GenericAutorunWorm.YR (Lavasoft MAS)
Behaviour: Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 27978af6bfb56660e238499c89669c3c
SHA1: b3041d1bafb91cc54d22f82a694f8cf5b0ad7d0a
SHA256: ff4a72490d9169de6110c0c175ad5092c02b094f43bc73db21eedafe2626cd15
SSDeep: 24576:b201cUIhefdoW RMchfaT8dROhSpzXLTIY2lgHPUZSZJEDPAtZGAj2wc:b2mrfOB5aTk8YLUYLUZSZJ6APz1c
Size: 1531752 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Blue Squirrel
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7Ada SP1 64-bit
Summary: Worm. A program that is primarily replicating on networks or removable drives.
Dynamic Analysis
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Worm creates the following process(es):
TPAutoConnSvc.exe:1776
grabsite.exe:1040
regsvr32.exe:3644
%original file name%.exe:3716
27978af6bfb56660e238499c89669c3c.tmp:2484
The Worm injects its code into the following process(es):
WORDPAD.EXE:1672
Mutexes
The following mutexes were created/opened: No objects were found.
File activity
The process grabsite.exe:1040 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Grab-a-Site 5.1\ix.dll (716 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.INI (28 bytes)
The process regsvr32.exe:3644 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Grab-a-Site 5.1\WebGrabber.dll (712 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\pi.dll (131 bytes)
The process %original file name%.exe:3716 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MPIKU.tmp\27978af6bfb56660e238499c89669c3c.tmp (1423 bytes)
The process 27978af6bfb56660e238499c89669c3c.tmp:2484 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
%Program Files% (x86)\Grab-a-Site 5.1\is-ECLB2.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-74JU1.tmp (5109 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site Help.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-RL3EB.tmp (11 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T9JMM.tmp (186 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-DG9RB.tmp (14 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site ReadMe.lnk (990 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1ME24.tmp (23 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-D5M1P.tmp (7547 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1093R.tmp (407 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-HLA0C.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-3NKQ3.tmp (30 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-JQC9U.tmp (132 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Blue Squirrel.lnk (836 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T0507.tmp (206 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.dat (1376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-CBQID.tmp (3073 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-6GA2P.tmp (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-8SVDJ.tmp (603 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-6E51A.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-GOMKQ.tmp (40 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site 5.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe (49 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-99FQ1.tmp (673 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-M90HH.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-EE0M9.tmp (2105 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-IGF3R.tmp (601 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\REGSVR32.EXE (32 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.msg (463 bytes)
Registry activity
The process TPAutoConnSvc.exe:1776 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"
"FormData" = "1,2159,2794,Letter¶40,40,2086,2712, 5,2159,3556,Legal¶40,40,2086,3474, 9,2100,2970,A4¶39,39,2032,2890, 7,1842,2667,Executive¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)¶40,40,2086,3220, 11,1480,2100,A5¶39,39,1408,2020, 70,1050,1480,A6¶39,39,975,1399, 13,1820,2570,B5 (JIS)¶39,39,1747,2490, 264,1950,2700,16K 195x270¶39,39,1882,2620, 263,1840,2600,16K 184x260¶39,39,1761,2520, 257,1970,2730,16K 197x273¶39,39,1896,2650, 43,1000,1480,Japanese Postcard¶39,39,921,1399, 82,1480,2000,Double Japan Postcard Rotated¶39,39,1408,1919, 20,1046,2413,Envelope #10¶40,40,975,2331, 37,983,1905,Envelope Monarch¶40,40,907,1823, 34,1760,2500,Envelope B5¶39,39,1693,2420, 28,1620,2290,Envelope C5¶39,39,1544,2209, 27,1100,2200,Envelope DL¶39,39,1029,2120"
"DelAfterCreate" = "1"
[HKU\.DEFAULT\Printers\DevModes2]
"NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1" = "4E 00 50 00 49 00 34 00 35 00 36 00 41 00 42 00"
The Worm deletes the following registry key(s):
