Gen.Variant.Zusy.160712_d36e5c8aae

by malwarelabrobot on January 11th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.160712 (B) (Emsisoft), Gen:Variant.Zusy.160712 (AdAware), Trojan.Win32.Qkkbal.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: d36e5c8aaeb29b6cff7613f430ce0495
SHA1: ee577f8e9f3aae23eaf5d1ebe246018d4de5d83a
SHA256: 19a86788d9b692956c010ba46174b567c2a50db62951aeb217b80f73d701cb7f
SSDeep: 49152:PntTX56Ii R91itoH6c /gWNADrI19GQSl0QcbMs/rd/0LKL8XdYCPBGF:P9oejMOBAgWNADULwgh5Le5GF
Size: 2147328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Soft creation company
Created at: 2017-01-02 13:25:54
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WMIC.exe:2192

The Trojan injects its code into the following process(es):

%original file name%.exe:2060

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WMIC.exe:2192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The process %original file name%.exe:2060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8F65.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8F53.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA48C.tmp (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8F54.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8F66.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\caspolms.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA48D.tmp (2712 bytes)
C:\Windows\System32\repair-registry.exe.bak (324466 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\caspol.exe (50 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8F65.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8F53.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA48C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8F54.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8F66.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA48D.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\d36e5c8aaeb29b6cff7613f430ce0495_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\d36e5c8aaeb29b6cff7613f430ce0495_RASMANCS]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d36e5c8aaeb29b6cff7613f430ce0495_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4]
"Blob" = "0F 00 00 00 01 00 00 00 14 00 00 00 5D 82 AD B9"

[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\d36e5c8aaeb29b6cff7613f430ce0495_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\d36e5c8aaeb29b6cff7613f430ce0495_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d36e5c8aaeb29b6cff7613f430ce0495_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\d36e5c8aaeb29b6cff7613f430ce0495_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"

To run itself automatically each time Windows is booted, the Trojan adds the following value, pointing to its file, to the registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"DHCP-Service" = "C:\Windows\system32\DHCP-Service.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"2796BAE63F1801E277261BA0D77770028F20EEE4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
6c6a8dc7b6c2b951bb4d79ff87279d1a c:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\caspol.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
.text    4096              104152         104448     4.67598   ea437eb124808ab012ccc25d93aa336d
.rdata   110592            28146          28160      4.46604   2a36cd4e315443b43c4620372d9a9076
.data    139264            12480          5632       2.26135   b37653ac83a62b9683f8689b82ddcb74
.rsrc    155648            2007820        2008064    5.54511   118031d44752f36f57e92913e4227ea7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 212.30.134.167
www.dropbox.com 162.125.66.1
dl.dropboxusercontent.com 162.125.66.6
smtp.gmail.com 64.233.165.108


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86402
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT
If-None-Match: "8017f9a85f10d21:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: VVV.download.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Sat, 12 Nov 2016 01:34:12 GMT
Accept-Ranges: bytes
ETag: "02e4de843cd21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 50939
Date: Tue, 10 Jan 2017 06:41:28 GMT
Connection: keep-alive
X-CCC: RU
X-CID: 2

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2060:

.text
`.rdata
@.data
.rsrc
tGHt.Ht&
 Bv.SCv=kAv
1.2.3
Visual C++ CRT: Not enough memory to complete call to strerror.
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
USER32.DLL
KERNEL32.dll
ole32.dll
OLEAUT32.dll
mscoree.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
zcÁ
c:\%original file name%.exe
v2.0.50727
KERNEL32.DLL

caspol.exe_1712:

.text
`.rdata
@.data
.rsrc
@.reloc
VKEYt
)~$)~,)~0
j.Yf;
_tcPVj@
.PjRW
Dw.AEwb
CBv.SCv5
@-@-@-@-
@-@-@-@-@-@-@-@-
ln.uw
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
inflate 1.2.5 Copyright 1995-2010 Mark Adler
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Visual C++ CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
;3 #>6.&
'2, / 0&7!4-)1#
HTTP/1.0 200 OK
HTTP/1.0 404 Not Found
classid = 'clsid:8AD9C840-044E-11D1-B3E9-00805F499D93'
codebase = 'hXXp://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab#Version=1,4,0,0'
WIDTH = %d HEIGHT = %d >
<PARAM NAME = CODE VALUE = VncViewer.class >
<PARAM NAME = ARCHIVE VALUE = VncViewer.jar >
<PARAM NAME = PORT VALUE=%d>
CODE = VncViewer.class \
ARCHIVE = VncViewer.jar \
WIDTH = %d \
HEIGHT = %d \
PORT =%d \
pluginspage ='hXXp://java.sun.com/products/plugin/index.html#download'>
caspol [-sc_prompt] [-sc_exit] [-id:????] [-stopreconnect][-autoreconnect[ ID:????]] [-connect host[:display]] [-connect host[::port]] [-repeater host[:port]] [-run]
error [%s]: attempt to seek before beginning of zipfile
caution: filename not matched: %s
caution: excluded filename not matched: %s
%d archive%s successfully processed.
warning [%s]: zipfile is empty
error [%s]: reported length of central directory is
%ld bytes too long (Atari STZip zipfile? J.H.Holm ZIPSPLIT 1.1
%s: cannot find any matches for wildcard specification "%s".
error [%s]: missing %ld bytes in zipfile
%d archive%s had fatal errors.
note: %s may be a plain executable, not an archive
error [%s]: NULL central directory offset
error [%s]: start of central directory not found;
%d "zipfiles" were directories.
[%s]:
Zipfile is disk %u of a multi-disk archive, and this is not the disk on
which the central zipfile directory begins (disk %u).
%s: cannot find either %s or %s.
warning [%s]: end-of-central-directory record claims this
is disk %u but that the central directory starts on disk %u; this is a
%s: cannot find zipfile directory in %s,
%sand cannot find %s, period.
%d file%s had no zipfile directory.
warning [%s]: zipfile claims to be last disk of a multi-part archive;
together in order. Expect "errors" and warnings...true multi-part support
%d archive%s had warnings but no fatal errors.
error: cannot create %s
warning [%s]: %ld extra byte%s at beginning or within zipfile
%s: write error (disk full?).
error: cannot open zipfile [ %s ]
warning: extra field too long (%d). Ignoring...
error: cannot delete old %s
compressed WinNT security data missing (%d bytes)%s
%s: bad extra field length (%s)
skipping: %-22s %svolume label
%s: bad file comment length
unsupported NTSD EAs version %d
error: %s%s
%s %s: %ld bytes required to uncompress to %lu bytes;
%s supposed to require %lu bytes%s%s%s
compressed EA data missing (%d bytes)%s
skipping: %-22s unsupported compression method %u
error [%s]: bad extra-field CRC lx (should be lx)
unknown compression method for EAs (%u)
Caution: zero files tested in %s.
skipping: %-22s need %s compat. v%u.%u (can do v%u.%u)
error: %s%s %s
%s: stored in VMS format. Extract anyway? (y/n)
warning: %s appears to use backslashes as path separators
warning: set times/attribs failed for %s
EF block length (%u bytes) exceeds remaining EF data (%u bytes)
%lu file%s skipped because of unsupported compression or encoding.
warning: stripped absolute path spec from %s
At least one %serror was detected in %s.
warning: %s is probably truncated
%lu file%s skipped because of incorrect password.
skipping: %-22s unable to get password
file #%lu: bad zipfile offset (%s): %ld
%s: mismatching "local" filename (%s),
No errors detected in %s for the %lu file%s tested.
