Gen.Trojan.Heur.PT.SmWaOAD21fi_51bd6e8e95
Trojan.Win32.Scar.hskr (Kaspersky), Gen:Trojan.Heur.PT.SmW@aOAD21fi (B) (Emsisoft), Gen:Trojan.Heur.PT.SmW@aOAD21fi (AdAware), GenericAutorunWorm.YR, GenericInjector.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan, Worm, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 51bd6e8e95bba41a4697a101b2d6a187
SHA1: 65789c6261342acf1c47551b88f33e712685e661
SHA256: f059350004859eca7def5e834ca31cade5160afb7fb92053c3805a834c16403a
SSDeep: 12288:todAI3o7QvJ/RGtBp9T9e3dr1/qbio1NcTUrz7Ly/rqNDiS4Rn4xsluubAJsEEd:DWSi/Rim3z/qJ1sUbLy/rODGBHukAG
Size: 722432 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2011-03-25 15:17:42
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Banker. Steals data relating to online banking systems, e-payment systems and credit card systems.
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Trojan creates the following process(es):
SACBENTP285944DEFB2A.exe:892
%original file name%.exe:1700
mofcomp.exe:372
mofcomp.exe:776
The Trojan injects its code into the following process(es):
WRSA.exe:2008
WRSA.exe:352
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SACBENTP285944DEFB2A.exe:892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Webroot\WRSA.exe (3785 bytes)
The process %original file name%.exe:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\SACBENTP285944DEFB2A.exe (3825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\wsa.bat (52 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\SACBENTP285944DEFB2A.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\wsa.bat (0 bytes)
The process mofcomp.exe:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1587 bytes)
%WinDir%\Temp\tmp41.tmp (2 bytes)
%System%\wbem\AutoRecover\3FB02EC54EF11291FA75FBAC8D6B80D4.mof (4 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\tmp41.tmp (0 bytes)
The process mofcomp.exe:776 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\wbem\Logs\mofcomp.log (1291 bytes)
%WinDir%\Temp\tmp40.tmp (2 bytes)
%System%\wbem\AutoRecover\3FB02EC54EF11291FA75FBAC8D6B80D4.mof (6 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\tmp40.tmp (0 bytes)
The process WRSA.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\WRkrn.sys (112 bytes)
%Documents and Settings%\All Users\Application Data\WRData\~tmp.hiv (33604 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Webroot SecureAnywhere\Webroot SecureAnywhere.lnk (629 bytes)
%System%\WRusr.dll (149 bytes)
%WinDir%\Temp\perflib_perfdata_7a8.dat (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\All Users\Application Data\WRData\dbi.db (714 bytes)
C:\$Directory (1732 bytes)
%Documents and Settings%\All Users\Application Data\WRData\WR.mof (1 bytes)
%Documents and Settings%\All Users\Application Data\WRData\dbg.db (1636 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\WRData\~tmp.hiv (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Webroot SecureAnywhere\Webroot SecureAnywhere.lnk (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Webroot SecureAnywhere (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (0 bytes)
Registry activity
The process SACBENTP285944DEFB2A.exe:892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 B7 66 87 0E A3 C6 6D F4 78 90 9A A5 C8 C7 35"
[HKLM\SOFTWARE\WRData]
"InstalledVersion" = "134218217"
[HKCU\Software\WRData]
"InstallOpt" = "38498"
[HKLM\SOFTWARE\WRData]
"InstallDir" = "%Program Files%\Webroot\WRSA.exe"
"nid" = "134218217"
[HKCU\Software\WRData]
"LIC" = "SACBENTP285944DEFB2A"
"3" = "0"
The process %original file name%.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 16 14 CF 70 C7 B4 82 4B E1 CA B9 35 C9 EE EF"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp]
"wsa.bat" = "wsa"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process mofcomp.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 6D D8 C2 37 4B 59 07 E6 B7 6A 25 6C 4D 6A 3E"
[HKLM\SOFTWARE\Microsoft\WBEM\CIMOM]
"Autorecover MOFs timestamp" = "130558497636928750"
The process mofcomp.exe:776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF FF D5 E1 55 5D 92 38 15 B4 47 61 57 0D B4 BE"
[HKLM\SOFTWARE\Microsoft\WBEM\CIMOM]
"Autorecover MOFs timestamp" = "130558497636303750"
"Autorecover MOFs" = "%System%\WBEM\cimwin32.mof, %System%\WBEM\cimwin32.mfl, %System%\WBEM\system.mof, %System%\WBEM\wmipcima.mof, %System%\WBEM\wmipcima.mfl, %System%\WBEM\regevent.mof, %System%\WBEM\regevent.mfl, %System%\WBEM\ntevt.mof, %System%\WBEM\ntevt.mfl, %System%\WBEM\secrcw32.mof, %System%\WBEM\secrcw32.mfl, %System%\WBEM\dsprov.mof, %System%\WBEM\dsprov.mfl, %System%\WBEM\msi.mof, %System%\WBEM\msi.mfl, %System%\WBEM\policman.mof, %System%\WBEM\policman.mfl, %System%\WBEM\subscrpt.mof, %System%\WBEM\wmi.mof, %System%\WBEM\wmi.mfl, %System%\WBEM\scm.mof, %System%\WBEM\fevprov.mof, %System%\WBEM\fevprov.mfl, %System%\WBEM\wmitimep.mof, %System%\WBEM\wmitimep.mfl, %System%\WBEM\wmipdskq.mof, %System%\WBEM\wmipdskq.mfl, %System%\WBEM\wmipicmp.mof"
The process WRSA.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = ""
[HKLM\System\CurrentControlSet\Services\WRkrn\Instances]
"DefaultInstance" = "WRkrn"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = ""
[HKCR\CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}\InProcServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}]
"(Default)" = "WRShellExt"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Control]
"CloneTimeStampFlags" = "432977565"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"NoModify" = "1"
[HKCR\*\shellex\ContextMenuHandlers\WRShellExt]
"(Default)" = "{69D72956-317C-44bd-B369-8E44D4EF9802}"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = ""
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"InstallLocation" = "%Program Files%\Webroot\"
[HKLM\SOFTWARE\WRData]
"GWord" = "WSASME.EXE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\WRData]
"CTX" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WRkrn]
"(Default)" = "Driver"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"UninstallString" = "%Program Files%\Webroot\WRSA.exe -uninstall"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"EstimatedSize" = "695"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\WRData]
"rCV" = "1"
[HKLM\System\CurrentControlSet\Services\WRSVC]
"Description" = "Webroot SecureAnywhere Endpoint Protection v8.0.1.233"
[HKLM\SOFTWARE\WRData]
"InstalledVersion" = "134218217"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCR\Folder\shellex\ContextMenuHandlers\WRShellExt]
"(Default)" = "{69D72956-317C-44bd-B369-8E44D4EF9802}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"VersionMajor" = "8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"Publisher" = "Webroot"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 06 A0 92 1A FA 49 B5 0B D6 F1 22 6B 35 DB EB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\System\CurrentControlSet\Services\WRkrn\Instances\WRkrn]
"Altitude" = "321611"
[HKLM\SOFTWARE\WRData]
"InstallDir" = "%Program Files%\Webroot\WRSA.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Services\WRkrn]
"MSvc" = "WRSVC"
[HKLM\System\CurrentControlSet\Services\WRkrn\Instances\WRkrn]
"Flags" = "0"
[HKCR\CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}\InProcServer32]
"(Default)" = "%System%\WRusr.dll"
[HKLM\System\CurrentControlSet\Services\WRSVC]
"CSD" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
"VersionMinor" = "0"
"DisplayName" = "Webroot SecureAnywhere"
"DisplayVersion" = "8.0.1.233"
"DisplayIcon" = "%Program Files%\Webroot\WRSA.exe"
"NoRepair" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST]
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Services\WRkrn]
"DeleteFlag"
"WOW64"
The process WRSA.exe:352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 36 18 BD B7 72 4A 75 F8 3D C5 A9 67 F9 2B F2"
[HKLM\SOFTWARE\WRData]
"BLV" = "E3 17 B9 E7 73 89 DF 89 C8 2C 84 9F 37 2F F2 EC"
[HKCU\Software\Microsoft\Windows\CurrentVersion]
"wInstallTime" = "1411376161"
[HKCU\Software\WRData]
"LIC" = "SACBENTP285944DEFB2A"
"17" = "1927995897"
[HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WRSVC]
"(Default)" = "Service"
[HKCU\Software\WRData]
"5" = "ivTHbMBs"
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Services\WRSVC]
"WOW64"
"DeleteFlag"
Dropped PE files
MD5 | File path |
---|---|
cbe1be460b6da29669169379afe61720 | c:\Program Files\Webroot\WRSA.exe |
b666f9ae523f9150e1ee1f6c8242441c | c:\WINDOWS\system32\WRusr.dll |
8570519458afa754d99292a815bc49b9 | c:\WINDOWS\system32\drivers\WRkrn.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\drivers\WRkrn.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\drivers\WRkrn.sys" the Trojan controls creation and closing of threads by installing the thread notifier.
Using the driver "%System%\drivers\WRkrn.sys" the Trojan controls loading of executable images into memory by installing the load image notifier.
Using the driver "%System%\drivers\WRkrn.sys" the Trojan controls operations with a system registry by installing the registry notifier.
The Trojan installs the following kernel-mode hooks:
ZwAllocateVirtualMemory
ZwAssignProcessToJobObject
ZwCreateThread
ZwDebugActiveProcess
ZwDeleteKey
ZwDeleteValueKey
ZwDuplicateObject
ZwOpenProcess
ZwOpenSection
ZwOpenThread
ZwProtectVirtualMemory
ZwSetContextThread
ZwSetValueKey
ZwSystemDebugControl
ZwTerminateProcess
ZwTerminateThread
ZwWriteVirtualMemory
Using the driver "%System%\drivers\WRkrn.sys" the Trojan attaches its filter-device object to the Volume Device Object (VDO) of the file system driver.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.MPRESS1 | 4096 | 765952 | 718848 | 5.54368 | ab7a591948a0dfb81c8e9d20364bd65c |
.MPRESS2 | 770048 | 1228 | 1536 | 3.48797 | bb1c5ba93743189ec186fa9dce165a49 |
.rsrc | 774144 | 1040 | 1536 | 2.62402 | b9520c33f1e3aea0922a32485ebeba1f |
URLs
URL | IP |
---|---|
hxxp://ronb1-1759004122.us-east-1.elb.amazonaws.com/arm.asp | |
hxxp://g74.p4.webrootcloudav.com/arm.asp | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /arm.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Host: g74.p4.webrootcloudav.com
Content-Length: 1141
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
TV=1&TT=AWARE&SV=134218217&InstanceMID=19ceb69d6a09dedff47750851539a8874a1a04894327bb608db5179dd6a9ae21&HEADERS=$$$01$$$314F04E9OLCKIKPLHKHRNEMEPDQDLGQRNFNHPHFIOIIGNQIHJPHDMIIPEKECMGJLRKHLHHOCOPDOLFJEEJRNGJNRMIKPCCHGRIEEEQQNRHHJNLFGFPDCNLNLMMQMNLGDCEHHPKIIIGCMCJFHJHRLHJHPHECDMQHCDEGIJQONJNCGONLJHKFINLGEOEPQJPKEOMKMNKDOLCNGGGNKOLENDRMNOLRKEPIPMLRQJNQKMLGIHDQEECPHMGNFMHKJQHOHGMKNDLEMQLNFLRFCNKMNOLKDNJQQKHJIFQIJERKCMOCFPGCJKMLQEQHLDLHQPMEJLQNMHQPQKNHENNCEDDQGHKMKMPLLGODPFJQLJRMMNREHCKMOMMINLQLFOKKMRCCPOHOQLKIQMCOJOFMNRJRICCCORNMFPJEDFIENHOOHIPFQRLIPQMOFIHLQKEKMKDEIMROIRQGFONPHJPKINQHEEQKIPQLJCFHNLLJERNJCJLPJOLJCEROIMNMGNIOPMEORHCOREHLEDLGRHNRGJGFRLJJEHHPEMLPRMQRQGMQMDLQEQQJHNKLHEIRQMERQJEKGHGJOGHLLKJCIQPHMGRLIFMOHLKQCOPLKCQOOHJPMKEDCEJEPFFCQRFRIDHHREKNHRMDKOENMJKCEIIDKQPQMLELMLDMHDGHNCFNDOLELRPLPLFGOJHHLNEFPNPIOQKDCLLILGLLNKMHJLFIMQKCKFGMGNNCMLRMPINNFQFERGLQNRRGQGCNDDPFNFOMKORJDMJRJQHGJDCFENOFNJFNCCQEDIEJPPREDNLQLPHCPFFGDKOOKDNDLMMHHECFHPIEPQJKFFCGHPLOCFOKNLQRJMEDCMEPRCLEOICNMEEMIRRDCENDMLPINLRLOPFKHQPLLDJGPKRRGGEDFMQDEMLNENLMHDDCPJKKIPEKPQDKQIEOFDOOFEDDLMOHLDJGQOMCLCGMPPHGCQLDCLKIHFRHIQKJIIRCEKNHIOKDENMJNJIOKIFQMQPGFDLQLCFDH&
HTTP/1.1 200 OK
Cache-Control: private,no-cache
Content-Type: application/octet-stream
Date: Mon, 22 Sep 2014 13:58:15 GMT
Expires: Sun, 21 Sep 2014 13:58:16 GMT
Pragma: no-cache
Server: Microsoft-IIS/7.5
Set-Cookie: errtext=; path=/
X-Powered-By: ASP.NET
Content-Length: 2530
Connection: keep-alive
<<< skipped >>>
POST /arm.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
Host: g74.p4.webrootcloudav.com
Content-Length: 1206
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
Cookie: errtext=
TV=1&TT=WALL&SV=134218217&InstanceMID=19ceb69d6a09dedff47750851539a8874a1a04894327bb608db5179dd6a9ae21&HEADERS=$$$01$$$F38AC12CNSJRNKOGNOLNHEGOFRKHFKKNPPFDRNJGSMSRDFSSDFDPQQOGMHSRQLFGHLPORIIFGQLJFORDIJFMOKJQEJISKDDJGNIDKRQMNINLQMSMEEQEINGHHMFKINLDFQMHOKFKHOHORSKDNMDOLOROLNOGGFRFHNSHJJOMJGOEIDFFDDHPRQOOIMFKFJSKIIGKFKNEHSDEQGDIMKQJPDIJIJDIKFEDHFNGDHSIQJMRERDLFOGOJLEMJMJQFMFOHFJIIEHHREQQILIFHGKJGFEDHDKGGRROHMSNELQQMOMEJDMISQPOIQLSNQLLNRKIFJFDRJHHKGPDDOMLJLGRNDKFEIHGGHHKSGMGFKMDRKQFJDJMLRNFKIEJFGHSEOPHRFDKSSFKLKLRFGRJFGDPQHOFFOEMHGMOJJMEHPOSKQLGJNQDONOEGMJSEEKOQFIOGLKGJMSJEPJLRFGGRLNKSMKGHMJFIHFRKNFKLPJIDRDKLRMFFPFDJSDJKFFSJJFMIDFMJISHEMFMMHMRLKRNJHRONNHKENHNQEJOKIOSFJKLIFRSPKPLIQFDERFDDRQRRHRRSIDOKKMPIIPLGRHHPNEKFLGFOQPNPFORDKRLQFRSHKRDESPSEDKOSJMFPOKHQIQMNQSOIKHGLRIQGEELHRFPHMEKLLRMIODGQEIORIFLDLSMFQFGRJPHFJMIOGJIDJQHQJFJIIRFDHQKOJSIROIMFHSKPDQDLDRRMPGFGJGGODNHHOISQEMESDHFDGMSNSEMNQFMELIPKOIMLLJQSIODMIRDJHOPPRKHRFIDDHQGGLINJPHPQMLGMHRGNFKSISEMLLQSFEIFLPEERKFQINPNENDIKEKJNHPDKNMPNKRKHGQSOMNFKHEMGLHDDJIDGDLHSLKGPOKELHMOLRNGNSPMMQENHHROHQGJSDOIFGFOQNGOOPNJSPSJQNLLNNKDDKLMQGJENGEPRGFHERIKPGJLEKQLJGMOPGNJDOOLDOEFRNNJHSDFLMDHJQHDIMLDEMOHLIDMFIIMSMEJPSKKROLIIMJKNPKPMFNLGODDQPQGGNDGGQGDNQDRQSDDGM&
HTTP/1.1 200 OK
Cache-Control: private,no-cache
Content-Type: application/octet-stream
Date: Mon, 22 Sep 2014 13:58:15 GMT
Expires: Sun, 21 Sep 2014 13:58:16 GMT
Pragma: no-cache
Server: Microsoft-IIS/7.5
Set-Cookie: errtext=; path=/
X-Powered-By: ASP.NET
Content-Length: 57100
Connection: keep-alive
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
explorer.exe
Software\Classes\.exe\shell\open\command
Software\Classes\exefile\shell\open\command
Software\Classes\.exe
dontreportinfectioninformation
Windows\WindowsUpdate
Windows\WindowsUpdate\AU\NoAutoUpdate
DisableCMD
NoWindowsUpdate
%windir%\system32\choice.exe /T 1 /N /D N /M Uninstalling...
