Gen.Variant.Barys.10723_aa4588cfaa

by malwarelabrobot on July 26th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Barys.10723 (B) (Emsisoft), Gen:Variant.Barys.10723 (AdAware), Backdoor.Win32.PcClient.FD, Worm.Win32.Ainslot.VB.FD, GenericAutorunWorm.YR, WormAinslot_VariantOfZeus.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: aa4588cfaa775cc923b71b0f7816856d
SHA1: 4dcabbda71d24d717411753e0c9626257ccf6921
SHA256: dceb2094f3b7ca892a3afeccc7709bb61082645a46e9f755e52a4beabebfdb47
SSDeep: 49152:Z MZCTp2voG9DoYBbCeH/FPUSz/yyh5FDPhRadYiHs:Z/ tB6/tbnhfDPhRadYiHs
Size: 1871872 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: SQXBP
Created at: 2012-04-19 23:30:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour: WormAutorun
Description: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1872
csc.exe:1296
csc.exe:1684
ǢҧƁƣǎ.exe:832
cvtres.exe:2024
cvtres.exe:332
rundll32.exe:1460
ƜƳƂǍƕ.exe:2004
Eric22.exe:364
dumprep.exe:212
dumprep.exe:348

The Trojan injects its code into the following process(es):

svchost.exe:340
svchost.exe:1064

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.cmdline (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.out (362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.0.cs (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Eric22.exe (3687 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.0.cs (0 bytes)

The process csc.exe:1296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ǢҧƁƣǎ.exe (3442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC3.tmp (636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.out (396 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC3.tmp (0 bytes)

The process csc.exe:1684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC1.tmp (636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ƜƳƂǍƕ.exe (3410 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CSC1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES2.tmp (0 bytes)

The process cvtres.exe:2024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES2.tmp (2864 bytes)

The process cvtres.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RES4.tmp (2864 bytes)

The process ƜƳƂǍƕ.exe:2004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MsMpEng.exe (13122 bytes)

The process Eric22.exe:364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.0.cs (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.cmdline (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.out (362 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.out (0 bytes)

The process dumprep.exe:212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WER51cb.dir00\svchost.exe.hdmp (215703 bytes)

The process dumprep.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WER51cb.dir00\svchost.exe.mdmp (102001 bytes)

Registry activity

The process %original file name%.exe:1872 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 C3 AB DA 03 FC F9 D1 68 DD 12 10 4A 6A 67 9D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"Eric22.exe" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"ƜƳƂǍƕ.exe" = ""

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process csc.exe:1296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 12 63 15 BE 4F 44 18 0A E8 21 A0 C9 31 29 D5"

The process csc.exe:1684 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A B6 68 D1 CF D4 A7 8E 47 09 4F 56 A3 81 1B 55"

The process ǢҧƁƣǎ.exe:832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 92 A4 B4 6A E9 45 04 03 6D F7 2F 32 5E 0E 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Essentials" = "%Documents and Settings%\%current user%\Local Settings\Temp\MsMpEng.exe"

The process cvtres.exe:2024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 8B 6A 7A C8 EF F8 60 34 71 9E A6 57 46 7F 01"

The process cvtres.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 4D AE 56 98 B2 98 67 BB FD 24 60 AD 71 C7 BF"

The process rundll32.exe:1460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 40 BA 46 C1 B5 42 1E 10 40 2D BB 1F 6D 45 9D"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Documents and Settings%\%current user%\Local Settings\Temp]
"svchost.exe" = "EnableNXShowUI"

[HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility]
"AppCompatCache" = "EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00"

The process ƜƳƂǍƕ.exe:2004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 74 EB E1 14 9D 5F B4 72 68 33 85 E8 97 D4 58"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Essentials" = "%Documents and Settings%\%current user%\Local Settings\Temp\MsMpEng.exe"

The process Eric22.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 91 6B 8A 72 BA 66 96 23 33 7B 54 6A CA BC 07"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"ǢҧƁƣǎ.exe" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The process dumprep.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 70 6F 03 80 1B A6 65 93 FC D1 26 F0 1E B8 38"

The process dumprep.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 42 49 50 0D A6 7D 78 C1 F6 55 05 88 DA F6 4D"

Dropped PE files

MD5 File path
06dbd0064e3f63d764ab3c95962f0241 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Eric22.exe
e0d21bee6dae44a7c6e1896d7a8c7463 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\HannahsVideo.exe
e0d21bee6dae44a7c6e1896d7a8c7463 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\svchost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name:
Product Version: 0.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename: setup.exe
Internal Name: setup.exe
File Version: 0.0.0.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 1869408 1869824 5.53106 f2f8146f74d10524b9872e7d0330e640
.reloc 1884160 12 512 0.070639 82cce3098daf8d2224478d0934da4638
.rsrc 1892352 660 1024 1.47519 3a15d2f40e4cc13623a5c673752e1291

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

svchost.exe_340:

.text
`.data
.rsrc
@.reloc
OperationCancelled
AuthSchemeNotSupported
WinHttpQueryAuthSchemesFailed
WinHttpSetOptionFailed
FailedToObtainFileURL
WinHttpSetProxyOptionFailed
WinHttpSetCredentialsFailed
WinHttpStatusDenied
WinHttpQueryHeadersFailed
OHttpReadTruncated
WinHttpDataTruncated
WinHttpReadDataFailed
WinHttpNoData
WinHttpReceiveResponseFailed
WinHttpSendRequestFailed
WinHttpOpenRequestFailed
WinHttpConnectFailed
WinHttpCloseFailed
WinHttpOpenFailed
InvalidServiceOperation
SQLFailedToSetAttribute
SQLFailedToRetrieveData
SQLFailedToExecuteStatement
SQLFailedToConnect
SQLFailedToAllocateHandle
SQLAlreadyConnected
NoSupportedCulture
InvalidOperation
InvalidCDKey
.CoInitializeEx(0, %d) failed. Error code: 0xx.
CoInitializeEx(0, %d) failed; Appartment type: current=%d,requested=%d. Error code: 0xx.
OLog not initialized for reporting events
Log intialized to report Event Logs
shared_ptr cannot apply operator '->' to an empty object pointer
d:\office\source\ocfx\olog.cpp
Log already intialized to report Event Logs
d:\office\source\otools\inc\ocfx\ocominterface.h
d:\office\source\otools\inc\ocfx\osmartpointer.h
d:\office\source\otools\inc\ocfx\oalloc.h
OCOMInterface cannot apply operator '->' to NULL interface pointer
cannot load kernel32.dll
OSmartPointer cannot apply operator '->' to an empty object pointer
.Cannot load sysem string for error x in language %i
d:\office\source\ocfx\osecurity.cpp
d:\office\source\ocfx\oversion.cpp
.Unicows.dll
Kernel32.dll
Failed to free DLL: %S
d:\office\source\ocfx\olibrary.cpp
.Failed to get procedure: %S
Failed to load DLL: %S
Cannot set file %S attbutes to %u
failed to open file '%S'
failed to delete file %S
Failed to copy file src: %S, dest: %S
.d:\office\source\ocfx\ofile.cpp
Path passed in is too long.
ASHCreateDirectoryEx failed for directory: %S
GetDirectories: search path %S does not exist
GetFiles: search path %S does not exist
failed to set current directory to: %S, error %d
d:\office\source\otools\inc\ocfx\othreadlocal.h
tlsIndex out of indexes
OSmartPointer cannot apply operator '*' to an empty object pointer
d:\office\source\ocfx\oexceptionmanager.cpp
d:\office\source\ocfx\oblob.cpp
ORegistryKey.GetValue failure: Cannot get registry %S value %S
Failed to create registry key: %d
Failed to create registry key: registry key name "%S" is too long
ORegistryKey.Open failure: The length of subkey %S is longer than the maximum length allowed
ORegistryKey.Open failure: Parent key is NULL
d:\office\source\ocfx\oregistrykey.cpp
root hkey is expected
ORegistryKey.GetValue failure: Cannot get String value. The registry key is closed or not set
.Cannot detect whether the current machine is a domain controller
.back_ptr cannot apply operator '->' to an empty object pointer
d:\office\source\setupexe\lis\logic\lis.h
%S element specified in config.xml without a Value attribute.
d:\office\source\setupexe\catalyst\catcore\catconfig.cpp
InstallTrial %S is an unknown value
ShowUI %S is an unknown value
CACHEACTION %S is an unknow value
State attribute missing from OptionState element id: %S
Invalid value specified for OptionState State attribute: %S
Invalid product: %S specified in config.xml when product %S has already been selected
Invalid value specified for Command Execute attribute: %S
Invalid value specified for Command ChainPosition attribute: %S
Invalid value specified for Path attribute: %S
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
CorporateSQMURL
HKEY_CLASSES_ROOT
sftldr_wow64.dll
sftldr.dll
verifier.dll
.Software\Microsoft\Office\14.0
msodatad.dat
SYSTEM\CurrentControlSet\Control\Windows
NetGetJoinInformation
1404730
Found Office Product Version %S.
Could not get version registry key.
BCryptDestroyKey
BCryptGenerateSymmetricKey
HttpEndRequestW
HttpSendRequestExW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
InternetOpenUrlA
InternetOpenUrlW
SetUrlCacheEntryGroup
SetUrlCacheEntryGroupW
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryExA
FindNextUrlCacheEntryExW
FindFirstUrlCacheEntryExA
FindFirstUrlCacheEntryExW
GetUrlCacheEntryInfoA
GetUrlCacheEntryInfoW
CommitUrlCacheEntryA
CommitUrlCacheEntryW
CreateUrlCacheEntryA
CreateUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestW
InternetCrackUrlW
InternetCrackUrlA
FtpRemoveDirectoryA
FtpCreateDirectoryA
FtpDeleteFileA
FtpRenameFileA
InternetCanonicalizeUrlW
InternetCanonicalizeUrlA
InternetCombineUrlA
FtpFindFirstFileA
FtpGetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpGetFileA
FtpOpenFileA
%$%,%4%<%
S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%
b%c%d%e%f%g%h%i%j%k%l%
!"#$%&'()* ,-./0123456789:;<=
!!!!2222
%%%f||||
!!!!2222||||
!"#$%&'(
'()* ,-./0
&'()* ,-./
&'()* ,-./012345
3456789
.ASex
!"#$%&'()* ,-./012
!"#$%&'()
.Delete fails in DeleteArea
.*** Software Failure: %s ***
Bucket can't get a size key in UpdateBucket
.Unknown exception
.CorExitProcess
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.bad exception
?GetProcessWindowStation
USER32.DLL
.msxml.domdocument
DetectionOperation
No such interface supported
Operation aborted
.General_AppName
General_Reportee
