MD5: 6585c1ccff5df84f586b306fb4b22a9a
SHA1: 91522fa95641921b5a625a7a9ec710b94958cd80
SHA256: 9383aa838e5afb67190c9fba301efd213e1ae8b2e296f1d0813b23eea10ba4a4
SSDeep: 24576:j3ovLKFTpghXWJgYsb3Rt35CJ31mYgdto/VOACdhrJrlBziTDyELEZ951lcTRtaV:OG4ReNgWyr7Be/yEU1lX0TZagKDv
Size: 2037624 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SafeInstall, LLC
Created at: 2014-07-18 22:18:07
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1592

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\custom-check.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\rockettab.vi.zip (883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\smartdriverupdater.vi.zip (928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\screen.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\uninstallhelper.vi.zip (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\secureweb.vi.zip (821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\pcspeedup.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\pcspeedup.vi.zip (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoosuite.vi.zip (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\bg-installprogress.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\title-bar.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\process.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\blasteroids.vi.zip (833 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\websearches.vi.zip (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\muvic.vi.zip (786 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\responsemanager.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\screenmanager.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_hpds_startpage.test.vi.zip (739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\knctr.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_keepmysettingsx.vi.zip (412 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\searchdonkey.vi.zip (861 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\btn.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\maxthon.vi.zip (754 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\registryhelper.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\arcadeparlor.vi.zip (889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\close.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\knockout-2.2.1.js (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SCC[1].dll (25212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\json2.js (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\radio.png (870 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\linkey.vi.zip (1 bytes)
%System%\wbem\Logs\wbemprox.log (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\speedupmypc_sales_r2_v2.vi.zip (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\darkux_3step_r2_v4.vi.zip (11960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\yahoo-widget.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\fulldiskfighter.vi.zip (968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\6585c1ccff5df84f586b306fb4b22a9a.log (3557835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\speedupmypc_sales_r2_v2.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\point-loadingbar.png (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\driverfighter.vi.zip (939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_hpds_defaultsearch.vi.zip (434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\registryhelper.vi.zip (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\ping.response.json (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\winferno.vi.zip (941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\defaulttab.vi.zip (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCC.dll (14951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\yahoo.js (806 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\jquery.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\loadingbar.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\wecareaspca.vi.zip (973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_hpds_defaultsearch.test.vi.zip (739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\btn-win.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\checkbox.png (650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\testsuitemanager.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\seaapp.vi.zip (885 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\truedownloader.vi.zip (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\vd1-yahoo-toolbar.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dealgest.vi.zip (759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\common.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\step-contents.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\smartpccleaner.vi.zip (930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\uifactory.js (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\offerbox.vi.zip (793 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\clickmanager.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\freeflvconverting.vi.zip (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\btn-win-cancel.png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\convertfilesforfree.vi.zip (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\wecaresavethechildren.vi.zip (955 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\smartweb.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ENG.SCC.config[1].txt (739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\fulldiskfighter.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\nortonsecurityscan.vi.zip (834 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\severeweatheralerts.vi.zip (816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\offerparser.js (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\smartpccleaner.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\lodash.custom.min.js (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\7zip_bimo.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\step-contents-stepped.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\contentexplorer.vi.zip (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\screenfactory.js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\knctr.vi.zip (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\container-separator.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\omigaplus.vi.zip (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\genieo.vi.zip (904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\noyahoo.js (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\slowpcfighter.vi.zip (926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\pcoptimizerpro.vi.zip (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\nortonantivirus.vi.zip (892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\jquery-1.10.2.min.js (6984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\7zip_bimo\7-zip_new.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SymCCIS2.zip (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\nortoninternetsecurity.vi.zip (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\installprogress.png (998 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\smartdriverupdater.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\darkux_3step_r2_v4.vi.json (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\darkux_3step_r2_v4.vi.html (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\minmax.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\filewhiz_tn.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\view.darkux_3step_r2_v4.vi.json (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\css\style.css (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\driverfighter.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\converterfreeonline.vi.zip (690 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\kaspersky.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\7zip_bimo_7268.txt (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\blitzmediaplayeroffer.vi.zip (852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\kaspersky.vi.zip (888 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\utils.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\bg-loadingbar.png (297 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\nortonsecurityscan.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\surfcanyon.vi.zip (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SymCCIS.dll (11704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\wecarecleanwater.vi.zip (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\custom-form-elements.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCC.config (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\7zip_bimo.vi.zip (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\contentexplorer.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\jenkatgamesarcadeplus.vi.zip (856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\weatherbug.vi.zip (889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\resultsbay.vi.zip (664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\config.xml (15904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\driverscanner.vi.zip (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\mypcbackup.vi.zip (904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_hpds_startpage.vi.zip (422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\product-icon.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\script.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCCLog.txt (168898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\pcoptimizerpro.vi.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SymCCISDll.txt (38245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\smartweb.vi.zip (821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\config.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\driversupport.vi.zip (882 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\bg_disc_wrap.gif (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCC.config (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)

