ZeroAccess_96c6c9ac15

by malwarelabrobot on January 26th, 2015 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), ZeroAccess.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 96c6c9ac15a0fe747c030a6601cff987
SHA1: d48bc295adc521188820a5f5a1db7930b36fda65
SHA256: db7b6b17cae8814395e6f2b3bb0632c08bbb77cc15f78f5878449ef839de6393
SSDeep: 24576:oc1tL/Az3 a/ oqnrU14FAbwwF5JOIGOczXo9NMumutJYELng:t p/1OY4FAbwK5JrGOck9OGnU
Size: 1462784 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-06 02:36:08
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1952

The Trojan injects its code into the following process(es):

rSwooYMM.exe:912
jWcYYUcg.exe:356
FeEQMIQs.exe:264

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\NwIscAww\rSwooYMM.exe (3865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GuMkMcow.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pdfcstd.exe (6417 bytes)
%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.exe (3769 bytes)
%Documents and Settings%\All Users\BOAMIgUE\jWcYYUcg.exe (3697 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GuMkMcow.bat (0 bytes)

The process FeEQMIQs.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (3073 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (31071 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (3073 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3361 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
C:\totalcmd\TcUsbRun.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\MAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3361 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (3073 bytes)
\\STORAGE2\PIPE\srvsvc (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5873 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (3073 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)

Registry activity

The process rSwooYMM.exe:912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 64 A3 EA D1 E5 AF 3E 24 A4 98 2B 42 58 2D A0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rSwooYMM.exe" = "%Documents and Settings%\%current user%\NwIscAww\rSwooYMM.exe"

The process %original file name%.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC B9 B0 97 8A 80 B8 C9 32 5B 57 4B 61 E4 FA 72"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FeEQMIQs.exe" = "%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"rSwooYMM.exe" = "%Documents and Settings%\%current user%\NwIscAww\rSwooYMM.exe"

The process jWcYYUcg.exe:356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 6D E2 9E 9D 3F 4A EF 73 81 08 6B 5B 74 30 86"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FeEQMIQs.exe" = "%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.exe"

The process FeEQMIQs.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 BC F1 80 4E 43 DA AD 8A D9 46 E4 06 A1 7D EE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FeEQMIQs.exe" = "%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.exe"

Dropped PE files

MD5 File path
73be5930cd459fb97b7f85773fb4052f c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
62d114fbc896bcdc8728339b7e9e492b c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
369b4c0210aab057fb53a53b72bec015 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
b354ef598e08ab6ccb57e4df7acc88a8 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
b57dab640f34941b6f5bb567cf63afb7 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
cf6a5f57726f28469f99168c641cd974 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
3fe17be675fbd9c353678489c015e56f c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
9199c65fa7b6fe4a84db47f4940f43bd c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
8e6a5f9098dd859b7c85d9644d714459 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
5ebb2b689940de28a79ed1509528f419 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
b88f8c66eaf7399371c86993ac9e26f4 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
8537a2eebebc159b0b0d1df35fcc4183 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
daee9dd4891ccfca0a10fa7949478679 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
c074e17c014082029c4004ad83469e4e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
c6ab27a188a0f5c7aa6dbab2210fb815 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
1ef0cbe86fb40c76768332c739971768 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
a5cbe87ff6be6a8e79f361dda32f40d6 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
14688749bf0d5a5721763c65611b0ddf c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
8c8f0ba979bc5eae2e7819276406d70e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
ba6ba4250552e5111cf53947c259a78f c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
0b58c65fd0d2f4ac569c9e8fcfe40a01 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
ffee2f42ef772013b2e6d6272529e305 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
8336f4a9612e9c941b5c7ca1f24df0e0 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
fc16c3da68af90476cfdd7f851f6b01f c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe
1792e95ef5dacd84877e0c9edfb80b78 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
733023151e77d5fbc1369e7dedbac830 c:\Documents and Settings\All Users\BOAMIgUE\jWcYYUcg.exe
f9daf1872ea49c3b1439ff7d8bdfe4ef c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
086ac853a834e212ed276dc842f94998 c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
b5f6cd69addd90aebe8e1fe9661b432d c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
9c4b8110805463ddfe582642dc65b711 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
d62ecd69ea321a2f72561db58c2fc713 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
66738bb28a656d5a5a8f8f04ecc8f04b c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
edf0adcbb27454a385cfa79fce6d0410 c:\Documents and Settings\All Users\hUEQccwo\FeEQMIQs.exe
237d2a8699053ee33608e9aca6bc5797 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\pdfcstd.exe
0d57d0c8f1563e5f72935ca49f274b06 c:\Documents and Settings\"%CurrentUserName%"\NwIscAww\rSwooYMM.exe
00ddc2a5a94f759cce66cf7feb778509 c:\Perl\eg\IEExamples\ie_animated.gif.exe
cc31b8dca2d413331d8bcf340cf0012c c:\Perl\eg\IEExamples\psbwlogo.gif.exe
327ad8147f54927d5c9a4364ca47f1b5 c:\Perl\eg\aspSamples\ASbanner.gif.exe
0d2be7d0718709395d321234b3e45794 c:\Perl\eg\aspSamples\Main_Banner.gif.exe
a62dbad0034c825403d752011ce329c3 c:\Perl\eg\aspSamples\psbwlogo.gif.exe
dc52bebed145c69f9fcbcccd0d7cddbc c:\Perl\html\images\AS_logo.gif.exe
2c7204898c3c6fbffec7f0e1a180146b c:\Perl\html\images\PerlCritic_run.png.exe
9f90d320de7fc06a49e440abe676ea0c c:\Perl\html\images\aslogo.gif.exe
f78f6d4ace75910b0ca73f1c9dc8c16c c:\Perl\html\images\ppm_gui.png.exe
b3a31042d5e7be9cec7e43ceb38253c1 c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe
538df92bca0847d30efe4934e874c07f c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe
77ea3210ccf7ee0a28c03f22c403d270 c:\Perl\lib\Devel\NYTProf\js\asc.png.exe
5b85aef271a81eceb58b1f0cb6bdf2b6 c:\Perl\lib\Devel\NYTProf\js\bg.png.exe
d69236aee68adc6d2b9780c49ab97f92 c:\Perl\lib\Devel\NYTProf\js\desc.png.exe
eb2775e156af7fa802d71a276e31752e c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe
685c88bcb97a957a8308520e1d744203 c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe
9c0a09770a2028c858a3ab5c6d060844 c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe
3387c9747e50a12705b786466fb9e295 c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe
3df32dca9f17ab2f366663856407f95a c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe
4c94c294626e601453ace3c23601dd5c c:\Perl\lib\Mozilla\CA\cacert.pem.exe
23f483dde73244ea42a9e8c4bdad6229 c:\totalcmd\TCMADMIN.EXE.exe
89c20e13305cd629c4c97d40e828cb7b c:\totalcmd\TCMDX32.EXE.exe
07889535e7a78663fd7bc66579fef2e8 c:\totalcmd\TCUNINST.EXE.exe
f104337284dcc72a8ab3698754157148 c:\totalcmd\TOTALCMD.EXE.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1458176 1455616 5.45963 bd58ff82b4d26a6da806ded5658187d3
.rdata 1462272 4096 512 1.24352 e259c54e0ba78a8928e933b9aeb58e34
.data 1466368 202 512 2.26427 792775e589ab1ea59cf9914b60f25a94
.rsrc 1470464 4444 4608 3.58115 0e3195b197784339127a56b2db722ea1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://google.com/ 173.194.71.101


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1
Host: google.com


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=xGTEVO3AE-KWwAOfo4H4BA
Content-Length: 262
Date: Sun, 25 Jan 2015 03:36:36 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.02
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=xGTEVO3AE-KW
wAOfo4H4BA">here</A>...</BODY></HTML>....



GET / HTTP/1.1
Host: google.com


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=xGTEVMaxFOS9wAOBiYGgCw
Content-Length: 262
Date: Sun, 25 Jan 2015 03:36:36 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.02
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=xGTEVMaxFOS9
wAOBiYGgCw">here</A>...</BODY></HTML>....

The Trojan connects to the servers at the folowing location(s):

rSwooYMM.exe_912:

.text
`.rdata
@.data
?uKU:I.BcS
.om@Z
R$e7.vn
&'/'< ;<
9>.*>- dr.ok h
->: 72.;
.dEmk
%Uc'\>
eou
.aZ$^
ÃBQ|
HTA.fb
X_e.Gx
MS|.TF7
x.EugxxDX&
.diOG
/:)<%D
%s2:%ej:|
_R<%U
.tXqwCAV1
.SeA]
|ge%s
YQ.vG
?%fp1
I.gk}
*X%1S(
{F|%{F|%{F|%c
(v0%U
0][w%U
k1%FQ
yo1%FQ
al1%U
Microsoft Windows
%D'~H
oR%x{
J %dl
oi%sw
p.pTl
o?-S}
o}v).Wn
ob .kgo
o<.tvbl
kernel32.dll
advapi32.dll
user32.dll

rSwooYMM.exe_912_rwx_00401000_00072000:

?uKU:I.BcS
.om@Z
R$e7.vn
&'/'< ;<
9>.*>- dr.ok h
->: 72.;
.dEmk
%Uc'\>
eou
.aZ$^
ÃBQ|
HTA.fb
X_e.Gx
MS|.TF7
x.EugxxDX&
.diOG
/:)<%D
%s2:%ej:|
_R<%U
.tXqwCAV1
.SeA]
|ge%s
YQ.vG
?%fp1
I.gk}
*X%1S(
{F|%{F|%{F|%c
(v0%U
0][w%U
k1%FQ
yo1%FQ
al1%U
Microsoft Windows
%D'~H
oR%x{
J %dl
oi%sw
p.pTl
o?-S}
o}v).Wn
ob .kgo
o<.tvbl

rSwooYMM.exe_912_rwx_00910000_00071000:

?uKU:I.BcS
.om@Z
R$e7.vn
&'/'< ;<
9>.*>- dr.ok h
->: 72.;
.dEmk
}$uDpMs5
%Uc'\>
eou
.aZ$^
ÃBQ|
HTA.fb
X_e.Gx
MS|.TF7
x.EugxxDX&
.diOG
/:)<%D
%s2:%ej:|
_R<%U
.tXqwCAV1
.SeA]
|ge%s
YQ.vG
?%fp1
I.gk}
*X%1S(
{F|%{F|%{F|%c
(v0%U
0][w%U
k1%FQ
yo1%FQ
al1%U
%D'~H
oR%x{
J %dl
oi%sw
p.pTl
o?-S}
o}v).Wn
ob .kgo
o<.tvbl

rSwooYMM.exe_912_rwx_00BB0000_00001000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

FeEQMIQs.exe_264:

.text
`.rdata
@.data
?uKU:I.BcS
.om@Z
R$e7.vn
&'/'< ;<
9>.*>- dr.ok h
->: 72.;
.dEmk
].mbXo
%D=dJa
%c$JT
Ey.lJ
o[.Cs
.lA#{
#=%dO
o\6%S
.AB%&w
^x]m
.rBx;
.IM3P2D
.Qc^d
(Q$w.El
_F.EQ
jP.tU}
.TBC)
Windows Internet Explorer
Windows Task Manager
taskmgr.exetaskkill /F /IM taskmgr.exe /T
jWcYYUcg.exe
ec.exe
".El/0
Microsoft Windows
%D'~H
_.wW 
_.wW(
_.wW($"
ntdll.dll
user32.dll

rSwooYMM.exe_912_rwx_00BE0000_00001000:

%Documents and Settings%\%current user%\NwIscAww\rSwooYMM

rSwooYMM.exe_912_rwx_00BF0000_00001000:

%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs

rSwooYMM.exe_912_rwx_00C00000_00001000:

%Documents and Settings%\%current user%\NwIscAww\rSwooYMM.inf

rSwooYMM.exe_912_rwx_00C10000_00001000:

%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.inf

rSwooYMM.exe_912_rwx_00C20000_00001000:

%Documents and Settings%\%current user%\NwIscAww\rSwooYMM.exe

rSwooYMM.exe_912_rwx_00C30000_00001000:

%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.exe

rSwooYMM.exe_912_rwx_00C60000_00001000:

rSwooYMM.exe

rSwooYMM.exe_912_rwx_00C70000_00001000:

FeEQMIQs.exe

jWcYYUcg.exe_356:

.text
`.rdata
@.data
?uKU:I.BcS
.om@Z
R$e7.vn
&'/'< ;<
9>.*>- dr.ok h
->: 72.;
.dEmk
}$uDpMs5
%Uc'\>
eou
.aZ$^
ÃBQ|
HTA.fb
X_e.Gx
MS|.TF7
x.EugxxDX&
.diOG
/:)<%D
%s2:%ej:|
_R<%U
.tXqwCAV1
.SeA]
|ge%s
YQ.vG
?%fp1
I.gk}
*X%1S(
{F|%{F|%{F|%c
(v0%U
0][w%U
k1%FQ
yo1%FQ
al1%U
2software\microsoft\windows\currentversion\run
%D'~H
oR%x{
J %dl
oi%sw
p.pTl
o?-S}
o}v).Wn
ob .kgo
o<.tvbl
/!%c 
oleaut32.dll
ntdll.dll
kernel32.dll
GetProcessWindowStation
user32.dll

rSwooYMM.exe_912_rwx_00C80000_00001000:

taskkill /FI "USERNAME eq adm" /F /IM rSwooYMM.exe

rSwooYMM.exe_912_rwx_00C90000_00001000:

taskkill /FI "USERNAME eq adm" /F /IM FeEQMIQs.exe

rSwooYMM.exe_912_rwx_00CA0000_00001000:

%Documents and Settings%\All Users\BOAMIgUE\jWcYYUcg.exe

rSwooYMM.exe_912_rwx_00CB0000_00001000:

%Documents and Settings%\All Users\MAAo.txt

rSwooYMM.exe_912_rwx_00CC0000_00001000:

notepad.exe "%Documents and Settings%\All Users\MAAo.txt"

rSwooYMM.exe_912_rwx_00CD0000_00001000:

%Documents and Settings%\All Users\BOAMIgUE

FeEQMIQs.exe_264_rwx_00401000_00072000:

?uKU:I.BcS
.om@Z
R$e7.vn
&'/'< ;<
9>.*>- dr.ok h
->: 72.;
.dEmk
].mbXo
%D=dJa
%c$JT
Ey.lJ
o[.Cs
.lA#{
#=%dO
o\6%S
.AB%&w
^x]m
.rBx;
.IM3P2D
.Qc^d
(Q$w.El
_F.EQ
jP.tU}
.TBC)
Windows Internet Explorer
Windows Task Manager
taskmgr.exetaskkill /F /IM taskmgr.exe /T
jWcYYUcg.exe
ec.exe
".El/0
Microsoft Windows
%D'~H
_.wW 
_.wW(
_.wW($"

FeEQMIQs.exe_264_rwx_00910000_00071000:

?uKU:I.BcS
.om@Z
R$e7.vn
&'/'< ;<
9>.*>- dr.ok h
->: 72.;
.dEmk
}$uDpMs5
%Uc'\>
eou
.aZ$^
ÃBQ|
HTA.fb
X_e.Gx
MS|.TF7
x.EugxxDX&
.diOG
/:)<%D
%s2:%ej:|
_R<%U
.tXqwCAV1
.SeA]
|ge%s
YQ.vG
?%fp1
I.gk}
*X%1S(
{F|%{F|%{F|%c
(v0%U
0][w%U
k1%FQ
yo1%FQ
al1%U
%D'~H
oR%x{
J %dl
oi%sw
p.pTl
o?-S}
o}v).Wn
ob .kgo
o<.tvbl

FeEQMIQs.exe_264_rwx_00BB0000_00001000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

FeEQMIQs.exe_264_rwx_00BE0000_00001000:

%Documents and Settings%\%current user%\NwIscAww\rSwooYMM

FeEQMIQs.exe_264_rwx_00BF0000_00001000:

%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs

FeEQMIQs.exe_264_rwx_00C00000_00001000:

%Documents and Settings%\%current user%\NwIscAww\rSwooYMM.inf

FeEQMIQs.exe_264_rwx_00C10000_00001000:

%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.inf

FeEQMIQs.exe_264_rwx_00C20000_00001000:

%Documents and Settings%\%current user%\NwIscAww\rSwooYMM.exe

FeEQMIQs.exe_264_rwx_00C30000_00001000:

%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.exe

FeEQMIQs.exe_264_rwx_00C60000_00001000:

rSwooYMM.exe

FeEQMIQs.exe_264_rwx_00C70000_00001000:

FeEQMIQs.exe

FeEQMIQs.exe_264_rwx_00C80000_00001000:

taskkill /FI "USERNAME eq adm" /F /IM rSwooYMM.exe

FeEQMIQs.exe_264_rwx_00C90000_00001000:

taskkill /FI "USERNAME eq adm" /F /IM FeEQMIQs.exe

FeEQMIQs.exe_264_rwx_00CA0000_00001000:

%Documents and Settings%\All Users\BOAMIgUE\jWcYYUcg.exe

FeEQMIQs.exe_264_rwx_00CB0000_00001000:

%Documents and Settings%\All Users\MAAo.txt

FeEQMIQs.exe_264_rwx_00CC0000_00001000:

notepad.exe "%Documents and Settings%\All Users\MAAo.txt"

FeEQMIQs.exe_264_rwx_00CD0000_00001000:

%Documents and Settings%\All Users\BOAMIgUE

FeEQMIQs.exe_264_rwx_01110000_02300000:

user32.dll
kernel32.dll
füf
5q.HH4k
h%u~%pHrJ
G.Ys'
2N%Xh^
.Unc;
x.ErDj
.abxc
)vÿ
.jYBr
I<.CK
yH.DPB
.nLB@1
.kK=2PN
Bm.Vn
pt%xJi
.DPRgV
x.eBo
.tAX:
.ae?=
"PÃ
s&uV%u#
G2\s}.aw
.kz=1G
E%-A}(
%fw'i
O8
..nkQ
8;%xlF
;%xlF
4k.np
4=g%s
yG.Gu#
h7.hu#
%.%u#
.Ru#f
\.au#Q
&Z.bu#
W]_%u#
;%0u#X
)%s{ 
o%uDW
.SieD
o%uDWIb
.wWI*
OEy[KEy
"By .By
kz2I %C
W%Cy{&Cyc#Cyk,Cy )CyK
9crt{ 
9cRt{ 
@y E%s
yo%uD
,ly3.ly
_m%C{ 
v[%cg
Z
EmsGGa{ e^
;.DM#
>${;>${[?${ ?${
2${[2${;3${
3${{0${ 
7${[6${;1${[1${{7${ 
&{{4\{ 4${
,${[,${;,${
\${{}${ 
6{k.Yyk
^={#[={#$={
>:{ 8:{ ;:{ ::{
4;{{1;{ >;{
.{k%Xy 
&{k.Zy 
f|0XF%x
%X`F}
H(L%0X
HFTP
Us.fP
]s.fP
u ~%X
.iPg%
'Z;1%x
o }o%D
.eV{K
:1N{ MU;AI.nc
{ %Sz 
|^{#'[{ 
$1{ 5[[ 
[c{3%c{SZc{
xË*
{ %CH
Ta)B%s
;1%X4
b{ %Sx 
e{ %Sx 
zYsQl3
`r|{ %Sz 
6{ %X{!
{ %X{ \
&}Key{le
{{k%x{#
{{k%x{
n{C%X{
`F%x{
%X0OU
_{;#/{ ,_{
^{  ,{[,\{
x%C{ 
W%x#r

FeEQMIQs.exe_264_rwx_03910000_01E00000:




.text
`.rdata
@.data
.rsrc
@.reloc
u%Uh`
QSSSh
QVSSh
t.PSh
T$lRSSh| "
UDPQRh
L$ QSSh
L$,QSSh
QSSShlVU
RVSShlVU
t.Ph\
tGHt.Ht&
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
\N is not supported in a class
inflate 1.2.5 Copyright 1995-2010 Mark Adler
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
RtlRunOnceExecuteOnce
advapi32_hack::try_hack: bad PE passed
advapi32_hack::try_hack: cannot read import table
advapi32_hack::try_hack: cannot find section .text
.data
advapi32_hack::try_hack: cannot find section .data
advapi32_hack::try_hack: cannot read section .text
Cannot read module %s, error %d
Cannot read exports of %s, error %d
advapi32_hack::try_hack: cannot read exports, error %d
.apiset
Bad .apiset catalog - don`t fit in section
String in cat item %d not in section
Value in cat item %d not in section
Bad referred in cat item %d
Double mapped value in cat item %d not in section
Bad double referred in cat item %d
BaseSrvRegisterWowExec
BaseSrvGetProcessShutdownParam
BaseSrvSetProcessShutdownParam
basesrv.dll
Unknown size of BaseServerApiDispatchTable: %d
ServerDll[%d] %p
csrsrv.dll
CsrExecServerThread
ServerDll[%d]:
ApiDispatchTable: %p %s
ConnectRoutine: %p %s
DisconnectRoutine: %p %s
HardErrorRoutine: %p %s
AddProcessRoutine: %p %s
ShutdownProcessRoutine: %p %s
Cannot open dir %S, error %d
clean_old_drvs: error %d on deleting file %S
Cannot find resource %X
Cannot load resource %X
Resource %d has zero length
Cannot lock resource %X
Cannot unpack resource %X
Cannot create file %S, error %d
1.2.5
Decompress buffer %d bytes too small
DxDvpWaitForVideoPortSync
DxDvpUpdateVideoPort
DxDvpGetVideoPortConnectInfo
DxDvpGetVideoPortOutputFormats
DxDvpGetVideoPortLine
DxDvpGetVideoPortInputFormats
DxDvpGetVideoPortFlipStatus
DxDvpGetVideoPortField
DxDvpGetVideoPortBandwidth
DxDvpFlipVideoPort
DxDvpDestroyVideoPort
DxDvpCreateVideoPort
DxDvpCanCreateVideoPort
DxDdSetColorKey
Cannot read gaDxgFuncs handlers, readed %X bytes
.rdata
Cannot read DxgCoreInterface handlers, readed %X bytes
Unknown acpi table version: %X
SBP2PORT_Mask
STORMINIPORT_Mask
STORPORT_Mask
TCPIP6_Mask
WSOCKTRANSPORT_Mask
FCPORT_Mask
SOFTPCI_Mask
TCPIP_Mask
SCSIMINIPORT_Mask
SCSIPORT_Mask
Unknown KdComponentTableSize size %X
dump_kd_masks return %X bytes, error %d, ntstatus %X
dump_kd_masks return %X bytes, error %d
dump_kd_masks(%s) return %X bytes, error %d, ntstatus %X
dump_kd_masks(%s) return %X bytes, error %d
%-*s: %X
read_kopts_length(%s) return %X bytes, error %d, ntstatus %X
read_kopts_length(%s) return %X bytes, error %d
Cannot alloc %X bytes
Cannot realloc %X bytes for %s
read_kopts(%s) return %X bytes, error %d, ntstatus %X
read_kopts(%s) return %X bytes, error %d
%S (%s): %X
%S (%s):
dump_kopts(%s) return %X bytes, error %d, ntstatus %X
dump_kopts(%s) return %X bytes, error %d
MmSupportWriteWatch
KiPassiveWatchdogTimeout
ViImageExecutionOptions
DbgkErrorPortStartTimeout
DbgkErrorPortCommTimeout
MmDisablePagingExecutive
CmDefaultLanguageId
DbgkpMaxModuleMsgs
IoCountOperations
KeDelayExecutionThread
resolve_IoFreeIrp: bad addr of %s
get_interrupt_dispatch: cannot alloc %d bytes
Unknown kernel options: %S
PsGetProcessWin32WindowStation
KeIsExecutingDpc
bad addr of KeIsExecutingDpc
Bad pnp handler item %d (%d)
Cannot find %s
ks.sys: cannot get KoCreateInstance
ImportContext
ExportContext
SpChangeAccountPasswordFn
CallPackagePassthrough
%SystemRoot%\System32\
GetServiceAccountPassword
DPAPIPasswordChangeForGMSA
GetCredentialKey
INotifyPasswordChanged
%s PolicyChangeNotificationCallbacks
PolicyChangeNotificationCallback[%d]: %d items
[%d] %p %p %p %p %s
lsasrv_hack::try_hack: bad PE passed
lsasrv_hack::try_hack: cannot find section .data
lsasrv_hack::try_hack: cannot read section .data
lsasrv_hack::try_hack: bad section passed
lsasrv_hack::try_hack: cannot read exports, error %d
LsaICallPackagePassthrough
lsasrv.dll
VaultLogonSessionNotification: %p %s
Start of driver %S failed !
WSPJoinLeaf
MSAFD_WSPSendMsg
MSAFD_WSPRecvMsg
mswsock.dll
CheckProc: cannot open process PID %d, error %d, ntstatus %X
CheckProc: cannot open process PID %d, error %d
threaded_processes_checker exception occured, error %X
MyWindowsChecker: len %d, kernel name %s
Cannot get kernel name, error %d
Kill process %d
Check processes in %d threads
Cannot find process %d
Usage: %S [options]
-wmi - report about WMI entries
-uem - check for Unknown Executable Memory
-npo - dump RPC Named Pipes Owner
-rdata - check .rdata sections too
-rpc - report about RPC interfaces
DeriveKey
NotifyChangeKey
EnumKeys
IsAlgSupported
FreeKey
DeleteKey
FinalizeKey
SetKeyProperty
CreatePersistedKey
OpenKey
OpenPrivateKey
ImportKey
ImportMasterKey
GetKeyProperty
GenerateSessionKeys
GenerateMasterKey
ExportKey
CreateEphemeralKey
ComputeEapKeyBlock
ncrypt_hack::check_in_proc: cannot alloc %d bytes
GetKeyStorageInterface
Cannot load %s (copy of %s), error %d
Cannot load module %s, error %d
Cannot read module %s import table
NdisMRegisterMiniportDriver
resolve_minidrivers_list: bad addr of NdisMRegisterMiniportDriver
NdisMRegisterMiniport
resolve_minidrivers_list: cannot find NdisMRegisterMiniport
resolve_minidrivers_list: bad addr of NdisMRegisterMiniport
resolve_miniports_list: cannot find NdisIMInitializeDeviceInstanceEx
resolve_miniports_list: bad addr of NdisIMInitializeDeviceInstanceEx
OID_CO_TAPI_DONT_REPORT_DIGITS
OID_CO_TAPI_REPORT_DIGITS
OID_QOS_OPERATIONAL_PARAMETERS
OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA_EX
OID_TCP_TASK_IPSEC_OFFLOAD_V2_UPDATE_SA
OID_TCP_TASK_IPSEC_OFFLOAD_V2_DELETE_SA
OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA
OID_TCP_CONNECTION_OFFLOAD_PARAMETERS
OID_FFP_SUPPORT
OID_TCP_CONNECTION_OFFLOAD_HARDWARE_CAPABILITIES
OID_TCP_CONNECTION_OFFLOAD_CURRENT_CONFIG
OID_TCP_OFFLOAD_HARDWARE_CAPABILITIES
OID_TCP_OFFLOAD_PARAMETERS
OID_TCP_OFFLOAD_CURRENT_CONFIG
OID_TCP6_OFFLOAD_STATS
OID_TCP4_OFFLOAD_STATS
OID_TCP_TASK_IPSEC_DELETE_UDPESP_SA
OID_TCP_TASK_IPSEC_ADD_UDPESP_SA
OID_TCP_SAN_SUPPORT
OID_TCP_TASK_IPSEC_DELETE_SA
OID_TCP_TASK_IPSEC_ADD_SA
OID_TCP_TASK_OFFLOAD
OID_DOT11_SUPPORTED_DSSS_CHANNEL_LIST
OID_DOT11_SUPPORTED_OFDM_FREQUENCY_LIST
OID_DOT11_QOS_TX_QUEUES_SUPPORTED
OID_DOT11_AP_JOIN_REQUEST
OID_DOT11_HR_CCA_MODE_SUPPORTED
OID_DOT11_FREQUENCY_BANDS_SUPPORTED
OID_DOT11_SUPPORTED_DATA_RATES_VALUE
OID_DOT11_SUPPORTED_RX_ANTENNA
OID_DOT11_SUPPORTED_TX_ANTENNA
OID_DOT11_REG_DOMAINS_SUPPORT_VALUE
OID_DOT11_CCA_MODE_SUPPORTED
OID_DOT11_SUPPORTED_POWER_LEVELS
OID_DOT11_DIVERSITY_SUPPORT
OID_DOT11_SUPPORTED_PHY_TYPES
OID_DOT11_OPERATIONAL_RATE_SET
OID_DOT11_JOIN_REQUEST
OID_DOT11_CURRENT_OPERATION_MODE
OID_DOT11_OPERATION_MODE_CAPABILITY
OID_802_11_SUPPORTED_RATES
OID_802_11_NETWORK_TYPES_SUPPORTED
OID_802_11_REMOVE_KEY
OID_802_11_ADD_KEY
OID_IRDA_SUPPORTED_SPEEDS
OID_ATM_SUPPORTED_AAL_TYPES
OID_ATM_SUPPORTED_SERVICE_CATEGORY
OID_ATM_SUPPORTED_VC_RATES
OID_FDDI_PORT_ACTION
OID_FDDI_PORT_HARDWARE_PRESENT
OID_FDDI_PORT_LER_FLAG
OID_FDDI_PORT_PC_WITHHOLD
OID_FDDI_PORT_PCM_STATE
OID_FDDI_PORT_CONNNECT_STATE
OID_FDDI_PORT_LER_ALARM
OID_FDDI_PORT_LER_CUTOFF
OID_FDDI_PORT_LEM_CT
OID_FDDI_PORT_LEM_REJECT_CT
OID_FDDI_PORT_LER_ESTIMATE
OID_FDDI_PORT_LCT_FAIL_CT
OID_FDDI_PORT_EB_ERROR_CT
OID_FDDI_PORT_PC_LS
OID_FDDI_PORT_BS_FLAG
OID_FDDI_PORT_MAINT_LS
OID_FDDI_PORT_INDEX
OID_FDDI_PORT_CONNECTION_CAPABILITIES
OID_FDDI_PORT_PMD_CLASS
OID_FDDI_PORT_MAC_LOOP_TIME
OID_FDDI_PORT_AVAILABLE_PATHS
OID_FDDI_PORT_MAC_PLACEMENT
OID_FDDI_PORT_REQUESTED_PATHS
OID_FDDI_PORT_CURRENT_PATH
OID_FDDI_PORT_MAC_INDICATED
OID_FDDI_PORT_CONNECTION_POLICIES
OID_FDDI_PORT_NEIGHBOR_TYPE
OID_FDDI_PORT_MY_TYPE
OID_FDDI_MAC_DOWNSTREAM_PORT_TYPE
OID_FDDI_SMT_MSG_TIME_STAMP
OID_FDDI_SMT_BYPASS_PRESENT
OID_FDDI_SMT_MAC_INDEXES
OID_FDDI_SMT_PORT_INDEXES
OID_TCP_RSC_STATISTICS
OID_SWITCH_PORT_UPDATED
OID_GEN_OPERATIONAL_STATUS
OID_SWITCH_PORT_TEARDOWN
OID_SWITCH_PORT_FEATURE_STATUS_QUERY
OID_SWITCH_PORT_DELETE
OID_SWITCH_PORT_CREATE
OID_SWITCH_PORT_ARRAY
OID_SWITCH_PORT_PROPERTY_ENUM
OID_SWITCH_PORT_PROPERTY_DELETE
OID_SWITCH_PORT_PROPERTY_UPDATE
OID_SWITCH_PORT_PROPERTY_ADD
OID_NIC_SWITCH_DELETE_VPORT
OID_NIC_SWITCH_ENUM_VPORTS
OID_NIC_SWITCH_VPORT_PARAMETERS
OID_NIC_SWITCH_CREATE_VPORT
OID_GEN_MINIPORT_RESTART_ATTRIBUTES
OID_GEN_PORT_AUTHENTICATION_PARAMETERS
OID_GEN_PORT_STATE
OID_GEN_ENUMERATE_PORTS
OID_GEN_TRANSPORT_HEADER_OFFSET
OID_GEN_SUPPORTED_GUIDS
OID_GEN_MEDIA_SUPPORTED
OID_GEN_SUPPORTED_LIST
Cannot read gWfpGlobal, readed %X bytes
Cannot read Wfp callout count, readed %X bytes
Cannot read Wfp callouts, readed %X bytes
Cannot read WFP index functions, readed %X bytes
iphlpapi.dll
%SystemRoot%\System32\iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
GetExtendedTcpTable
GetExtendedUdpTable
Failed to snapshot TCP endpoints, error %d
Failed to snapshot UDP endpoints, error %d
Cannot alloc %d bytes for UDP extended table
Cannot alloc %d bytes for TCP extended table
ntdll_hack::try_hack: bad PE passed
ntdll_hack::try_hack: cannot find section .text
ntdll_hack::try_hack: cannot read section .text
ntdll_hack::try_hack: bad section passed
ntdll_hack::try_hack: cannot read exports, error %d
%s channel hooks:
ChannelHook[%d]: %p (%p - %s) %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
ChannelHook[%d]: %p (%p) %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
MallocSpy: %p vtbl %p - %s
webclient
msiexec32
msiexec
tftp
ftp32
cmd32
ccmexec32
ccmexec
chrome
opera
firefox
Process PID %d raise dwwin PID %d
Cannot alloc new process PID %d %S
Cannot open svchost process PID %d, error %d
proc_list::read: CreateToolhelp32Snapshot failed with error %d
PID %d Parent PID %d service {%S} %S
PID %d Parent PID %d %S
PID %d Parent PID %d kind {%S} %S
read_service_exe_name(%S): cannot expand string %S
ExWindowStationOpenProcedureCallout
ExWindowStationParseProcedureCallout
ExWindowStationDeleteProcedureCallout
ExWindowStationCloseProcedureCallout
ExWindowStationOkToCloseProcedureCallout
read_w8_callout failed, len %d, returned %d bytes, error %d, ntstatus %X
read_w8_callout failed, len %d, returned %d bytes, error %d
PsWin32CallBack: %p %p %s
check_callouts: cannot alloc %X bytes (size %d)
check_callouts failed, error %d, status %X
check_callouts failed, error %d
Callouts (%d):
%s: %p %s
ark_check_callbacks: cannot read size of callbacks list, error %d, ntstatus %X
ark_check_callbacks: cannot read size of callbacks list, error %d
ark_check_callbacks: cannot read %d bytes (readed %d), error %d, ntstatus %X
ark_check_callbacks: cannot read %d bytes (readed %d), error %d
CB: %S, total %X:
%p (%s)
check_shutdown_callbacks: cannot read size of callbacks list, error %d, ntstatus %X
check_shutdown_callbacks: cannot read size of callbacks list, error %d
check_shutdown_callbacks: cannot read callbacks list of %s, error %d, ntstatus %X
check_shutdown_callbacks: cannot read callbacks list of %s, error %d
%s - %d:
FastIoUnlockAllByKey
MJ_CREATE_NAMED_PIPE
%s!%s.%s patched by %s, addr %p
%s!%s[%d] patched by %s, addr %p
Cannot open driver dumpfile %s, error %d
Cannot open kernel dumpfile %s, error %d
Cannot read driver %s, error %d
hal.dll
Shadow SDT: %p, limit %X
win32k.sys
Cannot relocate section %s.%s
Cannot alloc %X bytes for reading driver section %s.%s
Driver %s!%s has %X patched bytes !
.orig
.kmem
Cannot read driver section %s.%s (flags %X) at %p size %X readed %X, error %d, ntstatus %X
Cannot read driver section %s.%s (flags %X) at %p size %X readed %X, error %d
Cannot read kernel %s, error %d
ntoskrnl.exe
Cannot alloc %X bytes for reading kernel sections
Cannot relocate section %s
KernelSection %s rva %X, size %X, 0x%X relocs has 0x%X patched bytes !
Cannot read (whole) section %s (flags %X) at %p size %X (readed %X), error %d
\SystemRoot\system32\hal.dll
\SystemRoot\system32\halapic.dll
\SystemRoot\system32\halmps.dll
\SystemRoot\system32\halacpi.dll
\SystemRoot\system32\halaacpi.dll
\SystemRoot\system32\halmacpi.dll
%SystemRoot%\System32\hal.dll
halapic.dll
halmps.dll
halacpi.dll
halaacpi.dll
halmacpi.dll
Driver %S DrvObj %p:
DriverUnload patched by %s, addr %p
DriverStartIo patched by %s, addr %p
AddDevice patched by %s, addr %p
Handler %s patched by %s, addr %p
Handler %s patched, addr %p
Handler %d patched by %s, addr %p
Handler %d patched, addr %p
FastIOHandler %s patched by %s, addr %p
FastIOHandler %s patched, addr %p
FastIOHandler %d patched by %s, addr %p
FastIOHandler %d patched, addr %p
FS_FILTER_CALLBACKS %s patched by %s, addr %p
FS_FILTER_CALLBACKS %s patched, addr %p
FS_FILTER_CALLBACKS %d patched by %s, addr %p
FS_FILTER_CALLBACKS %d patched, addr %p
StartIo patched by %s, addr %p
read_fsmjxxx(%S): cannot make full driver name
read_fsmjxxx(%S) failed, error %d, ntstatus %X
read_fsmjxxx(%S) failed, error %d
read_mjxxx(%s): cannot make full driver name
read_mjxxx(%S) failed, error %d, ntstatus %X
read_mjxxx(%S) failed, error %d
Cannot alloc %X bytes for driver %s EAT checking
read_driver_eat %s failed, error %d, status %X
read_driver_eat %s failed, error %d
Export addr %s.%s patched by %s !
Export addr %s.%s patched !
Export addr %s.%d patched by %s !
Export addr %s.%d patched!
\hal.dll
\SystemRoot\system32\drivers\ndis.sys
ndis.sys
drivers\ndis.sys
\SystemRoot\system32\DRIVERS\tdi.sys
tdi.sys
drivers\tdi.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
tcpip.sys
drivers\tcpip.sys
\SystemRoot\system32\DRIVERS\netio.sys
netio.sys
drivers\netio.sys
\SystemRoot\system32\DRIVERS\fltmgr.sys
fltmgr.sys
drivers\fltmgr.sys
\SystemRoot\system32\DRIVERS\ks.sys
ks.sys
drivers\ks.sys
\SystemRoot\system32\DRIVERS\dxg.sys
drivers\dxg.sys
\SystemRoot\system32\DRIVERS\dxgkrnl.sys
drivers\dxgkrnl.sys
\SystemRoot\system32\DRIVERS\watchdog.sys
drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\ksecdd.sys
ksecdd.sys
drivers\ksecdd.sys
\SystemRoot\System32\Drivers\Ntfs.sys
ntfs.sys
\SystemRoot\system32\CLFS.SYS
CLFS.SYS
\SystemRoot\system32\drivers\ataport.sys
ataport.sys
\SystemRoot\system32\drivers\atapi.sys
atapi.sys
\SystemRoot\system32\drivers\peauth.sys
peauth.sys
\SystemRoot\system32\drivers\WDFLDR.sys
WDFLDR.sys
\SystemRoot\system32\drivers\usbstor.sys
usbstor.sys
\SystemRoot\system32\drivers\usbd.sys
usbd.sys
\SystemRoot\system32\drivers\USBPORT.sys
USBPORT.sys
\SystemRoot\system32\drivers\usbohci.sys
usbohci.sys
\SystemRoot\system32\drivers\usbehci.sys
usbehci.sys
\SystemRoot\system32\drivers\usbhub.sys
usbhub.sys
\SystemRoot\system32\drivers\usbccgp.sys
usbccgp.sys
\SystemRoot\system32\drivers\discache.sys
discache.sys
\SystemRoot\system32\drivers\termdd.sys
termdd.sys
\SystemRoot\system32\drivers\rdppr.sys
rdppr.sys
\SystemRoot\system32\drivers\mssmbios.sys
mssmbios.sys
\SystemRoot\system32\drivers\1394BUS.SYS
1394BUS.SYS
\SystemRoot\system32\drivers\BATTC.SYS
BATTC.SYS
\SystemRoot\system32\drivers\bthport.sys
bthport.sys
\SystemRoot\system32\drivers\drmk.sys
drmk.sys
\SystemRoot\system32\drivers\HIDPARSE.SYS
HIDPARSE.SYS
\SystemRoot\system32\drivers\HIDCLASS.SYS
HIDCLASS.SYS
\SystemRoot\system32\drivers\msiscsi.sys
msiscsi.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
PCIIDEX.SYS
\SystemRoot\system32\drivers\portcls.sys
portcls.sys
\SystemRoot\system32\drivers\smsmdm.sys
smsmdm.sys
\SystemRoot\system32\drivers\STREAM.SYS
STREAM.SYS
\SystemRoot\system32\drivers\vga.sys
vga.sys
\SystemRoot\system32\drivers\VIDEOPRT.SYS
VIDEOPRT.SYS
\SystemRoot\system32\drivers\vmstorfl.sys
vmstorfl.sys
\SystemRoot\system32\drivers\Dxapi.sys
Dxapi.sys
\SystemRoot\system32\drivers\dxgthk.sys
dxgthk.sys
\SystemRoot\system32\drivers\dxgmms1.sys
dxgmms1.sys
\SystemRoot\system32\drivers\spsys.sys
spsys.sys
\SystemRoot\system32\drivers\winhv.sys
winhv.sys
\SystemRoot\system32\drivers\HdAudio.sys
HdAudio.sys
\SystemRoot\System32\cdd.dll
cdd.dll
\SystemRoot\System32\ATMFD.DLL
ATMFD.DLL
\SystemRoot\System32\RDPDD.dll
RDPDD.dll
\SystemRoot\system32\drivers\vwifibus.sys
vwifibus.sys
\SystemRoot\system32\drivers\nwifi.sys
nwifi.sys
\SystemRoot\system32\drivers\vwififlt.sys
vwififlt.sys
\SystemRoot\system32\drivers\wfplwf.sys
wfplwf.sys
\SystemRoot\system32\drivers\wfplwfs.sys
wfplwfs.sys
\SystemRoot\system32\drivers\tmtdi.sys
tmtdi.sys
\SystemRoot\system32\drivers\netvsc60.sys
netvsc60.sys
\SystemRoot\system32\drivers\mslldp.sys
mslldp.sys
\SystemRoot\system32\drivers\netvsc63.sys
netvsc63.sys
\SystemRoot\system32\drivers\ndiscap.sys
ndiscap.sys
\SystemRoot\system32\drivers\agilevpn.sys
agilevpn.sys
\SystemRoot\system32\drivers\asyncmac.sys
asyncmac.sys
\SystemRoot\system32\drivers\mpsdrv.sys
mpsdrv.sys
\SystemRoot\system32\drivers\rspndr.sys
rspndr.sys
\SystemRoot\system32\drivers\ndisuio.sys
ndisuio.sys
\SystemRoot\system32\drivers\lltdio.sys
lltdio.sys
\SystemRoot\system32\drivers\NDProxy.sys
NDProxy.sys
\SystemRoot\system32\drivers\raspppoe.sys
raspppoe.sys
\SystemRoot\system32\drivers\ndiswan.sys
ndiswan.sys
\SystemRoot\system32\drivers\wanarp.sys
wanarp.sys
\SystemRoot\system32\drivers\bthpan.sys
bthpan.sys
\SystemRoot\system32\drivers\rassstp.sys
rassstp.sys
\SystemRoot\system32\drivers\raspptp.sys
raspptp.sys
\SystemRoot\system32\drivers\rasl2tp.sys
rasl2tp.sys
\SystemRoot\system32\drivers\rasacd.sys
rasacd.sys
\SystemRoot\system32\drivers\tunnel.sys
tunnel.sys
\SystemRoot\system32\drivers\tunmp.sys
tunmp.sys
\SystemRoot\system32\drivers\pacer.sys
pacer.sys
\SystemRoot\system32\drivers\NDISTAPI.SYS
NDISTAPI.SYS
\SystemRoot\system32\drivers\msgpc.sys
msgpc.sys
\SystemRoot\system32\drivers\partmgr.sys
partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
volmgr.sys
\SystemRoot\system32\drivers\volmgrx.sys
volmgrx.sys
\SystemRoot\system32\drivers\mountmgr.sys
mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
iaStor.sys
\SystemRoot\system32\drivers\volsnap.sys
volsnap.sys
\SystemRoot\system32\drivers\ACPI.sys
acpi.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
WppRecorder.sys
\SystemRoot\System32\Drivers\Mouclass.sys
Mouclass.sys