[HKLM\SOFTWARE\ThinPrint\TPPrnUI\NPI456AB0 (HP LaserJet Professional M1212nf MFP)#:1]
The process grabsite.exe:1040 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Wow6432Node\uSSPESOQsu0yNqTumyyPLBWW]
"Xva_h1UE7YrwkGIs" = "bq2ZfC0JSgMnCO_xX3Sj31femCWW"
"haZRuEa_l4wKeRnJG!byuQ0SkJEKRC4KCEeSuwaHkL24cBp6GSmW" = "hkFHua0Bl4kFeRn8HE!yuaDB49EFcRkrCE!guaAS44oFcRx9!HmW"
The process WORDPAD.EXE:1672 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Font Management\Auto Activation Languages]
"en-Latn-US" = "1033"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Font Management]
"Active Languages" = "09 04 00 00"
"Inactive Fonts" = "Large Fonts, 8514oem, Marlett, Andalus, Arial Unicode MS, Arabic Typesetting, HGMaruGothicMPRO, Estrangelo Edessa, Microsoft Uighur, MV Boli, Sakkal Majalla, Simplified Arabic, Simplified Arabic Fixed, Traditional Arabic, FangSong, KaiTi, Microsoft YaHei, NSimSun, SimHei, SimSun, SimSun-ExtB, DFKai-SB, Microsoft JhengHei, MingLiU, MingLiU-ExtB, MingLiU_HKSCS, MingLiU_HKSCS-ExtB, PMingLiU, PMingLiU-ExtB, Euphemia, Lao UI, Plantagenet Cherokee, Aharoni, David, FrankRuehl, Gisha, Levenim MT, Miriam, Miriam Fixed, Narkisim, Rod, Aparajita, Gautami, Iskoola Pota, Kalinga, Kartika, Kokila, Latha, Mangal, Raavi, Shonar Bangla, Shruti, Tunga, Utsaah, Vani, Vijaya, Vrinda, Meiryo, Meiryo UI, MS Gothic, MS Mincho, MS PGothic, MS PMincho, MS UI Gothic, Batang, BatangChe, Dotum, DotumChe, Gulim, GulimChe, Gungsuh, GungsuhChe, Malgun Gothic, Ebrima, Microsoft Himalaya, Microsoft New Tai Lue, Microsoft PhagsPa, Microsoft Tai Le, Microsoft Yi Baiti, Mongolian Baiti, Nyala, Sylfaen, Angsana New, AngsanaUPC, Browallia New, BrowalliaUPC, Cordia New, CordiaUPC, DaunPenh, DilleniaUPC, DokChampa, EucrosiaUPC, FreesiaUPCç²ÈÂÂ"
The process regsvr32.exe:3644 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberEnumFilter"
[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}]
"(Default)" = "IGrabberEnumUrl"
[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}]
"(Default)" = "IGrabberEvents"
[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\"
[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberUrl"
[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\webgrabber.dll"
[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}]
"(Default)" = "IGrabberUrlStatus"
[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberEnumChild"
[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabber"
[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}]
"(Default)" = "IGrabberEnumUrl"
[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberFilter"
[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}]
"(Default)" = "DGrabberEvents"
[HKCR\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Wow6432Node\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberEnumFilter"
[HKCR\Interface\{B3DF250F-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WebGrabber.Grabber]
"(Default)" = "WebGrabber Class"
[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberEnumChild"
[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\ProgID]
"(Default)" = "WebGrabber.Grabber.1"
[HKCR\WebGrabber.Grabber.1\CLSID]
"(Default)" = "{8AA23DB1-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}]
"(Default)" = "IGrabberUrlStatus"
[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabber"
[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "WebGrabber Class"
[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\WebGrabber.Grabber.1]
"(Default)" = "WebGrabber Class"
[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\VersionIndependentProgID]
"(Default)" = "WebGrabber.Grabber"
[HKCR\Wow6432Node\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Wow6432Node\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}]
"(Default)" = "IGrabberPrefs"
[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\WebGrabber.Grabber\CLSID]
"(Default)" = "{8AA23DB1-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}]
"(Default)" = "IGrabberFilter"
[HKCR\Wow6432Node\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\WebGrabber.Grabber\CurVer]
"(Default)" = "WebGrabber.Grabber.1"
[HKCR\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B3DF2506-DF76-11D1-BA52-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}]
"(Default)" = "IGrabberEvents"
[HKCR\Wow6432Node\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\Interface\{8AA23DB2-9CAE-11D1-8648-00A0246D0300}]
"(Default)" = "IGrabberUrl"
[HKCR\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{5BBB7C44-D873-11D1-BA47-00104B1F427E}]
"(Default)" = "IGrabberPrefs"
[HKCR\Interface\{0BFF46C3-C4C6-11D1-BA2E-00104B1F427E}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Wow6432Node\Interface\{ADB18B66-EFFD-11D1-BA6A-00104B1F427E}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\TypeLib\{8AA23DA3-9CAE-11D1-8648-00A0246D0300}\1.0]
"(Default)" = "WebGrabber 1.0 Type Library"
[HKCR\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{8AA23DB5-9CAE-11D1-8648-00A0246D0300}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{8AA23DB1-9CAE-11D1-8648-00A0246D0300}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\webgrabber.dll"
[HKCR\Wow6432Node\Interface\{82630067-FB0C-11D1-BA79-00104B1F427E}]
"(Default)" = "DGrabberEvents"
[HKCR\Interface\{8AA23DB0-9CAE-11D1-8648-00A0246D0300}\TypeLib]
"(Default)" = "{8AA23DA3-9CAE-11D1-8648-00A0246D0300}"
[HKCR\Interface\{D0136EF6-A2F8-11D1-864E-00A0246D0300}\TypeLib]
"Version" = "1.0"
The process 27978af6bfb56660e238499c89669c3c.tmp:2484 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKCR\.gas]
"(Default)" = "Grab-a-Site.Document"
[HKLM\SOFTWARE\Wow6432Node\Blue Squirrel\IX\Settings]
"rootDir" = "c:\Users\Public\IX\"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"QuietUninstallString" = "%Program Files% (x86)\Grab-a-Site 5.1\unins000.exe /SILENT"
[HKCR\webwhacker\shell\open\command]
"(Default)" = "%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe /%1"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"URLInfoAbout" = "http://www.BlueSquirrel.com"
"InstallDate" = "20141216"
"Publisher" = "Blue Squirrel"
"Inno Setup: Language" = "default"
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files% (x86)\Grab-a-Site 5.1]
"iundo.exe" = "RUNASADMIN"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"DisplayVersion" = "5.1"
"MinorVersion" = "1"
"DisplayName" = "Blue Squirrel Grab-a-Site 5.1"
"HelpLink" = "http://www.BlueSquirrel.com"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%Program Files% (x86)\Grab-a-Site 5.1]
"iu.exe" = "RUNASADMIN"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"MajorVersion" = "5"
"Inno Setup: App Path" = "%Program Files% (x86)\Grab-a-Site 5.1"
"Inno Setup: Icon Group" = "Grab-a-Site"
[HKCU\.gas\OpenWithList]
"a" = "grabsite.exe"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"Inno Setup: Setup Version" = "5.3.9 (a)"
[HKCU\.gas\OpenWithList]
"(Default)" = ""
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"EstimatedSize" = "4441"
"NoModify" = "1"
"UninstallString" = "%Program Files% (x86)\Grab-a-Site 5.1\unins000.exe"
"InstallLocation" = "%Program Files% (x86)\Grab-a-Site 5.1\"
[HKCR\Grab-a-Site.Document]
"(Default)" = "Grab-a-Site Document"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"NoRepair" = "1"
[HKCU\.gas\OpenWithList]
"MURList" = "a"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Grab-a-Site_is1]
"URLUpdateInfo" = "http://www.BlueSquirrel.com"
Dropped PE files
MD5 | File path |
---|---|
c8ae2251ef395dddf4e8ec3a84701e5b | c:\Program Files (x86)\Grab-a-Site 5.1\REGSVR32.EXE |
35fbe8ed171b91e312df1b24c91a551e | c:\Program Files (x86)\Grab-a-Site 5.1\WebGrabber.dll |
106eda7931123e6fd3c44c5eed4e4f41 | c:\Program Files (x86)\Grab-a-Site 5.1\autorun.exe |
6dc74d4d670e2f5904a4d92731fc59ed | c:\Program Files (x86)\Grab-a-Site 5.1\grabsite.exe |
710590af15d47364111204e0c5af6ea9 | c:\Program Files (x86)\Grab-a-Site 5.1\iu.exe |
9b5bd8b5b70f6bf240b71bff59dad854 | c:\Program Files (x86)\Grab-a-Site 5.1\iundo.exe |
9b5af98a22740d2eb0180c852aa21a2d | c:\Program Files (x86)\Grab-a-Site 5.1\ix.dll |
14652be5311a039d6e8db6689ee871f1 | c:\Program Files (x86)\Grab-a-Site 5.1\pi.dll |
da6d09a571f57114ced2cc49f05165ac | c:\Program Files (x86)\Grab-a-Site 5.1\unins000.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TPAutoConnSvc.exe:1776
grabsite.exe:1040
regsvr32.exe:3644
%original file name%.exe:3716
27978af6bfb56660e238499c89669c3c.tmp:2484
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
%Program Files% (x86)\Grab-a-Site 5.1\ix.dll (716 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.INI (28 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\WebGrabber.dll (712 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\pi.dll (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-MPIKU.tmp\27978af6bfb56660e238499c89669c3c.tmp (1423 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-ECLB2.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_shfoldr.dll (47 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-74JU1.tmp (5109 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site Help.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-RL3EB.tmp (11 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T9JMM.tmp (186 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-DG9RB.tmp (14 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site ReadMe.lnk (990 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1ME24.tmp (23 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-D5M1P.tmp (7547 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-1093R.tmp (407 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-HLA0C.