Worm.Win32.Rebhip_8a75cba2f8

by malwarelabrobot on June 12th, 2015 in Malware Descriptions.

Trojan.Win32.Llac.jvqw (Kaspersky), Trojan-Banker.Win32.Brasil.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, WormRebhip.YR, GenericAutorunWorm.YR, GenericInjector.YR, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, VirTool, WormAutorun


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 8a75cba2f86d2ed3b4686b99161a59e4
SHA1: 0de9e93fbb87ae8ebd99b11c816265c66b71efb4
SHA256: 59de5fd5ed609dd246c6ae00a3dc651812ad0a43b9a9766194e775b196fc88ca
SSDeep: 49152:we2 5 MT06hHVNlkYZtMoYEFZ9fTSTYYqwt26gFKv:weQMT0GHzlgoYEDBTK wXgC
Size: 1898496 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-01 01:20:50
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.


Process activity

The Worm creates the following process(es):

Temprundll.exe:1932
Temprundll.exe:1228
cscript.exe:1976
%original file name%.exe:484
cffmon.exe:544
cffmon.exe:1452

The Worm injects its code into the following process(es):

Tempg.exe:1224
Explorer.EXE:532
iexplore.exe:1304

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Temprundll.exe:1932 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wixflvv (1769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (588 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wixflvv (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)

The process Temprundll.exe:1228 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Program Files%\Fonts\cffmon.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (235 bytes)

The process cscript.exe:1976 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\teste.txt (2 bytes)

The process %original file name%.exe:484 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Tempg.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temprundll.exe (3806 bytes)

The process cffmon.exe:1452 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nqfmenb (1769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (588 bytes)

The Worm deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nqfmenb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)

Registry activity

The process Temprundll.exe:1932 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 5F 6F 8E 1F 8F 79 86 EF 11 26 05 AE 51 95 11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Temprundll.exe:1228 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 68 7A FF 61 8D CD D2 E1 1E E8 9A AE CC 63 CF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"cffmon" = "%Program Files%\Fonts\cffmon.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"cffmon" = "%Program Files%\Fonts\cffmon.exe"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{G4HW06YE-181V-T1NH-J2F6-LQCMBR712TR1}]
"StubPath" = "%Program Files%\Fonts\cffmon.exe Restart"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%Program Files%\Fonts\cffmon.exe"

The process cscript.exe:1976 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 69 36 A0 97 3F 92 2B B2 E5 3A CA 03 69 3A 36"

The process %original file name%.exe:484 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 AE 6B EB 02 80 69 0D 63 26 2A 5D D3 7F 82 68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings]
"Temprundll.exe" = "Temprundll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings]
"Tempg.exe" = "GalaxyLogger"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process Tempg.exe:1224 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 8A 21 46 1F 6F 59 B3 D8 79 63 8D 9E F2 2C 4A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process cffmon.exe:544 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF B6 EC 45 16 B8 77 5F C5 F7 8B AC 2D CB 07 CA"

The process cffmon.exe:1452 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 A0 D8 F1 BF AE B8 10 1B 04 77 AB E1 98 8C 68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
6d42dd978d83a7fa49abe9cfb297ce74 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Tempg.exe
4e341068cde197c928fe574cefb0f58a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temprundll.exe
4e341068cde197c928fe574cefb0f58a c:\Program Files\Fonts\cffmon.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

Company Name:
Product Name: Galaksi logger
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2015
Legal Trademarks:
Original Filename: Galaksi logger.exe
Internal Name: Galaksi logger.exe
File Version: 1.0.0.0
File Description: Galaksi logger
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 8192 1882756 1883136 5.53471 0c822d128c0001bb98c648e390e6a2b1
.sdata 1892352 488 512 4.59195 1acc026a3221bd19d15ede6e61eb9034
.rsrc 1900544 13244 13312 5.35771 5ad3be6445b06b2a21be3bc4947c5a2e
.reloc 1916928 12 512 0.070639 4a54ae9fd6d5e81931e8b206f3ee4f5b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
kralcoder.no-ip.org 212.154.81.158


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive
ET TROJAN Cybergate/Rebhip/Spyrat Backdoor Keepalive Response

Traffic

The Worm connects to the servers at the folowing location(s):

Tempg.exe_1224_rwx_00402000_00045000:

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
fSystem.Drawing.Icon, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aBj
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
System.Drawing.Icon
System.Drawing.Size
.text
`.rsrc
@.reloc
v4.0.30319
Microsoft.VisualBasic
MyWebServices
Microsoft.VisualBasic.ApplicationServices
.ctor
Microsoft.VisualBasic.Devices
.cctor
get_WebServices
m_MyWebServicesObjectProvider
WebServices
System.ComponentModel
System.CodeDom.Compiler
System.Diagnostics
Microsoft.VisualBasic.CompilerServices
System.ComponentModel.Design
HelpKeywordAttribute
System.Runtime.CompilerServices
System.Runtime.InteropServices
Microsoft.VisualBasic.MyServices
System.Windows.Forms
get_ExecutablePath
System.IO
MsgBoxResult
MsgBoxStyle
MsgBox
System.Reflection
stub.exe
12.0.0.0
My.WebServices
My.User
My.Computer
My.Application
4System.Web.Services.Protocols.SoapHttpClientProtocol
0.0.0.0
_CorExeMain
mscoree.dll
<assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
fSystem.Drawing.Icon, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3ahSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPADPBj
System.Drawing.Bitmap
i.gFS
BgwwwUUZ[[
w.wc6
.Nwo[
v2.0.50727
GalaxyLogger.exe
System.Drawing
kernel32.dll
ns1.News.resources
ns3.Binder.resources
ns4.Spoofer.resources
ns6.Pumper.resources
ns0.Keylogger.resources
GalaxyLogger.Resources.resources
ns4.Form1.resources
WindowsFormsApplicationBase
System.Collections.Generic
System.Threading
Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnCreateMainForm
keylogger_0
System.Collections
ContainsKey
InvalidOperationException
System.Object.Equals
System.Object.GetHashCode
System.Object.ToString
System.Windows.Forms.Form.Dispose
System.Resources
set_TransparencyKey
Operators
ISupportInitialize
set_WindowState
FormWindowState
Keylogger
System.Net
System.Net.Mail
SmtpClient
set_Password
set_Port
FtpWebRequest
FtpWebResponse
WebRequest
System.Text
WebResponse
WebClient
System.Collections.Specialized
set_GenerateExecutable
remoteCertificateValidationCallback_0
RemoteCertificateValidationCallback
System.Net.Security
System.Security.Cryptography
ImportCspBlob
set_UseShellExecute
System.IO.Compression
GetPublicKeyToken
X509Certificate
System.Security.Cryptography.X509Certificates
x509Certificate_0
get_ServerCertificateValidationCallback
set_ServerCertificateValidationCallback
httpWebRequest_0
HttpWebRequest
GetWebRequest
IWebProxy
System.Net.WebClient.GetWebRequest
System.Globalization
GalaxyLogger.My
System.Configuration
System.Drawing.Drawing2D
get_WindowState
get_Msg
KeyValuePair`2
get_Key
System.Drawing.Imaging
System.IDisposable.Dispose
System.Windows.Forms.TabControl.CreateHandle
System.Windows.Forms.Control.OnPaint
System.Windows.Forms.Control.OnMouseEnter
System.Windows.Forms.Control.OnMouseDown
System.Windows.Forms.Control.OnMouseLeave
System.Windows.Forms.Control.OnMouseUp
System.Windows.Forms.Control.OnEnter
System.Windows.Forms.Control.OnLeave
set_UseSystemPasswordChar
System.Windows.Forms.Control.get_Text
System.Windows.Forms.Control.set_Text
System.Windows.Forms.Control.get_Font
System.Windows.Forms.Control.set_Font
System.Windows.Forms.Control.OnCreateControl
KeyEventArgs
get_KeyCode
Keys
set_SuppressKeyPress
textBox_0_KeyDown
System.Windows.Forms.Control.OnResize
KeyEventHandler
add_KeyDown
System.Drawing.Text
System.Windows.Forms.Control.Text
System.Windows.Forms.Control.Font
System.Windows.Forms.ComboBox.OnDrawItem
System.Windows.Forms.Control.OnSizeChanged
get_ModifierKeys
System.Windows.Forms.Control.OnMouseWheel
System.Windows.Forms.Control.OnMouseMove
set_Key
fLaSh.Dissembler
NotSupportedException
biClrImportant
GetPublicKey
GetExecutingAssembly
8.0.0.0
$D332DB9E-B9B3-4125-8207-A14884F53216
$BD39D1D2-BA2F-486A-89B0-B4B0CB466891
$9FD93CCF-3280-4391-B3A9-96E1CDE77C8D
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
11.0.0.0
$b32adae0-3b74-4d45-a846-ec509de5bb28
1.0.0.0
$this.Icon
\file1.exe
\file2.exe
PictureBox6.Image
PictureBox3.Image
PictureBox2.Image
PictureBox5.Image
PictureBox4.Image
PictureBox1.Image
Executables | *.exe
Executables (.exe)|.exe
btn_keylogger
Keylogger
Upload Logs to FTP
Test FTP
Pass:
Port:
SMTP:
Password:
Clear FireFox Data
Clear Google Chrome Data
Visit Website:
Delay Execution:
Disable CMD
Download & Execute
Please enter a direct link to an .exe!
Password Recovery
Opera
Firefox
Chrome
Record Costum Keystrokes
PTF://
/Galaxy_Logger_Success.txt
\test.txt
Sample File was uploaded, please goto your FTP Server and check if you find 'Galaxy_Logger_Success.txt' !
hXXp://pastebin.com/raw.php?i=cLw7amN1
System.dll
System.Windows.Forms.dll
Microsoft.VisualBasic.dll
System.Drawing.dll
/target:winexe /optimize  /filealign:512
Icon | *.ico
2.0.0.6
loader.log
Unable to continue due to an error. Exception written to 'loader.log' file.
hXXp://seal.nimoru.com/Base/checksumSE.php
hXXps://s3.amazonaws.com/nimoru/checksumSE.txt
9280188D-0E8E-4867-B30C-7FA83884E8DE
B79B0ACD-F5CD-409B-B5A5-A16244610B92
GalaxyLogger.Resources
.data
.docx
.html
.jpeg
.mp4v
.mpeg
.pptx
.torrent
\Icons\7z.ico
\Icons\aac.ico
\Icons\bat.ico
\Icons\bmp.ico
\Icons\data.ico
\Icons\docx.ico
\Icons\html.ico
\Icons\ini.ico
\Icons\iso.ico
\Icons\jpeg.ico
\Icons\jpg.ico
\Icons\jar.ico
\Icons\m4a.ico
\Icons\m4v.ico
\Icons\mp3.ico
\Icons\mp4v.ico
\Icons\mpeg.ico
\Icons\pdf.ico
\Icons\ppt.ico
\Icons\pptx.ico
\Icons\py.ico
\Icons\rar.ico
\Icons\swf.ico
\Icons\torrent.ico
\Icons\ttf.ico
\Icons\txt.ico
\Icons\vbs.ico
\Icons\wav.ico
\Icons\wma.ico
\Icons\wmv.ico
{0}.{1}.{2}.{3}
System.Core, Version=2.0.5.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e
System.Security.Cryptography.AesManaged
System.Security.Cryptography.RijndaelManaged
System.Security.Cryptography.DESCryptoServiceProvider

