Gen.Variant.FAkeAlert.105_ef9ef7587a
HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.FAkeAlert.105 (B) (Emsisoft), Gen:Variant.FAkeAlert.105 (AdAware), Trojan.Win32.Swrort.3.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: ef9ef7587a43ca988371cf5ab19c2737
SHA1: 2b9828017d39c4631a2c41b0dd1ab13fb03d4ccd
SHA256: 7e3601377c381b9db0693c8ff2e51b5782276c85a0bd2312cd77b397d897b9a5
SSDeep: 98304:IMXgIe49r6PDq7HOCouowSP7qq75l2KmyEnVaDk :I ne3bnuNaleyEsb
Size: 4166144 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-04-12 22:49:14
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ef9ef7587a43ca9:1036
GEW.exe:756
The Trojan injects its code into the following process(es):
MSango_Dll.exe:476
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process MSango_Dll.exe:476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process ef9ef7587a43ca9:1036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\MSango_Dll.exe (7386 bytes)
%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.exe (17629 bytes)
%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.02 (55 bytes)
%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.01 (81 bytes)
%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.00 (2 bytes)
Registry activity
The process MSango_Dll.exe:476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 3B 5E 59 06 74 81 2E 2C 2C A2 18 36 AE DF FE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ef9ef7587a43ca9:1036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 B4 FD 24 9A 13 D2 3F 3D 1F 4A 7F B0 EB 9B C4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"MSango_Dll.exe" = "MSango"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\EKPTBR]
"GEW.exe" = "GEW"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process GEW.exe:756 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 D0 1E 52 04 04 CB 8F 06 1C 02 4F 48 5B 59 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEW Start" = "%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.exe"
Dropped PE files
| MD5 | File path |
|---|---|
| 8b55503bc54186c7592a0a68218ab881 | c:\Documents and Settings\All Users\Application Data\EKPTBR\GEW.01 |
| f9a8dd8f8b38b8a9d03fb66a8d0df4de | c:\Documents and Settings\All Users\Application Data\EKPTBR\GEW.02 |
| 5fa30c535081694f3fce3a298b294b31 | c:\Documents and Settings\All Users\Application Data\EKPTBR\GEW.exe |
| 22a2f4aa9cd472c7b57e162b497bf10c | c:\MSango_Dll.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 39972 | 40448 | 4.42322 | d757b5377d52e6b5321b79d7a3a82774 |
| .rdata | 45056 | 9122 | 9216 | 3.83132 | 153268f01def965db6f339c3a76b7fa8 |
| .data | 57344 | 8000 | 3584 | 1.59546 | d74c536cb49fae160bed11f31867c3b7 |
| .rsrc | 65536 | 4106424 | 4106752 | 5.19815 | bc3608451bdd7a3d2722223de04bbaf6 |
| .reloc | 4173824 | 4742 | 5120 | 2.51978 | 526ef451c025897e25a21986c03c6774 |
URLs
| URL | IP |
|---|---|
| hxxp://www.520521.com/ | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.520521.com
Connection: Keep-Alive
HTTP/1.1 401 Unauthorized
Content-Length: 1251
Content-Type: text/html
Server: Microsoft-IIS/6.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 06 Aug 2015 11:30:55 GMT
The Trojan connects to the servers at the following location(s):
2&.google.protobuf.MethodDescriptorProto
.google.protobuf.ServiceOptions"
.google.protobuf.MethodOptions"
2).google.protobuf.FileOptions.OptimizeMode:
2$.google.protobuf.UninterpretedOption":
2$.google.protobuf.UninterpretedOption*
2#.google.protobuf.FieldOptions.CType:
experimental_map_key
2$.google.protobuf.UninterpretedOption"/
2-.google.protobuf.UninterpretedOption.NamePart
2(.google.protobuf.SourceCodeInfo.Location
com.google.protobufB
Tokenizer::ParseInteger() passed text that could not have been tokenized as an integer:
..\src\google\protobuf\io\tokenizer.cc
Tokenizer::ParseFloat() passed text that could not have been tokenized as a float:
Tokenizer::ParseStringAppend() passed text that could not have been tokenized as a string:
..\src\google\protobuf\dynamic_message.cc
..\src\google\protobuf\text_format.cc
..\src\google\protobuf\stubs\substitute.cc
..\src\google\protobuf\descriptor_database.cc
Invalid file descriptor data passed to EncodedDescriptorDatabase::Add().
..\src\google\protobuf\extension_set.cc
CHECK failed: iter != extensions_.end():
..\src\google\protobuf\extension_set_heavy.cc
Mail.ini
Reach Login_Server Failed!!
Reach Login_Role Failed!!
Login_Channel Failed!!