%s: unknown compression method
%s: bad filename length (%s)
No errors detected in compressed data of %s.
%s: warning, no memory for comparison with local header
error: unsupported extra-field compression type (%u)--skipping
skipping: %-22s `%s' method not supported
(may instead be incorrect password)
%8sing: %-22s %s%s
skipping: %-22s incorrect password
%s: ucsize %lu <> csize %lu for STORED entry
The associated file has type code `%c%c%c%c' and creator code `%c%c%c%c'
file last modified on (DOS date/time): %s
- A subfield with ID 0xx (%s) and %u data bytes
The local extra field has %lu bytes of %scompressed BeOS file attributes
%u %s %u u:u:u
MS-DOS file attributes (X hex): %s%s%s%s%s%s%s%s
There %s a local extra field with ID 0xx (%s) and
%u data bytes (%s).
File is marked as %s, File Dates are in %d Bit
The QDOS extra field subtype is `%c%c%c%c'
number of Shannon-Fano trees (implosion): %c
file last modified on (UT extra field modtime): %s %s
%lu file%s, %lu bytes uncompressed, %lu bytes compressed: %s%d.%d%%
This zipfile constitutes disk %u of a multi-part archive. The central
directory starts on disk %u; %u of its entries %s contained within
extended local header: %s
The Mac long filename is %s
uuu.uuu
file security status: %sencrypted
File is marked as %s
The AOS/VS extra field revision is %d.%d
field is %s and has %u bytes of VMS %s information%s
file system or operating system of origin: %s
minimum software version required to extract: %u.%u
length of file comment: %u characters
length of extra field: %u bytes
The local extra field has %lu bytes of %scompressed AtheOS file attributes
Theos file attributes (X hex): %s
apparent file type: %s
Archive: %s %ld %u
The file was originally a Tandem %s file, with file code %u
Indexed
Amiga file attributes (o octal): %s
MS-DOS file attributes (X hex): none
length of filename: %u characters
Key Sequenced
Archive: %s %ld bytes %u file%s
The zipfile comment is %u bytes long and contains the following text:
???? ??? ?? ??:??:??
The 128-bit MD5 signature is %s
Unix file attributes (o octal): %s
compression sub-type (deflation): %s
%2u-%s-u u:u
error: EF data block (type 0xx) size %u exceeds remaining extra field
space %u; block length has been truncated.
VMS file attributes (o octal): %s
disk number on which file begins: disk %u
size of sliding dictionary (implosion): %cK
central directory contains %u %s. The central directory is %lu
Keyed
unknown (%d)
The local extra field has %lu bytes of %scompressed Macintosh
minimum file system compatibility required: %s
The local extra field has UTC/GMT %s time%s
MS-DOS file attributes (X hex): read-only
compression method: %s
version of encoding software: %u.%u
this zipfile, out of a total of %u %s. The entire central
\background.bmp
black_layered.cpp : OpenInputdesktop Error
black_layered.cpp : OpenInputdesktop OK
black_layered.cpp : !GetUserObjectInformation
black_layered.cpp : SelectHDESK to %s (%x) from %x
black_layered.cpp : SelectHDESK:!SetThreadDesktop
black_layered.cpp : end BlackWindow
kernel32.dll
ntdll.dll
interKey larger than maxNum
0.0.0
12-12-2002
Plugin.dsm
*.dsm
SecureVNC;0;0xx;%s
LKERNEL32.DLL
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows NT\CurrentVersion
%u.%u
NTDLL.DLL
\HAL.DLL
Windows
Windows Embedded Compact
Windows CE .NET
Windows CE
Windows 95
Windows 95 SP1
Windows 95 B [aka OSR2]
Windows 95 C [aka OSR2.5]
Windows 98
Windows 98 SP1
Windows 98 Second Edition
Windows Millenium Edition
Windows ??
Windows NT
Windows 2000 (Professional)
Windows 2000 Server
Windows 2000 (Domain Controller)
Windows 2000
Windows XP (Starter Edition)
Windows XP (Personal)
Windows XP (Professional)
Windows Server 2003
Windows Server 2003 (Domain Controller)
Windows Server 2003 R2
Windows Server 2003 R2 (Domain Controller)
Windows XP
, (Web Edition)
Windows Vista (Starter Edition)
Windows Vista (Home Basic)
Windows Vista (Home Premium)
Windows Vista (Business)
Windows Vista (Enterprise)
Windows Vista (Ultimate)
Windows Server 2008
Windows Server 2008 (Domain Controller)
Windows Vista
Windows 7 Thin PC
Windows 7 (Starter Edition)
Windows 7 (Home Basic)
Windows 7 (Home Premium)
Windows 7 (Professional)
Windows 7 (Enterprise)
Windows 7 (Ultimate)
Windows Server 2008 R2
Windows Server 2008 R2 (Domain Controller)
Windows 7
Windows 8 Thin PC
Windows 8 RT
Windows 8 (Starter Edition)
Windows 8 (Pro)
Windows 8 (Enterprise)
Windows Server 2012
Windows Server 2012 (Domain Controller)
Windows 8
Windows 8.1 Thin PC
Windows 8.1 RT
Windows 8.1 (Starter Edition)
Windows 8.1 (Pro)
Windows 8.1 (Enterprise)
Windows Server 2012 R2
Windows Server 2012 R2 (Domain Controller)
Windows 8.1
Windows 10 Thin PC
Windows 10 RT
Windows 10 (Starter Edition)
Windows 10 (Home)
Windows 10 (Pro)
Windows 10 (Enterprise)
Windows 10 Nano Server
Windows 10 ARM64 Server
Windows Server 2016
Windows Server 2016 (Domain Controller)
Windows 10
Build:%d
Service Pack:%d.%d
Service Pack:%d
Service Pack:0.%d
, (Windows Essential Business Server Manangement Server)
, (Windows Essential Business Server Messaging Server)
, (Windows Essential Business Server Security Server)
HTTPConnect
AutoPortSelect
PortNumber
HTTPPortNumber
net stop "%s"
hXXp://VVV.uvnc.com
hXXp://forum.uvnc.com
net start "%s"
shell32.dll
HideDesktop.cpp : Killwallpaper %i
HideDesktop.cpp : Killwallpaper %i %i
HideDesktop.cpp : Restorewallpaper %i
HideDesktop.cpp : Restorewallpaper %i %i
HideDesktop.cpp : Failed to get SPI value for 0xx (0xx)
HideDesktop.cpp : Retrieved SPI value for 0xx: 0xx
HideDesktop.cpp : Failed to set SPI value for 0xx to 0xx (0xx)
HideDesktop.cpp : Set SPI value for 0xx to 0xx
HideDesktop.cpp : Failed to restore SPI value for 0xx (0xx)
HideDesktop.cpp : Restored SPI value for 0xx to 0xx
HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHING (0xx)
HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHING: 0xx
HideDesktop.cpp : Failed to get SPI value for SPI_GETFONTSMOOTHINGTYPE (0xx)
HideDesktop.cpp : Retrieved SPI value for SPI_GETFONTSMOOTHINGTYPE: 0xx
HideDesktop.cpp : Failed to get SPI value for SPI_GETCLEARTYPE (0xx)
HideDesktop.cpp : Retrieved SPI value for SPI_GETCLEARTYPE: 0xx
HideDesktop.cpp : Failed to set SPI value for SPI_SETCLEARTYPE (0xx)
HideDesktop.cpp : Set SPI value for SPI_SETCLEARTYPE: 0xx
HideDesktop.cpp : Failed to set SPI value for SPI_SETFONTSMOOTHING (0xx)
HideDesktop.cpp : Set SPI value for SPI_SETFONTSMOOTHING: 0xx
HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHING (0xx)
HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHING: 0xx
HideDesktop.cpp : Failed to restore SPI value for SPI_SETCLEARTYPE (0xx)
HideDesktop.cpp : Restored SPI value for SPI_SETCLEARTYPE: 0xx