Tempg.exe_1224_rwx_00452000_0040E000:

.idata
.edata
P.reloc
P.rsrc
.reloc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadVarTypeError|%F
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
.Owner
W:\3rdparty\ScreamSec\SecUtils.pas
TCipher.CreateIntf: Algorithm mismatch
TBlockCipher.CreateIntf: Wrong VectorSize
Cipher mode not supported
The vector for %s is %d blocks. Cannot initialize with a %d block vector.
The block size for %s is %d bytes and the key is %d bytes. Cannot initialize with a %d block vector.
The minimum key and IV size for %s is %d bytes.
Not supported
TRijndael_PipedPCFB
Rijndael: Invalid key size - %d
2.16.840.1.101.3.4.1.1
2.16.840.1.101.3.4.1.21
2.16.840.1.101.3.4.1.41
1.3.6.1.4.1.13085.1.22
1.3.6.1.4.1.13085.1.23
1.3.6.1.4.1.13085.1.24
2.16.840.1.101.3.4.1.4
2.16.840.1.101.3.4.1.24
2.16.840.1.101.3.4.1.44
1.3.6.1.4.1.13085.1.7
1.3.6.1.4.1.13085.1.8
1.3.6.1.4.1.13085.1.9
1.3.6.1.4.1.13085.1.4
1.3.6.1.4.1.13085.1.5
1.3.6.1.4.1.13085.1.6
1.3.6.1.4.1.13085.1.10
1.3.6.1.4.1.13085.1.11
1.3.6.1.4.1.13085.1.12
1.3.6.1.4.1.13085.1.1
1.3.6.1.4.1.13085.1.2
1.3.6.1.4.1.13085.1.3
1.3.6.1.4.1.13085.1.16
1.3.6.1.4.1.13085.1.17
1.3.6.1.4.1.13085.1.18
2.16.840.1.101.3.4.1.2
2.16.840.1.101.3.4.1.22
2.16.840.1.101.3.4.1.42
1.3.6.1.4.1.13085.1.19
1.3.6.1.4.1.13085.1.20
1.3.6.1.4.1.13085.1.21
2.16.840.1.101.3.4.1.3
2.16.840.1.101.3.4.1.23
2.16.840.1.101.3.4.1.43
2.16.840.1.101.3.4.1.5
2.16.840.1.101.3.4.1.25
2.16.840.1.101.3.4.1.45
/* Dr Brian Gladman ([email protected]) 14th January 1999 */
TGenerator.Create: Cipher mode must be cmCTR.
TMPPool.CheckThreadID: Called from the wrong thread.
TMPPool.Cache: Invalid pointer
TMPPool.Obtain: Out of memory
TMPPool.InternalCheck: Invalid pointer
Portugal
Turkey
TKeyVerifyParams
12345678-
Windows 95
WIN_VER_WINDOWS95
Windows 95 OSR2
WIN_VER_WINDOWS95OSR2
Windows 98
WIN_VER_WINDOWS98
Windows 98 SE
WIN_VER_WINDOWS98SE
Windows ME
WIN_VER_WINDOWSME
Windows 2000
WIN_VER_WINDOWS2000
Windows 2000 Professional
WIN_VER_WINDOWS2000PROF
Windows 2000 Data Server
WIN_VER_WINDOWS2000DATASERVER
Windows 2000 Advanced Server
WIN_VER_WINDOWS2000ADVSERVER
Windows 2000 Server
WIN_VER_WINDOWS2000SERVER
Windows XP
WIN_VER_WINDOWSXP
Windows XP Home
WIN_VER_WINDOWSXPHOME
Windows XP Professional
WIN_VER_WINDOWSXPPROF
Windows XP Professional x64
WIN_VER_WINDOWSXPPROFx64
Windows XP Professional Datacenter x64
WIN_VER_WINDOWSXPPROFDATACENTERx64
Windows XP Professional Enterprise x64
WIN_VER_WINDOWSXPPROFENERPRICEx64
Windows XP Professional Standart x64
WIN_VER_WINDOWSXPPROFSTANDARTx64
Windows 2003
Windows 2003 Server
WIN_VER_WINDOWS2003SERVER
Windows 2003 Server R2
WIN_VER_WINDOWS2003SERVERR2
Windows 2003 Storage Server
WIN_VER_WINDOWS2003STORAGESERVER
Windows 2003 Datacenter Itanium
WIN_VER_WINDOWS2003DATACENTERITANIUM
Windows 2003 Enterprise Itanium
WIN_VER_WINDOWS2003ENTERPRICEITANIUM
Windows 2003 Datacenter x64
WIN_VER_WINDOWS2003DATACENTERx64
Windows 2003 Enterprise x64
WIN_VER_WINDOWS2003ENERPRICEx64
Windows 2003 Standart x64
WIN_VER_WINDOWS2003STANDARTx64
Windows 2003 Compute
WIN_VER_WINDOWS2003COMPUTE
Windows 2003 Datacenter
WIN_VER_WINDOWS2003DATACENTER
Windows 2003 Enterprise
WIN_VER_WINDOWS2003ENTERPRICE
Windows 2003 Web
WIN_VER_WINDOWS2003WEB
Windows 2003 Standart
WIN_VER_WINDOWS2003STANDART
Windows Vista
WIN_VER_WINDOWSVISTA
Windows Vista Business
WIN_VER_WINDOWSVISTA_BUSINESS
Windows Vista Cluster Server
WIN_VER_WINDOWSVISTA_CLUSTER_SERVER
Windows Vista Datacenter Server
WIN_VER_WINDOWSVISTA_DATACENTER_SERVER
Windows Vista Datacenter Server Core
WIN_VER_WINDOWSVISTA_DATACENTER_SERVER_CORE
Windows Vista Datacenter Server Core V
WIN_VER_WINDOWSVISTA_DATACENTER_SERVER_CORE_V
Windows Vista Datacenter Server V
WIN_VER_WINDOWSVISTA_DATACENTER_SERVER_V
Windows Vista Enterprise
WIN_VER_WINDOWSVISTA_ENTERPRICE
Windows Vista Enterprise Server
WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER
Windows Vista Enterprise Server Core
WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER_CORE
Windows Vista Enterprise Server V
WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER_V
Windows Vista Enterprise Server Core V
WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER_CORE_V
Windows Vista Enterprise Server IA64
WIN_VER_WINDOWSVISTA_ENTERPRISE_SERVER_IA64
Windows Vista Home Basic
WIN_VER_WINDOWSVISTA_HOME_BASIC
Windows Vista Home Premium
WIN_VER_WINDOWSVISTA_HOME_PREMIUM
Windows Vista Home Server
WIN_VER_WINDOWSVISTA_HOME_SERVER
Windows Vista Server For Small Business
WIN_VER_WINDOWSVISTA_SERVER_FOR_SMALLBUSINESS
Windows Vista Small Business Server
WIN_VER_WINDOWSVISTA_SMALLBUSINESS_SERVER
Windows Vista Small Business Server Premium
WIN_VER_WINDOWSVISTA_SMALLBUSINESS_SERVER_PREMIUM
Windows Vista Medium Business Server Management
WIN_VER_WINDOWSVISTA_MEDIUMBUSINESS_SERVER_MANAGEMENT
Windows Vista Medium Business Server Messaging
WIN_VER_WINDOWSVISTA_MEDIUMBUSINESS_SERVER_MESSAGING
Windows Vista Medium Business Server Security
WIN_VER_WINDOWSVISTA_MEDIUMBUSINESS_SERVER_SECURITY
Windows Vista Standard Server
WIN_VER_WINDOWSVISTA_STANDARD_SERVER
Windows Vista Standard Server V
WIN_VER_WINDOWSVISTA_STANDARD_SERVER_V
Windows Vista Standard Server Core
WIN_VER_WINDOWSVISTA_STANDARD_SERVER_CORE
Windows Vista Standard Server Core V
WIN_VER_WINDOWSVISTA_STANDARD_SERVER_CORE_V
Windows Vista Starter
WIN_VER_WINDOWSVISTA_STARTER
Windows Vista Storage Enterprise Server
WIN_VER_WINDOWSVISTA_STORAGE_ENTERPRISE_SERVER
Windows Vista Storage Express Server
WIN_VER_WINDOWSVISTA_STORAGE_EXPRESS_SERVER
Windows Vista Storage Standard Server
WIN_VER_WINDOWSVISTA_STORAGE_STANDARD_SERVER
Windows Vista Storage Workgroup Server
WIN_VER_WINDOWSVISTA_STORAGE_WORKGROUP_SERVER
Windows Vista Undefined
WIN_VER_WINDOWSVISTA_UNDEFINED
Windows Vista Ultimate
WIN_VER_WINDOWSVISTA_ULTIMATE
Windows Vista Web Server
WIN_VER_WINDOWSVISTA_WEB_SERVER
Windows Vista Web Server Core
WIN_VER_WINDOWSVISTA_WEB_SERVER_CORE
Windows Vista Unlicensed
WIN_VER_WINDOWSVISTA_UNLICENSED
Windows 2008
WIN_VER_WINDOWS2008
Windows 2008 Business
WIN_VER_WINDOWS2008_BUSINESS
Windows 2008 Cluster Server
WIN_VER_WINDOWS2008_CLUSTER_SERVER
Windows 2008 Datacenter Server
WIN_VER_WINDOWS2008_DATACENTER_SERVER
Windows 2008 Datacenter Server Core
WIN_VER_WINDOWS2008_DATACENTER_SERVER_CORE
Windows 2008 Datacenter Server Core V
WIN_VER_WINDOWS2008_DATACENTER_SERVER_CORE_V
Windows 2008 Datacenter Server V
WIN_VER_WINDOWS2008_DATACENTER_SERVER_V
Windows 2008 Enterprise
WIN_VER_WINDOWS2008_ENTERPRICE
Windows 2008 Enterprise Server
WIN_VER_WINDOWS2008_ENTERPRISE_SERVER
Windows 2008 Enterprise Server Core
WIN_VER_WINDOWS2008_ENTERPRISE_SERVER_CORE
Windows 2008 Enterprise Server V
WIN_VER_WINDOWS2008_ENTERPRISE_SERVER_V
Windows 2008 Enterprise Server Core V
WIN_VER_WINDOWS2008_ENTERPRISE_SERVER_CORE_V
Windows 2008 Enterprise Server IA64
WIN_VER_WINDOWS2008_ENTERPRISE_SERVER_IA64
Windows 2008 Home Basic
WIN_VER_WINDOWS2008_HOME_BASIC
Windows 2008 Home Premium
WIN_VER_WINDOWS2008_HOME_PREMIUM
Windows 2008 Home Server
WIN_VER_WINDOWS2008_HOME_SERVER
Windows 2008 Server For Small Business
WIN_VER_WINDOWS2008_SERVER_FOR_SMALLBUSINESS
Windows 2008 Small Business Server
WIN_VER_WINDOWS2008_SMALLBUSINESS_SERVER
Windows 2008 Small Business Server Premium
WIN_VER_WINDOWS2008_SMALLBUSINESS_SERVER_PREMIUM
Windows 2008 Medium Business Server Management
WIN_VER_WINDOWS2008_MEDIUMBUSINESS_SERVER_MANAGEMENT
Windows 2008 Medium Business Server Messaging
WIN_VER_WINDOWS2008_MEDIUMBUSINESS_SERVER_MESSAGING
Windows 2008 Medium Business Server Security
WIN_VER_WINDOWS2008_MEDIUMBUSINESS_SERVER_SECURITY
Windows 2008 Standard Server
WIN_VER_WINDOWS2008_STANDARD_SERVER
Windows 2008 Standard Server V
WIN_VER_WINDOWS2008_STANDARD_SERVER_V
Windows 2008 Standard Server Core
WIN_VER_WINDOWS2008_STANDARD_SERVER_CORE
Windows 2008 Standard Server Core V
WIN_VER_WINDOWS2008_STANDARD_SERVER_CORE_V
Windows 2008 Starter
WIN_VER_WINDOWS2008_STARTER
Windows 2008 Storage Enterprise Server
WIN_VER_WINDOWS2008_STORAGE_ENTERPRISE_SERVER
Windows 2008 Storage Express Server
WIN_VER_WINDOWS2008_STORAGE_EXPRESS_SERVER
Windows 2008 Storage Standard Server
WIN_VER_WINDOWS2008_STORAGE_STANDARD_SERVER
Windows 2008 Storage Workgroup Server
WIN_VER_WINDOWS2008_STORAGE_WORKGROUP_SERVER
Windows 2008 Undefined
WIN_VER_WINDOWS2008_UNDEFINED
Windows 2008 Ultimate
WIN_VER_WINDOWS2008_ULTIMATE
Windows 2008 Web Server
WIN_VER_WINDOWS2008_WEB_SERVER
Windows 2008 Web Server Core
WIN_VER_WINDOWS2008_WEB_SERVER_CORE
Windows 2008 Unlicensed
WIN_VER_WINDOWS2008_UNLICENSED
Windows 2008 R2
WIN_VER_WINDOWS2008R2
Windows 2008 R2 Business
WIN_VER_WINDOWS2008R2_BUSINESS
Windows 2008 R2 Cluster Server
WIN_VER_WINDOWS2008R2_CLUSTER_SERVER
Windows 2008 R2 Datacenter Server
WIN_VER_WINDOWS2008R2_DATACENTER_SERVER
Windows 2008 R2 Datacenter Server Core
WIN_VER_WINDOWS2008R2_DATACENTER_SERVER_CORE
Windows 2008 R2 Datacenter Server Core V
WIN_VER_WINDOWS2008R2_DATACENTER_SERVER_CORE_V
Windows 2008 R2 Datacenter Server V
WIN_VER_WINDOWS2008R2_DATACENTER_SERVER_V
Windows 2008 R2 Enterprise
WIN_VER_WINDOWS2008R2_ENTERPRICE
Windows 2008 R2 Enterprise Server
WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER
Windows 2008 R2 Enterprise Server Core
WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER_CORE
Windows 2008 R2 Enterprise Server V
WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER_V
Windows 2008 R2 Enterprise Server Core V
WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER_CORE_V
Windows 2008 R2 Enterprise Server IA64
WIN_VER_WINDOWS2008R2_ENTERPRISE_SERVER_IA64
Windows 2008 R2 Home Basic
WIN_VER_WINDOWS2008R2_HOME_BASIC
Windows 2008 R2 Home Premium
WIN_VER_WINDOWS2008R2_HOME_PREMIUM
Windows 2008 R2 Home Server
WIN_VER_WINDOWS2008R2_HOME_SERVER
Windows 2008 R2 Server For Small Business
WIN_VER_WINDOWS2008R2_SERVER_FOR_SMALLBUSINESS
Windows 2008 R2 Small Business Server
WIN_VER_WINDOWS2008R2_SMALLBUSINESS_SERVER
Windows 2008 R2 Small Business Server Premium
WIN_VER_WINDOWS2008R2_SMALLBUSINESS_SERVER_PREMIUM
Windows 2008 R2 Medium Business Server Management
WIN_VER_WINDOWS2008R2_MEDIUMBUSINESS_SERVER_MANAGEMENT
Windows 2008 R2 Medium Business Server Messaging
WIN_VER_WINDOWS2008R2_MEDIUMBUSINESS_SERVER_MESSAGING
Windows 2008 R2 Medium Business Server Security
WIN_VER_WINDOWS2008R2_MEDIUMBUSINESS_SERVER_SECURITY
Windows 2008 R2 Standard Server
WIN_VER_WINDOWS2008R2_STANDARD_SERVER
Windows 2008 R2 Standard Server V
WIN_VER_WINDOWS2008R2_STANDARD_SERVER_V
Windows 2008 R2 Standard Server Core
WIN_VER_WINDOWS2008R2_STANDARD_SERVER_CORE
Windows 2008 R2 Standard Server Core V
WIN_VER_WINDOWS2008R2_STANDARD_SERVER_CORE_V
Windows 2008 R2 Starter
WIN_VER_WINDOWS2008R2_STARTER
Windows 2008 R2 Storage Enterprise Server
WIN_VER_WINDOWS2008R2_STORAGE_ENTERPRISE_SERVER
Windows 2008 R2 Storage Express Server
WIN_VER_WINDOWS2008R2_STORAGE_EXPRESS_SERVER
Windows 2008 R2 Storage Standard Server
WIN_VER_WINDOWS2008R2_STORAGE_STANDARD_SERVER
Windows 2008 R2 Storage Workgroup Server
WIN_VER_WINDOWS2008R2_STORAGE_WORKGROUP_SERVER
Windows 2008 R2 Undefined
WIN_VER_WINDOWS2008R2_UNDEFINED
Windows 2008 R2 Ultimate
WIN_VER_WINDOWS2008R2_ULTIMATE
Windows 2008 R2 Web Server
WIN_VER_WINDOWS2008R2_WEB_SERVER
Windows 2008 R2 Web Server Core
WIN_VER_WINDOWS2008R2_WEB_SERVER_CORE
Windows 2008 R2 Unlicensed
WIN_VER_WINDOWS2008R2_UNLICENSED
Windows 7
WIN_VER_WINDOWSSEVEN
Windows 7 Business
WIN_VER_WINDOWSSEVEN_BUSINESS
Windows 7 Cluster Server
WIN_VER_WINDOWSSEVEN_CLUSTER_SERVER
Windows 7 Datacenter Server
WIN_VER_WINDOWSSEVEN_DATACENTER_SERVER
Windows 7 Datacenter Server Core
WIN_VER_WINDOWSSEVEN_DATACENTER_SERVER_CORE
Windows 7 Datacenter Server Core V
WIN_VER_WINDOWSSEVEN_DATACENTER_SERVER_CORE_V
Windows 7 Datacenter Server V
WIN_VER_WINDOWSSEVEN_DATACENTER_SERVER_V
Windows 7 Enterprise
WIN_VER_WINDOWSSEVEN_ENTERPRICE
Windows 7 Enterprise Server
WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER
Windows 7 Enterprise Server Core
WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER_CORE
Windows 7 Enterprise Server V
WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER_V
Windows 7 Enterprise Server Core V
WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER_CORE_V
Windows 7 Enterprise Server IA64
WIN_VER_WINDOWSSEVEN_ENTERPRISE_SERVER_IA64
Windows 7 Home Basic
WIN_VER_WINDOWSSEVEN_HOME_BASIC
Windows 7 Home Premium
WIN_VER_WINDOWSSEVEN_HOME_PREMIUM
Windows 7 Home Server
WIN_VER_WINDOWSSEVEN_HOME_SERVER
Windows 7 Server For Small Business
WIN_VER_WINDOWSSEVEN_SERVER_FOR_SMALLBUSINESS
Windows 7 Small Business Server
WIN_VER_WINDOWSSEVEN_SMALLBUSINESS_SERVER
Windows 7 Small Business Server Premium
WIN_VER_WINDOWSSEVEN_SMALLBUSINESS_SERVER_PREMIUM
Windows 7 Medium Business Server Management
WIN_VER_WINDOWSSEVEN_MEDIUMBUSINESS_SERVER_MANAGEMENT
Windows 7 Medium Business Server Messaging
WIN_VER_WINDOWSSEVEN_MEDIUMBUSINESS_SERVER_MESSAGING
Windows 7 Medium Business Server Security
WIN_VER_WINDOWSSEVEN_MEDIUMBUSINESS_SERVER_SECURITY
Windows 7 Standard Server
WIN_VER_WINDOWSSEVEN_STANDARD_SERVER
Windows 7 Standard Server V
WIN_VER_WINDOWSSEVEN_STANDARD_SERVER_V
Windows 7 Standard Server Core
WIN_VER_WINDOWSSEVEN_STANDARD_SERVER_CORE
Windows 7 Standard Server Core V
WIN_VER_WINDOWSSEVEN_STANDARD_SERVER_CORE_V
Windows 7 Starter
WIN_VER_WINDOWSSEVEN_STARTER
Windows 7 Storage Enterprise Server
WIN_VER_WINDOWSSEVEN_STORAGE_ENTERPRISE_SERVER
Windows 7 Storage Express Server
WIN_VER_WINDOWSSEVEN_STORAGE_EXPRESS_SERVER
Windows 7 Storage Standard Server
WIN_VER_WINDOWSSEVEN_STORAGE_STANDARD_SERVER
Windows 7 Storage Workgroup Server
WIN_VER_WINDOWSSEVEN_STORAGE_WORKGROUP_SERVER
Windows 7 Undefined
WIN_VER_WINDOWSSEVEN_UNDEFINED
Windows 7 Ultimate
WIN_VER_WINDOWSSEVEN_ULTIMATE
Windows 7 Web Server
WIN_VER_WINDOWSSEVEN_WEB_SERVER
Windows 7 Web Server Core
WIN_VER_WINDOWSSEVEN_WEB_SERVER_CORE
Windows 7 Unlicensed
WIN_VER_WINDOWSSEVEN_UNLICENSED
Portuguese (Brazil)
Portuguese (Portugal)
Enigma_Plugin_OnSaveKey
Enigma_Plugin_OnLoadKey
ntdll.dll
LS_Enigma_Plugin_OnDeleteKey
ole32.dll
comctl32.dll
!"#$%&*;<=>@[]^_`{|}
TNT Internal Error: TWideComponentHelper.Create should never be encountered.
%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntClasses.pas
Library not found: %s
Function not found: %s.%s
RtlFormatCurrentUserKeyPath
TExported0
gN%Fj
USER32.DLL
EInvalidGraphicOperation
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TComboBoxExEnumerator
ssHorizontal
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
HelpKeyword(
OnExecute
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
AutoHotkeys
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntActnList.pas
PasswordChar
%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntStdCtrls.pas
%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntForms.pas
%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntMenus.pas
Internal Error: SyncHotKeyPosition Failed ("%s" <> "%s").
%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntControls.pas
Internal Error: SubClassUnicodeControl.Control is not Unicode.
.UnicodeClass
TntUnicodeVcl.DestroyWindow
Internal Error: Control does not support ITntGlyphButton.
dtPostMsg
Software\Microsoft\Windows\CurrentVersion
ProductKey
Software\Microsoft\Windows NT\CurrentVersion
\\.\PhysicalDrive0
\\.\%s
\\.\Scsi0:
\\.\SMARTVSD
%Program Files% (x86)\TntWare\Delphi Unicode Controls\Source\TntRegistry.pas
#$%&'()* ,-./01234
PSAPI.dll
I*Rc<)%sHMJ 
VBoxService.exe
ÞFAULT FOLDER%
%SYSTEM FOLDER%
%WINDOWS FOLDER%
Mutex object: Unique: %d-%d. Number: %d
^%V!%X
THookWindowsAPI
EP_RegCheckKey
EP_RegCheckKeyA
EP_RegCheckKeyW
EP_RegSaveKey
EP_RegSaveKeyA
EP_RegSaveKeyW
EP_RegLoadKey
EP_RegLoadKeyA
EP_RegLoadKeyW
EP_RegLoadAndCheckKey
EP_RegCheckAndSaveKey
EP_RegCheckAndSaveKeyA
EP_RegCheckAndSaveKeyW
EP_RegDeleteKey
EP_RegKeyExpirationDate
EP_RegKeyExpirationDateEx
EP_RegKeyCreationDate
EP_RegKeyCreationDateEx
EP_RegKeyExecutions
EP_RegKeyExecutionsTotal
EP_RegKeyExecutionsLeft
EP_RegKeyDays
EP_RegKeyDaysTotal
EP_RegKeyDaysLeft
EP_RegKeyRuntime
EP_RegKeyRuntimeTotal
EP_RegKeyRuntimeLeft
EP_RegKeyGlobalTime
EP_RegKeyGlobalTimeTotal
EP_RegKeyGlobalTimeLeft
EP_RegKeyRegisterAfterDate
EP_RegKeyRegisterAfterDateEx
EP_RegKeyRegisterBeforeDate
EP_RegKeyRegisterBeforeDateEx
EP_TrialExecutions
EP_TrialExecutionsTotal
EP_TrialExecutionsLeft
EP_TrialExecutionTime
EP_TrialExecutionTimeTotal
EP_TrialExecutionTimeLeft
EP_RegCheckKeyEx
EP_RegSaveKeyEx
EP_RegLoadKeyEx
EP_CheckUpStartupPasswordHashString
EP_ProtectedStringByKey
EP_RegKeyInformation
EP_RegKeyInformationA
EP_RegKeyInformationW
EP_RegKeyStatus
DLL_Loader_Import_Unit
TInitImport
Could not load library: %s
.gnu}
Function %s not found in module %s
File not found: %s
Can't find DLL entry point %s in %s
"%s" %s
%s %s
mscorwks.dll
mscoreei.dll
Jo.Ys
C9=O.WA
B.JAZ
coRegistratioKey
ZwOpenKey
ZwEnumerateValueKey
ZwQueryKey
ZwQueryValueKey
ZwCreateKey
ZwEnumerateKey
ZwSetValueKey
ZwDeleteKey
ZwDeleteValueKey
ZwFlushKey
ZwLoadKey
ZwLoadKey2
ZwNotifyChangeKey
ZwQueryMultipleValueKey
ZwReplaceKey
ZwRestoreKey
ZwSaveKey
ZwSetInformationKey
ZwUnloadKey
ZwOpenKeyEx
ZwQuerySection, Unsupported class %d
KeySetValue unsupported value type
ZwQueryValueKey, unsupported class %d
ZwQueryKey, unsupported class %d
ZwQueryObject with unsupported class
Uh.hR
ZwReadFileInformation with unsupported class
ZwSetInformationFile with unsupported class
THookWindowsAPI
E.oNhZC
\\.\NTICE
\\.\SICE
\\.\SIWDEBUG
R.fm6$C
)O.bVJ
\.Na)
.xDHT
%s\%.8x%.8x-%.8x%.8x
)TEnigmaProtectorLoaderFormStartuppassword
DLL_Loader_RunPassword_Unit
^5(
b.HNNM
decrypt_on_execute_begin
ECRONEXECB
decrypt_on_execute_end
ECRONEXECE
.section
DLL_Loader.dll
@``@``@``@``@``@``@``@
@``@``@``@``@``
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
_enigma_keygen_routines
TntWindows
UrlMon
virtualboximportunit
KeyRoutines
nJwaWindows
 DLL_Loader_Import_Unit
%UD`t
I<%3xohf
|.NhL
q.yCh
*i2 .ah
%cmFX<Q
.pT}h
 S.hY
user32.dll
advapi32.dll
version.dll
gdi32.dll
shell32.dll
SHFolder.dll
shlwapi.dll
GetWindowsDirectoryW
GetWindowsDirectoryA
GetCPInfo
GetKeyboardType
VkKeyScanW
UnhookWindowsHookEx
SetWindowsHookExW
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextW
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
RegOpenKeyExA
RegCloseKey
RegOpenKeyA
RegFlushKey
RegCreateKeyExA
SetViewportOrgEx
ShellExecuteW
ShellExecuteA
2-3i3}3
:&:.:6:>:
>!>%>)>->1>5>9>=>
; ;$;(;,;0;
1#1'1 1/13171;162\2
$141$3:3
? ?$?(?,?0?
8 :`:{:,;>;
?*?.???`?
4 4$4(4,4044484<4@4
6h6X6g6r6
70848<8@8
8!9%9)9-949
9&9*9=9^9
4]5R5`5
4G4C4O4X4a4f4y4
0 0$0(0,000
=!=$=)=-=1=5=9===
6%7x9
1 1$1(1,1
: :(:,:0:4:|:
mscoree.dll
_CorExeMain
.idat
}&@_~"$)
.Jx1?
:z.dk>d
%SJBy$1!
%U%>_
?qkX%SX
>h.MR
%s[idr,
%s_id]9x
aY.sG
1BK%u
DE.BY
0123456
S.ANR
Prkey
P{rþ_)
88E8F8A8U8L6T)
2.qSne
),-./:? 
&*;<=>@[
]^_`{|}>
tPSsh
)O3k%D
xport
%u<x$P&
$p.xH
)0XVÜ
.)%FX(
$U%f(  
.PR$/
].t%CTQ
U%C<_
keys&
%xiED!%m${
?,?3:4;8'9
.ctj.
u\P%sx
d%D&i.
f;2%u[
M.Bd:\P
tl=
(.Sxr
VRl.Afs$Ry
k.Cf~
* ,-./01
e.UqOL&
I*Rc<)%s
ÞFAUL;T :O
W*@.DW(
[MisLr%s
UY.Dl
-'6{~%X
.TMP@
 j.gB
%F bh
\".DV~
("%D<&
}1)JO%c
"ÕD
%UD`t
`-ua}h
A|.NhL
i2 .ah
%cmFX<Q\
.pT}hV
cA.GX
!H_%uG
V%9sUo
(=h%Uo`V
~N.kP
.GJ8W
8}%5x
"ÓD
-3rit}v
t&v.xCzK|h~u,R<
98 :$;(<,(0
~#~'~ ~/~3~7
LLl2?T%XP
%.X~DS
T.zZ%
f%Cu'
RPl%C~j
:A;M%U
Site : hXXp://VVV.enigmaprotector.com/
E-mail : [email protected]
Lisence holder: %s
%Cookies FOLDER%
Unspecified error (%d) from %s.
debug.log
enigma_ide.dll
ÚysToKeyExp%
%RegKey%
%KeyExpYear%
%KeyExpMonth%
%KeyExpDay%
%CU_EXTFILES%
%CU_EXECPR%
%CU_INSTSERV%
%CU_WINVER%
%CU_VIRTTOOLS%
%TrialExecsTotal%
%TrialExecsLeft%
%TrialExecMinsTotal%
%TrialExecMinsLeft%
hh.exe
write.exe
attrib.exe
chkdsk.exe
compact.exe
find.exe
help.exe
winver.exe
regsvr32.exe
replace.exe
dllhost.exe
ntvdm.exe
tcpsvcs.exe
Was not able to create virtual value at ImportCall_ZwSetValueKey
Was not able to create virtual key at ImportCall_ZwSetValueKey
ImportCall_ZwLoadKey
ImportCall_ZwLoadKey2
ImportCall_ZwNotifyChangeKey
ImportCall_ZwQueryMultipleValueKey
ImportCall_ZwReplaceKey
ImportCall_ZwRestoreKey
ImportCall_ZwSaveKey
ImportCall_ZwSetInformationKey
ImportCall_ZwUnloadKey
evb*.tmp
Unsupported call of ZwSetVolumeInformationFile
Application requires password to start
Enter password
Change password
New password:
Confirm new password:
% )*0./(&'312-,
RichEdit line insertion error=This control requires version 4.70 or greater of COMCTL32.DLL
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt  Clipboard does not support Icons
Text exceeds memo capacity/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Thread creation error: %s
Thread Error: %s (%d)7CreateClone not implemented for class %s with source %s
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Unsupported clipboard format
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
'%s' is an invalid mask at (%d)$''%s'' is not a valid component name
Ancestor for '%s' not found
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation
Invalid NULL variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

