SearchProtect_12fd3fdd30

by malwarelabrobot on May 13th, 2014 in Malware Descriptions.

Behaviour:
PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.


The description has been automatically generated by Lavasoft program Analysis System and it may contain incomplete or inaccurate information.

MD5: 12fd3fdd30842b7b335c8b3e984bec2b
SHA1: 9fe1f2b1fb6f2e1bbbe7b068cd5f79832c36be39
SHA256: 0d214af9bc5e43a3a4036c43939e650ca57aa16cc5ecf55ff72af097081aec1c
SSDeep: 49152:OPwLxnxU03/7or20GcszfC4GHcRZms43faM5/QxiuO1G2eon VK7lv:O88kcszfLG8RZJ6/Qkueeon VKRv
Size: 2336800 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Conduit
Created at: 2011-07-06 17:31:20
Analyzed on: Windows XP SP3 32-bit


Summary:

Payload

No specific payload has been found.

Process activity

The program creates the following process(es):

%original file name%.exe:2032
CltMngSvc.exe:2104
CltMngSvc.exe:2092
cltmng.exe:2516
cltmng.exe:1196
nst29.exe:632
SPRunner.exe:884
nsj2E.exe:2944

The program injects its code into the following process(es):
No processes have been created.

File activity

The process %original file name%.exe:2032 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\json2.js (784 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\settings.js (11 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
%Program Files%\SearchProtect\ffprotect\application.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\nsprotector.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\main.html (2 bytes)
%Program Files%\SearchProtect\bin\SPHook64.dll (21216 bytes)
%Program Files%\SearchProtect\Dialogs\dialogsApi.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\information.png (2 bytes)
%Program Files%\SearchProtect\ffprotect\nsprotector.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\main.html (2 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\bubble.css (1 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
%Program Files%\SearchProtect\bin\ChromeModule.dll (33455 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
%Program Files%\SearchProtect\bin\FirefoxModule.dll (41699 bytes)
%Program Files%\SearchProtect\ffprotect\abstraction.js (52 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.js (6 bytes)
%Program Files%\SearchProtect\bin\InternetExplorerModule.dll (44462 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2E.exe (3616 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\dialogsApi.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\separation-line.png (938 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso27.tmp (227043 bytes)
%Program Files%\SearchProtect\bin\SPTool64.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd28.tmp\ConduitMsTimestamp.dll (3616 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPHook64.dll (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd28.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\images\warning.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\images\x-mouseover-LTR.png (1 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-default-LTR.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe (105913 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\SearchProtector.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\settings.js (11 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\ok-button.png (1 bytes)
%Program Files%\SearchProtect\bin\uninstall.exe (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2C.tmp (741694 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\CltMngSvc.exe (8184 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\images\warning.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\bubble.js (6 bytes)
%Program Files%\SearchProtect\bin\SPHook32.dll (20416 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\application.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2D.tmp (1856 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPHook32.dll (20416 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\SearchProtector.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\json2.js (784 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\main.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst29.exe (3616 bytes)
%Program Files%\SearchProtect\bin\CltMngSvc.exe (8184 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\information.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\abstraction.js (52 bytes)
%Program Files%\SearchProtect\bin\SPRunner.exe (22552 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-default-RTL.png (1 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPTool64.exe (15536 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\bubble.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spsd\settings.js (11 bytes)
%Program Files%\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spsd\images\ok-button.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\spbd\main.html (986 bytes)
%Program Files%\SearchProtect\bin\cltmng.exe (105913 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\images\x-mouseover-RTL.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\lib\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\Dialogs\dialogsApi.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\lib\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\FirefoxModule.dll (41699 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\Dialogs\spbd\main.html (986 bytes)
%Program Files%\SearchProtect\Dialogs\spsd\images\separation-line.png (938 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\popupTransparent.xul (1 bytes)
%Program Files%\SearchProtect\Dialogs\lib\json2.js (784 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\SPRunner.exe (22552 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\InternetExplorerModule.dll (44462 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\ChromeModule.dll (33455 bytes)
%Program Files%\SearchProtect\Dialogs\spbd\main.html (986 bytes)

The program deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd28.tmp\ConduitMsTimestamp.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd28.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy26.tmp (0 bytes)

The process cltmng.exe:1196 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\SearchProtect\ffprotect\SProtectorRepository\EN (1512 bytes)
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\rep.dat (1981 bytes)

The process nst29.exe:632 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz2B.tmp\inetc.dll (24 bytes)

The program deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2B.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2B.tmp\a.txt (0 bytes)

The process SPRunner.exe:884 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Program Files%\Mozilla Firefox\browser\chrome.manifest (258 bytes)
%Program Files%\Mozilla Firefox\browser\nsprotector.js (1 bytes)

The process nsj2E.exe:2944 makes changes in the file system.
The program creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk30.tmp\inetc.dll (24 bytes)

The program deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk30.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk30.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2F.tmp (0 bytes)

Registry activity

The process %original file name%.exe:2032 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 8C 8A 12 9D 96 69 27 7D B5 5F 31 64 FA D6 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayVersion" = "1.7.0.72"

[HKCU\Software\SearchProtect\ffprotect]
"ffHomepage" = "{}"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2B.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd28.tmp\,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\SearchProtect]
"SPID" = "SP8ABC9271-93D9-43BD-AC03-9E81B6D82F0F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"Publisher" = "Conduit"

[HKCU\Software\SearchProtect\ffprotect]
"ffSettings" = "{}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayIcon" = "%Program Files%\SearchProtect\bin\cltmng.exe"

[HKLM\SOFTWARE\SearchProtect]
"Environment" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayName" = "Search Protect by conduit"
"UninstallString" = "%Program Files%\SearchProtect\bin\uninstall.exe /S"

To automatically run itself each time Windows is booted, the program adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SearchProtectAll" = "%Program Files%\SearchProtect\bin\cltmng.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SearchProtect" = "%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe"

The program deletes the following value(s) in system registry:
The program disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallCleanUp"

The process CltMngSvc.exe:2104 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 79 12 53 B6 F1 DE 7C B3 79 C9 C3 AB 68 1E 2F"

The process CltMngSvc.exe:2092 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 3A F8 C9 19 A9 9E C9 10 CB 82 D8 54 C0 37 80"

The process cltmng.exe:2516 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 5C 41 16 F7 FA E3 30 64 C3 B8 32 59 F2 E1 A8"

The process cltmng.exe:1196 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 D3 C2 B0 0B 62 6B ED 13 A5 68 FC 2B 89 EA 21"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\SearchProtect\ffprotect]
"ffHomepage" = "{}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\SearchProtect\ffprotect]
"ffKeepAlive" = "{timestamp: 1399992598}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\SearchProtect\ffprotect]
"ffSettings" = "{}"

The program modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The program modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The program modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The program deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nst29.exe:632 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 76 7A BE FE 0D 11 70 3B D0 4E 89 5A 3F 5A 55"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2B.tmp\,"

The program modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The program modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The program modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The program deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process nsj2E.exe:2944 makes changes in the system registry.
The program creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 B0 C3 CD 18 86 26 AD CF D0 73 F3 59 3C 8F 77"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz2B.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd28.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk30.tmp\,"