\SystemRoot\System32\Drivers\kbdclass.sys
kbdclass.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
Fastfat.sys
\SystemRoot\System32\Drivers\bowser.sys
bowser.sys
\SystemRoot\System32\Drivers\rdbss.sys
rdbss.sys
\SystemRoot\System32\Drivers\msfs.sys
msfs.sys
\SystemRoot\System32\Drivers\NetBIOS.sys
NetBIOS.sys
\SystemRoot\System32\Drivers\mup.sys
mup.sys
\SystemRoot\System32\Drivers\dfs.sys
dfs.sys
\SystemRoot\System32\Drivers\dfsc.sys
dfsc.sys
\SystemRoot\System32\Drivers\npfs.SYS
npfs.sys
\SystemRoot\System32\Drivers\luafv.SYS
luafv.sys
\SystemRoot\System32\Drivers\MRxSmb.SYS
MRxSmb.sys
\SystemRoot\System32\Drivers\MRxSmb10.SYS
MRxSmb10.sys
\SystemRoot\System32\Drivers\MRxSmb20.SYS
MRxSmb20.sys
\SystemRoot\System32\Drivers\MRxDAV.SYS
MRxDAV.sys
\SystemRoot\system32\Drivers\fltmgr.sys
\SystemRoot\system32\Drivers\TDI.SYS
\SystemRoot\system32\Drivers\tdx.sys
\SystemRoot\system32\Drivers\ipfltdrv.sys
\SystemRoot\system32\Drivers\tcpip.sys
\SystemRoot\System32\drivers\afd.sys
afd.sys
\SystemRoot\System32\drivers\netbt.sys
\SystemRoot\System32\drivers\NETIO.sys
\SystemRoot\System32\drivers\srv.sys
srv.sys
\SystemRoot\System32\drivers\srv2.sys
srv2.sys
\SystemRoot\System32\drivers\srvnet.sys
\SystemRoot\System32\drivers\sr.sys
sr.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\http.sys
http.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\msrpc.sys
msrpc.sys
\SystemRoot\system32\DRIVERS\disk.sys
disk.sys
\SystemRoot\system32\DRIVERS\ftdisk.sys
ftdisk.sys
\SystemRoot\system32\DRIVERS\Storport.SYS
Storport.SYS
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
CLASSPNP.SYS
\SystemRoot\system32\Drivers\ks.sys
\SystemRoot\System32\Drivers\ksecdd.sys
ksecdd.SYS
\SystemRoot\system32\kdcom.dll
kdcom.dll
\SystemRoot\System32\Drivers\cng.sys
cng.sys
\SystemRoot\system32\PSHED.dll
PSHED.dll
\SystemRoot\system32\CI.dll
CI.dll
\SystemRoot\system32\DRIVERS\WMILIB.SYS
wmilib.sys
Cannot find %s for IAT resolving of %s
Cannot alloc %X bytes for drivers IAT checking
Cannot find %s import %s.%s
Cannot find %s import %s.%d
IAT %s %s.%s patched, addr %p
IAT %s %s.%d patched, addr %p
IAT %s %s.%s patched by %s, addr %p
IAT %s %s.%d patched by %s, addr %p
%s has %d patched IAT entries (total %d)
reading of IAT %s failed, readed %X, actual IAT size %X, error %d
check_exts count failed, error %d, ntstatus %X
check_exts count failed, error %d
check_exts: cannot alloc %X bytes
check_exts failed, error %d, ntstatus %X
check_exts failed, error %d
Ext[%X]:
Handler1: %p %s
Handler2: %p %s
Handler3: %p %s
Table: %X items %p %s
Item[%X]: %p %s
IRP_MJ_CREATE_NAMED_PIPE
Unknown fltmgr: FrameList %X FilterSize %X cbn %X
Unknown fltmgr: FrameList %X FilterSize %X
FltMgr: index %d
FRAME[%d] %p
%s: %p
NormalizeNameComponent: %p %s
NormalizeContextCleanup: %p %s
PreOperation: %p %s
PostOperation: %p %s
check_ks: cannot read size of ks list, error %d, ntstatus %X
check_ks: cannot read size of ks list, error %d
ks count: %X
check_ks: cannot alloc %X bytes
check_ks: cannot read ks list, error %d, ntstatus %X
check_ks: cannot read ks list, error %d
ks[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
ChangeAccountPassword
ImportSecurityContext
ExportSecurityContext
gKsecpBCryptExtension: %p %s
gKsecpSslExtension: %p %s
SecTable.%s patched %p %s
dxg.sys
dxgkrnl.sys
Win32kCallout: %p %s
SessionStartCallout: %p %s
KTIMER %p DPC %p DefRoutine %p %s
Cannot find KPRCB.DpcRoutineActive
Unknown KPRCB: DpcRoutineActive %X WorkerRoutine %X
Unknown KPRCB: DpcRoutineActive %X
Processor %d:
KTIMERS[%d]: %X
Patched %s   %X by %s
Patched ord.%d   %X by %s
Patched %s   %X
Patched ord.%d   %X
Patched %s by %s
Patched ord.%d by %s
Patched %s
Patched ord.%d
Exception %X occured during EAT checking of %s
check_module_iat(%s) - cannot find exports for %s
check_module_iat(%s): zeroed ImportLookUp, cannot check import
Cannot find ordinal %X in module %s (%s) in import table of %s
Cannot find symbol %s in module %s (%s) in import table of %s
(%s) %s.%s hooked in %s: my IAT %p, must be %p
(%s) %s.%d hooked in %s: my IAT %p, must be %p
apfn %s patched by %s, addr %p
apfn[%d] patched by %s, addr %p
apfn %s patched, addr %p
apfn[%d] patched, addr %p
%s%s!%s patched by %s, addr %p
%s%s![%d] patched by %s, addr %p
%s%s!%s patched, addr %p
%s%s![%d] patched, addr %p
LSA SP %s has %d patched functions in SECPKG_FUNCTION_TABLE:
PID %d: LSA SP %s has %d patched functions in SECPKG_USER_FUNCTION_TABLE:
PID %d: LSA SP %s has %d patched functions in CallPackageDispatch:
ole32 hooked by %s
Cannot relocate section %s!%s
Exception %X occured on checking %s!%s
Module %s!%s has %X patched bytes !
Exception %X occured on check_module_iat(%s)
MyModule: %p %s
%SystemRoot%\System32\ncrypt.dll
%SystemRoot%\System32\ntdsa.dll
%SystemRoot%\System32\kernelbase.dll
%SystemRoot%\System32\kernel32.dll
%SystemRoot%\System32\user32.dll
%SystemRoot%\System32\umpnpmgr.dll
%SystemRoot%\System32\combase.dll
%SystemRoot%\System32\ole32.dll
%SystemRoot%\System32\imm32.dll
%SystemRoot%\System32\rpcrt4.dll
%SystemRoot%\System32\mswsock.dll
%SystemRoot%\System32\advapi32.dll
%SystemRoot%\System32\cryptbase.dll
%SystemRoot%\System32\apisetschema.dll
read_ndis_oid_handlers failed, returned %d bytes, error %d, ntstatus %X
read_ndis_oid_handlers failed, returned %d bytes, error %d
[%X] %s: post %p %s
[%X] %s: pre %p %s
[%X] %s: pre %p (%s) post %p (%s)
[%X] %X: post %p %s
[%X] %X: pre %p %s
[%X] %X: pre %p (%s) post %p (%s)
read_tcp_off_handlers failed, returned %d bytes, error %d, ntstatus %X
read_tcp_off_handlers failed, returned %d bytes, error %d
TcpOfflineHandlers:
TcpOffloadEventIndicate: %p %s
TcpOffloadReceiveIndicate: %p %s
TcpOffloadSendComplete: %p %s
TcpOffloadReceiveComplete: %p %s
TcpOffloadDisconnectComplete: %p %s
TcpOffloadForwardComplete: %p %s
Cannot alloc %X bytes from reading filter block
read_ndis_filter_block: len %d, returned %d bytes, error %d, ntstatus %X
read_ndis_filter_block: len %d, returned %d bytes, error %d
check_ndis - reading of TDI callback failed, error %d, ntstatus %X
check_ndis - reading of TDI callback failed, error %d
check_ndis - reading of TDI PnP handler failed, error %d, ntstatus %X
check_ndis - reading of TDI PnP handler failed, error %d
TDI callback %p patched by %s
TDI PnP handler %p patched by %s
check_ndis - reading of providers count failed, error %d, ntstatus %X
check_ndis - reading of providers count failed, error %d
check_ndis: %d providers
check_ndis: cannot alloc %X bytes
Cannot store provider_block %p (%d)
check_ndis: stored %d provider_blocks
check_ndis - reading of interfaces count failed, error %d, ntstatus %X
check_ndis - reading of interfaces count failed, error %d
check_ndis: %d interfaces, size of miniport %X
Interface[%d]:
check_ndis - reading of protocols count failed, error %d, ntstatus %X
check_ndis - reading of protocols count failed, error %d
check_ndis: %d protocols, size of protocol %X
check_ndis: stored %d protocols
check_ndis - reading of minidrivers count failed, error %d, ntstatus %X
check_ndis - reading of minidrivers count failed, error %d
check_ndis: %d minidrivers, size of minidriver %X, sizeof(ndis50) %X, sizeof(ndis52) %X
Cannot store minidriver %d (%p)
Stored %d mini-drivers
check_ndis - reading of miniports count failed, error %d, ntstatus %X
check_ndis - reading of miniports count failed, error %d
check_ndis: %d miniports, size of miniport %X
check_ndis: read %d miniports, total %X
Miniport[%d] %p:
check_ndis: stored %d miniports, sizeof(miniport_block_w7) %X
check_ndis - reading of open_blocks count failed, error %d, ntstatus %X
check_ndis - reading of open_blocks count failed, error %d
check_ndis: %d open_blocks, size of open_block %X
check_ndis: read %d open_blocks, total %X
Open_Block[%d]:
Cannot store open_block %p (%d)
check_ndis: stored %d open_blocks
check_ndis - reading of filter_drivers count failed, error %d, ntstatus %X
check_ndis - reading of filter_drivers count failed, error %d
check_ndis: %d filter_drivers, size of open_block %X
check_ndis: read %d filter_drivers, total %X
FilterDriver[%d]:
check_ndis: stored %d filter_drivers, %d filter_blocks
Passive
read_punicode_string failed, len %d, returned %d bytes, error %d, ntstatus %X
read_punicode_string failed, len %d, returned %d bytes, error %d
Cannot read NDIS_MINIPORT_INTERRUPT %p
NDIS_MINIPORT_INTERRUPT:
MiniportIsr: %p %s
MiniportDpc: %p %s
Cannot read NDIS_MINIPORT_INTERRUPT_CHARACTERISTICS %p
NDIS_MINIPORT_INTERRUPT_CHARACTERISTICS:
InterruptHandler: %p %s
InterruptDpcHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
MessageInterruptHandler: %p %s
MessageInterruptDpcHandler: %p %s
DisableMessageInterruptHandler: %p %s
EnableMessageInterruptHandler: %p %s
MiniportIsr: %p %s
MiniportDpc: %p %s
MiniportMessageIsr: %p %s
MiniportMessageInterruptDpc: %p %s
MiniportIsr: %p %s
MiniportDpc: %p %s
MiniportEnableInterrupt: %p %s
MiniportDisableInterrupt: %p %s
MiniportMessageIsr: %p %s
MiniportMessageInterruptDpc: %p %s
MiniportDisableMessageInterrupt: %p %s
MiniportEnableMessageInterrupt: %p %s
NDIS Protocol[%d]: %S
MajorNdisVersion %d
MinorNdisVersion %d
Flags %X
OpenAdapterCompleteHandler: %p %s
CloseAdapterCompleteHandler: %p %s
SendCompleteHandler: %p %s
TransferDataCompleteHandler: %p %s
ResetCompleteHandler: %p %s
RequestCompleteHandler: %p %s
ReceiveHandler: %p %s
ReceiveCompleteHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
ReceivePacketHandler: %p %s
BindAdapterHandler: %p %s
UnbindAdapterHandler: %p %s
PnPEventHandler: %p %s
UnloadHandler: %p %s
CoSendCompleteHandler: %p %s
CoStatusHandler: %p %s
CoReceivePacketHandler: %p %s
CoAfRegisterNotifyHandler: %p %s
MajorNdisVersion %d
MinorNdisVersion %d
MajorDriverVersion %d
MinorDriverVersion %d
Flags %X
IsIPv4 %d
IsIPv6 %d
IsNdisTest6 %d
BindAdapterHandlerEx: %p %s
UnbindAdapterHandlerEx: %p %s
OpenAdapterCompleteHandlerEx: %p %s
CloseAdapterCompleteHandlerEx: %p %s
PnPEventHandler: %p %s
UnloadHandler: %p %s
UninstallHandler: %p %s
RequestCompleteHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
ReceiveNetBufferListsHandler: %p %s
SendNetBufferListsCompleteHandler: %p %s
CoStatusHandler: %p %s
CoAfRegisterNotifyHandler: %p %s
CoReceiveNetBufferListsHandler: %p %s
CoSendNetBufferListsCompleteHandler: %p %s
OpenAdapterCompleteHandler: %p %s
CloseAdapterCompleteHandler: %p %s
SendCompleteHandler: %p %s
TransferDataCompleteHandler: %p %s
ResetCompleteHandler: %p %s
ReceiveHandler: %p %s
ReceiveCompleteHandler: %p %s
ReceivePacketHandler: %p %s
BindAdapterHandler: %p %s
UnbindAdapterHandler: %p %s
CoSendCompleteHandler: %p %s
CoReceivePacketHandler: %p %s
OidRequestCompleteHandler: %p %s
InitiateOffloadCompleteHandler: %p %s
TerminateOffloadCompleteHandler: %p %s
UpdateOffloadCompleteHandler: %p %s
InvalidateOffloadCompleteHandler: %p %s
QueryOffloadCompleteHandler: %p %s
IndicateOffloadEventHandler: %p %s
TcpOffloadSendCompleteHandler: %p %s
TcpOffloadReceiveCompleteHandler: %p %s
TcpOffloadDisconnectCompleteHandler: %p %s
TcpOffloadForwardCompleteHandler: %p %s
TcpOffloadEventHandler: %p %s
TcpOffloadReceiveIndicateHandler: %p %s
Unknown NDIS Type %X and Size %X
DirectOidRequestCompleteHandler: %p %s
AllocateSharedMemoryHandler: %p %s
FreeSharedMemoryHandler: %p %s
Unknown ndis protocol size: %X
NDIS MiniDriver[%d] %p
MajorNdisVersion: %d
MinorNdisVersion: %d
CheckForHangHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
HaltHandler %p %s
HandleInterruptHandler: %p %s
InitializeHandler: %p %s
ISRHandler: %p %s
QueryInformationHandler: %p %s
ReconfigureHandler: %p %s
ResetHandler: %p %s
SendHandler: %p %s
SetInformationHandler: %p %s
TransferDataHandler: %p %s
ReturnPacketHandler: %p %s
SendPacketsHandler: %p %s
AllocateCompleteHandler: %p %s
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendPacketsHandler: %p %s
CoRequestHandler: %p %s
CheckForHangHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
HaltHandler %p %s
HandleInterruptHandler: %p %s
InitializeHandler: %p %s
ISRHandler: %p %s
QueryInformationHandler: %p %s
ReconfigureHandler: %p %s
ResetHandler: %p %s
SendHandler: %p %s
SetInformationHandler: %p %s
TransferDataHandler: %p %s
ReturnPacketHandler: %p %s
SendPacketsHandler: %p %s
AllocateCompleteHandler: %p %s
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendPacketsHandler: %p %s
CoRequestHandler: %p %s
CancelSendPacketsHandler: %p %s
PnPEventNotifyHandler: %p %s
AdapterShutdownHandler: %p %s
CheckForHangHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
HaltHandler %p %s
HandleInterruptHandler: %p %s
InitializeHandler: %p %s
ISRHandler: %p %s
QueryInformationHandler: %p %s
ReconfigureHandler: %p %s
ResetHandler: %p %s
SendHandler: %p %s
SetInformationHandler: %p %s
TransferDataHandler: %p %s
ReturnPacketHandler: %p %s
SendPacketsHandler: %p %s
AllocateCompleteHandler: %p %s
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendPacketsHandler: %p %s
CoRequestHandler: %p %s
CancelSendPacketsHandler: %p %s
PnPEventNotifyHandler: %p %s
AdapterShutdownHandler: %p %s
ISRHandlerEx: %p %s
HandleInterruptHandlerEx: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
ReturnPacketsHandlerEx: %p %s
RequestTimeoutDpcHandler: %p %s
MajorNdisVersion: %d
MinorNdisVersion: %d
MajorDriverVersion: %d
MinorDriverVersion: %d
Flags: %X
SetOptionsHandler: %p %s
InitializeHandlerEx: %p %s
HaltHandlerEx: %p %s
UnloadHandler: %p %s
PauseHandler: %p %s
RestartHandler: %p %s
OidRequestHandler: %p %s
SendNetBufferListsHandler: %p %s
ReturnNetBufferListsHandler: %p %s
CancelSendHandler: %p %s
CheckForHangHandlerEx: %p %s
ResetHandlerEx: %p %s
DevicePnPEventNotifyHandler: %p %s
ShutdownHandlerEx: %p %s
CancelOidRequestHandler: %p %s
DirectOidRequestHandler: %p %s
CancelDirectOidRequestHandler: %p %s
NDIS MiniPort[%d] %p
State: %s
MediaType: %s
AdapterType: %s
DefaultSendAuthorizationState: %s
DefaultRcvAuthorizationState: %s
DefaultPortSendAuthorizationState: %s
DefaultPortRcvAuthorizationState: %s
NextCancelSendNetBufferListsHandler: %p %s
PacketIndicateHandler: %p %s
SendCompleteHandler: %p %s
SendResourcesHandler: %p %s
ResetCompleteHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
SendPacketsHandler: %p %s
DeferredSendHandler: %p %s
EthRxIndicateHandler: %p %s
NextSendNetBufferListsHandler: %p %s
EthRxCompleteHandler: %p %s
SavedNextSendNetBufferListsHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
TDCompleteHandler: %p %s
QueryCompleteHandler: %p %s
SetCompleteHandler: %p %s
WanSendCompleteHandler: %p %s
WanRcvHandler: %p %s
WanRcvCompleteHandler: %p %s
SendNetBufferListsCompleteHandler: %p %s
WSendPacketsHandler: %p %s
NextSendPacketsHandler: %p %s
FinalSendPacketsHandler: %p %s
TopIndicateNetBufferListsHandler: %p %s
TopIndicateLoopbackNetBufferListsHandler: %p %s
Ndis5PacketIndicateHandler: %p %s
MiniportReturnPacketHandler: %p %s
SynchronousReturnPacketHandler: %p %s
TopNdis5PacketIndicateHandler: %p %s
AllocateSharedMemoryHandler: %p %s
FreeSharedMemoryHandler: %p %s
SetBusData: %p %s
GetBusData: %p %s
NoFilter.CancelSendHandler %p %s
NoFilter.SendNetBufferListsCompleteHandler %p %s
NoFilter.IndicateNetBufferListsHandler %p %s
NoFilter.SaveIndicateNetBufferListsHandler %p %s
NoFilter.ReturnNetBufferListsHandler %p %s
NoFilter.SendNetBufferListsHandler %p %s
Next.CancelSendHandler %p %s
Next.SendNetBufferListsCompleteHandler %p %s
Next.IndicateNetBufferListsHandler %p %s
Next.SaveIndicateNetBufferListsHandler %p %s
Next.ReturnNetBufferListsHandler %p %s
Next.SendNetBufferListsHandler %p %s
Name: %S
BaseName: %S
SymbolicLinkName: %S
NextCancelSendNetBufferListsHandler %p %s
TrRxIndicateHandler: %p %s
TrRxCompleteHandler: %p %s
IndicateNetBufferListsHandler: %p %s
NextReturnNetBufferLists: %p %s
SavedIndicateNetBufferListsHandler: %p %s
SavedPacketIndicateHandler: %p %s
ShutdownHandler: %p %s
NDIS MiniPort[%d] %S
BusType: %s
PacketIndicateHandler: %p %s
SendCompleteHandler: %p %s
SendResourcesHandler: %p %s
ResetCompleteHandler: %p %s
DeferredSendHandler: %p %s
EthRxIndicateHandler: %p %s
TrRxIndicateHandler: %p %s
FddiRxIndicateHandler: %p %s
EthRxCompleteHandler: %p %s
TrRxCompleteHandler: %p %s
FddiRxCompleteHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
TDCompleteHandler: %p %s
QueryCompleteHandler: %p %s
SetCompleteHandler: %p %s
WanSendCompleteHandler: %p %s
WanRcvHandler: %p %s
WanRcvCompleteHandler: %p %s
AdapterInstanceName: %S
OpenBlock [%d] %p
RootName: %S
BindName: %S
ProtocolMajorVersion: %X
NextSendHandler: %p %s
NextReturnNetBufferListsHandler: %p %s
SendHandler: %p %s
TransferDataHandler: %p %s
WanReceiveHandler: %p %s
SendPacketsHandler: %p %s
ResetHandler: %p %s
RequestHandler: %p %s
OidRequestHandler: %p %s
WSendHandler: %p %s
WTransferDataHandler: %p %s
WSendPacketsHandler: %p %s
CancelSendPacketsHandler: %p %s
ProtSendNetBufferListsComplete: %p %s
NextSendNetBufferListsComplete: %p %s
ReceiveNetBufferLists: %p %s
SavedSendNBLHandler: %p %s
SavedSendPacketsHandler: %p %s
SavedCancelSendPacketsHandler: %p %s
SavedSendHandler: %p %s
Ndis5WanSendHandler: %p %s
ProtSendCompleteHandler: %p %s
OidRequestCompleteHandler %p %s
OpenFlags: %X
DirectOidRequestHandler: %p %s
RootName: %S
BindName: %S
Flags: %X
SendHandler: %p %s
WanSendHandler: %p %s
TransferDataHandler: %p %s
WanReceiveHandler: %p %s
SendPacketsHandler: %p %s
ResetHandler: %p %s
RequestHandler: %p %s
WSendHandler: %p %s
WTransferDataHandler: %p %s
WSendPacketsHandler: %p %s
CancelSendPacketsHandler: %p %s
Flags %X
Mtu %X
PromiscuousMode %d
AccessType %s
DirectionType %s
ConnectionType %s
MediaType %s
MediaConnectState %s
AdminStatus %s
OperStatus %s
InterfaceGuid %s
NetworkGuid %s
ifIndex %X
ifDescr %S
ifAlias %S
FilterDriverCharacteristics[%d]:
FriendlyName: %S
UniqueName: %S
ServiceName: %S
SetOptionsHandler: %p %s
SetFilterModuleOptionsHandler: %p %s
AttachHandler: %p %s
DetachHandler: %p %s
RestartHandler: %p %s
PauseHandler: %p %s
SendNetBufferListsHandler: %p %s
SendNetBufferListsCompleteHandler: %p %s
CancelSendNetBufferListsHandler: %p %s
ReceiveNetBufferListsHandler: %p %s
ReturnNetBufferListsHandler: %p %s
OidRequestHandler: %p %s
OidRequestCompleteHandler: %p %s
CancelOidRequestHandler: %p %s
DevicePnPEventNotifyHandler: %p %s
NetPnPEventHandler: %p %s
StatusHandler: %p %s
DirectOidRequestHandler: %p %s
DirectOidRequestCompleteHandler: %p %s
CancelDirectOidRequestHandler: %p %s
InterfaceGuid: %s
FilterState: %s
NextSendNetBufferListsHandler: %p %s
NextSendNetBufferListsCompleteHandler: %p %s
NextIndicateReceiveNetBufferListsHandler: %p %s
NextReturnNetBufferListsHandler: %p %s
NextCancelSendNetBufferListsHandler: %p %s
SetFilterModuleOptionalHandlers: %p %s
OidRequestHandler: %p %s
OidRequestCompleteHandler: %p %s
CancelRequestHandler: %p %s
DevicePnPEventNotifyHandler: %p %s
NetPnPEventHandler: %p %s
StatusHandler: %p %s
FilterSendNetBufferListsHandler: %p %s
FilterIndicateReceiveNetBufferListsHandler: %p %s
FilterCancelSendNetBufferListsHandler: %p %s
InitiateOffloadCompleteHandler: %p %s
TerminateOffloadCompleteHandler: %p %s
UpdateOffloadCompleteHandler: %p %s
InvalidateOffloadCompleteHandler: %p %s
QueryOffloadCompleteHandler: %p %s
IndicateOffloadEventHandler: %p %s
TcpOffloadSendCompleteHandler: %p %s
TcpOffloadReceiveCompleteHandler: %p %s
TcpOffloadDisconnectCompleteHandler: %p %s
TcpOffloadForwardCompleteHandler: %p %s
TcpOffloadEventHandler: %p %s
TcpOffloadReceiveIndicateHandler: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
DirectOidRequestHandler: %p %s
DirectOidRequestCompleteHandler: %p %s
CancelDirectOidRequestHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
Provider[%d]: %p
QueryObjectHandler: %p %s
SetObjectHandler: %p %s
FilterDriverBlock[%d]
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
ClCreateVcHandler: %p %s
ClDeleteVcHandler: %p %s
ClOidRequestHandler: %p %s
ClOidRequestCompleteHandler: %p %s
ClOpenAfCompleteHandlerEx: %p %s
ClCloseAfCompleteHandler: %p %s
ClRegisterSapCompleteHandler: %p %s
ClDeregisterSapCompleteHandler: %p %s
ClMakeCallCompleteHandler: %p %s
ClModifyCallQoSCompleteHandler: %p %s
ClCloseCallCompleteHandler: %p %s
ClAddPartyCompleteHandler: %p %s
ClDropPartyCompleteHandler: %p %s
ClIncomingCallHandler: %p %s
ClIncomingCallQoSChangeHandler: %p %s
ClIncomingCloseCallHandler: %p %s
ClIncomingDropPartyHandler: %p %s
ClCallConnectedHandler: %p %s
ClNotifyCloseAfHandler: %p %s
CmCreateVcHandler: %p %s
CmDeleteVcHandler: %p %s
CmOpenAfHandler: %p %s
CmCloseAfHandler: %p %s
CmRegisterSapHandler: %p %s
CmDeregisterSapHandler: %p %s
CmMakeCallHandler: %p %s
CmCloseCallHandler: %p %s
CmIncomingCallCompleteHandler: %p %s
CmAddPartyHandler: %p %s
CmDropPartyHandler: %p %s
CmActivateVcCompleteHandler: %p %s
CmDeactivateVcCompleteHandler: %p %s
CmModifyCallQoSHandler: %p %s
CmOidRequestHandler: %p %s
CmOidRequestCompleteHandler: %p %s
CmNotifyCloseAfCompleteHandler: %p %s
DriverVersion: %X
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendNetBufferListsHandler: %p %s
CoRequestHandler: %p %s
CoOidRequestHandler: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
AddDeviceHandler: %p %s
RemoveDeviceHandler: %p %s
FilterResourceRequirementsHandler: %p %s
StartDeviceHandler: %p %s
ServiceName: %S
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendNetBufferListsHandler: %p %s
CoRequestHandler: %p %s
CoOidRequestHandler: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
AddDeviceHandler: %p %s
RemoveDeviceHandler: %p %s
FilterResourceRequirementsHandler: %p %s
StartDeviceHandler: %p %s
OpenNDKAdapterHandler: %p %s
CloseNDKAdapterHandler: %p %s
IdleNotificationHandler: %p %s
CancelIdleNotificationHandler: %p %s
AllocateNetBufferListForwardingContextHandler: %p %s
FreeNetBufferListForwardingContextHandler: %p %s
AddNetBufferListDestinationHandler: %p %s
SetNetBufferListSourceHandler: %p %s
GrowNetBufferListDestinationsHandler: %p %s
GetNetBufferListDestinationsHandler: %p %s
UpdateNetBufferListDestinationsHandler: %p %s
CopyNetBufferListInfoHandler: %p %s
ReferenceSwitchNicHandler: %p %s
DereferenceSwitchNicHandler: %p %s
ReferenceSwitchPortHandler: %p %s
DereferenceSwitchPortHandler: %p %s
ReportFilteredNetBufferListsHandler: %p %s
ImageName: %S
SetNetBufferListSwitchContextHandler: %p %s
GetNetBufferListSwitchContextHandler: %p %s
netio legacy handler %p %s
read netio legacy handler failed, error %d, status %X
read netio legacy handler failed, error %d
%p %s
read netio WfpNblInfoDispTable failed, error %d, status %X
read netio WfpNblInfoDispTable failed, error %d
netio MacShim %p %s
WfpShim[%d] %p %s
Unknown WFP callout size %d
WFP callout[%d]:
ClassifyCallback: %p %s
NotifyCallback: %p %s
uFlowDeleteFunction: %p %s
Exception %X on sysptr seed reading at %p
Decode system scheme - %s
Decode scheme - %s
Cannot read my process cookie, error %X
Trace[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X (%p) %s
Trace[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X %p
SystemFunction%3.3d (%p) %s
PFNCLIENT.%s patched by %s (%p)
PFNCLIENT.%s patched %p
check_user32_pfnclient: exception %X occured
PFNCLIENTWORKER.%s patched by %s (%p)
PFNCLIENTWORKER.%s patched %p
ConsoleCtrlHandler[%d]: %s (%p)
ConsoleCtrlHandler[%d]: %p UNKNOWN
ConsoleCtrlHandler: %s (%p)
UnhandledExceptionFilter: %s (%p)
ShimModule: %s (%p)
RtlpStartThreadFunc: %s (%p)
RtlpExitThreadFunc: %s (%p)
RtlpUnhandledExceptionFilter: %s (%p)
RtlSecureMemoryCacheCallback: %s (%p)
TppLogpRoutine: %s (%p)
CsrServerApiRoutine: %s (%p)
LdrpManifestProberRoutine: %s (%p)
LdrpCreateActCtxLanguage: %s (%p)
LdrpReleaseActCtx: %s (%p)
LdrpAppCompatDllRedirectionCallbackFunction: %s (%p)
%s%s!%s patched by %s (addr %p)
%s%s.%d patched by %s (addr %p)
%s%s.%d patched, addr %p
PID %d trace callbacks: %d
Trace[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X %p %s
Process PID %d has the same token as system process: %p !!!
Process PID %d token: %p
%p %s %8X
%p %s %8X
CheckProc: cannot get modules list for PID %d (%S), error %d, ntstatus %X
CheckProc: cannot get modules list for PID %d (%S), error %d
CheckProcess PID %d (%S):
PEB.PostProcessInitRoutine: %p %s
PEB.PostProcessInitRoutine: %p UNKNOWN
PEB.pShimData: %p
PEB.AppCompat: %p
PEB.FastPebLockRoutine: %p %s
PEB.FastPebLockRoutine: %p UNKNOWN
PEB.FastPebUnlockRoutine: %p %s
PEB.FastPebUnlockRoutine: %p UNKNOWN
Module: %s at %p
Cannot read %s, PID %d, error %d
PID %d: LSA SP %s has %d patched functions in SECPKG_FUNCTION_TABLE:
PID %d: ncrypt has %d patched functions
PID %d: mswsock has %d patched functions in SockProcTable
PID %d: mswsock has %d patched functions in NspVector
PID %d: mswsock has %d patched MSAFD functions
SHAREDINFO.aheList: %p
PID %d: ntdsa has %d patched functions
PID %d - ole32 hooked by %s
PID %d - ole32 hooked by unknown module, addr %p
PID %d: rpcrt4 has %d patched functions
PID %d: basesrv has %d patched user functions
PID %d: winsrv has %d patched user functions
PID %d: winsrv has %d patched cons functions
PID %d: lsasrv has %d patched functions
PID %d: lsasrv has %d patched functions in LsapSspiExtension
PID %d: lsasrv has %d patched functions in LsapLookupExtension
PID %d: lsasrv has %d patched functions in LsapLsasrvIfTable
Cannot alloc %X bytes for EAT checking of %s, PID %d
Cannot read EAT of %s, PID %d
Cannot alloc %X bytes for checking section %s of %s, PID %d
Cannot read section %s content %X bytes of %s, PID %d
Cannot make section %s of %s, PID %d
Module %s section %s has %X patched bytes, PID %d
PID %d: user32 has %d patched imm32 functions
PID %d: advapi32 has %d patched functions
PID %d: kernel32 has %d patched functions
ShimHandler[%d]: %p %s
ShimHandler[%d]: %p UNKNOWN, located at %p
ApplicationRecoveryCallback: %s (%p)
%s, PID %d:
Cannot alloc %X bytes for IAT checking of %s, PID %d
Cannot read IAT (size %X at %p) of %s, PID %d
Cannot find function %s.%s for module %s process %d
Cannot find function %s.%d for module %s process %d
IAT Patched %s.%s in module %s process %d by %s
IAT Patched %s.%s in module %s process %d, addr %p
IAT Patched %s.%d in module %s process %d by %s
IAT Patched %s.%d in module %s process %d
Cannot alloc %X bytes for delayed IAT checking of %s, PID %d
Cannot read delayed IAT (size %X at %p) of %s, PID %d
Cannot find delayed function %s.%s for module %s process %d
Cannot find delayed function %s.%d for module %s process %d
LdrpDllNotificationList: %d
%p %s
Read %d QueuedWorkerItems:
[%d] %p %s
check_drivers_reinit: cannot read size of list, error %d, status %X
check_drivers_reinit: cannot read size of list, error %d
check_drivers_reinit: cannot alloc %X bytes
check_drivers_reinit: cannot read list, error %d, ntstatus %X
check_drivers_reinit: cannot read list, error %d
[%d] Drv %p %s routine %p %s
read_shutdown_notificators: cannot read size of %s, error %d, status %X
read_shutdown_notificators: cannot read size of %s, error %d
read_shutdown_notificators: cannot alloc %X bytes
read_shutdown_notificators: cannot read %s, error %d, ntstatus %X
read_shutdown_notificators: cannot read %s, error %d
[%d] DevObj %p Drv %p (addr %p) %s
[%d] DevObj %p Drv %p %s
MailSlot: %S, server %d (%S)
MailSlot: %S, server %d
NamedPipe: %S, server %d (%S)
NamedPipe: %S, server %d
Flags: %X, server %d (%S)
Flags: %X, creator %d, server %d
Flags: %X, server %d
Endpoints: %d
Endpoint %S PID %d (%S):
Endpoint %S:
RPC controls: %d
%S: %S
%8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X version %d.%d
Cannot load kernel %s
Unknown scheduler: ReadySummary %X DispatcherReadyListHead %X
Unknown scheduler: ReadySummary %X DeferredReadyListHead %X
Unknown scheduler: ReadySummary %X
Readed %d threads, total %d
Thread %p ProcID %X ThreadID %X Win32Thread %p %s
Thread %p ProcID %X ThreadID %X Priority %d Win32Thread %p
Thread %p ProcID %X ThreadID %X %s
Thread %p ProcID %X ThreadID %X Priority %d
reading count of threads on processor %d failed, error %X
%d threads
reading of threads on processor %d failed, error %X
Scheduler index %d
reading count of threads failed, error %X
reading of threads failed, error %X
Cannot find ETHREAD.ServiceTable
Unknown version of ETHREAD, offset %X
Cannot alloc %X bytes for ProcessesAndThreadsInformation
Cannot realloc %X bytes for ProcessesAndThreadsInformation
ProcessesAndThreadsInformation failed, error %X
read_sdt for threadID %X failed, error %d, status %X
read_sdt for threadID %X failed, error %d
ProcessID %X (%S) ThreadID %X SDT %p %s
ProcessID %X ThreadID %X SDT %p %s
read_thread_token for threadID %X failed, error %d, status %X
read_thread_token for threadID %X failed, error %d
ProcessID %X (%S) ThreadID %X token %p ImpersonationLevel %d
ProcessID %X ThreadID %X token %p ImpersonationLevel %d
Cannot detect ETHREAD.StartAddress
Unknown kernel %s, StartAddress %X, IrpList %X, StackLimit %X, StackBase %X
Unknown kernel %s, StartAddress %X, StackLimit %X, StackBase %X
Unknown kernel %s, StartAddress %X, IrpList %X
Unknown kernel %s, StartAddress %X
Cannot read count of system threads, ntstatus %X
Cannot alloc %d bytes
Cannot read system threads, ntstatus %X
%d System Threads
Thread %p Start %p %c stack %p limit %p %s
read IPSec status failed, error %d, status %X
read IPSec status failed, error %d
IPSec status %X
IPSecHandler: %p %s
IPSecQueryStatus: %p %s
IPSecSendCmplt: %p %s
IPSecNdisStatus: %p %s
IPSecRcvFWPacket: %p %s
check_tdi_pnp_clnts: cannot read size of clnts list, error %d, ntstatus %X
check_tdi_pnp_clnts: cannot read size of clnts list, error %d
check_tdi_pnp_clnts: cannot alloc %X bytes
check_tdi_pnp_clnts: cannot read clnts list, error %d, ntstatus %X
check_tdi_pnp_clnts: cannot read clnts list, error %d
TDI PnP clients: %d (readed %d)
[%d]: version %X %S
PnPPowerHandler: %p %s
BindHandler: %p %s
UnBindHandler: %p %s
AddAddressHandler: %p %s
DelAddressHandler: %p %s
Microsoft-Windows-Windows Firewall With Advanced Security
Microsoft-Windows-Kernel-Boot
Microsoft-Windows-EQoS
Microsoft-Windows-XWizards
ASP.NET Events
Microsoft-Windows-UIRibbon
Microsoft-Windows-WPD-CompositeClassDriver
Microsoft-Windows-Wired-AutoConfig
Microsoft-Windows-PrintService
Microsoft-Windows-ApplicationExperience-LookupServiceTrigger
Microsoft-Windows-IDCRL
Microsoft-Windows-MPS-DRV
Microsoft-Windows-P2P-Mesh
Microsoft-Windows-TabletPC-MathRecognizer
Microsoft-Windows-Spell-Checking
Microsoft-Windows-Fax
Microsoft-Windows-GroupPolicy
Microsoft-Windows-Crashdump
Microsoft-Windows-PrintSpooler
Microsoft-Windows-LanguagePackSetup
Microsoft-Windows-OneX
Microsoft-Windows-OfflineFiles-CscApi
Microsoft-Windows-ADSI
Microsoft-Windows-Dhcp-Client
Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Microsoft-Windows-NlaSvc
Microsoft-Windows-Diagnosis-MSDE
Microsoft-Windows-SpoolerWin32SPL
Microsoft-Windows-SPB-ClassExtension
Microsoft-Windows-Kernel-Memory
Microsoft-Windows-Application Server-Applications
Microsoft-Windows-MUI
Microsoft-Windows-P2P-Collab
Microsoft-Windows-Security-Netlogon
Microsoft-Windows-SQM-Events
Microsoft-Windows-USB-USBPORT
Microsoft-Windows-SendTo
Microsoft-Windows-AIT
Microsoft-Windows-P2P-CRP
PrintFilterPipelineSvc_ObjectsGuid
Microsoft-Windows-IME-JPPRED
Microsoft-Windows-WMP
Microsoft-Windows-Eqos-SQM-Provider
MSDADIAG.ETW
Microsoft-Windows-Processor-Aggregator
Microsoft-Windows-ErrorReportingConsole
Microsoft-Windows-SmartCard-TPM-VCard-Module
Microsoft-Windows-User Profiles Service
Microsoft-Windows-Crypto-CNG
Microsoft-Windows-LinkLayerDiscoveryProtocol
Microsoft-Windows-TaskbarCPL
Microsoft-Windows-Networking-Correlation
Microsoft-Windows-RestartManager
Microsoft-Windows-WMPDMCCore
Microsoft-Windows-TCPIP
Microsoft-Windows-MSDTC
Microsoft-Windows-Resources-MrmBc
Microsoft-Windows-Time-Service
Microsoft-Windows-HomeGroup-ProviderService
Microsoft-Windows-DriverFrameworks-UserMode
Microsoft-Windows-Runtime-Networking
Microsoft-Windows-Network-Connection-Broker
Microsoft-Windows-Shell-AppWizCpl
Microsoft-Windows-PDC
Microsoft-Windows-Biometrics
Microsoft-Windows-IME-SCDICCOMPILER
Microsoft-Windows-Wininit
Microsoft-Windows-Dwm-Dwm
Microsoft-Windows-Photo-Image-Codec
Microsoft-Windows-TaskScheduler
Microsoft-Windows-osk
Microsoft-Windows-Kernel-PowerTrigger
Microsoft-Windows-EventLog-WMIProvider
Microsoft-Windows-IME-OEDCompiler
Microsoft-Windows-WER-SystemErrorReporting
Microsoft-Windows-Deplorch
Microsoft-Windows-SPB-HIDI2C
Microsoft-Windows-UxTheme
Microsoft-Windows-BfeTriggerProvider
Microsoft-Windows-Media-Streaming
Microsoft-Windows-Remotefs-UTProvider
Microsoft-Windows-Ntfs-SQM
Microsoft-Windows-User-PnP
Microsoft-Windows-AltTab
Microsoft-Windows-Kernel-StoreMgr
Microsoft-Windows-WindowsColorSystem
Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport
Microsoft-Windows-MSMPEG2ADEC
Microsoft-Windows-TerminalServices-PnPDevices
Microsoft-Windows-GettingStarted
Microsoft-Windows-Narrator
Windows Wininit Trace
Microsoft-Windows-FileHistory-UI
Microsoft-Windows-MediaFoundation-PlayAPI
Microsoft-Windows-CertificateServicesClient-Lifecycle-System
Microsoft-Windows-BitLocker-Driver-Performance
Microsoft-Windows-PerfProc
Microsoft-Windows-Resource-Leak-Diagnostic
Microsoft-Windows-WebServices
Microsoft-Windows-FileHistory-Service
Microsoft-Windows-MediaEngine
Microsoft-Windows-StartupRepair
Microsoft-Windows-Security-IdentityStore
Microsoft-Windows-IME-SCSetting
Microsoft-Windows-FileHistory-EventListener
Microsoft-Windows-Program-Compatibility-Assistant
Microsoft-Windows-DesktopActivityModerator
Microsoft-Windows-MemoryDiagnostics-Schedule
Microsoft-Windows-FileHistory-Engine
Microsoft-Windows-PerfDisk
Microsoft-Windows-OOBE-Machine-Core
Microsoft-Windows-WLAN-AutoConfig
Microsoft-Windows-FileHistory-ConfigManager
Microsoft-Windows-Search-ProfileNotify
Microsoft-Windows-PerfCtrs
UMPass Driver Trace
Microsoft-Windows-FileHistory-Catalog
Microsoft-Windows-WlanDlg
Microsoft-Windows-CDROM
Microsoft-Windows-Crypto-NCrypt
Certificate Services Client CredentialRoaming Trace
Microsoft-Windows-CredUI
Windows Firewall Service
Microsoft-Windows-FileHistory-Core
Microsoft-Windows-Direct3D11
Microsoft-Windows-DirectoryServices-Deployment
Microsoft-Windows-All-User-Install-Agent
Microsoft-Windows-Kernel-Licensing-StartServiceTrigger
Microsoft-Windows-ServerManager-ManagementProvider
Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider
Microsoft-Windows-IIS-W3SVC-WP
Microsoft-Windows-TerminalServices-MediaRedirection-DShow
Microsoft-Windows-Rdms-UI
Microsoft-Windows-Feedback-Service-TriggerProvider
Microsoft-Windows-Eventlog
Microsoft-Windows-CodeIntegrity
Microsoft-Windows-WPDClassInstaller
Microsoft-Windows-NetworkAccessProtection
Microsoft-Windows-UIAutomationCore
Microsoft-Windows-StartLmhosts
Microsoft-Windows-IME-Broker
Microsoft-Windows-Kernel-Process
Microsoft-Windows-CertificateServicesClient
Microsoft-Windows-AppXDeployment
Microsoft-Windows-Shell-Core
Microsoft-Windows-Anytime-Upgrade
Microsoft-Windows-PCI
Microsoft-Windows-WPD-MTPBT
Microsoft-Windows-CertificationAuthorityClient-CertCli
Microsoft-Windows-Srv2
Microsoft-Windows-TunnelDriver-SQM-Provider
Microsoft-Windows-Security-Licensing-SLC
Microsoft-Windows-ATAPort
Microsoft-Windows-Recovery
Microsoft-Windows-GenericRoaming
Microsoft-Windows-Sdbus-SQM
Microsoft-Windows-DirectComposition
Microsoft-Windows-P2PIMSvc
Microsoft-Windows-WCN-Config-Registrar
Microsoft-Windows-WPD-API
Microsoft-Windows-P2P-PNRP
Microsoft-Windows-DeviceUx
Windows Mobile Performance Hooks
Microsoft-Windows-ProcessStateManager
Windows Connect Now
Microsoft-Windows-Networking-RealTimeCommunication
Microsoft-Windows-EventSystem
Microsoft-Windows-Spaceport
Windows Mobile Remote API
Microsoft-Windows-Dhcp-Nap-Enforcement-Client
Microsoft-Windows-WinNat
Windows Mobile AirSync Engine 2
Microsoft-Windows-WCN-Config-Registrar-Secure
Windows Mobile AirSync Engine 1
Microsoft-Windows-Security-Kerberos
Windows Mobile ActiveSync Engine
Microsoft-Windows-WSC-SRV
Microsoft-Windows-Eventlog-ForwardPlugin
Windows Mobile Serial Connectivity
Microsoft-Windows-TerminalServices-SessionBroker-Client
Microsoft-Windows-WMPNSS-PublicAPI
Windows Mobile Desktop Passthrough
Microsoft-Windows-RPC-Events
Microsoft-Windows-LanguageProfile
Microsoft-Windows-Anytime-Upgrade-Events
Microsoft-Windows-Management-UI
Microsoft-Windows-SMBClient
Microsoft-Windows-TerminalServices-RdpSoundDriver
Microsoft-Windows-Dwm-Api
Microsoft-Windows-QoS-qWAVE
Microsoft-Windows-Kernel-Tm-Trigger
Microsoft-Windows-IPNAT
Microsoft-Windows-NetworkBridge
Microsoft-Windows-MPS-CLNT
Microsoft-Windows-Diagnosis-Scheduled
Microsoft-Windows-WMPNSS-Service
Microsoft-Windows-DxpTaskRingtone
Microsoft-Windows-Kernel-AppCompat
Microsoft-Windows-TimeBroker
Microsoft-Windows-DeviceConfidence
Microsoft-Windows-Shell-Shwebsvc
Microsoft-Windows-Diagnostics-Performance
Windows NetworkMap Trace
Microsoft-Windows-TerminalServices-Printers
Microsoft-Windows-AppLocker
Microsoft-Windows-Audio
Microsoft-Windows-LLTD-MapperIO
Microsoft-Windows-HotspotAuth
Microsoft-Windows-Firewall-CPL
Microsoft-Windows-Kernel-IoTrace
Microsoft-Windows-Perflib
Microsoft-Windows-BootUX
Microsoft-Windows-WMPDMCUI
Microsoft-Windows-Disk
Microsoft-Windows-IME-JPLMP
Microsoft-Windows-Security-SPP-UX-Notifications
Microsoft-Windows-TerminalServices-ClientActiveXCore
Microsoft-Windows-IIS-IISReset
Microsoft-Windows-WindowsUIImmersive
Windows Firewall Control Panel
Microsoft-Windows-DeviceSetupManager
Microsoft-Windows-EnrollmentPolicyWebService
Microsoft-Windows-IME-Roaming
Microsoft-Windows-SetupQueue
Microsoft-Windows-SmartCard-Audit
Microsoft-Windows-Servicing
Microsoft-Windows-ACL-UI
Microsoft-Windows-WWAN-CFE
Microsoft-Windows-FCRegSvc
Microsoft-Windows-IIS-IisMetabaseAudit
Microsoft-Windows-Kernel-WDI
Microsoft-Windows-TabletPC-MathInput
Microsoft-Windows-Kernel-General
Windows Media Player Trace
Microsoft-Windows-DxpTaskDLNA
Microsoft-Windows-User Profiles General
Microsoft-Windows-Kernel-WSService-StartServiceTrigger
Microsoft-Windows-WebAuth
Microsoft-Windows-API-Tracing
Microsoft-Windows-FunctionDiscovery
Microsoft-Windows-StickyNotes
Microsoft-Windows-WCN-WscEapPeer-Trace
Microsoft-Windows-QoS-WMI-Diag
Microsoft-Windows-NetworkProvisioning
Microsoft-Windows-Network-DataUsage
Microsoft-Windows-AppSruProv
Microsoft-Windows-WebcamExperience
Microsoft-Windows-EaseOfAccess
Microsoft-Windows-Spellchecking-Host
Microsoft-Windows-IME-CandidateUI
Microsoft-Windows-TPM-WMI
Microsoft-Windows-Security-SPP
Microsoft-Windows-DirectShow-KernelSupport
Microsoft-Windows-Diagnosis-AdvancedTaskManager
Microsoft-Windows-ThemeCPL
Windows Mobile Co-installer
Microsoft-Windows-MPRMSG
Microsoft-Windows-EnhancedStorage-EhStorCertDrv
Microsoft-Windows-NdisImPlatformEventProvider
Microsoft-Windows-FunctionDiscoveryHost
Microsoft-Windows-MediaFoundation-MSVideoDSP
Microsoft-Windows-IME-JPTIP
Windows Kernel Trace
Microsoft-SQLServerDataTools
Microsoft-Windows-ASN1
Microsoft-Windows-Crypto-BCrypt
Microsoft-Windows-HealthCenterCPL
Microsoft-Windows-XAML
Microsoft-Windows-PDFReader
Microsoft-Windows-TerminalServices-ServerUSBDevices
Microsoft-Windows-WWAN-SVC-EVENTS
Microsoft-Windows-Search-ProtocolHandlers
Microsoft-Windows-IdCtrls
Microsoft-Windows-User-ControlPanel
Microsoft-Windows-Runtime-Media
Microsoft-Windows-CAPI2
Windows Mobile Sync Handlers
Microsoft-Windows-PowerCfg
Microsoft-Windows-SrumTelemetry
Microsoft-Windows-Base-Filtering-Engine-Connections
Microsoft-Windows-Sidebar
Microsoft-Windows-NDF-HelperClassDiscovery
Microsoft-Windows-PerfNet
Microsoft-Windows-PortableDeviceStatusProvider
Microsoft-Windows-TabletPC-Platform-Manipulations
Microsoft-Windows-Subsys-SMSS
Microsoft-Windows-LDAP-Client
Microsoft-Windows-Security-SPP-UX-GC
Microsoft-Windows-Media Center Extender
Microsoft-Windows-DiskDiagnostic
Microsoft-Windows-TSF-msutb
Microsoft-Windows-Reliability-Analysis-Agent
{B6501BA0-C61A-C4E6-6FA2-A4E7F8C8E7A0}
Microsoft-Windows-Kernel-Processor-Power
Microsoft-Windows-NCSI
Microsoft-Windows-NetworkConnectivityStatus
Microsoft-Windows-wmvdecod
Microsoft-Windows-ServiceTriggerPerfEventProvider
Microsoft-Windows-Service Pack Installer
Microsoft-Windows-Bluetooth-HidGatt
Microsoft-Windows-TabletPC-Platform-Input-Ninput
Microsoft-Windows-Tcpip-SQM-Provider
Microsoft-Windows-MPS-SRV
Microsoft-Windows-KnownFolders
Microsoft-Windows-NAPIPSecEnf
Microsoft-Windows-EnrollmentWebService
Microsoft-Windows-Deduplication-Change
Microsoft-Windows-OfflineFiles-CscFastSync
Microsoft-Windows-UxInit
Microsoft-Windows-BranchCacheClientEventProvider
Microsoft-Windows-Forwarding
Microsoft-Windows-RPC-Proxy-LBS
Microsoft-Windows-Kernel-Disk
Microsoft-Windows-TriggerEmulatorProvider
Microsoft-Windows-SystemHealthAgent
Microsoft-Windows-Memory-Diagnostic-Task-Handler
Microsoft-Windows-Winsock-WS2HELP
Microsoft-Windows-ThemeUI
Microsoft-Windows-TerminalServices-MediaRedirection
Microsoft-Windows-TerminalServices-ClientUSBDevices
Microsoft-Windows-TabletPC-CoreInkRecognition
Microsoft-Windows-COM
Microsoft-Windows-PnPMgrTriggerProvider
Microsoft-Windows-LoadPerf
Microsoft-Windows-System-Restore
Microsoft-Windows-UserAccountControl
Microsoft-Windows-Services-Svchost
Microsoft-Windows-PushNotifications-Developer
Microsoft-Windows-LiveId
Microsoft-Windows-Security-SPP-UX
Microsoft-Windows-VAN
Microsoft-Windows-FirstUX-PerfInstrumentation
Microsoft-Windows-Kernel-Tm
Microsoft-Windows-Kernel-ShimEngine
Microsoft-Windows-EapHost
Microsoft-Windows-CertPolEng
Microsoft-Windows-MsLbfoEventProvider
Microsoft-Windows-Complus
Microsoft-Windows-EFS
Microsoft-Windows-WwaHost
Microsoft-Windows-ServerManager
Microsoft-Windows-ComDlg32
Microsoft-Windows-MP4SDECD
Microsoft-Windows-PeopleNearMe
Microsoft-Windows-SmartCard-Bluetooth-Profile
Microsoft-Windows-TZUtil
Microsoft-Windows-ApplicationExperience-SwitchBack
Microsoft-Windows-UI-Input-Inking
Microsoft-Windows-VDRVROOT
Windows Firewall NetShell Plugin
Windows Firewall API
Microsoft-Windows-Kernel-Acpi
Microsoft-Windows-WinRM
Microsoft-Windows-Direct3D10_1
Microsoft-Windows-Kernel-LicensingSqm
Microsoft-Windows-SpoolerSpoolss
Microsoft-Windows-FilterManager
Microsoft-Windows-ActionQueue
Microsoft-Windows-IME-KRAPI
Microsoft-Windows-Resource-Exhaustion-Detector
Microsoft-Windows-ApplicationExperienceInfrastructure
Microsoft-Windows-StorSqm
Microsoft-Windows-Search
Microsoft-Windows-HttpEvent
Microsoft-Windows-AxInstallService
Microsoft-Windows-Diagnosis-PerfHost
Microsoft-Windows-International
Microsoft-Windows-CertificateServicesClient-CredentialRoaming
Microsoft-Windows-SoftwareRestrictionPolicies
Microsoft-Windows-Windows Defender
Microsoft-Windows-ShareMedia-ControlPanel
Microsoft-Windows-CertificateServicesClient-Lifecycle-User
Microsoft-Windows-WPD-MTPUS
Microsoft-Windows-DirectWrite
Microsoft-Windows-RPCSS
Microsoft-Windows-DeviceSync
Microsoft-Windows-NcdAutoSetup
Microsoft-Windows-Diagnosis-PCW
Microsoft-Windows-DistributedCOM
ATA Port Driver Tracing Provider
Microsoft-Windows-WebdavClient-LookupServiceTrigger
Microsoft-Windows-USB-USBXHCI
Microsoft-Windows-Diagnosis-PLA
Microsoft-Windows-WlanConn
Microsoft-Windows-Winlogon
Microsoft-Windows-stobject
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter
Microsoft-Windows-D3D10Level9
Microsoft-Windows-WAS-ListenerAdapter
Microsoft-Windows-ServerManager-MultiMachine
Microsoft-Windows-AppxPackagingOM
Microsoft-Windows-PushNotifications-Platform
Microsoft-Windows-OOBE-Machine-Plugins-Wireless
Microsoft-Windows-IME-JPAPI
SBP2 Port Driver Tracing Provider
Microsoft-Windows-BranchCacheEventProvider
Microsoft-Windows-Immersive-Shell-API
Microsoft-Windows-ntshrui
Microsoft-Windows-KPSSVC
Microsoft-Windows-BitLocker-DrivePreparationTool
Microsoft-Windows-EapMethods-Sim
Microsoft-Windows-Shell-ZipFolder
Microsoft-Windows-Search-Core
Microsoft-Windows-OfflineFiles-CscNetApi
Microsoft-Windows-Diagnosis-WDI
Microsoft-Windows-PortableDeviceSyncProvider
Microsoft-Windows-Diagnostics-PerfTrack-Counters
Microsoft-Windows-Speech-TTS
Microsoft-Windows-Component-Resources-MrmCore-Events
Microsoft-Windows-BranchCache
Microsoft-Windows-SystemEventsBroker
Microsoft-Windows-VolumeControl
Microsoft-Windows-Win32k
Microsoft-Windows-Kernel-WHEA
Microsoft-Windows-P2P-Meetings
Microsoft-Windows-Diagnosis-WDC
Microsoft-Windows-Serial-ClassExtension
Microsoft-Windows-KPSSVC-WPP
Microsoft-Windows-CertificateServices-Deployment
Microsoft-Windows-PerfOS
Microsoft-Windows-ResetEng
Microsoft-Windows-Runtime-Graphics
Microsoft-Windows-IPSEC-SRV
Microsoft-Windows-CorruptedFileRecovery-Server
Windows Mobile Bluetooth Connectivity
Microsoft-Windows-DLNA-Namespace
Microsoft-Windows-WLAN-MediaManager
Certificate Services Client Trace
Microsoft-Windows-BranchCacheSMB
Microsoft-Windows-PrintService-USBMon
Microsoft-Windows-OOBE-Machine
Microsoft-Windows-DXP
Microsoft-Windows-Immersive-Shell
Microsoft-Windows-OOBE-Machine-Plugins
Microsoft-Windows-Reliability-Analysis-Engine
Microsoft-Windows-Application-Experience
Microsoft-Windows-KdsSvc
Microsoft-Windows-MediaFoundation-Platform
Microsoft-Windows-Security-Configuration-Wizard
Microsoft-Windows-DisplayColorCalibration
Windows Mobile Device Center Base
Microsoft-Windows-WPD-MTPClassDriver
Microsoft-Windows-DNS-Client
Microsoft-Windows-MSDTC Client
Microsoft-Windows-NDIS-PacketCapture
Windows Remote Management Trace
Microsoft-Windows-MSPaint
Microsoft-Windows-HomeGroup-ListenerService
Microsoft-Windows-Sensor-Service-Trigger
Microsoft-Windows-EapMethods-Ttls
Microsoft-Windows-Remotefs-Smb
Microsoft-Windows-SMBWitnessClient
Microsoft-Windows-USB-USBHUB
Microsoft-Windows-DirectWrite-FontCache
Microsoft-Windows-WindowsBackup
Microsoft-Windows-NWiFi
Microsoft-Windows-WER-Diag
Microsoft-Windows-UAC
Microsoft-Windows-LUA
Microsoft-Windows-AppID
Microsoft-Windows-IIS-WMSVC
Microsoft-Windows-Shell-OpenWith
Microsoft-Windows-MediaFoundation-MFReadWrite
Microsoft-Windows-BrokerInfrastructure
Microsoft-Windows-Fault-Tolerant-Heap
Microsoft-Windows-Shell-DefaultPrograms
Microsoft-Windows-Dism-Cli
Microsoft-Windows-SMBDirect
Microsoft-Windows-IME-SCTIP
Microsoft-Windows-EnergyEfficiencyWizard
Microsoft-Windows-ParentalControls
Microsoft-Windows-Smartcard-Server
Microsoft-Windows-FMS
Microsoft-Windows-Devices-Location
Microsoft-Windows-LLTD-Responder
Microsoft-Windows-MsLbfoSysEvtProvider
sqlos
Microsoft-Windows-TerminalServices-RemoteConnectionManager
Microsoft-Windows-SCPNP
Microsoft-Windows-Wordpad
WMI_Tracing_Client_Operations
Microsoft-Windows-Security-Audit-Configuration-Client
Microsoft-Windows-EFSADU
Windows Notification Facility Provider
Microsoft-Windows-DiagCpl
Windows NetworkItemFactory Trace
Microsoft-Windows-ApplicationExperience-Cache
Microsoft-Windows-ResourcePublication
Microsoft-Windows-FailoverClustering-Client
Microsoft-Windows-Runtime-Networking-BackgroundTransfer
Microsoft-Windows-AppHost
Microsoft-Windows-NetAdapterCim-Diag
Microsoft-Windows-IIS-FTP
Microsoft-Windows-Iphlpsvc
Microsoft-Windows-WinINet
Microsoft-Windows-TabletPC-InputPersonalization
Microsoft-Windows-SpoolerFilterPipelineSVC
Microsoft-Windows-Globalization
Microsoft-Windows-Bits-Client
Microsoft-Windows-WFP
Microsoft-Windows-Services
Microsoft-Windows-IdleTriggerProvider
Microsoft-Windows-DxgKrnl
Microsoft-Windows-HealthCenter
Microsoft-Windows-OtpCredentialProviderEvt
Microsoft-Windows-MemoryDiagnostics-Results
Microsoft-Windows-Ncasvc
Microsoft-Windows-SystemSettings
Microsoft-Windows-PDH
Microsoft-Windows-WMPNSSUI
Microsoft-Windows-BdeTriggerProvider
Microsoft-Windows-Diagnostics-PerfTrack
Microsoft-Windows-IIS-APPHOSTSVC
Microsoft-Windows-CoreWindow
Microsoft-Windows-Help
Microsoft-Windows-WindowsUpdateClient
Microsoft-Windows-IIS-W3SVC-PerfCounters
Microsoft-Windows-WMI
Microsoft-Windows-TabletPC-Platform-Input-Wisp
Microsoft-Windows-ProcessExitMonitor
Microsoft-Windows-IME-JPSetting
Microsoft-Windows-Diagnosis-Scripted
Microsoft-Windows-GroupPolicyTriggerProvider
File Kernel Trace; Operation Set 2
Microsoft-Windows-IIS-Configuration
Microsoft-Windows-Diagnosis-TaskManager
Microsoft-Windows-Diagnosis-DPS
Microsoft-Windows-UserPnp
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging
Microsoft-Windows-Schannel-Events
NetJoin
Microsoft-Windows-TabletPC-InputPanel
Microsoft-Windows-FileServices-ServerManager-EventProvider
Microsoft-Windows-MediaFoundation-Performance
Microsoft-Windows-EndpointTriggerProvider
Microsoft-Windows-IME-KRTIP
Microsoft-Windows-Mobile-Broadband-Experience-SmsApi
Microsoft-Windows-Hyper-V-Netvsc
Microsoft-Windows-DirectSound
Microsoft-Windows-TabletPC-Platform-Input-Core
Microsoft-Windows-PushNotifications-InProc
Microsoft-Windows-Kernel-Network
Microsoft-Windows-DiskDiagnosticResolver
Microsoft-Windows-NdisImPlatformSysEvtProvider
Microsoft-Windows-MeetingSpace
Microsoft-Windows-Base-Filtering-Engine-Resource-Flows
Microsoft-Windows-RasServer
Microsoft-Windows-VHDMP
Microsoft-Windows-WindowsSystemAssessmentTool
Microsoft-Windows-DCLocator
Microsoft-Windows-Diagnosis-MSDT
Microsoft-Windows-WLGPA
SQLSRV32.1
Microsoft-Windows-CertificateServicesClient-CertEnroll
Microsoft-Windows-IME-TCCORE
Microsoft-Windows-SmartCard-Bluetooth-Transport
Microsoft-Windows-WMVENCOD
Microsoft-Windows-mobsync
Microsoft-Windows-EFSTriggerProvider
Microsoft-Windows-DUSER
Microsoft-Windows-DiskDiagnosticDataCollector
Microsoft-Windows-DirectAccess-MediaManager
Microsoft-Windows-DisplaySwitch
Microsoft-Windows-PackageStateRoaming
Microsoft-Windows-Crypto-DPAPI
Microsoft-Windows-IME-CustomerFeedbackManagerUI
sqlserver
Microsoft-Windows-User-Loader
Microsoft-Windows-NetworkProfileTriggerProvider
Microsoft-Windows-NetworkProfile
Windows Firewall API - GP
Microsoft-Windows-CmiSetup
Microsoft-Windows-Sysprep
Microsoft-Windows-Windeploy
Microsoft-Windows-Setup
Microsoft-Windows-OobeLdr
Microsoft-Windows-SetupUGC
Microsoft-Windows-Audit
Microsoft-Windows-SetupCl
Microsoft-Windows-Winsrv
Microsoft-Windows-WinHttp
Microsoft-Windows-RadioManager
Microsoft-Windows-Websocket-Protocol-Component
Microsoft-Windows-WebIO
Microsoft-Windows-Dwm-Core
Microsoft-Windows-Registry-SQM-Provider
Microsoft-Windows-WHEA-Logger
Microsoft-Windows-PeerToPeerDrtEventProvider
Microsoft-Windows-BitLocker-Driver
Microsoft-Windows-SettingSync
Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal
Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
Microsoft-Windows-PowerShell
Microsoft-Windows-DirectShow-Core
Microsoft-Windows-Kernel-Power
Microsoft-Windows-msmpeg2venc
Microsoft-Windows-MPEG2_DLNA-Encoder
Microsoft-Windows-Remote-FileSystem-Log
Microsoft-Windows-Kernel-PnP
Microsoft-Windows-AppXDeployment-Server
Microsoft-Windows-Folder Redirection
Microsoft-Windows-OfflineFiles-CscUM
Microsoft-Windows-ServerManager-DeploymentProvider
Microsoft-Windows-ServiceReportingApi
Microsoft-Windows-StorDiag
Microsoft-Windows-IME-CustomerFeedbackManager
Microsoft-Windows-Kernel-EventTracing
Microsoft-Windows-Kernel-BootDiagnostics
Microsoft-Windows-DXGI
Microsoft-Windows-Build-RegDll
Microsoft-Windows-PNRPSvc
Microsoft-Windows-Ndu
Microsoft-Windows-Firewall
Microsoft-Windows-Wcmsvc
Microsoft-Windows-OLEACC
Microsoft-Windows-MSDTC Client 2
Microsoft-Windows-InputSwitch
Microsoft-Windows-Runtime-WebAPI
Microsoft-Windows-HAL
Microsoft-Windows-International-RegionalOptionsControlPanel
Microsoft-Windows-RPC
Microsoft-Windows-MFH264Enc
Microsoft-Windows-SharedAccess_NAT
Microsoft-Windows-DeviceAssociationService
Microsoft-Windows-Bluetooth-MTPEnum
Microsoft-Windows-BitLocker-API
{C5BFFE2E-9D87-D568-A09E-08FC83D0C7C2}
Microsoft-Windows-IPMIProvider
Microsoft-Windows-IME-TIP
Microsoft-Windows-WindowsToGo-StartupOptions
Microsoft-Windows-Backup
Microsoft-Windows-WMP-MediaDeliveryEngine
Microsoft-Windows-PrintBRM
Microsoft-Windows-ServerManager-ConfigureSMRemoting
Microsoft-Windows-Video-For-Windows
Microsoft-Windows-ClearTypeTextTuner
Microsoft-Windows-Subsys-Csr
Microsoft-Windows-USB-UCX
Microsoft-Windows-RemoteApp and Desktop Connections
Windows Winlogon Trace
Microsoft-Windows-RasSstp
Microsoft-Windows-UAC-FileVirtualization
Microsoft-Windows-ClassicSruMon
Microsoft-Windows-Security-IdentityListener
Microsoft-Windows-WWAN-MM-EVENTS
Microsoft-Windows-MsiServer
Microsoft-Windows-PhotoAcq
Microsoft-Windows-Power-Troubleshooter
Microsoft-Windows-DxpTaskSyncProvider
Microsoft-Windows-Remotefs-Rdbss
Microsoft-Windows-AppIDServiceTrigger
Microsoft-Windows-Kernel-File
Microsoft-Windows-TSF-msctf
Microsoft-Windows-PowerCpl
Microsoft-Windows-LanGPA
Microsoft-Windows-WWAN-MediaManager
Microsoft-Windows-PrimaryNetworkIcon
Microsoft-Windows-OfflineFiles
Microsoft-Windows-UIAnimation
Microsoft-Windows-Security-Auditing
Microsoft-Windows-WCN-Config-Registrar-Wizard-Trace
Microsoft-Windows-WWAN-NDISUIO-EVENTS
Microsoft-Windows-NetworkManagerTriggerProvider
Microsoft-Windows-Winsock-AFD
Microsoft-Windows-Remote-FileSystem-Monitor
Microsoft-Windows-WABSyncProvider
.NET Common Language Runtime
Microsoft-Windows-MSMPEG2VDEC
Microsoft-Windows-DateTimeControlPanel
Windows Firewall Driver
Microsoft-Windows-IIS-W3SVC
Microsoft-Windows-WWAN-UI-EVENTS
Microsoft-Windows-Speech-UserExperience
Microsoft-Windows-Dism-Api
Microsoft-Windows-Store-Client-UI
Microsoft-Windows-Calculator
Microsoft-Windows-Shell-ConnectedAccountState
Microsoft-Windows-PrintDialogs
Microsoft-Windows-Network-and-Sharing-Center
Microsoft-Windows-Crypto-RNG
Microsoft-Windows-MSDTC 2
Microsoft-Windows-SpellChecker
Microsoft-Windows-propsys
Microsoft-Windows-WPD-MTPIP
Microsoft-Windows-Documents
Microsoft-Windows-StorPort
Microsoft-Windows-Magnification
Microsoft-Windows-Shell-AuthUI
Microsoft-Windows-Dwm-Redir
Microsoft-Windows-BTH-BTHUSB
Microsoft-Windows-Ntfs
Microsoft-Windows-Sens
Microsoft-Windows-UserAccessLogging
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Microsoft-Windows-COM-Perf
Microsoft-Windows-StorageSpaces-BackgroundAgent
Microsoft-Windows-Kernel-Prefetch
Portable Device Connectivity API Trace
Microsoft-Windows-RemoteAssistance
Microsoft-Windows-MF
Microsoft-Windows-MediaFoundation-MSVProc
Microsoft-Windows-TBS
Microsoft-Windows-FeedbackTool
Microsoft-Windows-WlanPref
Microsoft-Windows-OfflineFiles-CscDclUser
Microsoft-Windows-Http-SQM-Provider
Microsoft-Windows-Wireless-Network-Setup-Wizard-Trace
Microsoft-Windows-MCT
Microsoft-Windows-HotStart
Microsoft-Windows-Diagnostics-Networking
Microsoft-Windows-Sensors
Microsoft-Windows-SmbServer
Microsoft-Windows-USB-USBHUB3
Microsoft-Windows-Dot3MM
Microsoft-Windows-KernelStreaming
Microsoft-Windows-Mobile-Broadband-Experience-Api
Microsoft-Windows-VolumeSnapshot-Driver
Microsoft-Windows-MobilityCenter
Microsoft-Windows-OfflineFiles-CscService
Microsoft-Windows-Superfetch
Microsoft-Windows-IPBusEnum
Microsoft-Windows-Mprddm
Microsoft-Windows-Dwm-Udwm
Microsoft-Windows-AppModel-State
Microsoft-Windows-WCN-FD-Provider-Trace
Microsoft-Windows-Resource-Exhaustion-Resolver
Microsoft-Windows-Iphlpsvc-Trace
Microsoft-Windows-WUSA
Microsoft-Windows-TerminalServices-LocalSessionManager
Microsoft-Windows-RPC-FirewallManager
Microsoft-Windows-WCN-Common-Trace
Microsoft-Windows-MediaFoundation-MFCaptureEngine
Microsoft-Windows-ReadyBoostDriver
Microsoft-Windows-DUI
Microsoft-Windows-WMP-Setup_WM
Microsoft-Windows-Direct3D10
Microsoft-Windows-DfsSvc
Microsoft-Windows-IME-SCCORE
Microsoft-Windows-NTLM
Microsoft-Windows-VWiFi
Microsoft-Windows-Kernel-PnPConfig
Microsoft-Windows-Winsock-SQM
Microsoft-Windows-SpoolerSpoolSV
Microsoft-Windows-Netshell
Microsoft-Windows-UserModePowerService
Microsoft-Windows-HttpService
HTTP Service Trace
Microsoft-Windows-D3D9
Microsoft-Windows-AppModel-Runtime
Microsoft-Windows-CEIP
Microsoft-Windows-Directory-Services-SAM
Microsoft-Windows-SpoolerTCPMon
Microsoft-Windows-ReadyBoost
Microsoft-Windows-L2NACP
Microsoft-Windows-LLTD-Mapper
Microsoft-Windows-Deduplication
Microsoft-Windows-HomeGroup-ControlPanel
Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task
Microsoft-Windows-DomainJoinManagerTriggerProvider
Microsoft-Windows-SruMon
Microsoft-Windows-ELS-Hyphenation
TCPIP Service Trace
Microsoft-Windows-DriverFrameworks-KernelMode
Microsoft-Windows-CorruptedFileRecovery-Client
Microsoft-Windows-WMI-Activity
Microsoft-Windows-COMRuntime
Microsoft-Windows-WAS
Microsoft-Windows-Wnv
Microsoft-Windows-Shsvcs
Microsoft-Windows-NDIS
Microsoft-Windows-WinMDE
File Kernel Trace; Operation Set 1
Microsoft-Windows-Proximity-Common
Microsoft-Windows-Ntfs-UBPM
Microsoft-Windows-Kernel-Registry
Microsoft-Windows-RemoteDesktopServices-RemoteDesktopSessionManager
Microsoft-Windows-TunnelDriver
Microsoft-Windows-QoS-Pacer
Microsoft-Windows-EventCollector
Microsoft-Windows-OOBE-Machine-DUI
Microsoft-Windows-IME-TCTIP
Microsoft-Windows-WCNWiz
Microsoft-Windows-Display
Microsoft-Windows-OcSetup
Microsoft-Windows-DesktopWindowManager-Diag
Microsoft-Windows-FileInfoMinifilter
Microsoft-Windows-TextPredictionEngine
Microsoft-Windows-NetworkGCW
Microsoft-Windows-DHCPv6-Client
Microsoft-Windows-PlayToManager
NDIS_STATUS_TCP_CONNECTION_OFFLOAD_CURRENT_CONFIG
NDIS_STATUS_PORT_STATE
MS_Windows_AeLookupServiceTrigger_Provider
Microsoft_Windows_SQM_Provider
MS_Windows_AIT_Provider
NDIS_TCP_CONNECTION_OFFLOAD_CURRENT_CONFIG
NDIS_TCP_OFFLOAD_CURRENT_CONFIG
PARPORT_WMI_ALLOCATE_FREE_COUNTS_GUID
NDIS_GEN_ENUMERATE_PORTS
GUID_QOS_TC_SUPPORTED
MS1394_PortVendorRegisterAccessGuid
iSCSI_PersistentLoginsGuid
iSCSI_PortalInfoClassGuid
SerailPortPerfGuid
PortClsEvent
UdpIpGuid
TcpIpGuid
iSCSI_OperationsGuid
CTLGUID_usbport
NDIS_STATUS_TCP_CONNECTION_OFFLOAD_HARDWARE_CAPABILITIES
iSCSI_DiscoveryOperationsGuid
SerialPortNameGuid
CTLGUID_WebClntTrace
POINTER_PORT_WMI_STD_DATA_GUID
KEYBOARD_PORT_WMI_STD_DATA_GUID
MSKeyboard_ClassInformationGuid
NDIS_GEN_CO_MEDIA_SUPPORTED
MS_Windows_AeSwitchBack_Provider
SerialPortHWGuid
MS_SM_PortInformationMethods
ataport_CtlGuid
storport_CtlGuid
MS1394_PortDriverInformationGuid
BTHPORT_WMI_HCI_PACKET_INFO
SerialPortCommGuid
iScsiLBOperationsGuid
MS_Windows_AeCache_Provider
NDIS_GEN_PORT_STATE
WindowsBackup TracingControlGuid
WmiMonitorListedSupportedSourceModes_GUID
NDIS_GEN_MEDIA_SUPPORTED
CTLGUID_certprop
BTHPORT_WMI_SDP_SERVER_LOG_INFO
KEYBOARD_PORT_WMI_EXTENDED_ID
iSCSIRedirectPortalGuid
NDIS_GEN_PORT_AUTHENTICATION_PARAMETERS
BTHPORT_WMI_SDP_DATABASE_EVENT
NDIS_TCP_CONNECTION_OFFLOAD_HARDWARE_CAPABILITIES
iSCSI_TCPIPConfigGuid
SerialPortPropertiesGuid
PortCls_IrpProcessing
iSCSI_SecurityConfigOperationsGuid
NDIS_TCP_OFFLOAD_PARAMETERS
PortCls_PowerState
Microsoft_Windows_GameUx
iSCSI_InitiatorLoginStatisticsGuid
MS1394_PortErrorInformationGuid
PortCls_PinState
CTLGUID_PortCls
NDIS_TCP_OFFLOAD_HARDWARE_CAPABILITIES
CTRLGUID_MF_PIPELINE
.PX`i`
`.HBS
&{%UD(_
dump_wmi_guidentries failed, error %d, status %X
dump_wmi_guidentries failed, error %d
dump_wmi_guidentries: cannot alloc %X bytes (total %d)
dump_wmi_guidentries: read failed, error %d, status %X
dump_wmi_guidentries: read failed, error %d
WMI guidentries: total %X readed %X:
[%X] %X flag %X refcnt %X - %s
[%X] %X flag %X refcnt %X %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
dump_wmi_regentries failed, error %d, status %X
dump_wmi_regentries failed, error %d
dump_wmi_regentries: cannot alloc %X bytes (total %d)
dump_wmi_regentries: read failed, error %d, status %X
dump_wmi_regentries: read failed, error %d
WMI regentries: total %X readed %X:
[%X] flags %X refcnt %X dev %p prov %X DS %p %s
[%X] flags %X refcnt %X cb %p prov %X DS %p %s
Etw[%d]:
Type %X Index %X InternalCB %p (%s) %s
Type %X Index %X InternalCB %p %s
Type %X Index %X InternalCB %p (%s) ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
Type %X Index %X InternalCB %p ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
dump_Etw: exception occured, code %X
dump_Etws: exception occured, code %X
KPRCB.EtwSupport %p:
KPRCB[%d].EtwSupport %p:
read_kernel_etws count failed, error %d, ntstatus %X
read_kernel_etws count failed, error %d
read_kernel_etws: cannot alloc %X bytes
read_kernel_etws failed, error %d, ntstatus %X
read_kernel_etws failed, error %d
KEtw[%X]:
KEtw[%X]: RefCount %d, KProvider - %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
KEtw[%X]: RefCount %d %s
[%X] %p %s
Type %X InUse %d Index %X InternalCB %p (%s) %s
Type %X InUse %d Index %X InternalCB %p %s
Type %X InUse %d Index %X InternalCB %p (%s) ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
Type %X InUse %d Index %X InternalCB %p ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
EtwCallback[%d] %p %s:
EtwCallback[%d]:
EtwTrace[%d] %p Ctx %p %s:
EtwTrace[%d] %p Ctx %p %s - %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
Unknown type %d for Etw[%d]
DEVINTERFACE_MT_TRANSPORT
DEVINTERFACE_KEYBOARD
DEVINTERFACE_COMPORT
DEVINTERFACE_VIAMINIPORT
DEVINTERFACE_STORAGEPORT
DEVINTERFACE_IRPORT
check_pnp_notifiers failed, error %d, status %X
check_pnp_notifiers failed, error %d
check_pnp_notifiers: cannot alloc %X bytes (total %d)
check_pnp_notifiers: read failed, error %d, status %X
check_pnp_notifiers: read failed, error %d
Pnp Notifiers: total %d, readed %d
Pnp[%d] %p %s %s addr %p
Pnp[%d] %s %s addr %p %s
check_pnp_handlers failed, error %d, status %X
check_pnp_handlers failed, error %d
PlugPlayHandlerTable: %d items
PlugPlayHandlerTable[%d] %p %s
PlugPlayHandlerTable[%d] %p
check_sess_notify, error %d, status %X
check_sess_notify, error %d
check_sess_notify: cannot alloc %X bytes (total %d)
check_sess_notify: read failed, error %d, status %X
check_sess_notify: read failed, error %d
IopSessionNotifications: %d
SessionNotifier[%d]: class %d len %X session %p cb %p %s
check_sess_term_ntfs failed, error %d, status %X
check_sess_term_ntfs failed, error %d
check_sess_term_ntfs: cannot alloc %X bytes (total %d)
check_sess_term_ntfs: read failed, error %d, status %X
check_sess_term_ntfs: read failed, error %d
LogonSessionTerminatedRoutines: %d
[%d] %p %s
check_fs_changes failed, error %d, status %X
check_fs_changes failed, error %d
check_fs_changes: cannot alloc %X bytes (total %d)
check_fs_changes: read failed, error %d, status %X
check_fs_changes: read failed, error %d
FS Change notifiers: %d (actual %d)
DriverObj %p addr %p %s
Cannot read count for %s, error %d
Count of %s is too big - %X
Cannot read %s table, error %d
Cannot read entry %d from table of %s, error %d
check_vista_cmp_list get count failed, error %d, status %X
check_vista_cmp_list get count failed, error %d
check_vista_cmp_list failed, error %d, status %X
check_vista_cmp_list failed, error %d
check_ai_cbs: cannot read ExpDisQueryAttributeInformation, error %d, ntstatus %X
check_ai_cbs: cannot read ExpDisQueryAttributeInformation, error %d
ExpDisQueryAttributeInformation %p %s
check_ai_cbs: cannot read ExpDisSetAttributeInformation, error %d, ntstatus %X
check_ai_cbs: cannot read ExpDisSetAttributeInformation, error %d
ExpDisSetAttributeInformation %p %s
check_dbgk_lkmd: cannot read DbgkLkmd_cblist, error %d, ntstatus %X
check_dbgk_lkmd: cannot read DbgkLkmd_cblist, error %d
DbgkLkmd[%d] callback %p %s
check_fsrtl: cannot read FltMgrCallbacks, error %d, ntstatus %X
check_fsrtl: cannot read FltMgrCallbacks, error %d
FltMgrCallbacks: %p %s
check_fsrtl: cannot read FsRtlpMupCalls, error %d, ntstatus %X
check_fsrtl: cannot read FsRtlpMupCalls, error %d
FsRtlpMupCalls: %p %s
check_Iof: cannot read pIofCallDriver, error %d, ntstatus %X
check_Iof: cannot read pIofCallDriver, error %d
pIofCallDriver %p patched by %s
check_Iof: cannot read pIofCompleteRequest, error %d, ntstatus %X
check_Iof: cannot read pIofCompleteRequest, error %d
pIofCompleteRequest %p patched by %s
check_Iof: cannot read pIoAllocateIrp, error %d, ntstatus %X
check_Iof: cannot read pIoAllocateIrp, error %d
pIoAllocateIrp %p patched by %s
check_Iof: cannot read pIoFreeIrp, error %d, ntstatus %X
check_Iof: cannot read pIoFreeIrp, error %d
pIoFreeIrp %p patched by %s
check_Iof: cannot read HvlpHypercallCodeVa, error %d, ntstatus %X
check_Iof: cannot read HvlpHypercallCodeVa, error %d
HvlpHypercallCodeVa %p patched by %s
%SystemRoot%\System32\sxssrv.dll
%SystemRoot%\System32\csrsrv.dll
%SystemRoot%\System32\basesrv.dll
%SystemRoot%\System32\winsrv.dll
%SystemRoot%\System32\lsasrv.dll
%SystemRoot%\System32\ntdll.dll
KiDebugRoutine %p hooked by %s
PspLegoNotifyRoutine %p hooked by %s
KiTimeUpdateNotifyRoutine %p hooked by %s
KiSwapContextNotifyRoutine %p hooked by %s
KiThreadSelectNotifyRoutine %p hooked by %s
Sysenter patched, addr %p not in %s !!!
Mailslot: %S
NamedPipe: %S
DEVCLASS_MULTIPORTSERIAL
DEVCLASS_PORTS
DEVCLASS_KEYBOARD
DEVCLASS_APMSUPPORT
read_dev_chrs(%S) failed, ntstatus %X
DrvObj %p name %S %s
DrvObj %p nameLen %X %s
dev_props failed, status %X
ClassGUID: %S
ClassGUID: %S - %s
Cannot open directory %S, error %X
Cannot realloc %d bytes
Cannot open device directory, error %X
Cannot open driver directory, error %X
Cannot open FileSystem directory, error %X
Unknown HAL private dispatch table version %X
HalAcpiTimerInit: %p %s
HalAcpiTimerCarry: %p %s
HalAcpiMachineStateInit: %p %s
HalAcpiQueryFlags: %p %s
HalAcpiPicStateIntact: %p %s
HalRestoreInterruptControllerState: %p %s
HalPciInterfaceReadConfig: %p %s
HalPciInterfaceWriteConfig: %p %s
HalSetVectorState: %p %s
HalGetApicVersion: %p %s
HalSetMaxLegacyPciBusNumber: %p %s
HalIsVectorValid: %p %s
HalAcpiGetTableDispatch: %p %s
HalAcpiGetRsdpDispatch: %p %s
HalAcpiGetFacsMappingDispatch: %p %s
HalAcpiGetAllTablesDispatch: %p %s
HalAcpiPmRegisterAvailable: %p %s
HalAcpiPmRegisterRead: %p %s
HalAcpiPmRegisterWrite: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
KdSetupPciDeviceForDebugging: %p %s
KdReleasePciDeviceforDebugging: %p %s
KdGetAcpiTablePhase0: %p %s
KdCheckPowerButton: %p %s
HalVectorToIDTEntry: %p %s
KdMapPhysicalMemory64: %p %s
KdUnmapVirtualAddress: %p %s
HalMmMemoryUsage: %p %s
HalAllocateMapRegisters: %p %s
KdGetPciDataByOffset: %p %s
KdSetPciDataByOffset: %p %s
HalGetInterruptVector: %p %s
HalGetVectorInput: %p %s
HalLoadMicrocode: %p %s
HalUnloadMicrocode: %p %s
HalMcUpdatePostUpdate: %p %s
HalAllocateMessageTarget: %p %s
HalFreeMessageTarget: %p %s
HalDpReplaceBegin: %p %s
HalDpReplaceTarget: %p %s
HalDpReplaceControl: %p %s
HalDpReplaceEnd: %p %s
HalPrepareForBugcheck: %p %s
HalQueryWakeTime: %p %s
HalReportIdleStateUsage: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
HalAllocateMapRegisters: %p %s
KdSetupPciDeviceForDebugging: %p %s
KdReleasePciDeviceforDebugging: %p %s
KdGetAcpiTablePhase0: %p %s
KdCheckPowerButton: %p %s
HalVectorToIDTEntry: %p %s
KdMapPhysicalMemory64: %p %s
KdUnmapVirtualAddress: %p %s
KdGetPciDataByOffset: %p %s
KdSetPciDataByOffset: %p %s
HalGetInterruptVector: %p %s
HalGetVectorInput: %p %s
HalLoadMicrocode: %p %s
HalUnloadMicrocode: %p %s
HalMcUpdatePostUpdate: %p %s
HalAllocateMessageTarget: %p %s
HalFreeMessageTarget: %p %s
HalDpReplaceBegin: %p %s
HalDpReplaceTarget: %p %s
HalDpReplaceControl: %p %s
HalDpReplaceEnd: %p %s
HalPrepareForBugcheck: %p %s
HalQueryWakeTime: %p %s
HalReportIdleStateUsage: %p %s
HalTscSynchronization: %p %s
HalWheaInitProcessorGenericSection: %p %s
HalStopLegacyUsbInterrupts: %p %s
HalReadWheaPhysicalMemory: %p %s
HalWriteWheaPhysicalMemory: %p %s
HalDpMaskLevelTriggeredInterrupts: %p %s
HalDpUnmaskLevelTriggeredInterrupts: %p %s
HalDpGetInterruptReplayState: %p %s
HalDpReplayInterrupts: %p %s
HalQueryIoPortAccessSupported: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
HalAllocateMapRegisters: %p %s
KdSetupPciDeviceForDebugging: %p %s
KdReleasePciDeviceforDebugging: %p %s
KdGetAcpiTablePhase0: %p %s
KdCheckPowerButton: %p %s
HalVectorToIDTEntry: %p %s
KdMapPhysicalMemory64: %p %s
KdUnmapVirtualAddress: %p %s
KdGetPciDataByOffset: %p %s
KdSetPciDataByOffset: %p %s
HalGetInterruptVector: %p %s
HalGetVectorInput: %p %s
HalLoadMicrocode: %p %s
HalUnloadMicrocode: %p %s
HalMcUpdatePostUpdate: %p %s
HalAllocateMessageTarget: %p %s
HalFreeMessageTarget: %p %s
HalDpReplaceBegin: %p %s
HalDpReplaceTarget: %p %s
HalDpReplaceControl: %p %s
HalDpReplaceEnd: %p %s
HalPrepareForBugcheck: %p %s
HalQueryWakeTime: %p %s
HalReportIdleStateUsage: %p %s
HalTscSynchronization: %p %s
HalWheaInitProcessorGenericSection: %p %s
HalStopLegacyUsbInterrupts: %p %s
HalReadWheaPhysicalMemory: %p %s
HalWriteWheaPhysicalMemory: %p %s
HalInterruptMaskLevelTriggeredLines: %p %s
HalInterruptUnmaskLevelTriggeredLines: %p %s
HalDpGetInterruptReplayState: %p %s
HalDpReplayInterrupts: %p %s
HalQueryIoPortAccessSupported: %p %s
KdSetupIntegratedDeviceForDebugging: %p %s
KdReleaseIntegratedDeviceForDebugging: %p %s
HalEnlightenmentInitialize: %p %s
HalAllocateEarlyPages: %p %s
HalMapEarlyPages: %p %s
HalTimerGetClockOwner: %p %s
HalTimerGetClockConfiguration: %p %s
HalTimerNotifyProcessorFreeze: %p %s
HalTimerPrepareProcessorForIdle: %p %s
HalDiagRegisterLogRoutine: %p %s
HalTimerResumeProcessorFromIdle: %p %s
HalTimerResetLastClockTick: %p %s
HalVectorToIDTEntryEx: %p %s
HalSecondaryInterruptQueryPrimaryInformation: %p %s
HalMaskInterrupt: %p %s
HalUnmaskInterrupt: %p %s
HalIsInterruptTypeSecondary: %p %s
HalAllocateGsivForSecondaryInterrupt: %p %s
HalAddInterruptRemapping: %p %s
HalRemoveInterruptRemapping: %p %s
HalSaveAndDisableEnlightenment: %p %s
HalRestoreHvEnlightenment: %p %s
HalPciEarlyRestore: %p %s
HalInterruptGetLocalIdentifier: %p %s
HalAllocatePmcCounterSet: %p %s
HalCollectPmcCounters: %p %s
HalFreePmcCounterSet: %p %s
HalTimerQueryCycleCounter: %p %s
HalTimerGetNextTickDuration: %p %s
HalPciMarkHiberPhase: %p %s
HalInterruptQueryProcessorRestartEntryPoint: %p %s
HalInterruptRequestSecondaryInterrupt: %p %s
HalInterruptEnumerateUnmaskedInterrupts: %p %s
HalBiosDisplayReset: %p %s
HalGetDmaAdapter: %p %s
HalCheckPowerButton: %p %s
HalMapPhysicalMemoryWriteThrough64: %p %s
HalUnmapVirtualAddress: %p %s
HalKdReadPCIConfig: %p %s
HalKdWritePCIConfig: %p %s
HalTimerQueryWakeTime: %p %s
HalTimerReportIdleStateUsage: %p %s
HalKdEnumerateDebuggingDevices: %p %s
HalFlushIoRectangleExternalCache: %p %s
HalPowerEarlyRestore: %p %s
HalQueryCapsuleCapabilities: %p %s
HalUpdateCapsule: %p %s
HalPciMultiStageResumeCapable: %p %s
check_hal_private_disp_table: cannot read table, error %d, ntstatus %X
check_hal_private_disp_table: cannot read table, error %d
check_hal_disp_table: cannot read table, error %d, ntstatus %X
check_hal_disp_table: cannot read table, error %d
HalQuerySystemInformation: %p %s
HalSetSystemInformation: %p %s
HalQueryBusSlots: %p %s
HalExamineMBR: %p %s
HalIoReadPartitionTable: %p %s
HalIoSetPartitionInformation: %p %s
HalIoWritePartitionTable: %p %s
HalReferenceHandlerForBus %p %s
HalReferenceBusHandler %p %s
HalDereferenceBusHandler %p %s
HalInitPnpDriver %p %s
HalInitPowerManagement %p %s
HalGetDmaAdapter %p %s
HalGetInterruptTranslator %p %s
HalStartMirroring %p %s
HalEndMirroring %p %s
HalMirrorPhysicalMemory %p %s
HalEndOfBoot %p %s
HalMirrorVerify %p %s
HalGetCachedAcpiTable %p %s
HalSetPciErrorHandlerCallback %p %s
read_hal_apci_disp_table return %X bytes, error %d, ntstatus %X
read_hal_apci_disp_table return %X bytes, error %d
Bad HalAcpiDispatchTable version: %X
read_gdt_size failed, error %d, ntstatus %X
read_gdt_size failed, error %d
Cannot alloc %d bytes for GDT entries
read_gdt failed, error %d, ntstatus %X
read_gdt failed, error %d
Descriptor[%d] %s S %d DPL %d type %X base %X limit %X
WinChecker::dump_ldt failed, error %X, ntstatus %X
WinChecker::dump_ldt failed, error %X
WinChecker::dump_ldt: cannot alloc ldt array, size %X
Ldt[%d]:
Base: X
Limit: X
AVL: %d
D/B: %d
DPL: %d
G: %d
P: %d
S: %d
Type: %d
Cannot read code for kinterrupt(%X) thunk, error %d
IDT patched: unknown type %X selector %X addr %p for int%X
IDT patched: unknown selector %X for int%X
IDT patched: int%X has unknown selector %X base %X limit %X addr %p
IDT patched: int%X addr %p by module %s
IDT int%X addr %p KINTERRUPT %p
IDT patched: int%X addr %p
Int%X: selector %X type TASK DPL %X base %X limit %X
Int%X: selector %X type %X DPL %X addr %p base %X limit %X
Int%X: selector %X type %X DPL %X addr %p
read_idt_size failed, error %d, ntstatus %X
read_idt_size failed, error %d
read_idt: cannot alloc %d bytes for IDT storage
read_idt failed, error %d, ntstatus %X
read_idt failed, error %d
Cannot read kinterrupt (%X), error %d
KInterrupt %X (%p):
Size %X type %X
ServiceRoutine %p %s
DispatchAddress %p %s
check_ob_types: cannot read size of ObTypes list, error %d, ntstatus %X
check_ob_types: cannot read size of ObTypes list, error %d
check_ob_types: cannot read %d bytes (readed %d), error %d, ntstatus %X
check_ob_types: cannot read %d bytes (readed %d), error %d
fill_ob_type: cannot read ObType %S (%X), error %d
Cannot read ObType %S (%X), error %d
ObType %S:
DumpProcedure: %p %s
OpenProcedure: %p %s
CloseProcedure: %p %s
DeleteProcedure: %p %s
ParseProcedure: %p %s
SecurityProcedure: %p %s
QueryNameProcedure: %p %s
OkayToCloseProcedure: %p %s
ZwAlpcConnectPortEx
ZwOpenKeyTransactedEx
ZwOpenKeyEx
ZwOpenKeyTransacted
ZwCreateKeyTransacted
ZwAlpcSendWaitReceivePort
ZwAlpcImpersonateClientOfPort
ZwAlpcDisconnectPort
ZwAlpcDeletePortSection
ZwAlpcCreatePortSection
ZwAlpcCreatePort
ZwAlpcConnectPort
ZwAlpcAcceptConnectPort
ZwUnloadKey2
ZwQueryOpenSubKeysEx
ZwLoadKeyEx
ZwQueryPortInformationProcess
ZwWaitForKeyedEvent
ZwReleaseKeyedEvent
ZwOpenKeyedEvent
ZwCreateKeyedEvent
ZwUnloadKeyEx
ZwSaveKeyEx
ZwRenameKey
ZwLockRegistryKey
ZwLockProductActivationKeys
ZwCompressKey
ZwCompactKeys
ZwYieldExecution
ZwUnloadKey
ZwSetValueKey
ZwSetThreadExecutionState
ZwSetInformationKey
ZwSetDefaultHardErrorPort
ZwSecureConnectPort
ZwSaveMergedKeys
ZwSaveKey
ZwRestoreKey
ZwRequestWaitReplyPort
ZwRequestPort
ZwReplyWaitReplyPort
ZwReplyWaitReceivePortEx
ZwReplyWaitReceivePort
ZwReplyPort
ZwReplaceKey
ZwRegisterThreadTerminatePort
ZwQueryValueKey
ZwQueryOpenSubKeys
ZwQueryMultipleValueKey
ZwQueryKey
ZwQueryInformationPort
ZwOpenKey
ZwNotifyChangeMultipleKeys
ZwNotifyChangeKey
ZwLoadKey2
ZwLoadKey
ZwListenPort
ZwImpersonateClientOfPort
ZwFlushKey
ZwEnumerateValueKey
ZwEnumerateKey
ZwDeleteValueKey
ZwDeleteKey
ZwDelayExecution
ZwCreateWaitablePort
ZwCreatePort
ZwCreateNamedPipeFile
ZwCreateKey
ZwConnectPort
ZwCompleteConnectPort
ZwAcceptConnectPort
FindKiServiceTable: relocation type %d found at X
Cannot read body of %s !
Cannot extract index of %s, error %d
kernel %s don`t contains KeServiceDescriptorTable function !
Cannot find SDT in %s
Cannot read ntdll.dll
Cannot read body of %s!
Cannot read body of ZwYieldExecution!
Cannot extract index of ZwYieldExecution, error %d
Cannot extract index of ZwPlugPlayControl , error %d
%s: %p
SDT entry %X (%s) hooked %p %s!
SDT entry %X hooked %p %s!
Need unhook %d items in SSDT
UNHOOK_ITEM: Index %X Offset %X
Unhook SSDT failed, lasterror %d
Unhooked %d SSDT items
NtUserSetProcessRestrictionExemption
NtUserAcquireIAMKey
NtGdiDdDDICreateKeyedMutex2
NtGdiDdDDIOpenKeyedMutex2
NtGdiDdDDIAcquireKeyedMutex2
NtGdiDdDDIReleaseKeyedMutex2
NtUserSetTHQAPublicKey
NtGdiDdDDIReleaseKeyedMutex
NtGdiDdDDIAcquireKeyedMutex
NtGdiDdDDIDestroyKeyedMutex
NtGdiDdDDIOpenKeyedMutex
NtGdiDdDDICreateKeyedMutex
NtUserEndTouchOperation
NtUserSfmDxReportPendingBindingsToDwm
NtGdiDDCCIGetTimingReport
NtUserUnregisterSessionPort
NtUserRegisterSessionPort
NtUserRegisterErrorReportingDialog
NtGdiSetOPMSigningKeyAndSequenceNumbers
NtGdiGetCertificateSize
NtGdiGetCertificate
NtUserWaitForMsgAndEvent
NtUserVkKeyScanEx
NtUserUnregisterHotKey
NtUserUnlockWindowStation
NtUserUnloadKeyboardLayout
NtUserUnhookWindowsHookEx
NtUserSetWindowStationUser
NtUserSetWindowsHookEx
NtUserSetWindowsHookAW
NtUserSetProcessWindowStation
NtUserSetKeyboardState
NtUserSetImeHotKey
NtUserSetConsoleReserveKeys
NtUserRegisterHotKey
NtUserOpenWindowStation
NtUserMapVirtualKeyEx
NtUserLockWindowStation
NtUserLoadKeyboardLayoutEx
NtUserGetProcessWindowStation
NtUserGetKeyState
NtUserGetKeyNameText
NtUserGetKeyboardState
NtUserGetKeyboardLayoutName
NtUserGetKeyboardLayoutList
NtUserGetImeHotKey
NtUserGetCPD
NtUserGetAsyncKeyState
NtUserCreateWindowStation
NtUserCloseWindowStation
NtUserCheckImeHotKey
NtUserCallMsgFilter
NtUserAlterWindowStyle
NtUserActivateKeyboardLayout
NtGdiScaleViewportExtEx
NtGdiDvpWaitForVideoPortSync
NtGdiDvpUpdateVideoPort
NtGdiDvpGetVideoPortConnectInfo
NtGdiDvpGetVideoPortOutputFormats
NtGdiDvpGetVideoPortLine
NtGdiDvpGetVideoPortInputFormats
NtGdiDvpGetVideoPortFlipStatus
NtGdiDvpGetVideoPortField
NtGdiDvpGetVideoPortBandwidth
NtGdiDvpFlipVideoPort
NtGdiDvpDestroyVideoPort
NtGdiDvpCreateVideoPort
NtGdiDvpCanCreateVideoPort
NtGdiDdSetColorKey
read_shadow_sdt failed, error %d
check_win32k_sdt: cannot alloc %d bytes
Cannot read win32k_sdt at %p size %X, error %d
win32k_sdt[%d] (%s) hooked, addr %p %s
win32k_sdt[%d] hooked, addr %p %s
GetNamedPipeServerProcessId
read_kddb read %X bytes, error %d
cannot read MmNonPagedPoolStart (%p), error %d
cannot read MmNonPagedPoolEnd (%p), error %d
cannot read MmPagedPoolStart (%p), error %d
cannot read MmPagedPoolEnd (%p), error %d
cannot read KernelVerifier (%p), error %d
WindowsType: %S
ETHREAD.StartAddress %X
KiProcessorBlock: %p (%X)
KernelVerifier: %X
KeBugCheckCallbackList: %p (%X)
WorkerRoutine: %p %s
IdleFunction: %p %s
IdleFunction: %p %s
KPRCB[%d].WorkerRoutine: %p %s
KPRCB[%d].IdleFunction: %p %s
KPRCB[%d].IdleFunction: %p %s
read_kpcr return %X bytes, error %d, ntstatus %X
read_kpcr return %X bytes, error %d
KPCR[%d] %p major %X minor %X
KPCR[%d] %p
get_os_info return %X bytes, error %d, ntstatus %X
get_os_info return %X bytes, error %d
NtMajorVersion: %d
NtMinorVersion: %d
BuildNumber: %d
GlobalFlag: %X
Processors: %d
MmVerifierFlags %d
MmSystemSize %d %s
DebuggerEnabled %d
DebuggerNotPresent %d
SafeBootMode %d
NXSupportPolicy %X
CR0 %8.8X %s
CR4 %8.8X %s
Cannot open mailslot %S, error %d
get_mail_slot_owner(%S): returned %d bytes, error %d, ntstatus %X
get_mail_slot_owner(%S): returned %d bytes, error %d
Cannot open named pipe %S, error %d
GetNamedPipeServerProcessId(%S) failed, error %d
get_named_pipe_owner(%S): returned %d bytes, error %d, ntstatus %X
get_named_pipe_owner(%S): returned %d bytes, error %d
read_lpc_port_chars: len %d, returned %d bytes, error %d, ntstatus %X
read_lpc_port_chars: len %d, returned %d bytes, error %d
read_unicode_string: len %d, returned %d bytes, error %d, ntstatus %X
read_unicode_string: len %d, returned %d bytes, error %d
read_drivers_list: cannot get size of drivers list, returned %d bytes, error %d, ntstatus %X
read_drivers_list: cannot get size of drivers list, returned %d bytes, error %d
read_drivers_list: cannot alloc %X bytes for driver list
read_drivers_list: cannot read drivers list, error %d, ntstatus %X
read_drivers_list: cannot read drivers list, error %d
%p:%X flags %X LoadCount %d %s
read_KiThreadSelectNotifyRoutine failed, error %d
read_KiSwapContextNotifyRoutine failed, error %d
read_KiTimeUpdateNotifyRoutine failed, error %d
read_PspLegoNotifyRoutine failed, error %d
read_KiDebugRoutine failed, error %d
read_msrs failed, error %d, ntstatus %X
read_msrs failed, error %d
IManageProcess: Cannot OpenProcess %d
IManageProcess: Cannot open process %d
read_win32_process for PID %X failed, error %d, status %X
read_win32_process for PID %X failed, error %d
read_dword(%p, PID %d) failed, error %d, ntstatus %X
read_dword(%p, PID %d) failed, error %d
read_ptr(%p, PID %d) failed, error %d, ntstatus %X
read_ptr(%p, PID %d) failed, error %d
rp_ReadProcessMemory(%p size %X) from %p error %d
read_token for PID %X failed, error %d, status %X
read_token for PID %X failed, error %d
open_proc(%d, access %X) failed, error %d, ntstatus %X
open_proc(%d, access %X) failed, error %d
rp_OpenProcess(%d, access %X) dwRet %d, error %d
rp_TerminateProcess(%p, %X) dwRet %d, error %d
Major %d Minor %d BuildNumber %d PlatformId %d ServicePackMajor %d ServicePackMinor %d SuiteMask %d ProductType %d CSDVersion %S
ProductType: %X
Cannot open RPC control, error %X
msgsvcsend
_ILocalObjectExporter
IVsShell
IWbemLoginClientID
ICertProtect
_IBTFTPApiEvents
_s_PasswordRecovery
wininet_UrlCache
_IObjectExporter
WMsgAPIs
WMsgKAPIs
INCryptKeyIso
HttpProxyMgrProvider
IKeySvcR
WcnTransportRpc
IPortResolve
IWbemLoginHelper
LRpcSIDKey
ISmartCardRootCerts
IDebugPortSupplier2
IAsyncOperation
IPipelineElement
OnlineProviderCertInterface
IBackgroundCopyJobHttpOptions
HttpProxyMgrClient
IStaticPortMappingCollection
IKeySvc
s_WindowsShutdown
IWebBrowser2
IDebugPortSupplierLocale2
IUPnPHttpHeaderControl
WINHTTP_AUTOPROXY_SERVICE
IErcLuaSupport
IDebugPortSupplier3
IKeySvc2
BackupKey
IWerReport
ICertPassage
IStaticPortMapping
IDebugPortSupplierEx2
IWbemLevel1Login
IWebBrowserApp
msgsvc
IShellWindows
RpcBindingFromStringBinding(%S) failed: %d
RpcMgmtInqIfIds(%S) failed: %d
RpcStringBindingCompose failed: %d
RpcBindingFromStringBinding failed: %d
RpcMgmtInqIfIds failed: %d
%8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X version %d.%d : %s
%8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X version %d.%d : (%s)
RpcMgmtEpEltInqBegin failed: %d
Cannot read npc table, readed %X bytes
rpcrt4
%s.AddressChangeFn: %p %s
rpcrt4_hack::check_myself: exception %d occured
rpcrt4_hack::try_hack: cannot find RpcServerRegisterIfEx
I_RpcInitNdrImports
load_driver(%S) returned %X
Loaded kernel driver: %S
Error loading kernel driver: %ls - 0xx
Error loading kernel driver: %S - 0xx
Error loading kernel driver: %S - OpenSCManager 0xx
tcpip
ClientImmProcessKey
fnHkOPTINLPEVENTMSG
fnHkINLPMSG
fnSENTDDEMSG
fnDWORDOPTINLPMSG
RealMsgWaitForMultipleObjectsEx
PEB.KernelCallbackTable patched, %p
user32_hack::try_hack: bad PE passed
user32_hack::try_hack: cannot read import table
pfnWowMsgBoxIndirectCallback
Unknown apfnDispatch size: %d
%s_hack::try_hack: bad PE passed
%s_hack::try_hack: cannot read exports, error %d
%s_hack::try_hack: cannot find section .data
%s_hack::try_hack: cannot read section .data
%s_hack::try_hack: cannot read section .rdata
%s_hack::try_hack: cannot find section .text
%s_hack::try_hack: cannot read section .text
DxgkReleaseKeyedMutex2
DxgkAcquireKeyedMutex2
DxgkOpenKeyedMutex2
DxgkCreateKeyedMutex2
DxgkReleaseKeyedMutex
DxgkAcquireKeyedMutex
DxgkDestroyKeyedMutex
DxgkOpenKeyedMutex
DxgkCreateKeyedMutex
Cannot read gDxgkInterface, readed %X bytes
WindowHasShadow
DisableProcessWindowsGhosting
zzzUnhookWindowsHook
xxxUpdateWindows
xxxArrangeIconicWindows
SetWindowState
ClearWindowState
SetMsgBox
GetKeyboardType
GetKeyboardLayout
RemotePassthruDisable
xxxRemotePassthruEnable
Cannot read gpsi, readed %X bytes
Cannot read gpsi handlers, readed %X bytes
Cannot read apfnSimpleCall, readed %X bytes
Cannot read gapfnMessageCall, readed %X bytes
Cannot read gapfnScSendMessage, readed %X bytes
Cannot read gaNewProcAddresses, readed %X bytes
Cannot open logfile %S
Cannot create stop event, error %d
Driver %S loaded from %S
SrvGetConsoleKeyboardLayoutName
SrvSetConsoleKeyShortcuts
SrvGetConsoleAliasExes
SrvGetConsoleAliasExesLength
SrvVDMConsoleOperation
SrvGetLargestConsoleWindowSize
SrvExitWindowsEx
winsrv.dll
Unknown size of ConsoleServerApiDispatchTable: %d
Unknown size of UserServerApiDispatchTable: %d
CallUserpExitWindowsEx
GetConsoleAliasExesInternal
GetConsoleAliasExesLengthInternal
SetConsoleKeyShortcuts
GetConsoleKeyboardLayoutNameWorker
SetConsoleOutputCPInternal
GetConsoleOutputCP
GetLargestConsoleWindowSize
reg_ccs_services::read failed - error %d
Cannot open key %S, error %d
SafeSecondaryLog(%d) failed, error %d
SafeSecondaryLog failed, error %d
SafeSendLog(%d) failed, error %d
SafeSendLog failed, error %d
Bad memory %p len %X in dump_hex_buffer
Cannot alloc %d bytes for delayed imports
Cannot alloc %d bytes for imports
read_import_safe(%s) failed %X
Cannot realloc %d bytes for iat
read_delayed_safe(%s) failed %X
store2md_cache: cannot alloc %d bytes
store2md_cache: cannot realloc, alloced %d bytes
wdigest.dll
tspkg.dll
schannel.dll
pku2u.dll
negoexts.dll
msv1_0.dll
livessp.dll
kerberos.dll
umpnpmgr.dll
combase.dll
ntdsa.dll
ntdll.dll
cryptbase.dll
ncrypt.dll
rpcrt4.dll
imm32.dll
user32.dll
kernelbase.dll
kernel32.dll
advapi32.dll
ole32.dll
Cannot alloc %X bytes for relocs
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
WS2_32.dll
RPCRT4.dll
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
RegCloseKey
RegOpenKeyExW
RegOpenKeyExA
RegCreateKeyExW
ADVAPI32.dll
GetWindowsDirectoryW
GetCPInfo
RegQueryInfoKeyW
RegEnumKeyW
zcÁ
.?AVMyWindowsChecker@@
.?AV?$rpcrt4_hack@U_IMAGE_NT_HEADERS@@@@
.?AVtcpip_hack@@
.?AV?$import_holder@U_IMAGE_NT_HEADERS@@@CMN@@
.?AVinmem_import_holder@CMN@@
.?AVimport_holder_intf@CMN@@
.?AVmodule_import@CMN@@
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
aR.Rn
X.UJ^A
w%xyW
f.Gkf
%0X0m0
>$?(?,?0?
3&4;456?90:
77g7
7>7[7`7|7
6#8*878^8~8
<#<0<^<@=
11_1
0#101#202
0 11h1J3
< <$<(<,<0<
6%7S7
7*717>7[8
=!>&>9>>>
7&7@7l78N8V8z8
:);4;>;\;
0%0X0
= >$>(>,>0>
?,?4?<?\?|?
.----/01/01/01
KERNEL32.DLL
mscoree.dll
U%SystemRoot%\system32\svchost.exe
%SystemRoot%\system32\svchost
WSOCKTRANSPORT
TCPIP6
TCPIP
STORPORT
STORMINIPORT
SOFTPCI
SCSIPORT
SCSIMINIPORT
SBP2PORT
FCPORT
PassiveWatchdogTimeout
sImageExecutionOptions
ErrorPortStartTimeout
ErrorPortCommTimeout
DisablePagingExecutive
DebuggerMaxModuleMsgs
CountOperations
B\\.\
Psapi.dll
sWindows PowerShell
tHost Process for Windows Tasks
Windows Problem Reporting 32 bit
Windows Problem Reporting
Windows Modules Installer
mWindows Start-Up Application
tWindows Search Indexer
sWindows Server Initial Configuration Tasks
Windows Media Player
Dump Reporting Tool
Error Reporter
rWindows Control Panel 32 bit
Windows Control Panel
Windows Connect Now - Config Registrar Service
Windows Media Player Network Sharing Service
Windows firewall
Windows Error Reporting Service
tWindows Defender
vError reporting service
eWindows update service
Windows Image Acquisition
WebClient
tWindows Security Center Notification App
yWindows Based Script Host
Windows installer 32 bit
Windows installer
Windows 16-bit Virtual Machine
Windows Management Instrumentation
Windows User Mode Driver Manager
MS tftp
MS ftp 32 bit
MS ftp
Microsoft Help and Support Center
Cmd.exe 32 bit
Cmd.exe
Windows Logon User Interface Host
Windows update
tGoogle Chrome
rOpera Internet Browser
Mozilla Thunderbird Mail and News Client
dFirefox browser
Services.exe
%SystemRoot%\msagent\agentsvr.exe
%SystemRoot%\System32\dfrgfat.exe
%SystemRoot%\System32\dfrgntfs.exe
%SystemRoot%\System32\services.exe
%SystemRoot%\System32\svchost.exe
%SystemRoot%\System32\alg.exe
%SystemRoot%\System32\spoolsv.exe
%SystemRoot%\System32\net.exe
%SystemRoot%\System32\net1.exe
%SystemRoot%\System32\cmd.exe
%SystemRoot%\System32\notepad.exe
%SystemRoot%\System32\calc.exe
%SystemRoot%\System32\PTF.exe
%SystemRoot%\System32\tPTF.exe
%SystemRoot%\System32\telnet.exe
%SystemRoot%\System32\taskkill.exe
%SystemRoot%\System32\ctfmon.exe
%SystemRoot%\System32\wdfmgr.exe
%SystemRoot%\System32\mmc.exe
%SystemRoot%\System32\userinit.exe
%SystemRoot%\System32\wbem\wmiprvse.exe
%SystemRoot%\System32\wbem\wmiadap.exe
%SystemRoot%\explorer.exe
%SystemRoot%\System32\lsass.exe
%SystemRoot%\System32\winlogon.exe
%SystemRoot%\System32\LogonUI.exe
%SystemRoot%\System32\wuauclt.exe
%SystemRoot%\System32\wuauclt1.exe
%SystemRoot%\System32\CCM\CcmExec.exe
%SystemRoot%\System32\csrss.exe
%SystemRoot%\System32\smss.exe
\SystemRoot\System32\smss.exe
%SystemRoot%\System32\inetsrv\w3wp.exe
%SystemRoot%\System32\schtasks.exe
%SystemRoot%\System32\tstheme.exe
%SystemRoot%\System32\control.exe
%SystemRoot%\System32\taskmgr.exe
%SystemRoot%\System32\dwwin.exe
%SystemRoot%\System32\drwtsn32.exe
%SystemRoot%\System32\dumprep.exe
%SystemRoot%\System32\dfssvc.exe
%SystemRoot%\System32\dllhost.exe
%SystemRoot%\System32\ntvdm.exe
%SystemRoot%\System32\rundll32.exe
%SystemRoot%\System32\msiexec.exe
%SystemRoot%\System32\mshta.exe
%SystemRoot%\System32\regsvr32.exe
%SystemRoot%\System32\cscript.exe
%SystemRoot%\System32\wscript.exe
%SystemRoot%\System32\wscntfy.exe
%SystemRoot%\System32\mstsc.exe
%SystemRoot%\System32\dashost.exe
far.exe
Far.exe
CLSID\{FC7D9E02-3F9E-11d3-93C0-00C04F72DAF7}\InprocServer32
CLSID\{73FDDC80-AEA9-101A-98A7-00AA00374959}\LocalServer32
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
iedw.exe
%SystemRoot%\System32\oobechk.exe
%SystemRoot%\System32\oobe.exe
%SystemRoot%\System32\psxss.exe
%SystemRoot%\System32\internat.exe
AcroRd32.exe
excel.exe
outlook.exe
winword.exe
powerpnt.exe
wmplayer.exe
firefox.exe
thunderbird.exe
Opera.exe
WinRAR.exe
%SystemRoot%\System32\wininit.exe
%SystemRoot%\System32\lsm.exe
%SystemRoot%\System32\dwm.exe
%SystemRoot%\System32\werfault.exe
%SystemRoot%\System32\taskeng.exe
%SystemRoot%\System32\conime.exe
%SystemRoot%\System32\wudfhost.exe
%SystemRoot%\System32\taskhost.exe
%SystemRoot%\System32\conhost.exe
%SystemRoot%\System32\rdpclip.exe
%SystemRoot%\System32\SearchFilterHost.exe
%SystemRoot%\System32\SearchProtocolHost.exe
csrss.exe
svchost.exe
alg.exe
sPptpMiniport
Tcpip
psapi.dll
127.0.0.1
\\.\pipe\
\\.\mailslot\
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\\.\Pipe\
\\.\Mailslot\
ncacn_ip_tcp:
ncadg_ip_udp:
\\pipe\\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
RemediationExe
SOFTWARE\Classes\SCCM.VAppLauncher\shell\Open\command
SOFTWARE\Classes\CLSID\{00AAB372-0D6D-4976-B5F5-9BC7605E30BB}\LocalServer32
SOFTWARE\Classes\CLSID\{3C296D07-90AE-4FAC-86F9-65EAA8B82D22}\LocalServer32
SOFTWARE\Classes\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}\LocalServer32
SOFTWARE\Classes\CLSID\{03e64e17-b220-4052-9b9b-155f9cb8e016}\LocalServer32
SOFTWARE\Classes\CLSID\{1F69F884-285E-418E-9715-B9EEE402DD5F}\LocalServer32
Software\Microsoft\Windows\CurrentVersion\WINEVT\publishers
Windows checker
1.0.0.3432
wincheck.exe
0, 0, 8, 16

FeEQMIQs.exe_264_rwx_05760000_00001000:




.text
`.rdata
@.data

FeEQMIQs.exe_264_rwx_05770000_00001000:




.text
`.rdata
@.data

FeEQMIQs.exe_264_rwx_06000000_00001000:




notepad.exe "%Documents and Settings%\%current user%\myfile"

FeEQMIQs.exe_264_rwx_06010000_00001000:




%Documents and Settings%\%current user%\myfile

FeEQMIQs.exe_264_rwx_06880000_00020000:




smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
vmacthlp.exe
svchost.exe
spoolsv.exe
jqs.exe
vmtoolsd.exe
VMUpgradeHelper.exe
alg.exe
explorer.exe
VMwareTray.exe
VMwareUser.exe
disablejavawarnsec.exe
sandbox_svc.exe
cmd.exe
Procmon.exe
wmiprvse.exe
rSwooYMM.exe
FeEQMIQs.exe
jWcYYUcg.exe

jWcYYUcg.exe_356_rwx_00401000_00072000:




?uKU:I.BcS
.om@Z
R$e7.vn
&'/'< ;<
9>.*>- dr.ok h
->: 72.;
.dEmk
}$uDpMs5
%Uc'\>
eou
.aZ$^
ÃBQ|
HTA.fb
X_e.Gx
MS|.TF7
x.EugxxDX&
.diOG
/:)<%D
%s2:%ej:|
_R<%U
.tXqwCAV1
.SeA]
|ge%s
YQ.vG
?%fp1
I.gk}
*X%1S(
{F|%{F|%{F|%c
(v0%U
0][w%U
k1%FQ
yo1%FQ
al1%U
2software\microsoft\windows\currentversion\run
%D'~H
oR%x{
J %dl
oi%sw
p.pTl
o?-S}
o}v).Wn
ob .kgo
o<.tvbl

jWcYYUcg.exe_356_rwx_00690000_00071000:




?uKU:I.BcS
.om@Z
R$e7.vn
&'/'< ;<
9>.*>- dr.ok h
->: 72.;
.dEmk
}$uDpMs5
%Uc'\>
eou
.aZ$^
ÃBQ|
HTA.fb
X_e.Gx
MS|.TF7
x.EugxxDX&
.diOG
/:)<%D
%s2:%ej:|
_R<%U
.tXqwCAV1
.SeA]
|ge%s
YQ.vG
?%fp1
I.gk}
*X%1S(
{F|%{F|%{F|%c
(v0%U
0][w%U
k1%FQ
yo1%FQ
al1%U
%D'~H
oR%x{
J %dl
oi%sw
p.pTl
o?-S}
o}v).Wn
ob .kgo
o<.tvbl

jWcYYUcg.exe_356_rwx_00930000_00001000:




%WinDir%\TEMP

jWcYYUcg.exe_356_rwx_00960000_00001000:




%Documents and Settings%\LocalService\NwIscAww\rSwooYMM

jWcYYUcg.exe_356_rwx_00970000_00001000:




%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs

jWcYYUcg.exe_356_rwx_00980000_00001000:




%Documents and Settings%\LocalService\NwIscAww\rSwooYMM.inf

jWcYYUcg.exe_356_rwx_00990000_00001000:




%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.inf

jWcYYUcg.exe_356_rwx_009A0000_00001000:




%Documents and Settings%\LocalService\NwIscAww\rSwooYMM.exe

jWcYYUcg.exe_356_rwx_009B0000_00001000:




%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.exe

jWcYYUcg.exe_356_rwx_009E0000_00001000:




rSwooYMM.exe

jWcYYUcg.exe_356_rwx_009F0000_00001000:




FeEQMIQs.exe

jWcYYUcg.exe_356_rwx_00A00000_00001000:




taskkill /FI "USERNAME eq SYSTEM" /F /IM rSwooYMM.exe

jWcYYUcg.exe_356_rwx_00A10000_00001000:




taskkill /FI "USERNAME eq SYSTEM" /F /IM FeEQMIQs.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1952

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\NwIscAww\rSwooYMM.exe (3865 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GuMkMcow.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pdfcstd.exe (6417 bytes)
    %Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.exe (3769 bytes)
    %Documents and Settings%\All Users\BOAMIgUE\jWcYYUcg.exe (3697 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (3073 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (31071 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (3073 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (3361 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
    C:\totalcmd\TcUsbRun.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\MAAo.txt (55978 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3361 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (3073 bytes)
    \\STORAGE2\PIPE\srvsvc (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5873 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (3073 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "rSwooYMM.exe" = "%Documents and Settings%\%current user%\NwIscAww\rSwooYMM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "FeEQMIQs.exe" = "%Documents and Settings%\All Users\hUEQccwo\FeEQMIQs.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now