PUP.Win32.PileFile_f553430bf7

by malwarelabrobot on February 24th, 2016 in Malware Descriptions.

not-a-virus:AdWare.Win32.Amonetize.cbd (Kaspersky), Trojan.Win32.Swrort.3.FD, PUPPileFile.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: f553430bf722869adf352c70969473ae
SHA1: 6aa7952593b5701c8be271d58347ad4f028578fb
SHA256: 8d2f8774d7db7accfb433f156e1569f0cb8c3682073aa98afee11211965ff488
SSDeep: 98304:q8LKm2JJwl7ryUfmkTtl9dbCPGkkpRbK:q8Opnw8UfrTtZbGkDbK
Size: 5331400 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-04 21:41:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.

Payload

No specific payload has been found.

Process activity

The PUP creates the following process(es):

tmp6.exe:1956
tmp4.exe:1140
tmp8.exe:1632
tmp2.exe:1492

The PUP injects its code into the following process(es):

%original file name%.exe:228

Mutexes

The following mutexes were created/opened:

ShimCacheMutex
{9AAF2503-6CD5-414A-B5BA-37639B76C91F}
ZonesLockedCacheCounterMutex
ZonesCounterMutex
oleacc-msaa-loaded
ZonesCacheCounterMutex

File activity

The process %original file name%.exe:228 makes changes in the file system.
The PUP creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\f553430bf722869adf352c70969473ae_000228.log (57530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp6.exe (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp8.exe (71 bytes)
%Documents and Settings%\%current user%\Application Data\Oxy\config.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\htmlayout.dll (6388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp2.exe (71 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.exe (71 bytes)

Registry activity

The process tmp6.exe:1956 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 BB 74 AE 89 D9 FD F3 E6 98 78 48 9E A6 38 4E"

The process tmp4.exe:1140 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 2A 5C B0 77 30 AC 1A 7B 8C 69 7A A2 25 28 D5"

The process %original file name%.exe:228 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmp6.exe" = "tmp6"

[HKCU\Software\Escolade]
"Guid" = "fa68796ada3311e581cc000c298a8b37"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 A9 12 11 16 9E AB 5C 3B 5C FE AE 09 58 95 58"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmp4.exe" = "tmp4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"tmp8.exe" = "tmp8"
"tmp2.exe" = "tmp2"

The PUP modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The PUP modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The PUP modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process tmp8.exe:1632 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E E7 93 00 0B F4 55 A8 63 5F 8A 9F D4 79 09 7E"

The process tmp2.exe:1492 makes changes in the system registry.
The PUP creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 46 B8 01 38 67 8E BF E4 A9 6D F9 A9 7C DD 70"

Dropped PE files

MD5 File path
7222f8144a764f45b21fbc89e007c4c9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\htmlayout.dll
1010065fa13aa6eeaa1df8ee3df01d23 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp2.exe
1010065fa13aa6eeaa1df8ee3df01d23 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp4.exe
1010065fa13aa6eeaa1df8ee3df01d23 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp6.exe
1010065fa13aa6eeaa1df8ee3df01d23 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tmp8.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: PileFile Downloade
Product Version: 1.0.0.2
Legal Copyright:
Legal Trademarks:
Original Filename: xyzHu5YIj.lnk_
Internal Name: xyzHu5YIj.lnk_
File Version: 1.0.0.
File Description: PileFil
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 914468 914944 4.62933 6feb20a206204729f6b5d49c19767d10
.rdata 921600 129074 129536 3.67559 f014c09aaca85680e79559caf123b5ac
.data 1052672 41764 12800 2.65944 6fda6fa32cc8bce99af72490d02d9bf2
.rsrc 1097728 4231168 4227584 3.90728 b1fdf038143e7269269b93e67f4ed2c0
.reloc 5328896 39658 39936 3.83484 877279c1b9ebfb91b3d4b77993a1c95b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.freefilesdownloader.com/api/cc 103.224.182.250
hxxp://9094.searchmagnified.com/api/cc
hxxp://www.chicdownload.com/name.php 141.8.226.14
hxxp://www.freefilesdownloader.com/api/keywordexecute/fa68796ada3311e581cc000c298a8b37/14099804/f553430bf722869adf352c70969473ae 103.224.182.250
hxxp://9094.searchmagnified.com/api/keywordexecute/fa68796ada3311e581cc000c298a8b37/14099804/f553430bf722869adf352c70969473ae
hxxp://www.freefilesdownloader.com/api/firstscreenshown/fa68796ada3311e581cc000c298a8b37/14099804 103.224.182.250
hxxp://9094.searchmagnified.com/api/firstscreenshown/fa68796ada3311e581cc000c298a8b37/14099804
hxxp://ww31.freefilesdownloader.com/api/cc 208.91.196.94
hxxp://ww31.freefilesdownloader.com/api/firstscreenshown/fa68796ada3311e581cc000c298a8b37/14099804 208.91.196.94
hxxp://ww31.freefilesdownloader.com/api/keywordexecute/fa68796ada3311e581cc000c298a8b37/14099804/f553430bf722869adf352c70969473ae 208.91.196.94


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /api/firstscreenshown/fa68796ada3311e581cc000c298a8b37/14099804 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.freefilesdownloader.com
Connection: Close


HTTP/1.1 302 Found
Date: Tue, 23 Feb 2016 13:49:38 GMT
Server: Apache
X-Powered-By: PHP/5.4.45-0 deb7u2
Set-Cookie: __tad=1456235378.1737110; expires=Fri, 20-Feb-2026 13:49:38 GMT
Location: hXXp://ww31.freefilesdownloader.com/api/firstscreenshown/fa68796ada3311e581cc000c298a8b37/14099804
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8



GET /api/keywordexecute/fa68796ada3311e581cc000c298a8b37/14099804/f553430bf722869adf352c70969473ae HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.freefilesdownloader.com
Connection: Close


HTTP/1.1 302 Found
Date: Tue, 23 Feb 2016 13:49:34 GMT
Server: Apache
X-Powered-By: PHP/5.4.45-0 deb7u2
Set-Cookie: __tad=1456235374.6389392; expires=Fri, 20-Feb-2026 13:49:34 GMT
Location: hXXp://ww31.freefilesdownloader.com/api/keywordexecute/fa68796ada3311e581cc000c298a8b37/14099804/f553430bf722869adf352c70969473ae
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8



GET /api/keywordexecute/fa68796ada3311e581cc000c298a8b37/14099804/f553430bf722869adf352c70969473ae HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: ww31.freefilesdownloader.com
Connection: Close


HTTP/1.1 200 OK
Date: Tue, 23 Feb 2016 13:49:34 GMT
Server: Apache
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Jkuzmz3K53X5eNEH0AKV6cjBe55rAjAKVu eHuBioBHxb yTTtKxOie78WC5MYmMPvvJrG1eFZGnDuBMhAIvNQ==
Vary: Accept-Encoding,User-Agent
Content-Length: 3246
Keep-Alive: timeout=5, max=115
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://ww31.freefilesdownloader.com/?fp=da0tfi
7ZflMJchwXjiCX15xsTgoTeDtAQbgciekAH6J0/RwlwZo0NxM7B3mzSQ9Hx/C5OggL
RJZeylKBhKS/7w==&prvtof=+jtLgx9npNuw4rk7a7q+XVBxEhzzYyMGvW%2
F9z1y5HG8=&poru=i5BRnxujcZt0lh0gjaoEdjTWcv6Z9RLCe167S83IquVleyflb15P
R5d0D30JN37ipOIfzm37+hHYOWzOEvVOp8GGQ2HCCMjwc/39NIbaLgFyn6g/4w2x
vLNjXaLJg2Wuk48kON9/caHaarqSaYnLT55BrnNaq4rQqA/j5T7eZhc=&cifr=1&
";.../*..-->..<html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwA
wSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrB
IF6QMyFwXT5CCRyjS2penECAwEAAQ==_Jkuzmz3K53X5eNEH0AKV6cjBe55rAjAKVu eHu
BioBHxb yTTtKxOie78WC5MYmMPvvJrG1eFZGnDuBMhAIvNQ=="><head>...
...  <meta http-equiv="Content-Type" content="text/html; charset=UT
F-8">......  <meta http-equiv="X-UA-Compatible" content="IE=Emul
ateIE7">......  <meta name="viewport" content="width=device-widt
h"><script type="text/javascript">...<!--...dimensionUpdat
ed = 0;...function applyFrameKiller()...{....if(window.top != self)...
.{.....cHeight = 0;.....if( typeof( window.innerHeight ) != 'undefined
' ) {.....//Non-IE.....cHeight = window.innerHeight;.....dimensionUpda
ted = 1;.....} else if( document.documentElement && ( document.documen
tElement.clientWidth || document.documentElement.clientHeight )  ) {..
...//IE 6  in 'standards compliant mode'.....cHeight = document.docume
ntElement.clientHeight;.....dimensionUpdated = 1;.....} else if( docum
ent.body && ( document.body.clientWidth || document.body.clientHei
<<< skipped >>>


GET /api/cc HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: ww31.freefilesdownloader.com
Connection: Close


HTTP/1.1 200 OK
Date: Tue, 23 Feb 2016 13:49:32 GMT
Server: Apache
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_RdJVvPaIYJPXYhublLpwPoXMIXAd1ALZVxs0Pkc25pEpK7N0F6mD4uHI9BLdvO FBx3FYn2CyUiF1NpG6XDJ3g==
Vary: Accept-Encoding,User-Agent
Content-Length: 2888
Keep-Alive: timeout=5, max=8
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://ww31.freefilesdownloader.com/?fp=Oc2MHb
LaVpyZ+MDut+7kMZravMUPqNquDOvsuHh991cZxbo+w5NW5cFTV8z5UdmfAsf7mk
t1ZIj3a7N0VBk8tA==&prvtof=Kg6ezEprVbnDLY4TbLvEAzYM2RHHUWEu+CTxaZ
Gh0Ps=&poru=YSMCT+k0wcuA5nXjTHsiXS8nL9Jgrr+8vytx9twZHcSdXbs/vO
eHRDAVLI1NTsWrGZO1RYsGpHtFk2nRKyns7w==&cifr=1&";.../*..-->..<
;html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJp
rcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2pe
nECAwEAAQ==_RdJVvPaIYJPXYhublLpwPoXMIXAd1ALZVxs0Pkc25pEpK7N0F6mD4uHI9B
LdvO FBx3FYn2CyUiF1NpG6XDJ3g=="><head>......  <meta http-e
quiv="Content-Type" content="text/html; charset=UTF-8">......  <
meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">......  &
lt;meta name="viewport" content="width=device-width"><script typ
e="text/javascript">...<!--...dimensionUpdated = 0;...function a
pplyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0;.
....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE..
...cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} else 
if( document.documentElement && ( document.documentElement.clientWidth
 || document.documentElement.clientHeight )  ) {.....//IE 6  in 'stand
ards compliant mode'.....cHeight = document.documentElement.clientHeig
ht;.....dimensionUpdated = 1;.....} else if( document.body && ( docume
nt.body.clientWidth || document.body.clientHeight ) ) {.....//IE 4 com
patible.....cHeight = document.body.clientHeight;.....dimensionUpd
<<< skipped >>>


GET /api/cc HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: VVV.freefilesdownloader.com
Connection: Close


HTTP/1.1 302 Found
Date: Tue, 23 Feb 2016 13:49:30 GMT
Server: Apache
X-Powered-By: PHP/5.4.45-0 deb7u2
Set-Cookie: __tad=1456235370.4321937; expires=Fri, 20-Feb-2026 13:49:30 GMT
Location: hXXp://ww31.freefilesdownloader.com/api/cc
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8



GET /api/firstscreenshown/fa68796ada3311e581cc000c298a8b37/14099804 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: ww31.freefilesdownloader.com
Connection: Close


HTTP/1.1 200 OK
Date: Tue, 23 Feb 2016 13:49:38 GMT
Server: Apache
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_ooE6OTRaHDzPfWC0YJREx  3ZX8K uvnLby8QyEOw0CqvYNtlR/F769kaWkhv5dR/jTaN4tFlna laW14in9WA==
Vary: Accept-Encoding,User-Agent
Content-Length: 3166
Keep-Alive: timeout=5, max=52
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!--...top.location="hXXp://ww31.freefilesdownloader.com/?fp=AlhObh
mJkaRb1gd1+FDgbMTg2qILdkU5/sd2EeO9dPZ4ad/u8vIu7Iv5vZO0kVEHnXrGkk
8K17R6+/IvRyNWjw==&prvtof=97jIOJqgWeqzInRdlxmjwRltnDuF9FHQoBgs
gO3bEIQ=&poru=1vCYa+0/HH8lke2ANhZ4v6n1M2XCVemshKN9P6btLs0tiBqfLM
5SsmZgTktWLKnyD2n8Pa5RrJ5hArwU0lg+RMm/LVG8l+VT59rFHC1hhgRM4qt6ek
07hC79Lxz0EWqWX6e7mmTHvHxWhx+zjqlaaA==&cifr=1&";.../*..-->..&
lt;html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXb
JprcLfbH4psP4 L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2
penECAwEAAQ==_ooE6OTRaHDzPfWC0YJREx  3ZX8K uvnLby8QyEOw0CqvYNtlR/F769k
aWkhv5dR/jTaN4tFlna laW14in9WA=="><head>......  <meta http
-equiv="Content-Type" content="text/html; charset=UTF-8">......  &l
t;meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">...... 
 <meta name="viewport" content="width=device-width"><script t
ype="text/javascript">...<!--...dimensionUpdated = 0;...function
 applyFrameKiller()...{....if(window.top != self)....{.....cHeight = 0
;.....if( typeof( window.innerHeight ) != 'undefined' ) {.....//Non-IE
.....cHeight = window.innerHeight;.....dimensionUpdated = 1;.....} els
e if( document.documentElement && ( document.documentElement.clientWid
th || document.documentElement.clientHeight )  ) {.....//IE 6  in 'sta
ndards compliant mode'.....cHeight = document.documentElement.clientHe
ight;.....dimensionUpdated = 1;.....} else if( document.body && ( docu
ment.body.clientWidth || document.body.clientHeight ) ) {.....//IE
<<< skipped >>>






The PUP connects to the servers at the folowing location(s):







%original file name%.exe_228:




.text
`.rdata
@.data
.rsrc
@.reloc
.FGy"
u u
t.HuI
8X.tL
!|$8!\$<
,4,56,789
9>t.hDnN
FTPQ
xSSSh
FTPjKS
FtPj;S
C.PjRV
WindowsFirewallIsOn failed: 0xlx
PWindowsFirewallAppIsEnabled failed: 0xlx
Port %ld is not open in the firewall.
Port %ld is open in the firewall.
get_GloballyOpenPorts failed: 0xlx
Port %ld is now open in the firewall.
put_Port failed: 0xlx
WindowsFirewallPortIsEnabled failed: 0xlx
PASSWORD
REPORT
RegOpenKeyTransactedW
Cannot put setting information: %x
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
FRegDeleteKeyExW
Product version: 1.0.1.1
1,0,1,1401
urls
3024080357154238
url_rank
HTMLayout.dll
GetProcessWindowStation
operator
portuguese-brazilian
large file support is disabled
unknown operation
SQL logic error or missing database
defer_foreign_keys
foreign_keys
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
sqlite_version
sqlite_attach
sqlite_detach
sqlite_stat1
sqlite_rename_parent
sqlite_rename_trigger
sqlite_rename_table
GetProcessHeap
RowKey
3.8.0.2
SQLite format 3
CREATE TABLE sqlite_master(
sql text
CREATE TEMP TABLE sqlite_temp_master(
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
recovered %d pages from %s
recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
foreign key constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
abort at %d in [%s]: %s
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
%s prohibited in partial index WHERE clauses
%s prohibited in CHECK constraints
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
invalid name: "%s"
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
%s %T cannot reference objects in database %s
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
indexed columns are not unique
cannot create a TEMP index on non-TEMP table "%s"
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
no such collation sequence: %s
table %s may not be modified
cannot modify %s because it is a view
foreign key mismatch - "%w" referencing "%w"
table %S has %d columns but %d values were supplied
%d values for %d columns
table %S has no column named %s
%s.%s may not be NULL
constraint %s failed
PRIMARY KEY must be unique
sqlite3_extension_init
%s.%s
unable to open shared library [%s]
sqlite3_
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_key_list
foreign_key_check
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
%s:%d
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
no such index: %s
sqlite_subquery_%p_
too many references to "%s": max 65535
%s.%s.%s
no such table: %s
SCAN TABLE %s%s%s
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
automatic index on %s(%s)
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s TABLE %s
%s AS %s
%s USING AUTOMATIC %sINDEX%.0s%s
%s USING %sINDEX %s%s
%s USING INTEGER PRIMARY KEY
%s (rowid=?)
%s (rowid>? AND rowid<?)
%s (rowid>?)
%s (rowid<?)
%s VIRTUAL TABLE INDEX %d:%s
%s.xBestIndex() malfunction
at most %d tables in a join
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
C:\iPumper\iPumper\Installer\Build\Release\TinyInstaller.pdb
HTMLayoutCombineURL
NETAPI32.dll
dbghelp.dll
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
RegQueryInfoKeyW
ADVAPI32.dll
ole32.dll
SHFileOperationW
ShellExecuteW
ShellExecuteExW
SHELL32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
WinHttpOpen
WinHttpCloseHandle
WinHttpSetTimeouts
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetOption
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpReceiveResponse
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
Secur32.dll
RPCRT4.dll
PSAPI.DLL
GetCPInfo
.?AUIHttpRequestEvents@Http@CommonLib@@
.?AVCThreadCRT@System@CommonLib@@
zcÁ
8'.Ma
{gm.Tt
toF%C
\%uD:
v}.Fk
0z.cZ
f.yor
-H}jj9
".xn.l1
?KK%s
Ÿ6@
Ír,N
!.rJ-
N?.HO
"".Vi
CrTS
.nn|g
-3o.Vs
.bg?B
xE^.WT
g[s%s_
_.nT_j?
%SU9N
U1m%U#
TZ]7U/.ibMP[
.rKBh
.vmkD1
1`SC~.nr
J1.nQ
.gvsZ
%#%d@G
pin.vUXcY
u.dG)
].skh\
u5/.HIZ 
z-29}r
jtk%xE
%d@b>
.OS8N
.TI*B_
.QHIO
xûU
v*.*e
k2VR;%F
={s.Bd
=AY`5%D#G
2xb.dp.
D$zF.OA
.Vw33
P7.dD
FCA ]%sA[
ux.QS
Spp.lg
E_.HKV
>.fn;
.cA$2
q.GJ?w
/j8.so
CrT^k$
n.Xi[a
_#.PAM
5D1.St
*.vZ\Z~
tE.ii6
Z.CA=
D?pb
.mjj;`
I8Il.nf
cF.XX
.Sd4I
D%uSD
a.JIk
5w%x8L
N.OYK
#n-D}
/~0%C
"%8U}
.qO&t
m!.ER9
oD.kYt,
!;1InrF%D
P,-5q}I*
*xMxr.Nh
6&H.lgrs
.USQ*
o%SBm
Els%D
ACAj%u4
.asK\H
h=%X{
La%s1[
l.Ln@
n..xC,K!
OCmd
l.aGs
h=.DY
2%c-!
Ou.Ghk
_@bl^%C
.FZJd
??-
/ 3.lB
aj.Xm
.B.YT&
=.Wv[
%Foo^j
a.gcX
%Cn`##y
%Xqwb
.WDV"
AMo%u
Yk.rB
(%X}/
`|L#%f
.hm{E
%X: x
.XzWi
:cRTY
).GHO
=.wSd
mv].MRi
R3.dG
_.bky
s|.vZ
o7%cx
.VCk[
oO.Hh
.wNObhR
%X{u}
[email protected]
.XG5|
Z.LxE8
7H%dw
}=.nO
G;\.CU
=Vd|.MU
%fIEb
.bd<.
m%XM!
L'!%cO
P%uv*
$lD.vZa
%xzUr
;Oa.QU
%dO;5z<
0*%X{
6GœO
jg.oe
€d6
[email protected]
%u0}f
8?.%F
.nvH?
%DxTrnM
If%Xx
i.EM8Z@
.pae4
-75U}2
~Qz%Utp
l%d P}
TV.Aa
!.SV7
gj%D_
G;.bT{g
T*ly)".cT3Z
,nE%xL
H,%.c
( .kd_
%1XA&
-78E}
-8I}(-
.tMT-
E?]^zYr.bF4
o%1XI
yÍ[
BemSg
M"BLQ%x
.mYzO
.%cn6
U.hj--
.MT9:B?r
U%s$3
u.Al{
SLy.wo
%5.Yc.
%c-N\Y
X.eXu
L?y%x
_X}exe
e.idq
.ql^N
NHr.Hq
t.lL)
.aFfn
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
= =$=(=,=0=4=(>
2%6U>W?
0$060}0~:
>%>4>8><>@>
283?3"4(4
89^9q9
?!?)?4?{?
4*5054585<5
; ;&;,;2;
< <(<0<(=
1,181@1`1
:,:8:@:`:
Checking is %s installed
Stopped dumping amitest.txt
Started deleting amitest.txt
amitest.txt
Started dumping amitest.txt
/u hXXp://VVV.chicdownload.com/index.php /ta
mism.exe started
Starting mism.exe
AppID\{E5CD9A7C-0DF4-499B-AEB1-81A970A81D03}
SOFTWARE\Wow6432Node\portaldositesSoftware\portaldositeshp
SOFTWARE\portaldositesSoftware\portaldositeshp
TypeLib\{44444444-4444-4444-4444-440344264420}\1.0\0\win32
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WhiteSmoke_New Toolbar
Firefox is installed
Firefox isn't installed
\Mozilla Firefox\firefox.exe
TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}\1.0\0\win32
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Run
VVV.products-placement.com
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
SQL error: %s
Can't open database: %s
chromex
[d/d/d
d:d:d:d]
https:
http:
<div id="under_toolbar"><img src="images/gttoolbar_318.png"></div>
<div id="under_toolbar"><img src="images/intoolbar_318.png"></div>
<div id="under_toolbar"><img src="images/wstoolbar_318.png"></div>
29-03-2013
Advapi32.dll
[ASCTaskScheduler] Error: TaskUrl value is invalid
QueryServiceStatusEx failed (%d)
[ASCTaskScheduler] Error: pExecAction->put_Arguments is failed
[ASCTaskScheduler] Error: pExecAction->put_Path is failed
TaskUrl
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
CreateProcess failed (%d).
Start PileFile %s
Can't delete file: %s
finish_screen.html
Key doesn't exist
Key exists
Checking does %s\%s exists
simapp_id: '%s'
"%s" --elevated --uninstall
"%s",1
Installing from: '%s' to '%s'
Mozilla\FireFox\Extensions
[email protected]
extension_firefox.xpi
Installing firefox extension
Installed: '%s'
Google\Chrome\Extensions\%s
extension_chrome.crx
Installing chrome extension
\iPumper.lnk
Starting distrib uninstaller: '%s'
Usenet.nl.exe
mediaget.exe
iPumper.exe
Uninstalling: '%s'
User global groups: %s
User local groups: %s
Default browser path: '%s'
http\shell\open\command
Windows version: %s
Parent process path: '%s'
Special param --config: '%s'
hXXp://%s/up/?key=%s&where=%s
%domain%
hXXp://%s/log/%s_crashlog
%s%i: %s - 0x%0X
SymFromAddr failed: %d
config.xml
\Updater.exe
Updater.exe was extracted
Extracting Updater.exe
Updater.exe
\extension_firefox.xpi
\extension_chrome.crx
\config.xml
Checking --auto switch: %d
Checking --silent switch: %d
Checking --uninstall switch: %d
Command line: '%s'
hXXp://%s/log/%s
Flushing log to domain: '%s'
"%s" --uninstallReminder
"%s" --elevated --uninstallPileFile
--app=chrome-extension://cgeglcjaapbfihfpfmamaoipnbocnjkl/index.html#q=Cool
\Oxy\Application\TMS.ico
\Oxy\Application\oxy.exe
%s: success
download.lnk
PileFile.lnk
Webmaster url service not available
Webmaster site not available
Webmaster url: %s
Wrong webmaster url
hXXp://%s/geturl/%s
Get webmaster info
CT3272810.startpageurl = %s
CT3272810.startpageurl
HKEY_CURRENT_USER\Software\Conduit\ChromeExtData\ocoombckbcnabpaghmokhaapnbngahck\Repository exists
Software\Conduit\ChromeExtData\ocoombckbcnabpaghmokhaapnbngahck\Repository
wstest.exe started
Starting wstest.exe
Qtrax folder was found: '%s'
\Microsoft\Silverlight\OutOfBrowser\*.portal.qtrax.com
Ping sent. Url: '%s'. Status: %d
secret_key
%s/%s
keywordinstalled
keywordexecute
hXXp://%s/api/%s/%s/%s
hXXp://%s/%s/suddendeath/
Can't find url marker
%s screen: cancel is pressed
%s screen: continue is pressed
%s screen is shown
.html
Start %s screen
Uninstalled started. Self path: '%s'
started: %d
?id_1=%s&id_2=%s&id_3=%s
zid: %s
bid: %s
visitor_id: %s
/s /i SweetImBing /u hXXp://VVV.chicdownload.com/index.php /ta /x_t_b_toolbar
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\avast
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\avast
Generated GUID: '%s'. Last error: %d
Keyword: '%s'
Programs path: '%s'
Install path: '%s'
Configured affid: '%s'
--app=chrome-extension://cgeglcjaapbfihfpfmamaoipnbocnjkl/index.html#q="
\Oxy\Application\oxy.exe --app=chrome-extension://cgeglcjaapbfihfpfmamaoipnbocnjkl/index.html#q="
oxy-downloader.exe
hXXp://download.microsoft.com/download/c/6/e/c6e88215-0178-4c6c-b5f3-158ff77b1f38/NetFx20SP2_x86.exe
dotnetfx35.exe
v2.0.50727
\iPumper\iPumper.exe
Distrib downloaded: '%s'. Size: '%d'
hXXps://
hXXp://
download_screen.html
{2A4641B4-EDDB-46D1-B34B-F93E19A8B3DB}
{56837588-F559-40CF-91D9-D439D405FB28}
splash_screen.html
Installer started. Self path: '%s'. Self name: '%s'
KERNEL32.DLL
Windows NT 4
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows CE
Windows NT 3.51
Windows 95
Windows 95 SP1
Windows 95 OSR2
Windows 98
Windows 98 SP1
Windows 98 SE
Windows ME
unknown Windows version
Web Server Edition
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
ADVAPI32.DLL
WUSER32.DLL
888816666554443
6666554443
!6666554443
c:\%original file name%.exe
1.0.0.2
1.0.0.22
xyzHu5YIj.lnk_p
Oxy.exe

%original file name%.exe_228_rwx_10001000_0025B000:




D$.QP
%u%8H
t5Ot.Ot
t5Nt.Nt
mt.It It
t"SSh
Y9O u%f
\$ ;\$0}
u 8F%u
<%u'F
\$09\$,~
@t.IIt
.FG;}
tGHt.Ht&
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Arithmetic table 0xx was not defined
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Component index %d: mismatching sampling ratio %d:%d, %d:%d, %c
DCT scaled block size %dx%d not supported
Invalid component ID %d in SOS
Bogus message code %d
%ld%c
NULL row buffer for row %ld, pass %d
libpng error: %s
libpng warning: %s
Buffer error in compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Incomplete compressed datastream in %s chunk
Unknown zTXt compression type %d
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
Unknown compression type %d
zero length keyword
keyword length must be 1 - 79 characters
Zero length keyword
extra interior spaces removed from keyword
leading spaces removed from keyword
trailing spaces removed from keyword
invalid keyword character 0xX
Out of memory while procesing keyword
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
?#%X.y
GetProcessWindowStation
USER32.DLL
operator
accesskey
user32.dll
CSS ERROR, bad selector in select_elements_by_css: %S
uxtheme.dll
orientation-portrait
composition-supported
1.4.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
file://%s
<html><body style='color:red'>Error: cannot open %s</body></html>
CSSS! RUNTIME ERROR evaluating:%s
SourceUrl
Content-Type: application/x-www-form-urlencoded;charset=utf-8
https
htmlayout 3.3; %s; VVV.terrainformatica.com )
HTTP/1.0
Content-Length: %d
Content-Type: multipart/form-data; boundary=%s
key-on!
key-off!
CSS ERROR in %s at line %d: bad attribute declaration syntax:
CSS ERROR in %s at line %d: bad attribute syntax, ignored:
CSS ERROR in %s at line %d: bad combination of 'display-model' and 'display'
CSS ERROR in %s at line %d: tag %s was already defined
CSS ERROR in %s at line %d: 'display-model' without 'display' definition
CSS ERROR in %s at line %d: bad css selector, following declaration skipped:
CSS ERROR in @import statement at line %d:
CSS ERROR in @include statement at line %d:
CSS ERROR in @font-face statement at line %d, font resource %s is not available
CSS ERROR in @font-face statement at line %d, failed to install font
CSS ERROR in @font-face statement at line %d, declaration is not complete
CSS ERROR in @font-face statement at line %d:
CSS ERROR in @set statement at line %d:
CSS ERROR in @set statement at line %d, parent set %s is not found
CSS ERROR in %s at line %d: AT-rule is not acceptable here, following declaration skipped:
CSS ERROR in %s at line %d: wrong @const declaration, following statement skipped:
CSS ERROR in %s at line %d: invalid @media declaration
crosshair
url()
CSS ERROR in colorize() function: bad color value: %S
CSS ERROR, function '%s' is not supported
CSSS! ERROR in %s at line %d: %s
res:master.css
CSSS! RUNTIME ERROR:%s
<p style='color:red'>ERROR: cyclic INCLUDE of url %s</p>
http-equiv
button.plus
password
-password-char
%u-%u-%u
%u:%u:%u
comctl32.dll
<div.prev-date/>
<div.next-date/>
<text.statusbar>
<span .today-legend/>
<span .today-caption>
</span>: <span .today>
<div .month .button month=
</div><div .year .button>
<th .weekday>
<td .day
.today
.other-month
u-u-u
<td .month
<div .year .button>
<div .decade .button>
<td .year
.other-year
<div .century .button>
<td .decade
.other-decade
%d-<br>%d</td>
image%d%s
http:*
https:*
%d(%d)
cid:%s
<a href="%S">%S</a>
<img src="%s">
Windows-3.11
Windows-95
Windows-95-OSR2
Windows-98
Windows-98-SE
Windows-ME
Windows-CE
Windows-NT4
Windows-2000
Windows-2003
Windows-XP
Windows-Vista
Windows-7
above-Windows-7
%Y-%m-%dZ
%Y-%m-%d
%Y-%m-%dT%H:%MZ
%Y-%m-%dT%H:%M
%Y-%m-%dT%H:%M:%SZ
%Y-%m-%dT%H:%M:%S
%H:%M:%SZ
%H:%M:%S
/:$-_.!*'(),?&=@#%
windows-1250
windows-1253
windows-1256
windows-1255
windows-1251
windows-1252
windows-1257
windows-1258
windows-1254
windows-874
unknown bytecode=%d
attribute '%S' not found or is read only
attribute '%S' not found
function '%S' not found
state flag '%S' not found
state flag '%S' not found or is read only
event '%S' not found
constant '%S' not found
unknown character with code 0x%x
unexpected token '%S'
got '%S' but required %S
bad name token '%S'
unknown variable '%S'
Msimg32.dll
image/vnd.microsoft.icon
UXTHEME.DLL
burlywood
%1x%1x%1x
%1x%1x%1x%1x
%2x%2x%2x
%2x%2x%2x%2x
%s,%u,%d,%d:%dx%d,%d,%d,%d,%d,%d,X
,XXXXXX
url(*)
0123456789
stroke-linejoin
zcÁ
) *,*,* *-*.*.*-*4*5*5*4*<*=*=*<*d*e*e*d*y*z*z*y*}*~*~*}*
.?AUevent_key@html@@
.?AUimage_functor@?1??get_image_urls@document@html@@QAEXAAV?$array@Vstring@tool@@@tool@@@Z@
.?AUexec_env@csss@html@@
.?AUurl_edit_ctl@html@@
.?AUurl_ctl_factory@html@@
.?AUpassword_edit_ctl@html@@
.?AUpassword_ctl_factory@html@@
!"#$%&'()
c:\%original file name%.exe
.www=9Z
style="foreground-image:url(res:edit-undo.png)"
>Undo<span class="accesskey">Ctrl Z</span></li>
style="foreground-image:url(res:edit-cut.png)"
>Cut<span class="accesskey">Ctrl X</span></li>
style="foreground-image:url(res:edit-copy.png)"
>Copy<span class="accesskey">Ctrl C</span></li>
style="foreground-image:url(res:edit-paste.png)"
>Paste<span class="accesskey">Ctrl V</span></li>
>Select All<span class="accesskey">Ctrl A</span></li>
PA<menu .richtext-context>
style="foreground-image:url(res:edit-undo.png)"
>Undo<span class="accesskey">Ctrl Z</span></li>
style="foreground-image:url(res:edit-cut.png)"
>Cut<span class="accesskey">Ctrl X</span></li>
style="foreground-image:url(res:edit-copy.png)"
>Copy<span class="accesskey">Ctrl C</span></li>
style="foreground-image:url(res:edit-paste.png)"
>Paste<span class="accesskey">Ctrl V</span></li>
>Select All<span class="accesskey">Ctrl A</span></li>
<div .cell-selection>
<caption style="color:graytext">Cells:<img.hr/></caption>
>Merge<span class="accesskey">Backspace</span></li>
>Split by rows<span class="accesskey">Ctrl 1</span></li>
>Split by columns<span class="accesskey">Ctrl 2</span></li>
P<menu .plaintext-context>
PADhtml { behavior: accesskeys; }
background-image:url(theme:groupbox-normal);
fieldset > legend:rtl /* see hXXp://terrainformatica.com/forums/topic.php?id=1772 */
widget[type="password"],
input[type="password"],
widget[type="url"],
input[type="url"],
background-image:url(theme:edit-normal);
context-menu:url(res:behavior-edit-menu.htm);
background-image:url(theme:edit-disabled);
:root[type="password"]
behavior:password;
:root[type="url"]
behavior:url;
context-menu:url(res:behavior-edit-menu.htm);
:root > button.minus
background-image:url(theme:v-spin-minus-normal);
:root:rtl > button.minus
:root > button.minus:hover
background-image:url(theme:v-spin-minus-hover);
:root > button.minus:active
background-image:url(theme:v-spin-minus-pressed);
:root > button.minus:disabled
background-image:url(theme:v-spin-minus-disabled);
:root > button.plus
background-image:url(theme:v-spin-plus-normal);
:root:rtl > button.plus
:root > button.plus:hover
background-image:url(theme:v-spin-plus-hover);
:root > button.plus:active
background-image:url(theme:v-spin-plus-pressed);
:root > button.plus:disabled
background-image:url(theme:v-spin-plus-disabled);
background-image:url(theme:button-normal);
background-image:url(theme:button-defaulted);
background-image:url(theme:button-hover);
background-image:url(theme:button-pressed);
background-image:url(theme:button-disabled);
background-image:url(theme:button-pressed); /* ?? */
background-image:url(theme:radio-normal);
background-image:url(theme:radio-hover);
background-image:url(theme:radio-pressed);
background-image:url(theme:radio-disabled);
background-image:url(theme:radio-checked-normal);
background-image:url(theme:radio-checked-hover);
background-image:url(theme:radio-checked-pressed);
background-image:url(theme:radio-checked-disabled);
background-image:url(theme:check-normal);
background-image:url(theme:check-hover);
background-image:url(theme:check-pressed);
background-image:url(theme:check-disabled);
background-image:url(theme:check-checked-normal);
background-image:url(theme:check-checked-hover);
background-image:url(theme:check-checked-pressed);
background-image:url(theme:check-checked-disabled);
background-image:url(theme:check-mixed-normal);
background-image:url(theme:check-mixed-hover);
background-image:url(theme:check-mixed-pressed);
background-image:url(theme:check-mixed-disabled);
foreground-image:url(stock:arrow-down); /* that arrow */
background-image:url(theme:h-progress-back);
foreground-image:url(theme:h-progress-chunk);
background-image:url(theme:edit-normal);
background-image:url(theme:edit-disabled);
foreground-image:url(theme:tree-view-glyph-closed); }
foreground-image:url(theme:tree-view-glyph-open); }
/* tree line support: */
foreground-image:url(theme:check-normal);
option:incomplete > :first-child { foreground-image:url(theme:check-mixed-normal); }
option:checked > :first-child { foreground-image:url(theme:check-checked-normal); }
background-image:url(theme:edit-normal);
background-image:url(theme:edit-disabled);
foreground-image:url(theme:check-normal);
foreground-image:url(theme:check-checked-normal);
/* caption portion of combobox */
/* caption portion of combobox when select is in focus */
:url(theme:combobox-button-normal);
background-image:url(theme:combobox-button-hover);
background-image:url(theme:combobox-button-pressed);
background-image:url(theme:combobox-button-disabled);
:root { background-image:url(theme:button-normal); }
:root:hover { background-image:url(theme:button-hover); }
:root:disabled { background-image:url(theme:button-disabled); }
:root:active { background-image:url(theme:button-pressed); }
:root > button { background: url(stock:arrow-down) center center no-repeat;}
:root > button:hover { background-image:url(stock:arrow-down); background-position: center center; background-repeat: no-repeat;}
:root > button:active { background-image:url(stock:arrow-down); background-position: center center; }
:root:disabled > button { background-image:url(stock:arrow-down); background-position: center center; }
context-menu:url(res:behavior-richtext-menu.htm);
background-image:url(theme:edit-normal);
context-menu:url(res:behavior-text-menu.htm);
background-image:url(theme:h-trackbar-back);
:root > .slider
foreground-image:url(theme:h-trackbar-thumb-normal);
:root:focus > .slider
foreground-image:url(theme:h-trackbar-thumb-focus);
:root > .slider:hover
foreground-image:url(theme:h-trackbar-thumb-hover);
:root > .slider:active
foreground-image:url(theme:h-trackbar-thumb-pressed);
:root:disabled > .slider
foreground-image:url(theme:h-trackbar-thumb-disabled);
background-image:url(theme:v-trackbar-back);
foreground-image:url(theme:v-trackbar-thumb-normal);
foreground-image:url(theme:v-trackbar-thumb-focus);
foreground-image:url(theme:v-trackbar-thumb-hover);
:root > .slider:active
foreground-image:url(theme:v-trackbar-thumb-pressed);
foreground-image:url(theme:v-trackbar-thumb-disabled);
:root > div.page
/*:root > splitter:active { background:transparent url(theme:toolbar-button-checked) stretch; }*/
background-image:url(stock:arrow-right); /* that arrow */
/* accesskey label (span) */
span.accesskey
menu > option:current span.accesskey,
li:current span.accesskey
img.hr
menu.popup,
menu.context,
div.prev-date
background-image:url(theme:h-scrollbar-minus-normal);
div.prev-date:rtl
div.prev-date:active
background-image:url(theme:h-scrollbar-minus-pressed);
div.prev-date:hover {
background-image:url(theme:h-scrollbar-minus-hover);
div.next-date
background-image:url(theme:h-scrollbar-plus-normal);
div.next-date:rtl
div.next-date:active
background-image:url(theme:h-scrollbar-plus-pressed);
div.next-date:hover {
background-image:url(theme:h-scrollbar-plus-hover);
td.month.off,
td.day.off
td.day.other-month,
td.year.other-year,
td.decade.other-decade
:root:current td.month:current,
:root:focus td.month:current,
:root:current td.day:current,
:root:focus td.day:current,
:root:current td.year:current,
:root:focus td.year:current,
:root:current td.decade:current,
:root:focus td.decade:current
td.today
div.button
div.button:hover
background-image:url(theme:toolbar-button-hover);
div.button:active
background-image:url(theme:toolbar-button-pressed);
text.statusbar
span.today
span.today:hover {
background-image:url(theme:toolbar-button-hover);
span.today:active {
background-image:url(theme:toolbar-button-pressed);
span.today-legend
background-image:url(theme:combobox-button-normal);
:root > button.minus:rtl
:root > button.plus:rtl
GetProcessHeap
GetConsoleOutputCP
GetCPInfo
SetViewportOrgEx
SetViewportExtEx
GetViewportExtEx
GetAsyncKeyState
GetKeyboardLayout
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
InternetCombineUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
5.''.''.' ''  $ ';~
&)-),)-))--)--
`<%c}F
"""4.&."
$,((0(($<$$ $$
$$ ($(0,,$( 0($,, $$,\ $
,40000$(((($0($((
40$$$(,,,$
.text
`.rdata
@.data
.rsrc
@.reloc
`<%c}FV
%d%%%%
s*.url
[id='%S'],[name='%S']
frame[id='%s'],frame[name='%s']
#xxx
width(%d%%)
height(%d%%)
url(%S)
import
%S %S %S %S
selector(%S)
%S %S
key-code
key-on
key-off
%s %S
frame[id='%S'],frame[name='%S']
frame[name='%s'],frame#%s
[name='%s']
important
td[value='u-u-u']
div.button.month
div.button.year
tr:nth-child(%d)
All files (*.*)
%S.%s
[command='%s']
ncid:%S
7&#%d;
^(ftp|https?)://((\d \.\d \.\d \.\d |[_a-zA-Z0-9\-] ([\.] [_a-zA-Z0-9\-] )*))(:[0-9] )?((/[_a-zA-Z0-9\.\-]*) )*(\?[_a-zA-Z0-9\&\=\%\,\-\!\(\)\{\}] )?(\#[_a-zA-Z0-9\%] )?$
^ftp\.[_a-zA-Z0-9\-] ([\.] [_a-zA-Z0-9\-] )*((/[_a-zA-Z0-9\.\-]*) )*
hXXp://
PTF://
operand stack overflow
operator stack overflow
missing operand for
operator stack underflow
unknown _operator in evaluntil
())(<>><[]][{}}{
&'()* ,-






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    tmp6.exe:1956
    tmp4.exe:1140
    tmp8.exe:1632
    tmp2.exe:1492
    

    2. 

  2. Delete the original PUP file.
    3. 

  3. Delete or disinfect the following files created/modified by the PUP:
    

    %Documents and Settings%\%current user%\Local Settings\Temp\f553430bf722869adf352c70969473ae_000228.log (57530 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp6.exe (71 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp8.exe (71 bytes)
    %Documents and Settings%\%current user%\Application Data\Oxy\config.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\htmlayout.dll (6388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp2.exe (71 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp4.exe (71 bytes)
    

    4. 

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    5. 

  5. Reboot the computer.
    6. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now