Application.Keylogger.Spector.B_44fa48b9c1

by malwarelabrobot on August 11th, 2014 in Malware Descriptions.

not-a-virus:HEUR:Monitor.Win32.SpectorPro.heur (Kaspersky), Application.Keylogger.Spector.B (AdAware), Trojan.Win32.Swrort.3.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Keylogger, Trojan, Worm, EmailWorm, Monitor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 44fa48b9c193a3dc8a132e1719976e26
SHA1: 49599a203e8f3aef1f287b3720fd0f82eb934520
SHA256: 9a2cb0d855f0c97cda944e72f34e0f9763f472a958da5d97b52d536b4442dcf0
SSDeep: 393216:Hzb2CR16xq8WDFstdvzHodhIO4monUuuu1918U:Hzb2CR1iWDYRHojRNoUuuq18U
Size: 14962272 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-25 21:13:38
Analyzed on: WindowsXP SP3 32-bit


Summary:

Keylogger. Tracking software that records keyboard and/or mouse activity. Keyloggers typically either store the recorded keystrokes for later retrieval or transmit them to the remote process or person employing the keylogger. While there are some legitimate uses of keyloggers, they are often used maliciously by attackers to surreptitiously track behavior in order to perform unwanted or unauthorized actions, including but not limited to identity theft.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Application creates the following process(es):

sgvrfy32.exe:1184
sgvrfy32.exe:1864
%original file name%.exe:332

The Application injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:332 makes changes in the file system.
The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ra.dll (7972 bytes)
%WinDir%\winipbin\urluxreg32.dll (5744 bytes)
%WinDir%\winipbin\svrltmgr.dll (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSVxRsc.dll (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU7F.tmp (102 bytes)
%WinDir%\winipbin\svrltwp.dll (1723 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU7D.tmp (102 bytes)
%WinDir%\winipbin\cmproxfr.dll (279 bytes)
%WinDir%\winipbin\vdorctrl.dll (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU7E.tmp (102 bytes)
%WinDir%\winipbin\sgvrfy32.exe (7386 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ra.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MSVxRsc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UUU7F.tmp (0 bytes)

Registry activity

The process sgvrfy32.exe:1184 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 64 11 6F 40 6C C1 F6 41 DD A5 B4 83 3F 80 62"

The process sgvrfy32.exe:1864 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 8A 03 FA 0C D5 5C 6B B2 8F BA ED A7 C1 73 E1"

[HKLM\System\CurrentControlSet\Services\System Event Dispatcher]
"Description" = "Dispatches system events, such as Windows logons, user inactivity, and shutdown notifications."

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSVxRsc.dll, , \??\%WinDir%\winipbin\msocxusys.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\ra.dll, , \??\c:\windows\winipbin\sgvrfy32.log,"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\System Event Dispatcher]
"EventMessageFile" = "%WinDir%\winipbin\sgvrfy32.exe"
"TypesSupported" = "7"
"ParameterMessageFile" = "%WinDir%\winipbin\sgvrfy32.exe"

The process %original file name%.exe:332 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:

[HKCR\CLSID\{0DF187A3-A074-4828-8983-E5B987CA4AF7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MSVxRsc.dll,"

[HKCR\CLSID\{26297DF6-6639-4C47-AD25-ED60D7A431F6}]
"(Default)" = "Macohbat"

[HKCR\CLSID\{0DF187A3-A074-4828-8983-E5B987CA4AF7}]
"(Default)" = "serewmic"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%\winipbin]
"sgvrfy32.exe" = "sgvrfy32"

[HKCR\Resitmov]
"(Default)" = "Macohbat"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{26297DF6-6639-4C47-AD25-ED60D7A431F6}\ProgID]
"(Default)" = "Resitmov"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Winipdat" = "{0DF187A3-A074-4828-8983-E5B987CA4AF7}"

[HKCR\CLSID\{0DF187A3-A074-4828-8983-E5B987CA4AF7}\InprocServer32]
"(Default)" = "%WinDir%\winipbin\vdorctrl.dll"

[HKCR\CLSID\{26297DF6-6639-4C47-AD25-ED60D7A431F6}\InprocServer32]
"(Default)" = "%WinDir%\winipbin\svrltmgr.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 27 CB C2 B8 5E 3B 84 7D E8 1C 8B EC D9 1B 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{F105F8A8-9D47-4942-B13B-DAC8DF268396}\InprocServer32]
"(Default)" = "%WinDir%\winipbin\wzodlg32.dll"

[HKCR\Resitmov\CLSID]
"(Default)" = "{26297DF6-6639-4C47-AD25-ED60D7A431F6}"

[HKCR\CLSID\{26297DF6-6639-4C47-AD25-ED60D7A431F6}\InprocServer32]
"ThreadingModel" = "Apartment"

The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Application modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Application deletes the following registry key(s):

[HKCR\CLSID\{Cb8DE863-0561-4ffd-9B86-5BA2E941BA52}]

The Application deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"(Default)"
"WebExtLocation"

The Application disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCheckStub"

Dropped PE files

MD5 File path
98605cec27763eba245273b47fc4a95b c:\WINDOWS\winipbin\cmproxfr.dll
6c59d79010e74fd9ea86b2087bd4f813 c:\WINDOWS\winipbin\sgvrfy32.exe
a3dc721cf85b63cdcb8ab32eef501e00 c:\WINDOWS\winipbin\svrltmgr.dll
f3f286abb682f50a193ada9dffe58321 c:\WINDOWS\winipbin\svrltwp.dll
a70d2b9fdb427f0762c47042d25a8bed c:\WINDOWS\winipbin\vdorctrl.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1374476 1374720 4.54499 ed5d0299a14f99f2a41e6e59f229dd12
.rdata 1380352 422481 422912 2.89373 d443192d9a49ab99980bd964cc3f8184
.data 1806336 41924 16896 2.42125 a90aad57b3dda01f48ffa330f75b0113
.rsrc 1851392 12904136 12904448 5.43259 ba606cd0b3f014ad7ca451f595b02f38
.reloc 14757888 133504 133632 3.30089 59c0fb072da6ffc9c6232abb43730b95

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 5
504c71171e81c746cd2293ac4cb3f1ce
19e485ae0a81b8287fcafbdc13b236aa
7f47610632cc3fa3ec85d43b6ae8aa7b
2b2aa55cff84401863bcc096d96dafdf
41e973209cbdecc163e2937080f49a0e

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Application connects to the servers at the following location(s):

sgvrfy32.exe_1184:

unsupported file format
no such trigger: %S
unable to open database: %s
database %s is already in use
too many attached databases - max %d
sqlite_sequence
there is already an index named %s
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
unable to identify the object to be reindexed
no such table: %s
sqlite_subquery_%p_
cannot create INSTEAD OF trigger on table: %S
cannot create %s trigger on view: %S
cannot open %s column for writing
no such column: "%s"
cannot open view: %s
cannot open virtual table: %s
indexed
foreign key
sqlite_altertab_%s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
CREATE%s INDEX %.*s
table %s has no column named %s
sqlite_autoindex_%s_%d
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s may not be indexed
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
table "%s" has more than one primary key
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
CREATE %s %.*s
view %s is circularly defined
table %S has no column named %s
%d values for %d columns
table %S has %d columns but %d values were supplied
*** in database %s ***
unsupported encoding: %s
foreign_key_list
no such column: %s
there is already another table or index with this name: %s
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
-- TRIGGER %s
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
DELETE FROM %s.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
use DROP TABLE to delete table %s
table %s may not be dropped
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
GetProcessWindowStation
operator
Service.pdb
WSOCK32.dll
DisconnectNamedPipe
ConnectNamedPipe
CreateNamedPipeA
GetWindowsDirectoryA
WinExec
GetProcessHeap
KERNEL32.dll
GetKeyNameTextA
MapVirtualKeyA
GetKeyboardLayout
ExitWindowsEx
MapVirtualKeyExA
USER32.dll
GDI32.dll
RegCloseKey
RegGetKeySecurity
RegOpenKeyExA
RegSetKeySecurity
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
ReportEventA
RegCreateKeyA
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
GetCPInfo
PeekNamedPipe
vdorctrl.dll
vdorctrl2.dll
svrltmgr.dll
svrltmgr64.dll
mxcrsc32.exe
snxapi.exe
vdorctrl.sys
wshvtx.exe
secadtr.dll
cmproxfr.dll
ashl16.dll
ashl32.dll
sgvrfy32.exe
nmcpusym.dll
xsysym.dll
svrltwp.dll
svrltwp64.dll
svrlser.dll
vidithnk.dll
wzodlg32.dll
winipdat.log
safser32.dll
ntvshl.exe
mzsyk32.dll
SOFTWARE\Classes\CLSID\{F105F8A8-9D47-4942-B13B-DAC8DF268396}
zcÁ
nipbin\sgvrfy32.exe
7.4.1112
%WinDir%\winipbin
urluxreg32.dll
%WinDir%\winipbin\sgvrfy32.exe
4$444*5=5
=!=1=]=|=
2 2(212:2
2P2U2E3J3E4D4S4
^70888"9-9
4"5)50575=5
4 4$4(4,40444
607\7}7`9
8%9U9z9
1 1$1(1,1014181
5(545<5\5
>$>8>@>`>
2(242<2\2
=,=8=@=`=
>(>4><>\>
= =4=<=\=
;,;8;@;`;
0 0$0(0,00080
set[@name="%S"]
777705555443332
5555443332
5555443332
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    sgvrfy32.exe:1184
    sgvrfy32.exe:1864
    %original file name%.exe:332

  2. Delete the original Application file.
  3. Delete or disinfect the following files created/modified by the Application:

    %Documents and Settings%\%current user%\Local Settings\Temp\ra.dll (7972 bytes)
    %WinDir%\winipbin\urluxreg32.dll (5744 bytes)
    %WinDir%\winipbin\svrltmgr.dll (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MSVxRsc.dll (9606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UUU7F.tmp (102 bytes)
    %WinDir%\winipbin\svrltwp.dll (1723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UUU7D.tmp (102 bytes)
    %WinDir%\winipbin\cmproxfr.dll (279 bytes)
    %WinDir%\winipbin\vdorctrl.dll (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UUU7E.tmp (102 bytes)
    %WinDir%\winipbin\sgvrfy32.exe (7386 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