Registry activity

The process %original file name%.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014073020140731]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014073020140731]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\InstallIQ]
"test" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014073020140731]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1405711087"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 E5 F3 CE A8 86 FB 01 1F 77 31 60 1F 3A 31 4D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014073020140731]
"CachePrefix" = ":2014073020140731:"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014073020140731]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014073020140731\"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKLM\SOFTWARE\InstallIQ]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\InstallIQ]
"test"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: SafeInstall, LLC
Product Name: SafeInstaller
Product Version: 1.0.53.0
Legal Copyright: Copyright (C) 2014
Legal Trademarks:
Original Filename: safeinstall.exe
Internal Name: SafeInstaller
File Version: 1.0.53.0
File Description: Safe Installer
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://1-vinstaller.com/api/productsession	66.77.96.160
hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/SCC.dll
hxxp://a568.d.akamai.net/upgrade/NSS/SymCCIS/Production/SCC/w3i/ENG.SCC.config.txt
hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/SCC.dll	72.247.8.67
hxxp://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production/SCC/w3i/ENG.SCC.config.txt	72.247.8.67
stats.norton.com	63.245.201.111

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /upgrade/NSS/SymCCIS/Production/SCC.dll HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: liveupdate.symantecliveupdate.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "38212789a0f996c9f49d2646446c02f3:1402650668"

Last-Modified: Fri, 13 Jun 2014 09:09:28 GMT

Accept-Ranges: bytes

Content-Length: 167264

Content-Type: application/octet-stream

Cache-Control: max-age=305

Expires: Wed, 30 Jul 2014 06:37:06 GMT

Date: Wed, 30 Jul 2014 06:32:01 GMT

Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........r.........
........................E...............................Q.............
......................Rich............PE..L......S...........!........
.>.......z....................................................@....
.....................Ew......tx..{....p..=............t..`........... 
......................................................................
..........text....`.......T......PEC2TO...... ....rsrc.... ...p.......
X.............. ....reloc...............r..............@..............
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.........................................................*..U..9k3e..O
.U...-.[O?wV|.........Uk .B..u3g5.I...jUi..c#.d.N.k.....jxf....f.....M
..k./K.>.'S(..8.......Wz.j.....Q.Q.z p...F.....Z...A.n..&...Id.....
..>o...5.1...&?.....cA.!.}L...>..u......D...c.~3.:.M%.d.......BU
.....o4[.$..|..n..$.vL<..~...Jd...uV.}....Q."..e..........Q...z..O.
P..;...R.qlm.z.......4.'..O.._.C..[..C...].._..`r.;[.c.9@2..,6..m1...x
.f=....d...9HR..?...A..?.f........>GUa..Q=^#\....<.e..e@r.)..y.Q
.J...{..<`*....~f.Q......p..V....P.BP...y..=...?.....>O.f.?.
<<< skipped >>>

GET /upgrade/NSS/SymCCIS/Production/SCC/w3i/ENG.SCC.config.txt HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: liveupdate.symantecliveupdate.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Apache

ETag: "b8dbac3cc2be258b539c305a828416aa:1395133614"