ReportingFlags
Stage1URL
Stage2URL
Main_ReportBtn
Main_NoReportBtn
_dw2_0.txt
Reportee
ReportButton
NoReportButton
_dw1_5.txt
.Software\Policies\Microsoft\Windows\Installer
.PatchInstalled
.SELECT `Property`, `Value` FROM `Property`
/dw/SetupStageTwo.asp
.d:\office\source\ocfx\oxmlnode.cpp
.get_attributes failed
SelectNodes: %s called for OXmlNode with null interface
d:\office\source\ocfx\oxmlelement.cpp
.d:\office\source\ocfx\oxmldocument.cpp
XML document load failed for file: %S
.d:\office\source\ocfx\oxmlnodelist.cpp
.Count get property called for OXmlNodeList with null interface
.d:\office\source\ocfx\oxmlnamednodemap.cpp
.VVVVj
.jtSj=
t.Ht$Ht
.tMSWV
.jDPh
.jxX9
.wKShqrf7
.uFWVj
.WhTA
.VVVVVVVVj
.Ph8ga3P
.Vha441V
.tCSVW
.hgqawh
.hhqawh
.PhqssqP
.Phz6g5
.Phjvuq
.Phua46P
.Phwa46P
.SSS 
.wIVSP
setup.exe
msi.dll
GDI32.dll
dbghelp.dll
WINTRUST.dll
SHLWAPI.dll
USER32.dll
SHELL32.dll
OLEAUT32.dll
ole32.dll
KERNEL32.dll
ADVAPI32.dll
RPCRT4.dll
Secur32.dll
VERSION.dll
ReportEventW
RegQueryInfoKeyW
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
RegOpenKeyExA
RegEnumKeyW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
GetKeyboardLayout
GetKeyboardLayoutList
t:\setupexe\x86\ship\0\setup.pdb
x86\ship\0\setup.exe\bbtopt\setupO.pdb
.?AVORegistryKey@@
.PAVCMspError@@
`!`'`)` `
e%f-f|3 f'f/f
]!^"^#^ ^$^
t.uGuHu
x4x7x%x-x x
h&h(h.hMh:h%h h,k/k-k1k4kmk
k%lzmcmdmvm
^Q]Q~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP
]8^6^3^7^
ichczc]eVeQeYeWe_UOeXeUeTe
{1{ {-{/{2{8{
r6s%s4s)s:t*t3t"t%t5t6t4t/t
t&t(t%u&ukuju
WHX%X
`IaJa aEa6a2a.aFa/aOa)a@a bh
d@d%d'd
duewexei
kCpDpJpHpIpEpFp
S$S%S&S'S(S)S S,S.S2S3S5S6S8S:S;SBSFSKSNSOSPSUSVSXSYS[S]S_SbSdSeSgShSiSjSkSmStSvSzS}S~S
U U!U"U#U$U%U(U)U U:U=U?UBUGUIULUSUTUXUYUZU[U]U`UgUhUiUkUlUmUnUoUpUqUrUsUtUxUyUzU
c c!c"c#c$c%c&c'c.c0c1c5c7c?cRcSc[c\c]c^c_c`cacbcccdcfcjclcsctcyc~c
m!m#m$m&mCmDmEmFmGmHmImJmKmLmMmNmOmPmQmRmSmTmUmVmWm[m\m]mkmqmrmsm
nRsSsh
evg%f
m.tRa
gtr%x
Q%SKg
f.ebp>QI
y.yxT
fn:q%uN
aw.Toiz
RMeXe
S#S$S%S;ScSdSrSsStSuS
`!`"`&`'`)`*` `,`-`.`/`0`2`3`4`5`6`:`=`>`?`
^ ^!^"^#^$^%^&^'^.^}^
c c!c"c#c$c%c&c'c*c7c:c;cSc[c1e?e@eAeBeCeDeEe
f f!f"f#f$f%f&f'f(f)f*f f,f-f
m m!m"m#m$m%m&m'm(m)m*m m,m-m.m1m2m3m4m5m6m7m8m9m:m;m<m=m>m?m@mBmCmDmGmHmImJmKmLmMmNmOmPmQmRmSmTmUm
u u-u.uFuGuHuIuJuKuLuMuNuOuPuQuRuSu
U U!U"U#U$U%U&U'U(U4UJU
](^)^*^ ^,^-^/^0^1^
m/mAmFmVmWmXmYmZm[m\m]m^m_m`mambmcmdmemfmgmhmimjmkmlmmmnmompmqmrmsmtmumvmwmxmymzm{m|m}m~m
x x!x"x#x$x%x'x(x)x*x x,x.x/x0x1x2x3x4x5x6x7x8x9x:x;x<x=x>x?x@xAxXy_yaycydyeygyiyjykylynyoy
} }!}"}#}$}%}&}'}
] ]!]"]#]$]%]&]'](])]*] ],]-].]/]0]
]2^3^4^5^6^7^8^9^:^;^<^>^
cMeNeOePeQeReSeTeUeWeXeYeZe[e]ebe
X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X3X4X6X7X8X9X:X;X<X>X?X@XAXBXCXDXEXFXGXHXJXTX_X`XfXmX
d%d-d0d=dRdad2e\e^e_e`eaecedeeefegeheiejele
s"s#s$s%s&s(s)s,s-s/s0s1s2s3s4s5s6s8s9s>s@sGs
u$u%u&u/ujukulumunuouqurusutu
duewexeyeze{e
~ ~!~"~#~$~%~&~'~(~*~ ~-~8~:~0
| |!|"|#|$|%|&|(|)|*|-|.|/|0|1|2|6|
{3~3}3|3
eZl%u
Q.YeY
R:\Sg|p5rL
e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexei
s4s/s)s%s>sNsOs
s&t*t)t.tbt
2%2.bx
{ | }9},
d6exe9j
]%sOu4](n
m.t.zB}
w%xIyWy
^vcÓv
%f?iCt
U>_.lE
f.ebp
.nrR=
{fn:q%uN
h$%fh$%
a$%$h$%FW$%
zcÁ
.PAVCMspErrorState@@
.PAVCMspErrorPropertyValue@@
.PAVCMspErrorProperty@@
.PAVCMspErrorPropertyProtected@@
.PAVCMspErrorPropertyName@@
%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe
<assemblyIdentity processorArchitecture="x86" type="win32" name="Setup" version="14.0.4734.1000" />
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.1.0" publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
'') ()*!***%,.-$(((
2 2$2(2,2
034383<3@3
3M4}4
7%7U7
: :$:(:,:0:4:~:
< <$<(<,<
01
<,<8<@<`<
%s digital signature does not validate or is not present.
A required %s cannot be loaded. This may indicate that the file is missing or damaged.
The Setup configuration file %s is not valid. Run Setup again without using a Setup configuration file, or fix the configuration file.
Verify file signature in "%s"
Cannot get Operating System version info. Error %u. Error is not critical. Continuing Setup.
Operating System version: %s %s. Platform ID: %u
Failed to load the selected setup controller dll in location "%s"
Using setup controller dll at [%s].
"%s" is verified to be an invalid file. Skipping signature verification on setup controller dll file and continuing setup
Failed to verify file signature from the selected setup controller dll in location "%s"
Using setup controller dll at location [%s].
Copied setup controller dll to "%s"
Uninstall or MMode product detected. Copying setup controller dll from "%s" to "%s"
Cannot find the selected setup controller dll from location "%s"
Version [%s].
Found setup controller dll at [%s].
Checking for setup controller dll at [%s].
Cannot find the specified config.xml file. %s
config.xml
FILES\SETUP\config.xml
Running 32-bit setup on a 32-bit operating system.
Running %s setup on a 64-bit operating system.
WSSSETUP.DLL
SVRSETUP.DLL
PSETUP.DLL
OSETUP.DLL
Log level changed from: %S to: %S
PERF: TickCount=%u Name=%s Description=%s
dddddd%X
Office(*).log