Start GameRobotThread!! %s
Login_Channel22 Failed!!
MSG_CloseGame %s
%s --%s
Login_Channel Failed!!
\Pass Game Protect\google/protobuf/repeated_field.h
RoleLv = %d
09:00:00
GetTaskNum = %d
TransactionState = %d -- %s
OpenNPC %s
NPC.ini
Skip %s
NPC[%s]
Gamer[%s]
NPC --- %s -ID---%X
%s Failed!! %x
11!!--%s
22!!--%s
StartTransaction1 --ID = %x
ID = %x
_ebx = %x
Confirm--%d--%s
PassWord
RandomName %s
Start Login_Role :%d
Delete_Role :%d
Login_Channel %d
Not Reach Channel %s
Windows 7
Found MSangoClientNew -- %x,%s
%u.%u.%u.%u (%d)>
TcpMsg.proto
TcpMsg.cpp
TcpMsg.proto"V
TcpMsg
.TcpMsg.Body
WriteI on %X Failed!!
WriteF on %X Failed!!
%d/%d/%d %d:%d:%d
%d:%d:%d
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Web Server Edition
Windows Server 2003 R2,
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003,
Web Edition
Windows XP
Windows 2000
(build %d)
This sample does not support this version of Windows.
$Lua: Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio $
$URL: VVV.lua.org $
bad argument #%d (%s)
calling '%s' on bad self (%s)
bad argument #%d to '%s' (%s)
%s expected, got %s
%s:%d:
invalid option '%s'
stack overflow (%s)
name conflict for module '%s'
cannot %s %s: %s
attempt to %s %s '%s' (a %s value)
attempt to %s a %s value
attempt to compare two %s values
attempt to compare %s with %s
%s:%d: %s
invalid key to 'next'
in function '%s'
in function <%s:%d>
missing '[' after '%%f' in pattern
^$* ?.([%-
'string.gfind' was renamed to 'string.gmatch'
invalid replacement value (a %s)
invalid option '%%%c' to 'format'
no function environment for tail call at level %d
%s: %p
cannot resume %s coroutine
%s: %s
standard %s file is closed
field '%s' missing in date table
system error %d
'package.%s' must be a string
no file '%s'
error loading module '%s' from file '%s':
luaopen_%s
no module '%s' in file '%s'
'package.preload' must be a table
no field package.preload['%s']
loop or previous error loading module '%s'
'package.loaders' must be a table
module '%s' not found:%s
.\?.lua;!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua
.\?.dll;!\?.dll;!\loadall.dll
invalid value (%s) at index %d in table for 'concat'
%s: %s in precompiled chunk
'%s' expected
main function has more than %d %s
function at line %d has more than %d %s
'%s' expected (to close '%s' at line %d)
char(%d)
%s near '%s'
\Pass Game Protect\Release\GameDll.pdb
MSVCP100.dll
MSVCR100.dll
_malloc_crt
_amsg_exit
_crt_debugger_hook
EnumWindows
USER32.dll
WS2_32.dll
KERNEL32.dll
.?AVTcpMsg_Body@@
.?AVTcpMsg@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
2/2h2x2~2
6-626=6&757
88u8
1 1$1(1,10141
< <$<(<:<
8$9(9,90949
0 0$0(0,0004080
2 2$2(2,2024282<2
2&2F263G3
3-4X4}4
4 4'4.444
8%9 91979
8 8$8(8,8084888
1(101<1`1
`.data
%d / %m / %y
%I : %M : %S %p
%m / %d / %y
%b %d %H : %M : %S %Y
msvcp100.i386.pdb
X<%u2j
<%u7j
_realloc_crt
__crtCompareStringA
__crtLCMapStringA
??0operation_timed_out@Concurrency@@QAE@XZ
??0invalid_operation@Concurrency@@QAE@PBD@Z
_calloc_crt
__crtLCMapStringW
__crtCompareStringW
?status_port@agent@Concurrency@@QAEPAV?$ISource@W4agent_status@Concurrency@@@2@XZ
_Wcrtomb
__Wcrtomb_lk
.?AVinvalid_operation@Concurrency@@
.?AVoperation_timed_out@Concurrency@@
8*90989=9
2$2)2@2~2
:":&:*:.:2:6::: ;2;
343C3R3a3p3
3hXXp://crl.microsoft.com/pki/crl/products/CSPCA.crl0H
,hXXp://VVV.microsoft.com/pki/certs/CSPCA.crt0
3hXXp://crl.microsoft.com/pki/crl/products/tspca.crl0H
,hXXp://VVV.microsoft.com/pki/certs/tspca.crt0
hXXp://microsoft.com0
Broken pipe
Inappropriate I/O control operation
Operation not permitted
??0invalid_operation@Concurrency@@QAE@XZ
??0invalid_oversubscribe_operation@Concurrency@@QAE@PBD@Z
??0invalid_oversubscribe_operation@Concurrency@@QAE@XZ
??0invalid_scheduler_policy_key@Concurrency@@QAE@PBD@Z
??0invalid_scheduler_policy_key@Concurrency@@QAE@XZ
??0operation_timed_out@Concurrency@@QAE@PBD@Z
??0unsupported_os@Concurrency@@QAE@PBD@Z
??0unsupported_os@Concurrency@@QAE@XZ
?GetExecutionContextId@Concurrency@@YAIXZ
?GetPolicyValue@SchedulerPolicy@Concurrency@@QBEIW4PolicyElementKey@2@@Z
?SetPolicyValue@SchedulerPolicy@Concurrency@@QAEIW4PolicyElementKey@2@I@Z
?_ConcRT_Assert@details@Concurrency@@YAXPBD0H@Z
?_ConcRT_CoreAssert@details@Concurrency@@YAXPBD0H@Z
?_ConcRT_DumpMessage@details@Concurrency@@YAXPB_WZZ
?_ConcRT_Trace@details@Concurrency@@YAXHPB_WZZ
?_Trace_ppl_function@Concurrency@@YAXABU_GUID@@EW4ConcRT_EventType@1@@Z
?_ValidateExecute@@YAHP6GHXZ@Z
_CRT_RTC_INIT
_CRT_RTC_INITW
__p__acmdln
__p__wcmdln
__report_gsfailure
_acmdln
_execl
_execle
_execlp
_execlpe
_execv
_execve
_execvp
_execvpe
_pipe
_recalloc_crt
_set_malloc_crt_max_wait
_wcmdln
_wexecl
_wexecle
_wexeclp
_wexeclpe
_wexecv
_wexecve
_wexecvp
_wexecvpe
wcrtomb
wcrtomb_s
FTPjKS
FtPj;S
C.PjRV
%S#[k
?#%X.y
cmd.exe
portuguese-brazilian
xMaxPolicyElementKey
pExecutionResource
s.SVW
Visual C CRT: Not enough memory to complete call to strerror.
*Yp3.CP
GetCPInfo
PeekNamedPipe
CreatePipe
GetProcessHeap
msvcr100.i386.pdb
.?AUIExecutionContext@Concurrency@@
Assertion failed: %s, file %s, line %d
.?AVinvalid_oversubscribe_operation@Concurrency@@
.?AVinvalid_scheduler_policy_key@Concurrency@@
.?AVunsupported_os@Concurrency@@
.?AUIExecutionResource@Concurrency@@
.?AVExecutionResource@details@Concurrency@@
.PAVscheduler_resource_allocation_error@Concurrency@@
.PAVexception@std@@
1 1$1(1,1014181<1
0%0 020=0^0
<!< <5<`<
9$9*90969]9
2-2}2
<"=(=-=>=]>
4M4I4Z4h4p4u4}4
GetWindowsDirectoryA
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegEnumKeyA
RegDeleteKeyA
RegCreateKeyExA
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
GetViewportExtEx
SetViewportOrgEx
GdiplusShutdown
ShellExecuteA
GetKeyboardState
GetKeyboardLayout
MapVirtualKeyA
GetAsyncKeyState
GetKeyNameTextA
CreateDialogIndirectParamA
SetWindowsHookExA
UnhookWindowsHookEx
MapVirtualKeyExA
GetKeyState
2;%SK
]<%X[
##0#3131%&
.QICN,8# @I3>##Jl;>C3I=I6lIC6$-
$ 0 0 ,4$,0 0,
accKeyboardShortcut
hhctrl.ocx
SHELL32.DLL
dwmapi.dll
UxTheme.dll
USER32.DLL
ORICHED20.DLL
ekernel32.dll
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
10.00.30319.1
msvcp100.dll
msvcp100.dl
wUSER32.DLL
advapi32.dll
[%d:%d:%d:%d(%d)] %S: !!!!!!!Assert Failed(%S: %d)
[%d] %S: !!!!!!!Assert Failed(%S: %d)
[%d:%d:%d:%d(%d)]
ADVAPI32.DLL
msvcr100_clr0400.dll
msvcr100.dl
{8856F961-340A-11D0-A96B-00C04FD705A2}(*.*)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ef9ef7587a43ca9:1036
GEW.exe:756
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\MSango_Dll.exe (7386 bytes)
%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.exe (17629 bytes)
%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.02 (55 bytes)
%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.01 (81 bytes)
%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.00 (2 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEW Start" = "%Documents and Settings%\All Users\Application Data\EKPTBR\GEW.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.