Last-Modified: Tue, 18 Mar 2014 09:06:50 GMT

Accept-Ranges: bytes

Content-Length: 3216

Content-Type: text/plain

Cache-Control: max-age=1178

Expires: Wed, 30 Jul 2014 06:51:40 GMT

Date: Wed, 30 Jul 2014 06:32:02 GMT

Connection: keep-alive
...<..iy..}...e_.k.2..#r...-..\\^../..SG>Jc.G2...S... .d".!..:.\
..A...='.... .......^....0...>.y..G...X...(.v..u.._...z.....#.[....
yIie.......G.^1h...-.....7i........L(,.t......<.3....9.&.......q...
..]O.6..A..h...^.:q.....X4a;T.....2.[.h. ..................`S...u.....
.\.y.-...b...YVPT.CqXK....c....\,....R.N.[..2.[.h. ..SV.3..-......#.!u
......A.S...^......o..p"d#../q...-.......0a.3.g. ..A...........{xE...%
.ws=....d'Y....C...$..k.7...4.]|....Z..L..R.O._S?.g........n..G.v...d.
...!........\r.T...V.{.]h2.Z.]I...S.}.B..}..._%.n.t.6XK..rK.v.K...3Na.
.-...?......~_.....9..|............!fr.qON".H .......[.k..&..1l.>a2
......3.C.#.A.y.....zx......4.."......u...%.....t.Nsb.&r..NS..]/.c^.j(
z0M..pSn.:..t.....&~...E.|ab.L..(}..8..S._3...r....H.Y....0f...X<..
U.o....b.g..U...av.....P#W..,.4..x..._..Y..D.......s...K.....8.....?.H
.P.L..b.H..J.R..y...........R......'@.l.. k.. .z..m..8.9h.....3#...hkO
.AiD....W>1...3...J.....eVqE.H.......v....._.........f..-0....@:...
.&.`.M.{...O.Ew.O..c..P.....(c...a;T......M~.1*.........hL..l.A....F}&
lt;)K.#.T.n.#..h{...U.&.`.M.{.di<:hTh.(............y..!.[.-RJ\...._
...Tp.PD"#.".E.....gu,.3..o(X...ZL.....eX.(...y\....t..py1...EE...R...
.DOQ.H. .y......S.f...x]v.R...?..8|...........f..-0..Z...u.n.......
..`..;.5.(...S...EE...R..l..*.].F.....$.u%.".IT.F.....$...(c...]O.6..A
[email protected]...._..w.....(i...g. ..A..jyE. ..B..cH..{j,g........(..
....!....,..........N..W.Q.M...<'..U...~.$}.Z..]/...:U..@p(U...~.$}
@.......%..h_...O]3...y..I.!.R....a......l..D.9:...K. .r.s.xa...H.
<<< skipped >>>

POST /api/productsession HTTP/1.1

Content-Type: application/json; charset=utf-8

Accept: application/json

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)

Host: 1-vinstaller.com

Content-Length: 260

Cache-Control: no-cache

{"CampaignName":"","ShortName":"7zip_bimo","ProductSubId":-1,"AccountId":14380,"VersionId":-1,"InstallerVersion":"1.0.53.0","OSId":5,"TemplateId":319,"LangId":1033,"ParentOfferIds":[],"Browsers":[{"Key":"IE","Value":6}],"DefaultBrowser":{"Key":"IE","Value":6}}
HTTP/1.1 200 OK

Cache-Control: no-cache

Pragma: no-cache

Content-Type: application/json; charset=utf-8

Expires: -1

Server: Microsoft-IIS/7.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

P3P: CP="PSA OUR DEM"

X-Robots-Tag: noindex, nofollow

Date: Wed, 30 Jul 2014 06:31:59 GMT

Content-Length: 12258
{"Response":{"configuration":{"month":7,"week":31,"year":2014,"targetb
rowser":{"Key":"IE","Value":"6"},"pingurl":"hXXp://1-vinstaller.com/ap
i/productsession","postbackurl":"hXXp://1-vinstaller.com/api/trackoffe
rinstalldetails","errorurl":"hXXp://1-vinstaller.com/api/installerror"
,"host":"hXXp://dl2.v47installer.com/lm/","compliant":false,"randomoff
ersort":false},"productsession":{"productid":2957,"productsubid":-1,"p
roductsessionid":"92798542-4d76-4782-84a1-16fffc36fb38","shortname":"7
zip_bimo","deviceclienttype":7,"guiclienttype":7,"versionid":-1,"sessi
on":{"accountid":14380,"vendorid":6944,"campaignid":8281851,"campaignn
ame":"Default","countryid":124,"country":"CA"}},"accountconfiguration"
:{"accountid":14380,"accountverticalid":18,"showwelcomescreen":true,"s
howdownloadmanager":true,"showfirstofferinwelcomescreen":true,"allowic
ondrop":true,"active":true},"offers":[{"accountid":14380,"offerid":202
28,"parentofferid":5780,"position":1,"active":true,"offerversion":0.0,
"configuration":{"configid":"passshow.v.all","type":"exe","displayname
":"PassShow","downloadurl":"hXXp://jpeg.syncrvloader.com/apps/dist/103
0-2031_PassShow.exe","commandline":"/mstp12","stopchrome":"1","stopfir
efox":"1","stopie":"1"}},{"accountid":14380,"offerid":19875,"parentoff
erid":4424,"position":2,"active":true,"offerversion":0.0,"configuratio
n":{"configid":"itibiti.all","type":"exe","displayname":"Itibiti","dow
nloadurl":"hXXp://VVV.itibitiphone.com/download/Itibiti_Knctr_B.exe","
commandline":"/verysilent /norestart","msiinstall":"1"}},{"account
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.text-qu

`.text-co

`.text-coko

`.text-co"(

`.text-tig

`.text-co;

`.rdata

@.data

.data-qu)

.data-co

.data-co8

.data-co(

.data-co,

.data-co)

.data-cot

.data-ti

.rsrc

CSShZ

7SSh$

7SSh.

7SSh3

7SSh8

CSSh3

CSSh8

CSSh=

CSShk

<-t}<.

<*u%F

CSSh`

<:%u4

t8Ht.HHt#

.FGy1

Af;FP}%S3

|$|.tD

#t.Ht

 2 34 567

u.SSV

1t.Ht

9sxv%UW

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

operator

GetProcessWindowStation

Operation not permitted

Inappropriate I/O control operation

Broken pipe

0xX

Invalid CRT parameter

QuickStartApp.cpp

vi.engine.xml

chk_firefox

chk_chrome

%s[%d]

position=%d, active=%d

%d,%d,%d

** Debug mode: simulating stopping Firefox

** Debug mode: simulating stopping Chrome

%s must be closed before continuing. Press OK to close %s now. You may need to close %s manually.

Firefox

Google Chrome

%d err: %s

Chrome

firefox

chrome

opera

searchprotector.exe

view=%d,sel=%d,inst=%d,conf=%d,can=%d,err=%d,eid=%d,pos=%d,%s

.json

control.txt

00000000-0000-0000-0000-000000000000

QuickStartProcess.cpp

%programfiles%\Free Offers from Freeze.com

disabling offer because system doesn't have Firefox

disabling offer because system doesn't have Chrome

%s[%s]: view=%s accept=%s

%s,%s

WindowsErrorCode

targetbrowser/key

%s:v=%s,id=%s,rc=%d,f=%d,e=%d,i=%s,p=%s,pb=%s,ex=%s,tr=%s,px=%d

%s:v=%s,rc=%d,os=%s,%s,%s|ie=%s

%d,%d,%s,%s,%s,%s

%d,%d,%d,%d,%d

%d,%d,%s,%s,%s,%s,%s

%d,%s,%s,%s,%s,%d,%d,%d,%d,%d,%d,%d,%d,%s,%s,%d,%s

offers

%s,%s,%s,%s,%s,%s,%s,%s

%s,%d,%s,%s

Unable to open thankyou page; url is empty or invalid!