HideDesktop.cpp : Failed to restore SPI value for SPI_SETFONTSMOOTHINGTYPE (0xx)
HideDesktop.cpp : Restored SPI value for SPI_SETFONTSMOOTHINGTYPE: 0xx
caspolms.ini
passwd
passwd2
{34F673E0-878F-11D5-B98A-00B0D07B8C7C}
Wtsapi32.dll
winlogon.exe
winsta.dll
user32.dll
sas.dll
cad.exe
LockWorkstation failed with error 0x%0X
advapi32.dll
SYSTEM\CurrentControlSet\Services\%s
Tcpip
SYSTEM\CurrentControlSet\Control\SafeBoot\%s\%s
/boot.ini
operating systems
bcdedit.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
ding_dong.wav
RICHED32.DLL
<%s>:
TextChat.cpp : OpenInputdesktop Error
TextChat.cpp : OpenInputdesktop OK
TextChat.cpp : !GetUserObjectInformation
TextChat.cpp : SelectHDESK to %s (%x) from %x
TextChat.cpp : SelectHDESK:!SetThreadDesktop
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable called
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\tableinitcmtemplate.cpp : failed to allocate translation table
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\tableinitcmtemplate.cpp : Using video Palette
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\tableinitcmtemplate.cpp : Using mirror video Palette
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\tableinitcmtemplate.cpp : got %u palette entries
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\tableinitcmtemplate.cpp : rfbInitColourMapSingleTable done
\uvnckeyboardhelper.exe
keyEvent
c:\video0.dat
c:\video1.dat
videodriver.cpp : Error video.dat
No '%s' found.
DevNum:%d
Name:%s
String:%s
ID:%s
Key:%s
Attach.ToDesktop
Fail: Using 32bit caspol.exe with a 64bit driver?
mv2.dll
1.00.22
Driver verion is not 1.00.22
driver info: required version 1.00.22
vistahook.cpp : REct %i %i %i %i
vistahook.cpp : OpenInputdesktop Error
vistahook.cpp : OpenInputdesktop OK
vistahook.cpp : !GetUserObjectInformation
vistahook.cpp : SelectHDESK to %s (%x) from %x
vistahook.cpp : SelectHDESK:!SetThreadDesktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
\mylogo.bmp
AutoAccept:%u
AutoReject:%u
AutoAccept: %u
AutoReject: %u
vncbuffer.cpp : request local buffer[%d]
vncbuffer.cpp : fast blits detected - using DIBsection buffer
vncbuffer.cpp : unable to allocate main buffer[%d]
vncbuffer.cpp : unable to allocate back buffer[%d]
vncbuffer.cpp : unable to allocate cache buffer[%d]
vncbuffer.cpp : unable to allocate scaled buffer[%d]
vncbuffer.cpp : local buffer=%d
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : GetPalette called but no encoder set
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : request client buffer[%u]
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : raw encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : RRE encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : CoRRE encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : Hextile encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : Ultra encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : jpeg encoder is only supported on 32bit color display
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : ZRLE encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : ZYWRLE encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : XZ encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : XZYW encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : Zlib encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : ZlibHex encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : Tight encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : unknown encoder requested
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : client pixel format is not supported
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncencodemgr.h : SetClientFormat called
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncpasswd.h : PASSWD : ToText called
vncclient.cpp : init update thread
vncclient.cpp : update thread gone
vncclient.cpp : kill update thread
vncclient.cpp : enable update thread
vncclient.cpp : disable update thread
vncclient.cpp : wait timeout
vncclient.cpp : enable/disable synced
vncclient.cpp : starting update thread
vncclient.cpp : stopping update thread
0.0.0.0
RFB d.d
vncclient.cpp : Repeater connect
vncclient.cpp : Repeater connected, waiting viewer
vncclient.cpp : Reconnect to repeater
vncclient.cpp : Keepalive received
vncclient.cpp : m_ms_logon set to %s
vncclient.cpp : no password specified for server - client rejected
This server does not have a valid password enabled. Until a password is set, incoming connections cannot be accepted.
vncclient.cpp : loopback connection attempted - client rejected
vncclient.cpp : loopback connection attempted - client accepted
vncclient.cpp : authentication failed
\logging.dll
vncclient.cpp : connections already exist - client rejected
vncclient.cpp : non-shared connection - disconnecting old clients
vncclient.cpp : Leaving InitAuthenticate
After DH: g=%I64u, m=%I64u, i=%I64u, key=%I64u
CheckUserGroupPasswordUni result=%i
password authentication
vncclient.cpp : Failed to send challenge to client
vncclient.cpp : Failed to receive challenge response from client
View-only password authentication
vncclient.cpp : failed to set socket timeout(%d)
vncclient.cpp : DSMPlugin Pointer to socket OK
vncclient.cpp : Invalid DSMPlugin Pointer
vncclient.cpp : A connection using DSM already exist - client rejected to avoid crash
vncclient.cpp : client connected : %s (%hd)
Could not connect using %s!
Could not connect to %s!
vncclient.cpp : PostAddNewClient I
vncclient.cpp : negotiated version
vncclient.cpp : authenticated connection
vncclient.cpp : sent pixel format to client
vncclient.cpp : vncClientThread
vncclient.cpp : remote pixel format invalid
vncclient.cpp : Cache protocol extension enabled
vncclient.cpp : XOR protocol extension enabled
vncclient.cpp : compression level requested: %d
vncclient.cpp : image quality level requested: %d
vncclient.cpp : fine-grained image quality level requested: %d
vncclient.cpp : subsampling requested: %d
vncclient.cpp : LastRect protocol extension enabled
vncclient.cpp : X-style cursor shape updates enabled
vncclient.cpp : Full-color cursor shape updates enabled
vncclient.cpp : PointerPos protocol extension enabled
vncclient.cpp : ServerState protocol extension enabled
vncclient.cpp : KeepAlive protocol extension enabled
vncclient.cpp : IdleTime protocol extension enabled
vncclient.cpp : FTProtocolVersion protocol extension enabled
vncclient.cpp : Extended clipboard protocol extension enabled
vncclient.cpp : Streaming DSM support enabled
vncclient.cpp : ZRLE found
vncclient.cpp : XZ found
vncclient.cpp : Tight found
vncclient.cpp : defaulting to raw encoder
vncclient.cpp : failed to select raw encoder!
vncclient.cpp : rfbSetServerInput: inputs %s
vncclient.cpp : failed to close desktop
vncclient.cpp : client disconnected : %s (%hd)
vncclient.cpp : PostAddNewClient II
vncclient.cpp : vncClient() executing...
vncclient.cpp : TEST 4
vncclient.cpp : ~vncClient() executing...
vncclient.cpp : deleting socket
vncclient.cpp : client Kill() called
vncclient.cpp : FATAL! client update region is empty!
vncclient.cpp : updating local pixel format
vncclient.cpp : updating local pixel format and buffer size
vncclient.cpp : protocol enabled too many times!
vncclient.cpp : failed to send RFB message to client
vncclient.cpp : ******** Sending %d Cache Rects
vncclient.cpp : *** Sending CacheZip Rects=%d Size=%d (%d)
vncclient.cpp : Compress returned error in File Send :%d
%s%s%s%s
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - Call
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - 1
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - WSLocked
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - currentUser = %s
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - OpenProcessToken Error
vncclient.cpp : %%%%%%%%%%%%% vncClient::DoFTUserImpersonation - ImpersonateLoggedOnUser Failed
vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - 1
vncclient.cpp : %%%%%%%%%%%%% vncClient::UNDoFTUserImpersonation - Impersonationtoken exists
Connect to Technical Support
caspol.Update.DrawRect
caspol.Update.CopyRect
caspol.Update.Mouse
vncdesktop.cpp : ### PixelsGrid %d created !
vncdesktop.cpp : ~vncDesktop
vncdesktop.cpp : Desktop thread running, force close
vncdesktop.cpp : ~vncDesktop Shutdown()
vncdesktop.cpp : delete ((RGBPixelList)
vncdesktop.cpp : ~vncDesktop m_lGridsList.clear
vncdesktop.cpp : ~vncDesktop:: second request to close InitWindowthread
vncdesktop.cpp : failed to DeleteDC hrootdc
vncdesktop.cpp : InitDesktop Failed
vncdesktop.cpp : InitVideo driver Called
vncdesktop.cpp : Driver option enabled
vncdesktop.cpp : no default desktop
vncdesktop.cpp : Driver option disabled
vncdesktop.cpp : Break log
vncdesktop.cpp : InitBitmap Failed
vncdesktop.cpp : ThunkBitmapInfo Failed
vncdesktop.cpp : Removing real Dib buffer and replace by driver communication buffer
vncdesktop.cpp : EnableOptimisedBlits Failed
vncdesktop.cpp : SetPixFormat Failed
vncdesktop.cpp : SetPixShift Failed
vncdesktop.cpp : SetPalette Failed
vncdesktop.cpp : failed to DeleteDC hmemdc
vncdesktop.cpp : failed to DeleteObject
vncdesktop.cpp : failed to close desktop
vncdesktop.cpp : InitDesktop...
WindowsScreenSaverClass
vncdesktop.cpp : KillScreenSaver...
vncdesktop.cpp : Killing ScreenSaver
vncdesktop.cpp : No driver used
vncdesktop.cpp : Failed m_rootdc
vncdesktop.cpp : bitmap dimensions are %d x %d
vncdesktop.cpp : failed to create compatibleDC(%d)
vncDesktop : root device doesn't support BitBlt
vncDesktop : memory device doesn't support GetDIBits
vncdesktop.cpp : failed to create memory bitmap(%d)
vncdesktop.cpp : created memory bitmap
vncdesktop.cpp : unable to get display format
vncdesktop.cpp : unable to get display colour info
vncdesktop.cpp : got bitmap format
vncdesktop.cpp : DBG:used/bits/planes/comp/size = %d/%d/%d/%d/%d
vncdesktop.cpp : DBG:display context has %d planes!
vncdesktop.cpp : DBG:memory context has %d planes!
unsupported truecolour pixel format for setpixshifts
vncdesktop.cpp : unable to allocate logical palette
vncdesktop.cpp : unable to get system palette entries
vncdesktop.cpp : unable to create HPALETTE
vncdesktop.cpp : unable to select() HPALETTE
vncdesktop.cpp : warning - failed to RealizePalette
vncdesktop.cpp : initialised palette OK
vncdesktop.cpp : framebuffer has %u palette entries
vncdesktop.cpp : unable to create temporary DC
vncdesktop.cpp : unable to select DIB section into temporary DC
vncdesktop.cpp : unable to set DIB section palette
vncdesktop.cpp : unable to restore temporary DC bitmap
vncdesktop.cpp : no palette data for truecolour display
vncdesktop.cpp : attempting to enable DIBsection blits
vncdesktop.cpp : failed to build DIB section - reverting to slow blits
vncdesktop.cpp : enabled slow blits OK
vncdesktop.cpp : enabled fast DIBsection blits OK
vncdesktop.cpp : initialising desktop handler
vncdesktop.cpp : failed to start hook thread
WTSAPI32.DLL
%c) session%i %s user=%s status=%s
UVNC experimental server 1.2.1.1 pre-connect window
vncdesktop.cpp : Set extended clipboard data
vncdesktop.cpp : Failed to set extended clipboard data
vncdesktop.cpp : Driver option is enabled
vncdesktop.cpp : Closing pending driver driver version
vncdesktop.cpp : Start Mirror driver
vncdesktop.cpp : Start Mirror driver Failed
vncdesktop.cpp : Using non driver mode
vncdesktop.cpp : Driver Used
vncdesktop.cpp : Shared memory mapped
vncdesktop.cpp : Sethook_restart_wanted hook=%d driver=%d
vncdesktop.cpp : Hookdll status changed
vncdesktop.cpp : Driver Status changed
vncdesktopsink.cpp : ShutdownInitWindowthread
vncdesktopsink.cpp : ~vncDesktop::Tell initwindowthread to close
vncdesktopsink.cpp : ~vncDesktop::ERROR: messageloop blocked
vncdesktopsink.cpp : ~vncDesktop:: iniwindowthread proper closed
vncdesktopsink.cpp : initwindowthread already closed
vncdesktopsink.cpp : StartInitWindowthread
vncdesktopsink.cpp : StartInitWindowthread default desk
vncdesktopsink.cpp : ERROR: initwindowthread failed to start
vncdesktopsink.cpp : StartInitWindowthread started
vncdesktopsink.cpp : StartInitWindowthread reactivate
vncdesktopsink.cpp : StartInitWindowthread no default desk
vncdesktopsink.cpp : wmcreate
vncdesktopsink.cpp : set W8 hooks OK
vncdesktopsink.cpp : set W8 hooks Failed, wddm >= 1.2 ?
vncdesktopsink.cpp : set SC hooks OK
vncdesktopsink.cpp : failed to set system hooks
vncdesktopsink.cpp : set hooks OK
vncdesktopsink.cpp : unset W8 hooks OK
vncdesktopsink.cpp : unset SC hooks OK
vncdesktopsink.cpp : Unsethooks Failed
vncdesktopsink.cpp : Unsethooks OK
vncdesktopsink.cpp : WM_DESTROY
vncdesktopsink.cpp : Monitor22 %i
vncdesktopsink.cpp : Monitor3 %i %i
vncdesktopsink.cpp : Monitor222 %i
vncdesktopsink.cpp : Power3 %i %i
vncdesktopsink.cpp : WM_DISPLAYCHANGE
vncdesktopsink.cpp : Resolution switch detected, driver active
vncdesktopsink.cpp : Resolution switch by driver activation removed
vncdesktopsink.cpp : Resolution switch detected, driver NOT active
vncdesktopsink.cpp : InitWindow called
vncdesktopsink.cpp : InitWindow:OpenInputdesktop Error
vncdesktopsink.cpp : InitWindow:OpenInputdesktop OK
vncdesktopsink.cpp : InitWindow:!GetUserObjectInformation
vncdesktopsink.cpp : InitWindow:SelectHDESK to %s (%x) from %x
vncdesktopsink.cpp : InitWindow:SelectHDESK:!SetThreadDesktop
vncdesktopsink.cpp : failed to register window class
vncdesktopsink.cpp : failed to create hook window
vncdesktopsink.cpp : OOOOOOOOOOOO load hookdll's
\vnchooks.dll
\schook.dll
SetKeyboardFilterHook
vncdesktopsink.cpp : OOOOOOOOOOOO start dispatch
vncdesktopsink.cpp : OOOOOOOOOOOO %i %i
vncdesktopsink.cpp : OOOOOOOOOOOO called wm_quit
vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user 4
vncdesktopsink.cpp : RFB_SCREEN_UPDATE
vncdesktopsink.cpp : REct3 %i %i %i %i
vncdesktopsink.cpp : RFB_MOUSE_UPDATE
vncdesktopsink.cpp : OOOOOOOOOOOO called wm_user 3
vncdesktopsink.cpp : OOOOOOOOOOOO end dispatch
vncDesktopSW.cpp : SWinit
vncDesktopSW.cpp : GetQuarterSize
UAC protected windows.
vncdesktopthread.cpp : threadHandle stop
vncdesktopthread.cpp : Wait for viewer init
vncdesktopthread.cpp :     Screensize changed
vncdesktopthread.cpp : m_SWtoDesktop
vncdesktopthread.cpp : m_hookswitch
vncdesktopthread.cpp : desktop switch %i %i
vncdesktopthread.cpp :     InputDesktopSelected
vncdesktopthread.cpp : m_desktop->Shutdown
vncdesktopthread.cpp : Shutdown KillAuthClients
vncdesktopthread.cpp : m_desktop->Startup
vncdesktopthread.cpp : Startup KillAuthClients
vncdesktopthread.cpp : m_videodriver == NULL
vncdesktopthread.cpp : threadHandle
vncdesktopthread.cpp : threadHandle2
vncdesktopthread.cpp : SCR: new screen format %dx%dx%d
vncdesktopthread.cpp : Size changed
vncdesktopthread.cpp : Request Monitor %d
vncdesktopthread.cpp : First two Monitor: width = %d height = %d
vncdesktopthread.cpp : Last two monitor: width = %d height = %d
vncdesktopthread.cpp : Monitor %d: width = %d height = %d
vncdesktopthread.cpp : ***********###############************ %i %i %i %i %i %i
vncdesktopthread.cpp : Format changed
vncdesktopthread.cpp : Hook changed 1
vncdesktopthread.cpp : Hook changed 2
vncdesktopthread.cpp : Hook changed
vncdesktopthread.cpp : quitting desktop server thread
vncdesktopthread.cpp : quitting desktop server thread:SetBlockInputState
vncdesktopthread.cpp : quitting desktop server thread:ClearShiftKeys
vncdesktopthread.cpp : quitting desktop server thread:g_DesktopThread_running=false
vncdesktopthread.cpp : quitting desktop server thread:m_desktop->Shutdown
getBgColour: bpp %d?
%s: unusual colour = %d
vncencoder.cpp : remote palette data requested
vncencoder.cpp : generating BGR233 palette data
vncencoder.cpp : generating 8-bit palette data
vncencoder.cpp : failed to obtain colour map data!
vncencoder.cpp : settranslatefunction called
vncencoder.cpp : only 8, 16 or 32 bits supported remotely - %d requested
vncencoder.cpp : only 8, 16 or 32 bits supported locally - %d in use
vncencoder.cpp : only 8-bit palette format supported remotely
vncencoder.cpp : only 8-bit palette format supported locally
vncencoder.cpp : no encoding required - both 8-bit palettized
vncencoder.cpp : local truecolour, remote palettized. using BGR233 palette
vncencoder.cpp : unknown local pixel format in use!
vncencoder.cpp : using 8-bit colourmap to truecolour translation
vncencoder.cpp : no translation required
vncencoder.cpp : single LUT used
vncencoder.cpp : triple LUT used
vncencoderCursor.cpp : cursor handle is NULL.
vncencoderCursor.cpp : GetIconInfo() failed.
vncencoderCursor.cpp : cursor bitmap handle is NULL.
vncencoderCursor.cpp : GetObject() for bitmap failed.
vncencoderCursor.cpp : incorrect data in cursor bitmap.
vncencoderCursor.cpp : GetBitmapBits() failed.
vncencoderCursor.cpp : vncDesktop::GetRichCursorData() failed.
vncEncodeTight.cpp : calling deflateInit2 with zlib level:%d
vncEncodeTight.cpp : deflateInit2 returned error:%d:%s
vncEncodeTight.cpp : calling deflateParams with zlib level:%d
vncEncodeTight.cpp : deflateParams returned error:%d:%s
vncEncodeTight.cpp : deflate() call failed.
vncEncodeUltra.cpp : Memory error
vncEncodeUltra.cpp : Ultra encoder stats: rawdata=%d protocol=%d compressed=%d transmitted=%d
vncEncodeUltra.cpp : Ultra encoder efficiency: %.3f%%
vncEncodeUltra.cpp : ********QUEUEQUEUE********** %d %d %d
vncEncodeZlib.cpp : Memory error
vncEncodeZlib.cpp : Zlib Xor encoder stats: rawdata=%d protocol=%d compressed=%d transmitted=%d
vncEncodeZlib.cpp : Zlib Xor encoder efficiency: %.3f%%
vncEncodeZlib.cpp : deflateInit2 returned error:%d:%s
vncEncodeZlib.cpp : deflate returned error:%d:%s
vncEncodeZlib.cpp : compression error
vncEncodeZlib.cpp : ********QUEUEQUEUE********** %d %d %d
vncEncodeZlibHex.cpp : Memory error
vncEncodeZlibHex.cpp : calling deflateInit2 with zlib level:%d
vncEncodeZlibHex.cpp : deflateInit2 returned error:%d:%s
vncEncodeZlibHex.cpp : deflate returned error:%d:%s
/VncViewer.jar
vnchttpconnect.cpp : started HTTP server thread
vnchttpconnect.cpp : HTTP client connected
vnchttpconnect.cpp : quitting HTTP server thread
GET %s
vnchttpconnect.cpp : file %s requested
vnchttpconnect.cpp : parameters read
vnchttpconnect.cpp : filename didn't begin with '/'
vnchttpconnect.cpp : sending main page
vnchttpconnect.cpp : sent page
vnchttpconnect.cpp : requested file recognised
vnchttpconnect.cpp : sending file...
vnchttpconnect.cpp : file successfully sent
fake %d down
fake %d up
Found dead key 0x%x '%c'
keysym 0x%x
************** DEAD KEY
Compose dead 0x%x 0x%x
Composed 0x%x
Found key
Simulating ALT %d%d%d
ignoring unrecognised Latin-1 keysym 0x%x
latin-1 key: keysym %d(0x%x) vkCode 0x%x down %d capslockOn %d
ignoring unknown keysym %d
taskmgr.exe
vnckeymap.cpp : setshiftstate %d - (%s->%s)
vnckeymap.cpp : new state %d (%s)
caspol.log
Error opening log file %s
error code 0xX
codec.cfg
caspol.AddClient.Message.Init
caspol.AddClient.Message
caspol.AddAutoClient.Message
caspol.AddStopClient.Message
caspol.AddStopAllClient.Message
caspol.AddRepeaterID.Message
caspol.TrayIconBalloon2.Message
UltraVNC.Viewer.FileTransferSendPacketMessage
dwmapi.dll
vncmenu.cpp : DisableAero %i
vncmenu.cpp : Reset %i
vncmenu.cpp : vncmenu(server)
wtsapi32.dll
icon1.ico
icon2.ico
vncmenu.cpp : vncmenu killed
vncmenu.cpp : IP interface change detected %s %s
vncmenu.cpp : IsIconSet
vncmenu.cpp : Failed IsIconSet
vncmenu.cpp : vncMenu::Shutdown: Close menu - Disconnect all - Shutdown server
vncmenu.cpp : WM_TASKBARCREATED
vncmenu.cpp : ############## Kill vncMenu thread
vncmenu.cpp : Add client reconnect from timer
vncmenu.cpp : user name has changed
vncmenu.cpp : show default properties requested
vncmenu.cpp : show user properties requested
vncmenu.cpp : KillAuthClients() ID_KILLCLIENTS
vncmenu.cpp : KillAuthClients() ID_CLOSE
vncmenu.cpp : no submenu available
vncmenu.cpp : vncMenu WM_CLOSE call - All cleanup done
vncmenu.cpp : quitting from WM_DESTROY
vncmenu.cpp : SHUTDOWN OS detected
vncmenu.cpp : Session ID %i
vncmenu.cpp : WM_QUERYENDSESSION session!=0
vncmenu.cpp : WM_ENDSESSION
vncmenu.cpp : ############### Usernames change: old="%s", new="%s"
vncmenu.cpp : Warning: exception handling balloon message
Activeds.dll
netapi32.dll
radmin32.dll
\authSSP.dll
vncntlm.cpp : GetProcAddress
CheckUserPasswordSDUni result=%i
You selected ms-logon, but authSSP.dll
was not found.Check you installation
\authadmin.dll
authadmin.dll not found
\workgrpdomnt4.dll
workgrpdomnt4.dll not found
\ldapauth.dll
ldapauth.dll not found
\ldapauthnt4.dll
ldapauthnt4.dll not found
\ldapauth9x.dll
ldapauth9x.dll not found
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncpasswd.h : PASSWD : FromText called
c:\users\rudi\desktop\ultravnc_1211\caspol\caspol\vncpasswd.h : PASSWD : FromClear called
vncproperties.cpp : show per-user Properties
vncproperties.cpp : show default system Properties
vncproperties.cpp : dialog result = %d
vncproperties.cpp : warning - empty password
vncproperties.cpp : no password - QUITTING
vncproperties.cpp : INITDIALOG properties
View only and full password are the same
vncproperties.cpp : enddialog (OK)
vncproperties.cpp : enddialog (CANCEL)
Password
Password2
vncproperties.cpp : ***** DBG - Entering Load
vncproperties.cpp : ***** DBG - User mode
vncproperties.cpp : ***** DBG - Service mode
vncproperties.cpp : ***** DBG - NO current user
vncproperties.cpp : ***** DBG - Force USER SYSTEM 1
vncproperties.cpp : ***** DBG - UserName = %s
vncproperties.cpp : ***** DBG - Machine level prefs
vncproperties.cpp : loading local-only settings
vncproperties.cpp : ***** DBG - Load User Preferences
vncproperties.cpp : clearing user settings
vncproperties.cpp : ***** DBG - Local Preferences - Default
vncproperties.cpp : loading DEFAULT local settings
vncproperties.cpp : ***** DBG - User Settings on
vncproperties.cpp : ***** DBG - LoadUser Preferences
vncproperties.cpp : loading "%s" local settings
vncproperties.cpp : ***** DBG - Override system settings with users settings
vncproperties.cpp : loading "%s" global settings
vncproperties.cpp : ***** DBG - User Settings off
vncproperties.cpp : bypassing user-specific settings (both local and global)
vncproperties.cpp : $$$$$$$$$$ ApplyUserPrefs - Plugin Enabled - Call SetDSMPlugin()
vncproperties.cpp : $$$$$$$$$$ ApplyUserPrefs - Plugin NOT enabled
vncproperties.cpp : saving current settings to registry
vncproperties.cpp : ***** DBG - Force USER SYSTEM 2
vncproperties.cpp : file %s not writable, error saving new settings
NoPassword,
vncproperties.cpp : OpenInputdesktop Error
vncproperties.cpp : OpenInputdesktop OK
vncproperties.cpp : !GetUserObjectInformation
vncproperties.cpp : SelectHDESK to %s (%x) from %x
vncproperties.cpp : SelectHDESK:!SetThreadDesktop
vncpropertiesPoll.cpp : show per-user Properties
vncpropertiesPoll.cpp : dialog result = %d
vncpropertiesPoll.cpp : Error while reading Window Name %d
vncpropertiesPoll.cpp : enddialog (OK)
vncpropertiesPoll.cpp : enddialog (CANCEL)
vncpropertiesPoll.cpp : Reset Reg
vncpropertiesPoll.cpp : clearing user settings
vncpropertiesPoll.cpp : loading DEFAULT local settings
vncpropertiesPoll.cpp : loading "%s" local settings
vncpropertiesPoll.cpp : loading "%s" global settings
vncpropertiesPoll.cpp : file %s not writable, error saving new settings
vncserver.cpp : shutting down server object1
vncserver.cpp : Waiting for desktop to shutdown
vncserver.cpp : ~server m_pDSMPlugin = NULL
vncserver.cpp : shutting down server object2
vncserver.cpp : ShutdownServer m_pDSMPlugin = NULL
vncserver.cpp : AddClient() started
vncserver.cpp : failed to initialise client object
vncserver.cpp : AddClient() done
vncserver.cpp : Desktop init failed, unlock in application mode ?
Remote user successfully connected (%s) and is currently sharing your desktop.
vncserver.cpp : Authenticated() done
vncserver.cpp : killing unauth client
vncserver.cpp : killing auth client
vncserver.cpp : KillClient() done
vncserver.cpp : Killing client named: %s
vncserver.cpp : KillClient() from name done
vncserver.cpp : Client %s is not Ultra. Doesn't know TextChat
vncserver.cpp : TextChat with client named: %s
vncserver.cpp : KillAuthClients() done
%s - %s
vncserver.cpp : KillUnauthClients() done
vncserver.cpp : removing unauthorised client
vncserver.cpp : removing authorised client
vncserver.cpp : deleting desktop server
vncserver.cpp : client disconnect - failed to logoff user!
vncserver.cpp : desktop deleted
vncserver.cpp : RemoveClient() done
vncserver.cpp : SockConnect %d
vncserver.cpp : trying port number %d
vncserver.cpp : SockConnect Done %d
vncserver.cpp : KillAuthClients() fix up a lock-up
vncserver.cpp : Failed rootdc
vncserver.cpp : authhosts cleared
vncserver.cpp : authhosts set to "%s"
vncserver.cpp : client %s rejected due to blacklist entry
vncserver.cpp : verify failed - null hostname
vncserver.cpp : verify host - malformed AuthHosts string
vncserver.cpp : verify host - pattern processing failed!
vncserver.cpp : client %s verifiedHost %u prior to adjustment
vncserver.cpp : client %s verifiedHost %u after adjustment
vncserver.cpp : Unable to set new desktop size
vncserver.cpp : $$$$$$$$$$ SetDSMPlugin - Entry
vncserver.cpp : $$$$$$$$$$ SetDSMPlugin - Enabled
vncserver.cpp : $$$$$$$$$$ SetDSMPlugin - Is Loaded
vncserver.cpp : $$$$$$$$$$ SetDSMPlugin - FORCE RELOADING OF THE PLUGIN
vncserver.cpp : $$$$$$$$$$ SetDSMPlugin - New one - Unload the current
vncserver.cpp : $$$$$$$$$$ SetDSMPlugin - Plugin NOT loaded - Try to load it
vncserver.cpp : $$$$$$$$$$ DSMPlugin cannot be loaded
vncserver.cpp : $$$$$$$$$$ SetDSMPlugin - Plugin successfully loaded
vncserver.cpp : $$$$$$$$$$ SetDSMPlugin - Init plugin call
VNCPasswordNeeded
NoPassword
vncserver.cpp : $$$$$$$$$$ SetDSMPlugin - SetPluginParams call
vncserver.cpp : DSMPlugin Params OK
vncserver.cpp : Unable to set DSMPlugin Params
vncserver.cpp : Unable to init DSMPlugin
vncserver.cpp : AutoConnectRetry(): started
vncserver.cpp : Attempting AutoReconnect....
explorer.exe
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - ERROR : No window station
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Usersize 0
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: NOT impersonating user
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: No user logged on
vncservice.cpp : getusername error %d
vncservice.cpp : @@@@@@@@@@@@@ GetCurrentUser - Error: Unknown OS
vncservice.cpp : !GetUserObjectInformation
vncservice.cpp : SelectHDESK to %s (%x) from %x
vncservice.cpp : SelectHDESK:!SetThreadDesktop
vncservice.cpp : SelectDesktop
vncservice.cpp : OpenInputdesktop2 named
vncservice.cpp : OpenInputdesktop2 NULL
vncservice.cpp : OpenInputdesktop2
vncservice.cpp : OpenInputdesktop2 OK
vncservice.cpp : SelectDesktop failed to close desktop
vncservice.cpp : OpenInputDesktop %i I
vncservice.cpp : OpenInputDesktop II
vncservice.cpp : failed to close input desktop
vncservice.cpp : !GetUserObjectInformation(threaddesktop
vncservice.cpp : !GetUserObjectInformation(inputdesktop
vncservice.cpp : threadname, inputname differ
vncservice.cpp : failed to select logon desktop
vncservice.cpp : generating ctrl-alt-del
vncservice.cpp : preparing to generate ctrl-alt-del
vncservice.cpp : spawn ctrl-alt-del thread...
vncservice.cpp : unable to lock workstation - not NT
vncservice.cpp : locking workstation
vncservice.cpp : unable to load User32 DLL (%u)
vncservice.cpp : unable to locate LockWorkStation - requires Windows 2000 or above (%u)
vncservice.cpp : call to LockWorkstation failed
vncservice.cpp : PostAddNewClient failed
vncsockconnect.cpp : started socket connection thread
vncsockconnect.cpp : Woo hoo! Served Java applet via RFB!
vncsockconnect.cpp : accepted connection from %s
vncsockconnect.cpp : quitting socket connection thread
vsocket.cpp : VSocket() m_pDSMPlugin = NULL
vsocket.cpp : closing socket
vsocket.cpp : shutdown socket
vsocket.cpp : WriteExact: DSMPlugin-RestoreBuffer Alloc Error
vsocket.cpp : zero bytes read1
vsocket.cpp : socket error 1: %d
vsocket.cpp : zero bytes read2
vsocket.cpp : zero bytes read3
vsocket.cpp : HTTP socket error: %d
vnclang_server.dll
Unsupported OS
Error OS not supported
caspol.cpp : test... %s %d
caspol.cpp : PostAddNewClient III
caspol.cpp : PostAddNewClient IIII
caspol.cpp : PostAddNewRepeaterClient I
caspol.cpp : OpenInputdesktop Error
caspol.cpp : OpenInputdesktop OK
caspol.cpp : !GetUserObjectInformation
caspol.cpp : SelectHDESK to %s (%x) from %x
caspol.cpp : SelectHDESK:!SetThreadDesktop
caspol.cpp : getusername error %d
caspol.cpp : Username %s
caspol.cpp : failed to create tray menu
caspol.cpp : PostAddNewClient IIIII
caspol.cpp : PostAddNewRepeaterClient II
caspol.cpp : ****************** WaitForSingleObject - Shutdown server
caspol.cpp : ***** DBG - caspolAPPMain
caspol.cpp : %s -- exiting
caspol.cpp : server created ok
caspol.cpp : ***************** SDEvent created
caspol.cpp : ################## Closing Imp Thread
caspol.cpp : ################## SHUTING DOWN SERVER ####################
Bogus message code %d
Invalid component ID %d in SOS
IDCT output block size %d not supported
Wrong JPEG library version: library is %d, caller expects %d
Invalid memory pool code %d
Unsupported JPEG data precision %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Invalid progressive parameters at scan script entry %d
Invalid scan script at entry %d
Improper call to JPEG library in state %d
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Buffer passed to JPEG library is too small
Too many color components: %d, max %d
Unsupported color conversion request
Bogus DAC index %d
Bogus DAC value 0x%x
Bogus DHT index %d
Bogus DQT index %d
Empty JPEG image (DNL not supported)
Maximum supported image dimension is %u pixels
Cannot transcode due to multiple use of quantization table %d
Backing store not supported
Huffman table 0xx was not defined
Quantization table 0xx was not defined
Not a JPEG file: starts with 0xx 0xx
Insufficient memory (case %d)
Cannot quantize more than %d color components
Cannot quantize to fewer than %d colors
Cannot quantize to more than %d colors
Unsupported JPEG process: SOF type 0xx
Failed to create temporary file %s
Unsupported marker type 0xx
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unknown APP0 marker (not JFIF), length %u
Unknown APP14 marker (not Adobe), length %u
Define Arithmetic Table 0xx: 0xx
Define Huffman Table 0xx
Define Quantization Table %d precision %d
Define Restart Interval %u
Freed EMS handle %u
Obtained EMS handle %u
= = = = = = = =
JFIF APP0 marker: version %d.d, density %dx%d %d
Warning: thumbnail image size does not match data length %u
JFIF extension marker: type 0xx, length %u
with %d x %d thumbnail image
Miscellaneous marker 0xx, length %u
Unexpected marker 0xx
%4u %4u %4u %4u %4u %4u %4u %4u
Quantizing to %d = %d*%d*%d colors
Quantizing to %d colors
Selected %d colors for quantization
At marker 0xx, recovery action %d
RST%d
Smoothing not supported with nonstandard sampling ratios
Start Of Frame 0xx: width=%u, height=%u, components=%d
Component %d: %dhx%dv q=%d
Start Of Scan: %d components
Component %d: dc=%d ac=%d
Ss=%d, Se=%d, Ah=%d, Al=%d
Closed temporary file %s
Opened temporary file %s
JFIF extension marker: JPEG-compressed thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: RGB thumbnail image, length %u
Unrecognized component IDs %d %d %d, assuming YCbCr
Freed XMS handle %u
Obtained XMS handle %u
Unknown Adobe color transform code %d
Inconsistent progression sequence for component %d coefficient %d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: found marker 0xx instead of RST%d
Arithmetic table 0xx was not defined
%ld%c
lzma_stream_encoder error: %d
lzma_code flush error: %d
lzma_code error: %d
Enter password for:
Password incorrect--reenter:
%sEmpty zipfile.
warning: cannot set time for %s
[ %s ]
warning (%d): could not set file attributes
CreateFile() error %d when trying set file time
SetFileTime failed: %d
warning: CreateFile() error %d (set file times for %s)
warning: SetFileTime() for %s error %d
warning: skipped "../" path component(s) in %s
warning (%d): could not set file attributes for %s
mapname: conversion of %s failed
labelling %s %-22s
checkdir error: path too long: %s
checkdir error: cannot create %s
unable to process %s.
checkdir error: %s exists but is not directory
-> %s
checkdir: cannot create extraction directory: %s
Skipping %s
XABKEY
.r.-... %u.%u
%s %s %8lu
=%%
%s %s
Unable to allocate memory in zip library at %s
wiz.exe
Verify password:
Enter password:
zip error: %s (%s)
attempting to restore %s to its previous state
zip warning: %s%s
.Z:.zip:.zoo:.arc:.lzh:.arj
was getting encryption password
zero length password not allowed
was verifying encryption password
password verification failed
mm not supported
no such option: %c
M----
--M
-M not supported, use -MM for Must Match
zip diagnostic: %s %s
freshening: %s
updating: %s
was zipping %s
was copying %s
deleting: %s
User terminated operation
adding: %s
Enter comment for %s:
total bytes=%lu, compressed=%lu -> %d%% savings
excluding %s
replace: can't open %s
made by version %d.%d on system type %d:
needs unzip %d.%d on system type %d:
local flags = 0xx, central = 0xx:
undefined bits used in flags = 0xx:
unknown compression method %u:
starts on disk %u:
unknown internal attributes = 0xx:
zip info: %s%s
zip info: %s has %ld bytes of %sextra data
zip: reading %s
compressed size %ld, actual size %ld for %s
zip warning: %s %s truncated.
%s: adjusting offsets for a preamble of %lu bytes
offset %u--local = x, central = x
%s: %s a preamble of %lu bytes
zip diagnostic: deleting file %s
deleting directory %s (if empty)
zip diagnostic: %scluding %s
zip -0 not supported for I/O on pipes or devices
(deflated %d%%)
C:\Users\rudi\Desktop\UltraVNC_1211\caspol\Vista\caspol.pdb
WS2_32.dll
WINMM.dll
VERSION.dll
USERENV.dll
d3d11.dll
GetProcessHeap
WinExec
WaitNamedPipeW
SetProcessShutdownParameters
KERNEL32.dll
ExitWindowsEx
GetKeyState
keybd_event
GetKeyboardState
EnumWindows
EnumDesktopWindows
VkKeyScanA
MapVirtualKeyA
GetAsyncKeyState
USER32.dll
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
ADVAPI32.dll
ShellExecuteA
ShellExecuteExA
SHFileOperationA
SHELL32.dll
ole32.dll
IMM32.dll
GetCPInfo
PeekNamedPipe
:;,= "[]<>|
C:\UltraVNC\caspol.log
C:\UltraVNC
.?AVvncHTTPConnectThread@@
.?AVvncHTTPConnect@@
.?AVvncTimedMsgBoxThread@@
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\caspol.exe
192.168.11.133
WARNING : Running WinVNC without setting a password is a dangerous security risk!
Until you set a password, WinVNC will not accept incoming connections.
WARNING : This machine has no default password set. WinVNC will present the Default Properties dialog now to allow one to be entered.
No password has been set & this machine has been preconfigured to prevent users from setting their own.
Unable to load the Rich Edit (RICHED32.DLL) control!
Chat with <%s> - UltraVNC
You selected ms-logon, but the auth.dll
You selected ms-logon, but the authad.dll
It presumably does not support TextChat
META-INF/MANIFEST.MF
META-INF/_02621E4.SF
META-INF/_02621E4.RSA
AuthPanel.class
ButtonPanel.class
ClipboardFrame.class
DesCipher.class
DH.class
FTPFrame$StrComp.class
FTPFrame.class
OptionsFrame.class
RecordingFrame.class
RfbProto.class
SessionRecorder.class
VncCanvas.class
VncViewer.class
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
<assemblyIdentity type='Win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='X86' publicKeyToken='6595b64144ccf1df' language='*' />
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
n.exe
\winsta.dll
\\.\Pipe\TerminalServer\SystemExecSrvr\%d
Poll Console Windows Only
UltraVNC Server 1.2.1.1
Display Number or Ports to use:
Ports
Http:
Enable JavaViewer (Http Connect)
Keyboard && Mouse
Alternate keyboard method
VNC Password:
View-Only Password:
Require MS Logon (User/Pass./Domain)
New MS Logon (supports multiple domains)
Log debug infos to the WinVNC.log file
This machine has been preconfigured with WinVNC settings, which cannot be overridden by individual users. The preconfigured settings may be modified only by a System Administrator.DThe WinVNC settings for the current user are unavailable at present.PYou do not have sufficient priviliges to edit the default local WinVNC settings.
Until you set a password, WinVNC will not accept incoming connections.9The Plugin cannot be loaded.
WVNCNYou selected ms-logon, but the authad.dll
WARNINGLYou selected ms-logon, but the auth.dll
was not found.Check you installationevncDesktop : root device doesn't support BitBlt
WinVNC cannot be used with this graphic device driverkvncDesktop : memory device doesn't support GetDIBits
Unable to process MS logon4Unable to load the Rich Edit (RICHED32.DLL) control!
AutoAccept:%u Ctrl-alt-del require service, no permission;The file cad.exe was not found in the same folder as winvncsPermission denied on cad.exe, UltraVNC must be installed in "program files" else special cad permission is refused.
12.20.05.598
caspol.exe
1.2.1.1
WinVNC.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WMIC.exe:2192

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8F65.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab8F53.tmp (51 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1700 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabA48C.tmp (50 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8F54.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar8F66.tmp (2712 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\caspolms.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarA48D.tmp (2712 bytes)
    C:\Windows\System32\repair-registry.exe.bak (324466 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\CLR Security Config\caspol.exe (50 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "DHCP-Service" = "C:\Windows\system32\DHCP-Service.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