Tempg.exe_1224_rwx_00D90000_00004000:

Invalid NULL variant operation
Invalid variant operation
Variant method calls not supported
Access violation at address %p. %s of address %p
Invalid pointer operation
Invalid floating point operation
I/O error %d
'%s' is not a valid integer value

Tempg.exe_1224_rwx_00F20000_00034000:

/* Dr Brian Gladman ([email protected]) 14th January 1999 */
1.0.0.0
"%Documents and Settings%\%current user%\Local Settings\Tempg.exe"
GalaxyLogger\license.dat
application.exe

DW20.EXE_1072:

.text
`.data
.cdata
.rsrc
watson.microsoft.com
.mdmp
%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S
/dw/stagetwo.asp
%s/%S/%S/%S/%S/%S/%S/%S/%S.htm
Failed to fill report params from generic params
Not offering reporting
%s Mode
Failed to get a reporting destination
Nothing to report from queue
No reports left to send. Removing queue triggers and bailing.
Failed to plug UI; LCID=%u
Ignoring %S due to unknown queue version
Reporting is disabled
SignOff queue reporting is disabled
Queued Reporting Mode called but still want to report to the queue
Bad queue type to report from
No reports for given queue mask - %u
Invalid queue mask - %u
Suspending: Force cancel to queued reporting
Suspending: Force cancel to network reporting
CreateWindowExA failed with %d.
Application Error Reporting %d
WatsonQueuedReportingInstanceVerification
riched20.dll
qMicrosoft\PCHealth\ErrorReporting\DW
msaccess.exe
hXXp://watson.microsoft.com/dw/dcp.asp
hXXp://watson.microsoft.com/dw/watsoninfo.asp
dwintl20.dll
Launching lightweight browser with URL
mshtml.dll
Not reporting
Reporting
DWBypassQueue
DWExplainerURL
DWNoSignOffQueueReporting
DWAlwaysReport
DWReporteeName
DWURLLaunch
DWNoExternalURL
DWStressReport
ole32.dll
imm32.dll
BTLog.dll
Microsoft\PCHealth\ErrorReporting\DW
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
hXXp://
hXXps://
Software\Microsoft\PCHealth\ErrorReporting\DW\Debug
%s\%s
https
DwBTLog.log
Failed to get minidump for %S!
szAppName=%s
szAppVer=%d.%d.%d.%d
szAppStamp=x
szModName=%s
szModVer=%d.%d.%d.%d
szModStamp=x
fDebug=%s
offset=x
microsoft.com
.msn.com
.microsoft.com
d:d:d d-d-d
/dw/generictwo.asp
kernel32.dll
psapi.dll
mso.dll
MsoDWRecover%x
MsoDWHang%x
Launching browser with URL
shell32.dll
%d.%d.%d.%d
%d.%d.%d.%d.x.%d.%d
shfolder.dll
unknown.sig
%s dw20.exe %d.%d.%d.%d
RegKey=
ResponseURL=
URLLaunch=
NoExternalURL=
%s:(%s) XX
%s:(%s) X
%s:(%s)
%s:(%s) %s
registry.txt
wql.txt
Windows NT Version %d.%d Build: %d
Stage 1 server response: %s
Stage 2 server response: %s
Stage 4 server response: %s
StatusCode: %d
Opening server: %s
HttpOpen failed.
Opening %s Request:
HTTPS
HttpSend Failed.
HttpWrite Failed, GLE=%d.
HttpEndReq failed.
Count filename length greater than MAX_PATH, can't report.
Filesystem reporting: count file updated
FReportToQueue: GetLastError=%u
FReportToQueue: File Tree Root does not exist: %S
Failed to add heap file to cab: %S
memory.dmp
mdmpmem.hdmp
version.txt
Network reporting complete.
Network reporting failed.
Application Error Reporting Transfer %d
Filesystem reporting complete
Filesystem reporting: cab successfully written
Filesystem reporting: could not find/create directory for cab/count
Filesystem reporting: redirection failure, too many redirects
Filesystem reporting: redirection failure, no previous roots
Filesystem reporting: improper file tree root
Filesystem reporting cancelled
Filesystem reporting: file tree root is too long
Record: 0xxx
Address: 0xxx
Code: 0xx
Flags: 0xx
x:x
(%d.%d:%d.%d)
Checksum: 0xx
Time Stamp: 0xx
Image Base: 0xx
Image Size: 0xx
Module %d
Windows NT %d.%d Build: %d
CPU AMD Feature Code: X
CPU Version: X CPU Feature Code: X
CPU Vendor Code: X - X - X
0xx:
0xx: x x x x
EFlags: 0xx ESP: 0xx SegSs: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EDI: 0xx ESI: 0xx EAX: 0xx
Thread ID: 0xx
Thread %d
Memory Range %d
Software\Microsoft\PCHealth\ErrorReporting\DW
OkToReportFromTheseQueues
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Failed to obtain queue mutex. GetLastError=%u
FGetQueueMutex: WaitForSingleObject returned %u
Failed to open or create queue mutex. GetLastError=%u
Failed queued reporting pester check
Failed to create run reg key
Persistent run key is set.
CoInitializeEx() returned 0x%x.
Reporting to Admin Queue
Reporting to Regular Queue
Reporting to SignOff Queue
Reporting to Headless Queue
Reporting from Regular Queue
Reporting from SignOff Queue
Reporting from Headless Queue
OOM Failed to alloc QueuedReportData
FAllocSD: GetLastError=%u
%s%s%s
FEnsureQueueDirW: GetLastError=%u
Failed to write snt. GLE: %u
Failed to create snt. GLE: %u
Failed to set info; bad queue type: %u
Failed to open reg key for queue
Failed to get windows folder path for queue: %u
Failed to move instr file from queue A to queue B - %u
Failed to move cab file from queue A to queue B - %u
Did not move any reports from admin q to user q
Did not move any reports from user q to headless q
Queue types that have reports: %u
Setting triggerAtConnectionMade to: %u
Setting triggerAtLogon to: %u
Setting the queue trigger based upon: %u
SUCCESS adding report to queue
Launched (%S)
Failed to store the SensSubscription. hr: %d
failed to allocate PROGID string: %S
Failed putting SubscriberInterface. hr: %d
Failed putting PerUser. hr: %d
Failed putting Enabled. hr: %d
Failed putting MachineName. hr: %d
Failed putting OwnerSID. hr: %d
Failed putting Description. hr: %d
Failed putting InterfaceID. hr: %d
Failed putting EventClassID. hr: %d
Failed putting MethodName. hr: %d
Failed putting SubscriptionName. hr: %d
Failed putting PublisherID. hr: %d
Failed putting SubscriberCLSID. hr: %d
Failed putting SubscriptionID. hr: %d
Failed CoCreateInstance on EventSubscription. hr: %d
Failed to remove the SensSubscription. hr: %d
failed to allocate query string: %S
Failed CoCreateInstance on EventSystem. hr: %d
SENS: StringFromIID() returned <%x>
DWSHARED: SysAllocString(%s) failed!
Failed to subscribe subscription %u. hr: %d
Failed to get data for subscription %u. hr: %d
Failed to query install reg key
Failed to open install reg key
Software\Microsoft\PCHealth\ErrorReporting\DW\Installed
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
initing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
freeing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
0addref CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
QIing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
releasing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
deleting CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
creating CDwAccessible: hwnd %x, idc %d
WriteAtOffset.Write(0x%x) failed, 0xx
WriteAtOffset.Seek(0x%x) failed, 0xx
WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx
WriteStringToPool.Write(0x%x) failed, 0xx
WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx
WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.Seek(0x%x) failed, 0xx
WriteDirectoryEntry.Write(0x%x) failed, 0xx
Thread(0x%x) callback returned FALSE
WriteSystemInfo.GetOsCsdString failed, 0xx
WriteSystemInfo.GetCpuInfo failed, 0xx
CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx
WriteHeader.GetCurrentTimeDate failed, 0xx
WriteDirectoryTable.Seek(0x%x) failed, 0xx
WriteMemoryInfo.Write(0x%x) failed, 0xx
WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx
WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 0x%I64x (0x%I64x:0x%I64x)
WriteFullMemory.Memory.Write(0x%x) failed, 0xx
WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed, retries %d, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx
WriteFullMemory.Desc.Write(0x%x) failed, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx
Kernel minidump write failed, 0xx
MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx
MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx
Invalid exception record parameter count (0x%x)
Invalid exception record size (0x%x)
Invalid CPU type (0x%x)
Invalid function table size (0x%x)
GetSystemType.GetOsInfo failed, 0xx
GetSystemType.GetCpuType failed, 0xx
Write.Start failed, 0xx
Dump type requires streaming but output provider does not support streaming
Invalid dump type 0x%x
dbghelp.dll
Alloc(0x%x) failed
Thread(0x%x) will not be included
GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx
GenGetImageSections.GenImageNtHeader(0x%I64x) failed
GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx
0GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx
GenAllocateThreadObject.GetContext(0x%x) failed, 0xx
GenAllocateThreadObject.Open(0x%x) failed, 0xx
GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx
GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x
GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx
GenAllocateProcessObject.GetPeb(0x%x) failed, 0xx
GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx
GenGenTebMemory.TLS(0x%I64x) failed, 0xx
GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx
0GenGetAuxMemory(%ws) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) looped
GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) looped
GenGetProcessInfo.EnumModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumModules(0x%x) looped
GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx
GenGetProcessInfo.EnumThreads(0x%x) looped
GenGetProcessInfo.Start(0x%x) failed, 0xx
GenWriteHandleData.Desc.Write(0x%x) failed, 0xx
GenWriteHandleData.Header.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.Start(0x%x) failed, 0xx
GenWriteHandleData.Seek(0x%x) failed, 0xx
Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls
version.dll
ntdll.dll
%$%,%4%<%
S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%
b%c%d%e%f%g%h%i%j%k%l%
!"#$%&'()* ,-./0123456789:;<=
!!!!2222
%%%f||||
!!!!2222||||
!"#$%&'(
'()* ,-./0
&'()* ,-./
&'()* ,-./012345
3456789
.ASex
!"#$%&'()* ,-./012
!"#$%&'()
?msodatad.dat
msodatalast.dat
Unicows.dll
Kernel32.dll
SHLWAPI.DLL
GDI32.DLL
wintrust.dll
1108160
0u.hN
0SSh 
t.WWWj
PSSh07
t5SSh(
PSSSSSSh
0SSSSh
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll
OLEAUT32.dll
MSVCRT.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
VERSION.dll
WININET.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ReportEventA
ReportEventW
RegEnumKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyW
GetProcessHeap
GetSystemWindowsDirectoryW
_amsg_exit
_acmdln
ShellExecuteExA
UrlGetPartA
CreateURLMoniker
CreateDialogIndirectParamA
EnumWindows
HttpQueryInfoA
HttpSendRequestExA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpEndRequestA
dw20.pdb
\devsplab1\otools\BBT_TEMP\DW20O.pdb
winword.exe
wwordlt.exe
excel.exe
excellt.exe
mspub.exe
frontpg.exe
outlook.exe
powerpnt.exe
powpntlt.exe
onenote.exe
infopath.exe
winproj.exe
ois.exe
visio.exe
`!`'`)` `
e%f-f|3 f'f/f
]!^"^#^ ^$^
t.uGuHu
x4x7x%x-x x
h&h(h.hMh:h%h h,k/k-k1k4kmk
k%lzmcmdmvm
^Q]Q~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP
]8^6^3^7^
ichczc]eVeQeYeWe_UOeXeUeTe
{1{ {-{/{2{8{
r6s%s4s)s:t*t3t"t%t5t6t4t/t
t&t(t%u&ukuju
WHX%X
`IaJa aEa6a2a.aFa/aOa)a@a bh
d@d%d'd
duewexei
kCpDpJpHpIpEpFp
S$S%S&S'S(S)S S,S.S2S3S5S6S8S:S;SBSFSKSNSOSPSUSVSXSYS[S]S_SbSdSeSgShSiSjSkSmStSvSzS}S~S
U U!U"U#U$U%U(U)U U:U=U?UBUGUIULUSUTUXUYUZU[U]U`UgUhUiUkUlUmUnUoUpUqUrUsUtUxUyUzU
c c!c"c#c$c%c&c'c.c0c1c5c7c?cRcSc[c\c]c^c_c`cacbcccdcfcjclcsctcyc~c
m!m#m$m&mCmDmEmFmGmHmImJmKmLmMmNmOmPmQmRmSmTmUmVmWm[m\m]mkmqmrmsm
nRsSsh
evg%f
m.tRa
gtr%x
Q%SKg
f.ebp>QI
y.yxT
fn:q%uN
aw.Toiz
RMeXe
S#S$S%S;ScSdSrSsStSuS
`!`"`&`'`)`*` `,`-`.`/`0`2`3`4`5`6`:`=`>`?`
^ ^!^"^#^$^%^&^'^.^}^
c c!c"c#c$c%c&c'c*c7c:c;cSc[c1e?e@eAeBeCeDeEe
f f!f"f#f$f%f&f'f(f)f*f f,f-f
m m!m"m#m$m%m&m'm(m)m*m m,m-m.m1m2m3m4m5m6m7m8m9m:m;m<m=m>m?m@mBmCmDmGmHmImJmKmLmMmNmOmPmQmRmSmTmUm
u u-u.uFuGuHuIuJuKuLuMuNuOuPuQuRuSu
U U!U"U#U$U%U&U'U(U4UJU
](^)^*^ ^,^-^/^0^1^
m/mAmFmVmWmXmYmZm[m\m]m^m_m`mambmcmdmemfmgmhmimjmkmlmmmnmompmqmrmsmtmumvmwmxmymzm{m|m}m~m
x x!x"x#x$x%x'x(x)x*x x,x.x/x0x1x2x3x4x5x6x7x8x9x:x;x<x=x>x?x@xAxXy_yaycydyeygyiyjykylynyoy
} }!}"}#}$}%}&}'}
] ]!]"]#]$]%]&]'](])]*] ],]-].]/]0]
]2^3^4^5^6^7^8^9^:^;^<^>^
cMeNeOePeQeReSeTeUeWeXeYeZe[e]ebe
X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X3X4X6X7X8X9X:X;X<X>X?X@XAXBXCXDXEXFXGXHXJXTX_X`XfXmX
d%d-d0d=dRdad2e\e^e_e`eaecedeeefegeheiejele
s"s#s$s%s&s(s)s,s-s/s0s1s2s3s4s5s6s8s9s>s@sGs
u$u%u&u/ujukulumunuouqurusutu
duewexeyeze{e
~ ~!~"~#~$~%~&~'~(~*~ ~-~8~:~0
| |!|"|#|$|%|&|(|)|*|-|.|/|0|1|2|6|
{3~3}3|3
eZl%u
Q.YeY
R:\Sg|p5rL
e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexei
s4s/s)s%s>sNsOs
s&t*t)t.tbt
2%2.bx
{ | }9},
d6exe9j
]%sOu4](n
m.t.zB}
w%xIyWy
^vcÓv
%f?iCt
U>_.lE
f.ebp
.nrR=
{fn:q%uN
tempg.exe
name="Microsoft.Windows.ErrorReporter"
version="5.1.0.0"
publicKeyToken="6595b64144ccf1df" />
<description>Windows Error Reporting</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
1%s\%s\%s\%s\%s\%s\%s\%s
AppName: %s AppVer: %s AppStamp:%s
ModName: %s ModVer: %s ModStamp:%s
fDebug: %s Offset: %s
Main_AlwaysReportBtn=
Main_NoReportBtn=
Main_ReportBtn=
General_Reportee=
CheckBoxRegKey=
ReportingFlags=
Stage1URL=
Stage2URL=
%General_Reportee%
%u %s
%u.%u %s
%s %s %s %s in %s %s %s fDebug %s at offset %s
Bucket: d
BucketTable %d
%s, %s, %s, %s, %s, %s, %s, %s, %s, %s %s
\dw.log
policy.txt
crash.log
status.txt
hits.log
count.txt
%s\%s\%s
%s\%s\%s\%s
eDWQueuedReporting
DWPersistentQueuedReporting
"%s\%s" -%c
dwtrig20.exe
ReportSize=
\*.cab
dwq.snt
"%s" -%c %u
SEventSystem.EventSubscription
SubscriptionID=%s
#$%&%&'(
Comctl32.dll
Tempg.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CC401.dmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
.NET Runtime 2.0 Error Reporting
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dw.log
Microsoft Application Error Reporting
11.0.8160
Windows
DW20.Exe

