Susp_Dropper (Kaspersky), Trojan.GenericKD.2781107 (AdAware), Backdoor.Win32.Farfli.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.IEDummy.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a12b063dee95d77e53618c86168e9486
SHA1: fca875a33d25b51649152c30969456f36d5c46ce
SHA256: f9c8e0a92b3a555e40259d8e5f46276c6fb41267c22790e3d1b521c78c5049d2
SSDeep: 393216:QT5jJo2 X HeKg0Ou2mTrD0eswywv3cIn7Ky6KlUU:Ia Hq0OPmTrZswy2dL6KlUU
Size: 15493120 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-07-12 07:33:22
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
autorun.exe:2016
write.exe:544
%original file name%.exe:276
Media.exe:1632
Programme.exe:1996
bis.exe:1748
bis.exe:1232
cefal.exe:504
cefal.exe:644
The Trojan injects its code into the following process(es):
write.exe:496
svchost.exe:716
svchost.exe:268
iexplore.exe:1860
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process autorun.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_tmpfnt_1\Arial_1.TFT (3824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_tmpfnt_1\Edwardian Script ITC.TFT (64 bytes)
The process write.exe:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.dat (290 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
The process %original file name%.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Programme.exe (96836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Media.exe (9606 bytes)
The process Media.exe:1632 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bis.exe (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cefal.exe (5442 bytes)
The process Programme.exe:1996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\Disc 01.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\1 AM.rar (9241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\19.btn (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\autorun.exe (19594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\6.btn (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\2010_1.bmp (8737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\5.btn (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\17.8.btn (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\11.btn (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Icons\Disc 01.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Plugins\SLIDER\SLIDER.APO (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\3 AM.rar (11034 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\2 AM.rar (11034 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd (13454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\Diamond-3.btn (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\open_face_book_blank_T.png (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\button.btn (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\20120.bmp (8737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\open_face_book_blank_T_1.png (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\17.9.btn (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\1.btn (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\01.mp3 (40935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\9.btn (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\2010.bmp (8737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\machine2.btn (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\012.bmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\Perspective Diamond 1.btn (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\Sans titre.bmp (20 bytes)
The process bis.exe:1748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\MCMP\mncxd.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H7R4X9Y.cfg (2 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\x.html (0 bytes)
The process cefal.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\MXPMX\mcigm.exe (7385 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.cfg (2 bytes)
Registry activity
The process autorun.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 D6 7C B4 54 DB B1 90 23 AC FB 9D B6 FC 24 F8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process write.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 69 E6 40 23 A6 6E FD C7 B6 89 E5 4C 33 F0 CB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process write.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 64 24 3E 7C A6 CB E0 11 79 CC 4C 62 30 DF 9D"
The process %original file name%.exe:276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 68 38 42 FA 0B BE F4 D6 45 C0 B1 08 D9 FA 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"programme.exe" = "AutoPlay Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process Media.exe:1632 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "99 8F 04 41 85 FA CE CD AC 07 58 24 82 02 CF 5F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"cefal.exe" = "cefal"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process Programme.exe:1996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 B3 EB 09 D9 E7 7F E5 9A CF 33 92 B7 C6 FA BE"