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-3NKQ3.tmp (30 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-JQC9U.tmp (132 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Blue Squirrel.lnk (836 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-T0507.tmp (206 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.dat (1376 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_setup64.tmp (6 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-CBQID.tmp (3073 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\Edge\is-6GA2P.tmp (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-8SVDJ.tmp (603 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-6E51A.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\is-482OA.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-GOMKQ.tmp (40 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Grab-a-Site\Grab-a-Site 5.lnk (1 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe (49 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-99FQ1.tmp (673 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-M90HH.tmp (4545 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-EE0M9.tmp (2105 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\is-IGF3R.tmp (601 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\REGSVR32.EXE (32 bytes)
%Program Files% (x86)\Grab-a-Site 5.1\unins000.msg (463 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Blue Squirrel
Product Name: Grab-a-Site
Product Version: 5.1.0.0
Legal Copyright: Copyright (c) 2010 Blue Squirrel
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.1.0.0
File Description: Grab-a-Site Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 37504 | 37888 | 4.53167 | 5d87ded351b0b41961d927fb546efca7 |
DATA | 45056 | 588 | 1024 | 1.89606 | e8b4b57d70dce84e92f20fc39f4aa0ce |
BSS | 49152 | 3668 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
.tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
.reloc | 65536 | 2224 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 69632 | 11264 | 11264 | 3.10504 | 800e1f2bb4575d7fa0346bb489692bca |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
3a3c56d67684a559adf7d98a549bc424
459db64ac881b403827643aba31a6bc6
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d5a231e1604969a1 | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ccd8f4b9a46853c | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://e6845.ce.akamaiedge.net/pca3.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.202.16 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ccd8f4b9a46853c | 87.245.202.24 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.43.139.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d5a231e1604969a1 | 87.245.202.24 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.202.16 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.202.16 |
hxxp://crl.verisign.com/pca3.crl | 23.43.133.163 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.202.16 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= | 23.43.139.27 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Tue, 16 Dec 2014 14:25:26 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?d5a231e1604969a1 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Tue, 16 Dec 2014 14:25:10 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.5
VTag: 791936916300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Tue, 16 Dec 2014 14:25:47 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=380474, public, no-transform, must-revalidate
Last-Modified: Sun, 14 Dec 2014 00:03:56 GMT
Expires: Sun, 21 Dec 2014 00:03:56 GMT
Date: Tue, 16 Dec 2014 14:25:16 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=357331, public, no-transform, must-revalidate
Last-Modified: Sat, 13 Dec 2014 17:38:38 GMT
Expires: Sat, 20 Dec 2014 17:38:38 GMT
Date: Tue, 16 Dec 2014 14:25:21 GMT
Connection: keep-alive
<<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 812
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
ETag: "a2f3ff97eeecf1:0"
Cache-Control: max-age=900
Date: Tue, 16 Dec 2014 14:24:55 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Mon, 06 Oct 2014 05:06:02 GMT
ETag: "3e1c83923e1cf1:0"
Cache-Control: max-age=900
Date: Tue, 16 Dec 2014 14:25:00 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 04 Oct 2014 05:06:12 GMT
ETag: "58cddbea90dfcf1:0"
Cache-Control: max-age=900
Date: Tue, 16 Dec 2014 14:25:05 GMT