The program modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The program modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The program modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The program deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
46d71381bd7609dc5ef9372dec3bd713 c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\ChromeModule.dll
d76786ba05443c6fdd0184e0838e9968 c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\CltMngSvc.exe
86f4c9976c2c91742ca37cca83c9240a c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\FirefoxModule.dll
536631a821dfc158d248566d5d1b5f10 c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\InternetExplorerModule.dll
3202bcc7a2e920dd049e357c720b9562 c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\SPHook32.dll
134bcf1e18fccf48054547bb5dd2775e c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\SPHook64.dll
196909a9dc2265c21aa49bd9cfa319aa c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\SPRunner.exe
539887fe850807a17260fafa1a5a37ba c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\SPTool64.exe
0a89171e6f87ea8848f6fbbee8ad366e c:\Documents and Settings\"%CurrentUserName%"\Application Data\SearchProtect\bin\cltmng.exe
cbb0857b4e4c5d947a0933733f19affc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj2E.exe
cbb0857b4e4c5d947a0933733f19affc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst29.exe
46d71381bd7609dc5ef9372dec3bd713 c:\Program Files\SearchProtect\bin\ChromeModule.dll
d76786ba05443c6fdd0184e0838e9968 c:\Program Files\SearchProtect\bin\CltMngSvc.exe
86f4c9976c2c91742ca37cca83c9240a c:\Program Files\SearchProtect\bin\FirefoxModule.dll
536631a821dfc158d248566d5d1b5f10 c:\Program Files\SearchProtect\bin\InternetExplorerModule.dll
3202bcc7a2e920dd049e357c720b9562 c:\Program Files\SearchProtect\bin\SPHook32.dll
134bcf1e18fccf48054547bb5dd2775e c:\Program Files\SearchProtect\bin\SPHook64.dll
196909a9dc2265c21aa49bd9cfa319aa c:\Program Files\SearchProtect\bin\SPRunner.exe
539887fe850807a17260fafa1a5a37ba c:\Program Files\SearchProtect\bin\SPTool64.exe
0a89171e6f87ea8848f6fbbee8ad366e c:\Program Files\SearchProtect\bin\cltmng.exe
ea8833537f79d2bd0fb19f4d10231c3e c:\Program Files\SearchProtect\bin\uninstall.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Conduit
Product Name: Search Protect
Product Version: 1.7.0.72
Legal Copyright: 2012 (c) Conduit. All rights reserved.
Legal Trademarks:
Original Filename: SearchProtect (R) P
Internal Name: Unknown
File Version: 1.7.0.72
File Description: Search Protect by Conduit
Comments:
Language: Language Neutral

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy    Section MD5
.text    4096              25506          25600      4.49191    3291075913c14a1799655a261fb21cca
.rdata   32768             6386           6656       3.3883     170563e94de7ebfd6e622a164ce38c8a
.data    40960             419484         512        0.991115   23d69b1e3a55dee07701198b7650a06b
.ndata   462848            1642496        0          0          d41d8cd98f00b204e9800998ecf8427e
.rsrc    2105344           36984          37376      4.09452    3a34d048205e5244e81b510137cc5436

Dropped from:

Downloaded by:

Similar by SSDeep:

b9527a4060835d7e61f34676fd217dfd
89bbf2a124b4f648b227877779364f7e
e693c884bcb191222313c106d4ecae0f

Similar by Lavasoft Polymorphic Checker:

Total found: 2
2e6ba9375e72306f1b3087338bccac7f
765c1e65d2dde64a60a273f3998cf22f

URLs

URL IP
hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/
hxxp://sp-installer.conduit-data.com/ 50.16.210.106
sp-settings.spccint.com 23.32.152.11
servicemap.conduit-services.com 23.45.35.152
sp-translation.conduit-services.com 23.45.35.152
sp-autoupdate.conduit-services.com 23.45.35.152


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 496
Connection: Keep-Alive
Cache-Control: no-cache

{"event_type":"install_start","SP_ID":"SP8ABC9271-93D9-43BD-AC03-9E81B6D82F0F","SP_version":"1.7.0.72","carrier_type":"","carrier_ID":"","carrier_version":"","carrier_userid":"","carrier_UM":"","OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)","OS_version":"5.1","hp_takeover":"false","other_takeover":"false","environment":"","sequence_timestamp":"1399992589483","browser":"UNKNOWN","browser_version":"", "installation_session_id":"IB9476675-FD9A-4171-9D68-92486F905A14"}
HTTP/1.1 202 Accepted
Date: Tue, 13 May 2014 14:49:56 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive


The program connects to the servers at the following location(s):

CltMngSvc.exe_2104:


cltmng.exe_1196:

Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
pubkey
PEM part of OpenSSL 1.0.0e 6 Sep 2011
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
X509 CERTIFICATE
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
DSA part of OpenSSL 1.0.0e 6 Sep 2011
priv_key
pub_key
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
ERAND part of OpenSSL 1.0.0e 6 Sep 2011
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
lhash part of OpenSSL 1.0.0e 6 Sep 2011
Stack part of OpenSSL 1.0.0e 6 Sep 2011
Diffie-Hellman part of OpenSSL 1.0.0e 6 Sep 2011
value.single
value.set
ASN.1 part of OpenSSL 1.0.0e 6 Sep 2011
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
EVP part of OpenSSL 1.0.0e 6 Sep 2011
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*s%s:
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
AUTHORITY_KEYID
keyid
cert_info
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
EC part of OpenSSL 1.0.0e 6 Sep 2011
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
SHA1 part of OpenSSL 1.0.0e 6 Sep 2011
SHA-256 part of OpenSSL 1.0.0e 6 Sep 2011
RIPE-MD160 part of OpenSSL 1.0.0e 6 Sep 2011
SHA part of OpenSSL 1.0.0e 6 Sep 2011
MD5 part of OpenSSL 1.0.0e 6 Sep 2011
MD4 part of OpenSSL 1.0.0e 6 Sep 2011
CAST part of OpenSSL 1.0.0e 6 Sep 2011
Blowfish part of OpenSSL 1.0.0e 6 Sep 2011
:RC2 part of OpenSSL 1.0.0e 6 Sep 2011
IDEA part of OpenSSL 1.0.0e 6 Sep 2011
libdes part of OpenSSL 1.0.0e 6 Sep 2011
DES part of OpenSSL 1.0.0e 6 Sep 2011
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
%d.%d.%d.%d
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:
X400Name:
othername:
%d.%d.%d.%d/%d.%d.%d.%d
X509_CERT_PAIR
X509_CERT_AUX
X.509 part of OpenSSL 1.0.0e 6 Sep 2011
x%s
%s - d:d:d%.*s %d%s
3ECDSA part of OpenSSL 1.0.0e 6 Sep 2011
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
keylength
keyfunc
.\crypto\pkcs12\p12_key.c
'() ,-./:=?
%lu:%s:%s:%d:%s
Verifying - %s
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
CONF part of OpenSSL 1.0.0e 6 Sep 2011
PROXY_CERT_INFO_EXTENSION
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
CONF_def part of OpenSSL 1.0.0e 6 Sep 2011
[[%s]]
[%s] %s=%s
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
ECDH part of OpenSSL 1.0.0e 6 Sep 2011
%s.dll
Main.cpp
14:55:56
P%d_T%d_Dld_ld_ld_Tld_ld_ld
- inflate 1.1.3 Copyright 1995-1998 Mark Adler
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Utils\FileHandler.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Utils\Logger\Log4cxxWrapper.cpp
\StringFileInfo\xx\%s
%d/%d/%d d:d:d
Module %d
Image Base: 0xx Image Size: 0xx
Checksum: 0xx Time Stamp: 0xx
File Size: %-10d File Time: %s
Company: %s
Product: %s
FileDesc: %s
FileVer: %d.%d.%d.%d
ProdVer: %d.%d.%d.%d
kernel32.dll
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 9
Windows Server 9
Web Server Edition
Windows Server 2003 R2
Windows Storage Server 2003
Windows Home Server
Windows XP Professional x64 Edition
Windows Server 2003
Web Edition
Windows XP
Windows 2000
(build %d)
This sample does not support this version of Windows.
Error occurred at %s.
Operating system: %s
Operating system: Could not Determine
%d processor(s), type %d.
%d%% memory in use.
%d MBytes physical memory.
%d MBytes physical memory free.
%d MBytes paging file.
%d MBytes paging file free.
%d MBytes user address space.
%d MBytes user address space free.
a Float Denormal Operand
a Float Invalid Operation
0xx:
EDI: 0xx ESI: 0xx EAX: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EFlags: 0xx ESP: 0xx SegSs: 0xx
%s\CRASH_REPORT_%s.txt
%s caused %s (0xx)
in module %s at x:x.
%s location x caused an access violation.
===== [end of %s] =====
%s\CRASH_DUMP_%s.dmp
Exception code is 0xX
Crash dump file: %s
Crash report file :%s
Error creating dump file, err=%d
WM_CTLCOLORMSGBOX
WM_VKEYTOITEM
WM_KEYDOWN
WM_KEYUP
WM_SYSKEYDOWN
WM_SYSKEYUP
WM_KEYLAST
WM_DDE_EXECUTE
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Utils\Utils.cpp
Utils::GetHttpHeaderData
Windows Vista
Windows Server 2008
Windows 7
Windows Server 2008 R2
Windows 8
Windows Server 2012
Windows 9
Windows Server 9
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\BaseModule\PingSender.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Services\ServiceManager.cpp
ServiceManager_::GetDefaultServiceMapUrl
ServiceManager_::SetServiceMapUrl
ServiceManager_::SetServiceMapUrlToSettings
ServiceManager_::HttpAsyncCallBack
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\SelfProtector\SelfProtector.cpp
key path:
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Dialogs\DialogsManager.cpp
DialogsManager_::HandleDialogInvokeSync
Navigation URL=
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\BrowserManager.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\ToolbarManager.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Settings\SettingsManager.cpp
SettingsManager_::ParseKeyValueSettings
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Main\SearchProtector.cpp
SearchProtector_::InitLoginService
SearchProtector_::GetAppDataExePath
the value the Arg has been passed.
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Main\CommandLineHandler.cpp
(1 , 7 , 0 , 72)
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\TranslationManager.cpp
TranslationManager_::GetServiceUrl
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Services\TimerBasedServiceHandler.cpp
TimerBasedServiceHandler::HttpAsyncCallBack
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Services\ServiceHandler.cpp
ServiceHandler::HttpAsyncCallBack
ServiceHandler::GetServiceUrl
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\AliasManager.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\SelfProtector\RegistryProtector.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\SelfProtector\ProtectorBase.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\SelfProtector\FilesProtector.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Dialogs\DialogBase.cpp
DialogBase::CompetitorURL
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Dialogs\SettingsDialog.cpp
SettingsDialog::GetNavigationURL
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\AssetHandlers\AssetHandler.cpp
, using default url :
, using url as is
AssetHandler::UpdateUrlParams
AssetHandler::MergeSearchUrlParameters
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Settings\ModuleSettingsManager.cpp
ModuleSettingsManager::GetAssetUrl
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Usages\UsageManager.cpp
UsageManager_::FlushReportsQueue
UsageManager_::FlushReport
UsageManager_::EnqueueReport
ErrorManager_::ReportError
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\ErrorManager.cpp
ErrorManager_::ReportErrors
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\SearchAssetsManager.cpp
SearchAssetsManager_::GetCtidAssetUrl
SearchAssetsManager_::GetCurrentAssetUrl
SearchAssetsManager_::SetUrlByCtidAndAsset
SearchAssetsManager_::GetUrlByCtidAndAsset
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Usages\TakeoverUsageData.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Settings\InitData.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\AssetHandlerClassFactory.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Main\FinishInstallHandler.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\BrowserUserCtid.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Settings\RepositoryManager.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Settings\InitDataManager.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Settings\ServerSettingsManager.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\UninstallManager.cpp
UninstallManager::RemoveSelfFromPendingFileRenameOperations
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\LoginManager.cpp
LoginManager::~LoginManager
LoginManager::LoginManager
LoginManager::RequestService
LoginManager::CreateInitialJson
LoginManager::GetBrowserSpecificData
LoginManager::GetInstalledCompetitors
LoginManager::ReqestServiceByBrowser
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\AutoUpdateManager.cpp
ShellExecute error
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Usages\ProtectionUserChangedAssetUsageData.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Usages\ProtectionUsageData.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Usages\UsageData.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Usages\BrowserSpecificUsageData.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\AssetHandlers\FFAssetHandler.cpp
FFAssetHandler::UpdateUrlParams
FFAssetHandler::GetRevertSettingsRegKeyByOS
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\AssetHandlers\IEAssetHandler.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\SearchProtectorLibrary\Usages\FunnelDataManager.cpp
FunnelDataManager_::ReportFunnelData
FunnelDataManager_::CreateInitialReportJson
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Utils\RegistryHandler.cpp
RegistryHandler::CreateKey
RegistryHandler::GetKey
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Utils\HTTP\HTTPManager.cpp
Conduit::SearchProtector::Utils::HTTPManager::AsyncThreadProc
Conduit::SearchProtector::Utils::HTTPManager::AsyncThreadProc_
Conduit::SearchProtector::Utils::HTTPManager::AsyncDownloadThreadProc
Conduit::SearchProtector::Utils::HTTPManager::RequestAsync
Conduit::SearchProtector::Utils::HTTPManager::CheckInternetConnection
Conduit::SearchProtector::Utils::HTTPManager::DownloadFileAsync
Conduit::SearchProtector::Utils::HTTPManager::AsyncDownloadThreadProc_
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Utils\TimerWindow.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Utils\DataChangeNotifier.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Utils\CompressionHandler.cpp
Content-Disposition: form-data; name="%s"; filename="%s"
Content-Disposition: form-data; name="%s"
https
HTTP/1.0
https://
Content-Type: application/x-www-form-urlencoded
http://
Content-Length: %u
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\BaseModule\BrowserModule.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\BaseModule\Data\UsersProfileData.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\BaseModule\Data\UserBrowserAsset.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\BaseModule\ToolbarSettings.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\BaseModule\Events\Event.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\BaseModule\Data\SearchAssetData.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\BaseModule\Data\BrowserAsset.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\BaseModule\ModuleAction.cpp
nWebBrowserContainer::WebBrowserContainer
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\DialogsLibrary\WebBrowserContainer.cpp
WebBrowserContainer::~WebBrowserContainer
WebBrowserContainer::Initialize
WebBrowserContainer::CreateExternal
WebBrowserContainer::Navigate
Failed Navigate bsUrl=
WebBrowserContainer::InitContainer
Calling Navigate bsUrl=
WebBrowserContainer::Finalize
WebBrowserContainer::SetLocation
WebBrowserContainer::AddBehaviorToBodyElement
WebBrowserContainer::SetVisible
WebBrowserContainer::OnBeforeNavigate
WebBrowserContainer::OnDocumentComplete
WebBrowserContainer::GetWindowContext
WebBrowserContainer::InjectJs
WebBrowserContainer::OnNavigateComplete
WebBrowserContainer::OnNavigateError
WebBrowserContainer::HasFocusIO
WebBrowserContainer::TranslateAcceleratorIO
WebBrowserContainer::OnRefresh
WebBrowserContainer::OnFocus
WebBrowserContainer::UIActivateIO
WebBrowserContainer::OnSize
WebBrowserContainer::OnRefreshComplete
WebBrowserContainer::FocusChange
WebBrowserContainer::SetAlphaColorKey
, m_pWebBrowser =
WebBrowserContainer::SetDragAndDropFiles
WebBrowserContainer::SetMainToolbarBrowserTransparent
WebBrowserContainer::InvokeSync
WebBrowserContainer::InvokeASync
WebBrowserContainer::SetInvokeSyncCallback
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\DialogsLibrary\WebBrowserDefs.cpp
WebBrowserExternal::~WebBrowserExternal
WebBrowserExternal::Invoke
WebBrowserExternal::OnApiWriteDebugString
WebBrowserExternal::WebBrowserExternal
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\DialogsLibrary\WebBrowserExternal.cpp
WebBrowserExternal::GetDispatch
WebBrowserExternal::GenerateFunctionsAndDISPIDs
WebBrowserExternal::GetTypeInfo
WebBrowserExternal::GetTypeInfoCount
WebWindow::WindowProc_
WebWindow::WebWindow
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\DialogsLibrary\WebWindow.cpp
WebWindow::~WebWindow
WebWindow::OnKillFocus
WebWindow::OnSetFocus
WebWindow::Show
WebWindow::Create
WebWindow::GetClientRect
WebWindow::GetWindowRect
WebWindow::OnEraseBackground
WebWindow::SetAlphaColorKey
CWebBrowserFocusWnd::~CWebBrowserFocusWnd
CWebBrowserFocusWnd::CWebBrowserFocusWnd
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\DialogsLibrary\WebBrowserFocusWnd.cpp
WebBrowserDispatcher::~WebBrowserDispatcher
WebBrowserDispatcher::InitGIT
WebBrowserDispatcher::WebBrowserDispatcher
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\DialogsLibrary\WebBrowserDispatcher.cpp
WebBrowserDispatcher::GetIDsOfNames
WebBrowserDispatcher::GetDocumentInterface
WebBrowserDispatcher::DisconnectAllHtmlEvents
WebBrowserDispatcher::ConnectEvents
WebBrowserDispatcher::DisconnectEvents
WebBrowserDispatcher::Invoke
WebBrowserDispatcher::OnNavigateError
WebBrowserDispatcher::OnWindowStateChanged
WebBrowserDispatcher::OnDocumentComplete
WebBrowserDispatcher::OnBeforeNavigate
WebBrowserDispatcher::OnNavigateComplete
WebBrowserDispatcher::OnDownloadComplete
WebBrowserDispatcher::OnDownloadBegin
WebBrowserDispatcher::OnWindowClosing
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Utils\BaseWnd.cpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\SearchProtector\Dev\1.7.0\Output\Release\bin\cltmng.pdb
SetProcessShutdownParameters
KERNEL32.dll
USER32.dll
SHLWAPI.dll
VERSION.dll
PSAPI.DLL
dbghelp.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
CreateIoCompletionPort
GetProcessHeap
GetCPInfo
GDI32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
UrlUnescapeW
InternetCrackUrlW
HttpQueryInfoA
HttpSendRequestExW
HttpSendRequestW
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpEndRequestW
WININET.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegNotifyChangeKeyValue
ReportEventA
COMCTL32.dll
.?AVwindows_file_codecvt@@
.?AVIHttpAsyncCallback@Utils@SearchProtector@Conduit@@
.?AV?$thread_data@V?$bind_t@XV?$BindThis2@_NVDialogsManager_@@PAVIWebBrowserContainer@@PAUtagDISPPARAMS@@@@V?$list2@V?$value@PAVIWebBrowserContainer@@@_bi@boost@@V?$value@PAUtagDISPPARAMS@@@23@@_bi@boost@@@_bi@boost@@@detail@boost@@
.?AV?$sp_counted_impl_p@VLoginManager@@@detail@boost@@
.?AVCmdLineInterface@TCLAP@@
.?AVCmdLineParseException@TCLAP@@
.?AVCmdLineOutput@TCLAP@@
.?AVCmdLine@TCLAP@@
.?AVLoginManager@@
.?AVIWebBrowserContainer@@
.?AVWebBrowserDispatcher@@
.?AVWebBrowserContainer@@
.?AVWebWindow@@
.?AVWebBrowserExternal@@
.?AVCWebBrowserFocusWnd@@
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
<&< <:
combase.dll
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
portuguese-brazilian
Login
LoggerConfig.xml
1.7.0.72
SetProcessShutdownParameters ,bRet:
CreateIoCompletionPort, hFile=
Error in CreateIoCompletionPort, err
Exit function. uiKey=
uiMonitorKey=
MonitorDirectoryThread(): I/O Operation has been canceled, Stopped=
CloseHandle on hDirOPPort, GetLastError=
PWM_SYSKEYUP
AIDispatch error #%d
user32.dll
Clog4cxx.dll
Firefox
Chrome
SOFTWARE\Microsoft\Windows NT\CurrentVersion
wUrl=
https://servicemap.conduit-services.com/sp
https://servicemap.qaconduit-services.com/sp
Exit function. wUrl=
ChromeModule.dll
FirefoxModule.dll
InternetExplorerModule.dll
rep.dat
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/smart_ptr/shared_ptr.hpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/thread/win32/thread_primitives.hpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/thread/win32/thread_heap_alloc.hpp
detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0
Unsupported dialog position =
cNot enough arguments were passed
Finish Reason is unsupported =
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/smart_ptr/scoped_ptr.hpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/signals2/detail/auto_buffer.hpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/signals2/detail/signal_template.hpp
_shared_state.unique()
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/signals2/detail/slot_groups.hpp
this_map_it != _group_map.end()
it != _list.end()
map_it != _group_map.end()
weakly_equivalent(map_it->first, key)
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/optional/optional.hpp
members_.capacity_ >= N
members_.capacity_ >= n
size_ <= members_.capacity_
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/variant/detail/visitation_impl.hpp
D:\builds\34\Search Protector\SP-1.7.0-CI\Sources\3rdParty\Boost\boost_1_53_0\boost/variant/detail/forced_return.hpp
Missing Export entries in DLL
!pAssetChangedData
pAssetEvent == NULL
Enter function. wkey=
GetSetting wkey=
GetSetting failed getting wkey=
Overwritting previous setting. key=
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect
SOFTWARE\Microsoft\Windows\CurrentVersion
fmsvcp100.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
ymsvcr100.dll
GetProccessID Failed on explorer.exe!