The process bis.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 0A B5 EF 0C 8A 71 5D 5F 3B 25 CE 7B F0 B5 A7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7EVAL775-6E0K-4C23-21G5-M0Q18MWC7472}]
"StubPath" = "%System%\MCMP\mncxd.exe restart"
[HKCU\Software\H7R4X9Y]
"ServerStarted" = "11/29/2015 3:48:14 AM"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\H7R4X9Y]
"InstalledServer" = "%System%\MCMP\mncxd.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"MNCXD" = "%System%\MCMP\mncxd.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\MCMP\mncxd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MNCXD" = "%System%\MCMP\mncxd.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\MCMP\mncxd.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MNCXD" = "%System%\MCMP\mncxd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JKML" = "%System%\MCMP\mncxd.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MCMP\mncxd.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JKLL" = "%System%\MCMP\mncxd.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MCMP\mncxd.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MNCXD" = "%System%\MCMP\mncxd.exe"
The process bis.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 1E 5B 82 4F E7 BB 83 F8 F4 67 F0 D0 C1 3B 44"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process cefal.exe:504 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 7D 03 6B 80 99 76 0B 07 BA 34 5D 6C 45 45 00"
The process cefal.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 2E 33 C2 85 78 FE BB 6D EA 1A 30 F0 C0 3F C9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\H5JCKLMWAV]
"InstalledServer" = "%System%\MXPMX\mcigm.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\MXPMX\mcigm.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{J5D61A3M-KFBD-7F2K-GLU1-K7S5MBIBK0T8}]
"StubPath" = "%System%\MXPMX\mcigm.exe restart"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\H5JCKLMWAV]
"ServerStarted" = "11/29/2015 3:48:12 AM"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"MCIGM" = "%System%\MXPMX\mcigm.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"MCIGM" = "%System%\MXPMX\mcigm.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%System%\MXPMX\mcigm.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MXPMX\mcigm.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MCIGM" = "%System%\MXPMX\mcigm.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MCIGM" = "%System%\MXPMX\mcigm.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMPM" = "%System%\MXPMX\mcigm.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SPMMX" = "%System%\MXPMX\mcigm.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MXPMX\mcigm.exe"
Dropped PE files
MD5 | File path |
---|---|
d24d14a9f5a94ce5fb541ee1d2f4399d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Media.exe |
b57bbc44ced38af7634508a1f925b7c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Programme.exe |
9c3f7e5ac6dd57b8cc4bff253f5729e5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Plugins\SLIDER\SLIDER.APO |
62ec194cb53963811bdeb7102e7622a3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ir_ext_temp_0\autorun.exe |
e828f8f685317b451192dd2d34b304cd | c:\WINDOWS\system32\MCMP\mncxd.exe |
179b4693099c3db426e6c5aee38fba3f | c:\WINDOWS\system32\MXPMX\mcigm.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
autorun.exe:2016
write.exe:544
%original file name%.exe:276
Media.exe:1632
Programme.exe:1996
bis.exe:1748
bis.exe:1232
cefal.exe:504
cefal.exe:644
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_tmpfnt_1\Arial_1.TFT (3824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_tmpfnt_1\Edwardian Script ITC.TFT (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.dat (290 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Programme.exe (96836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Media.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bis.exe (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cefal.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\Disc 01.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\1 AM.rar (9241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\19.btn (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\autorun.exe (19594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\6.btn (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\2010_1.bmp (8737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\5.btn (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\Click1.ogg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\17.8.btn (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\11.btn (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\High1.ogg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Icons\Disc 01.ico (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Plugins\SLIDER\SLIDER.APO (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\3 AM.rar (11034 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\2 AM.rar (11034 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd (13454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\Diamond-3.btn (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\open_face_book_blank_T.png (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\button.btn (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\20120.bmp (8737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\open_face_book_blank_T_1.png (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\17.9.btn (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\1.btn (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Audio\01.mp3 (40935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\9.btn (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\2010.bmp (8737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\machine2.btn (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\012.bmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Buttons\Perspective Diamond 1.btn (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Images\Sans titre.bmp (20 bytes)
%System%\MCMP\mncxd.exe (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H7R4X9Y.cfg (2 bytes)
%System%\MXPMX\mcigm.exe (7385 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Windows\H5JCKLMWAV.cfg (2 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MNCXD" = "%System%\MCMP\mncxd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JKML" = "%System%\MCMP\mncxd.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"JKLL" = "%System%\MCMP\mncxd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MNCXD" = "%System%\MCMP\mncxd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MCIGM" = "%System%\MXPMX\mcigm.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MCIGM" = "%System%\MXPMX\mcigm.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMPM" = "%System%\MXPMX\mcigm.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SPMMX" = "%System%\MXPMX\mcigm.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MCMP\mncxd.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MCMP\mncxd.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MXPMX\mcigm.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe %System%\MXPMX\mcigm.exe"
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.1.22.03
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.22.03
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 609521 | 609792 | 4.60546 | c396d323876086049d868cf5a433f8ed |
.rdata | 614400 | 58862 | 58880 | 3.76537 | 675c39c4d49c6af57c9bb434b89fc8c4 |
.data | 675840 | 37336 | 11264 | 2.5949 | ba878620fda1aef1e8809380dfebbff6 |
.rsrc | 716800 | 14812024 | 14812160 | 5.53295 | 744711110ac1a2a111a5f8e783b42871 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Programme.exe_1996:
autorun.exe_2016:
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
Smoothing not supported with nonstandard sampling ratios
RST%d
RST%d
At marker 0xx, recovery action %d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
= = = = = = = =
Obtained EMS handle %u
Obtained EMS handle %u
Freed EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Unsupported marker type 0xx
Failed to create temporary file %s
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Cannot quantize more than %d color components
Insufficient memory (case %d)
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DQT index %d
Bogus DHT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC value 0x%x
Bogus DAC index %d
Bogus DAC index %d
Unsupported color conversion request
Unsupported color conversion request
Too many color components: %d, max %d
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
IDCT output block size %d not supported
Invalid component ID %d in SOS
Invalid component ID %d in SOS
Bogus message code %d
Bogus message code %d
%s: Write error at scanline %lu
%s: Write error at scanline %lu
%s: Seek error at scanline %lu
%s: Seek error at scanline %lu
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
"%s": Information lost writing value (%g) as (unsigned) RATIONAL
Error writing data for field "%s"
Error writing data for field "%s"
%s: Error writing SubIFD directory link
%s: Error writing SubIFD directory link
ExifInteroperabilityOffset
ExifInteroperabilityOffset
InteroperabilityIndex
InteroperabilityIndex
InteroperabilityVersion
InteroperabilityVersion
Unknown zTXt compression type %d
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
incorrect gamma=(%d/100000)
Internal error, unknown tag 0x%x
Internal error, unknown tag 0x%x
Tag %d
Tag %d
Compression scheme %u %s encoding is not implemented
Compression scheme %u %s encoding is not implemented
%s %s encoding is not implemented
%s %s encoding is not implemented
Compression scheme %u %s decoding is not implemented
Compression scheme %u %s decoding is not implemented
%s %s decoding is not implemented
%s %s decoding is not implemented
Compression algorithm does not support random access
