Trojan.Win32.FlyStudio_4a8e6ecbd9

by malwarelabrobot on July 3rd, 2014 in Malware Descriptions.

Trojan.Generic.11348234 (AdAware), Packed.Win32.Themida.FD, Trojan-Downloader.Win32.Karagany.1.FD, Trojan-PSW.Win32.Bzub.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Worm, EmailWorm, Packed


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 4a8e6ecbd99caa4dba4ddac09d212eeb
SHA1: cad18c7c42e6e9a59fc7c3c25dad7ac911ea2fa7
SHA256: c30222eda2006417a0a7f30a641cf5d8fd4376226f97ba12bf5fd78613b8d813
SSDeep: 24576:CEl9/ZBGZp4uw1s2ZihpPHuTjFCH3H81Ow8gcdX8n oSY5RExNEXOq:CEl9gpfQKpOjFyc1Ow8gO8dSY5 q
Size: 1404928 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 2014-04-22 20:23:17
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

mscorsvw.exe:1924
%original file name%.exe:1692

The Trojan injects its code into the following process(es):

.exe:1728

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\ .bat (109 bytes)
C:\jm_c (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\404[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\desktop.ini (67 bytes)
C:\.exe (9605 bytes)

The Trojan deletes the following file(s):

C:\jm_c (0 bytes)

The process .exe:1728 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\km[1].gif (18723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\desktop.ini (67 bytes)
%WinDir%\Code2.txt (96 bytes)
C:\jm_c (3929 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\Cookies[1].txt (369209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\gg[1].htm (557 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214\index.dat (0 bytes)
C:\jm_c (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216 (0 bytes)

Registry activity

The process mscorsvw.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"

The process %original file name%.exe:1692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 E9 32 3D FE 8E 39 D4 2A F2 02 9B C0 8E FF EB"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Cache" = "A8 03 00 00 02 00 00 00 E3 04 00 00 01 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process .exe:1728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014070220140703]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014070220140703\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014070220140703]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 87 CE 31 93 A1 FF 71 61 CE 68 18 FD BA 8C 29"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014070220140703]
"CacheLimit" = "8192"
"CachePrefix" = ":2014070220140703:"
"CacheRepair" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130212]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021520130216]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021320130214]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
282b54d682e75a42e561891bfe07d433 c:\.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????
Product Name: ??QQ?????????V1.3.0
Product Version: 1.3.0.0
Legal Copyright: ???? - ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.3.0.0
File Description: ??QQ?????????V1.3.0
Comments: ??????????(http://www.eyuyan.com)
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 1642496 577536 5.5436 a6697e5932cda643ce315bb809a859a8
.sedata 1646592 794624 794624 5.42841 bb1757da7191f60e5859cff5e4386b64
.idata 2441216 4096 4096 1.09609 e3308f4047e3c634f67aee72d22603ef
.rsrc 2445312 20480 20480 2.69547 19f8b603ca07a7531ea380017513fd06
.sedata 2465792 4096 4096 5.53265 aa9ea5a3001ca79f3730d9267cb5a2c3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://404.safedog.cn/images/safedogsite/404.jpg 222.76.215.181
hxxp://www.nn06.com/gg/sszan/gg.html 112.90.232.187
hxxp://www.nn06.com/shuoshuozan/Config.txt 112.90.232.187
hxxp://www.nn06.com/gg/sszan/km.gif 112.90.232.187
hxxp://www.nn06.com/Cookies.txt 112.90.232.187
hxxp://xxoo.nn06.com/shuoshuozan/Config.txt 112.90.232.187
hxxp://xxoo.nn06.com/Cookies.txt 112.90.232.187


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET SHELLCODE Possible Call with No Offset TCP Shellcode

Traffic

GET /shuoshuozan/Config.txt HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: xxoo.nn06.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 100
Content-Type: text/plain
Content-Location: hXXp://xxoo.nn06.com/shuoshuozan/Config.txt
Last-Modified: Fri, 27 Jun 2014 10:15:27 GMT
Accept-Ranges: bytes
ETag: "c883c1b7f091cf1:591"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 02 Jul 2014 05:12:17 GMT
....B....Q..KR...=...F..c..`.V....~.k..m./........Qs..![.`}...n. ./'0.
.......J....f.).ul.5ot"..I......


GET /images/safedogsite/404.jpg HTTP/1.1
Accept: */*
Referer: hXXp://VVV.tt3gp.com/zyz.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 404.safedog.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 02 Jul 2014 05:11:26 GMT
Content-Type: image/jpeg
Content-Length: 12365
Last-Modified: Tue, 29 Apr 2014 09:10:40 GMT
Connection: keep-alive
ETag: "535f6c90-304d"
Expires: Fri, 01 Aug 2014 05:11:26 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
......Exif..II*.................Ducky.......P.....mhXXp://ns.adobe.com
/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c06
0 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="h
ttp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rd
f:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="
hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.a
dobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:287202D08D9EE311A
85ADB0FE75D8CDE" xmpMM:DocumentID="xmp.did:8EDD7128CACC11E39F518D75847
616F3" xmpMM:InstanceID="xmp.iid:8EDD7127CACC11E39F518D75847616F3" xmp
:CreatorTool="Adobe Photoshop CS5 Windows"> <xmpMM:DerivedFrom s
tRef:instanceID="xmp.iid:57FF5184B4CAE311AC17AAED9A157652" stRef:docum
entID="xmp.did:287202D08D9EE311A85ADB0FE75D8CDE"/> </rdf:Descrip
tion> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
....Adobe.d...........................................................
......................................................................
..................K...................................................
........................................!1Q.Aaq.".....2B...R#C.b3..r..
...Ss4..........................!1AQ..aq......"2BR.br#.......$........
....?......................................r..%..............bb.g..n..
..Y.[.'.......&.|8.U..L.....z0...tk..Qs...;....p{...VOwd_.....b.=.j.tV
...>.....d.D.x.....|.......aam9.oa..r.az...i.i...O.#.....).1.f%

<<< skipped >>>

GET /gg/sszan/gg.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.nn06.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 557
Content-Type: text/html
Content-Location: hXXp://VVV.nn06.com/gg/sszan/gg.html
Last-Modified: Tue, 17 Jun 2014 13:32:57 GMT
Accept-Ranges: bytes
ETag: "daec4ca6308acf1:591"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 02 Jul 2014 05:12:17 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=gb2312" />..<titl
e>..........</title>..<style type="text/css">..<!--.
.body {...margin-left: 0px;...margin-top: 0px;...margin-right: 0px;...
margin-bottom: 0px;..}..-->..</style></head>..<body&
gt;<a href="hXXp://VVV.zchkm.com" target="_blank"><img src="k
m.gif" width="500" height="70" border="0" /></a>..</body&g
t;..</html>..
....



GET /gg/sszan/km.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.nn06.com/gg/sszan/gg.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.nn06.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 50595
Content-Type: image/gif
Content-Location: hXXp://VVV.nn06.com/gg/sszan/km.gif
Last-Modified: Tue, 17 Jun 2014 13:11:55 GMT
Accept-Ranges: bytes
ETag: "30239ab62d8acf1:591"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 02 Jul 2014 05:12:17 GMT
GIF89a..F............,.........b.....................PN....R`.$ ......
.....#.............*1....7H.5;.#6r.....BBB.iQS.....a``qpp.CI.2.....mq.
..........t...............QPPB.....................o|.`n.LR.2C......D.
.........G.......I..2:.UZ.~...X............................z..........
....u|....~."!!....hm.Y^.g.....vz....DK......111....v8.;A....PV....fk.
:B....bd..*1...."..l.lv..#....z~..........fj.qv..........]a....KQ.....
-..&.............%2..4.......... 9.!....................-;.gr.......R[
.............MW.......pt........._^^..........AR......A........AAA....
..........(..................{zz......%..544........."..............ml
l...5.................-.......................N.....{..]..?..l........
....}......G..........v..PV.s..x........%8..................'&&.......
...........!..NETSCAPE2.0.....!.......,......F........H......*\......#
.t.M....-..W.... C..I....(S.\.....0c..Is...8s....!..@...7....H.*]...S.
=.J.J.......y.....`..eY....h.b......p...K.#..x.JT....au...L...... ^.X$
.........7..3...V.5j.C..........N.Z.i..G.....k..C.t..L..........~|....
.%b.S.I'...t..%{<,....!._.w...v.....~x.x....|..t.)@.1. A.........1a
.7!.. .... .....G9]...FXA. V.....\v..w%..>.L..5..`.h ..A....cH.."..
.t.Q5.|...Dz..H.........G..)%..4..7.X...).$.3.(0.y. ...Z...H..@#.G.T..
Z...5A..M5"|.........l.M...w..2.@...>JN..:*)9....G.Z:)9@T*)..2....H
..>...H....!G.`.1.=9X..4..H..R...>..IR7.....bx..3..##...cm4....5
....5.Z...g@.j4...,..xTA... ...`.M...#...~.K.....8..P..5.._.b...4n.sF.
....8.HF...*po4b@!.>.Js.jA...."(C......."...LSP.....AN.=..@....

<<< skipped >>>

GET /Cookies.txt HTTP/1.1
Referer: hXXp://xxoo.nn06.com/Cookies.txt
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: xxoo.nn06.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 756480
Content-Type: text/plain
Content-Location: hXXp://xxoo.nn06.com/Cookies.txt
Last-Modified: Wed, 02 Jul 2014 05:10:29 GMT
Accept-Ranges: bytes
ETag: "525a4cf1b395cf1:591"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 02 Jul 2014 05:12:18 GMT
....A.:v.e.m.....$.iU.r....)..._..X.d......gP.>x.]7z.^.q(6%h.o~.c.A
..K`....?J^.%.zC.%.hgW.......l....&:...t....H.....'z.pr..R.2....@.|Q^.
..Lx..g...`&..?....C....O......8.T~f...T..lX\.b.d..|.].sz..........|E.
....}.b..4g....g.......[Q...e"m.....C...20.<..v... ..|..!...k......
.A........$.k._.<..].K..W..,@.*.A.....@......U.5...d.....Y...._....
.S...h.h..`..%. hP.$JB@.?@.Y'4X..u......A..]9...aGU....@sDEf..{...b...
..m"wV.I...z........o.*.cf-.n...|......A6..C..a.l.......AYk.*.r..m.8qX
..9U.7f}.."t(=.z-.-.^.|...........D...#>....6.3....2.........R.x.]h
.#...u`[.G..8......;..i...V..*..._..n`.>L=n..Hb. ..!..^5{..\eU....~
t..j..d.b....._...R....`[lv.................0.T.....:.W.......q..7)Y ~
..A.....%.T^ &^.../.....c..p..gs>...g.i.:..4..I..;......3B...31.*.;
..}..*.f[....)...%..il...K..'C1.x.y.RYM..0...s...rb.jW..H.......I..i7T
...@N.H,..;.i..w ..(U.G#HE!0....y`....Q..|. ....Q..|/..A.]..`7.!1..d.[
m....RL.mP.]..|/em...6........><..;e..]. .!A.Vu...'..O..D<...
.P.....=..>....]A.wuH...S...{.o....3Z..a..........K.k....$X.f..&.}.
..q..}..&..tR.O.......`.3...C...4.[...y...9$.4.#s.d..Am.=._....."...x.
.n...\.L..'#RO.h.v...C v#..*..Y&N.H..~.g..bmo,....\..q...}J.........|.
...-..:cja...KNK......2.x......;...N....A......5..'B%....M._..u7L. li.
X.......Q.H{..1....M\`....v9.m$._.ZH.).g....!x.W..gk.W.l....lC.i......
..... ....`....I.....c..r.zz./..).i.=y.j..g.v.K.. .X..$<...X.......
l....i7..@.x*...?s.....9X...t.q<...X.?\.d7t....!.~.....>..h}8.P.
......$p....[z..u.x...K..!h.].A....r..\...... p.0u...........8..p.

<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.exe_1728:

`.sedata
h.idata
H.rsrc
@.sedata
{82B46959-3065-46a0-8340-3BB58B77A259}
bywayboy@gmail.com
http://www.ecodeproject.cn/bbs
:16882569
kernel32.dll
ole32.dll
msvcrt.dll
fne.dll
3h.NQ
t%SVh
t$(SSh
~%UVW
QRht%U
PQh\%U
U\RhH%U
PQh0%U
u$SShe
shlwapi.dll
user32.dll
user32.dll
advapi32.dll
wininet.dll
gdiplus.dll
GdiPlus.dll
Psapi.dll
ntdll.dll
MsgWaitForMultipleObjects
EnumWindows
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GdiplusShutdown
EnumChildWindows
.1<.>http://user.qzone.qq.com/278366872/mood/
/mood/
/mood/988a9710c13c1d510cf50e00.1<|>http://user.qzone.qq.com/
/mood/988a9710c13c1d510cf50e00.1<.>http://user.qzone.qq.com/
http://r.qzone.qq.com/cgi-bin/user/qz_opcnt2?_stp=&unikey=http://user.qzone.qq.com/
http://w.cnc.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
.1&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
%26pfid%3D2%26qz_ver%3D6%26appcanvas%3D0%26qz_style%3Dv6%2F31%26params%3D%26entertime%3D1361334604288%26canvastype%3D&opuin=
&ADSESSION=1361327327&ADTAG=CLIENT.QQ.4855_FriendTip.0&ADPUBNO=26095&ptlang=2052#!app=311&url=http%3A%2F%2Fcnc.qzs.qq.com%2Fqzone%2Fapp%2Fmood_v6%2Fhtml%2Findex.html%3Fmood%23uin%3D
?ADUIN=
qzreferrer=http://user.qzone.qq.com/
skey=(.*?);
http://taotao.qq.com/cgi-bin/emotion_cgi_msglist?uin=
zu.ew
D/.nT
.rsrc
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
bbs.125.la
V1.5.0.exe
C:\Windows\Code2.txt
/Config.ini
login
http://check.ptlogin2.qq.com/check?uin=
&aid=15004501&u1=http://ctc.qzs.qq.com/ac/qzone/login/succ.html#para=mall&&h=1&ptredirect=0&ptlang=2052&from_ui=1&dumy=&fp=loginerroralert&action=8-22-28491&mibao_css=&t=1&g=1
http://ptlogin2.qq.com/login?u=
skey=
; skey=
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
https://
http://
2013-8-8
http://xxoo.nn06.com/add.php
&Submit=Ìá½»
http://aq.qq.com/cn/safe_score_ajax
http://captcha.qq.com/getimage?aid=15004501&r=0.
http://xxoo.nn06.com/Cookies.txt
V1.5.0 www.nn06.com
\SkinH_EL.dll
http://www.nn06.com/
:http://www.tmd.la
http://xxoo.nn06.com/shuoshuozan/Config.txt
\ .bat
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
WinHttp.WinHttpRequest.5.1
application/x-www-form-urlencoded
www.baidu.com
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)
HTTP_X_FORWARDED_FOR
https://wallet.tenpay.com/cgi-bin/v1.0/queryqb.cgi
Adodb.Stream
MSScriptControl.ScriptControl
Scripting.Encoder
1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,
1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,
1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,
1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2
digits["A".charCodeAt(0) i] = i
digits["a".charCodeAt(0) i] = i 26
for (var i=0; i<10; i  ) digits["0".charCodeAt(0) i] = i 52
if (char.charCodeAt(0) > 126) return char
if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)
val  = (digits[string.substr(0,1).charCodeAt(0)] << 2)
val  = (digits[string.substr(1,1).charCodeAt(0)] >> 4)
val  = (digits[string.substr(1,1).charCodeAt(0)] & 0xf) << 12
val  = ((digits[string.substr(2,1).charCodeAt(0)] >> 2) << 8)
val  = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3) << 22)
val  = (digits[string.substr(3,1).charCodeAt(0)] << 16)
scriptIndex = encodingString.indexOf(marker, stringIndex)
unEncodingString  = encodingString.substring(stringIndex, scriptIndex)
scriptIndex  = marker.length
unEncodingString  = encodingString.substr(stringIndex, encodingString.length)
encodingLength = encodingString.substr(scriptIndex, 6)
scriptIndex  = (6   "==".length)
stringIndex = scriptIndex   "DQgAAA==^#~@".length
char = encodingString.substr(scriptIndex, 1)
if (char.charCodeAt(0) < 0xFF)
unEncodingString  = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])
unEncodingString  = unescape(encodingString.substr(  scriptIndex, 1))
re = new RegExp("(JScript|VBscript).encode", "gmi")
while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext   RegExp.$1   RegExp.rightContext
strdec(AdodbStream.ReadText);
0.0.0.0
0000000000
function encrypt(str,pass){
data = m_xxtea.encrypt(str, pass);
function decrypt(str,pass){
data = m_xxtea.decrypt(str, pass);
if (str.match(/^[\x00-\x7f]*$/) != null) {
return str.toString();
len = str.length;
c = str.charCodeAt(i);
out[j] = str.charAt(i);
out[j] = String.fromCharCode(0xc0 | (c >>> 6),
out[j] = String.fromCharCode(0xe0 | (c >>> 12),
c2 = str.charCodeAt(i);
out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),
return out.join('');
if ((str.match(/^[\x00-\x7f]*$/) != null) ||
(str.match(/^[\x00-\xff]*$/) == null)) {
c = str.charCodeAt(i  );
out[j  ] = str.charAt(i - 1);
c2 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((c & 0x1f) << 6) |
c3 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((c & 0x0f) << 12) |
c4 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');
len = str.length;
c = str.charCodeAt(i  ) << 16 |
str.charCodeAt(i  ) << 8 |
str.charCodeAt(i  );
c = str.charCodeAt(i  );
c = str.charCodeAt(i  ) << 8 |
return out.join('');
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {
if (str.charAt(len - 2) == '=') {
else if (str.charAt(len - 1) == '=') {
c1 = base64DecodeChars[str.charCodeAt(i  )];
c2 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
c3 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));
c4 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode(((c3 & 0x03) << 6) | c4);
var length = data.length;
data[i] = String.fromCharCode(
return data.join('').substring(0, n);
return data.join('');
var length = string.length;
result[i >> 2] = string.charCodeAt(i) |
string.charCodeAt(i   1) << 8 |
string.charCodeAt(i   2) << 16 |
string.charCodeAt(i   3) << 24;
result[result.length] = length;
this.encrypt = function(string, key) {
var k = stringToLongArray(key, false);
if (k.length < 4) {
k.length = 4;
var n = v.length - 1;
var mx, e, p, q = Math.floor(6   52 / (n   1)), sum = 0;
this.decrypt = function(string, key) {
var mx, e, p, q = Math.floor(6   52 / (n   1)), sum = q * delta & 0xffffffff;
* See http://pajhome.org.uk/crypt/md5 for details.
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
for(var i = 0; i < x.length; i  = 16)
* Calculate the HMAC-SHA1 of a key and some data
function core_hmac_sha1(key, data)
var bkey = str2binb(key);
if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
ipad[i] = bkey[i] ^ 0x36363636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
var hash = core_sha1(ipad.concat(str2binb(data)), 512   data.length * chrsz);
return core_sha1(opad.concat(hash), 512   160);
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
for(var i = 0; i < str.length * chrsz; i  = chrsz)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i2);
for(var i = 0; i < bin.length * 32; i  = chrsz)
str  = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);
for(var i = 0; i < binarray.length * 4; i  )
str  = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)  
hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
for(var i = 0; i < binarray.length * 4; i  = 3)
if(i * 8   j * 6 > binarray.length * 32) str  = b64pad;
else str  = tab.charAt((triplet >> 6*(3-j)) & 0x3F);
TempObj=JSON.parse(str);
var obj=JSON.parse(str);
Lobj.push(obj);
return Lobj.length;
function GetAllKey(){
Lobj = JSON.parse(str);
var str=JSON.stringify(Lobj);
return Lobj.str;
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf())
? this.getUTCFullYear()   '-'  
f(this.getUTCMonth()   1)   '-'  
f(this.getUTCDate())   'T'  
f(this.getUTCHours())   ':'  
f(this.getUTCMinutes())   ':'  
f(this.getUTCSeconds())   'Z'
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"'   string.replace(escapable, function (a) {
: '\\u'   ('0000'   a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
v = partial.length === 0
? '[\n'   gap   partial.join(',\n'   gap)   '\n'   mind   ']'
: '['   partial.join(',')   ']';
length = rep.length;
partial.push(quote(k)   (gap ? ': ' : ':')   v);
if (Object.prototype.hasOwnProperty.call(value, k)) {
v = partial.length === 0
? '{\n'   gap   partial.join(',\n'   gap)   '\n'   mind   '}'
: '{'   partial.join(',')   '}';
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
cx.lastIndex = 0;
if (cx.test(text)) {
text = text.replace(cx, function (a) {
('0000'   a.charCodeAt(0).toString(16)).slice(-4);
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
throw new SyntaxError('JSON.parse');
JSON.stringify(Lobj['
Lobj.push("
Lobj.push(
Lobj.push('
Lobj.length
JSON.stringify(Lobj[
Lobj.splice(
GetAllKey
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime())
Math.round(new Date().getTime() * 100)
7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}
function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i < indent_level; i  ) {output.push(indent_string);}}
function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}
function print_token() {output.push(token_text);}
function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}
function set_mode(mode) {modes.push(current_mode);current_mode = mode;}
function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}
function in_array(what, arr) {for (var i = 0; i < arr.length; i  ) {if (arr[i] === what) {return true;}}return false;}
function get_next_token() {var n_newlines = 0;var c = "";do {if (parser_pos >= input.length) {return ["", "TK_EOF"];}c = input.charAt(parser_pos);parser_pos  = 1;if (c === "\n") {n_newlines  = 1;}} while (in_array(c, whitespace));if (n_newlines > 1) {for (var i = 0; i < 2; i  ) {print_newline(i === 0);}}var wanted_newline = n_newlines === 1;if (in_array(c, wordchar)) {if (parser_pos < input.length) {while (in_array(input.charAt(parser_pos), wordchar)) {c  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos === input.length) {break;}}}if (parser_pos !== input.length && c.match(/^[0-9] [Ee]$/) && input.charAt(parser_pos) === "-") {parser_pos  = 1;var t = get_next_token(parser_pos);c  = "-"   t[0];return [c, "TK_WORD"];}if (c === "in") {return [c, "TK_OPERATOR"];}return [c, "TK_WORD"];}if (c === "(" || c === "[") {return [c, "TK_START_EXPR"];}if (c === ")" || c === "]") {return [c, "TK_END_EXPR"];}if (c === "{") {return [c, "TK_START_BLOCK"];}if (c === "}") {return [c, "TK_END_BLOCK"];}if (c === ";") {return [c, "TK_END_COMMAND"];}if (c === "/") {var comment = "";if (input.charAt(parser_pos) === "*") {parser_pos  = 1;if (parser_pos < input.length) {while (!(input.charAt(parser_pos) === "*" && input.charAt(parser_pos   1) && input.charAt(parser_pos   1) === "/") && parser_pos < input.length) {comment  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}}parser_pos  = 2;return ["/*"   comment   "*/", "TK_BLOCK_COMMENT"];}if (input.charAt(parser_pos) === "/") {comment = c;while (input.charAt(parser_pos) !== "\r" && input.charAt(parser_pos) !== "\n") {comment  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}parser_pos  = 1;if (wanted_newline) {print_newline();}return [comment, "TK_COMMENT"];}}if (c === "'" || c === "\"" || c === "/" && (last_type === "TK_WORD" && last_text === "return" || last_type === "TK_START_EXPR" || last_type === "TK_END_BLOCK" || last_type === "TK_OPERATOR" || last_type === "TK_EOF" || last_type === "TK_END_COMMAND")) {var sep = c;var esc = false;c = "";if (parser_pos < input.length) {while (esc || input.charAt(parser_pos) !== sep) {c  = input.charAt(parser_pos);if (!esc) {esc = input.charAt(parser_pos) === "\\";} else {esc = false;}parser_pos  = 1;if (parser_pos >= input.length) {break;}}}parser_pos  = 1;if (last_type === "TK_END_COMMAND") {print_newline();}return [sep   c   sep, "TK_STRING"];}if (in_array(c, punct)) {while (parser_pos < input.length && in_array(c   input.charAt(parser_pos), punct)) {c  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}return [c, "TK_OPERATOR"];}return [c, "TK_UNKNOWN"];}
indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string  = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = "  - * / % &    -- =  = -= *= /= %= == === != !== > < >= <= >> << >>> >>>= >>= <<= && &= | || ! !! , : ? ^ ^= |=".split(" ");line_starters = "continue,try,throw,return,var,if,switch,case,default,for,while,break,function".split(",");current_mode = "BLOCK";modes = [current_mode];indent_level = indent_level || 0;parser_pos = 0;in_case = false;while (true) {var t = get_next_token(parser_pos);token_text = t[0];token_type = t[1];if (token_type === "TK_EOF") {break;}switch (token_type) {case "TK_START_EXPR":var_line = false;set_mode("EXPRESSION");if (last_type === "TK_END_EXPR" || last_type === "TK_START_EXPR") {} else if (last_type !== "TK_WORD" && last_type !== "TK_OPERATOR") {print_space();} else if (in_array(last_word, line_starters) && last_word !== "function") {print_space();}print_token();break;case "TK_END_EXPR":print_token();restore_mode();break;case "TK_START_BLOCK":if (last_word === "do") {set_mode("DO_BLOCK");} else {set_mode("BLOCK");}if (last_type !== "TK_OPERATOR" && last_type !== "TK_START_EXPR") {if (last_type === "TK_START_BLOCK") {print_newline();} else {print_space();}}print_token();indent();break;case "TK_END_BLOCK":if (last_type === "TK_START_BLOCK") {trim_output();unindent();} else {unindent();print_newline();}print_token();restore_mode();break;case "TK_WORD":if (do_block_just_closed) {print_space();print_token();print_space();break;}if (token_text === "case" || token_text === "default") {if (last_text === ":") {remove_indent();} else {unindent();print_newline();indent();}print_token();in_case = true;break;}prefix = "NONE";if (last_type === "TK_END_BLOCK") {if (!in_array(token_text.toLowerCase(), ["else", "catch", "finally"])) {prefix = "NEWLINE";} else {prefix = "SPACE";print_space();}} else if (last_type === "TK_END_COMMAND" && (current_mode === "BLOCK" || current_mode === "DO_BLOCK")) {prefix = "NEWLINE";} else if (last_type === "TK_END_COMMAND" && current_mode === "EXPRESSION") {prefix = "SPACE";} else if (last_type === "TK_WORD") {prefix = "SPACE";} else if (last_type === "TK_START_BLOCK") {prefix = "NEWLINE";} else if (last_type === "TK_END_EXPR") {print_space();prefix = "NEWLINE";}if (last_type !== "TK_END_BLOCK" && in_array(token_text.toLowerCase(), ["else", "catch", "finally"])) {print_newline();} else if (in_array(token_text, line_starters) || prefix === "NEWLINE") {if (last_text === "else") {print_space();} else if ((last_type === "TK_START_EXPR" || last_text === "=") && token_text === "function") {} else if (last_type === "TK_WORD" && (last_text === "return" || last_text === "throw")) {print_space();} else if (last_type !== "TK_END_EXPR") {if ((last_type !== "TK_START_EXPR" || token_text !== "var") && last_text !== ":") {if (token_text === "if" && last_type === "TK_WORD" && last_word === "else") {print_space();} else {print_newline();}}} else {if (in_array(token_text, line_starters) && last_text !== ")") {print_newline();}}} else if (prefix === "SPACE") {print_space();}print_token();last_word = token_text;if (token_text === "var") {var_line = true;var_line_tainted = false;}break;case "TK_END_COMMAND":print_token();var_line = false;break;case "TK_STRING":if (last_type === "TK_START_BLOCK" || last_type === "TK_END_BLOCK") {print_newline();} else if (last_type === "TK_WORD") {print_space();}print_token();break;case "TK_OPERATOR":var start_delim = true;var end_delim = true;if (var_line && token_text !== ",") {var_line_tainted = true;if (token_text === ":") {var_line = false;}}if (token_text === ":" && in_case) {print_token();print_newline();break;}in_case = false;if (token_text === ",") {if (var_line) {if (var_line_tainted) {print_token();print_newline();var_line_tainted = false;} else {print_token();print_space();}} else if (last_type === "TK_END_BLOCK") {print_token();print_newline();} else {if (current_mode === "BLOCK") {print_token();print_newline();} else {print_token();print_space();}}break;} else if (token_text === "--" || token_text === "  ") {if (last_text === ";") {start_delim = true;end_delim = false;} else {start_delim = false;end_delim = false;}} else if (token_text === "!" && last_type === "TK_START_EXPR") {start_delim = false;end_delim = false;} else if (last_type === "TK_OPERATOR") {start_delim = false;end_delim = false;} else if (last_type === "TK_END_EXPR") {start_delim = true;end_delim = true;} else if (token_text === ".") {start_delim = false;end_delim = false;} else if (token_text === ":") {if (last_text.match(/^\d $/)) {start_delim = true;} else {start_delim = false;}}if (start_delim) {print_space();}print_token();if (end_delim) {print_space();}break;case "TK_BLOCK_COMMENT":print_newline();print_token();print_newline();break;case "TK_COMMENT":print_space();print_token();print_newline();break;case "TK_UNKNOWN":print_token();break;default:;}last_type = token_type;last_text = token_text;}return output.join("");}
x =a.replace(/^\s /, '')
1970/01/01 00:00:00
http://www.nn06.com
shueiniu@yeah.net
www.nn06.com/gg/sszan/gg.html?
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
"103*2-<
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
icmp.dll
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
www.dywt.com.cn
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.0
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
c:\.exe
#include "l.chs\afxres.rc" // Standard components
iwz%f$
.hg%Zg
8%c}i
GetProcessHeap
hid.dll
mscoree.dll
mscorwks.dll
mscorsvr.dll
KernelBase.dll
mscoreei.dll
clr.dll
diasymreader.dll
SEGetNumExecUsed
SEGetNumExecLeft
SESetNumExecUsed
SEGetExecTimeUsed
SEGetExecTimeLeft
SESetExecTime
SEGetTotalExecTimeUsed
SEGetTotalExecTimeLeft
SESetTotalExecTime
SECheckExecTime
SECheckTotalExecTime
&&&&6666????
""""****
2222::::
$$$$\\\\
00006666
####====
IPHLPAPI.DLL
PSAPI.DLL
KERNEL32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
ADVAPI32.dll
SHELL32.dll
~.oM\
f.jVk
%J
.Nv"[0
.Nm|O
}~.oM
A.fmHv
{S_"%D
;X.qO
%S!t.
z.Nb%
".Tnw-
rO).fE
.cXx 
.uhsr
y.Lha{:
/-pn%X
J.JQ*S
xTK%x[
R.%D'
.oNCc
LC.th
%x["$=
WINMM.dll
WS2_32.dll
$RASAPI32.dll
GetCPInfo
WinExec
.LockResource
SetWindowsHookExA
GetKeyState
ÞleteMenu
CreateDialogIndirectParamA
UnhookWindowsHookEx
/6!GetViewportExtEx
SetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
OffsetViewportOrgEx
GetViewportOrgEx
WINSPOOL.DRV
ShellExecuteA
>RegCreateKeyExA
OLEAUT32.dll
oledlg.dll
InternetCrackUrlA
WININET.dll
InternetCanonicalizeUrlA
comdlg32.dll
x[IPHLPAPI.DLL
Safengine Shielden v2.2.8.0
2-WINMM.dll
RASAPI32.dll
1, 0, 6, 6
- Skin.dll
(*.*)
1.5.0.0
V1.5.0
(http://www.eyuyan.com)

.exe_1728_rwx_00401000_001B0000:

{82B46959-3065-46a0-8340-3BB58B77A259}
bywayboy@gmail.com
http://www.ecodeproject.cn/bbs
:16882569
kernel32.dll
ole32.dll
msvcrt.dll
fne.dll
3h.NQ
t%SVh
t$(SSh
~%UVW
QRht%U
PQh\%U
U\RhH%U
PQh0%U
u$SShe
shlwapi.dll
user32.dll
user32.dll
advapi32.dll
wininet.dll
gdiplus.dll
GdiPlus.dll
Psapi.dll
ntdll.dll
MsgWaitForMultipleObjects
EnumWindows
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
GdiplusShutdown
EnumChildWindows
.1<.>http://user.qzone.qq.com/278366872/mood/
/mood/
/mood/988a9710c13c1d510cf50e00.1<|>http://user.qzone.qq.com/
/mood/988a9710c13c1d510cf50e00.1<.>http://user.qzone.qq.com/
http://r.qzone.qq.com/cgi-bin/user/qz_opcnt2?_stp=&unikey=http://user.qzone.qq.com/
http://w.cnc.qzone.qq.com/cgi-bin/likes/internal_dolike_app?g_tk=
.1&curkey=http://user.qzone.qq.com/
&unikey=http://user.qzone.qq.com/
%26pfid%3D2%26qz_ver%3D6%26appcanvas%3D0%26qz_style%3Dv6%2F31%26params%3D%26entertime%3D1361334604288%26canvastype%3D&opuin=
&ADSESSION=1361327327&ADTAG=CLIENT.QQ.4855_FriendTip.0&ADPUBNO=26095&ptlang=2052#!app=311&url=http%3A%2F%2Fcnc.qzs.qq.com%2Fqzone%2Fapp%2Fmood_v6%2Fhtml%2Findex.html%3Fmood%23uin%3D
?ADUIN=
qzreferrer=http://user.qzone.qq.com/
skey=(.*?);
http://taotao.qq.com/cgi-bin/emotion_cgi_msglist?uin=
zu.ew
D/.nT
.rsrc
%S4WD
hg%fpM
S.Ac9SR
0.I%3s
,wAe.kI
aiUy'4xu
%c*@j
.eH'y
{&%U)
lj%4U
xe%CNs
9F.cLe
hJK.ZH
O.qt0
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
SkinH_EL.dll
bbs.125.la
V1.5.0.exe
C:\Windows\Code2.txt
/Config.ini
login
http://check.ptlogin2.qq.com/check?uin=
&aid=15004501&u1=http://ctc.qzs.qq.com/ac/qzone/login/succ.html#para=mall&&h=1&ptredirect=0&ptlang=2052&from_ui=1&dumy=&fp=loginerroralert&action=8-22-28491&mibao_css=&t=1&g=1
http://ptlogin2.qq.com/login?u=
skey=
; skey=
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
http=
https
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
https://
http://
2013-8-8
http://xxoo.nn06.com/add.php
&Submit=Ìá½»
http://aq.qq.com/cn/safe_score_ajax
http://captcha.qq.com/getimage?aid=15004501&r=0.
http://xxoo.nn06.com/Cookies.txt
V1.5.0 www.nn06.com
\SkinH_EL.dll
http://www.nn06.com/
:http://www.tmd.la
http://xxoo.nn06.com/shuoshuozan/Config.txt
\ .bat
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
WinHttp.WinHttpRequest.5.1
application/x-www-form-urlencoded
www.baidu.com
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3; Alexa Toolbar)
HTTP_X_FORWARDED_FOR
https://wallet.tenpay.com/cgi-bin/v1.0/queryqb.cgi
Adodb.Stream
MSScriptControl.ScriptControl
Scripting.Encoder
1, 2, 0, 1, 2, 0, 2, 0, 0, 2, 0, 2, 1, 0, 2, 0,
1, 0, 2, 0, 1, 1, 2, 0, 0, 2, 1, 0, 2, 0, 0, 2,
1, 1, 0, 2, 0, 2, 0, 1, 0, 1, 1, 2, 0, 1, 0, 2,
1, 0, 2, 0, 1, 1, 2, 0, 0, 1, 1, 2, 0, 1, 0, 2
digits["A".charCodeAt(0) i] = i
digits["a".charCodeAt(0) i] = i 26
for (var i=0; i<10; i  ) digits["0".charCodeAt(0) i] = i 52
if (char.charCodeAt(0) > 126) return char
if (escapes.indexOf(char) != -1) return escaped.substr(escapes.indexOf(char), 1)
val  = (digits[string.substr(0,1).charCodeAt(0)] << 2)
val  = (digits[string.substr(1,1).charCodeAt(0)] >> 4)
val  = (digits[string.substr(1,1).charCodeAt(0)] & 0xf) << 12
val  = ((digits[string.substr(2,1).charCodeAt(0)] >> 2) << 8)
val  = ((digits[string.substr(2,1).charCodeAt(0)] & 0x3) << 22)
val  = (digits[string.substr(3,1).charCodeAt(0)] << 16)
scriptIndex = encodingString.indexOf(marker, stringIndex)
unEncodingString  = encodingString.substring(stringIndex, scriptIndex)
scriptIndex  = marker.length
unEncodingString  = encodingString.substr(stringIndex, encodingString.length)
encodingLength = encodingString.substr(scriptIndex, 6)
scriptIndex  = (6   "==".length)
stringIndex = scriptIndex   "DQgAAA==^#~@".length
char = encodingString.substr(scriptIndex, 1)
if (char.charCodeAt(0) < 0xFF)
unEncodingString  = String.fromCharCode(transformed[pick_encoding[unEncodingIndexd]][char.charCodeAt(0)])
unEncodingString  = unescape(encodingString.substr(  scriptIndex, 1))
re = new RegExp("(JScript|VBscript).encode", "gmi")
while(arr = re.exec(unEncodingString)) unEncodingString = RegExp.leftContext   RegExp.$1   RegExp.rightContext
strdec(AdodbStream.ReadText);
0.0.0.0
0000000000
function encrypt(str,pass){
data = m_xxtea.encrypt(str, pass);
function decrypt(str,pass){
data = m_xxtea.decrypt(str, pass);
if (str.match(/^[\x00-\x7f]*$/) != null) {
return str.toString();
len = str.length;
c = str.charCodeAt(i);
out[j] = str.charAt(i);
out[j] = String.fromCharCode(0xc0 | (c >>> 6),
out[j] = String.fromCharCode(0xe0 | (c >>> 12),
c2 = str.charCodeAt(i);
out[j] = String.fromCharCode(0xf0 | ((c >>> 18) & 0x3f),
return out.join('');
if ((str.match(/^[\x00-\x7f]*$/) != null) ||
(str.match(/^[\x00-\xff]*$/) == null)) {
c = str.charCodeAt(i  );
out[j  ] = str.charAt(i - 1);
c2 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((c & 0x1f) << 6) |
c3 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((c & 0x0f) << 12) |
c4 = str.charCodeAt(i  );
out[j  ] = String.fromCharCode(((s >>> 10) & 0x03ff) | 0xd800,
var base64EncodeChars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /'.split('');
len = str.length;
c = str.charCodeAt(i  ) << 16 |
str.charCodeAt(i  ) << 8 |
str.charCodeAt(i  );
c = str.charCodeAt(i  );
c = str.charCodeAt(i  ) << 8 |
return out.join('');
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63,
if (/[^ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\ \/\=]/.test(str)) {
if (str.charAt(len - 2) == '=') {
else if (str.charAt(len - 1) == '=') {
c1 = base64DecodeChars[str.charCodeAt(i  )];
c2 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode((c1 << 2) | ((c2 & 0x30) >> 4));
c3 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2));
c4 = base64DecodeChars[str.charCodeAt(i  )];
out[j  ] = String.fromCharCode(((c3 & 0x03) << 6) | c4);
var length = data.length;
data[i] = String.fromCharCode(
return data.join('').substring(0, n);
return data.join('');
var length = string.length;
result[i >> 2] = string.charCodeAt(i) |
string.charCodeAt(i   1) << 8 |
string.charCodeAt(i   2) << 16 |
string.charCodeAt(i   3) << 24;
result[result.length] = length;
this.encrypt = function(string, key) {
var k = stringToLongArray(key, false);
if (k.length < 4) {
k.length = 4;
var n = v.length - 1;
var mx, e, p, q = Math.floor(6   52 / (n   1)), sum = 0;
this.decrypt = function(string, key) {
var mx, e, p, q = Math.floor(6   52 / (n   1)), sum = q * delta & 0xffffffff;
* See http://pajhome.org.uk/crypt/md5 for details.
function hex_sha1(s){return binb2hex(core_sha1(str2binb(s),s.length * chrsz));}
function b64_sha1(s){return binb2b64(core_sha1(str2binb(s),s.length * chrsz));}
function str_sha1(s){return binb2str(core_sha1(str2binb(s),s.length * chrsz));}
function hex_hmac_sha1(key, data){ return binb2hex(core_hmac_sha1(key, data));}
function b64_hmac_sha1(key, data){ return binb2b64(core_hmac_sha1(key, data));}
function str_hmac_sha1(key, data){ return binb2str(core_hmac_sha1(key, data));}
for(var i = 0; i < x.length; i  = 16)
* Calculate the HMAC-SHA1 of a key and some data
function core_hmac_sha1(key, data)
var bkey = str2binb(key);
if(bkey.length > 16) bkey = core_sha1(bkey, key.length * chrsz);
ipad[i] = bkey[i] ^ 0x36363636;
opad[i] = bkey[i] ^ 0x5C5C5C5C;
var hash = core_sha1(ipad.concat(str2binb(data)), 512   data.length * chrsz);
return core_sha1(opad.concat(hash), 512   160);
* Add integers, wrapping at 2^32. This uses 16-bit operations internally
for(var i = 0; i < str.length * chrsz; i  = chrsz)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (32 - chrsz - i2);
for(var i = 0; i < bin.length * 32; i  = chrsz)
str  = String.fromCharCode((bin[i>>5] >>> (32 - chrsz - i2)) & mask);
for(var i = 0; i < binarray.length * 4; i  )
str  = hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 4)) & 0xF)  
hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
for(var i = 0; i < binarray.length * 4; i  = 3)
if(i * 8   j * 6 > binarray.length * 32) str  = b64pad;
else str  = tab.charAt((triplet >> 6*(3-j)) & 0x3F);
TempObj=JSON.parse(str);
var obj=JSON.parse(str);
Lobj.push(obj);
return Lobj.length;
function GetAllKey(){
Lobj = JSON.parse(str);
var str=JSON.stringify(Lobj);
return Lobj.str;
if (typeof Date.prototype.toJSON !== 'function') {
Date.prototype.toJSON = function (key) {
return isFinite(this.valueOf())
? this.getUTCFullYear()   '-'  
f(this.getUTCMonth()   1)   '-'  
f(this.getUTCDate())   'T'  
f(this.getUTCHours())   ':'  
f(this.getUTCMinutes())   ':'  
f(this.getUTCSeconds())   'Z'
String.prototype.toJSON =
Number.prototype.toJSON =
Boolean.prototype.toJSON = function (key) {
return this.valueOf();
'"' : '\\"',
'\\': '\\\\'
escapable.lastIndex = 0;
return escapable.test(string) ? '"'   string.replace(escapable, function (a) {
: '\\u'   ('0000'   a.charCodeAt(0).toString(16)).slice(-4);
function str(key, holder) {
k, // The member key.
value = holder[key];
typeof value.toJSON === 'function') {
value = value.toJSON(key);
value = rep.call(holder, key, value);
if (Object.prototype.toString.apply(value) === '[object Array]') {
length = value.length;
v = partial.length === 0
? '[\n'   gap   partial.join(',\n'   gap)   '\n'   mind   ']'
: '['   partial.join(',')   ']';
length = rep.length;
partial.push(quote(k)   (gap ? ': ' : ':')   v);
if (Object.prototype.hasOwnProperty.call(value, k)) {
v = partial.length === 0
? '{\n'   gap   partial.join(',\n'   gap)   '\n'   mind   '}'
: '{'   partial.join(',')   '}';
if (typeof JSON.stringify !== 'function') {
JSON.stringify = function (value, replacer, space) {
typeof replacer.length !== 'number')) {
throw new Error('JSON.stringify');
if (typeof JSON.parse !== 'function') {
JSON.parse = function (text, reviver) {
function walk(holder, key) {
var k, v, value = holder[key];
if (Object.prototype.hasOwnProperty.call(value, k)) {
return reviver.call(holder, key, value);
cx.lastIndex = 0;
if (cx.test(text)) {
text = text.replace(cx, function (a) {
('0000'   a.charCodeAt(0).toString(16)).slice(-4);
.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')
.replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g, ']')
.replace(/(?:^|:|,)(?:\s*\[) /g, ''))) {
throw new SyntaxError('JSON.parse');
JSON.stringify(Lobj['
Lobj.push("
Lobj.push(
Lobj.push('
Lobj.length
JSON.stringify(Lobj[
Lobj.splice(
GetAllKey
Math.round(new Date().getTime()/1000)
Math.round(new Date().getTime())
Math.round(new Date().getTime() * 100)
7 9 10 5 8 4 2 1 6 3 7 9 10 5 8 4 2
WScript.Shell
rundll32.exe url.dll,FileProtocolHandler
function trim_output() {while (output.length && (output[output.length - 1] === " " || output[output.length - 1] === indent_string)) {output.pop();}}
function print_newline(ignore_repeated) {ignore_repeated = typeof ignore_repeated === "undefined" ? true : ignore_repeated;trim_output();if (!output.length) {return;}if (output[output.length - 1] !== "\n" || !ignore_repeated) {output.push("\n");}for (var i = 0; i < indent_level; i  ) {output.push(indent_string);}}
function print_space() {var last_output = output.length ? output[output.length - 1] : " ";if (last_output !== " " && last_output !== "\n" && last_output !== indent_string) {output.push(" ");}}
function print_token() {output.push(token_text);}
function remove_indent() {if (output.length && output[output.length - 1] === indent_string) {output.pop();}}
function set_mode(mode) {modes.push(current_mode);current_mode = mode;}
function restore_mode() {do_block_just_closed = current_mode === "DO_BLOCK";current_mode = modes.pop();}
function in_array(what, arr) {for (var i = 0; i < arr.length; i  ) {if (arr[i] === what) {return true;}}return false;}
function get_next_token() {var n_newlines = 0;var c = "";do {if (parser_pos >= input.length) {return ["", "TK_EOF"];}c = input.charAt(parser_pos);parser_pos  = 1;if (c === "\n") {n_newlines  = 1;}} while (in_array(c, whitespace));if (n_newlines > 1) {for (var i = 0; i < 2; i  ) {print_newline(i === 0);}}var wanted_newline = n_newlines === 1;if (in_array(c, wordchar)) {if (parser_pos < input.length) {while (in_array(input.charAt(parser_pos), wordchar)) {c  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos === input.length) {break;}}}if (parser_pos !== input.length && c.match(/^[0-9] [Ee]$/) && input.charAt(parser_pos) === "-") {parser_pos  = 1;var t = get_next_token(parser_pos);c  = "-"   t[0];return [c, "TK_WORD"];}if (c === "in") {return [c, "TK_OPERATOR"];}return [c, "TK_WORD"];}if (c === "(" || c === "[") {return [c, "TK_START_EXPR"];}if (c === ")" || c === "]") {return [c, "TK_END_EXPR"];}if (c === "{") {return [c, "TK_START_BLOCK"];}if (c === "}") {return [c, "TK_END_BLOCK"];}if (c === ";") {return [c, "TK_END_COMMAND"];}if (c === "/") {var comment = "";if (input.charAt(parser_pos) === "*") {parser_pos  = 1;if (parser_pos < input.length) {while (!(input.charAt(parser_pos) === "*" && input.charAt(parser_pos   1) && input.charAt(parser_pos   1) === "/") && parser_pos < input.length) {comment  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}}parser_pos  = 2;return ["/*"   comment   "*/", "TK_BLOCK_COMMENT"];}if (input.charAt(parser_pos) === "/") {comment = c;while (input.charAt(parser_pos) !== "\r" && input.charAt(parser_pos) !== "\n") {comment  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}parser_pos  = 1;if (wanted_newline) {print_newline();}return [comment, "TK_COMMENT"];}}if (c === "'" || c === "\"" || c === "/" && (last_type === "TK_WORD" && last_text === "return" || last_type === "TK_START_EXPR" || last_type === "TK_END_BLOCK" || last_type === "TK_OPERATOR" || last_type === "TK_EOF" || last_type === "TK_END_COMMAND")) {var sep = c;var esc = false;c = "";if (parser_pos < input.length) {while (esc || input.charAt(parser_pos) !== sep) {c  = input.charAt(parser_pos);if (!esc) {esc = input.charAt(parser_pos) === "\\";} else {esc = false;}parser_pos  = 1;if (parser_pos >= input.length) {break;}}}parser_pos  = 1;if (last_type === "TK_END_COMMAND") {print_newline();}return [sep   c   sep, "TK_STRING"];}if (in_array(c, punct)) {while (parser_pos < input.length && in_array(c   input.charAt(parser_pos), punct)) {c  = input.charAt(parser_pos);parser_pos  = 1;if (parser_pos >= input.length) {break;}}return [c, "TK_OPERATOR"];}return [c, "TK_UNKNOWN"];}
indent_character = indent_character || " ";indent_size = indent_size || 4;indent_string = "";while (indent_size--) {indent_string  = indent_character;}input = js_source_text;last_word = "";last_type = "TK_START_EXPR";last_text = "";output = [];do_block_just_closed = false;var_line = false;var_line_tainted = false;whitespace = "\n\r\t ".split("");wordchar = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_$".split("");punct = "  - * / % &    -- =  = -= *= /= %= == === != !== > < >= <= >> << >>> >>>= >>= <<= && &= | || ! !! , : ? ^ ^= |=".split(" ");line_starters = "continue,try,throw,return,var,if,switch,case,default,for,while,break,function".split(",");current_mode = "BLOCK";modes = [current_mode];indent_level = indent_level || 0;parser_pos = 0;in_case = false;while (true) {var t = get_next_token(parser_pos);token_text = t[0];token_type = t[1];if (token_type === "TK_EOF") {break;}switch (token_type) {case "TK_START_EXPR":var_line = false;set_mode("EXPRESSION");if (last_type === "TK_END_EXPR" || last_type === "TK_START_EXPR") {} else if (last_type !== "TK_WORD" && last_type !== "TK_OPERATOR") {print_space();} else if (in_array(last_word, line_starters) && last_word !== "function") {print_space();}print_token();break;case "TK_END_EXPR":print_token();restore_mode();break;case "TK_START_BLOCK":if (last_word === "do") {set_mode("DO_BLOCK");} else {set_mode("BLOCK");}if (last_type !== "TK_OPERATOR" && last_type !== "TK_START_EXPR") {if (last_type === "TK_START_BLOCK") {print_newline();} else {print_space();}}print_token();indent();break;case "TK_END_BLOCK":if (last_type === "TK_START_BLOCK") {trim_output();unindent();} else {unindent();print_newline();}print_token();restore_mode();break;case "TK_WORD":if (do_block_just_closed) {print_space();print_token();print_space();break;}if (token_text === "case" || token_text === "default") {if (last_text === ":") {remove_indent();} else {unindent();print_newline();indent();}print_token();in_case = true;break;}prefix = "NONE";if (last_type === "TK_END_BLOCK") {if (!in_array(token_text.toLowerCase(), ["else", "catch", "finally"])) {prefix = "NEWLINE";} else {prefix = "SPACE";print_space();}} else if (last_type === "TK_END_COMMAND" && (current_mode === "BLOCK" || current_mode === "DO_BLOCK")) {prefix = "NEWLINE";} else if (last_type === "TK_END_COMMAND" && current_mode === "EXPRESSION") {prefix = "SPACE";} else if (last_type === "TK_WORD") {prefix = "SPACE";} else if (last_type === "TK_START_BLOCK") {prefix = "NEWLINE";} else if (last_type === "TK_END_EXPR") {print_space();prefix = "NEWLINE";}if (last_type !== "TK_END_BLOCK" && in_array(token_text.toLowerCase(), ["else", "catch", "finally"])) {print_newline();} else if (in_array(token_text, line_starters) || prefix === "NEWLINE") {if (last_text === "else") {print_space();} else if ((last_type === "TK_START_EXPR" || last_text === "=") && token_text === "function") {} else if (last_type === "TK_WORD" && (last_text === "return" || last_text === "throw")) {print_space();} else if (last_type !== "TK_END_EXPR") {if ((last_type !== "TK_START_EXPR" || token_text !== "var") && last_text !== ":") {if (token_text === "if" && last_type === "TK_WORD" && last_word === "else") {print_space();} else {print_newline();}}} else {if (in_array(token_text, line_starters) && last_text !== ")") {print_newline();}}} else if (prefix === "SPACE") {print_space();}print_token();last_word = token_text;if (token_text === "var") {var_line = true;var_line_tainted = false;}break;case "TK_END_COMMAND":print_token();var_line = false;break;case "TK_STRING":if (last_type === "TK_START_BLOCK" || last_type === "TK_END_BLOCK") {print_newline();} else if (last_type === "TK_WORD") {print_space();}print_token();break;case "TK_OPERATOR":var start_delim = true;var end_delim = true;if (var_line && token_text !== ",") {var_line_tainted = true;if (token_text === ":") {var_line = false;}}if (token_text === ":" && in_case) {print_token();print_newline();break;}in_case = false;if (token_text === ",") {if (var_line) {if (var_line_tainted) {print_token();print_newline();var_line_tainted = false;} else {print_token();print_space();}} else if (last_type === "TK_END_BLOCK") {print_token();print_newline();} else {if (current_mode === "BLOCK") {print_token();print_newline();} else {print_token();print_space();}}break;} else if (token_text === "--" || token_text === "  ") {if (last_text === ";") {start_delim = true;end_delim = false;} else {start_delim = false;end_delim = false;}} else if (token_text === "!" && last_type === "TK_START_EXPR") {start_delim = false;end_delim = false;} else if (last_type === "TK_OPERATOR") {start_delim = false;end_delim = false;} else if (last_type === "TK_END_EXPR") {start_delim = true;end_delim = true;} else if (token_text === ".") {start_delim = false;end_delim = false;} else if (token_text === ":") {if (last_text.match(/^\d $/)) {start_delim = true;} else {start_delim = false;}}if (start_delim) {print_space();}print_token();if (end_delim) {print_space();}break;case "TK_BLOCK_COMMENT":print_newline();print_token();print_newline();break;case "TK_COMMENT":print_space();print_token();print_newline();break;case "TK_UNKNOWN":print_token();break;default:;}last_type = token_type;last_text = token_text;}return output.join("");}
x =a.replace(/^\s /, '')
1970/01/01 00:00:00
http://www.nn06.com
shueiniu@yeah.net
www.nn06.com/gg/sszan/gg.html?
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
"103*2-<
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
icmp.dll
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
1.1.3
;3 #>6.&
'2, / 0&7!4-)1#
www.dywt.com.cn
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.0
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
right-curly-bracket
left-curly-bracket
0123456789
c:\.exe
#include "l.chs\afxres.rc" // Standard components
1, 0, 6, 6
- Skin.dll
(*.*)

.exe_1728_rwx_005C4000_00001000:

MSVCRT.dll
IPHLPAPI.DLL
PSAPI.DLL
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
ADVAPI32.dll
SHELL32.dll

.exe_1728_rwx_005CE000_00002000:

MSVCRT.dll
IPHLPAPI.DLL
PSAPI.DLL
KERNEL32.dll

.exe_1728_rwx_00667000_00004000:

KERNEL32.dll
ole32.dll

.exe_1728_rwx_0066D000_00002000:

.LockResource
USER32.dll
SetWindowsHookExA
GetKeyState
ÞleteMenu
CreateDialogIndirectParamA
GDI32.dll
UnhookWindowsHookEx
/6!GetViewportExtEx
SetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
OffsetViewportOrgEx
GetProcessHeap
GetViewportOrgEx
WINSPOOL.DRV

.exe_1728_rwx_00B50000_0001D000:

iphlpapi.dll
AllocateAndGetTcpExTable2FromStack
AllocateAndGetTcpExTableFromStack
AllocateAndGetTcpTableFromStack
AllocateAndGetUdpExTable2FromStack
AllocateAndGetUdpExTableFromStack
AllocateAndGetUdpTableFromStack
GetExtendedTcpTable
GetExtendedUdpTable
GetOwnerModuleFromTcp6Entry
GetOwnerModuleFromTcpEntry
GetOwnerModuleFromUdp6Entry
GetOwnerModuleFromUdpEntry
GetTcpExTable2FromStack
GetTcpStatistics
GetTcpStatisticsEx
GetTcpStatsFromStack
GetTcpStatsFromStackEx
GetTcpTable
GetTcpTableFromStack
GetUdpExTable2FromStack
GetUdpStatistics
GetUdpStatisticsEx
GetUdpStatsFromStack
GetUdpStatsFromStackEx
GetUdpTable
GetUdpTableFromStack
InternalGetTcpTable
InternalGetUdpTable
InternalSetTcpEntry
SetTcpEntry
SetTcpEntryToStack
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
\Device\NetBT_Tcpip_
%d.%d.%d.%d
\\.\Ip
TCP/IP not bound to any adapters
Cannot access adapter bindings registry key
TCP/IP is not running on this system
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
PSSSSh8
wsock32.dll
\\.\Ip6
SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\
advapi32.dll
PSSSSh
uùH
{lX-X-X-XX-XXXXXX}
DHCPCSVC.DLL
MPRAPI.dll
netman.dll
ole32.dll
PSAPI.DLL
RASAPI32.dll
ADVAPI32.dll
KERNEL32.dll
msvcrt.dll
ntdll.dll
USER32.dll
WS2_32.dll
RegOpenKeyExA
RegOpenKeyExW
RegCloseKey
GetProcessHeap
iphlpapi.pdb
MS TCP Loopback interface
1!2C2V2
\Device\Tcp6
\Device\Tcp
rundll32.exe
wininet.dll
ipnathlp.dll
ntoskrnl.exe
RPCRT4.dll
ws2_32.dll
\DEVICE\TCPIP_
svchost.exe
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection
\ras\router.pbk
router.pbk
System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces
5.1.2600.5512 (xpsp.080413-0852)
Windows
Operating System
5.1.2600.5512
Destination port unreachable.
Parallel Port
ATM Logical Port
ISO 802.5r DTR$Ext Position Locaction Report System Appletalk Remote Access Protocol#Proprietary Connectionless Protocol
IBM multi-proto channel support
Transport HDLP

.exe_1728_rwx_00C90000_000B0000:

ntdll.dll
LdrQueryImageFileExecutionOptions
NtAcceptConnectPort
NtCompactKeys
NtCompleteConnectPort
NtCompressKey
NtConnectPort
NtCreateKey
NtCreateKeyedEvent
NtCreateNamedPipeFile
NtCreatePort
NtCreateWaitablePort
NtDelayExecution
NtDeleteKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateValueKey
NtFlushKey
NtImpersonateClientOfPort
NtListenPort
NtLoadKey
NtLoadKey2
NtLockProductActivationKeys
NtLockRegistryKey
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtOpenKey
NtOpenKeyedEvent
NtQueryInformationPort
NtQueryKey
NtQueryMultipleValueKey
NtQueryOpenSubKeys
NtQueryPortInformationProcess
NtQueryValueKey
NtRegisterThreadTerminatePort
NtReleaseKeyedEvent
NtRenameKey
NtReplaceKey
NtReplyPort
NtReplyWaitReceivePort
NtReplyWaitReceivePortEx
NtReplyWaitReplyPort
NtRequestPort
NtRequestWaitReplyPort
NtRestoreKey
NtSaveKey
NtSaveKeyEx
NtSaveMergedKeys
NtSecureConnectPort
NtSetDefaultHardErrorPort
NtSetInformationKey
NtSetThreadExecutionState
NtSetValueKey
NtUnloadKey
NtUnloadKeyEx
NtWaitForKeyedEvent
NtYieldExecution
RtlCheckRegistryKey
RtlComputeImportTableHash
RtlCreateRegistryKey
RtlEnumProcessHeaps
RtlFormatCurrentUserKeyPath
RtlGetProcessHeaps
RtlQueryProcessHeapInformation
RtlValidateProcessHeaps
RtlpNtCreateKey
RtlpNtEnumerateSubKey
RtlpNtMakeTemporaryKey
RtlpNtOpenKey
RtlpNtQueryValueKey
RtlpNtSetValueKey
ZwAcceptConnectPort
ZwCompactKeys
ZwCompleteConnectPort
ZwCompressKey
ZwConnectPort
ZwCreateKey
ZwCreateKeyedEvent
ZwCreateNamedPipeFile
ZwCreatePort
ZwCreateWaitablePort
ZwDelayExecution
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwFlushKey
ZwImpersonateClientOfPort
ZwListenPort
ZwLoadKey
ZwLoadKey2
ZwLockProductActivationKeys
ZwLockRegistryKey
ZwNotifyChangeKey
ZwNotifyChangeMultipleKeys
ZwOpenKey
ZwOpenKeyedEvent
ZwQueryInformationPort
ZwQueryKey
ZwQueryMultipleValueKey
ZwQueryOpenSubKeys
ZwQueryPortInformationProcess
ZwQueryValueKey
ZwRegisterThreadTerminatePort
ZwReleaseKeyedEvent
ZwRenameKey
ZwReplaceKey
ZwReplyPort
ZwReplyWaitReceivePort
ZwReplyWaitReceivePortEx
ZwReplyWaitReplyPort
ZwRequestPort
ZwRequestWaitReplyPort
ZwRestoreKey
ZwSaveKey
ZwSaveKeyEx
ZwSaveMergedKeys
ZwSecureConnectPort
ZwSetDefaultHardErrorPort
ZwSetInformationKey
ZwSetThreadExecutionState
ZwSetValueKey
ZwUnloadKey
ZwUnloadKeyEx
ZwWaitForKeyedEvent
ZwYieldExecution
?SsHd
>SsHd
secserv.dll
.aspack
.pcle
.sforce
|BaseProcessInitPostImport
.txt2
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ
LDR: %s - failing because LdrpLoadDll(%wZ) returned status %x
LDR: %s - Exception lx thrown running initialization routines for %wZ
LDR: exception lx thrown within function %s
|_CorExeMain
Invalid flags (x) specified to RtlCreateHeap
LDR: LdrpWalkImportDescriptor() failed to probe %wZ for its manifest, ntstatus 0xlx
LDR: %s - failed to allocate dynamic array of %u DLL initializers to run
[%x,%x] LDR: Real INIT LIST for process %wZ pid %u 0x%x
[%x,%x] %wZ init routine %p
[%x,%x] LDR: %wZ loaded
[%x,%x] LDR: calling init routine %p for DLL_PROCESS_ATTACH
[%x,%x] LDR: DLL_PROCESS_ATTACH for dll "%wZ" (InitRoutine: %p) failed
LDR: %s - caught exception lx snapping thunks (#1)
LDR: %s - caught exception lx snapping thunks (#2)
LDR: TlsVector %x Index %d = %x copied from %x to %x
LDR: %s - caught exception lx calling TLS callbacks
Failed to initialize a new segment (%x)
Abandoning uncommitted range (%x for %x)
Failing creating uncommitted range (%x for %x)
NAME - %s
LDR: %s - Exception %x thrown by LdrpRunInitializeRoutines
LDR: %s - caught exception lx while checking image checksums
LDR: %s - Caught exception lx
(%d) [%ws] %ws (%lx) deinit %lx
LDR: %s - exception lx caught while sending DLL_PROCESS_DETACH
LDR: %s - Dll name missing extension; with extension added the length is too long
DllName->Length: %u
LDR: %s - Exception %x thrown by LdrpWalkImportDescriptor
LDR: Unloading %wZ due to error %x walking import descriptors
LDR: Unloading %wZ because either its init routine or one of its static imports failed; status = 0xlx
LDR: failed to load mscoree.dll, status=%x
LDR: PID: 0x%x finished - '%wZ'
LDR: %s - failing because we were unable to map the image base address (%p) to the PIMAGE_NT_HEADERS
LDR: PID: 0x%x started - '%wZ'
LDR: Stack trace database size is %u Mb
LDR: %s - unable to create process heap
LDR: %s failing process initialization due to inability to create loader private heap.
LDR: %s - failed call to NtQuerySymbolicLinkObject with status %x
LDR: %s - unable to allocate current working directory buffer
LDR: %s - failed to allocate PEB_LDR_DATA
LDR: %s - failing process initialization due to inability allocate "%wZ"'s LDR_DATA_TABLE_ENTRY
LDR: %s - failing process initialization due to inability to allocate NTDLL's LDR_DATA_TABLE_ENTRY
LDR: %s - unable to set current directory to "%wZ"; status = %x
LDR: %s - unable to set current directory to NtSystemRoot; status = %x
LDR: %s - unable to allocate heap for the image's .local path
LDR: Unable to load kernel32.dll. Status=%x
LDR: Failed to find post-import process init function in kernel32; ntstatus 0xlx
LDR: %s - call to LdrpWalkImportDescriptor failed with status %x
LDR: %s - call to LdrpSetProtection(%p, FALSE, TRUE) failed with status %x
LDR: %s - call to LdrRelocateImage failed with status %x
LDR: %s - call to LdrpSetProtection(%p, TRUE, TRUE) failed with status %x
LDR: %s - failed to initialize TLS slots; status %x
LDR: %s - Failed running kernel32 post-import function; status 0xlx
LDR: %s - Failed running initialization routines; status %x
LDR: %s - failed call to NtOpenSymbolicLinkObject with status %x
LDR: ***NONFATAL*** %s - call to NtDelayExecution waiting on loader lock failed; ntstatus = %x
LDR: %s - Call to NtQueryVirtualMemory failed with ntstaus %x
LDR: %s - call to LdrpInitializeProcess() failed with ntstatus %x
because path search required %u bytes
LDR: %s - NtOpenFile failed; status = %x
LDR: %s %wZ (%lx)
LDR: %s call to RtlComputePrivatizedDllName_U() failed with status %lx
LDR: %s calling LdrpCopyUnicodeString() failed; exiting with status %lx
LDR: %s failed calling LdrpResolveDllNameForAppPrivateRediretion with status %lx
LDR: %s failed call to LdrpCopyUnicodeString() in redirected case; status = %lx
LDR: %s - call to RtlDosSearchPath_U failed
LDR: LdrResolveDllName - Failing resolution because found path too long (%u bytes; max is %u bytes)
LDR: %s - failed to allocate string for full dll name; length requested: %u
LDR: %s - Required path length required for %ws changed from %lu to %lu; try launching the app again.
LDR: %s - failing because RtlFindCharInUnicodeString failed with status %x
LDR: %s - call back to app compat redirection function @ %p (cb data: %p) failed with status %x
LDR: %s - call to LdrpCheckForKnownDll("%ws", ...) failed with status %x
LDR: %s - call to LdrpResolveDllName on dll "%ws" failed with status %x
LDR: Loading (%s, %s) %wZ
LDR: %s - call to RtlDosPathNameToNtPathName_U on path "%wZ" failed; returning status %x
LDR: %s - LdrpCreateDllSection (%wZ) failed with status %x
LDR: %s - failed to map view of section; status = %x
LDR: %s - unable to map ViewBase (%p) to image headers; failing with status %x
LDR: %s - failed to allocate new data table entry for %p
[%x,%x] LDR: Failed to map view of section; ntstatus = %x
[%x,%x] LDR: %s - NtMapViewOfSection on no reloc needed dll failed with status %x
LdrpLoadImportModule
LDR: %s - RtlDosApplyFileIsolationRedirection_Ustr failed with status %x
LDR: %s - LdrpMapDll(%p, %ls, NULL, TRUE, %d, %p) failed with status %x
LDR: %s - LdrpWalkImportDescriptor [dll %ls] failed with status %x
LDR: %wZ bound to %s
LDR: %wZ failed to load import module %s; status = %x
LDR: %wZ has correct binding to %s
LDR: %wZ has stale binding to %s
LDR: %wZ bound to %s via forwarder(s) from %wZ
LDR: LdrpWalkImportTable - failing with STATUS_OBJECT_NAME_INVALID due to no import descriptor name
LDR: Stale Bind %s from %wZ
LDR: LdrpWalkImportTable - LdrpSnapIAT failed with status %x
LDR: %s used by %wZ
LDR: LdrpWalkImportTable - LdrpLoadImportModule failed on import %s with status %x
LDR: Snapping imports for %wZ from %s
LDR: LdrpWalkImportTable - LdrpSnapIAT #2 failed with status %x
Execute '.cxr %p' to dump context
RTL: Acquire Shared Sem Timeout %d(%I64u secs)
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)
RTL: Convert Exclusive Sem Timeout %d (%I64u secs)
RTL: Enter Critical Section Timeout (%I64u secs) %d
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu
SXS: %s() passed the empty activation context data
SXS: %s() called with invalid flags 0xlx
SXS: %s() called with invalid cookie type 0xI64x
SXS: %s() called with invalid cookie tid 0xI64x - should be lx
SXS: %s() Active frame is not the frame being deactivated %p != %p
SXS/RTL: Extended TOC section TOC %d (offset: %ld, size: %u) is outside activation context data bounds (%lu bytes)
SXS/RTL: Extended TOC entry array (starting at offset %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
SXS/RTL: TOC entry array (offset: %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0xlx.
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0xlx.
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.
SXS: String hash table entry at %p has invalid key offset (= %ld)
8SsHdu
SXS: %s() received invalid non-zero sub-instance index %lu
SXS: %s() found activation context data at %p with assembly roster that has no root
SXS: %s() - Caller passed invalid flags (0xlx)
SXS: %s() - Caller passed meaningless flags/class combination (0xlx/0xlx)
SXS: %s() - caller asked for unknown information class %lu
SXS: %s() - caller passed nonzero buffer length but NULL buffer pointer
SXS: %s() - caller supplied no buffer to populate and no place to return required byte count
SXS: %s() - Caller asked to use activation context from address in .dll but passed NULL
SXS: %s() - Caller passed invalid address, not in any .dll (%p)
SXS: %s() - Caller asked to use activation context from hmodule but passed NULL
SXS: %s() - Caller passed invalid hmodule (%p)
SXS: %s() - caller asked to use active activation context but passed %p
SXS: %s() - internal coding error; missing switch statement branch for InfoClass == %lu
SXS: Unable to expand %%SystemRoot%%\WinSxS\ Status = 0x08lx
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0xlx
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0xlx
SXS: Unable to open registry key %wZ Status = 0xlx
SXS: %s() bad parameters:
SXS: %s() bad parameters
SXS: StorageLocation->Length: 0x%x
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.
SXS: Attempt to translate DOS path name "%S" to NT format failed
SXS: Unable to open assembly directory under storage root "%S"; Status = 0xlx
SXS: %s() passed the empty activation context
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx
d:\xpsp\base\ntdll\sxsisol.cpp
rUS.Length <= This->PrivatePreallocatedString->MaximumLength
[%x.%x] SXS: %s - Relative redirection plus env var expansion.
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)
%s: %s() failed 0x%lx
%s: OldBase : %p
%s: NewBase : %p
%s: Diff : 0x%I64x
%s: NextOffset : %p
%s: *NextOffset : 0x%x
%s: SizeOfBlock : 0x%lx
Heap missing last entry in committed range near %x
RTL: Expand variables for %wZ failed - Status == %lx Size %x > %x <%x>
RtlpCallQueryRegistryRoutine: skipping expansion. Status=%x RequiredLength=%x
RtlpCallQueryRegistryRoutine: skipping environment expansion. ValueLength=%x
RtlQueryRegistryValues: Miscomputed buffer size at line %d
Invalid heap signature for heap at %x
, passed to %s
Unable to release memory at %p for %p bytes - Status == %x
ProcessHeapsListIndex
i9\\.\WMIDataDevice
Set 0x%X protection for %p section for %d bytes, old protection 0x%X
CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X
LDR: %s - exception lx caught while copying %u bytes from %p to %p
Last checkpoint: %s line %d
NTDLL: Calling thread (%X) not owner of CritSect: %p Owner ThreadId: %X
AVRF: chain: thunk: %s == %s ?
AVRF: Found duplicate for (%ws: %s) in %ws
AVRF: Checking %ws for duplicate (%ws: %s)
AVRF: Chaining (%ws: %s) to %ws
AVRF: Unable to unprotect IAT to modify thunks (status X).
AVRF:SilviuC: New thunk for %s is null.
AVRF: Snapped (%ws: %s) with (%ws: %p).
AVRF: found verified export %s @ %p
AVRF: failed to enable handle checking (status %X)
VERIFIER INTERNAL ERROR %p: pid 0x%X: %s
%p : %s
VERIFIER INTERNAL WARNING %p: pid 0x%X: %s
VERIFIER STOP %p: pid 0x%X: %s
Page heap: found %s @ address %p
Page heap: detected CRT heap @ %p
AVRF: %ws: failed to load provider `%ws' (status X) from %ws
AVRF: provider %ws passed an invalid descriptor @ %p
AVRF: pid 0x%X: found dll descriptor for `%ws' with verified exports
Snapped (%ws) operator new ...
Snapped (%ws) operator delete ...
Snapped (%ws) operator new[] ...
Snapped (%ws) operator delete[] ...
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.
SsHd;
SXS: %s() passed string section at %p only %lu bytes long; that's not even enough for the 4-byte magic and 4-byte header length!
SXS: %s() found assembly information section with wrong magic value
SXS: %s() passed string section at %p claims %lu byte header size; that doesn't even include the HeaderSize member!
SXS: %s() passed string section at %p with too small of a header
SXS: %s() found assembly information section with element list overlapping section header
SXS: %s() found assembly information section with search structure overlapping section header
SXS: %s() found assembly information section with user data overlapping section header
SXS: %s() found assembly information section with user data too small
SXS: %s() found assembly information section with user data extending beyond section data
SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context
SXS: %s() received invalid file index (%d) in Assembly (%d)
|SXS: Unable to open storage root subkey %wZ; Status = 0xlx
SXS: Unabel to query location from storage root subkey %wZ; Status = 0xlx
*** Assertion failed: %s%s
*** %s%s%sSource File: %s, line %ld
VirtualQuery Failed 0xx %x
VirtualProtect Failed 0xx %x
::%hs%u.%u.%u.%u
::ffff:0:%u.%u.%u.%u
:%u.%u.%u.%u
%u.%u.%u.%u
>%u}F
Trace database: failing attempt to save biiiiig trace (size %u)
*** Unhandled exception 0xlx, hit in %ws:%s
*** A stack buffer overrun occurred in %ws:%s
The stack trace should show the guilty function (the function directly above __report_gsfailure).
*** Resource timeout (%p) in %ws:%s
The resource is owned exclusively by thread %x
The resource is owned shared by %d threads
*** Critical Section Timeout (%p) in %ws:%s
The critical section is owned by thread %x.
*** Inpage error in %ws:%s
This failed because of error %x.
This means that the I/O device reported an I/O error. Check your hardware.
*** An Access Violation occurred in %ws:%s
The instruction at %p tried to %s
*** enter .exr %p for the exception record
*** enter .cxr %p for the context
*** Restarting wait on critsec or resource at %p (in %ws:%s)
.hotp1
I64X: VA64 6I64X -> 6I64X %s
I64X: PC32 X -> X (target X) %s
I64X: VA32 X -> X %s
None%s
Validation failed for global range %u of %u
I64X: jmp X (PC X) {
Inserting %u hooks into target image
Header too large (%u>%u) for copy/normalize/validate
PAGE_EXECUTE
0xX
PAGE_EXECUTE_WRITECOPY
PAGE_EXECUTE_READWRITE
PAGE_EXECUTE_READ
Page heap: Failed changing VM at X size 0x%X
from %s to %s (Status X)
Exception record (.exr on 1st word, .cxr on 2nd word)
Page heap: pid 0x%X: vm limit: vspace: disabling full page heap
Page heap: pid 0x%X: vm limit: pfile: disabling full page heap
Page heap: pid 0x%X: vm limit: reenabling full page heap
Page heap: enabling fault injection for process 0x%X
Page heap: assert: (SystemInfo.PageSize == PAGE_SIZE)
Page heap: assert: (SystemInfo.AllocationGranularity == VM_UNIT_SIZE)
HEAP %p (Seg %p) At %p Error: %s
Heap %x - headers modified (%x is %x instead of %x)
This is located in the %s field of the heap header.
Heap block at %p is not last block in segment (%x)
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)
Heap entry %p is beyond uncommited range [%x .. %x)
Heap entry %p has incorrect PreviousSize field (x instead of x)
Heap block at %p has incorrect segment index (%x)
Heap block at %p does not match address of next uncommitted address (%x)
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)
Invalid Address specified to %s( %p, %p )
dedicated (x) free list empty but marked as non-empty
dedicated (x) free list non-empty but marked as empty
dedicated (x) free list element %p is marked busy
Dedicated (x) free list element %p is wrong size (x)
Non-Dedicated free list element %p with too small size (x)
Pseudo Tag x size incorrect (%x != %x) %x
Tag x (%ws) size incorrect (%x != %x) %x
May not destroy the process heap at %x
Just allocated block at %p for 0x%x bytes
Just allocated block at %p for 0x%x bytes with tag %ws
Invalid allocation size - %p (exceeded %x)
About to reallocate block at %p to 0x%x bytes
About to rellocate block at %p to 0x%x bytes with tag %ws
Just reallocated block at %p to 0x%x bytes
Just reallocated block at %p to 0x%x bytes with tag %ws
ntdll.pdb
: :$:(:,:
2-3}6
:&: :6:?:
3 3(3.343]3
5_5P5
2#3 3;3^3|3
1(1/161@1
5 5$505?6
&0\00181<1\1
\\.\CON
{lx-x-x-xx-xxxxxx}
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
kernel32.dll
user32.dll
.Local\
%SystemRoot%\WinSxS\
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
.Local
ApiPort
!CSRPORT
CSRPORT!
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\User\.Default
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
\bootstat.dat
\system32\mscoree.dll
mscoree.dll
DebugProcessHeapOnly
\WindowsSS
%%%u!%s!
\\?\UNC\
\\?\UNC
ADVAPI32.DLL
"/\[]:|<> =;,?*
Objects>%4u
Objects=%4u
verifier.dll
msvcrt.dll
ole32.dll
Software\Microsoft\Windows\CurrentVersion
\system32\kernel32.dll
%s_%d
lX-X-X-XX-XXXXXX
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\NetworkCards
%ws\%u
\Registry\Machine\Hardware\DeviceMap\Scsi\Scsi Port %d\Scsi Bus %d\Target ID %d\Logical Unit Id %d
\Device\Harddisk%d\Partition0
5.1.2600.5512 (xpsp.080413-2111)
Windows
Operating System
5.1.2600.5512
The operation that was requested is pending completion.
An open/create operation completed while an oplock break is underway.
{Connect Failure on Primary Transport}
An attempt was made to connect to the remote server %hs on the primary transport, but the connection failed.
The computer WAS able to connect on a secondary transport.
Cached page was locked during operation.
An operation is blocked waiting for an oplock.
{Local Session Key}
A user session key was requested for a local RPC connection. The session key returned is a constant value and not unique to this connection.
A serial I/O operation was completed by another write to a serial port.
A serial I/O operation completed because the time-out period expired.
{Password Too Complex}
The Windows password is too complex to be converted to a LAN Manager password.
The LAN Manager password returned is a NULL string.
The network transport returned partial data to its client. The remaining data will be sent later.
The network transport returned data to its client that was marked as expedited by the remote system.
The network transport returned partial data to its client and this data was marked as expedited by the remote system. The remaining data will be sent later.
The specified registry key is referenced by a predefined handle.
A yield execution was performed and no thread was available to run.
The operating system will currently accept only 16-bit (R2) pc-cards on this controller.
The CPUs in this multiprocessor system are not all the same revision level. To use all processors the operating system restricts itself to the features of the least capable processor in the system. Should problems occur with this system, contact
the CPU manufacturer to see if this mix of processors is supported.
A single step or trace operation has just been completed.
Handles to objects have been automatically closed as a result of the requested operation.
During the translation of a global identifier (GUID) to a Windows security ID (SID), no administratively-defined GUID prefix was found.
The media has changed and a verify operation is in progress so no reads or writes may be performed to the device, except those used in the verify operation.
No more entries are available from an enumeration operation.
A long jump has been executed.
The Plug and Play query operation was not successful.
A frame consolidation has been executed.
The device has indicated that it's door is open. Further operations require it closed and secured.
{Operation Failed}
The requested operation was unsuccessful.
The requested operation is not implemented.
The instruction at "0xlx" referenced memory at "0xlx". The memory could not be "%s".
An invalid parameter was passed to a service or function.
The specified request is not a valid operation for the target device.
The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.
Not enough virtual memory or paging file quota is available to complete the specified operation.
An attempt was made to execute an illegal instruction.
An attempt was made to execute an invalid lock sequence.
There is a mismatch between the type of object required by the requested operation and the type of object that is specified in the request.
Windows cannot continue from this exception.
An invalid or unaligned stack was encountered during an unwind operation.
An invalid unwind target was encountered during an unwind operation.
Device parity error on I/O operation.
Invalid Object Attributes specified to NtCreatePort or invalid Port Attributes specified to NtConnectPort
Length of message passed to NtRequestPort or NtRequestWaitReplyPort was longer than the maximum message allowed by the port.
Attempt to send a message to a disconnected communication port.
The NtConnectPort request is refused.
The type of port handle is invalid for the operation requested.
Insufficient quota exists to complete the operation
An attempt to set a processes DebugPort or ExceptionPort was made, but a port already exists in the process.
An operation involving EAs failed because the file system does not support EAs.
An EA operation failed because EA set is too large.
An EA operation failed because the name or EA index is invalid.
A non close operation has been requested of a file object with a delete pending.
An attempt was made to set the control attribute on a file. This attribute is not supported in the target file system.
An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
Indicates the requested operation would disable or delete the last remaining administration account.
When trying to update a password, this return status indicates that the value provided as the current password is not correct.
When trying to update a password, this return status indicates that the value provided for the new password contains values that are not allowed in passwords.
When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.
The user account's password has expired.
The application or DLL %hs is not a valid Windows image. Please check this against your installation diskette.
An operation failed because the disk was full.
Floating-point denormal operand.
Floating-point invalid operation.
An attempt was made to install more paging files than the system supports.
An attempt was made to execute an instruction at an unaligned address and the host system does not support unaligned instruction references.
The maximum named pipe instance count has been reached.
An instance of a named pipe cannot be found in the listening state.
The named pipe is not in the connected or closing state.
The specified pipe is set to complete operations and there are current I/O operations queued so it cannot be changed to queue operations.
The specified handle is not open to the server end of the named pipe.
The specified named pipe is in the disconnected state.
The specified named pipe is in the closing state.
The specified named pipe is in the connected state.
The specified named pipe is in the listening state.
The specified named pipe is not in message mode.
The specified I/O operation on %hs was not completed before the time-out period expired.
The passed ACL did not contain the minimum required information.
The request is not supported.
Indicates an attempt was made to operate on the security of an object that does not have security associated with it.
Used to indicate that an operation cannot continue without blocking for I/O.
Used to indicate that a read operation was done on an empty pipe.
Indicates the Sam Server was in the wrong state to perform the desired operation.
Indicates the Domain was in the wrong state to perform the desired operation.
This operation is only allowed for the Primary Domain Controller of the domain.
This error indicates that the requested operation cannot be completed due to a catastrophic media failure or on-disk data structure corruption.
An invalid parameter was passed to a service or function as the first argument.
An invalid parameter was passed to a service or function as the second argument.
An invalid parameter was passed to a service or function as the third argument.
An invalid parameter was passed to a service or function as the fourth argument.
An invalid parameter was passed to a service or function as the fifth argument.
An invalid parameter was passed to a service or function as the sixth argument.
An invalid parameter was passed to a service or function as the seventh argument.
An invalid parameter was passed to a service or function as the eighth argument.
An invalid parameter was passed to a service or function as the ninth argument.
An invalid parameter was passed to a service or function as the tenth argument.
An invalid parameter was passed to a service or function as the eleventh argument.
An invalid parameter was passed to a service or function as the twelfth argument.
A malformed function table was encountered during an unwind operation.
The logon session is not in a state that is consistent with the requested operation.
Indicates that an attempt has been made to impersonate via a named pipe that has not yet been read from.
Indicates that the transaction state of a registry sub-tree is incompatible with the requested operation.
This error should only be returned by the Windows redirector on a remote drive.
Indicates an operation has been attempted on a built-in (special) SAM account which is incompatible with built-in accounts.
The operation requested may not be performed on the specified group because it is a built-in special group.
The operation requested may not be performed on the specified user because it is a built-in special user.
An I/O request other than close and several other special case operations was attempted using a file object that had already been closed.
An attempt was made to operate on a thread within a specific process, but the thread specified is not in the process specified.
Your system is low on virtual memory. To ensure that Windows runs properly, increase the size of your virtual memory paging file. For more information, see Help.
The specified image file did not have the correct format, it appears to be a 16-bit Windows image.
The SAM database on a Windows Server is significantly out of synchronization with the copy on the Domain Controller. A complete synchronization is required.
The NtCreateFile API failed. This error should never be returned to an application, it is a place holder for the Windows Lan Manager Redirector to use in its internal error mapping routines.
The network transport on your computer has closed a network connection. There may or may not be I/O requests outstanding.
The network transport on a remote computer has closed a network connection. There may or may not be I/O requests outstanding.
The network transport on your computer has closed a network connection because it had to wait too long for a response from the remote computer.
The connection handle given to the transport was invalid.
The address handle given to the transport was invalid.
The exception %s (0xlx) occurred in the application at location 0xlx.
An invalid level was passed into the specified system call.
{Incorrect Password to LAN Manager Server}
You specified an incorrect password to a LAN Manager 2.x or MS-NET server.
The pipe operation has failed because the other end of the pipe has been closed.
An I/O operation initiated by the Registry failed unrecoverably.
An event pair synchronization operation was performed using the thread specific client/server event pair object, but no event pair object was associated with the thread.
The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department export restrictions.
The length of a secret exceeds the maximum length allowed. The length and number of secrets is limited to satisfy United States State Department export restrictions.
The requested operation cannot be performed in fullscreen mode.
An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password.
A Windows Server has an incorrect configuration.
The floppy disk controller reported an error that is not recognized by the floppy disk driver.
While accessing the hard disk, a recalibrate operation failed, even after retries.
While accessing the hard disk, a disk operation failed even after retries.
Two concurrent opens of devices that share an IRQ and only work via interrupts is not supported for the particular bus type that the devices use.
Illegal operation attempted on a registry key which has been marked for deletion.
An attempt was made to change a user password in the security account manager without providing the necessary LM cross-encrypted password.
An attempt was made to create a symbolic link in a registry key that already has subkeys or values.
An attempt was made to create a Stable subkey under a Volatile parent key.
The I/O device reported an I/O error.
Log file space is insufficient to support this operation.
A write operation was attempted to a volume after it was dismounted.
The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
There is no user session key for the specified logon session.
The size of the buffer is invalid for the specified operation.
The transport rejected the network address specified as invalid.
The transport rejected the network address specified due to an invalid use of a wildcard.
The transport address could not be opened because all the available addresses are in use.
The transport address could not be opened because it already exists.
The transport address is now closed.
The transport connection is now disconnected.
The transport connection has been reset.
The transport cannot dynamically acquire any more nodes.
The transport aborted a pending transaction.
The transport timed out a request waiting for a response.
The transport did not receive a release for a pending response.
The transport did not find a transaction matching the specific
The transport had previously responded to a transaction request.
The transport does not recognized the transaction request identifier specified.
The transport does not recognize the transaction request type specified.
The transport can only process the specified request on the server side of a session.
The transport can only process the specified request on the client side of a session.
The %hs system process terminated unexpectedly with a status of 0xx (0xx 0xx).
Windows was unable to save all the data for the file %hs. The data has been lost.
The parameter(s) passed to the server in the client/server shared memory window were invalid. Too much data may have been put in the shared memory window.
The user's password must be changed before logging on the first time.
Internal OFS status codes indicating how an allocation operation is handled. Either it is retried after the containing onode is moved or the extent stream is converted to a large stream.
The attempt to find the object found an object matching by ID on the volume but it is out of the scope of the handle used for the operation.
The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
The transport connection attempt was refused by the remote system.
The transport connection was gracefully closed.
The transport endpoint already has an address associated with it.
An address has not yet been associated with the transport endpoint.
An operation was attempted on a nonexistent transport connection.
An invalid operation was attempted on an active transport connection.
The remote network is not reachable by the transport.
The remote system is not reachable by the transport.
The remote system does not support the transport protocol.
No service is operating at the destination port of the transport on the remote system.
The transport connection was aborted by the local system.
The requested operation cannot be performed on a file with a user mapped section open.
Attempting to login during an unauthorized time of day for this account.
The account is not authorized to login from this station.
The entrypoint should be declared as WINAPI or STDCALL. Select YES to fail the DLL load. Select NO to continue execution. Selecting NO may cause the application to operate incorrectly.
The callback entrypoint should be declared as WINAPI or STDCALL. Selecting OK will cause the service to continue operation. However, the service process may operate incorrectly.
The contacted server does not support the indicated part of the DFS namespace.
A callback return system service cannot be executed when no callback is active.
The password provided is too short to meet the policy of your user account.
Please choose a longer password.
The policy of your user account does not allow you to change passwords too frequently.
This is done to prevent users from changing back to a familiar, but potentially discovered, password.
If you feel your password has been compromised then please contact your administrator immediately to have a new one assigned.
You have attempted to change your password to one that you have used in the past.
The policy of your user account does not allow this. Please select a password that you have not previously used.
The specified compression format is unsupported.
An attempt was made to create more links on a file than the file system supports.
{Windows Evaluation Notification}
The evaluation period for this installation of Windows has expired. This system will shutdown in 1 hour. To restore access to this installation of Windows, please upgrade this installation using a licensed distribution of this product.
The relocation occurred because the DLL %hs occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.
Error Status was 0x%x
An operation was attempted to a volume after it was dismounted.
There was no match for the specified key in the index.
The Windows I/O reparse tag passed for the NTFS reparse point is invalid.
The Windows I/O reparse tag does not match the one present in the NTFS reparse point.
The user data passed for the NTFS reparse point is invalid.
There are no EFS keys defined for the user.
The specified file is not in the defined EFS export format.
The guid passed was not recognized as valid by a WMI data provider.
The instance name passed was not recognized as valid by a WMI data provider.
The data item id passed was not recognized as valid by a WMI data provider.
The remote storage service is not operational at this time.
The requested operation could not be performed because the directory service is not the master for that type of operation.
The requested operation did not satisfy one or more constraints associated with the class of the object.
The directory service can perform the requested operation only on a leaf object.
The directory service cannot perform the requested operation on the Relatively Defined Name (RDN) attribute of an object.
An error occurred while performing a cross domain move operation.
The requested operation requires a directory service, and none was available.
The requested interface is not supported.
The driver %hs does not support standby mode. Updating this driver may allow the system to go to standby mode.
Mutual Authentication failed. The server's password is out of date at the domain controller.
Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file.
The medium changer's transport element contains media, which is causing the operation to fail.
Error Status: 0x%x.
This operation is supported only when you are connected to the server.
The system image %s is not properly signed.
Current device power state cannot support this request.
The WMI operation is not supported by the data block or method.
There is not enough power to complete the requested operation.
Security Account Manager needs to get the boot password.
Security Account Manager needs to get the boot key from floppy disk.
The requested operation can be performed only on a global catalog server.
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
This operation can not be performed on the current domain.
The other end of the security negotiation is requires strong crypto but it is not supported on the local machine.
The client cert name does not matches the user name or the KDC name is incorrect.
The encryption type requested is not supported by the KDC.
This operation is not supported on a Microsoft Small Business Server
The Master File Table on the volume is too fragmented to complete this operation.
Copy protection error - The given sector does not contain a valid key.
Copy protection error - DVD session key not established.
The kerberos protocol encountered an error while validating the KDC certificate during smartcard Logon
The transport determined that the remote system is down.
An unsupported preauthentication mechanism was presented to the kerberos package.
The encryption algorithm used on the source file needs a bigger key buffer than the one used on the destination file.
An attempt to remove a processes DebugPort was made, but a port was not already associated with the process.
An attempt to do an operation on a debug port failed because the port is in the process of being deleted.
This version of Windows is not compatible with the behavior version of directory forest, domain or domain controller.
The specified image file did not have the correct format, it appears to be a 32-bit Windows image.
The specified image file did not have the correct format, it appears to be a 64-bit Windows image.
The SID filtering operation removed all SIDs.
The create operation failed because the name contained at least one mount point which resolves to a volume to which the specified device object is not attached.
A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.
The requested key container does not exist on the smart card
The requested certificate does not exist on the smart card
The requested keyset does not exist
The smartcard certificate used for authentication has been revoked.
An untrusted certificate authority was detected While processing the
smartcard certificate used for authentication. Please contact your system
The revocation status of the smartcard certificate used for
The smartcard certificate used for authentication was not trusted. Please
The smartcard certificate used for authentication has expired. Please
The RPC protocol sequence is not supported.
Not enough resources are available to complete this operation.
The RPC server is too busy to complete this operation.
The remote procedure call failed and did not execute.
The transfer syntax is not supported by the RPC server.
The type UUID is not supported.
The name syntax is not supported.
The operation cannot be performed.
No interfaces have been exported.
There is nothing to unexport.
The requested operation is not supported.
A floating point operation at the RPC server caused a divide by zero.
The requested authentication level is not supported.
The error specified is not a valid Windows RPC error code.
Invalid asynchronous RPC call handle for this operation.
A null context handle is passed as an [in] parameter.
The binding handles passed to a remote procedure call do not match.
A null reference pointer was passed to the stub.
Invalid operation on the encoding/decoding handle.
The RPC pipe object is invalid or corrupted.
An invalid operation was attempted on an RPC pipe object.
Unsupported RPC pipe version.
The RPC pipe object has already been closed.
The RPC call completed before all pipes were processed.
No more data is available from the RPC pipe.
A close operation is pending on the Terminal Connection.
The MODEM.INF file was not found.
The modem (%1) was not found in MODEM.INF.
Transport driver error
The requested operation cannot be completed because the Terminal Connection is currently busy processing a connect, disconnect, reset, or delete operation.
An attempt has been made to connect to a session whose video mode is not supported by the current client.
DOS graphics mode is not supported.
The requested operation can be performed only on the system console.
Disconnecting the console session is not supported.
Reconnecting a disconnected session to the console is not supported.
The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.
A node is in the process of joining the cluster.
A cluster join operation is not in progress.
Windows was not able to process the application binding information.
The requested lookup key was not found in any active activation context.
Lack of system resources has required isolated activation to be disabled for the current thread of execution.
The activation context being deactivated is not active for the current thread of execution.