Log path %s is not valid (Error 0x%x). Reverting to default log path
Error: %S Type: %d::%S. %s
Error: Type: %S. %S ErrorCode: %d(0x%x). %s
Error: %S ErrorCode: %d(0x%x). %s
Error: %S HResult: 0x%x. %s
%s::[%d] %s
kernel32.dll
d/d/d d:d:d:d
%s is trusted.
Warning: %s is not signed.
Error: %s is not trusted.
Comctl32.dll
%s%d%s
_-%[]{}`~!@#$^&() =,;
_-%\.[]{}`~!@#$^&() =,;
hXXp://
[WindowsFolder]
x:x
%S [%S:%d]
__tmainCRTStartup
mainCRTStartup
Corrupt stack frame: frameCount = %d
OS check result: 0xu
PIDKEY
Invalid value display level specified in config.xml: %s. Leaving display level at: %S
Display level full specified in config.xml.
Display level basic specified in config.xml.
Display level none specified in config.xml.
Invalid value log type specified in config.xml: %s. Leaving log type at: %S
Logging type debug specified in config.xml.
Logging type verbose specified in config.xml.
Logging type standard specified in config.xml.
Logging type off specified in config.xml.
Setting value of locked setting '%s'!
%s specified in config.xml.
%s: "%s" specified in config.xml.
SetupExe(*).log
TRIAL InstallTrial = %s
TRIAL ShowUI = %s
LIS CACHEACTION = %s
Parsed MinOSRequirement: ServicePackLevel with value: %s in config.xml.
Parsed MinOSRequirement: WindowsBuild with value: %s in config.xml.
WindowsBuild
Parsed MinOSRequirement: VersionNT with value: %s in config.xml.
SUpdateLocation path specified in config.xml: %s
ShowSUpdateUI=Yes specified in config.xml.
ShowSUpdateUI=No specified in config.xml.
GetWebUpdates=Yes specified in config.xml.
GetWebUpdates=No specified in config.xml.
GetWebUpdates
CheckForSUpdate=Yes specified in config.xml.
CheckForSUpdate=No specified in config.xml.
DistributionPoint parsed. The distribution point is now set to: %s
Invalid pidkey specified in config.xml. Ignoring value from config.xml
PIDKEY element successfully parsed in config.xml
/Configuration/PIDKEY
Show cancel button specified in config.xml.
Disable of cancel button specified in config.xml.
No auto accept license specified in config.xml.
Auto accept license specified in config.xml.
Hide completion notice specified in config.xml.
Show completion notice specified in config.xml with UI level set to none. Forcing modal dialogs to be shown as well.
Show completion notice specified in config.xml.
Show modal dialogs specified in config.xml.
Suppression of modal dialogs specified in config.xml.
Parsed ARPHELPTELEPHONE value: %s
Parsed ARPHELPLINK value: %s
Parsed ARPURLUPDATEINFO value: %s
ARPURLUPDATEINFO
Parsed ARPURLINFOABOUT value: %s
ARPURLINFOABOUT
Parsed ARPCONTACT value: '%s'.
Parsed ARPCOMMENTS value: '%s'.
Log file template: %s specified in config.xml
Log directory: %s specified in config.xml
Parsed setting: %s with value: %s under package: %s in config.xml
Parsed RemoveLangauge: CultureTag with value: %s in config.xml. Warning : this Culture is specified more than once.
Parsed RemoveLangauge: CultureTag with value: %s in config.xml. NOTE: this Culture will not be removed because it is in the AddLanguage List.
Parsed RemoveLangauge: CultureTag with value: %s in config.xml.
Parsed RemoveLangauge: CultureTag with value: %s in config.xml. Can not specify this value in RemoveLanguage Node; ignoring.
Parsed AddLangauge: CultureTag with value: %s in config.xml. Warning : this Culture is specified more than once.
Parsed AddLangauge: CultureTag with value: %s in config.xml.
Parsed AddLangauge: Found request to include Current-User's Locale, in config.xml.
Parsed setting: %s with value: %s in config.xml.
Unsupported setting: %s specified in config.xml.
Preferred product specified in config.xml to be: %s
Parsing config.xml at: %s
BRANDING.XML
SETUP.CHM
Keyword
Warning: changing setup temp folder from [%s] to [%s].
Setup temp folder set to [%s].
Setupx
Uninstall requested for product: %s
Repair requested for product: %s
Modify requested for product: %s
Unrecognized command line parameter: %s
Invalid command line arguments. The preferred dll is already set when parsing '%s'.
Invalid command line arguments. The active Product ID is already set when parsing '%s'.
Invalid command line argument: /config used without specifying a config.xml file.
Running SETUPEXE as a COM server.
Admin patch file/path specified: %s
Config XML file specified: %s
Handling command line option: %s
Command line: %s
aero.msstyles
luna.msstyles
tmsodatalast.dat
%ComponentLang%
%WebLocale%
%UILang%
oleacc.dll
POWRPROF.dll
KERNEL32.DLL
NETAPI32.dll
mso.dll
SspiCli.DLL
NCrypt.dll
BCrypt.dll
Wscapi.DLL
DwmApi.DLL
PropSys.DLL
OSPPCEXT.DLL
OSPPC.DLL
DavClnt.DLL
Rasdlg.DLL
Rasapi32.DLL
MsoXev.DLL
Sensapi.DLL
Secur32.DLL
Setupapi.DLL
WsmEng.DLL
Credui.DLL
gdi32.DLL
UxTheme.DLL
Mscat32.DLL
Wtsapi32.DLL
Netapi32.DLL
WFF.DLL
Activeds.DLL
Shlwapi.DLL
Kernel32.DLL
Winspool.DRV
Mssign32.DLL
MsoHev.DLL
Riched20.DLL
VBE7.DLL
Advapi32.DLL
Softpub.DLL
Wintrust.DLL
WININET.DLL
ODMA32.DLL
OLEACC.DLL
MSJET40.DLL
URLMON.DLL
HLINK.DLL
MAPI32.DLL
WINMM.DLL
VERSION.DLL
COMDLG32.DLL
COMCTL32.DLL
SHELL32.DLL
WINNLS.DLL
GDI32.DLL
comctl32.dll
#$%&%&'(
mscoree.dll
.XPath
LIS SOURCELIST = %s
14.0.4734.1000
Windows