Compression algorithm does not support random access
%s: cannot handle zero strip size
%s: cannot handle zero strip size
%s: cannot handle zero tile size
%s: cannot handle zero tile size
%s: cannot handle zero scanline size
%s: cannot handle zero scanline size
%s: Bogus "%s" field, ignoring and calculating from imagelength
%s: Bogus "%s" field, ignoring and calculating from imagelength
%s: TIFF directory is missing required "%s" field, calculating from imagelength
%s: TIFF directory is missing required "%s" field, calculating from imagelength
%s: cannot handle zero number of %s
%s: cannot handle zero number of %s
%s: wrong data type %d for "%s"; tag ignored
%s: wrong data type %d for "%s"; tag ignored
%s: unknown field with tag %d (0x%x) encountered
%s: unknown field with tag %d (0x%x) encountered
%s: invalid TIFF directory; tags are not sorted in ascending order
%s: invalid TIFF directory; tags are not sorted in ascending order
%s: Can not read TIFF directory
%s: Can not read TIFF directory
%s: Can not read TIFF directory count
%s: Can not read TIFF directory count
%s: Seek error accessing TIFF directory
%s: Seek error accessing TIFF directory
%s: Failed to allocate space for IFD list
%s: Failed to allocate space for IFD list
No space %s
No space %s
%s: Cannot determine size of unknown tag type %d
%s: Cannot determine size of unknown tag type %d
%s: TIFF directory is missing required "%s" field
%s: TIFF directory is missing required "%s" field
incorrect count for field "%s" (%lu, expecting %lu); tag trimmed
incorrect count for field "%s" (%lu, expecting %lu); tag trimmed
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
incorrect count for field "%s" (%lu, expecting %lu); tag ignored
Error fetching data for field "%s"
Error fetching data for field "%s"
%s: Rational with zero denominator (num = %lu)
%s: Rational with zero denominator (num = %lu)
Cannot handle different per-sample values for field "%s"
Cannot handle different per-sample values for field "%s"
cannot read TIFF_ANY type %d for field "%s"
cannot read TIFF_ANY type %d for field "%s"
%ld%c
%ld%c
%s compression support is not configured
%s compression support is not configured
?%s: No space for LogLuv state block
?%s: No space for LogLuv state block
Inappropriate photometric interpretation %d for SGILog compression; %s
Inappropriate photometric interpretation %d for SGILog compression; %s
LogL16Decode: Not enough data at row %d (short %d pixels)
LogL16Decode: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode24: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
LogLuvDecode32: Not enough data at row %d (short %d pixels)
%s: No space for SGILog translation buffer
%s: No space for SGILog translation buffer
No support for converting user data format to LogL
No support for converting user data format to LogL
No support for converting user data format to LogLuv
No support for converting user data format to LogLuv
SGILog compression supported only for %s, or raw data
SGILog compression supported only for %s, or raw data
Unknown data format %d for LogLuv compression
Unknown data format %d for LogLuv compression
Unknown encoding %d for LogLuv compression
Unknown encoding %d for LogLuv compression
PixarLog compression can't handle bits depth/data format combination (depth: %d)
PixarLog compression can't handle bits depth/data format combination (depth: %d)
%d bit input not supported in PixarLog
%d bit input not supported in PixarLog
PixarLogDecode: unsupported bits/sample: %d
PixarLogDecode: unsupported bits/sample: %d
%s: zlib error: %s
%s: zlib error: %s
%s: Not enough data at scanline %d (short %d bytes)
%s: Not enough data at scanline %d (short %d bytes)
%s: Decoding error at scanline %d, %s
%s: Decoding error at scanline %d, %s
PixarLog compression can't handle %d bit linear encodings
PixarLog compression can't handle %d bit linear encodings
%s: Encoder error: %s
%s: Encoder error: %s
%s: No space for state block
%s: No space for state block
%s: Bad code word at scanline %d (x %lu)
%s: Bad code word at scanline %d (x %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: %s at scanline %d (got %lu, expected %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: Premature EOF at scanline %d (x %lu)
%s: No space for Group 3/4 reference line
%s: No space for Group 3/4 reference line
%s: Uncompressed data (not supported) at scanline %d (x %lu)
%s: Uncompressed data (not supported) at scanline %d (x %lu)
Fax SubAddress: %s
Fax SubAddress: %s
(%u = 0x%x)
(%u = 0x%x)
%suncompressed data
%suncompressed data
%sEOL padding
%sEOL padding
%s2-d encoding
%s2-d encoding
%s compression not supported
%s compression not supported
Tiled Wang image not supported in libtiff
Tiled Wang image not supported in libtiff
Does not support lossless Huffman coding
Does not support lossless Huffman coding
Decompressor will try reading with sampling %d,%d.
Decompressor will try reading with sampling %d,%d.