yIntegrity level is high while explorer.exe is not!
Software\Microsoft\Windows\CurrentVersion\Run
m_InitDataChangeQueue.size() =
Missing array of translated keys!
translatedKeys
keyId
Couldn't find translation for key
sCouldn't find default translation for key
Enter function. wKey=
Interval hasn't passed yet for
data.iRefreshInterval=
Getting service failed. URL:
. HTTP Code:
Exit function. Failed getting Client Log service, Not reporting error on it,Avoid Poison Reverse
Key has changed!
g..\Dialogs\spsd\main.html
No knowledge of current url for asset.
KnownUrlForState
Current url:
No last known url (Shouldn't happen). Sending Asset change event
, Known url=
CurrentUrl=
wCurrentUrl=
PreviousUrl=
!pAssetChangeEvent || !pAssetChangeEvent->NewAssetData()
MyKnownUrl=
NewUrl=
Unable to parse CTID from new conduit search URL:
Not protecting firefox!
This lose event already executed.
e, new URL
, prev URL
Url found as invalid
Failed to build default url :
http://search.conduit.com/?ctid=
No valid url to takeover with
Url before update:
m_pSearchAssetData->Url()=
SearchAssetManaget->GetCtidAssetUrl failed for CTID:
aggressiveTakeoverWindowSec
wNewUrl=
Enter function. wMainUrl=
wMainUrl=
Enter function. wSearchApiCtidUrl=
aNew url and search api urls are identical. Nothing to merge or takeover.
Set key path [
Enqueuing usage report:
No queued usages to report
Unable to build usage report
Deleted the error report from requests map =
CRASH*.txt
tKeepCrashReports
Maxed out retries count for error report:
CRASH*.dmp
HomePageUrl
SearchUrl
takeover_url
SPSetup.exe
tPathToExe
pSoftware\Mozilla\Mozilla Firefox
Change in exe directory detected.
serviceMapUrl
3.6.0.0
3.7.0.0
CustomizedAssetUrl
Unknown server setting. key =
PendingFileRenameOperations
Unable to get current Asset URL for
LoginData=
Not sending login for browser =
Sending login for browser =
autoUpdateModuleUrl
.AutoUpdateDownloadUrl
Invalid URL
Starting download: m_wAutoUpdateURL=
DownloadFileAsync Error. Unable to download auto-update file, URL:
SPUpdater.exe
lReg Key:
Url Reverted to
revertedUrl
different from new url
d-d-d d:d:d
RegCloseKey failed. Name=
hKey is null. Error code:
RegCloseKey failed
, bKeyExist=
RegCreateKeyExW failed
ExitFunction hKey = 0x
rRegNotifyChangeKeyValue failed
pHttpAsyncData == NULL
Deleting pHttpAsyncData
Exception(...) while trying to send HTTP request
Exception while trying to send HTTP request
wUrl=
Tsearch.qasite.com
search.conduit.com
%s%s%s
], Url[
Shell.Explorer
Failed reciving IWebBrowser 2 from IUnknown
EnterFunction bsUrl=
Navigate received null Url
WebWindow::Create failed
Exception: Navigate failed!!! url=
m_pWebBrowser is NULL !!!
Browser is busy navigation will not be execute
Stoping IWebBrowser2 ...
m_pWebBrowser->Stop failed. hRes=
=get_URL failed
eEnterFunction clrColorKey =
SetAlphaColorKey failed
Windows.External.writeDebugString
Windows.External.InvokePlatformAction: param 1 is not string
SP_Web_Window
Failed to load user32.dll
m_pWebBrowser is NULL
SPHOOK_MSG_USER_CHANGED_HOMEPAGE
SPHOOK_MSG_NEW_WINDOW_CREATED
SPHOOK_MSG_IE_FRAME_ACTIVATED
SPHOOK_MSG_USER_CHANGED_SEARCH_PROVIDER
SPHOOK_REGISTRY_CHANGED_MSG
SPHOOK_MSG_END_HOOK
WSetWindowSubclass Failed
Assertion failed: %s, file %s, line %d
%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe
All Files (*.*)
No error message is available.
Attempted an unsupported operation.
A required resource was unavailable.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
Encountered an unexpected error while reading %1.
Encountered an unexpected error while writing %1.
Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.
Recover the auto-saved documents
%s [Recovered]


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2032
    CltMngSvc.exe:2104
    CltMngSvc.exe:2092
    cltmng.exe:2516
    cltmng.exe:1196
    nst29.exe:632
    SPRunner.exe:884
    nsj2E.exe:2944

  2. Delete the original program file.
  3. Delete or disinfect the following files created/modified by the program:


  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SearchProtectAll" = "%Program Files%\SearchProtect\bin\cltmng.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SearchProtect" = "%Documents and Settings%\%current user%\Application Data\SearchProtect\bin\cltmng.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