svchost.exe_340_rwx_2E000000_00119000:

.text
`.data
.rsrc
@.reloc
OperationCancelled
AuthSchemeNotSupported
WinHttpQueryAuthSchemesFailed
WinHttpSetOptionFailed
FailedToObtainFileURL
WinHttpSetProxyOptionFailed
WinHttpSetCredentialsFailed
WinHttpStatusDenied
WinHttpQueryHeadersFailed
OHttpReadTruncated
WinHttpDataTruncated
WinHttpReadDataFailed
WinHttpNoData
WinHttpReceiveResponseFailed
WinHttpSendRequestFailed
WinHttpOpenRequestFailed
WinHttpConnectFailed
WinHttpCloseFailed
WinHttpOpenFailed
InvalidServiceOperation
SQLFailedToSetAttribute
SQLFailedToRetrieveData
SQLFailedToExecuteStatement
SQLFailedToConnect
SQLFailedToAllocateHandle
SQLAlreadyConnected
NoSupportedCulture
InvalidOperation
InvalidCDKey
.CoInitializeEx(0, %d) failed. Error code: 0xx.
CoInitializeEx(0, %d) failed; Appartment type: current=%d,requested=%d. Error code: 0xx.
OLog not initialized for reporting events
Log intialized to report Event Logs
shared_ptr cannot apply operator '->' to an empty object pointer
d:\office\source\ocfx\olog.cpp
Log already intialized to report Event Logs
d:\office\source\otools\inc\ocfx\ocominterface.h
d:\office\source\otools\inc\ocfx\osmartpointer.h
d:\office\source\otools\inc\ocfx\oalloc.h
OCOMInterface cannot apply operator '->' to NULL interface pointer
cannot load kernel32.dll
OSmartPointer cannot apply operator '->' to an empty object pointer
.Cannot load sysem string for error x in language %i
d:\office\source\ocfx\osecurity.cpp
d:\office\source\ocfx\oversion.cpp
.Unicows.dll
Kernel32.dll
Failed to free DLL: %S
d:\office\source\ocfx\olibrary.cpp
.Failed to get procedure: %S
Failed to load DLL: %S
Cannot set file %S attbutes to %u
failed to open file '%S'
failed to delete file %S
Failed to copy file src: %S, dest: %S
.d:\office\source\ocfx\ofile.cpp
Path passed in is too long.
ASHCreateDirectoryEx failed for directory: %S
GetDirectories: search path %S does not exist
GetFiles: search path %S does not exist
failed to set current directory to: %S, error %d
d:\office\source\otools\inc\ocfx\othreadlocal.h
tlsIndex out of indexes
OSmartPointer cannot apply operator '*' to an empty object pointer
d:\office\source\ocfx\oexceptionmanager.cpp
d:\office\source\ocfx\oblob.cpp
ORegistryKey.GetValue failure: Cannot get registry %S value %S
Failed to create registry key: %d
Failed to create registry key: registry key name "%S" is too long
ORegistryKey.Open failure: The length of subkey %S is longer than the maximum length allowed
ORegistryKey.Open failure: Parent key is NULL
d:\office\source\ocfx\oregistrykey.cpp
root hkey is expected
ORegistryKey.GetValue failure: Cannot get String value. The registry key is closed or not set
.Cannot detect whether the current machine is a domain controller
.back_ptr cannot apply operator '->' to an empty object pointer
d:\office\source\setupexe\lis\logic\lis.h
%S element specified in config.xml without a Value attribute.
d:\office\source\setupexe\catalyst\catcore\catconfig.cpp
InstallTrial %S is an unknown value
ShowUI %S is an unknown value
CACHEACTION %S is an unknow value
State attribute missing from OptionState element id: %S
Invalid value specified for OptionState State attribute: %S
Invalid product: %S specified in config.xml when product %S has already been selected
Invalid value specified for Command Execute attribute: %S
Invalid value specified for Command ChainPosition attribute: %S
Invalid value specified for Path attribute: %S
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
CorporateSQMURL
HKEY_CLASSES_ROOT
sftldr_wow64.dll
sftldr.dll
verifier.dll
.Software\Microsoft\Office\14.0
msodatad.dat
SYSTEM\CurrentControlSet\Control\Windows
NetGetJoinInformation
1404730
Found Office Product Version %S.
Could not get version registry key.
BCryptDestroyKey
BCryptGenerateSymmetricKey
HttpEndRequestW
HttpSendRequestExW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
InternetOpenUrlA
InternetOpenUrlW
SetUrlCacheEntryGroup
SetUrlCacheEntryGroupW
FindCloseUrlCache
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryExA
FindNextUrlCacheEntryExW
FindFirstUrlCacheEntryExA
FindFirstUrlCacheEntryExW
GetUrlCacheEntryInfoA
GetUrlCacheEntryInfoW
CommitUrlCacheEntryA
CommitUrlCacheEntryW
CreateUrlCacheEntryA
CreateUrlCacheEntryW
HttpQueryInfoA
HttpQueryInfoW
HttpSendRequestA
HttpSendRequestW
HttpOpenRequestA
HttpOpenRequestW
InternetCrackUrlW
InternetCrackUrlA
FtpRemoveDirectoryA
FtpCreateDirectoryA
FtpDeleteFileA
FtpRenameFileA
InternetCanonicalizeUrlW
InternetCanonicalizeUrlA
InternetCombineUrlA
FtpFindFirstFileA
FtpGetCurrentDirectoryA
FtpSetCurrentDirectoryA
FtpGetFileA
FtpOpenFileA
%$%,%4%<%
S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%
b%c%d%e%f%g%h%i%j%k%l%
!"#$%&'()* ,-./0123456789:;<=
!!!!2222
%%%f||||
!!!!2222||||
!"#$%&'(
'()* ,-./0
&'()* ,-./
&'()* ,-./012345
3456789
.ASex
!"#$%&'()* ,-./012
!"#$%&'()
.Delete fails in DeleteArea
.*** Software Failure: %s ***
Bucket can't get a size key in UpdateBucket
.Unknown exception
.CorExitProcess
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.bad exception
?GetProcessWindowStation
USER32.DLL
.msxml.domdocument
DetectionOperation