Improper JPEG sampling factors %d,%d
Improper JPEG sampling factors %d,%d
Apparently should be %d,%d.
Apparently should be %d,%d.
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
Improper JPEG strip/tile size, expected %dx%d, got %dx%d
RowsPerStrip must be multiple of %d for JPEG
RowsPerStrip must be multiple of %d for JPEG
JPEG tile width must be multiple of %d
JPEG tile width must be multiple of %d
JPEG tile height must be multiple of %d
JPEG tile height must be multiple of %d
BitsPerSample %d not allowed for JPEG
BitsPerSample %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
PhotometricInterpretation %d not allowed for JPEG
ThunderDecode: %s data at scanline %ld (%lu != %lu)
ThunderDecode: %s data at scanline %ld (%lu != %lu)
PackBitsDecode: discarding %d bytes to avoid buffer overrun
PackBitsDecode: discarding %d bytes to avoid buffer overrun
LZWDecode: Corrupted LZW table at scanline %d
LZWDecode: Corrupted LZW table at scanline %d
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Not enough data at scanline %d (short %d bytes)
LZWDecode: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecode: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecode: Strip %d not terminated with EOI code
LZWDecode: Strip %d not terminated with EOI code
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecode: Bogus encoding, loop in the code table; scanline %d
LZWDecodeCompat: Corrupted LZW table at scanline %d
LZWDecodeCompat: Corrupted LZW table at scanline %d
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
LZWDecodeCompat: Not enough data at scanline %d (short %d bytes)
LZWDecodeCompat: Wrong length of decoded string: data probably corrupted at scanline %d
LZWDecodeCompat: Wrong length of decoded string: data probably corrupted at scanline %d
DumpModeDecode: Not enough data for scanline %d
DumpModeDecode: Not enough data for scanline %d
Horizontal differencing "Predictor" not supported with %d-bit samples
Horizontal differencing "Predictor" not supported with %d-bit samples
"Predictor" value %d not supported
"Predictor" value %d not supported
%u (0x%x)
%u (0x%x)
Lua 5.0.2
Lua 5.0.2
bad argument #%d to `%s' (%s)
bad argument #%d to `%s' (%s)
calling `%s' on bad self (%s)
calling `%s' on bad self (%s)
%s expected, got %s
%s expected, got %s
%s:%d:
%s:%d:
stack overflow (%s)
stack overflow (%s)
cannot read %s: %s
cannot read %s: %s
attempt to %s a %s value
attempt to %s a %s value
attempt to %s %s `%s' (a %s value)
attempt to %s %s `%s' (a %s value)
attempt to compare %s with %s
attempt to compare %s with %s
attempt to compare two %s values
attempt to compare two %s values
%s:%d: %s
%s:%d: %s
system error %d
system error %d
file (%s)
file (%s)
`popen' not supported
`popen' not supported
field `%s' missing in date table
field `%s' missing in date table
^$* ?.([%-
^$* ?.([%-
missing `[' after `%%f' in pattern
missing `[' after `%%f' in pattern
no function environment for tail call at level %d
no function environment for tail call at level %d
could not load package `%s' from path `%s'
could not load package `%s' from path `%s'
error loading package `%s' (%s)
error loading package `%s' (%s)
?;?.lua
?;?.lua
`__pow' (`^' operator) is not a function
`__pow' (`^' operator) is not a function
invalid key for `next'
invalid key for `next'
too many %s (limit=%d)
too many %s (limit=%d)
%s:%d: %s near `%s'
%s:%d: %s near `%s'
char(%d)
char(%d)
`%s' expected (to close `%s' at line %d)
`%s' expected (to close `%s' at line %d)
`%s' expected
`%s' expected
bad code in %s
bad code in %s
unexpected end of file in %s
unexpected end of file in %s
bad integer in %s
bad integer in %s
bad nupvalues in %s: read %d; expected %d
bad nupvalues in %s: read %d; expected %d
bad constant type (%d) in %s
bad constant type (%d) in %s
unknown number format in %s
unknown number format in %s
%s too old: read version %d.%d; expected at least %d.%d
%s too old: read version %d.%d; expected at least %d.%d
%s too new: read version %d.%d; expected at most %d.%d
%s too new: read version %d.%d; expected at most %d.%d
bad signature in %s
bad signature in %s
virtual machine mismatch in %s: size of %s is %d but read %d
virtual machine mismatch in %s: size of %s is %d but read %d
C:\Dev\fmodsrc375win\src\fsound_stream.c
C:\Dev\fmodsrc375win\src\fsound_stream.c
http:\\
http:\\
C:\Dev\fmodsrc375win\src\fsound.c
C:\Dev\fmodsrc375win\src\fsound.c
C:\Dev\fmodsrc375win\src\fsound_tag.c
C:\Dev\fmodsrc375win\src\fsound_tag.c
C:\Dev\fmodsrc375win\src\system_memory.c
C:\Dev\fmodsrc375win\src\system_memory.c
C:\Dev\fmodsrc375win\src\fsound_dsp.c
C:\Dev\fmodsrc375win\src\fsound_dsp.c
C:\Dev\fmodsrc375win\src\system_thread.c
C:\Dev\fmodsrc375win\src\system_thread.c
C:\Dev\fmodsrc375win\src\system_file.c
C:\Dev\fmodsrc375win\src\system_file.c
The DLLs/EXEs of ASPI don't version check
The DLLs/EXEs of ASPI don't version check
No resources available to execute cmd
No resources available to execute cmd
ASPI for windows failed init
ASPI for windows failed init