#pragma namespace("\\\\.\\root\\SecurityCenter")
[Description("Webroot SecureAnywhere Security Center Integration"),Override("HostingModel")]
Name="AVClientInt.AVClientIntProvider";
ClsId="{D486329C-1488-4CEB-9CC8-D662B732D904}";
SupportsPut="FALSE";
SupportsGet="TRUE";
SupportsDelete="FALSE";
SupportsEnumeration="TRUE";
instanceGuid="{D486329C-1488-4CEB-9CC8-D662B732D904}";
companyName="Webroot";
displayName="Webroot SecureAnywhere";
Microsoft\Office\%s\%s\%s\
http://
<html><body><img src="%s.bmp"></body></html>
WSA_SA_Report-%s
%a_%Y-%m-%d_%H-%M-%S
g1.p4.webrootcloudav.com/arm.asp
symsecureport
SQLANYs_sem5
semwebsrv
Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\
memory.dmp
Microsoft\Windows NT\CurrentVersion\Winlogon\altdefaultusername
Microsoft\Windows NT\CurrentVersion\Winlogon\defaultusername
Microsoft\Windows\CurrentVersion\Explorer\Streams\
Microsoft\Windows\CurrentVersion\Explorer\DesktopStreamMRU\
Microsoft\Windows\CurrentVersion\Explorer\StreamMRU\
msdownload.tmp\
Microsoft\Windows\Cookies\index.dat
Microsoft\Windows\Temporary Internet Files\index.dat
Cookies\index.dat
Local Settings\Temporary Internet Files\Content.IE5\index.dat
Microsoft\Windows\IEDownloadHistory\index.dat
Logs\IE9_NR_Setup.log
IE9_Main.log
IE9.log
IE8_Main.log
IE8.log
IE7_Main.log
IE7.log
IE Setup Log.txt
Microsoft\Windows\History\
Local Settings\Temporary Internet Files\Content.IE5\
Microsoft\Windows\Temporary Internet Files\
Microsoft\Windows\Cookies\
Microsoft\Internet Explorer\TypedUrls\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\
Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery\
Microsoft\Internet Explorer\ExplorerBars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU\
Microsoft\InternetExplorer\ExplorerBars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Find\
Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU\
Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\
Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\&Documents\Menu\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Documents\
Microsoft\Windows\Recent\
$Recycle.bin\
Google\Chrome\User Data\Default\Cache\
Mozilla\Firefox\Profiles\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install
P4REPORT
%S\Driver Cache\i386
%s,%i%i
8.0.1.233
%s %s%s
%i-%i-%i-X-X.tmp
%s %s%S %s
Microsoft\Windows NT\CurrentVersion
\REGISTRY\User\%S
Microsoft\Windows\CurrentVersion
IG=%s,
hXXp://anywhere.webrootcloudav.com/zerol/pkgwiscaway.exe
detail.webrootanywhere.com/p4inbound.asp
hXXp://VVV.webrootanywhere.com/betaeula.asp
*X
%.*s(%d)%s
=%%
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\WRSA.pdb
Allow users to remove threats without a password
Allow users to scan without a password
This website is already being protected with SecureAnywhere Browser Protection. Remove it from the Browser Protection list to change its Website Filtering options.
This application is being actively protected against keyloggers, screen-grabbers, clipboard stealers, and other information-stealing threats.
Assess the intent of new programs before allowing them to execute
Would you like to automatically import the settings that were used in your previous installation?
Automatically block files when detected on execution
Caution: Booting into Safe Mode may prevent access to encrypted hard drives. Ensure that you have all encryption keys available if you are using hard disk encryption so that your computer can boot properly. Do you want to continue?
Warn when new programs execute that are not trusted
Protect against keyloggers
Block phishing and known malicious websites
Block suspicious access to browser windows
The current operation cannot be aborted.
SecureAnywhere was unable to remove threats automatically. Click "Contact Support" to contact our Support engineers.
Configuration for HTTP websites
Configuration for HTTPS websites
Would you like SecureAnywhere to continue monitoring and alerting about the Windows Firewall?
Your keycode has been copied to the clipboard. You can now paste it into any application.
The keycode could not be verified at this time. Ensure that SecureAnywhere is allowed to connect to the Internet and try again.
Configuration settings could not be exported to the selected file.
Configuration settings could not be imported from the selected file.
SecureAnywhere has detected that the Windows Firewall is currently disabled. It is recommended that you enable the Windows Firewall to receive maximum protection. The firewall built into SecureAnywhere is fully compatible with the Windows Firewall and provides an additional layer of protection.||Would you like to enable the Windows Firewall now?
Displaying %s events
Displaying %s process events
Enable Password Protection
Password protection is not currently enabled. Do you want to enable it now?
Enable "right-click" scanning in Windows Explorer
Enter a valid keycode to continue.
First Exec - PID: %i
A full keycode is required to add custom applications. Would you like to obtain one now?
Store Execution History details
Hide the SecureAnywhere keycode on-screen
SecureAnywhere has detected a modification to the HOSTS file, which may have been created by malicious software. The entry has the contents:||[%S]||Would you like SecureAnywhere to remove this entry?
HTTP Proxy
Save non-executable file details to scan logs
Enter a valid keycode. If you continue to receive this message, contact SecureAnywhere Support.
I/O Operations
A full keycode is required to increase the default security level. Would you like to obtain one now?
A keycode is required to run a full system scan. Would you like to obtain one now?
Your SecureAnywhere keycode has been validated and activated. Your computer will now be rescanned to provide the most accurate protection.
Enter a keycode to continue.
Loading execution history process events...
The Execution History log is currently loading.
Loading %s execution history events...
Caution: Your current configuration settings may prevent access to SecureAnywhere. You may want to change your configuration settings now or use the command-line option "WRSA.exe -showgui" to show the SecureAnywhere interface if needed.
Operate background functions using fewer CPU resources
This website is blocked because of a policy added by the user to prevent access.
This website has been trusted locally and visitation is not blocked.
Contact SecureAnywhere Support to upload files larger than 10MB.
Insert a keycode for SecureAnywhere.
Password
This file is trying to access stored passwords
The password entered was incorrect.
Error: The entered passwords do not match.
PID %i active %s (CPU %s)
PID %i active %s
%s (PID: %i) started by %s (PID: %i)
%s (PID: %i) - (Parent PID: %i)
Enter your password below to enter:
Enter a password to enable protection.
Protect cookies and saved website data
An attempt to take a screenshot of your computer was detected. This screenshot may contain confidential information as a protected website is currently open. Do you want to allow this screenshot to continue?
Protect against URL grabbing attacks
Port
Randomize the installed filename to bypass certain infections
Allow the process to execute other processes
Allow access to windows with a High integrity level
Allow access to windows with a Medium integrity level
Select a configuration file to import
Select a file to execute
Select where you would like to export the configuration:
Select a file to report to Webroot
Select a removal script to execute:
Show SecureAnywhere in the Windows Action Center
Show the "Authenticating Files" popup when a new file is scanned on-execution
Show SecureAnywhere in the Windows Security Center
Configuration successfully exported.
Are you sure you want to visit this website? The contents could potentially compromise your identity or infect your computer.
Uninstall Webroot
Configuration saved. Close and re-open all open web browsers to update active protection.
Use the preconfigured policies for changing configuration settings for all websites.
This keycode is valid but has expired. Would you like to renew the keycode now?
Enter a valid, complete website name to configure.
Verify the DNS/IP resolution of websites to detect Man-in-the-Middle attacks
Verify websites when visited to determine legitimacy
This website contains a known threat and has been blocked.
Contact Support
Website determination updated. Close your web browser and open the web page again or refresh the current page to continue browsing.
SecureAnywhere Scan Log (Version %S)~|Log saved at %S~|
(User time: %s - Kernel time: %s)
Cycles: %s
MD5: %S - Size: %i bytes
(PID: %i, TID: %i) %s registry entry: %s\%.*s
(PID: %i, TID: %i) %s file: %.*s
%s: PID - %i
(PID: %i, TID: %i) %s process: %i - %s
(PID: %i, TID: %i) %s named pipe: %.*s
(PID: %i, TID: %i) %s module: %.*s
(PID: %i, TID: %i) %s code: %.*s (%S)
(PID: %i, TID: %i) %s IP %.*S
(PID: %i, TID: %i) %s Sector: %I64X - Length: %I64X
(PID: %i, TID: %i) %s URL: %.*S
(PID: %i, TID: %i) %s service - %.*s - %.*s, (%i, %i)
(PID: %i, TID: %i) %s mutex: %.*s
(PID: %i, TID: %i) Logging keystrokes
(PID: %i, TID: %i) Monitoring Windows events (%i)
(PID: %i, TID: %i) %s section: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Registry Key: %.*s~|~|Value: %.*s~|Type: X~|New Data: %s~|~|Previous Data: %s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Filename: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Original Filename: %.*s~|~|New Filename: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Target Process ID: %i
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Module Name: %.*s~|Image Base: X~|Image Size: X~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Filename: %.*s~|Type: %S~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Address: %.*S~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Sector: %I64X~|Length: %I64X~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|URL: %.*S~|~|Bytes Transferred: %i
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Caption: %.*S~|Contents: %.*S~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Service Name: %.*s~|Binary Path: %.*s~|Type: %i~|Start Type: %i
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Mutex: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Windows Hook ID: %i~|Filename: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Event Hook Minimum ID: X~|Event Hook Maximum ID: X
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Section: %.*s
View the Webroot software license agreement
Webroot SecureAnywhere protects your computer from viruses, spyware, trojans, rootkits, and other malicious software.
Enter your keycode to install and activate your software.
Help me find my keycode
By clicking Agree and Install, you accept the terms of the Webroot software license agreement.
Want to learn more about Webroot?
Help and Support
About Webroot SecureAnywhere
Login Theft Protection
Protected Websites
Websites on this list receive custom security to protect any information entered.
View/Edit Protected Websites
Password Required
Web Threat Shield
3. Close any open programs or web browsers (Recommended but not essential)
Reports
You may save a scan log, which Technical Support uses for diagnostics.
View an audit log of all monitored executed code. This allows you to manage running processes and identify potential problems quickly.
Not collecting execution history events
Password:
Repeat Password:
If a Webroot researcher has instructed you to execute a Removal script, select the script to begin.
Import / Export
Block websites from creating high risk tracking information
Analyze websites for phishing threats
Enter the website address to protect (e.g. VVV.webroot.com)
Add Website
Analyze search engine results and identify malicious websites before visitation
Detect websites being redirected by the HOSTS file
Look for malware on websites before visitation
Look for exploits in website content before visitation
Website Filter
View/edit the list of blocked websites to change how they should be handled or add new websites to block.
View Websites
Website
Enter the website address to configure (e.g. VVV.webroot.com)
You received your keycode by email.
Your keycode is located on the CD sleeve.
If you have misplaced your keycode:
Contact Webroot Support at hXXp://VVV.webroot.com/support
Help me find my license keycode
You can also import your settings from another computer using this screen.
Import Settings
Export Settings
Activate a new keycode
Keycode:
Enter your new keycode into the field below and click Activate:
Enter your keycode here...
Are you sure you want to abort the current operation?
Identity && Privacy - protect yourself while browsing web sites
Enter a password that is at least six characters long for better security.
Only executable files can be overridden.
Warning: Clearing the product log will prevent Webroot technical support from assisting you accurately. Are you sure you want to clear the log?
The username or password is invalid.
I forgot my password
Downloading Password Management Components...
Installing Password Management...
Windows System
Windows Desktop
Windows Registry Streams
Windows Update Temporary folder
Windows Temporary folder
Clean Index.dat (cleaned on reboot)
URL history
Securely erase files by overwriting contents with random data using seven passes and clean free space around files.
Erase files by overwriting contents with random data using three passes.
Clean files using standard file deletion techniques, bypassing the Windows Recycle Bin.
SecureAnywhere has detected a significant infection on your computer which requires manual assistance to clean. Contact Webroot Support to help clean your computer.
Your SecureAnywhere subscription entitles you to use Backup && Sync which makes it easy to share files on your computer and protect your important files from loss. Click "Download and Install" to use this feature.
Select specific files and folders to back up to your online storage in the Cloud to protect important files from loss.
Webroot Internet Security Complete is already installed on your computer. Use the Sync & Sharing features within WISC to prevent incompatibilities.
Backup & Sync was not installed successfully. If you continue to receive this error, contact Webroot Support.
Your SecureAnywhere subscription entitles you to use Password Management that makes managing your web site logons easy and more secure. Click "Download and Install" to use this feature.
Install Password Management
Manage your personal information, websites, and passwords at your My Webroot account.
- Automatically fill in your login information for remembered websites
- Create secure, hack-resistant passwords for website logins
Password Management makes web browsing easier and more secure.
Password Management is On
Password Management was not installed successfully. If you continue to receive this error, contact Webroot Support.
Password Management
SecureAnywhere was unable to restore all files to their original locations and has copied them to a dedicated Quarantine folder located at [%s]. Would you like to view the Quarantine folder now?
The keycode is currently hidden and cannot be copied.
%-5i %S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|
%-5i ...%.*S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|
%S (%S) - %S@%S drive - %i%% Free (%i MB Total), Serial Number: X~|
%S (%S)@%S, Number of Logins: %i, %S~|
%S on %S@%i MB, %i MHz (Form Factor: %S, Manufacturer ID: %S, Serial Number: %S, Part Number: %S)~|
%S on %S@%i MB, (Form Factor: %S)~|
%S@%S drive - No media~|
%S@%S, Last Login: %s, Number of Logins: %i, %S~|
%S@%S, Service: %S, Status: X,
%S@(%S) %S, Service: %S, Status: X,$
%S@Device ID: %S, Internal Name: %S~|
%S@Never logged in~|
%S@Port: %S, Status: %i, Jobs: %i~|
%i fragments, %u bytes@%S (MFT: %i)~|
%s@Minidump: %S~|
%s@System Analysis completed in %i seconds (%s)~|
, Problem code - X,
Active Applications@%i - %i windows (%i visible)~|
Active Applications@%i windows (%i visible)~|
Active Directory@%S~|
Auto Update State@%S~|
Browser@%S %S~|
CPU@%s (%i %S)~|
Common AppData Directory@%S~|
Current Processor Speed@%dMHz~|
DHCP Server@%s~|
DNS Server@%s~|
External Clock Speed@%dMHz~|
External IP Address@%s~|
Gateway@%s~|
Graphics Card@%s - %iMB Free Video RAM, %iMB Total~|
Home Page@%S~|
Hostname@%s~|
IP Address@%s~|
IP Mask@%s~|
Internet Cache@%i KB (%s)~|
Last Update Check@%S~|
Last Update Download@%S~|
Last Update Install@%S (%i %S ago)~|
Last Update Install@%S~|
Maximum Supported RAM Size@%i MB~|
Next Scheduled Install Time@%S~|
Next Scheduled Update Check@%S~|
OS Install Date@%s~|
OS@%s (Language: %i)~|
Operating System
Phishing Filter@%S~|
Search History, URL History, and Recent Playlist
Slot %i - %S (%S)@%S - Bus Number: 0xX, Device Number: 0xX, Segment Group Number: 0xX~|
Spyware Protection@%S %S (%S)~|
Spyware Protection@%S %S (%S, %S)~|
System Access Level@%s~|
System Boot Drive Device@%S~|
System Directory@%S~|
System Family@%S~|
System GUID@x-xx-xxxx-xxxx~|
System Manufacturer@%S~|
System Product Name@%S~|
System Proxy@%S~|
System Serial Number@%S~|
System Temporary Files@%i KB (%s)~|
System Uptime@%S (Tick Count: %i)~|
System Version@%S~|
Third Party Firewall@%S %S (%S)~|
UAC Status@%S~|
Update Type@%S~|
User Account Level@%s~|
User Temporary Files@%i KB (%s)~|
Username@%S (%S) - Session ID: %i~|
Username@%S - Session ID: %i~|
Virus Protection@%S %S (%S)~|
Virus Protection@%S %S (%S, %S)~|
Windows Experience Rating
Windows Firewall@Disabled~|
Windows Firewall@Enabled and Active~|
Windows Updates
~|~|This new key must be used on all future installations of Webroot software:~|~|%.4s-%.4s-%.4s-%.4s-%.4s~|~|Thank you for upgrading!
- Internet Explorer 7.0 and higher, Mozilla Firefox 3.6 and higher; Identity Shield feature in Webroot SecureAnywhere Complete also supports Google Chrome 11 and higher, and Opera 11 and higher
All attached devices have reported to be functioning properly.
Windows Automatic Updates are disabled
Contact Support by clicking the "?" button in the upper right corner of this window.
Create an account to access your security on all your devices online from any Web browser.
Purchase Webroot SecureAnywhere now for uninterrupted protection.
Don't waste a second. Get the fastest security ever. Buy Webroot SecureAnywhere.
Enter your email address to validate your license key and activate realtime threat prevention:
Firefox
If you have other security software installed on your system, you do not need to uninstall it. Webroot SecureAnywhere software is designed to work alongside your existing security software and will automatically upgrade earlier versions of Webroot or Prevx software. If you do experience any issues, please contact our Support team.
Last Password Change: %i %s ago
Malware scanning - detect and report threats
Mozilla Firefox - Cached Files
New Webroot Keycode.txt
No password configured
Operating Systems (32 and 64bit in all Editions)
Please wait until the current operation is complete before shutting down SecureAnywhere.
Please wait until the download of Password Management is finished to download Backup & Sync.
Save Keycode and Continue
SecureAnywhere is currently managed by the Web Console and all changes need to be applied centrally. Please refer to the SecureAnywhere documentation for further information.
Settings - Currently being managed by the Web Console
System Analysis was cancelled and the report may be incomplete.
Screen resolution and bit depth support true color images.
The Windows firewall is disabled.
The credentials used to log into Backup & Sync are invalid. Please login again.
There are currently no items in the execution history log.
To learn more about Webroot's complete portfolio of security solutions, visit VVV.webroot.com.
View Full Report
Visit Webroot.com
Webroot SecureAnywhere has been successfully installed and is actively protecting your computer. You do not need to do anything further - it will continue running in the background, blocking threats if they try to enter.~|~|Accessing Webroot SecureAnywhere is quick and easy - you can locate it any time in your system tray or notification area. You may need to expand your notification area with the "Up" or "Left" arrow to see the Webroot icon.
Webroot SecureAnywhere
Webroot SecureAnywhere~|(c) 2006-2012
Webroot SecureAnywhere`
Webroot System Analyzer
Webroot was unable to be installed because the current user account has limited rights. Please elevate the Webroot installer or install using an administrative account.
Without this protection, your PC is vulnerable to spyware and virus attacks. Don't waste a second - get the fastest security ever. Buy Webroot SecureAnywhere.
Not all RAM can be used by your 32bit operating system.
Protection disabled. Get complete protection with Webroot SecureAnywhere.
Your account gives you anytime access to your security from any Web browser.
Your Webroot SecureAnywhere trial ends in %i days!
Your Webroot SecureAnywhere trial ends tomorrow!
Your Webroot SecureAnywhere trial is expired!
Your new keycode is shown below and is also provided in a text file on your computer's desktop. Use this new keycode for all future installations and upgrades.
Your operating system is up to date.
It is recommended to change your password every 90 days.
Your hardware is adequate for running your operating system.
VVV.geeksquad.com
SecureAnywhere could not be installed. Please contact SecureAnywhere support to assist with your installation.
SecureAnywhere is not compatible with your current operating system. Please consider upgrading your operating system to Windows XP Service Pack 2 or higher.
- Windows XP SP2, SP3
- Windows Vista SP1, SP2
- Windows 7 SP0, SP1
I would like to receive alerts, special offers, important product updates, and newsletters from Webroot.
View the Webroot Privacy Policy
Note: Although your settings will be saved locally, your PC is currently centrally managed by the Web Console and your settings may be overwritten on the next database communication.
Scan with Webroot
To receive the fastest response to a file inquiry, we recommend writing into our support inbox so that a Webroot researcher will immediately look at the submitted information. Would you like to open a support ticket now?
A cleanup license key is required to remove threats.
SecureAnywhere Identity Shield protects your sensitive information on banking, web transacting, and social networking websites while peacefully coexisting with other security software.
Welcome to Webroot
Webroot FastScan quickly assesses your PC security by detecting malicious threats using the Webroot Realtime Threat Database while peacefully coexisting with other security software.
Update now to faster, lighter, and more effective protection. Installation will take less than 10 seconds with scans typically taking less than 2 minutes. Webroot SecureAnywhere protects your computer from all types of malicious activity.
You don't need to do anything further. Webroot SecureAnywhere Identity Shield is now helping to protect you and your personal information when you bank, shop, interact, and transact online.
Aborting the current scan will prevent Webroot from detecting and cleaning all threats. Are you sure you want to abort?
SecureAnywhere has detected active threats on your computer and needs a license key to remove them.
Enable enhanced customer support
Please wait a few moments and try again. Contact Webroot Support if this error persists.
The operation failed with error code %i. %s
The command you selected did not complete successfully. Contact Webroot Support if this error persists.
Backup allows you to automatically back up and access your files securely from a web-based portal.
Web Console
SecureAnywhere is using %2.2f%% of your disk space. The average scan time is %4.1f %s.
SecureAnywhere has used %2.2f%% of your CPU since installation and %2.3f%% disk space. Average scan time is %4.1f %s.
Next scan starts in %s.
%i%% - %s files scanned. %s %s
Scan Complete - %i active %s found in %s. %s
Scan ended - %i active %s found in %s. %s
%s files scanned in %s. No threats found. %s
Scan aborted. %s files scanned in %s. %s
Last scanned %s. %s %s %s removed.
Last scanned %s. %s
Protection has been active for %s.
%s system events have been inspected since installation.
%s system events have been inspected since bootup (%s.%c %s since installation).
%i%% - Cleaned %s bytes (%i files, %i registry entries). Cleaning %s
%i%% - Cleaning %s
System Cleaner is scheduled to run in %s. So far, it has cleaned %s %s.
System Cleaner is scheduled to run in %s.
System Cleaner last cleaned %s. So far, it has cleaned %s %s.
Click here for personal support if you have any questions about SecureAnywhere
Enable Windows Explorer right click secure file erasing
SecureAnywhere Backup allows you to back up your files online so that they can be access through the secure portal in the event of hardware malfunction or system problems, or just to provide easier means for sharing files securely.
Show Windows Explorer overlay icons
Web requests were denied. Please ensure that proxy settings are correct and log in with your current user credentials.
A connection is being established with the Webroot Backup && Sync cloud infrastructure.
Backup is idle and will next archive files at %S. Files were last archived at %S.
Backup is currently idle and is configured to begin automatically archiving files at %S.
Backup allows you to automatically back up and access your files securely from the SecureAnywhere website.
Scanning for threats: %s
By clicking Agree and Begin Analysis, you accept the terms of the Webroot software license agreement.
View report summary
Operating system detected
Detecting operating system information
SecureAnywhere Backup && Sync allows you to protect your data and access it easier by synchronizing it across devices and securely backing it up to prevent data loss. Click "Login" to create your account or log into an existing account.
Please wait until the current operation is complete.
Google Chrome
.text
h.rdata
H.data
.rsrc
B.reloc
TransportAddress
HTTP/
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\wrkrn.pdb
KeDelayExecutionThread
ZwOpenKey
ZwQueryValueKey
ntoskrnl.exe
WRITE_PORT_UCHAR
HAL.dll
TDI.SYS
FltCloseClientPort
FltCloseCommunicationPort
FltCreateCommunicationPort
FLTMGR.SYS
SeExports
ZwCreateKey
ZwSetValueKey
.pdata
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_amd64\amd64\wrkrn.pdb
`.data
@.reloc
WmiExecuteMethodW
NtRequestWaitReplyPort
NtConnectPort
NtAlpcConnectPort
NtAlpcSendWaitReceivePort
NtAlpcCreatePortSection
NtRequestPort
NtAlpcCreatePort
NtSecureConnectPort
NtDeleteKey
NtDeleteValueKey
NtSetValueKey
NtDelayExecution
NtCreatePort
http:\/\/
hXXps://
PSOWRX
hXXp://%.*s
Chrome_OmniboxView
Chrome_AutocompleteEditView
%s://%S
search.yahoo
WebDrawText
webkit
PSOTBX
Chrome_RenderWidgetHostHWND
MozillaContentWindowClass
MozillaWindowClass
Chrome_WidgetWin_
OperaWindowClass
<a style="position: relative; display: inline; padding: 0pt; margin: 0pt; width: auto;" target="_blank" href="hXXp://VVV.webroot.com" border="0"><img src="hXXp://anywhere.webrootcloudav.com/wsagreen.png" style="position: relative; display: inline; border: 0pt none; margin: 0pt; height: 13px; float: none; width: 22px; border="0"></a>
\x3ca\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20padding:\x200pt;\x20margin:\x200pt;\x20width:\x20auto;\x22\x20target=\x22_blank\x22\x20href=\x22hXXp://VVV.webroot.com\x22\x20border=\x220\x22\x3e\x3cimg\x20src=\x22hXXp://anywhere.webrootcloudav.com/wsagreen.png\x22\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20border:\x200pt\x20none;\x20margin:\x200pt;\x20height:\x2013px;\x20float:\x20none;\x20width:\x2022px;\x20border=\x220\x22\x3e\x3c/a\x3e
<a style="position: relative; display: inline; padding: 0pt; margin: 0pt; width: auto;" target="_blank" href="hXXp://VVV.webroot.com" border="0"><img src="hXXp://anywhere.webrootcloudav.com/wsared.png" style="position: relative; display: inline; border: 0pt none; margin: 0pt; height: 13px; float: none; width: 22px; border="0"></a>
\x3ca\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20padding:\x200pt;\x20margin:\x200pt;\x20width:\x20auto;\x22\x20target=\x22_blank\x22\x20href=\x22hXXp://VVV.webroot.com\x22\x20border=\x220\x22\x3e\x3cimg\x20src=\x22hXXp://anywhere.webrootcloudav.com/wsared.png\x22\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20border:\x200pt\x20none;\x20margin:\x200pt;\x20height:\x2013px;\x20float:\x20none;\x20width:\x2022px;\x20border=\x220\x22\x3e\x3c/a\x3e
nspr4.dll
advapi32.dll
bcrypt.dll
ws2_32.dll
sspicli.dll
secur32.dll
wininet.dll
ntdll.dll
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\wrusr.pdb
>HTTPu6
msvcrt.dll
GetProcessHeap
KERNEL32.dll
SetWindowsHookExW
SetWindowsHookExA
EnumWindows
EnumChildWindows
USER32.dll
SHELL32.dll
ole32.dll
ADVAPI32.dll
PSAPI.DLL
WS2_32.dll
URLDownloadToFileW
URLDownloadToFileA
urlmon.dll
InternetOpenUrlA
WININET.dll
OLEACC.dll
RPCRT4.dll
OLEAUT32.dll
UrlIsW
SHLWAPI.dll
Secur32.dll
GDI32.dll
MSIMG32.dll
WRUsr.dll
\\x3ca href\\x3d\\x22http
<a href="http
<a class=sla href="http
6 6$6(6,6064686<6
@.rsrc
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_amd64\amd64\wrusr.pdb
%u6HcA
tù7u HcG<
?;5URLURLURL
)|]({\(z['yZ'wY'vX&uW&tV%sU%rT
%sU%rT
GetCPInfo
CertGetCertificateContextProperty
_acmdln
_amsg_exit
GetAsyncKeyState
MapVirtualKeyExW
GetKeyboardLayout
keybd_event
UnhookWindowsHookEx
v.pL>
00000000006
20.sp
%uV7"iL
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
CRYPT32.dll
DDRAW.dll
DSOUND.dll
iphlpapi.dll
NETAPI32.dll
WINSPOOL.DRV
WINTRUST.dll
ddbl.db
dbk.db
dbj.db
dbi.db
dbh.db
dbg.db
dbf.db
dbe.db
dbd.db
dbc.db
dbb.db
dba.db
index.dat
content url
searchurl
use custom search url
scrnsave.exe
Default_Search_Url
Default_Page_Url
.cn/index
Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Software\Microsoft\Windows\CurrentVersion\Media Center\Service\Video
Software\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance
Software\Microsoft\Ole\appcompat\activationsecuritycheckexemptionlist
Software\Microsoft\Internet Explorer\UrlSearchHooks
Software\Microsoft\Internet Explorer\Extensions\CmdMapping
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers
"%ProgramFiles%\Internet Explorer\iexplore.exe"
"%ProgramFiles%\Mozilla Firefox\firefox.exe"
"%ProgramFiles%\Internet Explorer\iexplore.exe" %1
rundll32.exe url.dll,FileProtocolHandler %l
rundll32.exe url.dll,TelnetProtocolHandler %l
rundll32 %SystemRoot%\system32\shscrap.dll,OpenScrap_RunDLL %1
regedit.exe "%1"
"%ProgramFiles%\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
"%SystemRoot%\System32\msiexec.exe" /i "%1" %*
Msi.Package
%SystemRoot%\system32\mmc.exe "%1" %*
.mpeg
"%ProgramFiles%\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
"%SystemRoot%\System32\WScript.exe" "%1" %*
rundll32.exe shdocvw.dll,OpenURL %l
%SystemRoot%\system32\NOTEPAD.EXE %1
"%ProgramFiles%\Internet Explorer\iexplore.exe" -nohome
%SystemRoot%\system32\mshta.exe "%1" %*
cmdfile
"%SystemRoot%\hh.exe" %1
chm.file
ieuser.exe
crashreporter.exe
plugin-container.exe
epic.exe
waol.exe
iron.exe
safari.exe
firefox
winlogon.exe
spoolsv.exe
services.exe
audiodg.exe
svchost.exe
lsass.exe
consent.exe
dwm.exe
lsm.exe
procexp64.exe
procexp.exe
dplp2.exe
dplp.exe
watchdogx64.exe
flashcookiecleaner.exe
shredder.exe
atieclxx.exe
atiesrxx.exe
searchfilterhost.exe
werfault.exe
ravcpl64.exe
nvtray.exe
clpsla.exe
clps.exe
mtxagent.exe
googleupdate.exe
googlecrashhandler.exe
downloaderapp.exe
ccleaner.exe
ccleaner64.exe
conhost.exe
irperl.exe
fswscs.exe
bsplayer.exe
wow_helper.exe
realplay.exe
nmake.exe
cl.exe
winrar.exe
fsdomnodeie.dll
jhook.dll
yzshadow.exe
yahoomessenger.exe
wspace.exe
wlmail.exe
wdict32.exe
vmware-vmx.exe
vmware.exe
ultramon.exe
translateclient.exe
totalcmd.exe
thunderbird.exe
stpass.exe
splwow64.exe
skype.exe
sidebar.exe
sllauncher.exe
sbrender.exe
rocketdock.exe
robotaskbaricon.exe
roboform.dll
robo.exe
popupblocker.exe
pdfvista.exe
patrol.exe
packpro.exe
outlook.exe
opstm080.exe
opera.exe
notepad .exe
mvtapp.exe
msnmsgr.exe
fsocrserver.exe
jfw.exe
iexplore.exe
helppane.exe
google.exe
gamebooster.exe
firefox.exe
excel.exe
eudora.exe
eqgame.exe
dsNetworkConnect.exe
dllhost.exe
digsby.exe
communicator.exe
crazy browser.exe
ctfmon.exe
chrome.exe
bttray.exe
babylon.exe
ati2evxx.exe
aolsoftware.exe
admunch64.exe
admunch.exe
adblock.exe
acrotray.exe
acrord32.exe
acrodist.exe
acrobat.exe
verclsid.exe
wrbar.exe
WRSyncManager.exe
wrinstall.exe
snippingtool.exe
Portugu
s (Brazilian Portuguese)
Ftaskmgr.exe
csrss.exe
"%s" %s
"%s" %S
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
%s\%s
%c:\%s
%s:%i
msiexec
%drivers%
*\windows\system32\drivers\*
%fonts%
*\windows\fonts\*
%%restore%%\%s
\\?hostname?\?share?\%s
%%winsxs%%\%s
c:\windows/
windows\system32/
Webroot
WRusr.dll
\\.\%c:
Windows\System32\windbg48.sys
m0rpheus.tpl
%SystemRoot%\System32\svchost.exe
mscoree.dll
%S(%s)
tcpip
.net clr
%S(%s\%s\, %s)
%S(HKLM\Software\Classes\%s\, %s)
%S(%s\%s\)
%S(%s\Software\Classes\%s\)
%S(%s\%s\%s)
/scanfile="%s"
%s\sfc.exe
Writing MBR> New Data: [%S]
Executing Command> %s
Terminating Module Parent> %i - %s
Closing Handle> %i - PID: %i - %s
Renaming Registry Key> %s\%s to %s\%s
Deleting File> %s
Writing Registry Value> %s\%s - %s
Writing File Data> %s - [New Data: %s]
Deleting Directory> %s
Deleting Registry Value> %s\%s - %s
Deleting Registry Key> %s\%s
Fixing LSP> %S
Core Component> Un-patching file [%s] - New Size: %i bytes
Copying File> %s to %s
Terminating Process> %i - %s
Stopping Service> %s
Deleting Service> %s
Starting Routine> %s...
\\.\pipe\WRSynUM2
\\.\WRSYNAPSE
\temporary asp.net files\
\opera\temporary_downloads\
\microsoft.net\framework\
\$recycle.bin\S-
mbam.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncExcl
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncGreen
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncYellow
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncRed
CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}
CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}\InProcServer32
%s\Symantec\
%s\Common Files\Symantec Shared\
%s\Symantec.cloud\
\\.\pipe\
wmiprvse.exe
\Slow.pvx
\Slowusr.pvx
%i %s
%s %S - %i%%, %i %s)
%s - %s
hXXps://*
hXXp://*
%ProgramFiles%\Webroot\WRSA.exe
%S - %s
InstallLogo.bmp
\\?\%c:
%i %s, %i %s
%i %s,
s\\.\PhysicalDrive%i
[%C] %s
[%C] %s [MD5: %S] [Flags: X.%i]
[%C] %s [MD5: %S] [Flags: X.%i] [Threat: %S]
[%S] - CPU: %i%%, Physical Memory: %i%%, Virtual Memory: %i%%, Page File: %i%%, Processes: %i
res%i.db
-%i-%i.tmp
bcdedit.exe
autorun.inf
\services.exe
\drivers\pciide.sys
\drivers\smbe.sys
\drivers\eubkmon.sys
\drivers\acpi.sys
\drivers\wdf01000.sys
\drivers\cdrom.sys
\drivers\serial.sys
\drivers\ipsec.sys
\drivers\tcpip.sys
\drivers\afd.sys
\drivers\rdbss.sys
\drivers\mrxsmb.sys
\drivers\netbt.sys
\microsoft.net\
.crdownload
.partial
\windows\installer\
\config.msi\
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
Software\Microsoft\Windows\CurrentVersion\Uninstall
{98C3BECF-DD5F-44D2-8EF3-
rundll32.exe
http*://
hXXp://VVV.
opera
%S(%s, %.*S)
%S(%s, %s)
%S(%s, 0x%S)
Temp\%.*S-%S-%.*S.WR
\\.\pipe\WRSVCPipe
%S(%i)
desktop.ini
%s %s %s
%i (%s %s)
%s: %s
PKG\WRSyncManager.exe
PKG\files_zh_cn_qt.qm
PKG\files_zh_cn.qm
PKG\files_de_de_qt.qm
PKG\files_de_de.qm
PKG\files_es_es_qt.qm
PKG\files_es_es.qm
PKG\files_ja_jp_qt.qm
PKG\files_ja_jp.qm
PKG\files_en_us_qt.qm
PKG\files_en_us.qm
PKG\WRBar.dll
%s (%s)
*.mpeg, *.avi, *.mp4
*.mp3, *.m4a
*.jpg, *.jpeg, *.png
*.xls, *.xlsx
*.doc, *.docx
%s (%S)
%s - %S
%s\Administrator
%C:%s
A:\%s
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
WRHTTP
dst%2S.db
Chrome
Opera
Software\Mozilla\Mozilla Firefox
http\shell\open\command
Software\Classes\http\shell\open\command
&OLDLIC=%s
hXXp://products.webroot.com/disp2012/?CMD=P40IPM&LIC=%S&LANG=%S&email=%s&optin=%S&DeviceMID=%S&InstanceMID=%S
partnerno=%S&MIDHEX=%S&datelogged=%S&Lastinfected=%S&Currentbads=%i&highbads=%i&mediumbads=%i&Lowbads=%i&identifynownowvalue=%S
I%S(%s\%s\%s, %s)
%S(%s\%s\%s, %s%s%s)
%S(%s, 0)
%s\drivers\%s.sys
%s\2i
Pipe
%s\%s\%i
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
dow.lac
centro.txt
1.pac
AutoConfigUrl
hXXp://
Software\classes\clsid\{871c5380-42a0-1069-a2ea-08002b30309d}\shell\openhomepage\command
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe
ekrn.exe
"%ProgramFiles%\Mozilla Firefox\firefox.exe" -safe-mode
firefox.exe\shell\safemode\command
firefox.exe\shell\open\command
iexplore.exe\shell\open\command
\WRSYNAPSEPORT
%s\%s.lnk
%s\%s\%s.lnk
%s\%s\%s\%s.lnk
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}
{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}
{C14874EA-ACE4-4A47-8A81-18C4D1C40868}
{1914B27A-33C8-46F8-A1C2-F993268D4564}
{69D72956-317C-44bd-B369-8E44D4EF9802}
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
"%S%s" %S%S
Software\Microsoft\Windows\CurrentVersion\Run
XXX.tmp
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Uninstall\Webroot Software
\Webroot\Security\Current\Products\WISE
\Webroot\Security\Current\Products\WAV
\Webroot\Security\Current\Products\WISC
rSoftware\Web Filtering
Software\Microsoft\Windows\CurrentVersion\RunOnce
5db%i.db
System\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
%s %S %S
dbo%i-e.db
dbo%i-%I64X.db
dbm%i.db
tPKG\WRBar.exe
PKG\LPBar.dll
%s\wrSync%i.dat
%s\icon%i.ico
t%s_%i
%s %s %S - %s
%s %s %s %S - %s
%S?LANG=%S
%s\Webroot\Spy Sweeper\install.dat
Software\Webroot\Install
notepad.exe
hXXp://VVV.webroot.com
%S %S
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
%s %i:00 %s %s
*.exe
%s %i %s
WRSA.exe
%i:i %s
SystemCleaner.log
%s\SecureAnywhere Console.lnk
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
UMTX-%s
CURRENT_USER\%s
MACHINE\%s
\explorer.exe
%s\sysnative
%s\WRData
%s - [%S] %i files scanned, %i %s found in %s
si3112r.sys
atmdlc.sys
C:\$MBR.1
\??\%c:\
%S(%s\%s\%s\)
%System%\webcheck.dll
rundll32 shell32,Control_RunDLL "sysdm.cpl"
logonui.exe
userinit.exe,
%S(%s\%.*s\, %I64X)
W%S(%s\%.*s, %I64X-%I64X)
%S(%s\%.*s\)
%S(%s\%.*s\%.*s)
%S(%s\%.*s, %.*s)
%S(%I64X, %I64X)
_reg.tmp
%UserProfile%\Local Settings\Application Data
%UserProfile%
hXXp://twitter.com/*
hXXp://VVV.facebook.com/*
Generating license key... (less than two minutes remaining)
Building your SecureAnywhere web console... (less than one minute remaining)
Preparing the web console for first time use... (less than one minute remaining)
Finalizing your SecureAnywhere web console... (less than 10 seconds remaining)
SysAnalyzerLog-%S.log
%s (%i bytes)
%S(%s, %S)
%S(Removing %s...#(PX5: %S - MD5: %S))
TcpTimedWaitDelay
MaxUserPort
TcpNumConnections
ActiveProcesses.log
webdrive
\Dell Support Center\
;"%s"
WR.mof
wbem\mofcomp.exe
%S - Removing %s
%S - Removing %s - %s
%S - Removing %s - %i bytes
%s\%i.bat
WRTemp_%i_X
%s\WR%i.exe
libAllegro.dll
Lang.dat
dbq.db
5WRupdate%i.exe
%s\%S.html
%s\%S.bmp
Duration: %s
%S (Hostname: %S - Local IP: %S)
Scan Started: %S
%s/%s
%s\System\CurrentControlSet\Enum\ROOT\LEGACY_%s\0000
%s\Services\%s
Embedded Web Browser from: hXXp://bsalsa.com/
Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Software\Classes\.exe\shell
Software\Policies\Microsoft\Windows\System
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
System\CurrentControlSet\Services\Tcpip\Parameters
%S(Removing rootkits - Please wait...#)
Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SavUI.exe
SymCorpUI.exe
DoScan.EXE
SNAC.EXE
Rtvscan.exe
DefWatch.exe
ccSvcHst.exe
SmcGui.exe
Smc.exe
SemSvc.exe
dbsrv9.exe
CCApp.exe
vptray.exe
AMSadmin.exe
VPC32.exe
NMain.exe
Msiexec.exe
"%s\installTeefer.exe" -u -l2 -f "\install.log"
Microsoft.VC90.CRT.manifest
msvcr90.dll
msvcp90.dll
%s\temp
%s\checksum.exe
%s\temp\tmpremove.exe
dbp.db
Webroot\Sync
This removal tool only supports Windows XP.
PKG\WebrootShellExt.dll
\AGENTCOMMANDS.txt
Software\Classes\CLSID\%s\%s
%s\shell\open\command
%S\%s
%s\prefetch
%SYSTEMDRIVE%\RECYCLER
%SYSTEMDRIVE%
~tmp.hiv
%s\temp\WR-X.tmp
%s\Start Menu\Programs\Startup
WSATemp.exe
dbn.db
%s-%i
*.log
lwrSync.dll
PxPlugin.dll
A file was in use during the cleanup operation and could not be cleaned. A reboot is required to fully remove this file.
PKG.tmp
Software\Google\Chrome
ace%i.db
Win32.%S %s
\%s%s
NetworkEvents.log
WRLog.log
WEH-Tcp
RDP-Tcp
WRrem%i.exe
&CNTID=%S&SNUM=%S&CType=%S
&%S=%S
hXXp://%S?%S=%S%S&%S=%S&%S=%S&%S=%S&LANG=%S&VER=%i%i%i%i
%S?UPD=%S&LANG=%S
To ensure the highest quality experience with SecureAnywhere, we recommend contacting our Support and Sales team to assist with your deployment. Would you like to contact them now?
Opening your web console...
Your web console has been created and you can now easily deploy SecureAnywhere to other PCs and centrally manage configuration policies without needing any extra hardware.
Log-in to your Web Console
SecureAnywhere Endpoint Protection provides an easy to use, web-based console to manage the security of all of the devices in your organization.
By clicking Agree and Begin, you accept the terms of the Webroot software license agreement.
rtmp%d
\\.\DISPLAY
\Windows\explorer.exe
\Device\Tcp
\Device\Udp
\Device\NamedPipe
\System32\spoolsv.exe
\System32\services.exe
\System32\winlogon.exe
\System32\lsass.exe
\System32\svchost.exe
\System32\lsm.exe
\System32\csrss.exe
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
{X-X-X-XX-XXXXXX}
WRkrn.sys
(c) Webroot 2006-2012
user32.dll
shdocvw.dll
ieframe.dll
rpcrt4.dll
WINDOW: %s - %s
ShXXps://
tmpremove.exe
smc.exe
msctf.dll
browseui.dll
dwmapi.dll
uxtheme.dll
"%s" %S"%s"
hXXps://VVV.webroot.com
eSoftware\Microsoft\Windows\CurrentVersion\Internet Settings
RapportKE64
RapportKELL
wsock32.dll
%s\%s\%s\%s
wrSync4.dat
wrSync3.dat
wrSync2.dat
wrSync1.dat
Webr
WRSA.exe_352_rwx_01001000_00205000:
%s (PID: %i) - (Parent PID: %i)
Enter your password below to enter:
Enter a password to enable protection.
Protect cookies and saved website data
An attempt to take a screenshot of your computer was detected. This screenshot may contain confidential information as a protected website is currently open. Do you want to allow this screenshot to continue?
Protect against URL grabbing attacks
Port
Randomize the installed filename to bypass certain infections
Allow the process to execute other processes
Allow access to windows with a High integrity level
Allow access to windows with a Medium integrity level
Select a configuration file to import
Select a file to execute
Select where you would like to export the configuration:
Select a file to report to Webroot
Select a removal script to execute:
Show SecureAnywhere in the Windows Action Center
Show the "Authenticating Files" popup when a new file is scanned on-execution
Show SecureAnywhere in the Windows Security Center
Configuration successfully exported.
Are you sure you want to visit this website? The contents could potentially compromise your identity or infect your computer.
Uninstall Webroot
Configuration saved. Close and re-open all open web browsers to update active protection.
Use the preconfigured policies for changing configuration settings for all websites.
This keycode is valid but has expired. Would you like to renew the keycode now?
Enter a valid, complete website name to configure.
Verify the DNS/IP resolution of websites to detect Man-in-the-Middle attacks
Verify websites when visited to determine legitimacy
This website contains a known threat and has been blocked.
Contact Support
Website determination updated. Close your web browser and open the web page again or refresh the current page to continue browsing.
SecureAnywhere Scan Log (Version %S)~|Log saved at %S~|
(User time: %s - Kernel time: %s)
Cycles: %s
MD5: %S - Size: %i bytes
(PID: %i, TID: %i) %s registry entry: %s\%.*s
(PID: %i, TID: %i) %s file: %.*s
%s: PID - %i
(PID: %i, TID: %i) %s process: %i - %s
(PID: %i, TID: %i) %s named pipe: %.*s
(PID: %i, TID: %i) %s module: %.*s
(PID: %i, TID: %i) %s code: %.*s (%S)
(PID: %i, TID: %i) %s IP %.*S
(PID: %i, TID: %i) %s Sector: %I64X - Length: %I64X
(PID: %i, TID: %i) %s URL: %.*S
(PID: %i, TID: %i) %s service - %.*s - %.*s, (%i, %i)
(PID: %i, TID: %i) %s mutex: %.*s
(PID: %i, TID: %i) Logging keystrokes
(PID: %i, TID: %i) Monitoring Windows events (%i)
(PID: %i, TID: %i) %s section: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Registry Key: %.*s~|~|Value: %.*s~|Type: X~|New Data: %s~|~|Previous Data: %s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Filename: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Original Filename: %.*s~|~|New Filename: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Target Process ID: %i
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Module Name: %.*s~|Image Base: X~|Image Size: X~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Filename: %.*s~|Type: %S~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Address: %.*S~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Sector: %I64X~|Length: %I64X~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|URL: %.*S~|~|Bytes Transferred: %i
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Caption: %.*S~|Contents: %.*S~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Service Name: %.*s~|Binary Path: %.*s~|Type: %i~|Start Type: %i
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Mutex: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Windows Hook ID: %i~|Filename: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Event Hook Minimum ID: X~|Event Hook Maximum ID: X
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Section: %.*s
View the Webroot software license agreement
Webroot SecureAnywhere protects your computer from viruses, spyware, trojans, rootkits, and other malicious software.
Enter your keycode to install and activate your software.
Help me find my keycode
By clicking Agree and Install, you accept the terms of the Webroot software license agreement.
Want to learn more about Webroot?
Help and Support
About Webroot SecureAnywhere
Login Theft Protection
Protected Websites
Websites on this list receive custom security to protect any information entered.
View/Edit Protected Websites
Password Required
Web Threat Shield
3. Close any open programs or web browsers (Recommended but not essential)
Reports
You may save a scan log, which Technical Support uses for diagnostics.
View an audit log of all monitored executed code. This allows you to manage running processes and identify potential problems quickly.
Not collecting execution history events
Password:
Repeat Password:
If a Webroot researcher has instructed you to execute a Removal script, select the script to begin.
Import / Export
Block websites from creating high risk tracking information
Analyze websites for phishing threats
Enter the website address to protect (e.g. VVV.webroot.com)
Add Website
Analyze search engine results and identify malicious websites before visitation
Detect websites being redirected by the HOSTS file
Look for malware on websites before visitation
Look for exploits in website content before visitation
Website Filter
View/edit the list of blocked websites to change how they should be handled or add new websites to block.
View Websites
Website
Enter the website address to configure (e.g. VVV.webroot.com)
You received your keycode by email.
Your keycode is located on the CD sleeve.
If you have misplaced your keycode:
Contact Webroot Support at hXXp://VVV.webroot.com/support
Help me find my license keycode
You can also import your settings from another computer using this screen.
Import Settings
Export Settings
Activate a new keycode
Keycode:
Enter your new keycode into the field below and click Activate:
Enter your keycode here...
Are you sure you want to abort the current operation?
Identity && Privacy - protect yourself while browsing web sites
Enter a password that is at least six characters long for better security.
Only executable files can be overridden.
Warning: Clearing the product log will prevent Webroot technical support from assisting you accurately. Are you sure you want to clear the log?
The username or password is invalid.
I forgot my password
Downloading Password Management Components...
Installing Password Management...
Windows System
Windows Desktop
Windows Registry Streams
Windows Update Temporary folder
Windows Temporary folder
Clean Index.dat (cleaned on reboot)
URL history
Securely erase files by overwriting contents with random data using seven passes and clean free space around files.
Erase files by overwriting contents with random data using three passes.
Clean files using standard file deletion techniques, bypassing the Windows Recycle Bin.
SecureAnywhere has detected a significant infection on your computer which requires manual assistance to clean. Contact Webroot Support to help clean your computer.
Your SecureAnywhere subscription entitles you to use Backup && Sync which makes it easy to share files on your computer and protect your important files from loss. Click "Download and Install" to use this feature.
Select specific files and folders to back up to your online storage in the Cloud to protect important files from loss.
Webroot Internet Security Complete is already installed on your computer. Use the Sync & Sharing features within WISC to prevent incompatibilities.
Backup & Sync was not installed successfully. If you continue to receive this error, contact Webroot Support.
Your SecureAnywhere subscription entitles you to use Password Management that makes managing your web site logons easy and more secure. Click "Download and Install" to use this feature.
Install Password Management
Manage your personal information, websites, and passwords at your My Webroot account.
- Automatically fill in your login information for remembered websites
- Create secure, hack-resistant passwords for website logins
Password Management makes web browsing easier and more secure.
Password Management is On
Password Management was not installed successfully. If you continue to receive this error, contact Webroot Support.
Password Management
SecureAnywhere was unable to restore all files to their original locations and has copied them to a dedicated Quarantine folder located at [%s]. Would you like to view the Quarantine folder now?
The keycode is currently hidden and cannot be copied.
%-5i %S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|
%-5i ...%.*S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|
%S (%S) - %S@%S drive - %i%% Free (%i MB Total), Serial Number: X~|
%S (%S)@%S, Number of Logins: %i, %S~|
%S on %S@%i MB, %i MHz (Form Factor: %S, Manufacturer ID: %S, Serial Number: %S, Part Number: %S)~|
%S on %S@%i MB, (Form Factor: %S)~|
%S@%S drive - No media~|
%S@%S, Last Login: %s, Number of Logins: %i, %S~|
%S@%S, Service: %S, Status: X,
%S@(%S) %S, Service: %S, Status: X,$
%S@Device ID: %S, Internal Name: %S~|
%S@Never logged in~|
%S@Port: %S, Status: %i, Jobs: %i~|
%i fragments, %u bytes@%S (MFT: %i)~|
%s@Minidump: %S~|
%s@System Analysis completed in %i seconds (%s)~|
, Problem code - X,
Active Applications@%i - %i windows (%i visible)~|
Active Applications@%i windows (%i visible)~|
Active Directory@%S~|
Auto Update State@%S~|
Browser@%S %S~|
CPU@%s (%i %S)~|
Common AppData Directory@%S~|
Current Processor Speed@%dMHz~|
DHCP Server@%s~|
DNS Server@%s~|
External Clock Speed@%dMHz~|
External IP Address@%s~|
Gateway@%s~|
Graphics Card@%s - %iMB Free Video RAM, %iMB Total~|
Home Page@%S~|
Hostname@%s~|
IP Address@%s~|
IP Mask@%s~|
Internet Cache@%i KB (%s)~|
Last Update Check@%S~|
Last Update Download@%S~|
Last Update Install@%S (%i %S ago)~|
Last Update Install@%S~|
Maximum Supported RAM Size@%i MB~|
Next Scheduled Install Time@%S~|
Next Scheduled Update Check@%S~|
OS Install Date@%s~|
OS@%s (Language: %i)~|
Operating System
Phishing Filter@%S~|
Search History, URL History, and Recent Playlist
Slot %i - %S (%S)@%S - Bus Number: 0xX, Device Number: 0xX, Segment Group Number: 0xX~|
Spyware Protection@%S %S (%S)~|
Spyware Protection@%S %S (%S, %S)~|
System Access Level@%s~|
System Boot Drive Device@%S~|
System Directory@%S~|
System Family@%S~|
System GUID@x-xx-xxxx-xxxx~|
System Manufacturer@%S~|
System Product Name@%S~|
System Proxy@%S~|
System Serial Number@%S~|
System Temporary Files@%i KB (%s)~|
System Uptime@%S (Tick Count: %i)~|
System Version@%S~|
Third Party Firewall@%S %S (%S)~|
UAC Status@%S~|
Update Type@%S~|
User Account Level@%s~|
User Temporary Files@%i KB (%s)~|
Username@%S (%S) - Session ID: %i~|
Username@%S - Session ID: %i~|
Virus Protection@%S %S (%S)~|
Virus Protection@%S %S (%S, %S)~|
Windows Experience Rating
Windows Firewall@Disabled~|
Windows Firewall@Enabled and Active~|
Windows Updates
~|~|This new key must be used on all future installations of Webroot software:~|~|%.4s-%.4s-%.4s-%.4s-%.4s~|~|Thank you for upgrading!
- Internet Explorer 7.0 and higher, Mozilla Firefox 3.6 and higher; Identity Shield feature in Webroot SecureAnywhere Complete also supports Google Chrome 11 and higher, and Opera 11 and higher
All attached devices have reported to be functioning properly.
Windows Automatic Updates are disabled
Contact Support by clicking the "?" button in the upper right corner of this window.
Create an account to access your security on all your devices online from any Web browser.
Purchase Webroot SecureAnywhere now for uninterrupted protection.
Don't waste a second. Get the fastest security ever. Buy Webroot SecureAnywhere.
Enter your email address to validate your license key and activate realtime threat prevention:
Firefox
If you have other security software installed on your system, you do not need to uninstall it. Webroot SecureAnywhere software is designed to work alongside your existing security software and will automatically upgrade earlier versions of Webroot or Prevx software. If you do experience any issues, please contact our Support team.
Last Password Change: %i %s ago
Malware scanning - detect and report threats
Mozilla Firefox - Cached Files
New Webroot Keycode.txt
No password configured
Operating Systems (32 and 64bit in all Editions)
Please wait until the current operation is complete before shutting down SecureAnywhere.
Please wait until the download of Password Management is finished to download Backup & Sync.
Save Keycode and Continue
SecureAnywhere is currently managed by the Web Console and all changes need to be applied centrally. Please refer to the SecureAnywhere documentation for further information.
Settings - Currently being managed by the Web Console
System Analysis was cancelled and the report may be incomplete.
Screen resolution and bit depth support true color images.
The Windows firewall is disabled.
The credentials used to log into Backup & Sync are invalid. Please login again.
There are currently no items in the execution history log.
To learn more about Webroot's complete portfolio of security solutions, visit VVV.webroot.com.
View Full Report
Visit Webroot.com
Webroot SecureAnywhere has been successfully installed and is actively protecting your computer. You do not need to do anything further - it will continue running in the background, blocking threats if they try to enter.~|~|Accessing Webroot SecureAnywhere is quick and easy - you can locate it any time in your system tray or notification area. You may need to expand your notification area with the "Up" or "Left" arrow to see the Webroot icon.
Webroot SecureAnywhere
Webroot SecureAnywhere~|(c) 2006-2012
Webroot System Analyzer
Webroot was unable to be installed because the current user account has limited rights. Please elevate the Webroot installer or install using an administrative account.
Without this protection, your PC is vulnerable to spyware and virus attacks. Don't waste a second - get the fastest security ever. Buy Webroot SecureAnywhere.
Not all RAM can be used by your 32bit operating system.
Protection disabled. Get complete protection with Webroot SecureAnywhere.
Your account gives you anytime access to your security from any Web browser.
Your Webroot SecureAnywhere trial ends in %i days!
Your Webroot SecureAnywhere trial ends tomorrow!
Your Webroot SecureAnywhere trial is expired!
Your new keycode is shown below and is also provided in a text file on your computer's desktop. Use this new keycode for all future installations and upgrades.
Your operating system is up to date.
It is recommended to change your password every 90 days.
Your hardware is adequate for running your operating system.
VVV.geeksquad.com
SecureAnywhere could not be installed. Please contact SecureAnywhere support to assist with your installation.
SecureAnywhere is not compatible with your current operating system. Please consider upgrading your operating system to Windows XP Service Pack 2 or higher.
- Windows XP SP2, SP3
- Windows Vista SP1, SP2
- Windows 7 SP0, SP1
I would like to receive alerts, special offers, important product updates, and newsletters from Webroot.
View the Webroot Privacy Policy
Note: Although your settings will be saved locally, your PC is currently centrally managed by the Web Console and your settings may be overwritten on the next database communication.
Scan with Webroot
To receive the fastest response to a file inquiry, we recommend writing into our support inbox so that a Webroot researcher will immediately look at the submitted information. Would you like to open a support ticket now?
A cleanup license key is required to remove threats.
SecureAnywhere Identity Shield protects your sensitive information on banking, web transacting, and social networking websites while peacefully coexisting with other security software.
Welcome to Webroot
Webroot FastScan quickly assesses your PC security by detecting malicious threats using the Webroot Realtime Threat Database while peacefully coexisting with other security software.
Update now to faster, lighter, and more effective protection. Installation will take less than 10 seconds with scans typically taking less than 2 minutes. Webroot SecureAnywhere protects your computer from all types of malicious activity.
You don't need to do anything further. Webroot SecureAnywhere Identity Shield is now helping to protect you and your personal information when you bank, shop, interact, and transact online.
Aborting the current scan will prevent Webroot from detecting and cleaning all threats. Are you sure you want to abort?
SecureAnywhere has detected active threats on your computer and needs a license key to remove them.
Enable enhanced customer support
Please wait a few moments and try again. Contact Webroot Support if this error persists.
The operation failed with error code %i. %s
The command you selected did not complete successfully. Contact Webroot Support if this error persists.
Backup allows you to automatically back up and access your files securely from a web-based portal.
Web Console
SecureAnywhere is using %2.2f%% of your disk space. The average scan time is %4.1f %s.
SecureAnywhere has used %2.2f%% of your CPU since installation and %2.3f%% disk space. Average scan time is %4.1f %s.
Next scan starts in %s.
%i%% - %s files scanned. %s %s
Scan Complete - %i active %s found in %s. %s
Scan ended - %i active %s found in %s. %s
%s files scanned in %s. No threats found. %s
Scan aborted. %s files scanned in %s. %s
Last scanned %s. %s %s %s removed.
Last scanned %s. %s
Protection has been active for %s.
%s system events have been inspected since installation.
%s system events have been inspected since bootup (%s.%c %s since installation).
%i%% - Cleaned %s bytes (%i files, %i registry entries). Cleaning %s
%i%% - Cleaning %s
System Cleaner is scheduled to run in %s. So far, it has cleaned %s %s.
System Cleaner is scheduled to run in %s.
System Cleaner last cleaned %s. So far, it has cleaned %s %s.
Click here for personal support if you have any questions about SecureAnywhere
Enable Windows Explorer right click secure file erasing
SecureAnywhere Backup allows you to back up your files online so that they can be access through the secure portal in the event of hardware malfunction or system problems, or just to provide easier means for sharing files securely.
Show Windows Explorer overlay icons
Web requests were denied. Please ensure that proxy settings are correct and log in with your current user credentials.
A connection is being established with the Webroot Backup && Sync cloud infrastructure.
Backup is idle and will next archive files at %S. Files were last archived at %S.
Backup is currently idle and is configured to begin automatically archiving files at %S.
Backup allows you to automatically back up and access your files securely from the SecureAnywhere website.
Scanning for threats: %s
By clicking Agree and Begin Analysis, you accept the terms of the Webroot software license agreement.
View report summary
Operating system detected
Detecting operating system information
SecureAnywhere Backup && Sync allows you to protect your data and access it easier by synchronizing it across devices and securely backing it up to prevent data loss. Click "Login" to create your account or log into an existing account.
Please wait until the current operation is complete.
Google Chrome
TransportAddress
HTTP/
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\wrkrn.pdb
KeDelayExecutionThread
ZwOpenKey
ZwQueryValueKey
ntoskrnl.exe
WRITE_PORT_UCHAR
HAL.dll
TDI.SYS
FltCloseClientPort
FltCloseCommunicationPort
FltCreateCommunicationPort
FLTMGR.SYS
SeExports
ZwCreateKey
ZwSetValueKey
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_amd64\amd64\wrkrn.pdb
WmiExecuteMethodW
NtRequestWaitReplyPort
NtConnectPort
NtAlpcConnectPort
NtAlpcSendWaitReceivePort
NtAlpcCreatePortSection
NtRequestPort
NtAlpcCreatePort
NtSecureConnectPort
NtDeleteKey
NtDeleteValueKey
NtSetValueKey
NtDelayExecution
NtCreatePort
http:\/\/
hXXps://
PSOWRX
hXXp://%.*s
Chrome_OmniboxView
Chrome_AutocompleteEditView
%s://%S
search.yahoo
WebDrawText
webkit
PSOTBX
Chrome_RenderWidgetHostHWND
MozillaContentWindowClass
MozillaWindowClass
Chrome_WidgetWin_
OperaWindowClass
<a style="position: relative; display: inline; padding: 0pt; margin: 0pt; width: auto;" target="_blank" href="hXXp://VVV.webroot.com" border="0"><img src="hXXp://anywhere.webrootcloudav.com/wsagreen.png" style="position: relative; display: inline; border: 0pt none; margin: 0pt; height: 13px; float: none; width: 22px; border="0"></a>
<a style="position: relative; display: inline; padding: 0pt; margin: 0pt; width: auto;" target="_blank" href="hXXp://VVV.webroot.com" border="0"><img src="hXXp://anywhere.webrootcloudav.com/wsared.png" style="position: relative; display: inline; border: 0pt none; margin: 0pt; height: 13px; float: none; width: 22px; border="0"></a>
nspr4.dll
advapi32.dll
bcrypt.dll
ws2_32.dll
sspicli.dll
secur32.dll
wininet.dll
ntdll.dll
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\wrusr.pdb
msvcrt.dll
GetProcessHeap
KERNEL32.dll
SetWindowsHookExW
SetWindowsHookExA
EnumWindows
EnumChildWindows
USER32.dll
SHELL32.dll
ole32.dll
ADVAPI32.dll
PSAPI.DLL
WS2_32.dll
URLDownloadToFileW
URLDownloadToFileA
urlmon.dll
InternetOpenUrlA
WININET.dll
OLEACC.dll
RPCRT4.dll
OLEAUT32.dll
UrlIsW
SHLWAPI.dll
Secur32.dll
GDI32.dll
MSIMG32.dll
WRUsr.dll
\\x3ca href\\x3d\\x22http
<a href="http
<a class=sla href="http
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_amd64\amd64\wrusr.pdb
GetCPInfo
CertGetCertificateContextProperty
_acmdln
_amsg_exit
GetAsyncKeyState
MapVirtualKeyExW
GetKeyboardLayout
keybd_event
UnhookWindowsHookEx
ddbl.db
dbk.db
dbj.db
dbi.db
dbh.db
dbg.db
dbf.db
dbe.db
dbd.db
dbc.db
dbb.db
dba.db
index.dat
content url
searchurl
use custom search url
scrnsave.exe
Default_Search_Url
Default_Page_Url
.cn/index
Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Software\Microsoft\Windows\CurrentVersion\Media Center\Service\Video
Software\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance
Software\Microsoft\Ole\appcompat\activationsecuritycheckexemptionlist
Software\Microsoft\Internet Explorer\UrlSearchHooks
Software\Microsoft\Internet Explorer\Extensions\CmdMapping
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers
"%ProgramFiles%\Internet Explorer\iexplore.exe"
"%ProgramFiles%\Mozilla Firefox\firefox.exe"
"%ProgramFiles%\Internet Explorer\iexplore.exe" %1
rundll32.exe url.dll,FileProtocolHandler %l
rundll32.exe url.dll,TelnetProtocolHandler %l
rundll32 %SystemRoot%\system32\shscrap.dll,OpenScrap_RunDLL %1
regedit.exe "%1"
"%ProgramFiles%\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
"%SystemRoot%\System32\msiexec.exe" /i "%1" %*
Msi.Package
%SystemRoot%\system32\mmc.exe "%1" %*
.mpeg
"%ProgramFiles%\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
"%SystemRoot%\System32\WScript.exe" "%1" %*
rundll32.exe shdocvw.dll,OpenURL %l
%SystemRoot%\system32\NOTEPAD.EXE %1
"%ProgramFiles%\Internet Explorer\iexplore.exe" -nohome
%SystemRoot%\system32\mshta.exe "%1" %*
cmdfile
"%SystemRoot%\hh.exe" %1
chm.file
ieuser.exe
crashreporter.exe
plugin-container.exe
epic.exe
waol.exe
iron.exe
safari.exe
firefox
winlogon.exe
spoolsv.exe
services.exe
audiodg.exe
svchost.exe
lsass.exe
consent.exe
dwm.exe
lsm.exe
procexp64.exe
procexp.exe
dplp2.exe
dplp.exe
watchdogx64.exe
flashcookiecleaner.exe
shredder.exe
atieclxx.exe
atiesrxx.exe
searchfilterhost.exe
werfault.exe
ravcpl64.exe
nvtray.exe
clpsla.exe
clps.exe
mtxagent.exe
googleupdate.exe
googlecrashhandler.exe
downloaderapp.exe
ccleaner.exe
ccleaner64.exe
conhost.exe
irperl.exe
fswscs.exe
bsplayer.exe
wow_helper.exe
realplay.exe
nmake.exe
cl.exe
winrar.exe
fsdomnodeie.dll
jhook.dll
yzshadow.exe
yahoomessenger.exe
wspace.exe
wlmail.exe
wdict32.exe
vmware-vmx.exe
vmware.exe
ultramon.exe
translateclient.exe
totalcmd.exe
thunderbird.exe
stpass.exe
splwow64.exe
skype.exe
sidebar.exe
sllauncher.exe
sbrender.exe
rocketdock.exe
robotaskbaricon.exe
roboform.dll
robo.exe
popupblocker.exe
pdfvista.exe
patrol.exe
packpro.exe
outlook.exe
opstm080.exe
opera.exe
notepad .exe
mvtapp.exe
msnmsgr.exe
fsocrserver.exe
jfw.exe
iexplore.exe
helppane.exe
google.exe
gamebooster.exe
firefox.exe
excel.exe
eudora.exe
eqgame.exe
dsNetworkConnect.exe
dllhost.exe
digsby.exe
communicator.exe
crazy browser.exe
ctfmon.exe
chrome.exe
bttray.exe
babylon.exe
ati2evxx.exe
aolsoftware.exe
admunch64.exe
admunch.exe
adblock.exe
acrotray.exe
acrord32.exe
acrodist.exe
acrobat.exe
verclsid.exe
wrbar.exe
WRSyncManager.exe
wrinstall.exe
snippingtool.exe
Português (Brazilian Portuguese)
Ftaskmgr.exe
csrss.exe
"%s" %s
"%s" %S
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
%s\%s
%c:\%s
%s:%i
msiexec
%drivers%
*\windows\system32\drivers\*
%fonts%
*\windows\fonts\*
%%restore%%\%s
\\?hostname?\?share?\%s
%%winsxs%%\%s
c:\windows/
windows\system32/
Webroot
WRusr.dll
\\.\%c:
Windows\System32\windbg48.sys
m0rpheus.tpl
%SystemRoot%\System32\svchost.exe
mscoree.dll
%S(%s)
tcpip
.net clr
%S(%s\%s\, %s)
%S(HKLM\Software\Classes\%s\, %s)
%S(%s\%s\)
%S(%s\Software\Classes\%s\)
%S(%s\%s\%s)
/scanfile="%s"
%s\sfc.exe
Writing MBR> New Data: [%S]
Executing Command> %s
Terminating Module Parent> %i - %s
Closing Handle> %i - PID: %i - %s
WRSA.exe_2008:
Install Password Management
Manage your personal information, websites, and passwords at your My Webroot account.
- Automatically fill in your login information for remembered websites
- Create secure, hack-resistant passwords for website logins
Password Management makes web browsing easier and more secure.
Password Management is On
Password Management was not installed successfully. If you continue to receive this error, contact Webroot Support.
Password Management
SecureAnywhere was unable to restore all files to their original locations and has copied them to a dedicated Quarantine folder located at [%s]. Would you like to view the Quarantine folder now?
The keycode is currently hidden and cannot be copied.
%-5i %S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|
%-5i ...%.*S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|
%S (%S) - %S@%S drive - %i%% Free (%i MB Total), Serial Number: X~|
%S (%S)@%S, Number of Logins: %i, %S~|
%S on %S@%i MB, %i MHz (Form Factor: %S, Manufacturer ID: %S, Serial Number: %S, Part Number: %S)~|
%S on %S@%i MB, (Form Factor: %S)~|
%S@%S drive - No media~|
%S@%S, Last Login: %s, Number of Logins: %i, %S~|
%S@%S, Service: %S, Status: X,
%S@(%S) %S, Service: %S, Status: X,$
%S@Device ID: %S, Internal Name: %S~|
%S@Never logged in~|
%S@Port: %S, Status: %i, Jobs: %i~|
%i fragments, %u bytes@%S (MFT: %i)~|
%s@Minidump: %S~|
%s@System Analysis completed in %i seconds (%s)~|
, Problem code - X,
Active Applications@%i - %i windows (%i visible)~|
Active Applications@%i windows (%i visible)~|
Active Directory@%S~|
Auto Update State@%S~|
Browser@%S %S~|
CPU@%s (%i %S)~|
Common AppData Directory@%S~|
Current Processor Speed@%dMHz~|
DHCP Server@%s~|
DNS Server@%s~|
External Clock Speed@%dMHz~|
External IP Address@%s~|
Gateway@%s~|
Graphics Card@%s - %iMB Free Video RAM, %iMB Total~|
Home Page@%S~|
Hostname@%s~|
IP Address@%s~|
IP Mask@%s~|
Internet Cache@%i KB (%s)~|
Last Update Check@%S~|
Last Update Download@%S~|
Last Update Install@%S (%i %S ago)~|
Last Update Install@%S~|
Maximum Supported RAM Size@%i MB~|
Next Scheduled Install Time@%S~|
Next Scheduled Update Check@%S~|
OS Install Date@%s~|
OS@%s (Language: %i)~|
Operating System
Phishing Filter@%S~|
Search History, URL History, and Recent Playlist
Slot %i - %S (%S)@%S - Bus Number: 0xX, Device Number: 0xX, Segment Group Number: 0xX~|
Spyware Protection@%S %S (%S)~|
Spyware Protection@%S %S (%S, %S)~|
System Access Level@%s~|
System Boot Drive Device@%S~|
System Directory@%S~|
System Family@%S~|
System GUID@x-xx-xxxx-xxxx~|
System Manufacturer@%S~|
System Product Name@%S~|
System Proxy@%S~|
System Serial Number@%S~|
System Temporary Files@%i KB (%s)~|
System Uptime@%S (Tick Count: %i)~|
System Version@%S~|
Third Party Firewall@%S %S (%S)~|
UAC Status@%S~|
Update Type@%S~|
User Account Level@%s~|
User Temporary Files@%i KB (%s)~|
Username@%S (%S) - Session ID: %i~|
Username@%S - Session ID: %i~|
Virus Protection@%S %S (%S)~|
Virus Protection@%S %S (%S, %S)~|
Windows Experience Rating
Windows Firewall@Disabled~|
Windows Firewall@Enabled and Active~|
Windows Updates
~|~|This new key must be used on all future installations of Webroot software:~|~|%.4s-%.4s-%.4s-%.4s-%.4s~|~|Thank you for upgrading!
- Internet Explorer 7.0 and higher, Mozilla Firefox 3.6 and higher; Identity Shield feature in Webroot SecureAnywhere Complete also supports Google Chrome 11 and higher, and Opera 11 and higher
All attached devices have reported to be functioning properly.
Windows Automatic Updates are disabled
Contact Support by clicking the "?" button in the upper right corner of this window.
Create an account to access your security on all your devices online from any Web browser.
Purchase Webroot SecureAnywhere now for uninterrupted protection.
Don't waste a second. Get the fastest security ever. Buy Webroot SecureAnywhere.
Enter your email address to validate your license key and activate realtime threat prevention:
Firefox
If you have other security software installed on your system, you do not need to uninstall it. Webroot SecureAnywhere software is designed to work alongside your existing security software and will automatically upgrade earlier versions of Webroot or Prevx software. If you do experience any issues, please contact our Support team.
Last Password Change: %i %s ago
Malware scanning - detect and report threats
Mozilla Firefox - Cached Files
New Webroot Keycode.txt
No password configured
Operating Systems (32 and 64bit in all Editions)
Please wait until the current operation is complete before shutting down SecureAnywhere.
Please wait until the download of Password Management is finished to download Backup & Sync.
Save Keycode and Continue
SecureAnywhere is currently managed by the Web Console and all changes need to be applied centrally. Please refer to the SecureAnywhere documentation for further information.
Settings - Currently being managed by the Web Console
System Analysis was cancelled and the report may be incomplete.
Screen resolution and bit depth support true color images.
The Windows firewall is disabled.
The credentials used to log into Backup & Sync are invalid. Please login again.
There are currently no items in the execution history log.
To learn more about Webroot's complete portfolio of security solutions, visit VVV.webroot.com.
View Full Report
Visit Webroot.com
Webroot SecureAnywhere has been successfully installed and is actively protecting your computer. You do not need to do anything further - it will continue running in the background, blocking threats if they try to enter.~|~|Accessing Webroot SecureAnywhere is quick and easy - you can locate it any time in your system tray or notification area. You may need to expand your notification area with the "Up" or "Left" arrow to see the Webroot icon.
Webroot SecureAnywhere
Webroot SecureAnywhere~|(c) 2006-2012
Webroot SecureAnywhere`
Webroot System Analyzer
Webroot was unable to be installed because the current user account has limited rights. Please elevate the Webroot installer or install using an administrative account.
Without this protection, your PC is vulnerable to spyware and virus attacks. Don't waste a second - get the fastest security ever. Buy Webroot SecureAnywhere.
Not all RAM can be used by your 32bit operating system.
Protection disabled. Get complete protection with Webroot SecureAnywhere.
Your account gives you anytime access to your security from any Web browser.
Your Webroot SecureAnywhere trial ends in %i days!
Your Webroot SecureAnywhere trial ends tomorrow!
Your Webroot SecureAnywhere trial is expired!
Your new keycode is shown below and is also provided in a text file on your computer's desktop. Use this new keycode for all future installations and upgrades.
Your operating system is up to date.
It is recommended to change your password every 90 days.
Your hardware is adequate for running your operating system.
VVV.geeksquad.com
SecureAnywhere could not be installed. Please contact SecureAnywhere support to assist with your installation.
SecureAnywhere is not compatible with your current operating system. Please consider upgrading your operating system to Windows XP Service Pack 2 or higher.
- Windows XP SP2, SP3
- Windows Vista SP1, SP2
- Windows 7 SP0, SP1
I would like to receive alerts, special offers, important product updates, and newsletters from Webroot.
View the Webroot Privacy Policy
Note: Although your settings will be saved locally, your PC is currently centrally managed by the Web Console and your settings may be overwritten on the next database communication.
Scan with Webroot
To receive the fastest response to a file inquiry, we recommend writing into our support inbox so that a Webroot researcher will immediately look at the submitted information. Would you like to open a support ticket now?
A cleanup license key is required to remove threats.
SecureAnywhere Identity Shield protects your sensitive information on banking, web transacting, and social networking websites while peacefully coexisting with other security software.
Welcome to Webroot
Webroot FastScan quickly assesses your PC security by detecting malicious threats using the Webroot Realtime Threat Database while peacefully coexisting with other security software.
Update now to faster, lighter, and more effective protection. Installation will take less than 10 seconds with scans typically taking less than 2 minutes. Webroot SecureAnywhere protects your computer from all types of malicious activity.
You don't need to do anything further. Webroot SecureAnywhere Identity Shield is now helping to protect you and your personal information when you bank, shop, interact, and transact online.
Aborting the current scan will prevent Webroot from detecting and cleaning all threats. Are you sure you want to abort?
SecureAnywhere has detected active threats on your computer and needs a license key to remove them.
Enable enhanced customer support
Please wait a few moments and try again. Contact Webroot Support if this error persists.
The operation failed with error code %i. %s
The command you selected did not complete successfully. Contact Webroot Support if this error persists.
Backup allows you to automatically back up and access your files securely from a web-based portal.
Web Console
SecureAnywhere is using %2.2f%% of your disk space. The average scan time is %4.1f %s.
SecureAnywhere has used %2.2f%% of your CPU since installation and %2.3f%% disk space. Average scan time is %4.1f %s.
Next scan starts in %s.
%i%% - %s files scanned. %s %s
Scan Complete - %i active %s found in %s. %s
Scan ended - %i active %s found in %s. %s
%s files scanned in %s. No threats found. %s
Scan aborted. %s files scanned in %s. %s
Last scanned %s. %s %s %s removed.
Last scanned %s. %s
Protection has been active for %s.
%s system events have been inspected since installation.
%s system events have been inspected since bootup (%s.%c %s since installation).
%i%% - Cleaned %s bytes (%i files, %i registry entries). Cleaning %s
%i%% - Cleaning %s
System Cleaner is scheduled to run in %s. So far, it has cleaned %s %s.
System Cleaner is scheduled to run in %s.
System Cleaner last cleaned %s. So far, it has cleaned %s %s.
Click here for personal support if you have any questions about SecureAnywhere
Enable Windows Explorer right click secure file erasing
SecureAnywhere Backup allows you to back up your files online so that they can be access through the secure portal in the event of hardware malfunction or system problems, or just to provide easier means for sharing files securely.
Show Windows Explorer overlay icons
Web requests were denied. Please ensure that proxy settings are correct and log in with your current user credentials.
A connection is being established with the Webroot Backup && Sync cloud infrastructure.
Backup is idle and will next archive files at %S. Files were last archived at %S.
Backup is currently idle and is configured to begin automatically archiving files at %S.
Backup allows you to automatically back up and access your files securely from the SecureAnywhere website.
Scanning for threats: %s
By clicking Agree and Begin Analysis, you accept the terms of the Webroot software license agreement.
View report summary
Operating system detected
Detecting operating system information
SecureAnywhere Backup && Sync allows you to protect your data and access it easier by synchronizing it across devices and securely backing it up to prevent data loss. Click "Login" to create your account or log into an existing account.
Please wait until the current operation is complete.
Google Chrome
.text
h.rdata
H.data
.rsrc
B.reloc
SShhA
TransportAddress
HTTP/
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\wrkrn.pdb
KeDelayExecutionThread
ZwOpenKey
ZwQueryValueKey
ntoskrnl.exe
WRITE_PORT_UCHAR
HAL.dll
TDI.SYS
FltCloseClientPort
FltCloseCommunicationPort
FltCreateCommunicationPort
FLTMGR.SYS
SeExports
ZwCreateKey
ZwSetValueKey
585=5^5}5
"hXXp://crl.verisign.com/tss-ca.crl0
hXXp://ocsp.verisign.com0
Thawte Certification1
0hXXp://crl.verisign.com/ThawteTimestampingCA.crl0
.Class 3 Public Primary Certification Authority0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
n.aAHu
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
Webroot Inc.1>0<
Webroot Inc.0
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://crl.verisign.com/pca3-g5.crl04
.pdata
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_amd64\amd64\wrkrn.pdb
`.data
@.reloc
WmiExecuteMethodW
NtRequestWaitReplyPort
NtConnectPort
NtAlpcConnectPort
NtAlpcSendWaitReceivePort
NtAlpcCreatePortSection
NtRequestPort
NtAlpcCreatePort
NtSecureConnectPort
NtDeleteKey
NtDeleteValueKey
NtSetValueKey
NtDelayExecution
NtCreatePort
http:\/\/
hXXps://
PSOWRX
hXXp://%.*s
Chrome_OmniboxView
Chrome_AutocompleteEditView
%s://%S
search.yahoo
WebDrawText
webkit
PSOTBX
Chrome_RenderWidgetHostHWND
MozillaContentWindowClass
MozillaWindowClass
Chrome_WidgetWin_
OperaWindowClass
<a style="position: relative; display: inline; padding: 0pt; margin: 0pt; width: auto;" target="_blank" href="hXXp://VVV.webroot.com" border="0"><img src="hXXp://anywhere.webrootcloudav.com/wsagreen.png" style="position: relative; display: inline; border: 0pt none; margin: 0pt; height: 13px; float: none; width: 22px; border="0"></a>
\x3ca\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20padding:\x200pt;\x20margin:\x200pt;\x20width:\x20auto;\x22\x20target=\x22_blank\x22\x20href=\x22hXXp://VVV.webroot.com\x22\x20border=\x220\x22\x3e\x3cimg\x20src=\x22hXXp://anywhere.webrootcloudav.com/wsagreen.png\x22\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20border:\x200pt\x20none;\x20margin:\x200pt;\x20height:\x2013px;\x20float:\x20none;\x20width:\x2022px;\x20border=\x220\x22\x3e\x3c/a\x3e
<a style="position: relative; display: inline; padding: 0pt; margin: 0pt; width: auto;" target="_blank" href="hXXp://VVV.webroot.com" border="0"><img src="hXXp://anywhere.webrootcloudav.com/wsared.png" style="position: relative; display: inline; border: 0pt none; margin: 0pt; height: 13px; float: none; width: 22px; border="0"></a>
\x3ca\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20padding:\x200pt;\x20margin:\x200pt;\x20width:\x20auto;\x22\x20target=\x22_blank\x22\x20href=\x22hXXp://VVV.webroot.com\x22\x20border=\x220\x22\x3e\x3cimg\x20src=\x22hXXp://anywhere.webrootcloudav.com/wsared.png\x22\x20style=\x22position:\x20relative;\x20display:\x20inline;\x20border:\x200pt\x20none;\x20margin:\x200pt;\x20height:\x2013px;\x20float:\x20none;\x20width:\x2022px;\x20border=\x220\x22\x3e\x3c/a\x3e
nspr4.dll
advapi32.dll
bcrypt.dll
ws2_32.dll
sspicli.dll
secur32.dll
wininet.dll
ntdll.dll
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\wrusr.pdb
>HTTPu6
msvcrt.dll
GetProcessHeap
KERNEL32.dll
SetWindowsHookExW
SetWindowsHookExA
EnumWindows
EnumChildWindows
USER32.dll
SHELL32.dll
ole32.dll
ADVAPI32.dll
PSAPI.DLL
WS2_32.dll
URLDownloadToFileW
URLDownloadToFileA
urlmon.dll
InternetOpenUrlA
WININET.dll
OLEACC.dll
RPCRT4.dll
OLEAUT32.dll
UrlIsW
SHLWAPI.dll
Secur32.dll
GDI32.dll
MSIMG32.dll
WRUsr.dll
\\x3ca href\\x3d\\x22http
<a href="http
<a class=sla href="http
6 6$6(6,6064686<6
@.rsrc
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_amd64\amd64\wrusr.pdb
%u6HcA
tù7u HcG<
?;5URLURLURL
)|]({\(z['yZ'wY'vX&uW&tV%sU%rT
%sU%rT
GetCPInfo
CertGetCertificateContextProperty
_acmdln
_amsg_exit
GetAsyncKeyState
MapVirtualKeyExW
GetKeyboardLayout
keybd_event
UnhookWindowsHookEx
v.pL>
00000000006
20.sp
%uV7"iL
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
KERNEL32.DLL
CRYPT32.dll
DDRAW.dll
DSOUND.dll
iphlpapi.dll
NETAPI32.dll
WINSPOOL.DRV
WINTRUST.dll
ddbl.db
dbk.db
dbj.db
dbi.db
dbh.db
dbg.db
dbf.db
dbe.db
dbd.db
dbc.db
dbb.db
dba.db
index.dat
content url
searchurl
use custom search url
scrnsave.exe
Default_Search_Url
Default_Page_Url
.cn/index
Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Software\Microsoft\Windows\CurrentVersion\Media Center\Service\Video
Software\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance
Software\Microsoft\Ole\appcompat\activationsecuritycheckexemptionlist
Software\Microsoft\Internet Explorer\UrlSearchHooks
Software\Microsoft\Internet Explorer\Extensions\CmdMapping
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers
"%ProgramFiles%\Internet Explorer\iexplore.exe"
"%ProgramFiles%\Mozilla Firefox\firefox.exe"
"%ProgramFiles%\Internet Explorer\iexplore.exe" %1
rundll32.exe url.dll,FileProtocolHandler %l
rundll32.exe url.dll,TelnetProtocolHandler %l
rundll32 %SystemRoot%\system32\shscrap.dll,OpenScrap_RunDLL %1
regedit.exe "%1"
"%ProgramFiles%\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "%L"
"%SystemRoot%\System32\msiexec.exe" /i "%1" %*
Msi.Package
%SystemRoot%\system32\mmc.exe "%1" %*
.mpeg
"%ProgramFiles%\Windows Media Player\wmplayer.exe" /prefetch:9 /Open "%L"
"%SystemRoot%\System32\WScript.exe" "%1" %*
rundll32.exe shdocvw.dll,OpenURL %l
%SystemRoot%\system32\NOTEPAD.EXE %1
"%ProgramFiles%\Internet Explorer\iexplore.exe" -nohome
%SystemRoot%\system32\mshta.exe "%1" %*
cmdfile
"%SystemRoot%\hh.exe" %1
chm.file
ieuser.exe
crashreporter.exe
plugin-container.exe
epic.exe
waol.exe
iron.exe
safari.exe
firefox
winlogon.exe
spoolsv.exe
services.exe
audiodg.exe
svchost.exe
lsass.exe
consent.exe
dwm.exe
lsm.exe
procexp64.exe
procexp.exe
dplp2.exe
dplp.exe
watchdogx64.exe
flashcookiecleaner.exe
shredder.exe
atieclxx.exe
atiesrxx.exe
searchfilterhost.exe
werfault.exe
ravcpl64.exe
nvtray.exe
clpsla.exe
clps.exe
mtxagent.exe
googleupdate.exe
googlecrashhandler.exe
downloaderapp.exe
ccleaner.exe
ccleaner64.exe
conhost.exe
irperl.exe
fswscs.exe
bsplayer.exe
wow_helper.exe
realplay.exe
nmake.exe
cl.exe
winrar.exe
fsdomnodeie.dll
jhook.dll
yzshadow.exe
yahoomessenger.exe
wspace.exe
wlmail.exe
wdict32.exe
vmware-vmx.exe
vmware.exe
ultramon.exe
translateclient.exe
totalcmd.exe
thunderbird.exe
stpass.exe
splwow64.exe
skype.exe
sidebar.exe
sllauncher.exe
sbrender.exe
rocketdock.exe
robotaskbaricon.exe
roboform.dll
robo.exe
popupblocker.exe
pdfvista.exe
patrol.exe
packpro.exe
outlook.exe
opstm080.exe
opera.exe
notepad .exe
mvtapp.exe
msnmsgr.exe
fsocrserver.exe
jfw.exe
iexplore.exe
helppane.exe
google.exe
gamebooster.exe
firefox.exe
excel.exe
eudora.exe
eqgame.exe
dsNetworkConnect.exe
dllhost.exe
digsby.exe
communicator.exe
crazy browser.exe
ctfmon.exe
chrome.exe
bttray.exe
babylon.exe
ati2evxx.exe
aolsoftware.exe
admunch64.exe
admunch.exe
adblock.exe
acrotray.exe
acrord32.exe
acrodist.exe
acrobat.exe
verclsid.exe
wrbar.exe
WRSyncManager.exe
wrinstall.exe
snippingtool.exe
Portugu
s (Brazilian Portuguese)
Ftaskmgr.exe
csrss.exe
"%s" %s
"%s" %S
HKEY_USERS
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
%s\%s
%c:\%s
%s:%i
msiexec
%drivers%
*\windows\system32\drivers\*
%fonts%
*\windows\fonts\*
%%restore%%\%s
\\?hostname?\?share?\%s
%%winsxs%%\%s
c:\windows/
windows\system32/
Webroot
WRusr.dll
\\.\%c:
Windows\System32\windbg48.sys
m0rpheus.tpl
%SystemRoot%\System32\svchost.exe
mscoree.dll
%S(%s)
tcpip
.net clr
%S(%s\%s\, %s)
%S(HKLM\Software\Classes\%s\, %s)
%S(%s\%s\)
%S(%s\Software\Classes\%s\)
%S(%s\%s\%s)
/scanfile="%s"
%s\sfc.exe
Writing MBR> New Data: [%S]
Executing Command> %s
Terminating Module Parent> %i - %s
Closing Handle> %i - PID: %i - %s
Renaming Registry Key> %s\%s to %s\%s
Deleting File> %s
Writing Registry Value> %s\%s - %s
Writing File Data> %s - [New Data: %s]
Deleting Directory> %s
Deleting Registry Value> %s\%s - %s
Deleting Registry Key> %s\%s
Fixing LSP> %S
Core Component> Un-patching file [%s] - New Size: %i bytes
Copying File> %s to %s
Terminating Process> %i - %s
Stopping Service> %s
Deleting Service> %s
Starting Routine> %s...
\\.\pipe\WRSynUM2
\\.\WRSYNAPSE
\temporary asp.net files\
\opera\temporary_downloads\
\microsoft.net\framework\
\$recycle.bin\S-
mbam.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncExcl
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncGreen
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncYellow
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\_WrSyncRed
CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}
CLSID\{69D72956-317C-44bd-B369-8E44D4EF9802}\InProcServer32
%s\Symantec\
%s\Common Files\Symantec Shared\
%s\Symantec.cloud\
\\.\pipe\
wmiprvse.exe
\Slow.pvx
\Slowusr.pvx
%i %s
%s %S - %i%%, %i %s)
%s - %s
hXXps://*
hXXp://*
%ProgramFiles%\Webroot\WRSA.exe
%S - %s
InstallLogo.bmp
\\?\%c:
%i %s, %i %s
%i %s,
s\\.\PhysicalDrive%i
[%C] %s
[%C] %s [MD5: %S] [Flags: X.%i]
[%C] %s [MD5: %S] [Flags: X.%i] [Threat: %S]
[%S] - CPU: %i%%, Physical Memory: %i%%, Virtual Memory: %i%%, Page File: %i%%, Processes: %i
res%i.db
-%i-%i.tmp
bcdedit.exe
autorun.inf
\services.exe
\drivers\pciide.sys
\drivers\smbe.sys
\drivers\eubkmon.sys
\drivers\acpi.sys
\drivers\wdf01000.sys
\drivers\cdrom.sys
\drivers\serial.sys
\drivers\ipsec.sys
\drivers\tcpip.sys
\drivers\afd.sys
\drivers\rdbss.sys
\drivers\mrxsmb.sys
\drivers\netbt.sys
\microsoft.net\
.crdownload
.partial
\windows\installer\
\config.msi\
Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
Software\Microsoft\Windows\CurrentVersion\Uninstall
{98C3BECF-DD5F-44D2-8EF3-
rundll32.exe
http*://
hXXp://VVV.
opera
%S(%s, %.*S)
%S(%s, %s)
%S(%s, 0x%S)
Temp\%.*S-%S-%.*S.WR
\\.\pipe\WRSVCPipe
%S(%i)
desktop.ini
%s %s %s
%i (%s %s)
%s: %s
PKG\WRSyncManager.exe
PKG\files_zh_cn_qt.qm
PKG\files_zh_cn.qm
PKG\files_de_de_qt.qm
PKG\files_de_de.qm
PKG\files_es_es_qt.qm
PKG\files_es_es.qm
PKG\files_ja_jp_qt.qm
PKG\files_ja_jp.qm
PKG\files_en_us_qt.qm
PKG\files_en_us.qm
PKG\WRBar.dll
%s (%s)
*.mpeg, *.avi, *.mp4
*.mp3, *.m4a
*.jpg, *.jpeg, *.png
*.xls, *.xlsx
*.doc, *.docx
%s (%S)
%s - %S
%s\Administrator
%C:%s
A:\%s
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
WRHTTP
dst%2S.db
Chrome
Opera
Software\Mozilla\Mozilla Firefox
http\shell\open\command
Software\Classes\http\shell\open\command
&OLDLIC=%s
hXXp://products.webroot.com/disp2012/?CMD=P40IPM&LIC=%S&LANG=%S&email=%s&optin=%S&DeviceMID=%S&InstanceMID=%S
partnerno=%S&MIDHEX=%S&datelogged=%S&Lastinfected=%S&Currentbads=%i&highbads=%i&mediumbads=%i&Lowbads=%i&identifynownowvalue=%S
I%S(%s\%s\%s, %s)
%S(%s\%s\%s, %s%s%s)
%S(%s, 0)
%s\drivers\%s.sys
%s\2i
Pipe
%s\%s\%i
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
dow.lac
centro.txt
1.pac
AutoConfigUrl
hXXp://
Software\classes\clsid\{871c5380-42a0-1069-a2ea-08002b30309d}\shell\openhomepage\command
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe
ekrn.exe
"%ProgramFiles%\Mozilla Firefox\firefox.exe" -safe-mode
firefox.exe\shell\safemode\command
firefox.exe\shell\open\command
iexplore.exe\shell\open\command
\WRSYNAPSEPORT
%s\%s.lnk
%s\%s\%s.lnk
%s\%s\%s\%s.lnk
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs
{8D7FC74C-E409-42DF-8EEE-69D45FAE2F30}
{6DA1ED92-315E-4D0B-B354-9D5F519DBA95}
{C14874EA-ACE4-4A47-8A81-18C4D1C40868}
{1914B27A-33C8-46F8-A1C2-F993268D4564}
{69D72956-317C-44bd-B369-8E44D4EF9802}
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData
"%S%s" %S%S
Software\Microsoft\Windows\CurrentVersion\Run
XXX.tmp
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion\Uninstall\Webroot Software
\Webroot\Security\Current\Products\WISE
\Webroot\Security\Current\Products\WAV
\Webroot\Security\Current\Products\WISC
rSoftware\Web Filtering
Software\Microsoft\Windows\CurrentVersion\RunOnce
5db%i.db
System\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes
%s %S %S
dbo%i-e.db
dbo%i-%I64X.db
dbm%i.db
tPKG\WRBar.exe
PKG\LPBar.dll
%s\wrSync%i.dat
%s\icon%i.ico
t%s_%i
%s %s %S - %s
%s %s %s %S - %s
%S?LANG=%S
%s\Webroot\Spy Sweeper\install.dat
Software\Webroot\Install
notepad.exe
hXXp://VVV.webroot.com
%S %S
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
%s %i:00 %s %s
*.exe
%s %i %s
WRSA.exe
%i:i %s
SystemCleaner.log
%s\SecureAnywhere Console.lnk
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Download
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Detect
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
UMTX-%s
CURRENT_USER\%s
MACHINE\%s
\explorer.exe
%s\sysnative
%s\WRData
%s - [%S] %i files scanned, %i %s found in %s
si3112r.sys
atmdlc.sys
C:\$MBR.1
\??\%c:\
%S(%s\%s\%s\)
%System%\webcheck.dll
rundll32 shell32,Control_RunDLL "sysdm.cpl"
logonui.exe
userinit.exe,
%S(%s\%.*s\, %I64X)
W%S(%s\%.*s, %I64X-%I64X)
%S(%s\%.*s\)
%S(%s\%.*s\%.*s)
%S(%s\%.*s, %.*s)
%S(%I64X, %I64X)
_reg.tmp
%UserProfile%\Local Settings\Application Data
%UserProfile%
hXXp://twitter.com/*
hXXp://VVV.facebook.com/*
Generating license key... (less than two minutes remaining)
Building your SecureAnywhere web console... (less than one minute remaining)
Preparing the web console for first time use... (less than one minute remaining)
Finalizing your SecureAnywhere web console... (less than 10 seconds remaining)
SysAnalyzerLog-%S.log
%s (%i bytes)
%S(%s, %S)
%S(Removing %s...#(PX5: %S - MD5: %S))
TcpTimedWaitDelay
MaxUserPort
TcpNumConnections
ActiveProcesses.log
webdrive
\Dell Support Center\
;"%s"
WR.mof
wbem\mofcomp.exe
%S - Removing %s
%S - Removing %s - %s
%S - Removing %s - %i bytes
%s\%i.bat
WRTemp_%i_X
%s\WR%i.exe
libAllegro.dll
Lang.dat
dbq.db
5WRupdate%i.exe
%s\%S.html
%s\%S.bmp
Duration: %s
%S (Hostname: %S - Local IP: %S)
Scan Started: %S
%s/%s
%s\System\CurrentControlSet\Enum\ROOT\LEGACY_%s\0000
%s\Services\%s
Embedded Web Browser from: hXXp://bsalsa.com/
Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Software\Classes\.exe\shell
Software\Policies\Microsoft\Windows\System
Software\Microsoft\Windows\CurrentVersion\Policies\Associations
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
System\CurrentControlSet\Services\Tcpip\Parameters
%S(Removing rootkits - Please wait...#)
Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
SavUI.exe
SymCorpUI.exe
DoScan.EXE
SNAC.EXE
Rtvscan.exe
DefWatch.exe
ccSvcHst.exe
SmcGui.exe
Smc.exe
SemSvc.exe
dbsrv9.exe
CCApp.exe
vptray.exe
AMSadmin.exe
VPC32.exe
NMain.exe
Msiexec.exe
"%s\installTeefer.exe" -u -l2 -f "\install.log"
Microsoft.VC90.CRT.manifest
msvcr90.dll
msvcp90.dll
%s\temp
%s\checksum.exe
%s\temp\tmpremove.exe
dbp.db
Webroot\Sync
This removal tool only supports Windows XP.
PKG\WebrootShellExt.dll
\AGENTCOMMANDS.txt
Software\Classes\CLSID\%s\%s
%s\shell\open\command
%S\%s
%s\prefetch
%SYSTEMDRIVE%\RECYCLER
%SYSTEMDRIVE%
~tmp.hiv
%s\temp\WR-X.tmp
%s\Start Menu\Programs\Startup
WSATemp.exe
dbn.db
%s-%i
*.log
lwrSync.dll
PxPlugin.dll
A file was in use during the cleanup operation and could not be cleaned. A reboot is required to fully remove this file.
PKG.tmp
Software\Google\Chrome
ace%i.db
Win32.%S %s
\%s%s
NetworkEvents.log
WRLog.log
WEH-Tcp
RDP-Tcp
WRrem%i.exe
&CNTID=%S&SNUM=%S&CType=%S
&%S=%S
hXXp://%S?%S=%S%S&%S=%S&%S=%S&%S=%S&LANG=%S&VER=%i%i%i%i
%S?UPD=%S&LANG=%S
To ensure the highest quality experience with SecureAnywhere, we recommend contacting our Support and Sales team to assist with your deployment. Would you like to contact them now?
Opening your web console...
Your web console has been created and you can now easily deploy SecureAnywhere to other PCs and centrally manage configuration policies without needing any extra hardware.
Log-in to your Web Console
SecureAnywhere Endpoint Protection provides an easy to use, web-based console to manage the security of all of the devices in your organization.
By clicking Agree and Begin, you accept the terms of the Webroot software license agreement.
rtmp%d
\\.\DISPLAY
\Windows\explorer.exe
\Device\Tcp
\Device\Udp
\Device\NamedPipe
\System32\spoolsv.exe
\System32\services.exe
\System32\winlogon.exe
\System32\lsass.exe
\System32\svchost.exe
\System32\lsm.exe
\System32\csrss.exe
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\*
{X-X-X-XX-XXXXXX}
WRkrn.sys
(c) Webroot 2006-2012
user32.dll
shdocvw.dll
ieframe.dll
rpcrt4.dll
WINDOW: %s - %s
ShXXps://
tmpremove.exe
smc.exe
msctf.dll
browseui.dll
dwmapi.dll
uxtheme.dll
"%s" %S"%s"
hXXps://VVV.webroot.com
eSoftware\Microsoft\Windows\CurrentVersion\Internet Settings
RapportKE64
RapportKELL
wsock32.dll
%s\%s\%s\%s
wrSync4.dat
wrSync3.dat
wrSync2.dat
wrSync1.dat
Webr
WRSA.exe_2008_rwx_01001000_00205000:
SUPPORTHOME
WEBROOTHOME
SUPPORT
/exeshowaddremove
-proxyport=
-proxypass=
-key=
/key=
DlExec
TempKeycode
ChangeKeyCode
virusscan.jotti.org
VVV.virustotal.com
sophos.com
grisoft.com
pandasoftware.com
trendmicro.com
virustotal.com
f-secure.com
kaspersky.com
mcafee.com
webroot.com symantec.com
webrootanywhere.com
webrootcloudav.com
prevxinfo.com
prevx.com
hXXp://VVV.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
hXXp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
hXXp://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
hXXp://VVV.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
scrnsave.scr
res://ieframe.dll/securityatrisk.htm
res://ieframe.dll/repost.htm
res://ieframe.dll/offcancl.htm
res://ieframe.dll/noaddoninfo.htm
res://ieframe.dll/noaddon.htm
res://ieframe.dll/inprivate.htm
res://ieframe.dll/navcancl.htm
res://mshtml.dll/blank.htm
C:\Windows\system32\blank.htm
hXXp://go.microsoft.com/fwlink/?LinkId=54896
hXXp://go.microsoft.com/fwlink/?LinkId=69157
BURLT
Software\Microsoft\Windows\CurrentVersion\App Paths
Terminal Server Client\TransportExtensions
Ole\AppCompat\ActivationSecurityCheckExemptionList
.html
UrlSearchHooks
Extensions\CmdMapping
Keyboard Layouts
Userinstallable.drivers
LoginScript
rdpwd\Tds\tcp
Cmdline
SetupExecute
Image File Execution Options
wowcmdline
cmdline
Windows
SCRNSAVE.EXE
KeyFileName
Explorer\ShellExecuteHooks
PendingFileRenameOperations
FileRenameOperations
BootExecute
Software\Policies\Microsoft\Windows\System\Scripts
AppCertDlls
DefaultPassword
Software\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
$$^^URL
ProxyPort
ProxyPassword
UninstallKey
websec
UPDATEURL
ERRURL
URLSTR
URLFILEUPLOAD
URLINBOUND
URLSLAP
hXXp://webcache.google
hXXp://developers.facebook.com
hXXp://static.ak.fbcdn.net
hXXp://VVV.facebook.com
video.ak.fbcdn.net
VVV.facebook.com
driver.cab
sp1.cab
sp2.cab
sp3.cab
A suspicious file was detected: %S - %s - X
Applied unique machine ID: X
In-memory infection identified: %S
Configuration Saved: %s
Removed invalid LSP chain entry: %S
Connected to %s
Monitoring process %S [%s]. Type: %i (%i)
End passive write scan (%i file(s))
Begin passive write scan (%i file(s))
Saved the product log to %S
Rule Overridden: MD5: %s, Size: %i bytes, ID: X, Result: %i
Website determination changed: %S [Level: X] [Type: X]
>>> Service started [%s]
SLevel updated to %s
Applied license key: %s
Executed cleanup script: %S
Submitted file at user request: %S
Updating from %S
Scan Results: Files Scanned: %i, Duration: %S, Malicious Files: %i
Scan Started: %S [ID: %i - Flags: %i/%i]
Configuration imported from %S
Configuration exported to %S
Cleanup tool %i executed
Determination flags modified: %S - MD5: %s, Size: %i bytes, Flags: X
Blocked process from accessing protected data: %S [Type: %i]
Closed network connection: [X.%i - X.%i]
Blocked process from connecting to the Internet: %S [MD5: %s]
Infection found in realtime: %S [MD5: %s, Size: %i bytes] [%i/X] [%s]
File blocked in realtime: %S [MD5: %s, Size: %i bytes] [%i/X] [%s]
Blocked website: %s
Rolled back infection: %S
Infection detected: %S [MD5: %s] [%i/X] [%s]
Installation successfully completed (%s/%s)
GetWindowsDirectoryA
ConnectNamedPipe
CreateNamedPipeW
DisconnectNamedPipe
CallNamedPipeW
GetWindowsDirectoryW
GetNamedPipeClientProcessId
CreateIoCompletionPort
%m/%d %I:%M %p
%d/%m %I:%M %p
127.0.0.1
_CorExeMain
1.3.6.1.5.5.7.3.3
g%i.p4.webrootcloudav.com/arm.asp
000000000000000
Win32.Override.1
Win32.LocalInfect.3
Win32.LocalInfect.1
Win32.AutoBlock.1
Win32.UserAdded
Win32.RuleBlock.1
Win32.Untrusted.1
Caution.Rootkit
Community.OuterEdge
Community.Heuristic
Win32.LocalADS
Win32.LocalInfect.0
Win32.LocalInfect.2
ScanSeq:%i,ScanType:%s,VM:%c,L:%s,MM=Y,LSysC:%I64X,TSysC:%I64X,
ScanSeq:%i,ScanType:%s,VM:%c,L:%s,LSysC:%I64X,TSysC:%I64X,
%commonfiles%
%cache%
%cookies%
%favorites%
%documents%
%start%
%startup%
%desktop%
VVV.google.com
if exist "%s" goto d
Nspr4Hook::hookerPrOpenTcpSocket
if exist "%s"
VVV.bing.com
ru.brans.pl
proxim.ircgalaxy.pl
irc.zief.pl
core.ircgalaxy.pl
kernel32.dll
SLAPKEY
%s/arm.asp
%s/aot.asp
184.72.40.115
174.129.33.10
79.125.105.211
Content-Type: application/x-www-form-urlencoded
HTTP/1.1
arm.asp
%Y-%m-%d %H:%M:%S.000
serverexecutable
%s\wininit.ini
1%iX%s^%s
DEX%s^
C0X%s^
C1X%s^%s
C2X%s^
(%i %s)
Removing all components... %c
.pvxdtr
https
PACKED_EXE,
[Ovr=X*Age=%i*Pop=%i*Dir=%i*Adv=%i*],
00000000000000000000
00000000
0000000000000000
00000000000000
URLBlob
Start: X. End: X. Seq: X. DB: X. Install: X. Command: %s. Parameters: %s
reg %s /f
%x %x
1.2.3
%m-%d
hXXp://
%2sX
%2ss
JOBHTTP
$$$01$$$
%S,%s,
WSASME.EXE
operating systems
%C:\boot.ini
%s\%S
"%S\%s",SynProc %i
XXX
v8.0.1.233
@.dll
%S\%s.dll
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
FilterConnectCommunicationPort
RegSaveKeyExW
RegRestoreKeyW
RegSaveKeyW
RegCloseKey
RegFlushKey
RegOpenKeyExW
RegOpenKeyExA
RegSetKeySecurity
RegCreateKeyExW
RegDeleteKeyExW
RegDeleteKeyW
RegEnumKeyExA
RegEnumKeyExW
RegQueryInfoKeyW
CertOpenStore
CertCloseStore
CryptMsgClose
CertFindCertificateInStore
CryptMsgGetParam
CertFreeCertificateContext
CertGetNameStringW
MsgWaitForMultipleObjectsEx
ExitWindowsEx
ShellExecuteW
ShellExecuteExW
WinHttpConnect
WinHttpSetTimeouts
WinHttpSetOption
WinHttpAddRequestHeaders
WinHttpSetCredentials
WinHttpQueryDataAvailable
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpSendRequest
WinHttpOpen
WinHttpOpenRequest
WinHttpReadData
WinHttpCloseHandle
winhttp
CryptCATCatalogInfoFromContext
msvcrt
OS=%i%i^OSLang=%i^OSFull=%s^AVV=%s^AVS=%s^AVA=%s^AVU=%s^IB=%S^IBV=%S^FWE=%s^
%u%u%u
PX%sMID3%sSRC
MACX%s
(Build %d)
%s (Build %d)
Server 2008 WebServer
Server 2003 Web Edition
Windows Version Unknown
Windows %s %s
Windows %s %s %s
-X
HTTP/1.1 500
Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\%s
{C27CCE38-8596-11D1-B16A-00C0F0283688}
{C1A8AF25-1257-101B-8FB0-0020AF039CA8}
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%i
20323:TCP
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
14671:UDP
c:\windows\explorer.exe
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
System\CurrentControlSet\Services\SharedAccess\FirewallPolicy\PublicProfile\GloballyOpenPorts
System\CurrentControlSet\Services\SharedAccess\FirewallPolicy\StandardProfile\GloballyOpenPorts
System\CurrentControlSet\Services\SharedAccess\FirewallPolicy\DomainProfile\GloballyOpenPorts
Software\Microsoft\Windows\CurrentVersion\Uninstall\WRUNINST
Software\Microsoft\Windows\CurrentVersion\Uninstall\{5AE68DC3-F16E-457D-947A-092D614C7ABD}_is1
Software\Microsoft\Windows\CurrentVersion\Uninstall\{B4B5AD48-8D34-41D3-BD8A-8A10BD9BDED3}_is1
Software\Microsoft\Windows\CurrentVersion\Uninstall\{76F8CB2B-6516-4E1E-B6F1-AED4ABDB4B0A}_is1
Software\Microsoft\Windows\CurrentVersion\Uninstall\{22E9CF2B-4063-4dab-A251-93FA46F7DECC}_is1
Software\Microsoft\Windows\CurrentVersion\Uninstall\{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\86AEEA3A39CAF6F4D8D287BB7F4E228B
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SEP
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sevinst
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F4A73EC6-EFC4-488D-AF1A-F2C3CD1BC072}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A3AEEA68-AC93-4F6F-8D2D-78BBF7E422B8}
255.255.255.255
$$$04$$$
$$$03$$$
$$$02$$$
AntiVirusProduct.instanceGuid="{D486329C-1488-4CEB-9CC8-D662B732D904}"
-ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --siluninstall -name=webroot --nostartmenu --noaddremove -noshut
-ffuuid {8ac62a8b-8b3f-43ba-9b1a-90c299b9dfda} --userinstallie --userinstallff -name=webroot --nostartmenu --noaddremove --installforallusers -j "%S\pkg" --disablenotes --disableidentities --disablevault --disablecontext --lpbarpath="%S\PKG\WRBar.dll" --lpbarpath64="%S\PKG\WRBar64.dll" -noshut
WRCLOUDALPHA.EXE
%s %s
sShortDate
%a %Y-%m-%d %H:%M
%a %d-%m-%Y %H:%M
%a %Y-%m-%d %H:%M:%S
%a %d-%m-%Y %H:%M:%S
%s%I64XXXX
XXXXXXXXX%I64X
UpdateURL
Software\Classes\winbio.winbiotools
Software\Classes\Typelib\{130e4dce-ffac-15e3-5893-74950afeea4c}
Software\Classes\Typelib\{86727a1a-8140-4cfa-abfa-1620398fcec5}
Software\Classes\Clsid\{86727a1a-8140-4cfa-abfa-1620398fcec5}
Software\Classes\Interface\{86727a1a-8140-4cfa-abfa-1620398fcec5}
Software\Classes\Typelib\{8a4f328c-c9f4-4449-a0df-a756a6b52abf}
Software\Classes\bho.fffplayer.1
Software\Classes\bho.fffplayer
Software\Microsoft\Active Setup\Installed Components\{b00589a8-44cb-ba97-5de2-7c733bbee8ed}
%s.i
Win32.MalComponent
Win32.Corrupted
Software\Microsoft\Windows\CurrentVersion\Policies
credssp.dll
Software\Microsoft\Windows\CurrentVersion\Policies\System
msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
%SystemRoot%\System32\svchost.exe -k netsvcs
%SystemRoot%\System32\qmgr.dll
System\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider
%SystemRoot%\system32\ntmarta.dll
%SystemRoot%\system32\notepad.exe %1
Software\Classes\Applications\notepad.exe\shell\open\command
System\CurrentControlSet\Control\Session Manager\AppCertDlls
Software\Microsoft\PCHealth\ErrorReporting
DoReport
Software\Microsoft\Windows\CurrentVersion\Internet Settings
WarnOnBadCertRecving
Software\Microsoft\Windows NT\CurrentVersion\SystemRestore
Software\Policies\Microsoft\Windows NT\SystemRestore
%SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
%SystemRoot%\system32\ntvdm.exe
Software\Microsoft\Windows NT\CurrentVersion\Windows
comm.drv commdlg.dll ctl3dv2.dll ddeml.dll keyboard.drv lanman.drv mmsystem.dll mouse.drv netapi.dll olecli.dll olesvr.dll pmspl.dll shell.dll sound.drv system.drv toolhelp.dll vga.drv wfwnet.drv win87em.dll winoldap.mod winsock.dll winspool.exe wowdeb.exe timer.drv rasapi16.dll compobj.dll storage.dll ole2.dll ole2disp.dll ole2nls.dll typelib.dll msvideo.dll avifile.dll msacm.dll mciavi.drv mciseq.drv mciwave.drv progman.exe avicap.dll mapi.dll
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
explorer.exe
Software\Classes\.exe\shell\open\command
Software\Classes\exefile\shell\open\command
Software\Classes\.exe
dontreportinfectioninformation
Windows\WindowsUpdate
Windows\WindowsUpdate\AU\NoAutoUpdate
DisableCMD
NoWindowsUpdate
%windir%\system32\choice.exe /T 1 /N /D N /M Uninstalling...
#pragma namespace("\\\\.\\root\\SecurityCenter")
[Description("Webroot SecureAnywhere Security Center Integration"),Override("HostingModel")]
Name="AVClientInt.AVClientIntProvider";
ClsId="{D486329C-1488-4CEB-9CC8-D662B732D904}";
SupportsPut="FALSE";
SupportsGet="TRUE";
SupportsDelete="FALSE";
SupportsEnumeration="TRUE";
instanceGuid="{D486329C-1488-4CEB-9CC8-D662B732D904}";
companyName="Webroot";
displayName="Webroot SecureAnywhere";
Microsoft\Office\%s\%s\%s\
http://
<html><body><img src="%s.bmp"></body></html>
WSA_SA_Report-%s
%a_%Y-%m-%d_%H-%M-%S
g1.p4.webrootcloudav.com/arm.asp
symsecureport
SQLANYs_sem5
semwebsrv
Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\
memory.dmp
Microsoft\Windows NT\CurrentVersion\Winlogon\altdefaultusername
Microsoft\Windows NT\CurrentVersion\Winlogon\defaultusername
Microsoft\Windows\CurrentVersion\Explorer\Streams\
Microsoft\Windows\CurrentVersion\Explorer\DesktopStreamMRU\
Microsoft\Windows\CurrentVersion\Explorer\StreamMRU\
msdownload.tmp\
Microsoft\Windows\Cookies\index.dat
Microsoft\Windows\Temporary Internet Files\index.dat
Cookies\index.dat
Local Settings\Temporary Internet Files\Content.IE5\index.dat
Microsoft\Windows\IEDownloadHistory\index.dat
Logs\IE9_NR_Setup.log
IE9_Main.log
IE9.log
IE8_Main.log
IE8.log
IE7_Main.log
IE7.log
IE Setup Log.txt
Microsoft\Windows\History\
Local Settings\Temporary Internet Files\Content.IE5\
Microsoft\Windows\Temporary Internet Files\
Microsoft\Windows\Cookies\
Microsoft\Internet Explorer\TypedUrls\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\
Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery\
Microsoft\Internet Explorer\ExplorerBars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU\
Microsoft\InternetExplorer\ExplorerBars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Find\
Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU\
Microsoft\Windows\CurrentVersion\Explorer\RunMRU\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\
Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\&Documents\Menu\
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Documents\
Microsoft\Windows\Recent\
$Recycle.bin\
Google\Chrome\User Data\Default\Cache\
Mozilla\Firefox\Profiles\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install
P4REPORT
%S\Driver Cache\i386
%s,%i%i
8.0.1.233
%s %s%s
%i-%i-%i-X-X.tmp
%s %s%S %s
Microsoft\Windows NT\CurrentVersion
\REGISTRY\User\%S
Microsoft\Windows\CurrentVersion
IG=%s,
hXXp://anywhere.webrootcloudav.com/zerol/pkgwiscaway.exe
detail.webrootanywhere.com/p4inbound.asp
hXXp://VVV.webrootanywhere.com/betaeula.asp
*X
%.*s(%d)%s
=%%
d:\tasks\code\tasks\factory\sourcenow\binary\objfre_wlh_x86\i386\WRSA.pdb
Allow users to remove threats without a password
Allow users to scan without a password
This website is already being protected with SecureAnywhere Browser Protection. Remove it from the Browser Protection list to change its Website Filtering options.
This application is being actively protected against keyloggers, screen-grabbers, clipboard stealers, and other information-stealing threats.
Assess the intent of new programs before allowing them to execute
Would you like to automatically import the settings that were used in your previous installation?
Automatically block files when detected on execution
Caution: Booting into Safe Mode may prevent access to encrypted hard drives. Ensure that you have all encryption keys available if you are using hard disk encryption so that your computer can boot properly. Do you want to continue?
Warn when new programs execute that are not trusted
Protect against keyloggers
Block phishing and known malicious websites
Block suspicious access to browser windows
The current operation cannot be aborted.
SecureAnywhere was unable to remove threats automatically. Click "Contact Support" to contact our Support engineers.
Configuration for HTTP websites
Configuration for HTTPS websites
Would you like SecureAnywhere to continue monitoring and alerting about the Windows Firewall?
Your keycode has been copied to the clipboard. You can now paste it into any application.
The keycode could not be verified at this time. Ensure that SecureAnywhere is allowed to connect to the Internet and try again.
Configuration settings could not be exported to the selected file.
Configuration settings could not be imported from the selected file.
SecureAnywhere has detected that the Windows Firewall is currently disabled. It is recommended that you enable the Windows Firewall to receive maximum protection. The firewall built into SecureAnywhere is fully compatible with the Windows Firewall and provides an additional layer of protection.||Would you like to enable the Windows Firewall now?
Displaying %s events
Displaying %s process events
Enable Password Protection
Password protection is not currently enabled. Do you want to enable it now?
Enable "right-click" scanning in Windows Explorer
Enter a valid keycode to continue.
First Exec - PID: %i
A full keycode is required to add custom applications. Would you like to obtain one now?
Store Execution History details
Hide the SecureAnywhere keycode on-screen
SecureAnywhere has detected a modification to the HOSTS file, which may have been created by malicious software. The entry has the contents:||[%S]||Would you like SecureAnywhere to remove this entry?
HTTP Proxy
Save non-executable file details to scan logs
Enter a valid keycode. If you continue to receive this message, contact SecureAnywhere Support.
I/O Operations
A full keycode is required to increase the default security level. Would you like to obtain one now?
A keycode is required to run a full system scan. Would you like to obtain one now?
Your SecureAnywhere keycode has been validated and activated. Your computer will now be rescanned to provide the most accurate protection.
Enter a keycode to continue.
Loading execution history process events...
The Execution History log is currently loading.
Loading %s execution history events...
Caution: Your current configuration settings may prevent access to SecureAnywhere. You may want to change your configuration settings now or use the command-line option "WRSA.exe -showgui" to show the SecureAnywhere interface if needed.
Operate background functions using fewer CPU resources
This website is blocked because of a policy added by the user to prevent access.
This website has been trusted locally and visitation is not blocked.
Contact SecureAnywhere Support to upload files larger than 10MB.
Insert a keycode for SecureAnywhere.
Password
This file is trying to access stored passwords
The password entered was incorrect.
Error: The entered passwords do not match.
PID %i active %s (CPU %s)
PID %i active %s
%s (PID: %i) started by %s (PID: %i)
%s (PID: %i) - (Parent PID: %i)
Enter your password below to enter:
Enter a password to enable protection.
Protect cookies and saved website data
An attempt to take a screenshot of your computer was detected. This screenshot may contain confidential information as a protected website is currently open. Do you want to allow this screenshot to continue?
Protect against URL grabbing attacks
Port
Randomize the installed filename to bypass certain infections
Allow the process to execute other processes
Allow access to windows with a High integrity level
Allow access to windows with a Medium integrity level
Select a configuration file to import
Select a file to execute
Select where you would like to export the configuration:
Select a file to report to Webroot
Select a removal script to execute:
Show SecureAnywhere in the Windows Action Center
Show the "Authenticating Files" popup when a new file is scanned on-execution
Show SecureAnywhere in the Windows Security Center
Configuration successfully exported.
Are you sure you want to visit this website? The contents could potentially compromise your identity or infect your computer.
Uninstall Webroot
Configuration saved. Close and re-open all open web browsers to update active protection.
Use the preconfigured policies for changing configuration settings for all websites.
This keycode is valid but has expired. Would you like to renew the keycode now?
Enter a valid, complete website name to configure.
Verify the DNS/IP resolution of websites to detect Man-in-the-Middle attacks
Verify websites when visited to determine legitimacy
This website contains a known threat and has been blocked.
Contact Support
Website determination updated. Close your web browser and open the web page again or refresh the current page to continue browsing.
SecureAnywhere Scan Log (Version %S)~|Log saved at %S~|
(User time: %s - Kernel time: %s)
Cycles: %s
MD5: %S - Size: %i bytes
(PID: %i, TID: %i) %s registry entry: %s\%.*s
(PID: %i, TID: %i) %s file: %.*s
%s: PID - %i
(PID: %i, TID: %i) %s process: %i - %s
(PID: %i, TID: %i) %s named pipe: %.*s
(PID: %i, TID: %i) %s module: %.*s
(PID: %i, TID: %i) %s code: %.*s (%S)
(PID: %i, TID: %i) %s IP %.*S
(PID: %i, TID: %i) %s Sector: %I64X - Length: %I64X
(PID: %i, TID: %i) %s URL: %.*S
(PID: %i, TID: %i) %s service - %.*s - %.*s, (%i, %i)
(PID: %i, TID: %i) %s mutex: %.*s
(PID: %i, TID: %i) Logging keystrokes
(PID: %i, TID: %i) Monitoring Windows events (%i)
(PID: %i, TID: %i) %s section: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Registry Key: %.*s~|~|Value: %.*s~|Type: X~|New Data: %s~|~|Previous Data: %s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Filename: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Original Filename: %.*s~|~|New Filename: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Target Process ID: %i
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Module Name: %.*s~|Image Base: X~|Image Size: X~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Filename: %.*s~|Type: %S~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Address: %.*S~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Sector: %I64X~|Length: %I64X~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|URL: %.*S~|~|Bytes Transferred: %i
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Caption: %.*S~|Contents: %.*S~|
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Service Name: %.*s~|Binary Path: %.*s~|Type: %i~|Start Type: %i
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Mutex: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Windows Hook ID: %i~|Filename: %.*s
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Event Hook Minimum ID: X~|Event Hook Maximum ID: X
Process ID: %i~|Thread ID: %i~|Event Type: %s~|Access: %s~|~|Section: %.*s
View the Webroot software license agreement
Webroot SecureAnywhere protects your computer from viruses, spyware, trojans, rootkits, and other malicious software.
Enter your keycode to install and activate your software.
Help me find my keycode
By clicking Agree and Install, you accept the terms of the Webroot software license agreement.
Want to learn more about Webroot?
Help and Support
About Webroot SecureAnywhere
Login Theft Protection
Protected Websites
Websites on this list receive custom security to protect any information entered.
View/Edit Protected Websites
Password Required
Web Threat Shield
3. Close any open programs or web browsers (Recommended but not essential)
Reports
You may save a scan log, which Technical Support uses for diagnostics.
View an audit log of all monitored executed code. This allows you to manage running processes and identify potential problems quickly.
Not collecting execution history events
Password:
Repeat Password:
If a Webroot researcher has instructed you to execute a Removal script, select the script to begin.
Import / Export
Block websites from creating high risk tracking information
Analyze websites for phishing threats
Enter the website address to protect (e.g. VVV.webroot.com)
Add Website
Analyze search engine results and identify malicious websites before visitation
Detect websites being redirected by the HOSTS file
Look for malware on websites before visitation
Look for exploits in website content before visitation
Website Filter
View/edit the list of blocked websites to change how they should be handled or add new websites to block.
View Websites
Website
Enter the website address to configure (e.g. VVV.webroot.com)
You received your keycode by email.
Your keycode is located on the CD sleeve.
If you have misplaced your keycode:
Contact Webroot Support at hXXp://VVV.webroot.com/support
Help me find my license keycode
You can also import your settings from another computer using this screen.
Import Settings
Export Settings
Activate a new keycode
Keycode:
Enter your new keycode into the field below and click Activate:
Enter your keycode here...
Are you sure you want to abort the current operation?
Identity && Privacy - protect yourself while browsing web sites
Enter a password that is at least six characters long for better security.
Only executable files can be overridden.
Warning: Clearing the product log will prevent Webroot technical support from assisting you accurately. Are you sure you want to clear the log?
The username or password is invalid.
I forgot my password
Downloading Password Management Components...
Installing Password Management...
Windows System
Windows Desktop
Windows Registry Streams
Windows Update Temporary folder
Windows Temporary folder
Clean Index.dat (cleaned on reboot)
URL history
Securely erase files by overwriting contents with random data using seven passes and clean free space around files.
Erase files by overwriting contents with random data using three passes.
Clean files using standard file deletion techniques, bypassing the Windows Recycle Bin.
SecureAnywhere has detected a significant infection on your computer which requires manual assistance to clean. Contact Webroot Support to help clean your computer.
Your SecureAnywhere subscription entitles you to use Backup && Sync which makes it easy to share files on your computer and protect your important files from loss. Click "Download and Install" to use this feature.
Select specific files and folders to back up to your online storage in the Cloud to protect important files from loss.
Webroot Internet Security Complete is already installed on your computer. Use the Sync & Sharing features within WISC to prevent incompatibilities.
Backup & Sync was not installed successfully. If you continue to receive this error, contact Webroot Support.
Your SecureAnywhere subscription entitles you to use Password Management that makes managing your web site logons easy and more secure. Click "Download and Install" to use this feature.
Install Password Management
Manage your personal information, websites, and passwords at your My Webroot account.
- Automatically fill in your login information for remembered websites
- Create secure, hack-resistant passwords for website logins
Password Management makes web browsing easier and more secure.
Password Management is On
Password Management was not installed successfully. If you continue to receive this error, contact Webroot Support.
Password Management
SecureAnywhere was unable to restore all files to their original locations and has copied them to a dedicated Quarantine folder located at [%s]. Would you like to view the Quarantine folder now?
The keycode is currently hidden and cannot be copied.
%-5i %S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|
%-5i ...%.*S@Working Set: %-4iMB ^ Virtual: %-4iMB ^ Handles: %-4i ^ User Objects: %-4i ^ Kernel Time: d:d:d:d ^ User Time: d:d:d:d ^ Page Faults: %-7i ^ Parent PID: %-5i ^ Session ID: %-2i ^ Commandline: [%S]~|
%S (%S) - %S@%S drive - %i%% Free (%i MB Total), Serial Number: X~|
%S (%S)@%S, Number of Logins: %i, %S~|
%S on %S@%i MB, %i MHz (Form Factor: %S, Manufacturer ID: %S, Serial Number: %S, Part Number: %S)~|
%S on %S@%i MB, (Form Factor: %S)~|
%S@%S drive - No media~|
%S@%S, Last Login: %s, Number of Logins: %i, %S~|
%S@%S, Service: %S, Status: X,
%S@(%S) %S, Service: %S, Status: X,$
%S@Device ID: %S, Internal Name: %S~|
%S@Never logged in~|
%S@Port: %S, Status: %i, Jobs: %i~|
%i fragments, %u bytes@%S (MFT: %i)~|
%s@Minidump: %S~|
%s@System Analysis completed in %i seconds (%s)~|
, Problem code - X,
Active Applications@%i - %i windows (%i visible)~|
Active Applications@%i windows (%i visible)~|
Active Directory@%S~|
Auto Update State@%S~|
Browser@%S %S~|
CPU@%s (%i %S)~|
Common AppData Directory@%S~|
Current Processor Speed@%dMHz~|
DHCP Server@%s~|
DNS Server@%s~|
External Clock Speed@%dMHz~|
External IP Address@%s~|
Gateway@%s~|
Graphics Card@%s - %iMB Free Video RAM, %iMB Total~|
Home Page@%S~|
Hostname@%s~|
IP Address@%s~|
IP Mask@%s~|
Internet Cache@%i KB (%s)~|
Last Update Check@%S~|
Last Update Download@%S~|
Last Update Install@%S (%i %S ago)~|
Last Update Install@%S~|
Maximum Supported RAM Size@%i MB~|
Next Scheduled Install Time@%S~|
Next Scheduled Update Check@%S~|
OS Install Date@%s~|
OS@%s (Language: %i)~|
Operating System
Phishing Filter@%S~|
Search History, URL History, and Recent Playlist
Slot %i - %S (%S)@%S - Bus Number: 0xX, Device Number: 0xX, Segment Group Number: 0xX~|
Spyware Protection@%S %S (%S)~|
Spyware Protection@%S %S (%S, %S)~|
System Access Level@%s~|
System Boot Drive Device@%S~|
System Directory@%S~|
System Family@%S~|
System GUID@x-xx-xxxx-xxxx~|
System Manufacturer@%S~|
System Product Name@%S~|
System Proxy@%S~|
System Serial Number@%S~|
System Temporary Files@%i KB (%s)~|
System Uptime@%S (Tick Count: %i)~|
System Version@%S~|
Third Party Firewall@%S %S (%S)~|
UAC Status@%S~|
Update Type@%S~|
User Account Level@%s~|
User Temporary Files@%i KB (%s)~|
Username@%S (%S) - Session ID: %i~|
Username@%S - Session ID: %i~|
Virus Protection@%S %S (%S)~|
Virus Protection@%S %S (%S, %S)~|
Windows Experience Rating
Windows Firewall@Disabled~|
Windows Firewall@Enabled and Active~|
Windows Updates
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
SACBENTP285944DEFB2A.exe:892
%original file name%.exe:1700
mofcomp.exe:372
mofcomp.exe:776
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\Webroot\WRSA.exe (3785 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\SACBENTP285944DEFB2A.exe (3825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3F.tmp\wsa.bat (52 bytes)
%System%\wbem\Logs\mofcomp.log (1587 bytes)
%WinDir%\Temp\tmp41.tmp (2 bytes)
%System%\wbem\AutoRecover\3FB02EC54EF11291FA75FBAC8D6B80D4.mof (4 bytes)
%WinDir%\Temp\tmp40.tmp (2 bytes)
%System%\drivers\WRkrn.sys (112 bytes)
%Documents and Settings%\All Users\Application Data\WRData\~tmp.hiv (33604 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Webroot SecureAnywhere\Webroot SecureAnywhere.lnk (629 bytes)
%System%\WRusr.dll (149 bytes)
%WinDir%\Temp\perflib_perfdata_7a8.dat (4 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\All Users\Application Data\WRData\dbi.db (714 bytes)
C:\$Directory (1732 bytes)
%Documents and Settings%\All Users\Application Data\WRData\WR.mof (1 bytes)
%Documents and Settings%\All Users\Application Data\WRData\dbg.db (1636 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.