.exe_1728_rwx_00D40000_00092000:

ImmProcessKey
USER32.dll
ActivateKeyboardLayout
ArrangeIconicWindows
CallMsgFilter
CallMsgFilterA
CallMsgFilterW
CascadeChildWindows
CascadeWindows
CliImmSetHotKey
CloseWindowStation
CreateDialogIndirectParamA
CreateDialogIndirectParamAorW
CreateDialogIndirectParamW
CreateWindowStationA
CreateWindowStationW
DisableProcessWindowsGhosting
DisplayExitWindowsWarnings
EnumChildWindows
EnumDesktopWindows
EnumThreadWindows
EnumWindowStationsA
EnumWindowStationsW
EnumWindows
ExitWindowsEx
GetAsyncKeyState
GetKeyNameTextA
GetKeyNameTextW
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
GetKeyboardState
GetKeyboardType
GetProcessWindowStation
LoadKeyboardLayoutA
LoadKeyboardLayoutEx
LoadKeyboardLayoutW
LockWindowStation
MapVirtualKeyA
MapVirtualKeyExA
MapVirtualKeyExW
MapVirtualKeyW
MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx
OemKeyScan
OpenWindowStationA
OpenWindowStationW
RegisterHotKey
SetConsoleReserveKeys
SetKeyboardState
SetProcessWindowStation
SetWindowStationUser
SetWindowsHookA
SetWindowsHookExA
SetWindowsHookExW
SetWindowsHookW
TileChildWindows
TileWindows
UnhookWindowsHook
UnhookWindowsHookEx
UnloadKeyboardLayout
UnlockWindowStation
UnregisterHotKey
VkKeyScanA
VkKeyScanExA
VkKeyScanExW
VkKeyScanW
WINNLSGetIMEHotkey
keybd_event
=.cmd
=.pif
=.lnk
=.com
=.bat
F\ FTP
s.RPRP
tcPV
*9]0t#SSh
u.KKt*
~,SSSh
SSSSh
SSSh$6A~P
6SSSSh
t>SSh`
u"SSh`
ADVAPI32.dll
MSIMG32.dll
POWRPROF.dll
WINSTA.dll
RegCreateKeyExW
RegCloseKey
RegDeleteKeyW
ReportEventW
RegQueryInfoKeyW
GDI32.dll
KERNEL32.dll
ntdll.dll
GetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GetCPInfo
GetSystemWindowsDirectoryW
NtQueryKey
NtEnumerateValueKey
NtYieldExecution
NtCreateKey
NtSetValueKey
NtDeleteValueKey
NtEnumerateKey
NtOpenKey
NtQueryValueKey
user32.pdb
windows.hlp
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
$$$006666
&$%Uooqkezs
['$$#%&(4
2<===@@=
0 00@0[0
0V0
9œ9S9|9
;";&;*;.;2;6;:;
8$8-858E8L8S8Z8a8h8o8v8}8
;(;7;>;};
2$3 363@3
;#<)<4<:<
7 8$8(8,8|8
IMM32.DLL
SETUPAPI.DLL
&%d %ws
Control Panel\Input Method\Hot Keys
Virtual Key
Key Modifiers
kbdus.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\
$winnt$.inf
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Fonts
Keyboard Layout\Preload
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\LastFontSweep
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Type 1 Fonts
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Upgraded Type1
keyboardlayout.ini
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\LastType1Sweep
\Windows\WindowStations
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
\Windows
Keyboard Layout
kbdkor.dll
kbdjpn.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout
imm32.dll
Hot Keys
00000409
x:\...\
OLE32.DLL
%SystemRoot%\System32\user32.dll
Software\Microsoft\Windows\CurrentVersion\Reliability
hh.exe
indicdll.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout\
IgnoreRemoteKeyboardLayout
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Reliability
\snapshot.dll
Windows XP USER API Client DLL
5.1.2600.5512 (xpsp.080413-2105)
Windows
Operating System
5.1.2600.5512
Error Instrument: ProcessName: %1 WindowTitle: %2 MsgCaption: %3 MsgText: %4 CallerModuleName: %5 BaseAddr: %6 ImageSize: %7 ReturnAddr: %8
Zero width &joiner
Zero width &non-joiner
&More Windows...gInsufficient memory to create the bitmap. Close one or more applications to increase available memory.
Op&en Soft Keyboard
Close So&ft Keyboard
Windows
Other people are logged on to this remote computer. Shutting down Windows might cause them to lose data. Also, someone at the remote location will have to restart the computer manually.
Other people are logged on to this computer. Shutting down Windows might cause them to lose data.
Other people are logged on to this computer. Restarting Windows might cause them to lose data.
Hardware: Maintenance (Planned)"Hardware: Installation (Unplanned) Hardware: Installation (Planned)%Operating System: Upgrade (Unplanned)#Operating System: Upgrade (Planned)
-Operating System: Reconfiguration (Unplanned) Operating System: Reconfiguration (Planned)
8A restart or shutdown to service hardware on the system.AA restart or shutdown to begin or complete hardware installation.6A restart or shutdown to upgrade the operating system.CA restart or shutdown to change the operating system configuration.BA restart or shutdown to troubleshoot an unresponsive application.>A restart or shutdown to troubleshoot an unstable application.0A restart or shutdown to service an application. A shutdown or restart for an unknown reason1The computer displayed a blue screen crash event.
The system became unresponsive.GA restart or shutdown to perform planned maintenance on an application.