Unsupported Windows mode
Unsupported Windows mode
ASPI manager doesn't support Windows
ASPI manager doesn't support Windows
C:\Dev\fmodsrc375win\win\src\fsound_cdda.c
C:\Dev\fmodsrc375win\win\src\fsound_cdda.c
\\.\%c:
\\.\%c:
ERROR: %c: already open
ERROR: %c: already open
ERROR: Couldn't access CD/DVD device at %c:
ERROR: Couldn't access CD/DVD device at %c:
ERROR: %s
ERROR: %s
ERROR: Failed to initialise ASPI (%s)
ERROR: Failed to initialise ASPI (%s)
wmvcore.dll
wmvcore.dll
C:\Dev\fmodsrc375win\win\src\format_asf.cpp
C:\Dev\fmodsrc375win\win\src\format_asf.cpp
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\vorbisfile.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\vorbisfile.c
C:\Dev\fmodsrc375win\win\src\format_dshow.c
C:\Dev\fmodsrc375win\win\src\format_dshow.c
C:\Dev\fmodsrc375win\src\fsound_sample.c
C:\Dev\fmodsrc375win\src\fsound_sample.c
C:\Dev\fmodsrc375win\src\format_mpeg.c
C:\Dev\fmodsrc375win\src\format_mpeg.c
C:\Dev\fmodsrc375win\src\format_oggvorbis.c
C:\Dev\fmodsrc375win\src\format_oggvorbis.c
C:\Dev\fmodsrc375win\src\format_wav.c
C:\Dev\fmodsrc375win\src\format_wav.c
C:\Dev\fmodsrc375win\src\format_fsb.c
C:\Dev\fmodsrc375win\src\format_fsb.c
C:\Dev\fmodsrc375win\src\format_oggvorbis_net.c
C:\Dev\fmodsrc375win\src\format_oggvorbis_net.c
C:\Dev\fmodsrc375win\src\format_mpeg_net.c
C:\Dev\fmodsrc375win\src\format_mpeg_net.c
StreamUrl='
StreamUrl='
HTTP/1.1
HTTP/1.1
HTTP/1.0
HTTP/1.0
C:\Dev\fmodsrc375win\src\fsound_stream_net.c
C:\Dev\fmodsrc375win\src\fsound_stream_net.c
ice-url
ice-url
ice-url:
ice-url:
icy-url
icy-url
icy-url:
icy-url:
Authorization: Basic %s
Authorization: Basic %s
Host: %s
Host: %s
GET %s HTTP/1.1
GET %s HTTP/1.1
C:\Dev\fmodsrc375win\src\sound_software.c
C:\Dev\fmodsrc375win\src\sound_software.c
C:\Dev\fmodsrc375win\win\src\output_winmm.c
C:\Dev\fmodsrc375win\win\src\output_winmm.c
ddraw.dll
ddraw.dll
\d3d9.dll
\d3d9.dll
dsound3d.dll
dsound3d.dll
dsound.dll
dsound.dll
%s: Left = ASIO CH %d Right = ASIO CH %d
%s: Left = ASIO CH %d Right = ASIO CH %d
C:\Dev\fmodsrc375win\win\src\output_asio.cpp
C:\Dev\fmodsrc375win\win\src\output_asio.cpp
C:\Dev\fmodsrc375win\win\src\fsound_systemmixer_win32.c
C:\Dev\fmodsrc375win\win\src\fsound_systemmixer_win32.c
Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
Software\Microsoft\Windows\CurrentVersion\Multimedia\MIDIMap
C:\Dev\fmodsrc375win\win\src\music_formatmidi.c
C:\Dev\fmodsrc375win\win\src\music_formatmidi.c
C:\Dev\fmodsrc375win\src\fsound_dsp_fft.c
C:\Dev\fmodsrc375win\src\fsound_dsp_fft.c
C:\Dev\fmodsrc375win\ogg_vorbis\ogg\src\framing.c
C:\Dev\fmodsrc375win\ogg_vorbis\ogg\src\framing.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\info.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\info.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\block.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\block.c
C:\Dev\fmodsrc375win\src\format_it.c
C:\Dev\fmodsrc375win\src\format_it.c
C:\Dev\fmodsrc375win\src\system_net.c
C:\Dev\fmodsrc375win\src\system_net.c
C:\Dev\fmodsrc375win\src\music_formatmod.c
C:\Dev\fmodsrc375win\src\music_formatmod.c
C:\Dev\fmodsrc375win\src\music_formatit.c
C:\Dev\fmodsrc375win\src\music_formatit.c
C:\Dev\fmodsrc375win\src\music_formatxm.c
C:\Dev\fmodsrc375win\src\music_formatxm.c
C:\Dev\fmodsrc375win\src\music_formats3m.c
C:\Dev\fmodsrc375win\src\music_formats3m.c
C:\Dev\fmodsrc375win\src\music_formatfsb.c
C:\Dev\fmodsrc375win\src\music_formatfsb.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\psy.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\psy.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\sharedbook.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\sharedbook.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\codebook.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\codebook.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\mdct.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\mdct.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\envelope.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\envelope.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\mapping0.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\mapping0.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\res0.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\res0.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\floor1.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\floor1.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\floor0.c
C:\Dev\fmodsrc375win\ogg_vorbis\vorbis\lib\floor0.c
%s %s
%s %s
%s %s (%s)
%s %s (%s)
u/u/u u:u
u/u/u u:u
%s %lx
%s %lx
%s %d %s
%s %d %s
All Files|*.*||
All Files|*.*||
dzprog32 /%c /u /T=%s
dzprog32 /%c /u /T=%s
Version: 4.00.04 - %s %s
Version: 4.00.04 - %s %s
%s [Memory]
%s [Memory]
%s [Tested]
%s [Tested]
%s [Extracted]
%s [Extracted]
--- DynaZIP UnZIP Log - %s ---
--- DynaZIP UnZIP Log - %s ---
\DUNZLOG.TXT
\DUNZLOG.TXT
%s exists and is Read Only, do you want to overwrite it?
