MD5: b998b1844de7b694dc4078102a1111ea
SHA1: bc160eb24df810bb01d5b42c36b06cfc462d3b1b
SHA256: 20ccfa6b1777da1a0c38df73721e0f10a77a71e9c63f100419ba59776be27e91
SSDeep: 393216:FXQm0LLi6tOBSiGta7NAC8JDsPn70iC VapFwWGkWO8DfGDzJ:FXrOTpo5IDyhC gpm9kWTDMV
Size: 16777216 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-10-14 08:50:27
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

SPSetup33757_Settings.exe:544
wscript.exe:1680
clntinsthlp.exe:1072
%original file name%.exe:556
sgvrfy32.exe:252
sgvrfy32.exe:776

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process SPSetup33757_Settings.exe:544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ra.dll (15021 bytes)
%WinDir%\winipbin\cmproxfr.dll (290 bytes)
%WinDir%\winipbin\rcxaemap.dll (1755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU3.tmp (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU2.tmp (106 bytes)
%WinDir%\winipbin\urluxui32.dll (4283 bytes)
%WinDir%\winipbin\bissimo.dll (245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU1.tmp (106 bytes)
%WinDir%\winipbin\eanipw.dll (3880 bytes)
%WinDir%\winipbin\svrltwp.dll (3691 bytes)
%WinDir%\winipbin\quasimo.dll (3760 bytes)
%WinDir%\Logs\splog.txt (20296 bytes)
%WinDir%\winipbin\vdorctrl.dll (15021 bytes)
%WinDir%\winipbin\mossimo.dll (281 bytes)
%WinDir%\winipbin\sgvrfy32.exe (17629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSVxRsc.dll (15021 bytes)
%WinDir%\winipbin\svrltmgr.dll (15021 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ra.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSVxRsc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU2.tmp (0 bytes)

The process wscript.exe:1680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\clntprxy.dll (601 bytes)
%System%\clntprxyio.dll (31 bytes)

The process %original file name%.exe:556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\install.vbs (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Client360ProxyX86.dll (1704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\clntinsthlp.exe (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Client360ProxyX64.dll (1401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\clntprxyio.dll (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\SPSetup33757_Settings.exe (309363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\install.vbs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Client360ProxyX86.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\clntinsthlp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Client360ProxyX64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\SPSetup33757_Settings.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\clntprxyio.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (0 bytes)

The process sgvrfy32.exe:252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\wbem\Logs\wbemprox.log (75 bytes)

Registry activity

The process SPSetup33757_Settings.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSVxRsc.dll,"

[HKCR\CLSID\{482D7655-1B0D-42B2-9D15-04323BCCC653}]
"(Default)" = "Manofbat"

[HKCR\CLSID\{482D7655-1B0D-42B2-9D15-04323BCCC653}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\winipbin]
"sgvrfy32.exe" = "sgvrfy32"

[HKCR\CLSID\{DB0236C8-9132-4C14-8459-8426421B9466}]
"(Default)" = "dosexchm"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{DB0236C8-9132-4C14-8459-8426421B9466}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{482D7655-1B0D-42B2-9D15-04323BCCC653}\InprocServer32]
"(Default)" = "%WinDir%\winipbin\svrltmgr.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{DB0236C8-9132-4C14-8459-8426421B9466}\InprocServer32]
"(Default)" = "%WinDir%\winipbin\vdorctrl.dll"

[HKCR\Iekuvox\CLSID]
"(Default)" = "{482D7655-1B0D-42B2-9D15-04323BCCC653}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\CLSID\{482D7655-1B0D-42B2-9D15-04323BCCC653}\ProgID]
"(Default)" = "Iekuvox"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Winipdat" = "{DB0236C8-9132-4C14-8459-8426421B9466}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Iekuvox]
"(Default)" = "Manofbat"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 C5 27 3E E8 AF 3F ED D1 43 37 1E 76 FD AC 1A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{F105F8A8-9D47-4942-B13B-DAC8DF268396}\InprocServer32]
"(Default)" = "%WinDir%\winipbin\wzodlg32.dll"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{Cb8DE863-0561-4ffd-9B86-5BA2E941BA52}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"(Default)"
"WebExtLocation"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCheckStub"

The process wscript.exe:1680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 4B DD 23 22 AD 29 97 4B 1C 60 76 B2 2F 43 4A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP]
"SPSetup33757_settings.exe" = "SPSetup33757_Settings"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP]
"clntinsthlp.exe" = "clientinstallhelper"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process clntinsthlp.exe:1072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 11 B0 AE D0 17 5C AB C8 A7 8C 80 D6 3E 25 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 2B 00 C8 5D 7C 96 75 7E 04 5A 01 5B 83 9C A5"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

The process sgvrfy32.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 BD A4 15 A3 3A 11 03 82 14 71 01 F0 42 F4 78"

The process sgvrfy32.exe:776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 AD 5A 22 62 B3 15 E3 64 B5 38 97 C0 26 FA 1A"

[HKLM\System\CurrentControlSet\Services\System Event Dispatcher]
"Description" = "Dispatches system events, such as Windows logons, user inactivity, and shutdown notifications."

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\c:\%original file name%.exe, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSVxRsc.dll, , \??\%WinDir%\winipbin\msocxusys.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ra.dll, , \??\c:\windows\winipbin\sgvrfy32.log,"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\System Event Dispatcher]
"EventMessageFile" = "%WinDir%\winipbin\sgvrfy32.exe"
"TypesSupported" = "7"
"ParameterMessageFile" = "%WinDir%\winipbin\sgvrfy32.exe"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: Internet Explorer
Product Version: 11.00.9600.16428
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

.FGy,

u&u

8sqliu

 2 34 567

tCPQW

SShH0b

SRSSh

SShp<b

xSSSh

FTPjKS

FtPj;S

C.PjRV

tCPVW

|$4.rM

kernel32.dll

%s_%s

0x%p,%d,%d

Global\%s

%d,0x%p

secur32.dll

ReadSettingsWebMailStrings

WriteSettingsWebMailStrings

locmlurl

locmsurl

locmrmsg

loclurl

locmurl

INTRWEB

AgentSettings.Drives

AgentSettings.YPagerPorts

AgentSettings.XMPPPorts

AgentSettings.SMTPPorts

AgentSettings.POPPorts

AgentSettings.OSCARPorts

AgentSettings.MSNPorts

AgentSettings.IRCPorts

AgentSettings.IMAPPorts

AgentSettings.HTTPSPorts

AgentSettings.HTTPPorts

AgentSettings.GnutellaPorts

AgentSettings.FTPPorts

MSG_Owner

WebMail

SMTPPOP

vKey

szKeyword

KeyEventDef

PortRange

KeywordRecord

ExportXMLSystem

ImportXMLSetting

\\.\%s%d

Windows-1252

%s %dx%dx%d

WindowsVersion

%d.%d.%d %s

" webmailrev="

WebMailRevLevel

svrapi.dll

netapi32.dll

\\%s\%s

AgentSettings.XMPPCaptureType

AgentSettings.IRCCaptureType

ValidatePortsCallback

%systemroot%

sprui\msnetsys.xxx

sprui\msnetsys.dll

microsoft\..\*32.dll

SvrUrlItemLegacy

SvrUrlItem

Stop.Time

Start.Time

PortRangeLegacy

ValidateServerCert

AuthenPassword

SmtpAuthType

KeywordRecordLegacy

KeyEventDefLegacy

Msg_Owner

LastMsgRcvdTime

AgentSettings.pRecordURLList

AgentSettings.pSvrBlockUrlList

AgentSettings.pDriveFiltersList

AgentSettings.pPortPortsList

AgentSettings.pPortAppsList

AgentSettings.pEmailLastRecvTimeList

AgentSettings.pEmailFilterList

AgentSettings.pBlockAllAppsList

AgentSettings.pBlockInPortsList

AgentSettings.pBlockOutPortsList

AgentSettings.pBlockUsersList

AgentSettings.pKeyEventList

AgentSettings.pUsersList

AgentSettings.pAppsList

AgentSettings.pBlockedProgramsList

AgentSettings.pBlockIMsList

AgentSettings.pURLList

pKeywordsList

MYSPACE_HTTP

FACEBOOK_HTTP

GTALK_HTTP

MSN_HTTP

KEYSTROKES

bNetLogin

UrlID

UrlType

UrlData

KeyData

KeywordData

KeyStrokeCount

URLCount

ReportData

strErrMsg

RemotePort

DesktopDataBase.Size

DesktopDataBase.Type

KEYWORD

BLK_WEB

WEBMAIL

SMTP

254.254.254.254

CUSTWEB

%s\%s

sys.dll

\\.\%s

%systemroot%\

%d-%X

CreateFileNewPassword1

CreateFileNewPassword2

CreateFileNewPassword

-%d.%s

spddd

0x%p,0x%p,%d

0x%p,%d

Unable to recover from corrupt file %s !

Corrupt file (%s, type %d) accessed for write access. Resetting.

Get-Crypt-Keys

DecompressData: Memory Sanity Check Failed, file %s

wsock32.dll

Connect - Unable to load CommDll library, %s

Connect - Unable to load client object: %s !

Connect to LicenseManager - Attempting to connect via IP address (%s, %d).

ChangeModeLMLicense - Invalid response packet size, %u

RequestLicense - Invalid response packet size, %u

ReserveLicense - Invalid response packet size, %u

AddLMSerialNumber - Invalid response packet size, %u

GetLMSerialNumbers - Invalid response packet size, %u

GetLMSerialNumbersEx - Invalid response packet size, %u

GetLMSNLicenses - Invalid response packet size, %u

GetLMSNLicense - Invalid response packet size, %u

GetLMLicenseInfo - Invalid response packet size, %u

%s %d

GetLMSNRegCode - Invalid response packet size, %u

GetLMSNRegCodeEx - Invalid response packet size, %u

SetLMSNUnlockCode - Invalid response packet size, %u

SetLMSNUnlockCodeEx - Invalid response packet size, %u

GetLMSNEvalModeResponse - Invalid response packet size, %u

TypesSupported

%s -sa

Manual Start Service pending local (%d)

Stop service '%s' on '%s' (%d)

Service %sstopped '%s' on '%s'

Unable to QueryServiceStatus on '%S' err=%d

Unexpected service state %d after STOP command

Unable to send STOP command to '%S', err=%d

Unable to open handle to '%S', err=%d

Unable to open SCM stopping '%S', err=%d

StopService: %S

StopEXE

Failed to Stop EXE service (%d)

Service EXE Stopped (%d)

SendMsgService

Failed to send service control message: %d (%d) to '%s'

Service control messsage sent: %d to '%s'

%s -r%d

ServiceRestart: (%d)

Service dependent on: %s

Failed to add Service dependency: %s (%d)

Service add dependency: %s

Service User Control Message: %u (%d)

Windows Firewall Interface is not available

Windows Firewall is DISABLED

WFAddServiceToCollection: ERROR %d

WFAddServiceToCollection: %d (%d)

WFRemoveServiceFromCollection: ERROR %d

WFRemoveServiceFromCollection: %d

WFDisableServiceInCollection: ERROR %d

WFDisableServiceInCollection: %d

CheckWinFWDependency dependency string added '%s'

0x%p,0x%p,%d,0x%p,%d,0x%p

0x%p,0x%p,%d,0x%p,%d

%s: invalid data type (%s)

%s: pData NULL

0x%p,0x%p,%d,0x%p,%d,0x%p,%d

ServiceBase::WriteServiceSetting(): error saving "%s"

0x%p,0x%p,%d,0x%p,%d,%d

0x%p,%d,0x%p,0x%p,0x%p,0x%p,%d

System\CurrentControlSet\Services\%s\Parameters

regsmtp

useRunKey

lulweb

lulport

PortFileName

URLFileName

KeystrokeFileName

mswshostport

WebServiceListenPort

mschostport

CCSListenPort

mswhostport

WFSListenPort

HostListenPort

msdhostport

DSListenPort

mslhostport

LMListenPort

mswebole

mswebcom

mswebrev

mswebext

HtmlMsg

SuspendMsg

webinetmask

AgentSettings.MaskProgramTitles

AgentSettings.ProgramInactivityTimeout

webinetprg

AgentSettings.CapturePrograms

webcap64

AgentSettings.CaptureContentIE

webcap32

AgentSettings.CaptureContentFF

webcap16

AgentSettings.CaptureContentChrome

webinturl

AgentSettings.IncludeAOLCSURLS

weblocposts

AgentSettings.CapturePOSTS

weblocaolse

AgentSettings.CaptureAOLSE

weblocxpcom

AgentSettings.CaptureXPCOM

URLOldestData

URLMaxDataSize

webloccheck

AgentSettings.IncludeLocalURLS

webnetcheck

AgentSettings.IncludeNetURLS

webinetcheck

AgentSettings.CaptureINetURLS

AgentSettings.MaskPasswords

AgentSettings.CaptureChars

KeyStrokesOldestData

KeyStrokesMaxDataSize

AgentSettings.CaptureKeyStrokes

portPortLst

portPortInc

AgentSettings.PortPortsInclude

portAppLst

portAppInc

AgentSettings.PortAppsInclude

portIAF

PortInactivityFlush

portOld

PortOldestData

portMDS

PortMaxDataSize

portCap

AgentSettings.CapturePort

AgentSettings.DriveFileTracking

AgentSettings.DriveDefault.Types

AgentSettings.CaptureCloud

AgentSettings.DriveFiltersInclude

AgentSettings.DriveDefault.Disposition

AgentSettings.CaptureIMAPI

AgentSettings.CapturePrintPages

AgentSettings.CapturePrinters

AgentSettings.CaptureDrives

hlpvsbftp

webcaphtml

AgentSettings.CaptureINetHTMLUploads

webinetipxp

AgentSettings.CaptureP2P

AgentSettings.StampChat

AgentSettings.CaptureSkype

AgentSettings.CaptureINetMSNExchange

AgentSettings.YPagerCaptureType

AgentSettings.AOLProcessCaptureType

AgentSettings.OSCARCaptureType

AgentSettings.MSNCaptureType

AgentSettings.CaptureINetMySpace443

AgentSettings.CaptureINetOSCAR

AgentSettings.CaptureINetAimExpress

webinetipx

AgentSettings.CaptureChat

AgentSettings.NotesPollingInterval

AgentSettings.NotesLastMsgRcvdTime

AgentSettings.LastMsgRcvdTime

webfiltlst

webfiltdef

AgentSettings.EmailFilterDefaultIgnore

AgentSettings.UseAltMAPICapture

webineticmp

AgentSettings.CaptureINetWebEMail

AgentSettings.MailAttachMaxDataSize

webinetudp

AgentSettings.CaptureAttachments

webinetxde

AgentSettings.CaptureAOLEMail

webinettimap

AgentSettings.CaptureINetIMAPEMail

webinettcp

AgentSettings.CaptureINetSMTPEMail

WebMapiBox

AgentSettings.MAPIInboxOnly

webnotes

AgentSettings.CaptureNotesEMail

webmapi

AgentSettings.CaptureMAPIEMail

webemap

AgentSettings.CaptureEMail

portusb6

portusb5

AgentSettings.SendVScroll

portusb3

AgentSettings.SendEnterEvent

portusb4

AgentSettings.SendMouseWheel

portusb7

AgentSettings.SendMouseRightClick

portusb2

AgentSettings.SendMouseDoubleClick

portusb1

AgentSettings.SendMouseClick

portpnp3

SnapTriggerKeyEnter

portpnp4

portpnp5

portpnp2

portpnp1

SnapTriggerHttpPost

SnapTriggerUrl

AgentSettings.InactivityTimeout

AgentSettings.BlockUsers

AgentSettings.SvrBlockRevertLocal

AgentSettings.SvrBlockEnable

AgentSettings.BlockIMsAccess

AgentSettings.BlockUrlsAccess

AgentSettings.BlockIMsList

AgentSettings.BlockUrlsList

AgentSettings.BlockInternetAccessAll

AgentSettings.BlockInternetAccess

AgentSettings.RecordUrlsList

AgentSettings.RecordUrls

AgentSettings.DenyListedUsers

AgentSettings.RecordUsers

AgentSettings.DenyListedApps

AgentSettings.RecordApps

SnapshotHotkey

ToggleRecordHotkey

HostLoginType

HostLoginPassword

HostLoginUsername

KeywordEmailSubjectStrPRogramWindowCaption

KeywordEmailSubjectStrProgramName

KeywordEmailSubjectStrP2P

KeywordEmailSubjectStrUrls

KeywordEmailSubjectStrKeyStrokes

KeywordEmailSubjectStrWebPages

KeywordEmailSubjectStrChat

KeywordEmailSubjectStrEmail

KeywordEmailFormatStrPRogramWindowCaption

KeywordEmailFormatStrProgramName

KeywordEmailFormatStrP2P

KeywordEmailFormatStrUrls

KeywordEmailFormatStrKeyStrokes

KeywordEmailFormatStrWebPages

KeywordEmailFormatStrChat

KeywordEmailFormatStrEmail

KeywordEmailTimeout

KeywordScreenshotPeriod

KeywordScreenshotRate

ScanWebPages

AgentSettings.CaptureINetWebPages

ScanUrls

ScanKeystrokes

TakeKeywordScreenshot

SendKeywordEmail

SendServerKeywords

AgentSettings.PoliciesPath

shellsvcmsg

TerminalServiceMsgSent

AgentSettings.DecoyFile

AgentSettings.ComAddinName

AgentSettings.ComAddinID

AgentSettings.MapiClsId

AgentSettings.BhoClsId

AgentSettings.pBlockFilesList

SentimentWebPort

SentimentWebURL

SentimentWebHost

AgentSettings.SAFProcessorPath

AgentSettings.FirefoxCaptureESRPath

AgentSettings.FirefoxCaptureLastPath

AgentSettings.FirefoxCapturePath

AgentSettings.DynProcessorWOW64Path

AgentSettings.DynProcessorPath

AgentSettings.AgentWOW64Path

AgentSettings.AgentPath

keydele

DeleteKey

keydeleroot

DeleteKeyRoot

AgentSettings.DeviceName

AgentSettings.DriverPath

KeywordMAPIPath

KeywordServerInfo

LCFireWallHTTPPort

SMTPPort

rmtporttok

RmtPortalToken

rmtportpass

RmtPortalPassword

rmtportlog

RmtPortalLogin

rmts3seckey

RmtS3SecretKey

rmts3keyid

RmtS3KeyID

AgentSettings.CaptureConsoles

AgentSettings.LFMaskShared

AgentSettings.BhoActive

WinAdminPassword

StartRecordingWithWindows

DataFilePasswordHash

AgentSettings.NetInitDelay

AgentSettings.ClearFF

AgentSettings.BlockFileAccess

AdminHotkey

AdminPasswordHash

AdminPassword

AgentSettings.LogFileMask

AgentSettings.LogFileLevel

AgentSettings.LogFilePath

AgentSettings.UseLogFile

DisallowKeystrokeCapture

ineturls

ineturlsn

msocxushell.dll

wwfwnetex.drv

tudmdxiufrm.drv

winfatiosys32.drv

winnetkernel32.drv

winkernel32hlp.drv

wwfwnetex.dll

udmdxiufrm.dll

msfatiosys32.dll

msnetKernel32.dll

mskernel32hlp.dll

-0561-4ffd-9B86-5BA2E941BA52}\OLE\Shell\Commands

MapiAuthentication.Addin

CEAdmin.cfg

CreateObjectSqlite

msnetsys.dll

msnetxml.dll

0x%p,%d,0x%p,0x%p,%d

SetAdminPasswordHash

SnapshotHotkeyDisplayable

ToggleRecordHotkeyDisplayable

AdminHotkeyDisplayable

GetUserInfo - Unable to load NETAPI32.DLL library.

GetUserInfo - Unable to get NETAPI32.DLL function pointers.

GetUserInfo - NetWkstaUserGetInfo error (%d,0x%p).

%s:%s\%s

NETAPI32.DLL

GetComputerInfo - Unable to load NETAPI32.DLL library.

GetComputerInfo - Unable to get NETAPI32.DLL function pointers.

GetComputerInfo - NetWkstaGetInfo error (%d,0x%p).

-0561-4ffd-9B86-5BA2E941BA52}

SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks

SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

WebExtLocation

bSOFTWARE\Microsoft\Windows\CurrentVersion\Run

WebCheckStub

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

CLSID\%s

clntprxyio.dll

clntprxy.dll

SpectorCNE.chm

%s -u

CLSID\%s\InProcServer32

SOFTWARE\Wow6432Node\Classes\CLSID\{4A85C0C0-C52C-4C08-9E88-F012BF35623A}

SOFTWARE\Classes\CLSID\{7640DFF4-252C-470E-ACB7-1922EA57A0B9}

SCHTASKS /CREATE /SC ONSTART /RU SYSTEM /TN %s /TR "%s"

RD /Q "%s"

SCHTASKS /DELETE /F /TN %s

RD /S /Q "%s"

xxxxx

xxxxxxxxxxxxxxxxx.cmd

CKeywordLists

Recorder::getKeywords

No keyword list: %s

Loading keyword list: %s size:%d

number of cached keyword lists: %d

number of user keyword lists: %d

CKeywordLists::LoadKeywords Get List failed

CKeywordLists::FindListId

CKeywordLists::getCachedKWList

CKeywordLists::MakeKeywordInfo

CKeywordLists::FindKWListInUserList

CKeywordLists::AddListToKeywords

AddListToKeywords: added %d keywords

AddListToKeywords: size %d

KWLFile::LoadInfo --- keyword source file name is %s

KeywordList

KeywordUserLists

KeywordListNames

KWLFile::GetList case KWLT_Words name key record (%s). Added to the list

KWLFile::GetList case KWLT_Names name key record (%s) Added to the list

ERROR GetList: Keyword List:%s size:%d

ERROR GetList: Keyword List:%s ReadValue failed

GetList: Keyword List:%s Section:%s size:%d

GetList: Keyword List:%s Section:%s failed, no lists!

%s_%d

PB: Could not create named pipe server.

\\.\pipe\BAPipe

PB: Could not send language data, export returned false.

PB: Could not send language data, export not found.

%s\diohd0.dll

hXXp://%s:%i

Operations

print 'ERROR: ' ..db_errlog();

return;}$records = [%s];foreach ($records as $value){

if ($record.Type != "FileCopyRecord")

$userinfo = %s;

if ($record.ComputerUserInfo != $userinfo.ComputerUserInfo)

L:%s\%s\%s

N:%s\%s

/DeviceService/ReportTerminalServiceClient?device=

Failed to load communications library (%s).

Failed to load server object: %s

Started listening on port %d (%d).

0x%p, %d, 0x%p

CommHost: Received RemoteCommand (%d) from computer %s SN %s MachineID %s

ProcessGetSetupFileIni (%d,%d)

GetSetupFileContent '%s' (0x%p,%d) (%d)

ProcessGetIPAddress (%d,%d) '%s - %s'

%d.%d.%d.%d

ProcessGetLogFile (%d,%d)

GetLogFileContent '%s' (0x%p,%d) (%d)

Calling TermClient from ExecuteUninstall

CheckSettingsImport1

CheckSettingsImport

msnwcfg.ini

0x%p, %d, 0x%p, %d

EnumKeys

ALERT DATA: no. of alerts %d

ALERT DATA: [username = %s, User Hash = %d, Source: %s, Keywords %s]

InitClient: Unable to load CommDLL (%s)

InitWFSClient: Connect failed (%s, %d, %s, %s) (%s, %s, %s, %s).

InitClient: Unable to create client object: %s

InitClient: Attempting to connect via IP address (%s, %d).

InitClient: Connect failed (%s, %d, %s, %s) (%s, %s, %s, %s).

InitClient Comm Path %s

PushData: Failed to initialize client communications (Port %d on %s).

PushData: Session complete. Sent %d data transactions, %d snapshot files.

PushData: Session complete. Sent %d data transactions, %d snapshot files, %d sentiment scores.

Unable to signal sentiment scoring mutex - will attempt again on next data push (%d)

d-%x.sdf

PushData: Pushing, maximum %d seconds.

PushData: Failed to send all users to server - sent %d/%d records.

PushData: Unable to open User data file %s - error %d !!!

Checking Pushed Data ended, total time: %d msecs

AddKeystrokesToList

ProcessKeystrokeFile1

ProcessKeystrokeFile

ProcessDF: Could not find any transactions for transmission (%s, %d, %d).

ProcessDF: Failed to send record to server (%s)

DataPush::ProcessDisplayFile CreateFileNewPassword (%s,%s) failed!!!

DataPush::ProcessDisplayFile SendFile (%s,%s) failed!!!

DataPush::ProcessDisplayFile End, '%s'

Unable to delete file (%s) : %s

snapshotXX.%s

CheckUrlCategory

SendDataRecord: Returned no URL page category for (%s).

SendDataRecord: Returned URL page category: %d for (%s).

Score send failed with response code %d

Attempting to send sentiment scores to %s:d/%s

Unable to create sentiment scoring web request

Unable to create sentiment scoring web client

Found %d unsent sentiment scores

%s - WSA Startup returned [%d]

%s - Found dns domain [%s]

Kernel32.dll

%s - Found domain [%s]InfoPush::Initialize

%s - Found computer name [%s]

InitPushClient: CCS Host Initialize Success '%s' in %d secs on Port: %d (%d)

InitPushClient: CCS Host Initialize Failed '%s' in %d secs (WSAErr: %d) (%d)!!!

%s - Addr = [AddrInfo = %p]

%s - Reverting to IP Addr [%s]

%s - Skipping loopback alternate IP address [%s]

InitPushClient: CCS Host resolve '%s' (%d) %s

%s - HostEntEntry = [AddrInfo = %p]

InitPushClient: CCS Host getaddrinfo Failed '%s' (WSAErr: %d)!!!

%s - Resolved %s [ %p ]

InitPushClient: Initializing UDP client to '%s' on Port: %d AltIP:(%d) '%s' - '%s'

InitCommClient: Unable to load CommDLL (%s)

InitCommClient: Unable to create client object: %s

InitCommClient: Attempting to connect via IP address (%s, %d).

InitCommClient: Connect failed (%s, %d, %s, %s) (%s, %s, %s, %s).

InitCommClient: Initializing TCP client using '%s'

Error deleting m_pUdp object

PushOSInfo: Pushing info to server end '%s\%s' (%d,0x%p,0x%p) (%d) (0x%p)

PushOSInfo: Pushing info to server start (%d,%d,%d)

PushRecordInfo: Pushing info to server end S(%d,%d) R(%d,%d,%d) (%d,%d,%d,%d,%d,%d)

PushRecordInfo: Pushing info to server check S(%d,%d,%d,%d,%d) R(%d,%d,%d,%d,%d)

PushRecordInfo: Pushing info to server message out of sync flush (%d, %d, %d, %d)

PushRecordInfo: Pushing info to server start [Port = %d, Stop = %d, Uninstalling = %d, Bootstrap = %d]

ExecUpdateSyncThread End '%s' - (%d,%d)

%s#%s

ExecCombinationsRequest with flag %X

ExecChangeModeThread End '%s' - (%d,%d)

Error communicating with CCS to retrieve new mode [%d]

Got new mode from CCS [Mode = %d, Wrote Setting = %d]

%s End

%s Start

InfoPush::ExecNotifyOfLicenseRecheck

ExecUpdateRequest Abort '%s'

ExecUpdateThread End '%s' - (%d,%d,%d)

ExecInstallRequest Abort '%s'

ExecInstallThread End '%s' - (%d,%d,%d,%d) (%d,%d)

spsetup.exe

RunSetupExe

RunSetupExe End (%d)

RunSetupExe Start '%s' '%s'

ExecUninstallRequest Abort '%s'

EWSCCSimulate.exe

InfoPushInput.txt

Move file to the new directory %s from %s failed with %d.

Skipping user [%s] for EWS definitions update. 5 minute interval has not elapsed.

Unable to create user information state for user [%s]

ExecUninstallThread End '%s'

GetClientInfo '%s' (%d,%d,%d,%d,%d) ( %s )

GetRecordState '%s' (%d-%d-%d,%d,%d,%d,%d,%d,%d,%d,%d,%d)

GetClientOSInfo '%s' (%d) '%s' '%s' '%s'

%s\%s\%s

Windows NT

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows NT\CurrentVersion

Starting alert definition fetch for user [%s].

Could not set popup mode to %s for all keywords for user %s.

Could not set popup mode to %s for all keywords for user %s as Recon instance was not found.

Could not set popup mode to %s for all keywords for default user.

Could not set popup mode to %s for all keywords for default user as Recon instance was not found.

Alert definitions received with [Flags %d ] [ NumOfDefaultUserKeywords %d ] [NumOfUserKeywords %d ]

Unable to update alert definitions for user [%s].

Write alert definitions done for [%s] [Sync = %d, ews = %p].

Unable to write alert definitions for [%s] [Erase = %d] [Sync = %d, ews = %p].

Erase alert definitions done for [%s] [Sync = %d, ews = %p].

Unable to erase alert definitions for [%s] [Sync = %d, ews = %p].

CKeywordDBLists::Init

Recorder::getKeywordsFromDB

<KWListReq listid="%d" serialnumber="%s"/>

<KWListNameReq serialnumber="%s"/>

CKeywordLists::getListUserFromDB

(KWS) getListUserFromDB: number of list:%d

(KWS) getListUserFromDB: Adding list:%d

<KWListUserReq user="%s" serialnumber="%s"/>

CKeywordLists::DisplayCacheListsInfo

(KWS) DisplayCacheListsInfo: List:%s ID:%d Version:%d

(KWS)cacheKeywords:Done

Recorder::cacheKeywords

(KWS)cacheKeywords: SetKWListNames failed!

(KWS)cacheKeywords: Update Keyword version list

(KWS) cacheKeywords: Adding list:%s

(KWS)cacheKeywords: Adding list:%s

(KWS) cacheKeywords: list:%s version difference %d :%d

(KWS) cacheKeywords: Removing list:%s No longer in DB!

(KWS) cacheKeywords: Checking list: %s

(KWS) cacheKeywords: Checking %d lists

(KWS) cacheKeywords: Unable to get lists from DB

CKeywordLists::CacheKWList

(KWS)CacheKWList: %s

CKeywordLists::deleteCachedKWList

CKeywordLists::AddNewListFromDB

(KWS)AddCachedListFromDB: Update Keyword list:%s,ID:%d, Version:%d

(KWS) AddCachedListFromDB: Adding list:%s

KeywordMgr

(KWS) KeywordMgr::Initialize: Thread Started...

KeywordMgr::Initialize: Unable to create keyword loader event

Global\SPxKeywordLoadNoChange

Global\SPxKeywordLoadComplete

KeywordMgr: Starting

KeywordMgrThread deleting objs

KeywordMgrThread

(KWS) Caching Keywords complete!!!

(KWS) Checking current list :%d with user list:%d

(KWS) Reload CurrUser:count:%d != User:count:%d

(KWS) Request recieved from :%s

(KWS) Request recieved size %d

(KWS) GetLastError error result:%d

(KWS) GetOverlappedResult bytes returned:%d

(KWS) Keyword server waiting...

(KWS) Unable to create named pipe: %s

\\.\PIPE\kwordlist

(KWS) Unable to create KeywordList Object

%s - Request to force recheck of license

GetLicenseResponse returned a license handle, 0x%X

GetLicenseResponse returned a remote error status(0x%X): %s !!!

About to check license status [Current License Information = %d]

0x%x,%d,0x%x,0x%x

Uninstall service name (%s) on (%s)

Uninstalling service...service only

Client Service Name (%s)

Client Service Path (%s)

%SystemRoot%\System32\

Client Install Machine Name (%s)

Start of Client Service code (%s)

msocxushell2.dll

user32.dll

(ServiceBase::ServiceMonitor) %s with error %d: %s

RegCloseKey

Error in RegCloseKey.

RegNotifyChangeKeyValue

RegOpenKeyEx

Dispatches system events, such as Windows logons, user inactivity, and shutdown notifications.

advapi32.dll

Failed: Client Service initializing. %s Version %s Build %d

Client Service initializing. %s Version %s Build %d

Could not instantiate user policy web service communications thread.

Could not create user policy web service communications object.

Policy file: %s

User policy info: %s, %d

No web service port specified - using default value

Invalid web service port specified: %lu

%s://%s:%i

%s://[%s]:%i

1.2.3

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

inflate 1.2.3 Copyright 1995-2005 Mark Adler

SQLiteManager

cSQLiteRow::GetColumnValueT

No SQL statement specified.

large file support is disabled

unknown operation

SQL logic error or missing database

foreign_keys

sqlite_compileoption_get

sqlite_compileoption_used

sqlite_log

sqlite_source_id

sqlite_version

sqlite_attach

sqlite_detach

sqlite_stat1

sqlite_rename_parent

sqlite_rename_trigger

sqlite_rename_table

RowKey

3.7.7.1

SQLite format 3

CREATE TABLE sqlite_master(

sql text

CREATE TEMP TABLE sqlite_temp_master(

REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY

922337203685477580

SQLITE_

FAPI call with %s database connection pointer

OsError 0x%x (%u)

os_win.c:%d: (%d) %s(%s) - %s

%s\etilqs_

2nd reference to page %d

invalid page number %d

%s(%d)

keyinfo(%d

%r %s BY term out of range - should be between 1 and %d

Expression tree is too large (maximum depth %d)

too many SQL variables

variable number must be between ?1 and ?%d

too many columns in %s

%s OR name=%Q

type='trigger' AND (%s)

table %s may not be altered

sqlite_

SELECT tbl, idx, stat FROM %Q.sqlite_stat1

access to %s.%s.%s is prohibited

access to %s.%s is prohibited

object name reserved for internal use: %s

duplicate column name: %s

too many columns on %s

unknown column "%s" in foreign key definition

number of columns in foreign key does not match the number of columns in the referenced table

foreign key on %s should reference only one column of table %T

a JOIN clause is required before %s

cannot modify %s because it is a view

table %s may not be modified

foreign key mismatch

error during initialization: %s

no entry point [%s] in shared library [%s]

unable to open shared library [%s]

sqlite3_extension_init

unknown or unsupported join type: %T %T%s%T

RIGHT and FULL OUTER JOINs are not currently supported

USE TEMP B-TREE FOR %s

COMPOUND SUBQUERIES %d AND %d %s(%s)

%s:%d

no such index: %s

SCAN TABLE %s %s%s(~%d rows)

sqlite3_get_table() called with two or more incompatible queries

UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d

sqlite_master

sqlite_temp_master

vtable constructor did not declare schema: %s

vtable constructor failed: %s

no such module: %s

table %s: xBestIndex returned an invalid plan

%s (~%lld rows)

%s VIRTUAL TABLE INDEX %d:%s

%s (rowid<?)

%s (rowid>?)

%s (rowid>? AND rowid<?)

%s (rowid=?)

%s USING INTEGER PRIMARY KEY

%s USING %s%sINDEX%s%s%s

%s AS %s

%s TABLE %s

%s SUBQUERY %d

database corruption at line %d of [%.10s]

misuse at line %d of [%.10s]

cannot open file at line %d of [%.10s]

zipvfs database is corrupt. Line %d of [%.10s]

failed to allocate %u bytes of memory

failed memory resize %u to %u bytes

Recovered %d frames from WAL file %s

cannot limit WAL size: %s

foreign key constraint failed

unable to use function %s in the requested context

zeroblob(%d)

DELETE FROM %Q.%s WHERE %s=%Q

CREATE TABLE %Q.%s(%s)

%s %T cannot reference objects in database %s

default value of column [%s] is not constant

UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d

no such collation sequence: %s

%s - %s

malformed database schema (%s)

cannot join using column %s - column not present in both tables

cannot have both ON and USING clauses in the same join

a NATURAL join may not have an ON or USING clause

%s.%s

%s-shm

bind on a busy prepared statement: [%s]

%s: %s

%s: %s.%s

%s: %s.%s.%s

misuse of aliased aggregate %s

not authorized to use function: %s

too many terms in %s BY clause

EXECUTE %s%s SUBQUERY %d

%.*s"%w"%s

%s%.*s"%w"

UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q

Cannot add a PRIMARY KEY column

invalid name: "%s"

automatic extension loading failed: %s

d-d-d d:d:d

SELECTs to the left and right of %s do not have the same number of result columns

LIMIT clause should come after %s not before

ORDER BY clause should come after %s not before

BmTunknown database: %s

Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)

Failed to read ptrmap key=%d

failed to get page %d

%d of %d pages missing from overflow list starting at %d

freelist leaf count too big on page %d

Fragmentation of %d bytes reported as %d on page %d

Multiple uses for byte %d of page %d

Corruption detected in cell %d on page %d

On page %d at right child:

On tree page %d cell %d:

unable to get the page. error code=%d

btreeInitPage() returns error code %d

Page %d:

Outstanding page count goes from %d to %d during this analysis

Pointer map page %d is referenced

Page %d is never used

indexed columns are not unique

%s-mjX

INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')

no such vfs: %s

%s mode not allowed: %s

no such %s mode: %s

unknown database %s

database %s is locked

cannot detach database %s

no such database: %s

PRIMARY KEY must be unique

%s.%s may not be NULL

unable to close due to unfinished backup operation

ZV-%s

cannot read zipvfs version: %d

no such zipvfs module: %s

misuse of aggregate: %s()

database schema is locked: %s

INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';

SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0

SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'

SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'

SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0

PRAGMA vacuum_db.synchronous=OFF

cannot VACUUM - SQL statements in progress

cannot use index: %s

at most %d tables in a join

constraint failed at %d in [%s]

abort at %d in [%s]: %s

database table is locked: %s

cannot change %s wal mode from within a transaction

SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid

cannot commit transaction - SQL statements in progress

cannot rollback transaction - SQL statements in progress

cannot %s savepoint - SQL statements in progress

no such savepoint: %s

cannot open savepoint - SQL statements in progress

statement aborts at %d: [%s] %s

cannot open value of type %s

SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid

unsupported file format

no such trigger: %S

unable to open database: %s

database %s is already in use

too many attached databases - max %d

sqlite_sequence

there is already an index named %s

DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q

DELETE FROM %Q.%s WHERE name=%Q AND type='index'

index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped

no such index: %S

unable to identify the object to be reindexed

no such table: %s

sqlite_subquery_%p_

cannot create INSTEAD OF trigger on table: %S

cannot create %s trigger on view: %S

cannot open %s column for writing

no such column: "%s"

cannot open view: %s

cannot open virtual table: %s

indexed

foreign key

sqlite_altertab_%s

INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

CREATE%s INDEX %.*s

table %s has no column named %s

sqlite_autoindex_%s_%d

index %s already exists

there is already a table named %s

virtual tables may not be indexed

views may not be indexed

table %s may not be indexed

AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY

table "%s" has more than one primary key

CREATE TABLE %Q.sqlite_sequence(name,seq)

UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d

CREATE %s %.*s

view %s is circularly defined

table %S has no column named %s

%d values for %d columns

table %S has %d columns but %d values were supplied

*** in database %s ***

unsupported encoding: %s

foreign_key_list

no such column: %s

there is already another table or index with this name: %s

UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;

UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q

UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;

view %s may not be altered

-- TRIGGER %s

DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q

DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'

DELETE FROM %s.sqlite_sequence WHERE name=%Q

use DROP VIEW to delete view %s

use DROP TABLE to delete table %s

table %s may not be dropped

the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers

the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers

%d.%d.%d

CryptGetKeyParam

CryptImportKey

CryptExportKey

CryptDeriveKey

CryptGetUserKey

CryptDestroyKey

CryptGenKey

ADVAPI32.dll

CRYPT32.dll

::AquireKeyContainer

0x%p,%d,%d,%d

%d,%d,%d

0x%x,0x%p,%d,0x%p,0x%p,%d

0x%p,0x%p,%d,%d

::ResetKeyBlob

::IsKeySpecValid

::DeriveSessionKey

0x%p,%d,0x%p,%d,%d,%d

Error encrypting data getting data size (0x%x) (%x)

Error encrypting data while encrypting (0x%x) (%x) (%d,%d,%d)

Data encrypted successfully (%d, %d, %d)

Error decrypting data while decrypting (0x%x) (%x) (%d,%d,%d)

Data decrypted successfully (%d, %d, %d)

X:

% 03dd

default.log

ddd d:d:d%s M m m .10s %-8.8s %-4.4s %-12.12s %-12.12s %-7.7s =>

ws2_32.dll

%*.*f

MSMSGS

FTP Voyager

Ftpvoyager

Windows Messaging

Cute FTP

Cutftp32

\wininit.ini

PendingFileRenameOperations

CWindowsFirewall

::DisablePort

FDisableAppAndPort

::IsPortEnabled

::AddPort

::RemovePort

AddAppAndPort

RemoveAppAndPort

Advapi32.dll

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

dbghelp.dll

%s\%s_ddd-ddd-%ld-%ld.dmp

QA1Q0ZWQIE_%d

CreateAlertKeyword

Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

portuguese-brazilian

operator

GetProcessWindowStation

src\DateTime.cpp

https

bad or invalid port number

%<>{}|\"^`

windows-1252

Windows-1251

windows-1251

Windows-1250

windows-1250

hXXp://

Invalid HTTP version string

HTTP request URI invalid or too long

HTTP request method invalid or too long

No HTTP request header

Error reading HTTP request header

HTTP reason string too long

Invalid HTTP status code

No HTTP response header

Error reading HTTP response header

Unsupported Media Type

HTTP Version not supported

src\HTTPSession.cpp

src\HTTPHeaderStream.cpp

Invalid address length passed to SocketAddress()

unsupported IP address family

src\HTTPStream.cpp

src\HTTPFixedLengthStream.cpp

src\HTTPChunkedStream.cpp

0.0.0.0

Invalid address length passed to IPAddress()

()[]/|\',;

Address family not supported

Protocol family not supported

Operation not supported

Socket type not supported

Protocol not supported

Socket operation attempted on non-socket

Operation already in progress

Operation now in progress

Operation would block

src\SocketImpl.cpp

src\Socket.cpp

src\HostEntry.cpp

src\IPAddressImpl.cpp

255.255.255.255

mask() is only supported for IPv4 addresses

offset <= subject.length()

src\RegularExpression.cpp

%Y-%m-%dT%H:%M:%S%z

%Y-%m-%dT%H:%M:%s%z

%w, %e %b %y %H:%M:%S %Z

%w, %e %b %Y %H:%M:%S %Z

%w, %d %b %Y %H:%M:%S %Z

%W, %e-%b-%y %H:%M:%S %Z

%W, %e %b %y %H:%M:%S %Z

%w %b %f %H:%M:%S %Y

%Y-%m-%d %H:%M:%S

src\MemoryPool.cpp

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

Error text not found (please report)

Windows

import

parse_url

fpassthru

is_executable

Windows_vfs

array_key_exists

JX9_URL_FRAGMENT

JX9_URL_QUERY

JX9_URL_PATH

JX9_URL_PASS

JX9_URL_USER

JX9_URL_PORT

JX9_URL_HOST

JX9_URL_SCHEME

rawurldecode

rawurlencode

urldecode

urlencode

join_recursive

join

01234567

0123456789

1.1.6

unqlite/1.1.6

Copyright (C) Symisc Systems, S.U.A.R.L [Mrad Chems Eddine <chm@symisc.net>] 2012-2013, hXXp://unqlite.org/

Empty key

Jx9/1.7.2

%d.%d Ë

%.3s, d %.3s M d:d:d

M-d-dTd:d:d% 05d

d:d:d

d:d

d:d:d %s

d/d/d

%d-d-d

%d-d-d d:d:d

JSON Object: Unexpected expression, key must be of type string, literal or simple variable

JSON Object: Missing entry key

[lambda_%d]

Expected '(' after 'while' keyword

Expected expression after 'while' keyword

Expected '(' after 'for' keyword

foreach: Missing $key => $value pair

foreach: Missing $key

Expected variable after 'static' keyword

Expected '(' after 'switch' keyword

Expected expression after 'switch' keyword

Syntax error: Unexpected keyword '%z'

%u Error count limit reached, JX9 is aborting compilation

%u %s:

d-d-d

printegereturnconstaticaselseifloatincludefaultDIEXITcontinuediewhileASPRINTbooleanbreakforeachfunctionimportstringswitchuplink

2147483648

2147483647

9223372036854775808

9223372036854775807

'%z': Expecting a variable as left operand

'%z' operator needs l-value

'%z': Missing operand

'%z': Missing/Invalid operand

'%z': Left operand must be a modifiable l-value

IO routine(%s) not implemented in the underlying VFS, JX9 is returning FALSE

IO routine(%s) not implemented in the underlying VFS

Microsoft Windows

Microsoft Windows NT

Microsoft Windows 2000

Microsoft Windows XP

Microsoft Windows Server 2003

Microsoft Windows Vista

Microsoft Windows 7

Microsoft Windows 8

%u.%u build %u

%s localhost %u.%u build %u x86

IO routine(%s) not implemented in the underlying stream(%s) device, JX9 is returning FALSE

IO routine(%s) not implemented in the underlying stream(%s) device

%z%c%z

No stream device is associated with the given path(%s)

IO error while opening '%s'

Read-only stream(%s): Cannot perform write operation

IO error while opening source: '%s'

IO error while opening destination: '%s'

Expecting a file path or URL

No stream device is associated with the given URI(%s)

C:\Windows\Temp

} }/* Close the handle */closedir($pHandle);if( ($iFlags & GLOB_NOSORT) == 0 ){ /* Sort the array */ sort($pArray);}if( ($iFlags & GLOB_NOCHECK) && sizeof($pArray) < 1 ){ /* Return the search pattern if no files matching were found */ $pArray[] = $pattern;}/* Return the created array */return $pArray;}/* Creates a temporary file */function tmpfile(){ /* Extract the temp directory */ $zTempDir = sys_get_temp_dir(); if( strlen($zTempDir) < 1 ){ /* Use the current dir */ $zTempDir = '.'; } /* Create the file */ $pHandle = fopen($zTempDir.DIRECTORY_SEPARATOR.'JX9'.rand_str(12), 'w '); return $pHandle;}/* Creates a temporary filename */function tempnam(string $zDir = sys_get_temp_dir() /* Symisc eXtension */, string $zPrefix = 'JX9'){ return $zDir.DIRECTORY_SEPARATOR.$zPrefix.rand_str(12);}function max(){ $pArgs = func_get_args(); if( sizeof($pArgs) < 1 ){ return null; } if( sizeof($pArgs) < 2 ){ $pArg = $pArgs[0]; if( !is_array($pArg) ){ return $pArg; } if( sizeof($pArg) < 1 ){ return null; } $pArg = array_copy($pArgs[0]); reset($pArg); $max = current($pArg); while( FALSE !== ($val = next($pArg)) ){ if( $val > $max ){ $max = $val; } } return $max; } $max = $pArgs[0]; for( $i = 1; $i < sizeof($pArgs) ;   $i ){ $val = $pArgs[$i];if( $val > $max ){ $max = $val;} } return $max;}function min(){ $pArgs = func_get_args(); if( sizeof($pArgs) < 1 ){ return null; } if( sizeof($pArgs) < 2 ){ $pArg = $pArgs[0]; if( !is_array($pArg) ){ return $pArg; } if( sizeof($pArg) < 1 ){ return null; } $pArg = array_copy($pArgs[0]); reset($pArg); $min = current($pArg); while( FALSE !== ($val = next($pArg)) ){ if( $val < $min ){ $min = $val; } } return $min; } $min = $pArgs[0]; for( $i = 1; $i < sizeof($pArgs) ;   $i ){ $val = $pArgs[$i];if( $val < $min ){ $min = $val; } } return $min;}

hXXp://jx9.symisc.net/

%s  %8u %#8x [%u]

Fatal, JX9 engine is running out of memory while loading JSON array/object at instruction #:%d

[%u]apArg

Copyright (C) Symisc Systems 2012-2013, hXXp://jx9.symisc.net/

1.7.2

%s %s, %s

port

IO error while importing: '%z'

http/1.0

HTTP/1.0

HTTP/1.1

HTTP_ACCEPT

HTTP_ACCEPT_CHARSET

HTTP_ACCEPT_ENCODING

HTTP_ACCEPT_LANGUAGE

HTTP_CONNECTION

HTTP_HOST

HTTP_REFERER

HTTP_USER_AGENT

application/x-www-form-urlencoded

Append operation will cause data overflow

IO error while reading journal file '%s' header

Cannot rollback journal file '%s' due to a read-only database handle

IO error while opening journal file: '%s'

No such Key/Value storage engine '%z'

IO error while opening the target database file: %s

IO error while opening journal file: %s

Storage engine '%s' does not support cursors

Cannot install a default Key/Value storage engine

Cannot create new collection '%z' due to a read-only Key/Value storage engine

Cannot store record into collection '%z' due to a read-only Key/Value storage engine

Cannot delete record from collection '%z' due to a read-only Key/Value storage engine

Cannot remove collection '%z' due to a read-only Key/Value storage engine

%d-%d-%d d:d:d

Error while storing record %d in collection '%z'

HTTPS

/Document/CopyOperation

CaptureKeystrokes

CaptureKeywords

CapturePort

CaptureINetURLS

\\.\pipe\SpectorLiveLog

Service32.pdb

GDI32.dll

WSOCK32.dll

WTSAPI32.dll

NETAPI32.dll

GetKeyNameTextA

MapVirtualKeyA

GetKeyboardLayout

USER32.dll

WS2_32.dll

Secur32.dll

GetWindowsDirectoryA

WinExec

DisconnectNamedPipe

ConnectNamedPipe

CreateNamedPipeA

CreateIoCompletionPort

GetProcessHeap

KERNEL32.dll

MapVirtualKeyExA

ExitWindowsEx

RegCreateKeyExA

RegCreateKeyA

RegDeleteKeyA

ReportEventA

RegOpenKeyExA

RegEnumKeyExA

RegGetKeySecurity

RegSetKeySecurity

ole32.dll

SHELL32.dll

OLEAUT32.dll

SHLWAPI.dll

GetCPInfo

PeekNamedPipe

WaitNamedPipeA

SetNamedPipeHandleState

Service32.exe

unqlite_array_add_strkey_elem

unqlite_kv_cursor_key

unqlite_kv_cursor_key_callback

unqlite_vm_exec

vdorctrl.dll

vdorctrl2.dll

svrltmgr.dll

svrltmgr64.dll

mxcrsc32.exe

snxapi.exe

vdorctrl.sys

wshvtx.exe

secadtr.dll

cmproxfr.dll

ashl16.dll

ashl32.dll

sgvrfy32.exe

nmcpusym.dll

xsysym.dll

svrltwp.dll

svrltwp64.dll

svrlser.dll

vidithnk.dll

wzodlg32.dll

winipdat.log

safser32.dll

ntvshl.exe

mzsyk32.dll

eanipw.dll

qasapmov.db

qasapavi.db

rcxaemap.dll

quasimo.dll

mossimo.dll

pfwizard.dll

bissimo.dll

ssbtc.dat

ssbtg.dat

ssbtl.dll

ssbtd.dir

spssd.db

SOFTWARE\Classes\CLSID\{F105F8A8-9D47-4942-B13B-DAC8DF268396}

zcÁ

.?AVHTTPClientSession@Net@Poco@@

.?AVHTTPSession@Net@Poco@@

.?AVHTTPRequest@Net@Poco@@

.?AVHTTPMessage@Net@Poco@@

.?AVHTTPResponse@Net@Poco@@

.?AV?$BasicBufferedStreamBuf@DU?$char_traits@D@std@@VHTTPBufferAllocator@Net@Poco@@@Poco@@

.?AVHTTPHeaderIOS@Net@Poco@@

.?AVHTTPHeaderInputStream@Net@Poco@@

.?AVHTTPHeaderOutputStream@Net@Poco@@

.?AVHTTPHeaderStreamBuf@Net@Poco@@

.?AVHTTPIOS@Net@Poco@@

.?AVHTTPInputStream@Net@Poco@@

.?AVHTTPOutputStream@Net@Poco@@

.?AVHTTPStreamBuf@Net@Poco@@

.?AVHTTPFixedLengthIOS@Net@Poco@@

.?AVHTTPFixedLengthInputStream@Net@Poco@@

.?AVHTTPFixedLengthOutputStream@Net@Poco@@

.?AVHTTPFixedLengthStreamBuf@Net@Poco@@

.?AVHTTPChunkedStreamBuf@Net@Poco@@

.?AVHTTPChunkedIOS@Net@Poco@@

.?AVHTTPChunkedInputStream@Net@Poco@@

.?AVHTTPChunkedOutputStream@Net@Poco@@

%WinDir%\winipbin

urluxui32.dll

8.3.1121

nipbin\sgvrfy32.exe

%WinDir%\winipbin\sgvrfy32.exe

78v8

4#5*51585

9 9$9(9,:3:

868<8^8|8

=!='=6=<=_=

?#? ?2?8?

293f3w3

8&999[9{9

00y0

77w7

99

:$;(;,;0;4;8;

=4>8><>@>

=#>,>5>}>

1$24282<2@233 4'4

7x7%8U8

435=5{547

8#8/898[8

7%7/787]8

0 0$0(0,0

0!0%0)0-010

142=2[2}2

3034383<3

=1=9=@={>

6 6$6(6,6064686<6

8 8$8(8,8084888<8

9Ÿ9

; ;$;(;,;0;4;8;<;

5$5,5054585<5

; ;$;(;,;0;4;8;

0 0$0(0,0004080

6(646<6\6

4(444<4\4

8,888@8`8

2(242<2\2

0,080@0`0

1,181@1`1

<,<8<@<`<

2 2(242\2

5,585@5`5

=$=8=@=`=

5(545<5\5

4,484@4`4

9,989\9|9

: :$:(:,:0:4:8:<:

set[@name="%S"]

777705555443332

5555443332

5555443332

Spector Web Filter Server

Spector 360 SQL Server

KERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

mscoree.dll

wUSER32.DLL

789:;<=>?

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   SPSetup33757_Settings.exe:544
   wscript.exe:1680
   clntinsthlp.exe:1072
   %original file name%.exe:556
   sgvrfy32.exe:252
   sgvrfy32.exe:776

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\ra.dll (15021 bytes)
   %WinDir%\winipbin\cmproxfr.dll (290 bytes)
   %WinDir%\winipbin\rcxaemap.dll (1755 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UUU3.tmp (106 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UUU2.tmp (106 bytes)
   %WinDir%\winipbin\urluxui32.dll (4283 bytes)
   %WinDir%\winipbin\bissimo.dll (245 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\UUU1.tmp (106 bytes)
   %WinDir%\winipbin\eanipw.dll (3880 bytes)
   %WinDir%\winipbin\svrltwp.dll (3691 bytes)
   %WinDir%\winipbin\quasimo.dll (3760 bytes)
   %WinDir%\Logs\splog.txt (20296 bytes)
   %WinDir%\winipbin\vdorctrl.dll (15021 bytes)
   %WinDir%\winipbin\mossimo.dll (281 bytes)
   %WinDir%\winipbin\sgvrfy32.exe (17629 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\MSVxRsc.dll (15021 bytes)
   %WinDir%\winipbin\svrltmgr.dll (15021 bytes)
   %System%\clntprxy.dll (601 bytes)
   %System%\clntprxyio.dll (31 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\install.vbs (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Client360ProxyX86.dll (1704 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\clntinsthlp.exe (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\Client360ProxyX64.dll (1401 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\clntprxyio.dll (130 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\SPSetup33757_Settings.exe (309363 bytes)
   %System%\wbem\Logs\wbemprox.log (75 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
   "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.