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?2ccd8f4b9a46853c HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Tue, 16 Dec 2014 14:25:11 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=357371, public, no-transform, must-revalidate
Last-Modified: Sat, 13 Dec 2014 17:38:40 GMT
Expires: Sat, 20 Dec 2014 17:38:40 GMT
Date: Tue, 16 Dec 2014 14:25:39 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=484303, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 04:54:07 GMT
Expires: Mon, 22 Dec 2014 04:54:07 GMT
Date: Tue, 16 Dec 2014 14:25:32 GMT
Connection: keep-alive
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=503590, public, no-transform, must-revalidate
Last-Modified: Mon, 15 Dec 2014 10:19:02 GMT
Expires: Mon, 22 Dec 2014 10:19:02 GMT
Date: Tue, 16 Dec 2014 14:25:53 GMT
Connection: keep-alive
<<< skipped >>>
Map
The Worm connects to the servers at the following location(s):
Strings from Dumps
grabsite.exe_1040:
.text
`.rdata
@.data
.rsrc
t.HuY
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
@u.Wj
proxy.htm
reset.htm
index.html
index.txt
\/:*?"|=&
/:*?"|=&
broken.gif
broken.jpg
hXXp://
hXXps://
PTF://
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
GDI32.DLL
CNotSupportedException
{X-X-X-XX-XXXXXX}
%*.*f
windows
MSWHEEL_ROLLMSG
File%d
CMDIFrameWnd
MSH_SCROLL_LINES_MSG
ddeexec
%s\ShellNew
%s\DefaultIcon
%s\shell\printto\%s
%s\shell\print\%s
%s\shell\open\%s
ole32.dll
__MSVCRT_HEAP_SELECT
portuguese-brazilian
user32.dll
VERSION.dll
GetCPInfo
KERNEL32.dll
GetKeyNameTextA
MapVirtualKeyA
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
CreateDialogIndirectParamA
GetAsyncKeyState
USER32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyA
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEAUT32.dll
c:\snapshot.wwp
snapshot.wwp
notepad.exe
Export
{C6266CF2-244C-45B8-A37A-DBEE76EE58B2}
{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}
WebWhacker For Palm Snapshot
snapshot.htm
URL Protocol
URL: WebWhacker For Palm Protocol
iexplore.exe
.PAVCOleException@@
Ftp_ProxyPort
FTP_Proxy
Http_ProxyPort
HTTP_Proxy
Software\Microsoft\Windows\CurrentVersion\Internet Settings
http:=
http=
;http=
user_pref("network.proxy.http",
user_pref("network.proxy.http_port",
user_pref("network.proxy.type",
user_pref("network.proxy.ftp_port",
user_pref("network.proxy.ftp",
prefs.js
.PAVCFileException@@
user_pref("network.proxy.type", 1);
.html
mozilla.exe
netscape.exe
grabsite.ini
foot.htm
head.htm
contents.htm
index.htm
export.htm
B~.INI
SetUpdateNamePassword
SetPurchaseMsgUpdate
SetPurchaseMsg
SetNewLicenseKeyFlag
SetLicenseKey32
SetClientToServerMsg
GetPurchaseMsgUpdate
GetPurchaseMsg
GetNewLicenseKeyFlag
GetLicenseKey32
%s%siu.exe
IX.dll
Application requires Microsoft Windows 32-bit extensions.
Attempt was made to load a compressed executable file. The file must be decompressed before it can be loaded.
Attempt was made to load a second instance of an executable file containing multiple data segments that were not marked read-only.
Attempt was made to load a real-mode application(developed for an earlier version of Windows)
Type of executable file was unknown
The program is designed for another operating system
Invalid executable, corrupt executable or non-Windows executable
Incorrect version of Windows
Path was not found - %s
File not found - %s
Unable to run %s
System out of memory or executable is corrupt
C:\Programming\PROJECTS\web2pqa\LeftView.cpp
IDispatch error #%d
d:d:d
grabasite.log
C:\Programming\PROJECTS\web2pqa\MainFrm.cpp
edge.htm
Need a URL to grab.
instaide.dll
%s\x
software\microsoft\windows nt\currentversion\perflib
KERNEL32.DLL
webwhacker
*.bat
CUrlSheet
C:\Programming\PROJECTS\web2pqa\UrlSheet.cpp
%sx%s
URLWiz
C:\Programming\PROJECTS\web2pqa\URLWiz.cpp
URLWizConfig
URLWizFilter
URLWizSched
URLWizSelect
hXXp://VVV.
http-equiv="refresh"
hXXp://VVV.bluesquirrel.com/cart/cart.asp?P=GAS&k=2
\Buy Grab-a-Site.url
hXXp://VVV.bluesquirrel.com/cart/cart.asp?P=GAS&k=1
\~backup\ix.dll
grabasite.bluesquirrel.com
\iundo.exe "Grab-a-Site"
%i %d %t
%dReplace
%dSearch
RunCmd
%b Üontents.htm
command.com /c
(801)352-1551
ix.dll
https:
http:
C:\Programming\PROJECTS\web2pqa\Web2PQA.cpp
CWeb2PQADoc
gsurl.dbf
C:\Programming\PROJECTS\web2pqa\Web2PQADoc.cpp
Advise failed: %x
Advise failed(dialog): %x
Exporting...
pGrabber.CreateInstance FAILED
WebGrabber.Grabber
webgrabber.dll
regsvr32.exe
OPEN=autorun.exe
autorun.inf
autorun.exe
*.htm*
CWeb2PQAView
WWW_OpenURL
WWW_OpenURLResult
An invalid transaction identifier was passed to a DDEML function. Once the application has returned from an XTYP_XACT_COMPLETE callback, the transaction identifier for that callback function is no longer valid.
A parameter failed to be validated by the DDEML. Some of the possible causes follow: The application used a data handle initialized with a different item name handle than was required by the transaction.The application used a data handle that was initialized with a different clipboard data format than was required by the transaction.The application used a client-side conversation handle with a server-side function or vice versa.The application used a freed data handle or string handle.More than one instance of the application used the same object.
A request for a synchronous execute transaction has timed out.
An application initialized as APPCLASS_MONITOR hasattempted to perform a dynamic data exchange (DDE) transaction, or an application initialized as APPCMD_CLIENTONLY has attempted to perform server transactions.
A DDEML function was called without first callingthe DdeInitialize function, or an invalid instanceidentifier was passed to a DDEML function.
Web DDE Error
yyFlexLexer::yylex invoked but %option yyclass used
Warning: This program requires comctl32.dll version 4.71 or greater.
comctl32.dll
&%d %s
%s-SCBar-%d
.?AVCCmdTarget@@
.PAVCException@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCResourceException@@
.PAVCMemoryException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.?AVCStatusCmdUI@@
.?AVCToolCmdUI@@
.?AVCMDIFrameWnd@@
.PAVCArchiveException@@
zcÃ
%Program Files% (x86)\Grab-a-Site 5.1\grabsite.exe
{4AFE05E6-595E-42A6-907D-CF3B1AE98720} = s 'Web2Palm'
'Web2Palm.EXE'
val AppID = s {4AFE05E6-595E-42A6-907D-CF3B1AE98720}
Web2Palm.Palmer.1 = s 'Web2Palm Class'
CLSID = s '{4D1E5FE6-C4B7-42F3-B359-01A110C236BD}'
Web2Palm.Palmer = s 'Web2Palm Class'
CurVer = s 'Web2Palm.Palmer.1'
ForceRemove {4D1E5FE6-C4B7-42F3-B359-01A110C236BD} = s 'Web2Palm Class'
ProgID = s 'Web2Palm.Palmer.1'
VersionIndependentProgID = s 'Web2Palm.Palmer'
val AppID = s '{4AFE05E6-595E-42A6-907D-CF3B1AE98720}'
'TypeLib' = s '{B0149167-787A-4178-BCC7-3CDA49DFC29B}'
stdole2.tlbWWW
Web2PalmLibW
AddURLWW
urlW
Web2Palm 1.0 Type LibraryW
Web2Palm Class
method AddURLW
InternetExplorer.Application
&Import URL(s)...
&Export Content...
&URL Properties
Url Menu
URL Properties
Grab URL
Refresh URL
Skip URL
Delete URL
Export URL Tree
Export URL Page
New Url
Large Icon (.BMP):
Small Icon (.BMP):
Please enter the name and location of you're WCA Builder (WCABuild.EXE):
Palm's Web Clipping Application (Palm Query Application) Builder is requirred to build PQA files.
(.GIF, .JPG, .HTM, .HTML)
&Skip this URL
&Url:
(Example: zip,exe,pdf)
URL Wizard (step 1 of 4)
&URL to Add:
URL Wizard (step 2 of 4)
Select the number of levels of this web site you wish to download
Select the types of files that you do not want to download from this web site
URL Wizard (4 of 4)
WebWhacker For Palm
Enter a user name and password if required by this site:
&Password:
Port:
Note: Palm's Web Clipping Application Builder is used to create PQA (Palm Query Application) files.
Web Browser Emulation
Browse Web Pages With:
Shell (command.com /c)
Autorun.inf
URL Wizard (step 3 of 4)
Full URL (hXXp://...)
Enter filename from the edge directory or a fully qualified URL.
Enter filename from the edge directory or a fully qualified URL.
VIP Key Error
VIP Key Error
Error GS0345 - The VIP key you used has been invalidated. Click OK to purchase a new key.
Error GS0345 - The VIP key you used has been invalidated. Click OK to purchase a new key.
jWebWhacker For Palm
jWebWhacker For Palm
WebWhacker For Palm Files (*.wwp)
WebWhacker For Palm Files (*.wwp)
WWPalm.Document
WWPalm.Document
WWPalm DocumentXWeb2Help
WWPalm DocumentXWeb2Help
Web2He
Web2He
Web2Help Files (*.w2h)
Web2Help Files (*.w2h)
Web2Help.Document
Web2Help.Document
Web2Help DocumentdGrab-a-Site
Web2Help DocumentdGrab-a-Site
Grab-a-Site Files (*.gas)
Grab-a-Site Files (*.gas)
Grab-a-Site.Document
Grab-a-Site.Document
WebWhacker For Palm Options
WebWhacker For Palm Options
Browse&WebWhacker For Palm Project Properties
Browse&WebWhacker For Palm Project Properties
%1LFinished downloading web site(s).
%1LFinished downloading web site(s).
Would you like to build the PQA file now?OThe URL you entered is not valid. The format is:
Would you like to build the PQA file now?OThe URL you entered is not valid. The format is:
hXXp:///dir/page.html
hXXp:///dir/page.html
Microsoft Web Proxy Server
Microsoft Web Proxy Server
Wingate SOCKS Proxy Server,Document size filter must be greater that 0.#Levels must be set to 1 or greater.PLevels must be left blank or set to 1 or greater to override
Wingate SOCKS Proxy Server,Document size filter must be greater that 0.#Levels must be set to 1 or greater.PLevels must be left blank or set to 1 or greater to override
inherited behavior.4Would you like to begin downloading web site(s) now?
inherited behavior.4Would you like to begin downloading web site(s) now?
WCABuild.exe
WCABuild.exe
Please enter a positive integerLFinished downloading web site(s).
Please enter a positive integerLFinished downloading web site(s).
Would you like to build the HLP file now?1There has been an error createding the help file.qThe PQA needs to be rebuilt in order for property changes to
Would you like to build the HLP file now?1There has been an error createding the help file.qThe PQA needs to be rebuilt in order for property changes to
take effect. Would you like to rebuild the PQA now?4hXXp://VVV.palmos.com/dev/tech/tools/wca_builder.zip
take effect. Would you like to rebuild the PQA now?4hXXp://VVV.palmos.com/dev/tech/tools/wca_builder.zip
hXXp://VVV.bluesquirrel.com/
hXXp://VVV.bluesquirrel.com/
http:\VVV.palm.comVYou must first enter the URL of at least one
http:\VVV.palm.comVYou must first enter the URL of at least one
web site that you would like to download.
web site that you would like to download.
Import Are you sure you want to delete this URL?
Import Are you sure you want to delete this URL?
Unable to open file for Import.
Unable to open file for Import.
GIF Files (*.gif)
GIF Files (*.gif)
*.gif
*.gif
JPG Files (*.jpg)
JPG Files (*.jpg)
*.jpg
*.jpg
HTML Files (*.htm;*.html)
HTML Files (*.htm;*.html)
*.htm;*.html
*.htm;*.html
Executable (*.exe)
Executable (*.exe)
*.exe
*.exe
PQA Files (*.pqa)
PQA Files (*.pqa)
*.pqa
*.pqa
Bitmap Files (*.bmp)
Bitmap Files (*.bmp)
*.bmp
*.bmp
*.txt
*.txt
Text Files (*.txt)
Text Files (*.txt)
The required component IX.DLL was unable to load.
The required component IX.DLL was unable to load.
It is recommended that you reinstall Grab-a-Site.ySorry, Grab-a-Site is unable to continue due to authentication
It is recommended that you reinstall Grab-a-Site.ySorry, Grab-a-Site is unable to continue due to authentication
problem. Please call technical support at 1-801-352-1551. You have the latest version of Grab-a-Site.
problem. Please call technical support at 1-801-352-1551. You have the latest version of Grab-a-Site.
Unable to launch IUNDO.EXE:hXXp://VVV.bluesquirrel.com/scripts/orderpage.asp?skey=GAS
Unable to launch IUNDO.EXE:hXXp://VVV.bluesquirrel.com/scripts/orderpage.asp?skey=GAS
You can purchase Grab-a-Site at hXXp://VVV.bluesquirrel.com/scripts/orderform.asp?skey=GAS or call at 1-800-403-0925 or 801-352-1551.ChXXp://VVV.bluesquirrel.com/scripts/upgradepage.asp?skey=GASUPGRADE
You can purchase Grab-a-Site at hXXp://VVV.bluesquirrel.com/scripts/orderform.asp?skey=GAS or call at 1-800-403-0925 or 801-352-1551.ChXXp://VVV.bluesquirrel.com/scripts/upgradepage.asp?skey=GASUPGRADE
#Your evaluation period has expired.WWe thank you for evaluating this product and look forward to serving you in the future.
#Your evaluation period has expired.WWe thank you for evaluating this product and look forward to serving you in the future.
1-801-352-1551 Sales:1-800-403-0925>E-mail: info@bluesquirrel.com
1-801-352-1551 Sales:1-800-403-0925>E-mail: info@bluesquirrel.com
WWW: hXXp://VVV.bluesquirrel.com
WWW: hXXp://VVV.bluesquirrel.com
The required component IU.EXE was not found.
The required component IU.EXE was not found.
Printed
Printed
:
:
:
:
:
:
:
:
:
:
How did you find out about WebWhacker For Palm?
How did you find out about WebWhacker For Palm?
WebWhacker For Palm Order Form
WebWhacker For Palm Order Form
: $49.95**
: $49.95**
:
:
:
:
Grab-a-Site V.I.P. Key Form
Grab-a-Site V.I.P. Key Form
WebWhacker For Palm VIP Key Form
WebWhacker For Palm VIP Key Form
V.I.P. Key
V.I.P. Key
:
:
Insert a new URL
Insert a new URL
'Begin Grabbing Web Site(s)
'Begin Grabbing Web Site(s)
Properties"Edit URL Properties
Properties"Edit URL Properties
URL Properties:Open local version of URL in your Browser
URL Properties:Open local version of URL in your Browser
Browse Local URL>Open the PQA version of this URL in you Browser
Browse Local URL>Open the PQA version of this URL in you Browser
Browse PQA URL
Browse PQA URL
.Check for an online update to this application1Revert back to the version before the last update#Invoke the InstantX Settings dialog"Don't include this URL in the PQA.
.Check for an online update to this application1Revert back to the version before the last update#Invoke the InstantX Settings dialog"Don't include this URL in the PQA.
,Begin Refreshing Web Site(s)
,Begin Refreshing Web Site(s)
Refresh Site(s)
Refresh Site(s)
Browse Remote URL
Browse Remote URL
Delete Selected URL
Delete Selected URL
Delete4Visit the Blue Squirrel Web Site
Delete4Visit the Blue Squirrel Web Site
Register WebWhacker For Palm
Register WebWhacker For Palm
*Begin Grabbing Selected Web Site
*Begin Grabbing Selected Web Site
Grab Site/Begin Refreshing Selected Web Site
Grab Site/Begin Refreshing Selected Web Site
View ContentsMImport URL(s) from a Text or HTML file into the current project
View ContentsMImport URL(s) from a Text or HTML file into the current project
Import URL(s)%Export grabbed content
Import URL(s)%Export grabbed content
Export Content
Export Content
Replace%Select the entire document
Replace%Select the entire document
All Files (*.*)
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
#Unable to load mail system support.
#Unable to load mail system support.
Access to %1 was denied..An invalid file handle was associated with %1.
Access to %1 was denied..An invalid file handle was associated with %1.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
5.0.1.1
5.0.1.1
grabsite.exe
grabsite.exe
WORDPAD.EXE_1672:
Error: Func %s Line %d: offset/subscript/superscript not set
Error: Func %s Line %d: offset/subscript/superscript not set
Error: Func %s Line %d: conflict for subscript and superscript
Error: Func %s Line %d: conflict for subscript and superscript
Error: Func %s Line %d: CFM_SIZE not set
Error: Func %s Line %d: CFM_SIZE not set
#%2x%2x%2x
#%2x%2x%2x
Error: Func %s Line %d: PFM_NUMBERING not set
Error: Func %s Line %d: PFM_NUMBERING not set
META-INF/manifest.xml
META-INF/manifest.xml
content.xml
content.xml
OleObj%d
OleObj%d
Error: Func %s Line %d: Numbering flag not set
Error: Func %s Line %d: Numbering flag not set
Error: Func %s Line %d: table row end outside table!
Error: Func %s Line %d: table row end outside table!
windows
windows
UIInitPropertyFromString(UIKEY_Title) failed
UIInitPropertyFromString(UIKEY_Title) failed
{mswrd8.wpc
{mswrd8.wpc
write.wpc
write.wpc
mswrd6.wpc
mswrd6.wpc
Windows Wordpad Application
Windows Wordpad Application
6.1.7601.17514 (win7sp1_rtm.101119-1850)
6.1.7601.17514 (win7sp1_rtm.101119-1850)
WORDPAD.EXE
WORDPAD.EXE
Windows
Windows
Operating System
Operating System
6.1.7601.17514
6.1.7601.17514
Microsoft-Windows-Wordpad/Diagnostic
Microsoft-Windows-Wordpad/Diagnostic
Microsoft-Windows-Wordpad/Debug
Microsoft-Windows-Wordpad/Debug
Microsoft-Windows-Wordpad/Admin
Microsoft-Windows-Wordpad/Admin
Wordpad_LivePreviewExecute
Wordpad_LivePreviewExecute