%s exists and is Read Only, do you want to overwrite it?
Decryption key not provided, or too long
Decryption key not provided, or too long
UNZIPCMDSTRUCT Size is incorrect.
UNZIPCMDSTRUCT Size is incorrect.
\DYNAZIP.LOG
\DYNAZIP.LOG
decryptFlag: %d
decryptFlag: %d
returnCount: %d
returnCount: %d
noDirectoryItemsFlag: %d
noDirectoryItemsFlag: %d
recurseFlag: %d
recurseFlag: %d
noDirectoryNamesFlag: %d
noDirectoryNamesFlag: %d
testFlag: %d
testFlag: %d
quietFlag: %d
quietFlag: %d
overWriteFlag: %d
overWriteFlag: %d
updateFlag: %d
updateFlag: %d
freshenFlag: %d
freshenFlag: %d
index: %d
index: %d
Function: %d
Function: %d
--- DynaZIP UnZIP Diagnostic Log - %s ---
--- DynaZIP UnZIP Diagnostic Log - %s ---
returnCount: %d
returnCount: %d
File to Memory: %s
File to Memory: %s
Testing: %s
Testing: %s
Extracting: %s
Extracting: %s
Item %d of %d
Item %d of %d
%s is encrypted, and you have not provided the correct code. Go to next item (if any)?
%s is encrypted, and you have not provided the correct code. Go to next item (if any)?
%s exists, do you want to overwrite it?
%s exists, do you want to overwrite it?
User skipped this operation
User skipped this operation
User cancelled this operation
User cancelled this operation
Bad or missing decryption key
Bad or missing decryption key
Application cancelled operation
Application cancelled operation
Multi-disk archive, not supported
Multi-disk archive, not supported
Target Media is NON-Removable and can not be used for a Multi-Volume operation.
Target Media is NON-Removable and can not be used for a Multi-Volume operation.
Please insert Disk Volume %d of %d.
Please insert Disk Volume %d of %d.
Please insert Disk Volume %d.
Please insert Disk Volume %d.
PKBACK# d
PKBACK# d
dzprog32.exe /%c /z /T=%s
dzprog32.exe /%c /z /T=%s
:;,= "[]|
:;,= "[]|
-.Z:.zip:.zoo:.arc:.lzh:.arj
-.Z:.zip:.zoo:.arc:.lzh:.arj
PKBACK# .d
PKBACK# .d
%s [Deleted]
%s [Deleted]
%s [Added]
%s [Added]
--- DynaZIP ZIP Log - %s ---
--- DynaZIP ZIP Log - %s ---
\DZIPLOG.TXT
\DZIPLOG.TXT
Wiping Drive %c:...
Wiping Drive %c:...
Formatting Cylinder %d
Formatting Cylinder %d
Formatting Drive %c:...
Formatting Drive %c:...
zip error: STORE not supported for pipes or devices
zip error: STORE not supported for pipes or devices
local extra (%d bytes) != central extra (%d bytes):
local extra (%d bytes) != central extra (%d bytes):
has %d bytes of extra data:
has %d bytes of extra data:
unknown internal attributes = 0xx:
unknown internal attributes = 0xx:
starts on disk %u:
starts on disk %u:
unknown compression method %u:
unknown compression method %u:
undefined bits used in flags = 0xx:
undefined bits used in flags = 0xx:
local flags = 0xx, central = 0xx:
local flags = 0xx, central = 0xx:
needs unzip %d.%d on system type %d:
needs unzip %d.%d on system type %d:
made by version %d.%d on system type %d:
made by version %d.%d on system type %d:
Could not complete operation
Could not complete operation
Operation interrupted by application
Operation interrupted by application
encryptFlag: %d
encryptFlag: %d
dontCompressTheseSuffixesFlag: %d
dontCompressTheseSuffixesFlag: %d
includeSysHiddenFlag: %d
includeSysHiddenFlag: %d
noDirectoryEntriesFlag: %d
noDirectoryEntriesFlag: %d
excludeFollowingFlag: %d
excludeFollowingFlag: %d
includeOnlyFollowingFlag: %d
includeOnlyFollowingFlag: %d
oldAsLatestFlag: %d
oldAsLatestFlag: %d
afterDateFlag: %d
afterDateFlag: %d
addCommentFlag: %d
addCommentFlag: %d
convertLFtoCRLFFlag: %d
convertLFtoCRLFFlag: %d
growExistingFlag: %d
growExistingFlag: %d
deleteOriginalFlag: %d
deleteOriginalFlag: %d
includeVolumeFlag: %d
includeVolumeFlag: %d
fixHarderFlag: %d
fixHarderFlag: %d
fixFlag: %d
fixFlag: %d
pathForTempFlag: %d
pathForTempFlag: %d