.exe_1728_rwx_00E40000_000F7000:

KERNEL32.dll
BaseCleanupAppcompatCacheSupport
BaseInitAppcompatCacheSupport
BaseProcessInitPostImport
CallNamedPipeA
CallNamedPipeW
CmdBatNotification
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
CreatePipe
DisconnectNamedPipe
GetCPFileNameFromRegistry
GetCPInfo
GetCPInfoExA
GetCPInfoExW
GetConsoleAliasExesA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleInputExeNameA
GetConsoleInputExeNameW
GetConsoleKeyboardLayoutNameA
GetConsoleKeyboardLayoutNameW
GetConsoleOutputCP
GetDefaultSortkeySize
GetLargestConsoleWindowSize
GetNamedPipeHandleStateA
GetNamedPipeHandleStateW
GetNamedPipeInfo
GetProcessHandleCount
GetProcessHeap
GetProcessHeaps
GetProcessShutdownParameters
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryW
PeekNamedPipe
RegisterWowExec
SetCPGlobal
SetConsoleInputExeNameA
SetConsoleInputExeNameW
SetConsoleKeyShortcuts
SetConsoleMaximumWindowSize
SetConsoleOutputCP
SetNamedPipeHandleState
SetProcessShutdownParameters
SetThreadExecutionState
TransactNamedPipe
VDMConsoleOperation
VDMOperationStarted
WaitNamedPipeA
WaitNamedPipeW
WinExec
NTDLL.RtlAddVectoredExceptionHandler
NTDLL.RtlDecodePointer
NTDLL.RtlDecodeSystemPointer
NTDLL.RtlDeleteCriticalSection
NTDLL.RtlEncodePointer
NTDLL.RtlEncodeSystemPointer
NTDLL.RtlEnterCriticalSection
NTDLL.RtlGetLastWin32Error
NTDLL.RtlAllocateHeap
NTDLL.RtlFreeHeap
NTDLL.RtlReAllocateHeap
NTDLL.RtlSizeHeap
NTDLL.RtlInitializeSListHead
NTDLL.RtlInterlockedFlushSList
NTDLL.RtlInterlockedPopEntrySList
NTDLL.RtlInterlockedPushEntrySList
NTDLL.RtlLeaveCriticalSection
NTDLL.RtlQueryDepthSList
NTDLL.RtlRemoveVectoredExceptionHandler
NTDLL.RtlRestoreLastWin32Error
NTDLL.RtlCaptureContext
NTDLL.RtlCaptureStackBackTrace
NTDLL.RtlFillMemory
NTDLL.RtlMoveMemory
NTDLL.RtlUnwind
NTDLL.RtlZeroMemory
NTDLL.RtlSetCriticalSectionSpinCount
NTDLL.RtlSetLastWin32Error
NTDLL.RtlTryEnterCriticalSection
NTDLL.VerSetConditionMask
DirOperationControl
UrlCanonicalizeW
SHDeleteKeyW
PathCreateFromUrlW
SetProcessWindowStation
OpenWindowStationA
GetProcessWindowStation
EnumDesktopWindows
CloseWindowStation
twain_32.dll
Jt.HH;
midiOutShortMsg
SXS: %s() LdrFindOutOfProcessResource failed; nt status = lx
advapi32.dll
ReportEventW
RegSaveKeyW
RegSaveKeyExW
RegSaveKeyA
RegRestoreKeyW
RegQueryInfoKeyW
RegOpenKeyW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
RegNotifyChangeKeyValue
RegEnumKeyW
RegEnumKeyExW
RegDeleteKeyW
RegCreateKeyW
RegCreateKeyExW
RegCloseKey
ElfReportEventW
CryptExportKey
CryptDestroyKey
\Device\NamedPipe\Win32Pipes.x.x
CM_Open_DevNode_Key
CryptCATCatalogInfoFromContext
SetPortW
EnumPrinterKeyW
EnumPortsW
DeletePrinterKeyW
DeletePortW
ConfigurePortW
AddPortW
ShellExecuteW
ShellExecuteExW
ShellExecuteExA
ShellExecuteA
SHFileOperationW
SHFileOperationA
FindExecutableW
FindExecutableA
ImportPrivacySettings
MprConfigTransportGetInfo
MprConfigTransportGetHandle
MprConfigTransportDelete
MprConfigTransportCreate
MprConfigInterfaceTransportRemove
MprConfigInterfaceTransportGetInfo
MprConfigInterfaceTransportGetHandle
MprConfigInterfaceTransportEnum
MprConfigInterfaceTransportAdd
MprAdminTransportCreate
MprAdminPortGetInfo
MprAdminPortEnum
MprAdminInterfaceTransportAdd
MimeOleParseMhtmlUrl
ImmGetVirtualKey
ImageGetCertificateHeader
ImageGetCertificateData
ImageEnumerateCertificates
GdiplusShutdown
|CAGetCertTypePropertyEx
CAGetCertTypeProperty
CAGetCertTypeKeySpec
CAGetCertTypeFlagsEx
CAGetCertTypeFlags
CAGetCertTypeExtensionsEx
CAGetCertTypeExtensions
CAGetCertTypeExpiration
CAGetCACertificate
CAFreeCertTypeProperty
CAFreeCertTypeExtensions
CAFindCertTypeByName
CAEnumNextCertType
CAEnumCertTypesForCAEx
CAEnumCertTypesForCA
CACountCertTypes
CACloseCertType
CACertTypeAccessCheck
ApphelpCheckExe
WZCPassword2Key
EapcfgNodeFromKey
SetupDiOpenDevRegKey
SetupDiCreateDevRegKeyW
SXS: %s() BasepSxsCreateStreams() failed
winlogon.EXE
PWVSSh
SXS: %s - Failing thread create because RtlActivateActivationContextEx() failed with status lx
SXS: %s - Failing thread create because RtlQueryInformationActivationContext() failed with status lx
SXS: %s - Failing thread create becuase NtQueryInformationThread() failed with status lx
u\SSh
kernel32: No mapping for ImageInformation.Machine == x
TermsrvLogInstallIniFile
TermsrvGetWindowsDirectoryW
TermsrvGetWindowsDirectoryA
SXS: %s failing because RtlQueryInformationActivationContext() returned status lx
SXS: %s - Failure getting active activation context; ntstatus lx
SXS: %s() LdrAccessOutOfProcessResource failed; nt status = lx
SXS: %s() LdrCreateOutOfProcessImage failed
SXS: %s() NtQueryInformationFile failed
SXS: %s() empty lpSource %ls
SXS: %s() Calling csrss server failed
SXS: %s() RtlMultiAppendUnicodeStringBuffer failed
SXS: %s() NtMapViewOfSection failed
SXS: %s() AssemblyDirectory is not null terminated
SXS: %s() BaseDllMapResourceIdW failed
SXS: %s() ACTCTX_FLAG_RESOURCE_NAME_VALID set but lpResourceName == 0
SXS: %s() Bad lpAssemblyDirectory %ls
SXS: %s() Bad lpSource PathType %ls, 0x%lx
SXS: %s() Bad lpAssemblyDirectory PathType %ls, 0x%lx
SXS: %s() bad wProcessorArchitecture 0x%x
SXS: Invalid parameter(s) passed to FindActCtxSection*()
->cbSize = %u
SXS: %s() CsrCaptureMessageMultiUnicodeStringsInPlace failed
QSSSSh
\twain_32.dll
ReportFault
SXS: %s() NtCreateSection() failed
SXS: %s() NtOpenFile(%wZ) failed
SXS: %s() Null %p or size 0x%lx too small
SXS: %s() Bad flags/size 0x%lx/0x%lx
.debug
.reloc
.rsrc1
.rsrc
|wzcsapi.dll
wzcdlg.dll
wtsapi32.dll
ws2_32.dll
wmvcore.dll
wmi.dll
wldap32.dll
wintrust.dll
winsta.dll
winspool.drv
winscard.dll
winmm.dll
wininet.dll
winhttp.dll
version.dll
uxtheme.dll
utildll.dll
usp10.dll
userenv.dll
user32.dll
urlmon.dll
tapi32.dll
syssetup.dll
sti.dll
shsvcs.dll
shlwapi.dll
shell32.dll
shdocvw.dll
sfc.dll
setupapi.dll
secur32.dll
scecli.dll
samlib.dll
rtutils.dll
rpcrt4.dll
regapi.dll
rasman.dll
rasdlg.dll
rasapi32.dll
query.dll
pstorec.dll
psapi.dll
printui.dll
powrprof.dll
pidgen.dll
pautoenr.dll
oleaut32.dll
oleacc.dll
ole32.dll
odbc32.dll
ocmanage.dll
ntmarta.dll
ntlsapi.dll
ntlanman.dll
ntdsapi.dll
ntdsa.dll
netshell.dll
netrap.dll
netplwiz.dll
netman.dll
netcfgx.dll
netapi32.dll
mswsock.dll
mssign32.dll
msrating.dll
msimg32.dll
msi.dll
mshtml.dll
msgina.dll
mscat32.dll
msacm32.dll
mprui.dll
mprapi.dll
mpr.dll
mobsync.dll
mlang.dll
lz32.dll
linkinfo.dll
keymgr.dll
kdcsvc.dll
iphlpapi.dll
inetcomm.dll
imm32.dll
imgutil.dll
imagehlp.dll
hnetcfg.dll
gdiplus.dll
gdi32.dll
esent.dll
efsadu.dll
duser.dll
dnsapi.dll
dhcpcsvc.dll
devmgr.dll
ddraw.dll
d3dxof.dll
cscdll.dll
cryptui.dll
crypt32.dll
credui.dll
comdlg32.dll
comctl32.dll
certcli.dll
cdfview.dll
cabinet.dll
browseui.dll
authz.dll
apphelp.dll
advpack.dll
activeds.dll
WinStationIsHelpAssistantSession
WinStationEnumerate_IndexedW
|UnlockUrlCacheEntryStream
UnlockUrlCacheEntryFileW
UnlockUrlCacheEntryFileA
SetUrlCacheEntryInfoW
SetUrlCacheEntryGroupW
SetUrlCacheConfigInfoA
RetrieveUrlCacheEntryStreamW
RetrieveUrlCacheEntryFileW
RetrieveUrlCacheEntryFileA
RegisterUrlCacheNotification
ReadUrlCacheEntryStream
LoadUrlCacheContent
IsHostInProxyBypassList
InternetShowSecurityInfoByURLW
InternetOpenUrlW
InternetOpenUrlA
InternetCreateUrlW
InternetCreateUrlA
InternetCrackUrlW
InternetCrackUrlA
InternetCombineUrlW
InternetCanonicalizeUrlW
InternetCanonicalizeUrlA
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoW
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestW
HttpEndRequestA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoExW
GetUrlCacheEntryInfoExA
GetUrlCacheEntryInfoA
GetUrlCacheConfigInfoW
GetUrlCacheConfigInfoA
FtpSetCurrentDirectoryW
FtpSetCurrentDirectoryA
FtpRenameFileA
FtpRemoveDirectoryA
FtpPutFileEx
FtpOpenFileW
FtpOpenFileA
FtpGetFileSize
FtpGetFileEx
FtpGetCurrentDirectoryW
FtpGetCurrentDirectoryA
FtpFindFirstFileW
FtpFindFirstFileA
FtpDeleteFileW
FtpDeleteFileA
FtpCreateDirectoryW
FtpCreateDirectoryA
FtpCommandA
FreeUrlCacheSpaceW
FindNextUrlCacheEntryW
FindNextUrlCacheEntryExW
FindNextUrlCacheEntryExA
FindNextUrlCacheEntryA
FindNextUrlCacheContainerW
FindNextUrlCacheContainerA
FindFirstUrlCacheEntryW
FindFirstUrlCacheEntryExW
FindFirstUrlCacheEntryExA
FindFirstUrlCacheEntryA
FindFirstUrlCacheContainerW
FindFirstUrlCacheContainerA
FindCloseUrlCache
DeleteUrlCacheGroup
DeleteUrlCacheEntryW
DeleteUrlCacheEntryA
DeleteUrlCacheContainerA
CreateUrlCacheGroup
CreateUrlCacheEntryW
CreateUrlCacheEntryA
CreateUrlCacheContainerW
CreateUrlCacheContainerA
CommitUrlCacheEntryW
CommitUrlCacheEntryA
|WinHttpSetTimeouts
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpOpenRequest
WinHttpOpen
WinHttpCrackUrl
WinHttpConnect
WinHttpCloseHandle
|UrlMkSetSessionOption
UrlMkGetSessionOption
URLOpenBlockingStreamW
URLDownloadToFileW
URLDownloadToCacheFileW
IsValidURL
GetMarkOfTheWeb
CreateURLMoniker
CoInternetParseUrl
CoInternetIsFeatureEnabledForUrl
CoInternetGetSecurityUrl
CoInternetCombineUrl
SceSetupUpdateSecurityKey
RasShareConnection
RasIsSharedConnection
DsMakePasswordCredentialsW
DsFreePasswordCredentials
|NetpUpgradePreNT5JoinInfo
NetUserChangePassword
NetUnjoinDomain
NetJoinDomain
NetGetJoinInformation
|SpcGetCertFromKey
GetCryptProvFromCert
FreeCryptProvFromCert
|ShowModelessHTMLDialog
MPRUI_DoPasswordDialog
PRShowSaveFromMsginaW
PRShowRestoreFromMsginaW
KRShowKeyMgr
GetUdpStatistics
GetTcpStatistics
|IcfGetOperationalMode
SetViewportOrgEx
SetViewportExtEx
JetMakeKey
CryptUIDlgViewCertificateW
CryptVerifyCertificateSignature
CryptSignAndEncodeCertificate
CryptMsgGetParam
CryptMsgGetAndVerifySigner
CryptMsgClose
CryptImportPublicKeyInfoEx
CryptImportPublicKeyInfo
CryptHashPublicKeyInfo
CryptExportPublicKeyInfo
CertVerifySubjectCertificateContext
CertVerifyCertificateChainPolicy
CertStrToNameW
CertSetCertificateContextProperty
CertRegisterPhysicalStore
CertRDNValueToStrW
CertOpenSystemStoreW
CertOpenStore
CertNameToStrW
CertGetPublicKeyLength
CertGetNameStringW
CertGetIssuerCertificateFromStore
CertGetEnhancedKeyUsage
CertGetCertificateContextProperty
CertGetCertificateChain
CertFreeCertificateContext
CertFreeCertificateChain
CertFreeCTLContext
CertFindSubjectInCTL
CertFindExtension
CertFindCertificateInStore
CertFindCTLInStore
CertEnumCertificatesInStore
CertDuplicateCertificateContext
CertDuplicateCTLContext
CertDeleteCertificateFromStore
CertCreateCertificateContext
CertCreateCTLContext
CertControlStore
CertCompareCertificateName
CertCloseStore
CertAddCertificateContextToStore
CredUICmdLinePromptForCredentialsW
SSSSh
PSSSSSSh
t.PSW
mem16.dll
ImpersonateNamedPipeClient
VWSSh
t.hlt
hypertrm.exe"
hypertrm.exe
.exr (exception record)
.cxr (context record)
serialui.dll
mekr386.exe
PVWSSh
SXS: %s() BaseDllMapResourceIdA failed
-. "%ls" %ld
(LRU) (Exe Name) (FileSize)
Total Entries = 0x%x
xpsp2res.dll
xpsp3res.dll
?456789:;<=
!"#$%&'()* ,-./0123
|CertAutoEnrollment
VSSHP
ntdll.dll
NtQueryValueKey
NtOpenKey
NtFlushKey
NtSetValueKey
NtCreateKey
NtEnumerateKey
NtEnumerateValueKey
RtlFormatCurrentUserKeyPath
NtQueryKey
NtDeleteValueKey
RtlGetProcessHeaps
NtCreateNamedPipeFile
NtSetThreadExecutionState
LdrQueryImageFileExecutionOptions
NtDelayExecution
NtYieldExecution
kernel32.pdb
0!1'1;1|1
;,<0<8<<<
67
2,242<2}2@3
: :$:(:,:0:4:8:<:
8 8$8(8,8084888<8
< <$<(<,<0<4<8<<<@<]<
$0(040:0
<%=`=[?~?
1!202<2|2
4 4$4(4,4044484
sShortDate
win.ini
.Config
.Manifest
\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
\Windows
\NLS\NlsSectionSortkey
\system32\Apphelp.dll
\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
ADVAPI32.DLL
\\.\MountPointManager
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters
hotkey.%u %s
wowexec.pif
cmd /c
hotkey.
setup.exe
\DosDevices\pipe\
\\.\pipe\
\REGISTRY\USER\.DEFAULT
WUSER32.DLL
~RF%4x.TMP
netmsg.dll
pipe\
c:\temp\
EmbdTrst.DLL
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
%ws%u\DosDevices\%ws
WINDOWS
\\?\GLOBALROOT
Application.Manifest
"/\[]:|<> =;,?
\REGISTRY\Machine\Software\Microsoft\Windows NT\currentVersion\Time Zones
\Registry\Machine\Software\Policies\Microsoft\Windows\System
AppCertDlls
tsappcmp.dll
\inifile.upd
t\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
DRMHeader.SubscriptionContentID
DRMHeader.ContentDistributor
DRMHeader.SECURITYVERSION
DRMHeader.CID
DRMHeader.LAINFO
DRMHeader.KID
LicenseStateData.Transfer.NONSDMI
LicenseStateData.Transfer.SDMI
LicenseStateData.Print.redbook
LicenseStateData.Play
ActionAllowed.Backup
ActionAllowed.Transfer.NONSDMI
ActionAllowed.Transfer.SDMI
ActionAllowed.Print.redbook
ActionAllowed.Play
BaseLAURL
Transfer.NONSDMI
Transfer.SDMI
Print.redbook
Software\Microsoft\Windows NT\CurrentVersion\Time Zones
TimeZoneKeyName
PendingFileRenameOperations%d
PendingFileRenameOperations
%s\system32\
\system32\faultrep.dll
mwowcmdline
cmdline
CONSOLE.DLL
conime.exe
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console
\INF\INTL.INF
DNSAPI.DLL
cfgmgr32.dll
The operation completed successfully.
Not enough storage is available to complete this operation.
The process cannot access the file because another process has locked a portion of the file.
The request is not supported.
Windows cannot find the network path. Verify that the network path is correct and the destination computer is not busy or turned off. If Windows still cannot find the network path, contact your network administrator.
The specified server cannot perform the requested operation.
The specified network password is not correct.
The pipe has been ended.
The system does not support the command requested.
This function is not supported on this system.
The data area passed to a system call is too small.
Attempt to use a file handle to an open disk partition for an operation other than raw disk I/O.
A JOIN or SUBST command cannot be used for a drive that contains previously joined drives.
An attempt was made to use a JOIN or SUBST command on a drive that has already been joined.
An attempt was made to use a JOIN or SUBST command on a drive that has already been substituted.
The system tried to delete the JOIN of a drive that is not joined.
The system tried to join a drive to a directory on a joined drive.
The system tried to join a drive to a directory on a substituted drive.
The system tried to SUBST a drive to a directory on a joined drive.
The system cannot perform a JOIN or SUBST at this time.
The system cannot join or substitute a drive to or for a directory on the same drive.
An attempt was made to join or substitute a drive for which a directory on the drive is the target of a previous substitute.
System trace information was not specified in your CONFIG.SYS file, or tracing is disallowed.
DosMuxSemWait did not execute; too many semaphores are already set.
The file system does not support atomic changes to the lock type.
The operating system cannot run %1.
The flag passed is not correct.
The operating system cannot run this application program.
The operating system is not presently configured to run this application.
The pipe state is invalid.
All pipe instances are busy.
The pipe is being closed.
No process is on the other end of the pipe.
The wait operation timed out.
The mounted file system does not support extended attributes.
The volume is too fragmented to complete this operation.
There is a process on other end of the pipe.
Waiting for a process to open the other end of the pipe.
The I/O operation has been aborted because of either a thread exit or an application request.
Overlapped I/O operation is in progress.
Error performing inpage operation.
The requested operation cannot be performed in full-screen mode.
The configuration registry key is invalid.
The configuration registry key could not be opened.
The configuration registry key could not be read.
The configuration registry key could not be written.
An I/O operation initiated by the registry failed unrecoverably. The registry could not read in, or write out, or flush, one of the files that contain the system's image of the registry.
Illegal operation attempted on a registry key that has been marked for deletion.
Cannot create a symbolic link in a registry key that already has subkeys or values.
Cannot create a stable subkey under a volatile parent key.
The account name is invalid or does not exist, or the password is invalid for the account name specified.
The executable program that this service is configured to run in does not implement the service.
A serial I/O operation was completed by another write to the serial port.
A serial I/O operation completed because the timeout period expired.
The floppy disk controller reported an error that is not recognized by the floppy disk driver.
While accessing the hard disk, a recalibrate operation failed, even after retries.
While accessing the hard disk, a disk operation failed even after retries.
An attempt was made to create more links on a file than the file system supports.
The specified program requires a newer version of Windows.
The specified program is not a Windows or MS-DOS program.
The specified program was written for an earlier version of Windows.
No application is associated with the specified file for this operation.
The message can be used only with synchronous operations.
The device has indicated that cleaning is required before further operations are attempted.
There was no match for the specified key in the index.
The point passed to GetMouseMovePoints is not in the buffer.
The format of the specified password is invalid.
The operation was canceled by the user.
The requested operation cannot be performed on a file with a user-mapped section open.
The network transport endpoint already has an address associated with it.
An operation was attempted on a nonexistent network connection.
An invalid operation was attempted on an active network connection.
The network location cannot be reached. For information about network troubleshooting, see Windows Help.
No service is operating at the destination network endpoint on the remote system.
The operation could not be completed. A retry should be performed.
The network address could not be used for the operation requested.
The operation being requested was not performed because the user has not been authenticated.
The operation being requested was not performed because the user has not logged on to the network.
An attempt was made to perform an initialization operation when initialization has already been completed.
This operation is supported only when you are connected to the server.
This operation is not supported on a Microsoft Small Business Server
The remote system is not available. For information about network troubleshooting, see Windows Help.
Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.
KDC certificate during smartcard logon.
The smartcard certificate used for authentication has been revoked.
An untrusted certificate authority was detected While processing the
smartcard certificate used for authentication. Please contact your system
The revocation status of the smartcard certificate used for
The smartcard certificate used for authentication was not trusted. Please
The smartcard certificate used for authentication has expired. Please
A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.
No encryption key is available. A well-known encryption key was returned.
The password is too complex to be converted to a LAN Manager password. The LAN Manager password returned is a NULL string.
An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
Unable to update the password. The value provided as the current password is incorrect.
Unable to update the password. The value provided for the new password contains values that are not allowed in passwords.
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
Logon failure: unknown user name or bad password.
Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.
Logon failure: the specified account password has expired.
Unable to perform a security operation on an object that has no associated security.
The security account manager (SAM) or local security authority (LSA) server was in the wrong state to perform the security operation.
The domain was in the wrong state to perform the security operation.
This operation is only allowed for the Primary Domain Controller of the domain.
Unable to complete the requested operation because of either a catastrophic media failure or a data structure corruption on the disk.
The logon session is not in a state that is consistent with the requested operation.
Unable to impersonate using a named pipe until data has been read from that pipe.
The transaction state of a registry subtree is incompatible with the requested operation.
Cannot perform this operation on built-in accounts.
Cannot perform this operation on this built-in special group.
Cannot perform this operation on this built-in special user.
A cross-encrypted password is necessary to change a user password.
A cross-encrypted password is necessary to change this user password.
There is no user session key for the specified logon session.
Mutual Authentication failed. The server's password is out of date at the domain controller.
This operation can not be performed on the current domain.
Hot key is already registered.
Class still has open windows.
Hot key is not registered.
This list box does not support tab stops.
Child windows cannot have menus.
All handles to windows in a multiple-window position structure must have the same parent.
The paging file is too small for this operation to complete.
Invalid keyboard layout handle.
This operation requires an interactive window station.
This operation returned because the timeout period expired.
The event log file has changed between read operations.
The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
The configuration data for this product is corrupt. Contact your support personnel.
This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
SQL query syntax invalid or unsupported.
This installation package could not be opened. Verify that the package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer package.
This installation package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer package.
There was an error starting the Windows Installer service user interface. Contact your support personnel.
The language of this installation package is not supported by your system.
Function could not be executed.
Function failed during execution.
Data of this type is not supported.
The Windows Installer service failed to start. Contact your support personnel.
This installation package is not supported by this processor type. Contact your product vendor.
This patch package could not be opened. Verify that the patch package exists and that you can access it, or contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package could not be opened. Contact the application vendor to verify that this is a valid Windows Installer patch package.
This patch package cannot be processed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
Invalid command line argument. Consult the Windows Installer SDK for detailed command line help.
The requested operation completed successfully. The system will be restarted so the changes can take effect.
The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer an
The RPC protocol sequence is not supported.
Not enough resources are available to complete this operation.
The RPC server is too busy to complete this operation.
The remote procedure call failed and did not execute.
The transfer syntax is not supported by the RPC server.
The universal unique identifier (UUID) type is not supported.
The name syntax is not supported.
The server endpoint cannot perform the operation.
No interfaces have been exported.
There is nothing to unexport.
The requested operation is not supported.
A floating-point operation at the RPC server caused a division by zero.
A null context handle was passed from the client to the host during a remote procedure call.
The binding handles passed to a remote procedure call do not match.
A null reference pointer was passed to the stub.
The supplied user buffer is not valid for the requested operation.
The specified port is unknown.
The requested authentication level is not supported.
The error specified is not a valid Windows RPC error code.
Invalid operation on the encoding/decoding handle.
The RPC pipe object is invalid or corrupted.
An invalid operation was attempted on an RPC pipe object.
Unsupported RPC pipe version.
The user's password must be changed before logging on the first time.
The object exporter specified was not found.
Invalid asynchronous RPC call handle for this operation.
The RPC pipe object has already been closed.
The RPC call completed before all pipes were processed.
No more data is available from the RPC pipe.
Not all object UUIDs could be exported to the specified entry.
Interface could not be exported to the specified entry.
The window style or class attribute is invalid for this operation.
The requested metafile operation is not supported.
The requested transformation operation is not supported.
The requested clipping operation is not supported.
The network connection was made successfully, but the user had to be prompted for a password other than the one originally specified.
The requested operation is not allowed when there are jobs queued to the printer.
The requested operation is successful. Changes will not be effective until the system is rebooted.
The requested operation is successful. Changes will not be effective until the service is restarted.
The importation from the file failed.
The GUID passed was not recognized as valid by a WMI data provider.
The instance name passed was not recognized as valid by a WMI data provider.
The data item ID passed was not recognized as valid by a WMI data provider.
The medium currently exists in an offline library and must be online to perform this operation.
The operation cannot be performed on an offline library.
The library, drive, or media pool must be empty to perform this operation.
A resource required for this operation is disabled.
The drive cannot be cleaned or does not support cleaning.
The resource required for this operation does not exist.
The operation identifier is not valid.
The operator or administrator has refused the request.
The transport cannot access the medium.
Unable to retrieve status about the transport.
Cannot use the transport because it is already in use.
Unable to open or close the inject/eject port.
The media type cannot be removed from this library since at least one drive in the library reports it can support this media type.
The remote storage service is not operational at this time.
A cluster node is not available for this operation.
The operation could not be completed because the cluster group is not online.
The operation could not be completed because the cluster resource is online.
The group or resource is not in the correct state to perform the requested operation.
A cluster network is not available for this operation.
All cluster nodes must be running to perform this operation.
A node is in the process of joining the cluster.
A cluster join operation is not in progress.
This operation cannot be performed on the cluster resource as it the quorum resource. You may not bring the quorum resource offline or modify its possible owners list.
The cluster node is not ready to perform the requested operation.
The cluster join operation was aborted.
The cluster join operation failed due to incompatible software versions between the joining node and its sponsor.
The system configuration changed during the cluster join or form operation. The join or form operation was aborted.
The specified node does not support a resource of this type. This may be due to version inconsistencies or due to the absence of the resource DLL on this node.
The specified resource name is not supported by this resource DLL. This may be due to a bad (or changed) name supplied to the resource DLL.
The join operation failed because the cluster database sequence number has changed or is incompatible with the locker node. This may happen during a join operation if the cluster database was changing during the join.
The resource monitor will not allow the fail operation to be performed while the resource is in its current state. This may happen if the resource is in a pending state.
An operation was attempted that is incompatible with the current membership state of the node.
The join operation failed because the cluster instance ID of the joining node does not match the cluster instance ID of the sponsor node.
This computer cannot be made a member of a cluster because it does not have the correct version of Windows installed.
There are no EFS keys defined for the user.
The specified file is not in the defined EFS export format.
The server is not trusted for remote encryption operation.
Recovery policy configured for this system contains invalid recovery certificate.
The encryption algorithm used on the source file needs a bigger key buffer than the one on the destination file.
The disk partition does not support file encryption.
A registry key for event logging could not be created for this session.
A close operation is pending on the session.
The MODEM.INF file was not found.
The modem name was not found in MODEM.INF.
Transport driver error
The requested operation cannot be completed because the terminal connection is currently busy processing a connect, disconnect, reset, or delete operation.
An attempt has been made to connect to a session whose video mode is not supported by the current client.
DOS graphics mode is not supported.
The requested operation can be performed only on the system console.
Disconnecting the console session is not supported.
Reconnecting a disconnected session to the console is not supported.
The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.
The requested operation could not be performed because the directory service is not the master for that type of operation.
The requested operation did not satisfy one or more constraints associated with the class of the object.
The directory service can perform the requested operation only on a leaf object.
The directory service cannot perform the requested operation on the RDN attribute of an object.
The requested cross-domain move operation could not be performed.
An operations error occurred.
The requested authentication method is not supported by the server.
The server does not support the requested critical extension.
The operation affects multiple DSAs
The server is not operational.
The specified method is not supported.
The specified control is not supported by the server.
The add replica operation cannot be performed. The naming context must be writable in order to create the replica.
The attribute specified in the operation is not present on the object.
Illegal modify operation. Some aspect of the modification is not permitted.
The operation must be performed at a master DSA.
The operation could not be performed because the object's parent is either uninstantiated or deleted.
The operation cannot be performed because child objects exist. This operation can only be performed on a leaf object.
The operation is out of scope.
The operation cannot continue because the object is in the process of being removed.
The operation can only be performed on an internal master DSA object.
Insufficient access rights to perform the operation.
The operation cannot be performed on a back link.
The operation could not be performed because the directory service is shutting down.
The requested FSMO operation failed. The current FSMO holder could not be contacted.
Subtree notifications are only supported on NC heads.
The requested delete operation could not be performed.
The global catalog verification failed. The global catalog is not available or does not support the operation. Some part of the directory is currently not available.
The replication operation failed because of a schema mismatch between the servers involved.
The operation cannot replace the hidden record.
This directory server is shutting down, and cannot take ownership of new floating single-master operation roles.
The directory service is missing mandatory configuration information, and is unable to determine the ownership of floating single-master operation roles.
The directory service was unable to transfer ownership of one or more floating single-master operation roles to other servers.
The replication operation failed.
An invalid parameter was specified for this replication operation.
The directory service is too busy to complete the replication operation at this time.
The distinguished name specified for this replication operation is invalid.
The naming context specified for this replication operation is invalid.
The distinguished name specified for this replication operation already exists.
The replication operation encountered a database inconsistency.
The server specified for this replication operation could not be contacted.
The replication operation encountered an object with an invalid instance type.
The replication operation failed to allocate memory.
The replication operation encountered an error with the mail system.
The replication operation encountered a database error.
The requested operation is not supported by this version of the directory service.
The replication operation failed due to a collision of object names.
The replication operation failed because a required parent object is missing.
The replication operation was preempted.
The replication operation was terminated because the system is shutting down.
The server specified for this replication operation was contacted, but that server was unable to contact an additional server needed to complete the operation.
The version of the Active Directory schema of the source forest is not compatible with the version of Active Directory on this computer. You must upgrade the operating system on a domain controller in the source forest before this computer can be added as a domain controller to that forest.
The requested operation requires a directory service, and none was available.
The requested search operation is only supported for base searches.
The schema update operation tried to add a backward link attribute that has no corresponding forward link.
Source and destination for the cross-domain move operation are identical. Caller should use local move operation instead of cross-domain move operation.
Another operation which requires exclusive access to the PDC FSMO is already in progress.
A cross-domain move operation failed such that two versions of the moved object exist - one each in the source and destination domains. The destination object needs to be removed to restore the system to a consistent state.
The directory cannot validate the proposed naming context name because it does not hold a replica of the naming context above the proposed naming context. Please ensure that the domain naming master role is held by a server that is configured as a global catalog server, and that the server is up to date with its replication partners. (Applies only to Windows 2000 Domain Naming masters)
The operation can not be performed because the server does not have an infrastructure container in the domain of interest.
The replica/child install failed to read the objectVersion attribute in the SCHEMA section of the file schema.ini in the system32 directory.
Only DSAs configured to be Global Catalog servers should be allowed to hold the Domain Naming Master FSMO role. (Applies only to Windows 2000 servers)
The DSA operation is unable to proceed because of a DNS lookup failure.
The object requested was not found, but an object with that key was found.
The syntax of the linked attribute being added is incorrect. Forward links can only have syntax 2.5.5.1, 2.5.5.7, and 2.5.5.14, and backlinks can only have syntax 2.5.5.1
Security Account Manager needs to get the boot password.
Security Account Manager needs to get the boot key from floppy disk.
The operation requires that destination domain auditing be enabled.
The operation couldn't locate a DC for the source domain.
The replication operation could not be completed due to a schema incompatibility.
The replication operation could not be completed due to a previous schema incompatibility.
The replication update could not be applied because either the source or the destination has not yet received information regarding a recent cross-domain move operation.
The requested operation can be performed only on a global catalog server.
The operation requires that source domain auditing be enabled.
A Filter was passed that uses constructed attributes.
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
For security reasons, the operation must be run on the destination DC.
Critical Directory Service System objects cannot be deleted during tree delete operations. The tree delete may have been partially performed.
This version of Windows is too old to support the current directory forest behavior. You must upgrade the operating system on this server before it can become a domain controller in this forest.
This version of Windows is too old to support the current domain behavior. You must upgrade the operating system on this server before it can become a domain controller in this domain.
This version of Windows no longer supports the behavior version in use in this directory forest. You must advance the forest behavior version before this server can become a domain controller in the forest.
This version of Windows no longer supports the behavior version in use in this domain. You must advance the domain behavior version before this server can become a domain controller in the domain.
The version of Windows is incompatible with the behavior version of the domain or forest.
The sort order requested is not supported.
Unable to continue operation because multiple conflicting controls were used.
Rename or move operations on naming context heads or read-only objects are not allowed.
Move operations on objects in the schema naming context are not allowed.
The requested action is not supported on standard server.
The directory service cannot perform the requested operation because the servers
Operation not allowed on a disabled cross ref.
Schema update failed: Duplicate msDS-INtId. Retry the operation.
The remote create cross reference operation failed on the Domain Naming Master FSMO. The operation's error is in the extended data.
DNS request not supported by name server.
DNS operation refused.
DNS bad key.
Try DNS operation again later.
The operation requested is not permitted on a DNS root server.
Invalid operation for DNS zone.
The operation cannot be performed because this zone is shutdown.
TCP/IP network protocol not installed.
A blocking operation was interrupted by a call to WSACancelBlockingCall.
A non-blocking socket operation could not be completed immediately.
A blocking operation is currently executing.
An operation was attempted on a non-blocking socket that already had an operation in progress.
An operation was attempted on something that is not a socket.
A required address was omitted from an operation on a socket.
A protocol was specified in the socket function call that does not support the semantics of the socket type requested.
An unknown, invalid, or unsupported option or level was specified in a getsockopt or setsockopt call.
The support for the specified socket type does not exist in this address family.
The attempted operation is not supported for the type of object referenced.
Only one usage of each socket address (protocol/network address/port) is normally permitted.
A socket operation encountered a dead network.
A socket operation was attempted to an unreachable network.
The connection has been broken due to keep-alive activity detecting a failure while the operation was in progress.
An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
A socket operation failed because the destination host was down.
A socket operation was attempted to an unreachable host.
A Windows Sockets implementation may have a limit on the number of applications that may use it simultaneously.
The Windows Sockets version requested is not supported.
The specified transport mode filter already exists.
The specified transport mode filter does not exist.
The requested lookup key was not found in any active activation context.
The transport filter is pending deletion.
IKE failed to find valid machine certificate
Certificate Revocation Check failed
Invalid certificate key usage
Invalid certificate type
No private key associated with machine certificate
Peer's certificate did not have a public key
Error processing Cert payload
Error processing Certificate Request payload
Peer failed to send valid machine certificate
Certification Revocation check of peer's certificate failed
Failed to load SECURITY.DLL.
Unsupported ID
Invalid certificate signature
The lifetime value received in the Responder Lifetime Notify is below the Windows 2000 configured minimum value. Please fix the policy on the peer machine.
Key length in certificate is too small for configured security requirements.
Lack of system resources has required isolated activation to be disabled for the current thread of execution.
Manifest Parse Error : System does not support the specified encoding.
Manifest Parse Error : Switch from current encoding to specified encoding not supported.
Assembly Protection Error : The public key for an assembly was too short to be allowed.
The storage operation should block until more data is available.
The storage operation should retry immediately.
The notified event sink will not influence the storage operation.
Drag-drop operation canceled
FORMATETC not supported
Invalid window handle passed
An asynchronous operation was specified. The operation has begun, but its outcome is not known yet.
The transaction was successfully aborted. However, this is a coordinated transaction, and some number of enlisted resources were aborted outright because they could not support abort-retaining semantics
An abort operation was already in progress.
No such interface supported
Operation aborted
The data necessary to complete this operation is not yet available.
Use of Ole1 services requiring DDE windows is disabled
The server process could not be started because the configured identity is incorrect. Check the username and password.
The operation attempted is not supported.
Unable to complete the call since there is no COM  security context inside IObjectControl.Activate.
The callee (server [not server application]) is not available and disappeared; all connections are invalid. The call may have executed.
The callee (server [not server application]) is not available and disappeared; all connections are invalid. The call did not execute.
Impersonate on unsecure calls is not supported.
Unable to obtain the Windows directory
The version of ACL format in the stream is not supported by this implementation of IAccessControl
Does not support a collection.
Wrong module kind for the operation.
Unable to perform requested operation.
Attempted an operation on an invalid object.
There is insufficient memory available to complete operation.
An error occurred during a seek operation.
A disk error occurred during a write operation.
A disk error occurred during a read operation.
There is insufficient disk space to complete operation.
Share.exe or equivalent is required for operation.
Illegal operation called on non-file based storage.
Illegal operation called on object with extant marshallings.
OLE32.DLL has been loaded at the wrong address.
Copy Protection Error - The given sector does not have a valid CSS key.
Copy Protection Error - DVD session key not established.
Need to run the object to perform this operation
There is no cache to operate on
Object is static; operation not allowed
compobj.dll is too old for the ole2.dll initialized
Not able to perform the operation because object is not given storage yet
Object doesn't support IViewObject interface
Class does not support aggregation (or class object is remote)
Could not read key from registry
Could not write key to registry
Could not find the key in the registry
A network error interrupted the operation.
There was an error in a Windows GDI call while converting the bitmap to a DIB
There was an error in a Windows GDI call while converting the DIB to a bitmap.
Operation exceeded deadline
Operation unavailable
Intermediate operation failed
User input required for operation to succeed
COM  is required for this operation, but is not installed
Task Scheduler security services are available only on Windows NT.
The task object version is either unsupported or invalid.
The task has been configured with an unsupported combination of account settings and run time options.
A retaining commit or abort is not supported
The requested isolation level is not valid or supported.
The transaction manager doesn't support an asynchronous operation for this method.
The requested semantics of retention of isolation across retaining commit and abort boundaries cannot be supported by this transaction implementation, or isoFlags was not equal to zero.
An import object for the transaction could not be found.
A time-out was specified, but time-outs are not supported.
The requested operation is already in progress for the transaction.
The Transaction Manager has disabled its support for TIP.
The transaction manager has disabled its support for remote/network transactions.
The partner transaction manager has disabled its support for remote/network transactions.
The transaction manager has disabled its support for XA transactions.
The requested operation requires that JIT be in the current context and it is not
The requested operation requires that the current context have a Transaction, and it does not
Server execution failed
Bad Key.
Key not valid for use in specified state.
Key does not exist.
Insufficient memory available for the operation.
Provider's public key is invalid.
Keyset does not exist
The keyset is not defined.
Keyset as registered is invalid.
The Keyset parameter is invalid.
The key parameters could not be set because the CSP uses fixed parameters.
The function requested is not supported
The per-message Quality of Protection is not supported by the security package
The certificate chain was issued by an authority that is not trusted.
An unknown error occurred while processing the certificate.
The received certificate has expired.
The other end of the security negotiation is requires strong crypto but it is not supported on the local machine.
The client cert name does not matches the user name or the KDC name is incorrect.
The encryption type requested is not supported by the KDC.
An unsupported preauthentication mechanism was presented to the kerberos package.
The requested operation requires delegation to be enabled on the machine.
The received certificate was mapped to multiple accounts.
SEC_E_NO_KERB_KEY
An error occurred while performing an operation on a cryptographic message.
The streamed cryptographic message requires more data to complete the decode operation.
An error occurred during encode or decode operation.
The specified certificate is self signed.
The previous certificate or CRL context was deleted.
The certificate does not have a property that references a private key.
Cannot find the certificate and private key for decryption.
Cannot find the certificate and private key to use for decryption.
The certificate is revoked.
No Dll or exported function was found to verify revocation.
The revocation function was unable to check revocation for the certificate.
The certificate is not in the revocation server's database.
The string contains an invalid X500 name attribute key, oid, value or delimiter.
The dwValueType for the CERT_NAME_VALUE is not one of the character strings. Most likely it is either a CERT_RDN_ENCODED_BLOB or CERT_TDN_OCTED_STRING.
The Put operation can not continue. The file needs to be resized. However, there is already a signature present. A complete signing operation must be done.
The cryptographic operation failed due to a local security option setting.
No DLL or exported function was found to verify subject usage.
The subject was not found in a Certificate Trust List (CTL).
None of the signers of the cryptographic message or certificate trust list is trusted.
The public key's algorithm parameters are missing.
OSS Certificate encode/decode error code base
OSS ASN.1 Error: Unsupported BER indefinite-length encoding.
ASN1 Certificate encode/decode error code base.
ASN1 function not supported for this PDU.
The request's current status does not allow this operation.
The certification authority's certificate contains invalid data.
Certificate service has been suspended for a database restore operation.
The certificate contains an encoded length that is potentially incompatible with older enrollment software.
The operation is denied. The user has multiple roles assigned and the certification authority is configured to enforce role separation.
The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.
Cannot archive private key. The certification authority is not configured for key archival.
Cannot archive private key. The certification authority could not verify one or more key recovery certificates.
The request is incorrectly formatted. The encrypted private key must be in an unauthenticated attribute in an outermost signature.
The request contains an invalid renewal certificate attribute.
An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions.
The permissions on this certification authority do not allow the current user to enroll for certificates.
The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
The requested certificate template is not supported by this CA.
The request contains no certificate template information.
The request is missing a required private key for archival by the server.
The request was made on behalf of a subject other than the caller. The certificate template must be configured to require at least one signature to authorize the request.
The request template version is newer than the supported template version.
The request includes a private key for archival by the server, but key archival is not enabled for the specified certificate template.
The public key does not meet the minimum size required by the specified certificate template.
The key is not exportable.
You cannot add the root CA certificate into your local store.
The key archival hash attribute was not found in the response.
An unexpetced key archival hash attribute was found in the response.
There is a key archival hash mismatch between the request and the response.
Signing certificate cannot include SMIME extension.
The certificate for the signer of the message is invalid or not found.
The signature of the certificate can not be verified.
The timestamp signature and/or certificate could not be verified or is malformed.
A certificate's basic constraint extension has not been observed.
The certificate does not meet or contain the Authenticode financial extensions.
The file did not pass the hints check.
Failed on a file operation (open, map, read, write).
The trust verification action specified is not supported by the specified trust provider.
The form specified for the subject is not one supported or known by the specified trust provider.
A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
The validity periods of the certification chain do not nest correctly.
A certificate that can only be used as an end-entity is being used as a CA or visa versa.
A path length constraint in the certification chain has been violated.
A certificate contains an unknown extension that is marked 'critical'.
A certificate being used for a purpose other than the ones specified by its CA.
A parent of a given certificate in fact did not issue that child certificate.
A certificate is missing or has an empty value for an important field, such as a subject or issuer name.
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
An internal certificate chaining error has occurred.
A certificate was explicitly revoked by its issuer.
The certification path terminates with the test root which is not trusted with the current policy settings.
The revocation process could not continue - the certificate(s) could not be checked.
The certificate's CN name does not match the passed value.
The certificate is not valid for the requested usage.
The certificate was explicitly marked as untrusted by the user.
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
The certificate has invalid policy.
The certificate has an invalid name. The name is not included in the permitted list or is explicitly excluded.
The requested device registry key does not exist.
The operation cannot be performed on a device information element that has not been registered.
The operation does not require any files to be copied.
The operation cannot be performed because the device information set is locked.
The operation cannot be performed because the device information element is locked.
The operation cannot be performed because the file queue is locked.
The operation cannot be performed because the device interface is currently active.
The operation cannot be performed because the device interface has been removed from the system.
The driver selected for this device does not support Windows XP.
The driver selected for this device does not support Windows.
Operation not allowed in WOW64.
The operation involving unsigned file copying was rolled back, so that a system restore point could be set.
An INF was copied into the Windows INF directory in an improper manner.
The operation requires a Smart Card, but no Smart Card is currently in the device.
The operation has been aborted to allow the server application to exit.
The reader driver does not meet minimal requirements for support.
The smart card does not meet minimal requirements for support.
The requested order of object creation is not supported.
This smart card does not support the requested feature.
The requested certificate does not exist.
The requested certificate could not be obtained.
A communications error with the smart card has been detected. Retry the operation.
The requested key container does not exist on the smart card.
The identity or password set on the application is not valid
The DLL does not support the components listed in the TypeLib
The server catalog version is not supported
This operation can not be performed on the system application
This operation is not enabled on this platform
Application Proxy is not exportable
System application is not exportable
Can not subscribe to this component (the component may have been imported)
The partition cannot be exported, because one or more components in the partition have the same file name
Applications that contain one or more imported components cannot be installed into a non-base partition
The COM  Catalog Server threw an exception during execution
MSMQ is required for the requested operation and is not installed
Unable to marshal an interface that does not support IPersistStream
The ProgID provided to the copy operation is invalid. The ProgID is in use by another registered CLSID.
Only Application Files (*.MSI files) can be installed into partitions.
Applications containing one or more legacy components may not be exported to 1.0 format.
The SID filtering operation removed all SIDs.
Windows NT BASE API Client DLL
5.1.2600.5512 (xpsp.080413-2111)
Windows
Operating System
5.1.2600.5512
$$$$Guinea$Republic of Guinea)$$$$Guyana$Cooperative Republic of Guyana
$$$$Panama$Republic of Panama $$$$Portugal$Portuguese Republic:$$$$Papua New Guinea$Independent State of Papua New Guinea
$$$$Turkey$Republic of Turkey
$$$860 (OEM - Portuguese)
Portuguese (Brazil)$Brazil $$$1047 (IBM EBCDIC - Latin-1/Open System)
Turkish$Turkey
Portuguese (Portugal)$Portugal

.exe_1728_rwx_00F40000_0009C000:

ADVAPI32.dll
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
CryptExportKey
CryptGenKey
CryptGetKeyParam
CryptGetUserKey
CryptHashSessionKey
CryptImportKey
CryptSetKeyParam
ElfReportEventA
ElfReportEventW
EncryptedFileKeyInfo
FreeEncryptedFileKeyInfo
FreeEncryptionCertificateHashList
GetEventLogInformation
GetMultipleTrusteeOperationA
GetMultipleTrusteeOperationW
GetServiceKeyNameA
GetServiceKeyNameW
GetWindowsAccountDomainSid
ImpersonateNamedPipeClient
MSChapSrvChangePassword
MSChapSrvChangePassword2
QueryWindows31FilesMigration
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegCreateKeyExW
RegCreateKeyW
RegDeleteKeyA
RegDeleteKeyW
RegEnumKeyA
RegEnumKeyExA
RegEnumKeyExW
RegEnumKeyW
RegFlushKey
RegGetKeySecurity
RegLoadKeyA
RegLoadKeyW
RegNotifyChangeKeyValue
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyW
RegOverridePredefKey
RegQueryInfoKeyA
RegQueryInfoKeyW
RegReplaceKeyA
RegReplaceKeyW
RegRestoreKeyA
RegRestoreKeyW
RegSaveKeyA
RegSaveKeyExA
RegSaveKeyExW
RegSaveKeyW
RegSetKeySecurity
RegUnLoadKeyA
RegUnLoadKeyW
ReportEventA
ReportEventW
SaferiIsExecutableFileType
SetUserFileEncryptionKey
SynchronizeWindows31FilesAndWindowsNTRegistry
WmiExecuteMethodA
WmiExecuteMethodW
PSSSSSSh
PSSSSSSh#
PSSSSSSh
PSSSSSSh
(PSSSSSSh
0PSSSSSSh
8PSSSSSSh
SSSSSSh
PSSSSSSh!
CPDuplicateKey
CPGetUserKey
CPHashSessionKey
CPImportKey
CPExportKey
CPGetKeyParam
CPSetKeyParam
CPDestroyKey
CPDeriveKey
CPGenKey
kernel32.dll
PSSSh
PSShZ
CloseWindowStation
GetProcessWindowStation
MsgWaitForMultipleObjects
8.YYu
TermsrvSetKeySecurity
TermsrvRestoreKey
TermsrvDeleteKey
TermsrvSetValueKey
tsappcmp.dll
Windows Setup
user32.dll
sndrec32.exe
soundrec.exe
packgr32.exe
packager.exe
mplay32.exe
mplayer.exe
mciole16.dll
mciole.dll
$Microsoft Root Certificate Authority
Windows 3.1 Migration
t%SVW)E
mpr.dll
Unable to locate init routine, error = %d
Unable to load client dll, error = %d
ldap_msgfree
1.2.840.113556.1.4.529
wldap32.dll
SamiChangePasswordUser2
SamiChangePasswordUser
SetProcessWindowStation
OpenWindowStationW
It.Iu
PSShL
t.Ht#Ht Ht
ShellExecuteExW
AccProvGetOperationResults
AccProvCancelOperation
WINREG: Frame %d = 0x%x
Frames %d
WINREG: Name: %S
WINREG: Unable to retrieve object name error 0x%x
WINREG: Tracked key data for object 0x%x
imagehlp.dll
SSSSSh
WINTRUST.dll
Secur32.dll
KERNEL32.dll
ntdll.dll
RPCRT4.dll
GetWindowsDirectoryW
GetSystemWindowsDirectoryW
SetNamedPipeHandleState
GetProcessHeap
WaitNamedPipeW
NtQueryKey
NtEnumerateKey
RtlFormatCurrentUserKeyPath
NtNotifyChangeKey
NtDeleteValueKey
NtEnumerateValueKey
NtDeleteKey
NtQueryValueKey
NtSetValueKey
NtOpenKey
NtCreateKey
NtFlushKey
NtLoadKey
NtUnloadKey
NtReplaceKey
NtNotifyChangeMultipleKeys
NtQueryMultipleValueKey
NtRestoreKey
NtSaveKey
NtSaveMergedKeys
NtSaveKeyEx
advapi32.pdb
0p.yx
%x~O>
%D$#>
7,7<7\7}7
9#:*:@:{:
3 3%3.3=3
8$9(90949@9
1&2,263@3
:,:0:<:_:
3 3$303;3
3M4H4Z4`4e4
3"3'333<3
<"<)
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer
\Software\Policies\Microsoft\Windows\Safer
\UrlZones
%HKEY_CURRENT_USER
\PIPE\
NTMARTA.DLL
%SystemRoot%\
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%s\u
REG.DAT
Windows 3.1 Migration Status
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
t\\.\pipe\net\NtControlPipe
lX-X-X-XX-XXXXXX
\\.\WMIDataDevice
Software\Microsoft\Windows\CurrentVersion\Group Policy\Appmgmt
nuser32.dll
msi.dll
\PIPE\InitShutdown
.u
system.ini
reg.dat
%SystemRoot%\Debug\UserMode\appmgmt.log
%SystemRoot%\Debug\UserMode\appmgmt.bak
%HKEY_LOCAL_MACHINE
%s%s%d%s%s%s%s%s%s%s{lx-x-x-xx-xxxxxx}
certificate
%SystemRoot%\System32\Drivers\
\pipe\svcctl
Group%d
ncacn_ip_tcp
UrlZones
DisallowExecution
iphlpapi.dll
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
perfh004.dat
perfc004.dat
progman.ini
SoftWare\Microsoft\Windows NT\CurrentVersion\Program Manager\Settings
SoftWare\Microsoft\Windows NT\CurrentVersion\Program Manager\UNICODE Groups
Windows NT Network Provider
\\.\Pipe\TerminalServer\SystemExecSrvr\%d
W\winsta.dll
feclient.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
samlib.dll
SupportUrl
Wshell32.dll
CEvents::Report called with more params then expected!
APPMGMT (%x.%x) d:d:d:d
appmgmts.dll
%s_%d
{x-x-x-xx-xxxxxx}
setupapi.dll
%ws\%u
\\.\%s
\Registry\Machine\Hardware\DeviceMap\Scsi\Scsi Port %d\Scsi Bus %d\Target ID %d\Logical Unit Id %d
\Device\Harddisk%d\Partition0
\\.\PhysicalDrive%d
W%s\%s
\Device\Video%d
DefaultSettings.YResolution
DefaultSettings.XResolution
DefaultSettings.VRefresh
DefaultSettings.BitsPerPel
HardwareInformation.BiosString
HardwareInformation.AdapterString
HardwareInformation.DacType
HardwareInformation.ChipType
HardwareInformation.MemorySize
SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3
PerfDbg.Etl
C:\perfdbg.etl
$winnt$.inf
Export
ncacn_nb_tcp
\PIPE\winreg
\SystemRoot\system32\perf0000.dat
\SystemRoot\system32\prf00000.dat
Advanced Windows 32 Base API
5.1.2600.5512 (xpsp.080413-2113)
advapi32.dll
Windows
Operating System
5.1.2600.5512
An exception occurred while performing Windows 3.1 migration. Some data
The entire contents of %1 was migrated into the Windows NT registry.
Windows NT registry.
the Windows NT registry.
The contents of the Windows 3.X Program Manager group file %1 was not
migrated into the Windows NT registry, as a group of that name, %2,
Contents of %1 migrated to the Windows NT registry.
Unable to migrate all or part of the %1 file into the Windows NT registry.
Unable to migrate all or part of the %1 section of %2 into the Windows
into the Windows NT registry.
Unable to load the contents of the Windows 3.1 Program Manager group file %1.
Error Code was %2. Group not migrated to the Windows NT registry.
Unable to convert the contents of the Windows 3.1 Program Manager group
file %1. into the Windows NT format. Error Code was %2. Group not
migrated to the Windows NT registry.
Unable to migrate all or part of %1 to the Windows NT registry.
the Windows NT registry. It is incompatible with Windows NT.
Allows programs to execute with only access to resources granted to open well-known groups, blocking access Administrator and Power User privileges, and personally granted rights.
Software cannot access certain resources, such as cryptographic keys and credentials, regardless of the access rights of the user.
Allows programs to execute as a user that does not have Administrator or Power User access rights, but can still access resouces accessible by normal users.

.exe_1728_rwx_10028000_00015000:

msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc
hJK.ZH
O.qt0


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    mscorsvw.exe:1924
    %original file name%.exe:1692

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\ .bat (109 bytes)
    C:\jm_c (182 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\404[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IJT3DEFP\desktop.ini (67 bytes)
    C:\.exe (9605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\km[1].gif (18723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\desktop.ini (67 bytes)
    %WinDir%\Code2.txt (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4TOJWX4Z\Cookies[1].txt (369209 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q9JK3VWX\gg[1].htm (557 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.