Tempg.exe_1224_rwx_00F60000_00014000:

|ntdll.dll
|kernel32.dll
A~user32.dll
wgdi32.dll
wadvapi32.dll
wrpcrt4.dll
wsecur32.dll
woleaut32.dll
wmsvcrt.dll
Nwole32.dll
|shell32.dll
wshlwapi.dll
wversion.dll
ymscoree.dll
9vimm32.dll
blpk.dll
tusp10.dll
=wcomctl32.dll
]comctl32.dll
xvshfolder.dll
7\culture.dll
C:\WINDO
ntdll.dll
1.0.0.0
32.DLL
Windows
Operating System
6.00.2900.5512

iexplore.exe_1304:

%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

Explorer.EXE_532_rwx_00FF0000_00001000:

KERNEL32.DLL

iexplore.exe_1304_rwx_00150000_00001000:

KERNEL32.DLL

iexplore.exe_1304_rwx_00290000_00001000:

KERNEL32.DLL

iexplore.exe_1304_rwx_002D0000_00001000:

KERNEL32.DLL

iexplore.exe_1304_rwx_00310000_00001000:

KERNEL32.DLL

iexplore.exe_1304_rwx_00350000_00001000:

KERNEL32.DLL

iexplore.exe_1304_rwx_00390000_00001000:

KERNEL32.DLL

iexplore.exe_1304_rwx_00C40000_00001000:

advapi32.dll

iexplore.exe_1304_rwx_00D70000_00001000:

RegOpenKeyA

iexplore.exe_1304_rwx_00D80000_00001000:

advapi32.dll

iexplore.exe_1304_rwx_00DB0000_00001000:

AVICAP32.DLL

iexplore.exe_1304_rwx_00EF0000_00001000:

AVICAP32.DLL

iexplore.exe_1304_rwx_00F20000_00001000:

gdi32.dll

iexplore.exe_1304_rwx_00F60000_00001000:

gdi32.dll

iexplore.exe_1304_rwx_00F90000_00001000:

gdiplus.dll

iexplore.exe_1304_rwx_00FD0000_00001000:

gdiplus.dll

iexplore.exe_1304_rwx_01010000_00001000:

mpr.dll

iexplore.exe_1304_rwx_01060000_00001000:

mpr.dll

iexplore.exe_1304_rwx_01090000_00001000:

msacm32.dll

iexplore.exe_1304_rwx_014E0000_00001000:

msacm32.dll

iexplore.exe_1304_rwx_01510000_00001000:

ntdll.dll

iexplore.exe_1304_rwx_01650000_00001000:

ntdll.dll

iexplore.exe_1304_rwx_01680000_00001000:

ole32.dll

iexplore.exe_1304_rwx_017C0000_00001000:

ole32.dll

iexplore.exe_1304_rwx_017F0000_00001000:

oleaut32.dll

iexplore.exe_1304_rwx_01830000_00001000:

oleaut32.dll

iexplore.exe_1304_rwx_01970000_00001000:

powrprof.dll

iexplore.exe_1304_rwx_01AB0000_00001000:

powrprof.dll

iexplore.exe_1304_rwx_01AE0000_00001000:

shell32.dll

iexplore.exe_1304_rwx_01C20000_00001000:

shell32.dll

iexplore.exe_1304_rwx_01C50000_00001000:

user32.dll

iexplore.exe_1304_rwx_01D90000_00001000:

user32.dll

iexplore.exe_1304_rwx_01DC0000_00001000:

wininet.dll

iexplore.exe_1304_rwx_01EF0000_00001000:

FtpOpenFileA

iexplore.exe_1304_rwx_01F00000_00001000:

wininet.dll

iexplore.exe_1304_rwx_01F30000_00001000:

winmm.dll

iexplore.exe_1304_rwx_02070000_00001000:

winmm.dll

iexplore.exe_1304_rwx_020A0000_00001000:

wsock32.dll

iexplore.exe_1304_rwx_021E0000_00001000:

wsock32.dll

iexplore.exe_1304_rwx_02AD0000_0004B000:

`.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_open
sqlite3_close
sqlite3_errmsg
sqlite3_errcode
sqlite3_free
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code "
oleaut32.dll
EVariantBadIndexError
u%CNu
%s[%d]
ESQLiteException
TSQLiteDatabasex
TSQLiteTable
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error [%d]: %s.
"%s": %s
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Mozilla
Firefox
sqlite3.dll
mozcrt19.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
PK11_GetInternalKeySlot
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
ole32.dll
##@@## ##@@## ##@@##
\Google\Chrome\User Data\Default\Web Data
SELECT * FROM logins
password_value
origin_url
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMaxh
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
Password<
Porth
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
EIdObjectTypeNotSupported
TIdTCPServer
IdTCPServer
CmdDelimiterh
TIdTCPServerConnection
DefaultPort
OnExecuteL
EIdTCPServerError
EIdNoExecuteSpecified
TIdTCPClient
IdTCPClient
BoundPorth
PortU
TOnHTTPDocument
TIdHTTPProxyServer
TIdHTTPProxyServer0
IdHTTPProxyServer
DefaultPortd
OnHTTPDocument
HTTP/1.0
Windows Firewall Update
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
KWindows
IdTCPStream
 IdTCPServer
SQLiteTable3
SQLite3
DIdHTTPProxyServer
UnitChrome
UnitFireFox3_5
GetCPInfo
RegOpenKeyExA
RegFlushKey
RegCreateKeyExA
RegCloseKey
GetKeyboardType
MsgWaitForMultipleObjects
((&)))!&$
"#$$&-)01$$'&,--%.&,
4\@%c
.idata
.edata
P.reloc
P.rsrc
$>.icR9
KERNEL32.DLL
advapi32.dll
crypt32.dll
user32.dll
funcoes.dll
GetChromePass
Mozilla3_5Password
StartHttpProxy
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
%s is not a valid service.
Socket Error # %d
File "%s" not found1Only one TIdAntiFreeze can exist per application.
Object type not supported.
No execute handler found.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
No command handler found.*Error on call Winsock2 library function %s
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation

iexplore.exe_1304_rwx_02C50000_0004B000:

`.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_open
sqlite3_close
sqlite3_errmsg
sqlite3_errcode
sqlite3_free
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code "
oleaut32.dll
EVariantBadIndexError
u%CNu
%s[%d]
ESQLiteException
TSQLiteDatabasex
TSQLiteTable
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error [%d]: %s.
"%s": %s
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Mozilla
Firefox
sqlite3.dll
mozcrt19.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
PK11_GetInternalKeySlot
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
ole32.dll
##@@## ##@@## ##@@##
\Google\Chrome\User Data\Default\Web Data
SELECT * FROM logins
password_value
origin_url
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMaxh
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
Password<
Porth
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
EIdObjectTypeNotSupported
TIdTCPServer
IdTCPServer
CmdDelimiterh
TIdTCPServerConnection
DefaultPort
OnExecuteL
EIdTCPServerError
EIdNoExecuteSpecified
TIdTCPClient
IdTCPClient
BoundPorth
PortU
TOnHTTPDocument
TIdHTTPProxyServer
TIdHTTPProxyServer0
IdHTTPProxyServer
DefaultPortd
OnHTTPDocument
HTTP/1.0
Windows Firewall Update
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
KWindows
IdTCPStream
 IdTCPServer
SQLiteTable3
SQLite3
DIdHTTPProxyServer
UnitChrome
UnitFireFox3_5
GetCPInfo
RegOpenKeyExA
RegFlushKey
RegCreateKeyExA
RegCloseKey
GetKeyboardType
MsgWaitForMultipleObjects
((&)))!&$
"#$$&-)01$$'&,--%.&,
4\@%c
.idata
.edata
P.reloc
P.rsrc
$>.icR9
KERNEL32.DLL
advapi32.dll
crypt32.dll
user32.dll
funcoes.dll
GetChromePass
Mozilla3_5Password
StartHttpProxy
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
%s is not a valid service.
Socket Error # %d
File "%s" not found1Only one TIdAntiFreeze can exist per application.
Object type not supported.
No execute handler found.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
No command handler found.*Error on call Winsock2 library function %s
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation

iexplore.exe_1304_rwx_02DA0000_0004B000:

`.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
sqlite3_bind_blob
sqlite3_bind_text
sqlite3_bind_double
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_null
sqlite3_bind_parameter_index
sqlite3_open
sqlite3_close
sqlite3_errmsg
sqlite3_errcode
sqlite3_free
sqlite3_prepare_v2
sqlite3_column_count
sqlite3_column_name
sqlite3_column_decltype
sqlite3_step
sqlite3_column_blob
sqlite3_column_bytes
sqlite3_column_double
sqlite3_column_text
sqlite3_column_type
sqlite3_column_int64
sqlite3_finalize
sqlite3_reset
SQL error or missing database
An internal logic error in SQLite
Operation terminated by sqlite3_interrupt()
Uses OS features not supported on host
2nd parameter to sqlite3_bind out of range
sqlite3_step() has another row ready
sqlite3_step() has finished executing
Unknown SQLite Error Code "
oleaut32.dll
EVariantBadIndexError
u%CNu
%s[%d]
ESQLiteException
TSQLiteDatabasex
TSQLiteTable
Failed to open database "%s" : %s
Failed to open database "%s" : unknown error
Error [%d]: %s.
"%s": %s
Error executing SQL
Could not prepare SQL statement
Error executing SQL statement
SQLite is Busy
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Mozilla
Firefox
sqlite3.dll
mozcrt19.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
nss3.dll
PK11_GetInternalKeySlot
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
signons.sqlite
SELECT * FROM moz_logins
encryptedPassword
ole32.dll
##@@## ##@@## ##@@##
\Google\Chrome\User Data\Default\Web Data
SELECT * FROM logins
password_value
origin_url
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMaxh
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
Password<
Porth
0.0.0.1
TIdTCPConnection
IdTCPConnection
EIdTCPConnectionError
EIdObjectTypeNotSupported
TIdTCPServer
IdTCPServer
CmdDelimiterh
TIdTCPServerConnection
DefaultPort
OnExecuteL
EIdTCPServerError
EIdNoExecuteSpecified
TIdTCPClient
IdTCPClient
BoundPorth
PortU
TOnHTTPDocument
TIdHTTPProxyServer
TIdHTTPProxyServer0
IdHTTPProxyServer
DefaultPortd
OnHTTPDocument
HTTP/1.0
Windows Firewall Update
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
KWindows
IdTCPStream
 IdTCPServer
SQLiteTable3
SQLite3
DIdHTTPProxyServer
UnitChrome
UnitFireFox3_5
GetCPInfo
RegOpenKeyExA
RegFlushKey
RegCreateKeyExA
RegCloseKey
GetKeyboardType
MsgWaitForMultipleObjects
((&)))!&$
"#$$&-)01$$'&,--%.&,
4\@%c
.idata
.edata
P.reloc
P.rsrc
$>.icR9
KERNEL32.DLL
advapi32.dll
crypt32.dll
user32.dll
funcoes.dll
GetChromePass
Mozilla3_5Password
StartHttpProxy
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
%s is not a valid service.
Socket Error # %d
File "%s" not found1Only one TIdAntiFreeze can exist per application.
Object type not supported.
No execute handler found.
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
No command handler found.*Error on call Winsock2 library function %s
Failed to set data for '%s'
%s.Seek not implemented$Operation not allowed on sorted list
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.
%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Ancestor for '%s' not found
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value('%s' is not a valid floating point value
I/O error %d
Integer overflow Invalid floating point operation

iexplore.exe_1304_rwx_24080000_00062000:

`.rsrc
/w)f%u/
kernel32.dll
Portions Copyright (c) 1999,2003 Avenger by NhT
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
####@####
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Portugal
Turkey
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")
Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)
Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)
Set objFileSystem = CreateObject("Scripting.fileSystemObject")
Set objFile = objFileSystem.CreateTextFile("
Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
AVICAP32.dll
tFtpAccess
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
Mozilla3_5Password
GetChromePass
StartHttpProxy
1.2.3
XxX.xXx
UuU.uUu
keyboardkey
webcaminactive
webcamgetbuffer
webcam
enviarexecnormal
enviarexechidden
openweb
downexec
sendftp
keylogger
keyloggergetlog
keyloggereraselog
keyloggerativar
keyloggerdesativar
renamekey
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listarportas
listarportasdns
finalizarprocessoportas
webcamsettings
chatmsg
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
%SYS%
ÞSKTOP%
FirstExecution
chatmsg|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearch
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
getpassword
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getfirefox
getielogin
getiepass
getieweb
getchrome
getpassword|getpasswordlist|
getpassword|getpassworderror|
updateservidorweb
##@@## ##@@## ##@@##
Windows\CurrentVersion\Uninstall\eDonkey2000
UNWISE.EXE
ntdll.dll
icon=shell32.dll,4
shellexecute=
autorun.inf
XX--XX--XX.txt
logs.dat
SQLite3.dll
$1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
KWindows
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
UnitWebcam
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
RegCloseKey
GdiplusShutdown
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
%( % & % % % ]
.idata
.reloc
P.rsrc
advapi32.dll
AVICAP32.DLL
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
ole32.dll
oleaut32.dll
powrprof.dll
user32.dll
wininet.dll
winmm.dll
wsock32.dll

Explorer.EXE_532_rwx_01F00000_00001000:

KERNEL32.DLL

Explorer.EXE_532_rwx_01FD0000_00001000:

KERNEL32.DLL

Explorer.EXE_532_rwx_02020000_00001000:

KERNEL32.DLL

Explorer.EXE_532_rwx_020A0000_00001000:

KERNEL32.DLL

Explorer.EXE_532_rwx_02120000_00001000:

KERNEL32.DLL

Explorer.EXE_532_rwx_02360000_00001000:

advapi32.dll

Explorer.EXE_532_rwx_02390000_00001000:

RegOpenKeyA

Explorer.EXE_532_rwx_023A0000_00001000:

advapi32.dll

Explorer.EXE_532_rwx_023D0000_00001000:

AVICAP32.DLL

Explorer.EXE_532_rwx_02410000_00001000:

AVICAP32.DLL

Explorer.EXE_532_rwx_02890000_00001000:

gdi32.dll

Explorer.EXE_532_rwx_029B0000_00001000:

gdi32.dll

Explorer.EXE_532_rwx_029E0000_00001000:

gdiplus.dll

Explorer.EXE_532_rwx_02AB0000_00001000:

gdiplus.dll

Explorer.EXE_532_rwx_02F10000_00001000:

mpr.dll

Explorer.EXE_532_rwx_03050000_00001000:

mpr.dll

Explorer.EXE_532_rwx_030C0000_00001000:

msacm32.dll

Explorer.EXE_532_rwx_03400000_00001000:

msacm32.dll

Explorer.EXE_532_rwx_03430000_00001000:

ntdll.dll

Explorer.EXE_532_rwx_03470000_00001000:

ntdll.dll

Explorer.EXE_532_rwx_034A0000_00001000:

ole32.dll

Explorer.EXE_532_rwx_034E0000_00001000:

ole32.dll

Explorer.EXE_532_rwx_03B10000_00001000:

oleaut32.dll

Explorer.EXE_532_rwx_03C50000_00001000:

oleaut32.dll

Explorer.EXE_532_rwx_03C80000_00001000:

powrprof.dll

Explorer.EXE_532_rwx_03DC0000_00001000:

powrprof.dll

Explorer.EXE_532_rwx_03DF0000_00001000:

shell32.dll

Explorer.EXE_532_rwx_03F30000_00001000:

shell32.dll

Explorer.EXE_532_rwx_03F60000_00001000:

user32.dll

Explorer.EXE_532_rwx_040A0000_00001000:

user32.dll

Explorer.EXE_532_rwx_040D0000_00001000:

wininet.dll

Explorer.EXE_532_rwx_04200000_00001000:

FtpOpenFileA

Explorer.EXE_532_rwx_04210000_00001000:

wininet.dll

Explorer.EXE_532_rwx_04240000_00001000:

winmm.dll

Explorer.EXE_532_rwx_04380000_00001000:

winmm.dll

Explorer.EXE_532_rwx_043B0000_00001000:

wsock32.dll

Explorer.EXE_532_rwx_044F0000_00001000:

wsock32.dll

Explorer.EXE_532_rwx_24010000_00062000:

`.rsrc
/w)f%u/
kernel32.dll
Portions Copyright (c) 1999,2003 Avenger by NhT
SHFileOperationA
shell32.dll
URLDownloadToFileA
urlmon.dll
ShellExecuteA
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
GetWindowsDirectoryA
SOFTWARE\Microsoft\Windows\CurrentVersion
http\shell\open\command
\Internet Explorer\iexplore.exe
####@####
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
Portugal
Turkey
Windows 3.1
Windows 95 (Release 2)
Windows 95
Windows 98 SE
Windows 98
Windows ME
Windows 7
Windows Vista
%s %s
Windows XP Professional x64
Windows XP Home
Windows XP Professional
Windows 2000 Professional
Windows NT %d.%d
Windows 2008
%s %s Server
Windows 2003 Server Datacenter
Windows 2003 Server Enterprise
Windows 2003 Server Web Edition
Windows 2003 Server
Windows Home Server
Windows 2003 Server (Release 2)
Windows 2000 Server Datacenter
Windows 2000 Server Enterprise
Windows 2000 Server Web Edition
Windows 2000 Server
Windows NT 4.0 Server Datacenter
Windows NT 4.0 Server Enterprise
Windows NT 4.0 Server Web Edition
Windows NT 4.0 Server
Unknown Platform ID (%d)
%d.%d
%s (Build: %d
- Service Pack: %s
KERNEL32.DLL
teste.vbs
teste.txt
Set objSecurityCenter = GetObject("winmgmts:\\.\root\SecurityCenter")
Set colFirewall = objSecurityCenter.ExecQuery("Select * From FirewallProduct",,48)
Set colAntiVirus = objSecurityCenter.ExecQuery("Select * From AntiVirusProduct",,48)
Set objFileSystem = CreateObject("Scripting.fileSystemObject")
Set objFile = objFileSystem.CreateTextFile("
Info = Info & "F" & CountFw & ") " & objFirewall.displayName & " v" & objFirewall.versionNumber & Enter
Info = Info & "A" & CountAV & ") " & objAntiVirus.displayName & " v" & objAntiVirus.versionNumber & Enter
objFile.WriteLine(Info)
objFile.Close
cscript.exe
AVICAP32.dll
tFtpAccess
BuildImportTable: can't load library:
BuildImportTable: ReallocMemory failed
BuildImportTable: GetProcAddress failed
BTMemoryLoadLibary: BuildImportTable failed
BTMemoryGetProcAddress: no export table found
BTMemoryGetProcAddress: DLL doesn't export anything
BTMemoryGetProcAddress: exported symbol not found
SetupApi.dll
SetupDiOpenClassRegKey
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKeyExW
SetupDiCreateDeviceInterfaceRegKeyA
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiOpenDeviceInterfaceRegKey
SetupDiDeleteDeviceInterfaceRegKey
SetupDiCreateDevRegKeyA
SetupDiCreateDevRegKeyW
SetupDiOpenDevRegKey
SetupDiDeleteDevRegKey
CM_DEVCAP_LOCKSUPPORTED
CM_DEVCAP_EJECTSUPPORTED
PDCAP_D0_SUPPORTED
PDCAP_D1_SUPPORTED
PDCAP_D2_SUPPORTED
PDCAP_D3_SUPPORTED
PDCAP_WAKE_FROM_D0_SUPPORTED
PDCAP_WAKE_FROM_D1_SUPPORTED
PDCAP_WAKE_FROM_D2_SUPPORTED
PDCAP_WAKE_FROM_D3_SUPPORTED
PDCAP_WARM_EJECT_SUPPORTED
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
127.0.0.1
iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
Mozilla3_5Password
GetChromePass
StartHttpProxy
1.2.3
XxX.xXx
UuU.uUu
keyboardkey
webcaminactive
webcamgetbuffer
webcam
enviarexecnormal
enviarexechidden
openweb
downexec
sendftp
keylogger
keyloggergetlog
keyloggereraselog
keyloggerativar
keyloggerdesativar
renamekey
windowsfechar
windowsmax
windowsmin
windowsmostrar
windowsocultar
windowsmintodas
windowscaption
listarportas
listarportasdns
finalizarprocessoportas
webcamsettings
chatmsg
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
PSAPI.dll
\config\SteamAppData.vdf
AutoLoginUser
/ClientRegistry.Blob
\ClientRegistry.blob
\steam.dll
%SYS%
ÞSKTOP%
FirstExecution
chatmsg|
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
listarjanelas|windowsfechar|
listarjanelas|windowsmax|
listarjanelas|windowsmin|
listarjanelas|windowsmostrar|
listarjanelas|windowsocultar|
listarjanelas|windowsmintodas|
listarjanelas|windowscaption|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
listarportas|listadeportaspronta|
listarportas|finalizarconexao|
listarportas|finalizarprocessoportas|Y|
listarportas|finalizarprocessoportas|N|
registro|renamekey|
keylogger|keylogger|keyloggerativar|
keylogger|keylogger|keyloggerdesativar|
keylogger|keyloggergetlog|
keylogger|keylogger|keyloggervazio|
keyloggersearch
keyloggersearchok|
webcam|webcaminactive|
webcam|webcamactive|
getpassword
_x_X_PASSWORDLIST_X_x_
NOIP.abc
MSN.abc
FIREFOX.abc
IELOGIN.abc
IEPASS.abc
IEAUTO.abc
IEWEB.abc
SOFTWARE\Mozilla\Mozilla Firefox
getfirefox
getielogin
getiepass
getieweb
getchrome
getpassword|getpasswordlist|
getpassword|getpassworderror|
updateservidorweb
##@@## ##@@## ##@@##
Windows\CurrentVersion\Uninstall\eDonkey2000
UNWISE.EXE
ntdll.dll
icon=shell32.dll,4
shellexecute=
autorun.inf
XX--XX--XX.txt
logs.dat
SQLite3.dll
$1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
KWindows
UnitExecutarComandos
uftp
UrlMon
.UnitBytesSize
UnitListarPortasAtivas
UnitWebcam
UnitKeylogger
WinExec
SetNamedPipeHandleState
GetProcessHeap
CreatePipe
RegOpenKeyExA
RegOpenKeyA
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyA
RegCloseKey
GdiplusShutdown
keybd_event
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
FtpGetFileSize
FtpSetCurrentDirectoryA
FtpOpenFileA
%( % & % % % ]
.idata
.reloc
P.rsrc
advapi32.dll
AVICAP32.DLL
gdi32.dll
gdiplus.dll
mpr.dll
msacm32.dll
ole32.dll
oleaut32.dll
powrprof.dll
user32.dll
wininet.dll
winmm.dll
wsock32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Temprundll.exe:1932
    Temprundll.exe:1228
    cscript.exe:1976
    %original file name%.exe:484
    cffmon.exe:544
    cffmon.exe:1452

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    %Documents and Settings%\%current user%\Local Settings\Temp\wixflvv (1769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (588 bytes)
    %Program Files%\Fonts\cffmon.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XX--XX--XX.txt (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\teste.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Tempg.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temprundll.exe (3806 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nqfmenb (1769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (588 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HKCU" = "%Program Files%\Fonts\cffmon.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now