compFactor: %d
compFactor: %d
dosifyFlag: %d
dosifyFlag: %d
Function: %d
Function: %d
--- DynaZIP ZIP Diagnostic Log - %s ---
--- DynaZIP ZIP Diagnostic Log - %s ---
was getting encryption password
was getting encryption password
encryption not supported
encryption not supported
\\.\vwin32
\\.\vwin32
.?AVCCmdUI@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCUserException@@
.PAVCSimpleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCNotSupportedException@@
.?AVCNotSupportedException@@
.?AVCNotSupportedException@@
.PAVCArchiveException@@
.PAVCArchiveException@@
.?AVCHttpConnection@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.?AVCHttpFile@@
.PAVCOleException@@
.PAVCOleException@@
.PAVCOleDispatchException@@
.PAVCOleDispatchException@@
zcÃ
zcÃ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ir_ext_temp_0\autorun.exe
333333334
333333334
.nM(aL8
.nM(aL8
(H7.www
(H7.www
.bXXXA
.bXXXA
|.%rW{{{{{{{{{{{~/%se
|.%rW{{{{{{{{{{{~/%se
{.vv.
{.vv.
W.öd
W.öd
version="7.1.1000.0"
version="7.1.1000.0"
name="autorun.exe"/>
name="autorun.exe"/>
name="Microsoft.Windows.Common-Controls"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
publicKeyToken="6595b64144ccf1df"
eDRMHeader.SubscriptionContentID
eDRMHeader.SubscriptionContentID
DRMHeader.ContentDistributor
DRMHeader.ContentDistributor
DRMHeader.SECURITYVERSION
DRMHeader.SECURITYVERSION
DRMHeader.CID
DRMHeader.CID
DRMHeader.LAINFO
DRMHeader.LAINFO
DRMHeader.KID
DRMHeader.KID
LicenseStateData.Transfer.NONSDMI
LicenseStateData.Transfer.NONSDMI
LicenseStateData.Transfer.SDMI
LicenseStateData.Transfer.SDMI
LicenseStateData.Print.redbook
LicenseStateData.Print.redbook
LicenseStateData.Play
LicenseStateData.Play
ActionAllowed.Backup
ActionAllowed.Backup
ActionAllowed.Transfer.NONSDMI
ActionAllowed.Transfer.NONSDMI
ActionAllowed.Transfer.SDMI
ActionAllowed.Transfer.SDMI
ActionAllowed.Print.redbook
ActionAllowed.Print.redbook
ActionAllowed.Play
ActionAllowed.Play
BaseLAURL
BaseLAURL
Transfer.NONSDMI
Transfer.NONSDMI
Transfer.SDMI
Transfer.SDMI
Print.redbook
Print.redbook
CopyrightURL
CopyrightURL
BannerImageURL
BannerImageURL
WM/AlbumCoverURL
WM/AlbumCoverURL
WM/PromotionURL
WM/PromotionURL
To see what data this error report contains,
To see what data this error report contains,
We have created an error report which will help us to improve this product. We will treat this report as confidential and anonymous. No personal data will be transmitted other than what you provide to us.
We have created an error report which will help us to improve this product. We will treat this report as confidential and anonymous. No personal data will be transmitted other than what you provide to us.
Jump target not found2The operating system is out of memory or resources!The specified file was not found.!The specified path was not found.AThe .exe file is invalid (non-Win32 .exe or error in .exe image).9The operating system denied access to the specified file.3The file name association is incomplete or invalid._The DDE transaction could not be completed because other DDE transactions were being processed.
Jump target not found2The operating system is out of memory or resources!The specified file was not found.!The specified path was not found.AThe .exe file is invalid (non-Win32 .exe or error in .exe image).9The operating system denied access to the specified file.3The file name association is incomplete or invalid._The DDE transaction could not be completed because other DDE transactions were being processed.
svchost.exe_716:
svchost.exe_716_rwx_00C80000_00016000:
write.exe_496:
write.exe_496_rwx_00C80000_00016000:
svchost.exe_268:
svchost.exe_268_rwx_00C80000_00016000:
iexplore.exe_1860:
iexplore.exe_1860_rwx_00C80000_00016000: