security information.

Registry Editor could not set security in all subkeys.

The key currently selected contains one or more subkeys marked for deletion.}Registry Editor could not set security in all subkeys.

The key currently selected contains one or more inaccessible subkeys.

Key Name:

Port:

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

attrib.exe:2176
attrib.exe:2184
%original file name%.exe:464
tasklist.exe:2192
regedit.exe:1992
regedit.exe:708
regedit.exe:640
regedit.exe:304
regedit.exe:2068
regedit.exe:428
regedit.exe:1692
regedit.exe:1888
regedit.exe:252
regedit.exe:2060
regedit.exe:364
regedit.exe:516
find.exe:2228
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

%Documents and Settings%\All Users\Application Data\vcry\kwsui.dll (3833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d.tmp (91 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autA.tmp (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut5.tmp (3185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (3089 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (1176 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\kws\kws.ini (723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pi3603.exe (254330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (3185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gou3603.exe (320269 bytes)
%Documents and Settings%\All Users\Application Data\vcry\kswbc.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\shishuoxinci[1].htm (23685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut7.tmp (938 bytes)
%Documents and Settings%\All Users\Desktop\forqd340.exe (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut8.tmp (4065 bytes)
%Documents and Settings%\%current user%\Desktop\okregreg.reg (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\location[1].htm (91 bytes)
%Documents and Settings%\%current user%\Desktop\Internat Explorer.ECJ (37 bytes)
%Program Files%\Microsoft Cdobe Emulator\Internat Explorer\target.lnk (168 bytes)
%Documents and Settings%\All Users\Application Data\vcry\kswebshield.dll (4025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut9.tmp (118 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\All Users\Application Data\vcry\kwssp.dll (3641 bytes)
%Documents and Settings%\All Users\Application Data\vcry\saes.exe (3417 bytes)
%Program Files%\Microsoft Cdobe Emulator\Internat Explorer\Desktop.ini (75 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\kws\spitesp.dat (2 bytes)
%Documents and Settings%\Administrator\Application Data\Tencent\AXSEF\AXSEF.exe (1742357 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut6.tmp (2017 bytes)
%Documents and Settings%\%current user%\Application Data\360se\360se.ini (39 bytes)
%System%\tasklist.txt (152367 bytes)
%System%\find.txt (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\PPTV(pplive)_forqd340[1].exe (148172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Atfmon.exe" = "D:\Stion\tmp....................................\a.{D71C5380-D2A0-CD69-E3EE-E1002B3A309E}.. hh.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Gen.Trojan.Heur.AutoIT.1_80d963ab8d

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Gen.Trojan.Heur.AutoIT.1_80d963ab8d

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet