MD5: ac1c9a6db7ad2d21e1a0435e19b917e0
SHA1: 0fadf908dd7dae0185344ebd42d06d669c3783c0
SHA256: 6879a379d4d2e8d334479786878e57e6ab9d9e37ec0470918103df7982155116
SSDeep: 393216:8kIK/MPTmaPbX5GKN2kdFORK65MFxKrXFbqmR:zIaMLmSbEKNEKBMFbq2
Size: 18419984 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-11 00:25:12
Analyzed on: WindowsXP SP3 32-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Process activity

The Worm creates the following process(es):

sgvrfy32.exe:1760
sgvrfy32.exe:484
%original file name%.exe:1872

The Worm injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process sgvrfy32.exe:1760 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%System%\wbem\Logs\wbemprox.log (76 bytes)

The process %original file name%.exe:1872 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ra.dll (15801 bytes)
%WinDir%\winipbin\cmproxfr.dll (286 bytes)
%WinDir%\winipbin\rcxaemap.dll (1797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU3.tmp (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU2.tmp (106 bytes)
%WinDir%\winipbin\bissimo.dll (245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU1.tmp (106 bytes)
%WinDir%\winipbin\eanipw.dll (3875 bytes)
%WinDir%\winipbin\svrltwp.dll (3692 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSVxRsc.dll (15021 bytes)
%WinDir%\winipbin\quasimo.dll (245 bytes)
%WinDir%\Logs\splog.txt (19384 bytes)
%WinDir%\winipbin\vdorctrl.dll (15021 bytes)
%WinDir%\winipbin\mossimo.dll (245 bytes)
%WinDir%\winipbin\sgvrfy32.exe (15021 bytes)
%WinDir%\winipbin\catuxvoc32.dll (4279 bytes)
%WinDir%\winipbin\svrltmgr.dll (15801 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ra.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSVxRsc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU2.tmp (0 bytes)

Registry activity

The process sgvrfy32.exe:1760 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 5E 90 97 96 C1 C1 1F 26 D3 AD DB 28 D8 B6 1A"

The process sgvrfy32.exe:484 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 07 9F 55 FD E7 5A F9 69 5D 3C DF 68 5C ED D1"

[HKLM\System\CurrentControlSet\Services\System Event Dispatcher]
"Description" = "Dispatches system events, such as Windows logons, user inactivity, and shutdown notifications."

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSVxRsc.dll, , \??\%WinDir%\winipbin\msocxusys.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ra.dll, , \??\c:\windows\winipbin\sgvrfy32.log,"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\System Event Dispatcher]
"EventMessageFile" = "%WinDir%\winipbin\sgvrfy32.exe"
"TypesSupported" = "7"
"ParameterMessageFile" = "%WinDir%\winipbin\sgvrfy32.exe"

The process %original file name%.exe:1872 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSVxRsc.dll,"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\winipbin]
"sgvrfy32.exe" = "sgvrfy32"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCR\CLSID\{7072AF5D-43BA-49D7-BA0E-EE4FC76FF1A2}\InprocServer32]
"(Default)" = "%WinDir%\winipbin\svrltmgr.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{7072AF5D-43BA-49D7-BA0E-EE4FC76FF1A2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{64FE9304-2B3B-4A60-BB62-910C016C4A89}]
"(Default)" = "docewmad"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{64FE9304-2B3B-4A60-BB62-910C016C4A89}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Winipdat" = "{64FE9304-2B3B-4A60-BB62-910C016C4A89}"

[HKCR\Fatunmid]
"(Default)" = "Tmpikvox"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Fatunmid\CLSID]
"(Default)" = "{7072AF5D-43BA-49D7-BA0E-EE4FC76FF1A2}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 60 E6 98 CD 33 89 0A 78 DD 4A B3 4E 18 C8 96"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCR\CLSID\{64FE9304-2B3B-4A60-BB62-910C016C4A89}\InprocServer32]
"(Default)" = "%WinDir%\winipbin\vdorctrl.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{F105F8A8-9D47-4942-B13B-DAC8DF268396}\InprocServer32]
"(Default)" = "%WinDir%\winipbin\wzodlg32.dll"

[HKCR\CLSID\{7072AF5D-43BA-49D7-BA0E-EE4FC76FF1A2}\ProgID]
"(Default)" = "Fatunmid"

[HKCR\CLSID\{7072AF5D-43BA-49D7-BA0E-EE4FC76FF1A2}]
"(Default)" = "Tmpikvox"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Worm deletes the following registry key(s):

[HKCR\CLSID\{Cb8DE863-0561-4ffd-9B86-5BA2E941BA52}]

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"(Default)"
"WebExtLocation"

The Worm disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCheckStub"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Worm connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

tcPh

SSh|'[

t.WVh8

VSShL

SSh\ \

SSht \

SShD$\

SShl(\

u"SSSh

XXSSh

.FGy,

u&u

SSh(i]

SSh0i]

8sqliu

 2 34 567

tCPQW

SRSSh

xSSSh

FTPjKS

FtPj;S

C.PjRV

kernel32.dll

%s_%s

Global\%s

0x%p,%d,%d

secur32.dll

WriteSettingsWebMailStrings

locmlurl

locmsurl

locmrmsg

loclurl

locmurl

INTRWEB

AgentSettings.Drives

AgentSettings.YPagerPorts

AgentSettings.XMPPPorts

AgentSettings.SMTPPorts

AgentSettings.POPPorts

AgentSettings.OSCARPorts

AgentSettings.MSNPorts

AgentSettings.IRCPorts

AgentSettings.IMAPPorts

AgentSettings.HTTPSPorts

AgentSettings.HTTPPorts

AgentSettings.GnutellaPorts

AgentSettings.FTPPorts

MSG_Owner

WebMail

SMTPPOP

vKey

szKeyword

KeyEventDef

PortRange

KeywordRecord

ExportXMLSystem

ImportXMLSetting

\\.\%s%d

Windows-1252

%s %dx%dx%d

WindowsVersion

%d.%d.%d %s

" webmailrev="

WebMailRevLevel

svrapi.dll

netapi32.dll

\\%s\%s

AgentSettings.XMPPCaptureType

AgentSettings.IRCCaptureType

ValidatePortsCallback

%systemroot%

sprui\msnetsys.xxx

sprui\msnetsys.dll

microsoft\..\*32.dll

%d,0x%p

SvrUrlItemLegacy

SvrUrlItem

Stop.Time

Start.Time

PortRangeLegacy

ValidateServerCert

AuthenPassword

SmtpAuthType

KeywordRecordLegacy

KeyEventDefLegacy

Msg_Owner

LastMsgRcvdTime

AgentSettings.pRecordURLList

AgentSettings.pSvrBlockUrlList

AgentSettings.pDriveFiltersList

AgentSettings.pPortPortsList

AgentSettings.pPortAppsList

AgentSettings.pEmailLastRecvTimeList

AgentSettings.pEmailFilterList

AgentSettings.pBlockAllAppsList

AgentSettings.pBlockInPortsList

AgentSettings.pBlockOutPortsList

AgentSettings.pBlockUsersList

AgentSettings.pKeyEventList

AgentSettings.pUsersList

AgentSettings.pAppsList

AgentSettings.pBlockedProgramsList

AgentSettings.pBlockIMsList

AgentSettings.pURLList

pKeywordsList

MYSPACE_HTTP

FACEBOOK_HTTP

GTALK_HTTP

MSN_HTTP

KEYSTROKES

bNetLogin

UrlID

UrlType

UrlData

KeyData

KeywordData

KeyStrokeCount

URLCount

ReportData

strErrMsg

RemotePort

DesktopDataBase.Size

DesktopDataBase.Type

KEYWORD

BLK_WEB

WEBMAIL

SMTP

%s\%s

254.254.254.254

CUSTWEB

sys.dll

%d-%X

spddd

0x%p,0x%p,%d

0x%p,%d

Get-Crypt-Keys

DecompressData: Memory Sanity Check Failed, file %s

wsock32.dll

Unable to recover from corrupt file %s !

Corrupt file (%s, type %d) accessed for write access. Resetting.

CreateFileNewPassword2

CreateFileNewPassword

Connect - Unable to load CommDll library, %s

Connect - Unable to load client object: %s !

Connect to LicenseManager - Attempting to connect via IP address (%s, %d).

RequestLicense - Invalid response packet size, %u

%s %d

%s -sa

Manual Start Service pending local (%d)

Stop service '%s' on '%s' (%d)

Service %sstopped '%s' on '%s'

Unable to QueryServiceStatus on '%S' err=%d

Unexpected service state %d after STOP command

Unable to send STOP command to '%S', err=%d

Unable to open handle to '%S', err=%d

Unable to open SCM stopping '%S', err=%d

StopService: %S

StopEXE

Failed to Stop EXE service (%d)

Service EXE Stopped (%d)

SendMsgService

Failed to send service control message: %d (%d) to '%s'

Service control messsage sent: %d to '%s'

%s -r%d

ServiceRestart: (%d)

WFAddServiceToCollection: ERROR %d

WFAddServiceToCollection: %d (%d)

WFRemoveServiceFromCollection: ERROR %d

WFRemoveServiceFromCollection: %d

WFDisableServiceInCollection: ERROR %d

WFDisableServiceInCollection: %d

0x%p,0x%p,%d,0x%p,%d,0x%p

0x%p,0x%p,%d,0x%p,%d

%s: invalid data type (%s)

%s: pData NULL

0x%p,0x%p,%d,0x%p,%d,0x%p,%d

ServiceBase::WriteServiceSetting(): error saving "%s"

0x%p,0x%p,%d,0x%p,%d,%d

0x%p,%d,0x%p,0x%p,0x%p,0x%p,%d

System\CurrentControlSet\Services\%s\Parameters

Service User Control Message: %u (%d)

TypesSupported

regsmtp

useRunKey

lulweb

lulport

PortFileName

URLFileName

KeystrokeFileName

mswshostport

WebServiceListenPort

mschostport

CCSListenPort

mswhostport

WFSListenPort

HostListenPort

msdhostport

DSListenPort

mslhostport

LMListenPort

mswebole

mswebcom

mswebrev

mswebext

HtmlMsg

SuspendMsg

webinetmask

AgentSettings.MaskProgramTitles

AgentSettings.ProgramInactivityTimeout

webinetprg

AgentSettings.CapturePrograms

webcap64

AgentSettings.CaptureContentIE

webcap32

AgentSettings.CaptureContentFF

webcap16

AgentSettings.CaptureContentChrome

webinturl

AgentSettings.IncludeAOLCSURLS

weblocposts

AgentSettings.CapturePOSTS

weblocaolse

AgentSettings.CaptureAOLSE

weblocxpcom

AgentSettings.CaptureXPCOM

URLOldestData

URLMaxDataSize

webloccheck

AgentSettings.IncludeLocalURLS

webnetcheck

AgentSettings.IncludeNetURLS

webinetcheck

AgentSettings.CaptureINetURLS

AgentSettings.MaskPasswords

AgentSettings.CaptureChars

KeyStrokesOldestData

KeyStrokesMaxDataSize

AgentSettings.CaptureKeyStrokes

portPortLst

portPortInc

AgentSettings.PortPortsInclude

portAppLst

portAppInc

AgentSettings.PortAppsInclude

portIAF

PortInactivityFlush

portOld

PortOldestData

portMDS

PortMaxDataSize

portCap

AgentSettings.CapturePort

AgentSettings.DriveFileTracking

AgentSettings.DriveDefault.Types

AgentSettings.CaptureCloud

AgentSettings.DriveFiltersInclude

AgentSettings.DriveDefault.Disposition

AgentSettings.CaptureIMAPI

AgentSettings.CapturePrintPages

AgentSettings.CapturePrinters

AgentSettings.CaptureDrives

hlpvsbftp

webcaphtml

AgentSettings.CaptureINetHTMLUploads

webinetipxp

AgentSettings.CaptureP2P

AgentSettings.StampChat

AgentSettings.CaptureSkype

AgentSettings.CaptureINetMSNExchange

AgentSettings.YPagerCaptureType

AgentSettings.AOLProcessCaptureType

AgentSettings.OSCARCaptureType

AgentSettings.MSNCaptureType

AgentSettings.CaptureINetMySpace443

AgentSettings.CaptureINetOSCAR

AgentSettings.CaptureINetAimExpress

webinetipx

AgentSettings.CaptureChat

AgentSettings.NotesPollingInterval

AgentSettings.NotesLastMsgRcvdTime

AgentSettings.LastMsgRcvdTime

webfiltlst

webfiltdef

AgentSettings.EmailFilterDefaultIgnore

AgentSettings.UseAltMAPICapture

webineticmp

AgentSettings.CaptureINetWebEMail

AgentSettings.MailAttachMaxDataSize

webinetudp

AgentSettings.CaptureAttachments

webinetxde

AgentSettings.CaptureAOLEMail

webinettimap

AgentSettings.CaptureINetIMAPEMail

webinettcp

AgentSettings.CaptureINetSMTPEMail

WebMapiBox

AgentSettings.MAPIInboxOnly

webnotes

AgentSettings.CaptureNotesEMail

webmapi

AgentSettings.CaptureMAPIEMail

webemap

AgentSettings.CaptureEMail

portusb6

portusb5

AgentSettings.SendVScroll

portusb3

AgentSettings.SendEnterEvent

portusb4

AgentSettings.SendMouseWheel

portusb7

AgentSettings.SendMouseRightClick

portusb2

AgentSettings.SendMouseDoubleClick

portusb1

AgentSettings.SendMouseClick

portpnp3

SnapTriggerKeyEnter

portpnp4

portpnp5

portpnp2

portpnp1

SnapTriggerHttpPost

SnapTriggerUrl

AgentSettings.InactivityTimeout

AgentSettings.BlockUsers

AgentSettings.SvrBlockRevertLocal

AgentSettings.SvrBlockEnable

AgentSettings.BlockIMsAccess

AgentSettings.BlockUrlsAccess

AgentSettings.BlockIMsList

AgentSettings.BlockUrlsList

AgentSettings.BlockInternetAccessAll

AgentSettings.BlockInternetAccess

AgentSettings.RecordUrlsList

AgentSettings.RecordUrls

AgentSettings.DenyListedUsers

AgentSettings.RecordUsers

AgentSettings.DenyListedApps

AgentSettings.RecordApps

SnapshotHotkey

ToggleRecordHotkey

HostLoginType

HostLoginPassword

HostLoginUsername

KeywordEmailSubjectStrPRogramWindowCaption

KeywordEmailSubjectStrProgramName

KeywordEmailSubjectStrP2P

KeywordEmailSubjectStrUrls

KeywordEmailSubjectStrKeyStrokes

KeywordEmailSubjectStrWebPages

KeywordEmailSubjectStrChat

KeywordEmailSubjectStrEmail

KeywordEmailFormatStrPRogramWindowCaption

KeywordEmailFormatStrProgramName

KeywordEmailFormatStrP2P

KeywordEmailFormatStrUrls

KeywordEmailFormatStrKeyStrokes

KeywordEmailFormatStrWebPages

KeywordEmailFormatStrChat

KeywordEmailFormatStrEmail

KeywordEmailTimeout

KeywordScreenshotPeriod

KeywordScreenshotRate

ScanWebPages

AgentSettings.CaptureINetWebPages

ScanUrls

ScanKeystrokes

TakeKeywordScreenshot

SendKeywordEmail

SendServerKeywords

AgentSettings.PoliciesPath

shellsvcmsg

TerminalServiceMsgSent

AgentSettings.DecoyFile

AgentSettings.ComAddinName

AgentSettings.ComAddinID

AgentSettings.MapiClsId

AgentSettings.BhoClsId

AgentSettings.pBlockFilesList

SentimentWebPort

SentimentWebURL

SentimentWebHost

AgentSettings.SAFProcessorPath

AgentSettings.FirefoxCaptureESRPath

AgentSettings.FirefoxCaptureLastPath

AgentSettings.FirefoxCapturePath

AgentSettings.DynProcessorWOW64Path

AgentSettings.DynProcessorPath

AgentSettings.AgentWOW64Path

AgentSettings.AgentPath

keydele

DeleteKey

keydeleroot

DeleteKeyRoot

AgentSettings.DeviceName

AgentSettings.DriverPath

KeywordMAPIPath

KeywordServerInfo

LCFireWallHTTPPort

SMTPPort

rmtporttok

RmtPortalToken

rmtportpass

RmtPortalPassword

rmtportlog

RmtPortalLogin

rmts3seckey

RmtS3SecretKey

rmts3keyid

RmtS3KeyID

AgentSettings.CaptureConsoles

AgentSettings.LFMaskShared

AgentSettings.BhoActive

WinAdminPassword

StartRecordingWithWindows

DataFilePasswordHash

AgentSettings.NetInitDelay

AgentSettings.ClearFF

AgentSettings.BlockFileAccess

AdminHotkey

AdminPasswordHash

AdminPassword

AgentSettings.LogFileMask

AgentSettings.LogFileLevel

AgentSettings.LogFilePath

AgentSettings.UseLogFile

DisallowKeystrokeCapture

ineturls

ineturlsn

msocxushell.dll

wwfwnetex.drv

tudmdxiufrm.drv

winfatiosys32.drv

winnetkernel32.drv

winkernel32hlp.drv

wwfwnetex.dll

udmdxiufrm.dll

msfatiosys32.dll

msnetKernel32.dll

mskernel32hlp.dll

-0561-4ffd-9B86-5BA2E941BA52}\OLE\Shell\Commands

MapiAuthentication.Addin

0x%p,%d,0x%p,0x%p,%d

SetAdminPasswordHash

SnapshotHotkeyDisplayable

ToggleRecordHotkeyDisplayable

AdminHotkeyDisplayable

CEAdmin.cfg

GetComputerInfo - Unable to load NETAPI32.DLL library.

GetComputerInfo - Unable to get NETAPI32.DLL function pointers.

GetComputerInfo - NetWkstaGetInfo error (%d,0x%p).

NETAPI32.DLL

-0561-4ffd-9B86-5BA2E941BA52}

SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks

SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

WebExtLocation

bSOFTWARE\Microsoft\Windows\CurrentVersion\Run

WebCheckStub

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

CLSID\%s

%s -u

CLSID\%s\InProcServer32

SCHTASKS /CREATE /SC ONSTART /RU SYSTEM /TN %s /TR "%s"

RD /Q "%s"

clntprxyio.dll

clntprxy.dll

SCHTASKS /DELETE /F /TN %s

RD /S /Q "%s"

xxxxx

xxxxxxxxxxxxxxxxx.cmd

SpectorCNE.chm

SOFTWARE\Wow6432Node\Classes\CLSID\{4A85C0C0-C52C-4C08-9E88-F012BF35623A}

SOFTWARE\Classes\CLSID\{7640DFF4-252C-470E-ACB7-1922EA57A0B9}

CKeywordLists

CKeywordLists::MakeKeywordInfo

CKeywordLists::FindKWListInUserList

KeywordListNames

KeywordUserLists

KeywordList

ERROR GetList: Keyword List:%s size:%d

ERROR GetList: Keyword List:%s ReadValue failed

GetList: Keyword List:%s Section:%s size:%d

GetList: Keyword List:%s Section:%s failed, no lists!

%s_%d

L:%s\%s\%s

N:%s\%s

GetSetupFileContent '%s' (0x%p,%d) (%d)

ProcessGetIPAddress (%d,%d) '%s - %s'

%d.%d.%d.%d

GetLogFileContent '%s' (0x%p,%d) (%d)

Calling TermClient from ExecuteUninstall

0x%p, %d, 0x%p, %d

ProcessGetSetupFileIni (%d,%d)

ProcessGetLogFile (%d,%d)

CheckSettingsImport1

CheckSettingsImport

msnwcfg.ini

0x%p, %d, 0x%p

CommHost: Received RemoteCommand (%d) from computer %s SN %s MachineID %s

EnumKeys

Failed to load communications library (%s).

Failed to load server object: %s

Started listening on port %d (%d).

Checking Pushed Data ended, total time: %d msecs

AddKeystrokesToList

ProcessKeystrokeFile1

ProcessKeystrokeFile

CheckUrlCategory

SendDataRecord: Returned no URL page category for (%s).

SendDataRecord: Returned URL page category: %d for (%s).

InitClient: Unable to load CommDLL (%s)

InitWFSClient: Connect failed (%s, %d, %s, %s) (%s, %s, %s, %s).

InitClient: Unable to create client object: %s

InitClient: Attempting to connect via IP address (%s, %d).

InitClient: Connect failed (%s, %d, %s, %s) (%s, %s, %s, %s).

InitClient Comm Path %s

DataPush::ProcessDisplayFile CreateFileNewPassword (%s,%s) failed!!!

DataPush::ProcessDisplayFile SendFile (%s,%s) failed!!!

DataPush::ProcessDisplayFile End, '%s'

Unable to delete file (%s) : %s

snapshotXX.%s

PushData: Failed to send all users to server - sent %d/%d records.

PushData: Unable to open User data file %s - error %d !!!

ProcessDF: Could not find any transactions for transmission (%s, %d, %d).

ProcessDF: Failed to send record to server (%s)

Score send failed with response code %d

Attempting to send sentiment scores to %s:d/%s

Unable to create sentiment scoring web request

Unable to create sentiment scoring web client

Found %d unsent sentiment scores

PushData: Failed to initialize client communications (Port %d on %s).

PushData: Session complete. Sent %d data transactions, %d snapshot files.

PushData: Session complete. Sent %d data transactions, %d snapshot files, %d sentiment scores.

Unable to signal sentiment scoring mutex - will attempt again on next data push (%d)

d-%x.sdf

PushData: Pushing, maximum %d seconds.

ALERT DATA: [username = %s, User Hash = %d, Source: %s, Keywords %s]

ALERT DATA: no. of alerts %d

RunSetupExe

RunSetupExe End (%d)

RunSetupExe Start '%s' '%s'

ExecUninstallThread End '%s'

GetClientInfo '%s' (%d,%d,%d,%d,%d) ( %s )

GetRecordState '%s' (%d-%d-%d,%d,%d,%d,%d,%d,%d,%d,%d,%d)

GetClientOSInfo '%s' (%d) '%s' '%s' '%s'

%s\%s\%s

Windows NT

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

Error deleting m_pUdp object

PushOSInfo: Pushing info to server end '%s\%s' (%d,0x%p) (%d) (0x%p)

PushOSInfo: Pushing info to server start (%d,%d,%d)

ExecUninstallRequest Abort '%s'

InitCommClient: Unable to load CommDLL (%s)

InitCommClient: Unable to create client object: %s

InitCommClient: Attempting to connect via IP address (%s, %d).

InitCommClient: Connect failed (%s, %d, %s, %s) (%s, %s, %s, %s).

InitCommClient: Initializing TCP client using '%s'

ExecChangeModeThread End '%s' - (%d,%d)

Error communicating with CCS to retrieve new mode [%d]

Got new mode from CCS [Mode = %d, Wrote Setting = %d]

%s End

%s Start

InfoPush::ExecNotifyOfLicenseRecheck

ExecUpdateThread End '%s' - (%d,%d,%d)

ExecInstallThread End '%s' - (%d,%d,%d,%d) (%d,%d)

spsetup.exe

Unable to write alert definitions for [%s] [Erase = %d] [Sync = %d, ews = %p]

Error writing alert definitions [Erase = %d]

Erase alert definitions done for [%s] [Erase = %d] [Sync = %d, ews = %p]

Write alert definitions done for [%s] [Erase = %d] [Sync = %d, ews = %p]

ExecUpdateRequest Abort '%s'

ExecInstallRequest Abort '%s'

ExecUpdateSyncThread End '%s' - (%d,%d)

%s#%s

Unable to update alert definitions for user [%s] [Erase = %s]

PushRecordInfo: Pushing info to server end S(%d,%d) R(%d,%d,%d) (%d,%d,%d,%d,%d,%d)

PushRecordInfo: Pushing info to server check S(%d,%d,%d,%d,%d) R(%d,%d,%d,%d,%d)

PushRecordInfo: Pushing info to server message out of sync flush (%d, %d, %d, %d)

PushRecordInfo: Pushing info to server start [Port = %d, Stop = %d, Uninstalling = %d, Bootstrap = %d]

Alert definitions received with [Flags %d ] [ NumOfDefaultUserKeywords %d ] [NumOfUserKeywords %d ]

EWSCCSimulate.exe

InfoPushInput.txt

Starting alert definition fetch for user [%s]

InitPushClient: CCS Host Initialize Success '%s' in %d secs on Port: %d (%d)

InitPushClient: CCS Host Initialize Failed '%s' in %d secs (WSAErr: %d) (%d)!!!

%s - Addr HostEntEntry = [AddrType = %d, HostLength = %d, Name = %s, AddrPtr = %p]

%s - Reverting to IP Addr [%s (%d)]

InitPushClient: CCS Host resolve '%s' (%d) %d.%d.%d.%d

%s - HostEntEntry = [AddrType = %d, HostLength = %d, Name = %s, AddrPtr = %p]

InitPushClient: CCS Host gethostbyname Failed '%s' (WSAErr: %d)!!!

%s - Resolved %s [ %p ]

InitPushClient: Initializing UDP client to '%s' on Port: %d AltIP:(%d) '%s'

%s - WSA Startup returned [%d]

Unable to create user information state for user [%s]

Skipping user [%s] for EWS definitions update. 5 minute interval has not elapsed.

%s - Found dns domain [%s]

Kernel32.dll

%s - Found domain [%s]InfoPush::Initialize

%s - Found computer name [%s]

CKeywordDBLists::Init

Recorder::getKeywordsFromDB

<KWListReq listid="%d" serialnumber="%s"/>

<KWListNameReq serialnumber="%s"/>

CKeywordLists::getListUserFromDB

(KWS) getListUserFromDB: number of list:%d

(KWS) getListUserFromDB: Adding list:%d

<KWListUserReq user="%s" serialnumber="%s"/>

CKeywordLists::DisplayCacheListsInfo

(KWS) DisplayCacheListsInfo: List:%s ID:%d Version:%d

CKeywordLists::CacheKWList

(KWS)CacheKWList: %s

CKeywordLists::deleteCachedKWList

CKeywordLists::AddNewListFromDB

(KWS)AddCachedListFromDB: Update Keyword list:%s,ID:%d, Version:%d

(KWS) AddCachedListFromDB: Adding list:%s

(KWS)cacheKeywords:Done

Recorder::cacheKeywords

(KWS)cacheKeywords: SetKWListNames failed!

(KWS)cacheKeywords: Update Keyword version list

(KWS) cacheKeywords: Adding list:%s

(KWS)cacheKeywords: Adding list:%s

(KWS) cacheKeywords: list:%s version difference %d :%d

(KWS) cacheKeywords: Removing list:%s No longer in DB!

(KWS) cacheKeywords: Checking list: %s

(KWS) cacheKeywords: Checking %d lists

(KWS) cacheKeywords: Unable to get lists from DB

KeywordMgr

KeywordMgrThread deleting objs

KeywordMgrThread

(KWS) Caching Keywords complete!!!

(KWS) Checking current list :%d with user list:%d

(KWS) Reload CurrUser:count:%d != User:count:%d

(KWS) Request recieved from :%s

(KWS) Request recieved size %d

(KWS) GetLastError error result:%d

(KWS) GetOverlappedResult bytes returned:%d

(KWS) Keyword server waiting...

(KWS) Unable to create named pipe: %s

\\.\PIPE\kwordlist

(KWS) Unable to create KeywordList Object

KeywordMgr::Initialize: Unable to create keyword loader event

(KWS) KeywordMgr::Initialize: Thread Started...

Global\SPxKeywordLoadNoChange

Global\SPxKeywordLoadComplete

KeywordMgr: Starting

%s - Request to force recheck of license

0x%x,%d,0x%x,0x%x

GetLicenseResponse returned a license handle, 0x%X

GetLicenseResponse returned a remote error status(0x%X): %s !!!

About to check license status [Current License Information = %d]

Uninstall service name (%s) on (%s)

Uninstalling service...service only

Client Service Name (%s)

Client Service Path (%s)

%SystemRoot%\System32\

Client Install Machine Name (%s)

Start of Client Service code (%s)

msocxushell2.dll

user32.dll

advapi32.dll

Could not instantiate user policy web service communications thread.

Could not create user policy web service communications object.

Policy file: %s

User policy info: %s, %d

No web service port specified - using default value

Invalid web service port specified: %lu

Dispatches system events, such as Windows logons, user inactivity, and shutdown notifications.

Failed: Client Service initializing. %s Version %s Build %d

Client Service initializing. %s Version %s Build %d

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

SQLiteManager

cSQLiteRow::GetColumnValueT

No SQL statement specified.

large file support is disabled

unknown operation

SQL logic error or missing database

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_log

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

RowKey

3.7.7.1

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

922337203685477580

SQLITE_

FAPI call with %s database connection pointer

OsError 0x%x (%u)

os_win.c:%d: (%d) %s(%s) - %s

%s\etilqs_

2nd reference to page %d

invalid page number %d

%s(%d)

keyinfo(%d

%r %s BY term out of range - should be between 1 and %d

Expression tree is too large (maximum depth %d)

too many SQL variables

variable number must be between ?1 and ?%d

too many columns in %s

%s OR name=%Q

type='trigger' AND (%s)

table %s may not be altered

sqlite_

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

duplicate column name: %s

too many columns on %s

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

foreign key on %s should reference only one column of table %T

a JOIN clause is required before %s

cannot modify %s because it is a view

table %s may not be modified

foreign key mismatch

error during initialization: %s

no entry point [%s] in shared library [%s]

unable to open shared library [%s]

sqlite3_extension_init

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s:%d

no such index: %s

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

sqlite_master

sqlite_temp_master

vtable constructor did not declare schema: %s

vtable constructor failed: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

%s (~%lld rows)

%s VIRTUAL TABLE INDEX %d:%s

%s (rowid<?)

%s (rowid>?)

%s (rowid>? AND rowid<?)

%s (rowid=?)

%s USING INTEGER PRIMARY KEY

%s USING %s%sINDEX%s%s%s

%s AS %s

%s TABLE %s

%s SUBQUERY %d

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

zipvfs database is corrupt. Line %d of [%.10s]

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

Recovered %d frames from WAL file %s

cannot limit WAL size: %s

foreign key constraint failed

unable to use function %s in the requested context

zeroblob(%d)

DELETE FROM %Q.%s WHERE %s=%Q

CREATE TABLE %Q.%s(%s)

%s %T cannot reference objects in database %s

default value of column [%s] is not constant

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

no such collation sequence: %s

%s - %s

malformed database schema (%s)

cannot join using column %s - column not present in both tables

cannot have both ON and USING clauses in the same join

a NATURAL join may not have an ON or USING clause

%s.%s

%s-shm

bind on a busy prepared statement: [%s]

%s: %s

%s: %s.%s

%s: %s.%s.%s

misuse of aliased aggregate %s

not authorized to use function: %s

too many terms in %s BY clause

EXECUTE %s%s SUBQUERY %d

%.*s"%w"%s

%s%.*s"%w"

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

Cannot add a PRIMARY KEY column

invalid name: "%s"

automatic extension loading failed: %s

d-d-d d:d:d

SELECTs to the left and right of %s do not have the same number of result columns

LIMIT clause should come after %s not before

ORDER BY clause should come after %s not before

BmTunknown database: %s

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

failed to get page %d

%d of %d pages missing from overflow list starting at %d

freelist leaf count too big on page %d

Fragmentation of %d bytes reported as %d on page %d

Multiple uses for byte %d of page %d

Corruption detected in cell %d on page %d

On page %d at right child:

On tree page %d cell %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

Page %d:

Outstanding page count goes from %d to %d during this analysis

Pointer map page %d is referenced

Page %d is never used

indexed columns are not unique

%s-mjX

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such vfs: %s

%s mode not allowed: %s

no such %s mode: %s

unknown database %s

database %s is locked

cannot detach database %s

no such database: %s

PRIMARY KEY must be unique

%s.%s may not be NULL

unable to close due to unfinished backup operation

ZV-%s

cannot read zipvfs version: %d

no such zipvfs module: %s

misuse of aggregate: %s()

database schema is locked: %s

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

PRAGMA vacuum_db.synchronous=OFF

cannot VACUUM - SQL statements in progress

cannot use index: %s

at most %d tables in a join

constraint failed at %d in [%s]

abort at %d in [%s]: %s

database table is locked: %s

cannot change %s wal mode from within a transaction

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot commit transaction - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot %s savepoint - SQL statements in progress

no such savepoint: %s

cannot open savepoint - SQL statements in progress

statement aborts at %d: [%s] %s

cannot open value of type %s

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unsupported file format

no such trigger: %S

unable to open database: %s

database %s is already in use

too many attached databases - max %d

sqlite_sequence

there is already an index named %s

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

no such index: %S

unable to identify the object to be reindexed

no such table: %s

sqlite_subquery_%p_

cannot create INSTEAD OF trigger on table: %S

cannot create %s trigger on view: %S

cannot open %s column for writing

no such column: "%s"

cannot open view: %s

cannot open virtual table: %s

indexed

foreign key

sqlite_altertab_%s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

table %s has no column named %s

sqlite_autoindex_%s_%d

index %s already exists

there is already a table named %s

virtual tables may not be indexed

views may not be indexed

table %s may not be indexed

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

CREATE TABLE %Q.sqlite_sequence(name,seq)

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

view %s is circularly defined

table %S has no column named %s

%d values for %d columns

table %S has %d columns but %d values were supplied

*** in database %s ***

unsupported encoding: %s

foreign_key_list

no such column: %s

there is already another table or index with this name: %s

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

view %s may not be altered

-- TRIGGER %s

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %s.sqlite_sequence WHERE name=%Q

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

table %s may not be dropped

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

%d.%d.%d

CryptGetKeyParam

CryptImportKey

CryptExportKey

CryptDeriveKey

CryptGetUserKey

CryptDestroyKey

CryptGenKey

ADVAPI32.dll

CRYPT32.dll

::AquireKeyContainer

0x%p,%d,%d,%d

%d,%d,%d

0x%x,0x%p,%d,0x%p,0x%p,%d

0x%p,0x%p,%d,%d

::ResetKeyBlob

::IsKeySpecValid

::DeriveSessionKey

0x%p,%d,0x%p,%d,%d,%d

Error encrypting data getting data size (0x%x) (%x)

Error encrypting data while encrypting (0x%x) (%x) (%d,%d,%d)

Data encrypted successfully (%d, %d, %d)

Error decrypting data while decrypting (0x%x) (%x) (%d,%d,%d)

Data decrypted successfully (%d, %d, %d)

X:

% 03dd

default.log

ddd d:d:d%s M m m .10s %-8.8s %-4.4s %-12.12s %-12.12s %-7.7s =>

ws2_32.dll

%*.*f

MSMSGS

FTP Voyager

Ftpvoyager

Windows Messaging

Cute FTP

Cutftp32

\wininit.ini

PendingFileRenameOperations

CWindowsFirewall

::DisablePort

FDisableAppAndPort

::IsPortEnabled

::AddPort

::RemovePort

AddAppAndPort

RemoveAppAndPort

Advapi32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

dbghelp.dll

%s\%s_ddd-ddd-%ld-%ld.dmp

QA1Q0ZWQIE_%d

CreateAlertKeyword

Visual C   CRT: Not enough memory to complete call to strerror.

portuguese-brazilian

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

Property not supported

src\DateTime.cpp

https

bad or invalid port number

%<>{}|\"^`

src\NumberFormatter.cpp

%I64d%c

%I64u%c

%I64x%c

Invalid HTTP version string

HTTP request URI invalid or too long

HTTP request method invalid or too long

No HTTP request header

HTTP reason string too long

Invalid HTTP status code

No HTTP response header

Unsupported Media Type

HTTP Version not supported

Cannot set the port number for an already connected session

Cannot set the proxy host and port for an already connected session

Cannot set the proxy port number for an already connected session

hXXp://

src\MessageHeader.cpp

HTTP Exception

Unsupported HTTP redirect (protocol change)

FTP Exception

SMTP Exception

WebSocket Exception

HttpOnly

; HttpOnly

()[]/|\',;

src\Socket.cpp

No IPv6 support available

src\SocketImpl.cpp

Address family not supported

Protocol family not supported

Operation not supported

Socket type not supported

Protocol not supported

Socket operation attempted on non-socket

Operation already in progress

Operation now in progress

Operation would block

Missing port number

!hostAndPort.empty()

src\SocketAddress.cpp

Invalid address length passed to SocketAddress()

unsupported IP address family

src\IPAddress.cpp

Invalid or unsupported address family passed to IPAddress()

255.255.255.255

Invalid address length passed to IPAddress()

Invalid or unsupported address family passed to StreamSocketImpl

src\HostEntry.cpp

%Y-%m-%dT%H:%M:%S%z

%Y-%m-%dT%H:%M:%s%z

%w, %e %b %y %H:%M:%S %Z

%w, %e %b %Y %H:%M:%S %Z

%w, %d %b %Y %H:%M:%S %Z

%W, %e-%b-%y %H:%M:%S %Z

%W, %e %b %y %H:%M:%S %Z

%w %b %f %H:%M:%S %Y

%Y-%m-%d %H:%M:%S

Unsupported or invalid date/time format

%W, %e %b %r %H:%M:%S %Z

%w, %e %b %r %H:%M:%S %Z

src\MemoryPool.cpp

src\UnicodeConverter.cpp

src\TextIterator.cpp

src\TextConverter.cpp

Windows

import

parse_url

fpassthru

is_executable

Windows_vfs

array_key_exists

JX9_URL_FRAGMENT

JX9_URL_QUERY

JX9_URL_PATH

JX9_URL_PASS

JX9_URL_USER

JX9_URL_PORT

JX9_URL_HOST

JX9_URL_SCHEME

rawurldecode

rawurlencode

urldecode

urlencode

join_recursive

join

01234567

0123456789

1.1.6

unqlite/1.1.6

Copyright (C) Symisc Systems, S.U.A.R.L [Mrad Chems Eddine <[email protected]>] 2012-2013, hXXp://unqlite.org/

Empty key

Jx9/1.7.2

%d.%d Ë

%.3s, d %.3s M d:d:d

M-d-dTd:d:d% 05d

d:d:d

d:d

d:d:d %s

d/d/d

%d-d-d

%d-d-d d:d:d

JSON Object: Unexpected expression, key must be of type string, literal or simple variable

JSON Object: Missing entry key

[lambda_%d]

Expected '(' after 'while' keyword

Expected expression after 'while' keyword

Expected '(' after 'for' keyword

foreach: Missing $key => $value pair

foreach: Missing $key

Expected variable after 'static' keyword

Expected '(' after 'switch' keyword

Expected expression after 'switch' keyword

Syntax error: Unexpected keyword '%z'

%u Error count limit reached, JX9 is aborting compilation

%u %s:

d-d-d

printegereturnconstaticaselseifloatincludefaultDIEXITcontinuediewhileASPRINTbooleanbreakforeachfunctionimportstringswitchuplink

2147483648

2147483647

9223372036854775808

9223372036854775807

'%z': Expecting a variable as left operand

'%z' operator needs l-value

'%z': Missing operand

'%z': Missing/Invalid operand

'%z': Left operand must be a modifiable l-value

IO routine(%s) not implemented in the underlying VFS, JX9 is returning FALSE

IO routine(%s) not implemented in the underlying VFS

Microsoft Windows

Microsoft Windows NT

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Windows Server 2003

Microsoft Windows Vista

Microsoft Windows 7

Microsoft Windows 8

%u.%u build %u

%s localhost %u.%u build %u x86

IO routine(%s) not implemented in the underlying stream(%s) device, JX9 is returning FALSE

IO routine(%s) not implemented in the underlying stream(%s) device

%z%c%z

No stream device is associated with the given path(%s)

IO error while opening '%s'

Read-only stream(%s): Cannot perform write operation

IO error while opening source: '%s'

IO error while opening destination: '%s'

Expecting a file path or URL

No stream device is associated with the given URI(%s)

C:\Windows\Temp

} }/* Close the handle */closedir($pHandle);if( ($iFlags & GLOB_NOSORT) == 0 ){ /* Sort the array */ sort($pArray);}if( ($iFlags & GLOB_NOCHECK) && sizeof($pArray) < 1 ){ /* Return the search pattern if no files matching were found */ $pArray[] = $pattern;}/* Return the created array */return $pArray;}/* Creates a temporary file */function tmpfile(){ /* Extract the temp directory */ $zTempDir = sys_get_temp_dir(); if( strlen($zTempDir) < 1 ){ /* Use the current dir */ $zTempDir = '.'; } /* Create the file */ $pHandle = fopen($zTempDir.DIRECTORY_SEPARATOR.'JX9'.rand_str(12), 'w '); return $pHandle;}/* Creates a temporary filename */function tempnam(string $zDir = sys_get_temp_dir() /* Symisc eXtension */, string $zPrefix = 'JX9'){ return $zDir.DIRECTORY_SEPARATOR.$zPrefix.rand_str(12);}function max(){ $pArgs = func_get_args(); if( sizeof($pArgs) < 1 ){ return null; } if( sizeof($pArgs) < 2 ){ $pArg = $pArgs[0]; if( !is_array($pArg) ){ return $pArg; } if( sizeof($pArg) < 1 ){ return null; } $pArg = array_copy($pArgs[0]); reset($pArg); $max = current($pArg); while( FALSE !== ($val = next($pArg)) ){ if( $val > $max ){ $max = $val; } } return $max; } $max = $pArgs[0]; for( $i = 1; $i < sizeof($pArgs) ;   $i ){ $val = $pArgs[$i];if( $val > $max ){ $max = $val;} } return $max;}function min(){ $pArgs = func_get_args(); if( sizeof($pArgs) < 1 ){ return null; } if( sizeof($pArgs) < 2 ){ $pArg = $pArgs[0]; if( !is_array($pArg) ){ return $pArg; } if( sizeof($pArg) < 1 ){ return null; } $pArg = array_copy($pArgs[0]); reset($pArg); $min = current($pArg); while( FALSE !== ($val = next($pArg)) ){ if( $val < $min ){ $min = $val; } } return $min; } $min = $pArgs[0]; for( $i = 1; $i < sizeof($pArgs) ;   $i ){ $val = $pArgs[$i];if( $val < $min ){ $min = $val; } } return $min;}

hXXp://jx9.symisc.net/

%s  %8u %#8x [%u]

Fatal, JX9 engine is running out of memory while loading JSON array/object at instruction #:%d

[%u]apArg

Copyright (C) Symisc Systems 2012-2013, hXXp://jx9.symisc.net/

1.7.2

%s %s, %s

port

IO error while importing: '%z'

http/1.0

HTTP/1.0

HTTP/1.1

HTTP_ACCEPT

HTTP_ACCEPT_CHARSET

HTTP_ACCEPT_ENCODING

HTTP_ACCEPT_LANGUAGE

HTTP_CONNECTION

HTTP_HOST

HTTP_REFERER

HTTP_USER_AGENT

application/x-www-form-urlencoded

Append operation will cause data overflow

IO error while reading journal file '%s' header

Cannot rollback journal file '%s' due to a read-only database handle

IO error while opening journal file: '%s'

No such Key/Value storage engine '%z'

IO error while opening the target database file: %s

IO error while opening journal file: %s

Storage engine '%s' does not support cursors

Cannot install a default Key/Value storage engine

Cannot create new collection '%z' due to a read-only Key/Value storage engine

Cannot store record into collection '%z' due to a read-only Key/Value storage engine

Cannot delete record from collection '%z' due to a read-only Key/Value storage engine

Cannot remove collection '%z' due to a read-only Key/Value storage engine

%d-%d-%d d:d:d

Error while storing record %d in collection '%z'

CaptureKeystrokes

CaptureKeywords

CapturePort

CaptureINetURLS

Service32.pdb

GDI32.dll

WSOCK32.dll

WTSAPI32.dll

NETAPI32.dll

GetKeyNameTextA

MapVirtualKeyA

GetKeyboardLayout

USER32.dll

Secur32.dll

GetWindowsDirectoryA

WinExec

DisconnectNamedPipe

ConnectNamedPipe

CreateNamedPipeA

GetProcessHeap

KERNEL32.dll

MapVirtualKeyExA

ExitWindowsEx

ReportEventA

RegOpenKeyExA

RegDeleteKeyA

RegCreateKeyExA

RegCloseKey

RegCreateKeyA

RegEnumKeyExA

RegGetKeySecurity

RegSetKeySecurity

ole32.dll

SHELL32.dll

OLEAUT32.dll

SHLWAPI.dll

WS2_32.dll

GetCPInfo

PeekNamedPipe

Service32.exe

unqlite_array_add_strkey_elem

unqlite_kv_cursor_key

unqlite_kv_cursor_key_callback

unqlite_vm_exec

vdorctrl.dll

vdorctrl2.dll

svrltmgr.dll

svrltmgr64.dll

mxcrsc32.exe

snxapi.exe

vdorctrl.sys

wshvtx.exe

secadtr.dll

cmproxfr.dll

ashl16.dll

ashl32.dll

sgvrfy32.exe

nmcpusym.dll

xsysym.dll

svrltwp.dll

svrltwp64.dll

svrlser.dll

vidithnk.dll

wzodlg32.dll

winipdat.log

safser32.dll

ntvshl.exe

mzsyk32.dll

eanipw.dll

qasapmov.db

qasapavi.db

rcxaemap.dll

quasimo.dll

mossimo.dll

pfwizard.dll

bissimo.dll

ssbtc.dat

ssbtg.dat

ssbtl.dll

ssbtd.dir

spssd.db

SOFTWARE\Classes\CLSID\{F105F8A8-9D47-4942-B13B-DAC8DF268396}

zcÁ

.?AVPropertyNotSupportedException@Poco@@

.?AVHTTPRequest@Net@Poco@@

.?AVHTTPMessage@Net@Poco@@

.?AVHTTPException@Net@Poco@@

.?AVHTTPResponse@Net@Poco@@

.?AVHTTPSession@Net@Poco@@

.?AVHTTPClientSession@Net@Poco@@

.?AVUnsupportedRedirectException@Net@Poco@@

.?AVFTPException@Net@Poco@@

.?AVSMTPException@Net@Poco@@

.?AVWebSocketException@Net@Poco@@

.?AVHTTPStreamBuf@Net@Poco@@

.?AV?$BasicBufferedStreamBuf@DU?$char_traits@D@std@@VHTTPBufferAllocator@Net@Poco@@@Poco@@

.?AVHTTPIOS@Net@Poco@@

.?AVHTTPInputStream@Net@Poco@@

.?AVHTTPOutputStream@Net@Poco@@

.?AVHTTPFixedLengthStreamBuf@Net@Poco@@

.?AVHTTPFixedLengthIOS@Net@Poco@@

.?AVHTTPFixedLengthInputStream@Net@Poco@@

.?AVHTTPFixedLengthOutputStream@Net@Poco@@

.?AVHTTPChunkedStreamBuf@Net@Poco@@

.?AVHTTPChunkedIOS@Net@Poco@@

.?AVHTTPChunkedInputStream@Net@Poco@@

.?AVHTTPChunkedOutputStream@Net@Poco@@

.?AVHTTPHeaderStreamBuf@Net@Poco@@

.?AVHTTPHeaderIOS@Net@Poco@@

.?AVHTTPHeaderInputStream@Net@Poco@@

.?AVHTTPHeaderOutputStream@Net@Poco@@

.?AVWindows1252Encoding@Poco@@

%WinDir%\winipbin

catuxvoc32.dll

8.2.1121

nipbin\sgvrfy32.exe

%WinDir%\winipbin\sgvrfy32.exe

: :$:(:,:0:4:8:<:

9%9X:i;|;

1)2F2X2z2

1*121;1]1

9!:&:5:;:

:*;2;;;|;

5Q5C5]5f5

^70888"9-9

4"5)50575=5

1|3054585<5@5

7 7$7)9::

4*444:4@4|4

0090?0

\364<5|6

< =2=;=]=

9 9$9(9,9

9 9$9(9,9094989

1 1$1(1,1014181<1

;(;,;0;4;8;<;@;

7 7$7(7,7

=(?,?0?4?

: :4:<:\:

7(747<7\7

0(00080@0`0

9(949<9\9

?(?4?<?\?

:(:4:<:\:

0(040<0\0

4(444<4\4

<(<4<<<\<

=,=8=@=`=

=$=<=@=\=`=

1 1(101<1

set[@name="%S"]

IhXXp://%S:%i

777705555443332

5555443332

5555443332

Spector Web Filter Server

Spector 360 SQL Server

KERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

mscoree.dll

wUSER32.DLL

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   sgvrfy32.exe:1760
   sgvrfy32.exe:484
   %original file name%.exe:1872

2. Delete the original Worm file.
   
3. Delete or disinfect the following files created/modified by the Worm:
   

   %System%\wbem\Logs\wbemprox.log (76 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ra.dll (15801 bytes)
   %WinDir%\winipbin\cmproxfr.dll (286 bytes)
   %WinDir%\winipbin\rcxaemap.dll (1797 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UUU3.tmp (106 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UUU2.tmp (106 bytes)
   %WinDir%\winipbin\bissimo.dll (245 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UUU1.tmp (106 bytes)
   %WinDir%\winipbin\eanipw.dll (3875 bytes)
   %WinDir%\winipbin\svrltwp.dll (3692 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\MSVxRsc.dll (15021 bytes)
   %WinDir%\winipbin\quasimo.dll (245 bytes)
   %WinDir%\Logs\splog.txt (19384 bytes)
   %WinDir%\winipbin\vdorctrl.dll (15021 bytes)
   %WinDir%\winipbin\mossimo.dll (245 bytes)
   %WinDir%\winipbin\sgvrfy32.exe (15021 bytes)
   %WinDir%\winipbin\catuxvoc32.dll (4279 bytes)
   %WinDir%\winipbin\svrltmgr.dll (15801 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.