No such interface supported
Operation aborted
.General_AppName
General_Reportee
ReportingFlags
Stage1URL
Stage2URL
Main_ReportBtn
Main_NoReportBtn
_dw2_0.txt
Reportee
ReportButton
NoReportButton
_dw1_5.txt
.Software\Policies\Microsoft\Windows\Installer
.PatchInstalled
.SELECT `Property`, `Value` FROM `Property`
/dw/SetupStageTwo.asp
.d:\office\source\ocfx\oxmlnode.cpp
.get_attributes failed
SelectNodes: %s called for OXmlNode with null interface
d:\office\source\ocfx\oxmlelement.cpp
.d:\office\source\ocfx\oxmldocument.cpp
XML document load failed for file: %S
.d:\office\source\ocfx\oxmlnodelist.cpp
.Count get property called for OXmlNodeList with null interface
.d:\office\source\ocfx\oxmlnamednodemap.cpp
.VVVVj
.jtSj=
t.Ht$Ht
.tMSWV
.jDPh
.jxX9
.wKShqrf7
.uFWVj
.WhTA
.VVVVVVVVj
.Ph8ga3P
.Vha441V
.tCSVW
.hgqawh
.hhqawh
.PhqssqP
.Phz6g5
.Phjvuq
.Phua46P
.Phwa46P
.SSS 
.wIVSP
setup.exe
msi.dll
GDI32.dll
dbghelp.dll
WINTRUST.dll
SHLWAPI.dll
USER32.dll
SHELL32.dll
OLEAUT32.dll
ole32.dll
KERNEL32.dll
ADVAPI32.dll
RPCRT4.dll
Secur32.dll
VERSION.dll
ReportEventW
RegQueryInfoKeyW
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
RegOpenKeyExA
RegEnumKeyW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
GetKeyboardLayout
GetKeyboardLayoutList
t:\setupexe\x86\ship\0\setup.pdb
x86\ship\0\setup.exe\bbtopt\setupO.pdb
.?AVORegistryKey@@
.PAVCMspError@@
`!`'`)` `
e%f-f|3 f'f/f
]!^"^#^ ^$^
t.uGuHu
x4x7x%x-x x
h&h(h.hMh:h%h h,k/k-k1k4kmk
k%lzmcmdmvm
^Q]Q~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP
]8^6^3^7^
ichczc]eVeQeYeWe_UOeXeUeTe
{1{ {-{/{2{8{
r6s%s4s)s:t*t3t"t%t5t6t4t/t
t&t(t%u&ukuju
WHX%X
`IaJa aEa6a2a.aFa/aOa)a@a bh
d@d%d'd
duewexei
kCpDpJpHpIpEpFp
S$S%S&S'S(S)S S,S.S2S3S5S6S8S:S;SBSFSKSNSOSPSUSVSXSYS[S]S_SbSdSeSgShSiSjSkSmStSvSzS}S~S
U U!U"U#U$U%U(U)U U:U=U?UBUGUIULUSUTUXUYUZU[U]U`UgUhUiUkUlUmUnUoUpUqUrUsUtUxUyUzU
c c!c"c#c$c%c&c'c.c0c1c5c7c?cRcSc[c\c]c^c_c`cacbcccdcfcjclcsctcyc~c
m!m#m$m&mCmDmEmFmGmHmImJmKmLmMmNmOmPmQmRmSmTmUmVmWm[m\m]mkmqmrmsm
nRsSsh
evg%f
m.tRa
gtr%x
Q%SKg
f.ebp>QI
y.yxT
fn:q%uN
aw.Toiz
RMeXe
S#S$S%S;ScSdSrSsStSuS
`!`"`&`'`)`*` `,`-`.`/`0`2`3`4`5`6`:`=`>`?`
^ ^!^"^#^$^%^&^'^.^}^
c c!c"c#c$c%c&c'c*c7c:c;cSc[c1e?e@eAeBeCeDeEe
f f!f"f#f$f%f&f'f(f)f*f f,f-f
m m!m"m#m$m%m&m'm(m)m*m m,m-m.m1m2m3m4m5m6m7m8m9m:m;m<m=m>m?m@mBmCmDmGmHmImJmKmLmMmNmOmPmQmRmSmTmUm
u u-u.uFuGuHuIuJuKuLuMuNuOuPuQuRuSu
U U!U"U#U$U%U&U'U(U4UJU
](^)^*^ ^,^-^/^0^1^
m/mAmFmVmWmXmYmZm[m\m]m^m_m`mambmcmdmemfmgmhmimjmkmlmmmnmompmqmrmsmtmumvmwmxmymzm{m|m}m~m
x x!x"x#x$x%x'x(x)x*x x,x.x/x0x1x2x3x4x5x6x7x8x9x:x;x<x=x>x?x@xAxXy_yaycydyeygyiyjykylynyoy
} }!}"}#}$}%}&}'}
] ]!]"]#]$]%]&]'](])]*] ],]-].]/]0]
]2^3^4^5^6^7^8^9^:^;^<^>^
cMeNeOePeQeReSeTeUeWeXeYeZe[e]ebe
X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X3X4X6X7X8X9X:X;X<X>X?X@XAXBXCXDXEXFXGXHXJXTX_X`XfXmX
d%d-d0d=dRdad2e\e^e_e`eaecedeeefegeheiejele
s"s#s$s%s&s(s)s,s-s/s0s1s2s3s4s5s6s8s9s>s@sGs
u$u%u&u/ujukulumunuouqurusutu
duewexeyeze{e
~ ~!~"~#~$~%~&~'~(~*~ ~-~8~:~0
| |!|"|#|$|%|&|(|)|*|-|.|/|0|1|2|6|
{3~3}3|3
eZl%u
Q.YeY
R:\Sg|p5rL
e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexei
s4s/s)s%s>sNsOs
s&t*t)t.tbt
2%2.bx
{ | }9},
d6exe9j
]%sOu4](n
m.t.zB}
w%xIyWy
^vcÓv
%f?iCt
U>_.lE
f.ebp
.nrR=
{fn:q%uN
h$%fh$%
a$%$h$%FW$%
zcÁ
.PAVCMspErrorState@@
.PAVCMspErrorPropertyValue@@
.PAVCMspErrorProperty@@
.PAVCMspErrorPropertyProtected@@
.PAVCMspErrorPropertyName@@
%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe
<assemblyIdentity processorArchitecture="x86" type="win32" name="Setup" version="14.0.4734.1000" />
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.1.0" publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
'') ()*!***%,.-$(((
2 2$2(2,2
034383<3@3
3M4}4
7%7U7
: :$:(:,:0:4:~:
< <$<(<,<
01
<,<8<@<`<
%s digital signature does not validate or is not present.
A required %s cannot be loaded. This may indicate that the file is missing or damaged.
The Setup configuration file %s is not valid. Run Setup again without using a Setup configuration file, or fix the configuration file.
Verify file signature in "%s"
Cannot get Operating System version info. Error %u. Error is not critical. Continuing Setup.
Operating System version: %s %s. Platform ID: %u
Failed to load the selected setup controller dll in location "%s"
Using setup controller dll at [%s].
"%s" is verified to be an invalid file. Skipping signature verification on setup controller dll file and continuing setup
Failed to verify file signature from the selected setup controller dll in location "%s"
Using setup controller dll at location [%s].
Copied setup controller dll to "%s"
Uninstall or MMode product detected. Copying setup controller dll from "%s" to "%s"
Cannot find the selected setup controller dll from location "%s"
Version [%s].
Found setup controller dll at [%s].
Checking for setup controller dll at [%s].
Cannot find the specified config.xml file. %s
config.xml
FILES\SETUP\config.xml
Running 32-bit setup on a 32-bit operating system.
Running %s setup on a 64-bit operating system.
WSSSETUP.DLL
SVRSETUP.DLL
PSETUP.DLL
OSETUP.DLL
Log level changed from: %S to: %S
PERF: TickCount=%u Name=%s Description=%s
dddddd%X
Office(*).log
Log path %s is not valid (Error 0x%x). Reverting to default log path
Error: %S Type: %d::%S. %s
Error: Type: %S. %S ErrorCode: %d(0x%x). %s
Error: %S ErrorCode: %d(0x%x). %s
Error: %S HResult: 0x%x. %s
%s::[%d] %s
kernel32.dll
d/d/d d:d:d:d
%s is trusted.
Warning: %s is not signed.
Error: %s is not trusted.
Comctl32.dll
%s%d%s
_-%[]{}`~!@#$^&() =,;
_-%\.[]{}`~!@#$^&() =,;
hXXp://
[WindowsFolder]
x:x
%S [%S:%d]
__tmainCRTStartup
mainCRTStartup
Corrupt stack frame: frameCount = %d
OS check result: 0xu
PIDKEY
Invalid value display level specified in config.xml: %s. Leaving display level at: %S
Display level full specified in config.xml.
Display level basic specified in config.xml.
Display level none specified in config.xml.
Invalid value log type specified in config.xml: %s. Leaving log type at: %S
Logging type debug specified in config.xml.
Logging type verbose specified in config.xml.
Logging type standard specified in config.xml.
Logging type off specified in config.xml.
Setting value of locked setting '%s'!
%s specified in config.xml.
%s: "%s" specified in config.xml.
SetupExe(*).log
TRIAL InstallTrial = %s
TRIAL ShowUI = %s
LIS CACHEACTION = %s
Parsed MinOSRequirement: ServicePackLevel with value: %s in config.xml.
Parsed MinOSRequirement: WindowsBuild with value: %s in config.xml.
WindowsBuild
Parsed MinOSRequirement: VersionNT with value: %s in config.xml.
SUpdateLocation path specified in config.xml: %s
ShowSUpdateUI=Yes specified in config.xml.
ShowSUpdateUI=No specified in config.xml.
GetWebUpdates=Yes specified in config.xml.
GetWebUpdates=No specified in config.xml.
GetWebUpdates
CheckForSUpdate=Yes specified in config.xml.
CheckForSUpdate=No specified in config.xml.
DistributionPoint parsed. The distribution point is now set to: %s
Invalid pidkey specified in config.xml. Ignoring value from config.xml
PIDKEY element successfully parsed in config.xml
/Configuration/PIDKEY
Show cancel button specified in config.xml.
Disable of cancel button specified in config.xml.
No auto accept license specified in config.xml.
Auto accept license specified in config.xml.
Hide completion notice specified in config.xml.
Show completion notice specified in config.xml with UI level set to none. Forcing modal dialogs to be shown as well.
Show completion notice specified in config.xml.
Show modal dialogs specified in config.xml.
Suppression of modal dialogs specified in config.xml.
Parsed ARPHELPTELEPHONE value: %s
Parsed ARPHELPLINK value: %s
Parsed ARPURLUPDATEINFO value: %s
ARPURLUPDATEINFO
Parsed ARPURLINFOABOUT value: %s
ARPURLINFOABOUT
Parsed ARPCONTACT value: '%s'.
Parsed ARPCOMMENTS value: '%s'.
Log file template: %s specified in config.xml
Log directory: %s specified in config.xml
Parsed setting: %s with value: %s under package: %s in config.xml
Parsed RemoveLangauge: CultureTag with value: %s in config.xml. Warning : this Culture is specified more than once.
Parsed RemoveLangauge: CultureTag with value: %s in config.xml. NOTE: this Culture will not be removed because it is in the AddLanguage List.
Parsed RemoveLangauge: CultureTag with value: %s in config.xml.
Parsed RemoveLangauge: CultureTag with value: %s in config.xml. Can not specify this value in RemoveLanguage Node; ignoring.
Parsed AddLangauge: CultureTag with value: %s in config.xml. Warning : this Culture is specified more than once.
Parsed AddLangauge: CultureTag with value: %s in config.xml.
Parsed AddLangauge: Found request to include Current-User's Locale, in config.xml.
Parsed setting: %s with value: %s in config.xml.
Unsupported setting: %s specified in config.xml.
Preferred product specified in config.xml to be: %s
Parsing config.xml at: %s
BRANDING.XML
SETUP.CHM
Keyword
Warning: changing setup temp folder from [%s] to [%s].
Setup temp folder set to [%s].
Setupx
Uninstall requested for product: %s
Repair requested for product: %s
Modify requested for product: %s
Unrecognized command line parameter: %s
Invalid command line arguments. The preferred dll is already set when parsing '%s'.
Invalid command line arguments. The active Product ID is already set when parsing '%s'.
Invalid command line argument: /config used without specifying a config.xml file.
Running SETUPEXE as a COM server.
Admin patch file/path specified: %s
Config XML file specified: %s
Handling command line option: %s
Command line: %s
aero.msstyles
luna.msstyles
tmsodatalast.dat
%ComponentLang%
%WebLocale%
%UILang%
oleacc.dll
POWRPROF.dll
KERNEL32.DLL
NETAPI32.dll
mso.dll
SspiCli.DLL
NCrypt.dll
BCrypt.dll
Wscapi.DLL
DwmApi.DLL
PropSys.DLL
OSPPCEXT.DLL
OSPPC.DLL
DavClnt.DLL
Rasdlg.DLL
Rasapi32.DLL
MsoXev.DLL
Sensapi.DLL
Secur32.DLL
Setupapi.DLL
WsmEng.DLL
Credui.DLL
gdi32.DLL
UxTheme.DLL
Mscat32.DLL
Wtsapi32.DLL
Netapi32.DLL
WFF.DLL
Activeds.DLL
Shlwapi.DLL
Kernel32.DLL
Winspool.DRV
Mssign32.DLL
MsoHev.DLL
Riched20.DLL
VBE7.DLL
Advapi32.DLL
Softpub.DLL
Wintrust.DLL
WININET.DLL
ODMA32.DLL
OLEACC.DLL
MSJET40.DLL
URLMON.DLL
HLINK.DLL
MAPI32.DLL
WINMM.DLL
VERSION.DLL
COMDLG32.DLL
COMCTL32.DLL
SHELL32.DLL
WINNLS.DLL
GDI32.DLL
comctl32.dll
#$%&%&'(
mscoree.dll
.XPath
LIS SOURCELIST = %s
14.0.4734.1000
Windows

svchost.exe_1064:

.text
`.data
.rsrc
MSVBVM60.DLL
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\msvbvm60.dll\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
C:\Windows\SysWOW64\ieframe.oca
6tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
FtpDownload
InternetOpenUrlA
FtpUpload
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpGetDirectory
Http_DownloadFile
cmdShowfiles
msvbvm60.dll
tmrTCP
?8??8??8??8??8?
2>e%Xdq
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
*\AD:\Blackshades Project\Blackshades NET\server\server.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
hXXp://VVV.facebook.com/?ref=home
hXXp://VVV.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
WScript.Shell
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
abe2869f-9b47-4cd9-a358-c22904dba7f7
/stext mess.dat
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
http\shell\open\command
127.0.0.1
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
hXXps://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
\system32\userinit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
steam.exe
hl.exe
\rspad.dat
@*\AD:\Blackshades Project\Blackshades NET\server\server.vbp

svchost.exe_1064_rwx_00400000_00078000:

.text
`.data
.rsrc
MSVBVM60.DLL
bss_server.usrReverseRelay
tmrWebHide
bss_server.Socket
bss_server.usrRelay
mswinsck.ocx
MSWinsockLib.Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
modLaunchWeb
%Program Files% (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
winmm.dll
user32.dll
advapi32.dll
shell32.dll
kernel32.dll
avicap32.dll
advpack.dll
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
GetKeyboardLayout
GetKeyboardState
GetKeyState
SHFileOperationA
CreatePipe
PSAPI.DLL
GetTcpTable
ExitWindowsEx
EnumWindows
WinInet.dll
DeleteUrlCacheEntryA
urlmon
URLDownloadToFileA
ShellExecuteA
keybd_event
AddMsg
CHAT_ADDMSG
VBA6.DLL
C:\Windows\SysWow64\msvbvm60.dll\3
ws2_32.dll
olepro32.dll
GdiplusShutdown
RemotePort
LocalPort
WSOCK32.DLL
RegCloseKey
RegOpenKeyExA
ntdll.dll
C:\Windows\SysWOW64\ieframe.oca
6tmrTCP
%Program Files% (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
tmrUDP
UDPSocket
UDPFlood
ole32.dll
crypt32.dll
oleaut32.dll
RegOpenKeyA
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
txtPassword
imgLoginPressed
imgLogin
RegCreateKeyA
RegDeleteKeyA
RegEnumKeyExA
gdi32.dll
FtpDownload
InternetOpenUrlA
FtpUpload
FtpGetFileA
FtpPutFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpOpenFileA
FtpGetFileSize
FtpDeleteFileA
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpRenameFileA
FtpGetDirectory
Http_DownloadFile
cmdShowfiles
msvbvm60.dll
tmrTCP
?8??8??8??8??8?
2>e%Xdq
uMsg
strMsg
MsgNum
AllMsgs
lngPort
URL_TARGET
Port
Password
WebURL
Returns/Sets the port to be connected to on the remote computer
Returns/Sets the port used on the local computer
Binds socket to specific port and adapter
Occurs after a send operation has completed
*\AD:\Blackshades Project\Blackshades NET\server\server.vbp
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
{00020404-0000-0000-C000-000000000046}
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
PORT
TRANSFERPORT
\rsout.tmp
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
Keylog
Wscript.Shell
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
ADVAPI32.dll
hXXp://VVV.facebook.com/?ref=home
hXXp://VVV.facebook.com
Windows Firewall/Internet Connection Sharing (ICS)
WebCamCapture
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
\MSWINSCK.OCX
\cmd.exe
\data.dat
\steam\steam.exe
nkey
dkey
regsvr32.exe
\pws_mail.bss
\pws_mess.bss
\pws_cdk.bss
\pws_ff.bss
\pws_chro.bss
\nir_cmd.bss
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "
:*:Enabled:Windows Messanger" /f
winmgmts:{impersonationLevel=Impersonate}!\\.\root\cimv2
00000000
winmgmts:\\.\root\cimv2
Select * from Win32_Keyboard
api.ipinfodb.com
GET /v2/ip_query.php?key=
&timezone=off HTTP/1.1
Host: api.ipinfodb.com
GET /v2/ip_query_country.php?key=
Portable
WScript.Shell
winmgmts:\\.\root\SecurityCenter
\wallpaper.bmp
\wallpaper.jpg
WinServer 2003, Web Edition
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
__oxFrame.class__
Scripting.FileSystemObject
Autorun.ini
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Address family not supported by protocol family.
Operation already in progress.
Operation now in progress.
Socket operation on nonsocket.
Operation not supported.
Protocol family not supported.
Protocol not supported.
Socket type not supported.
Winsock.dll version out of range.
CSocketMaster.SocketExists
CSocketMaster.PostSocket
CSocketMaster.ConnectToIP
CSocketMaster.ResolveIfHostname
CSocketMaster.SendBufferedDataUDP
CSocketMaster.SendBufferedData
abe2869f-9b47-4cd9-a358-c22904dba7f7
/stext mess.dat
\mess.dat
/stext mail.dat
\mail.dat
/stext ffpw.dat
\ffpw.dat
Web Site
Password
/stext chro.dat
\chro.dat
Action URL
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion
Windows
SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
http\shell\open\command
127.0.0.1
\dump.txt
\uTorrent\uTorrent.exe /DIRECTORY
255.255.255.255
finalizarprocessoportas
CONNECT %s:%i HTTP/1.0
SOFTWARE\Classes\http\shell\open\command
Software\Classes\http\shell\open\command
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
code.is.a.winner
Software\Microsoft\Windows\CurrentVersion\Uninstall\eMule
SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\DigitalProductId
bps1.exe
bhookpl.dll
bnfa.exe
drvloadn.dll
drvloadx.dll
VNCHooks.dll
xr4tdwa.exe
shutdown.exe
TCnRawKeyBoard
HuntHTTPDownload
autorun.inf
hXXps://onlineeast#.bankofamerica.com
winlogon.exe
moz_logins
WEBCAMLIVE
explorer.exe
\system32\userinit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\system32\userinit.exe,
notepad.exe
steam.exe
hl.exe
\rspad.dat
@*\AD:\Blackshades Project\Blackshades NET\server\server.vbp

rundll32.exe_1460:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.
3Another instance of the file %s is already running.
/An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1872
    csc.exe:1296
    csc.exe:1684
    ǢҧƁƣǎ.exe:832
    cvtres.exe:2024
    cvtres.exe:332
    rundll32.exe:1460
    ƜƳƂǍƕ.exe:2004
    Eric22.exe:364
    dumprep.exe:212
    dumprep.exe:348

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.cmdline (295 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.out (362 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\5z2hceo3.0.cs (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Eric22.exe (3687 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ǢҧƁƣǎ.exe (3442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSC3.tmp (636 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.out (396 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CSC1.tmp (636 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ƜƳƂǍƕ.exe (3410 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RES2.tmp (2864 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RES4.tmp (2864 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MsMpEng.exe (13122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.0.cs (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fx32-c4c.cmdline (295 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WER51cb.dir00\svchost.exe.hdmp (215703 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WER51cb.dir00\svchost.exe.mdmp (102001 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Essentials" = "%Documents and Settings%\%current user%\Local Settings\Temp\MsMpEng.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