statsd.response.txt

Web.Installer.VDI.CommError

Web.Installer.VDI.InstallError

Web.Installer.VDI.OfferDownloadError

Web.Installer.VDI.OfferInstallError

Web.Installer.VDI.OfferInstallFailed

http://dl2.v47installer.com/lm/bundles/keepmysettingsx/keepmysettingsx.zip

http://sdspapi.com/api/values

http://us.yhs4.search.yahoo.com/yhs/search?p={searchTerms}&ei=UTF-8&hspart=w3i&hsimp=yhs-synd1&type=W3i_DS,221,0_0,Search,20140522,19669,0,FF29,7635

Software\Microsoft\Windows\CurrentVersion\Uninstall\InstallX Search Protect for Yahoo

http://dl2.v47installer.com/lm/bundles/keepmysettingsx/spv1.zip

spv1.zip

.html

MainWnd.cpp

OfferThread.cpp

Setting offer checkbox value: key=

COfferExe::GetXpiFilename

c:\tfs.vs2012\admin\windows\main\installer.quickstart.application\installer.quickstart.lib\OfferExe.h

downloadurl

downloadurl.64bit

msie.downloadurl

msie.commandline

firefox.downloadurl

firefox.commandline

chrome.downloadurl

chrome.commandline

allbrowser.downloadurl

allbrowser.commandline

regkeyadd

ieregkey

firefox.pref

firefox.xpimethod

firefox.xpilocation

firefox.xpidelete

LUA account detected, and flag lua_runasdesktopuser detected, forcing executeAsDesktopUser

iconurl

configuration/downloadurl

configuration/downloadurl.64bit

configuration/msie.downloadurl

configuration/msie.commandline

configuration/firefox.downloadurl

configuration/firefox.commandline

configuration/chrome.downloadurl

configuration/chrome.commandline

configuration/allbrowser.downloadurl

configuration/allbrowser.commandline

configuration/regkeyadd

configuration/ieregkey

configuration/firefox.pref

configuration/firefox.xpimethod

configuration/firefox.xpilocation

configuration/firefox.xpidelete

configuration/iconurl

adding %s entry, ourVal='%s', theirVal='%s'

COfferExe::Download

Download url is empty!

_firefox is NULL!

COfferExe::OnInstall

Install is a dropfile; no exe to run...

Icon offer (in exe config) detected, running icon install

COfferExe::Run

COfferExe::HandleFirefoxOptions

firefoxoffer

HandleFirefoxOptions called with incorrect preferences set in config!

COfferExe::BuildCommandLine

msiexec.exe /i "%s" /qn ALLUSERS=2 REBOOT=ReallySuppress

msiexec.exe /i "%s" %s

Could not find firefox exe to install

Offer is installing XPI for Firefox 8 or higher, enabling GUI.

"%s" "%s"

"%s" %s

COfferExe::RunSearchProtectInstall

COfferExe::WaitForInstallProcess

OfferExe.cpp

COfferExe::WaitForProcessStarted

waiting for registry key:

COfferExe::WaitForRegistryValue

Registry key found.

Registry key found (64-bit).

COfferExe::WaitForFile

COfferExe::InstallXpi

Bad RegKeyAdd config; not correct format: (missing hive \ )

Bad RegKeyAdd config; not correct format: (missing , )

Bad RegKeyAdd config; not correct format: (missing = )

unable to set regkey from following RegKeyAdd:

RegKeyAdd:

unrecognized values in RegKeyAdd:

unable to set regkey from following IERegKey:

IERegKeyAdd:

unrecognized values in IERegKey:

COfferExe::FinishXpiInstall

COfferExe::CancelXpiInstall

COfferExe::RunIconInstall

%s_%s.url

configuration/url

configuration/msie.url

configuration/firefox.url

configuration/chrome.url

All urls are empty!

COfferStartPage::InstallFirefox

_firefox is NULL!

** Debug mode: simulated setting Firefox startpage:

Error writing Firefox pref for startpage!

Error setting Firefox new tab!

Set new tab in Firefox.

Firefox startpage set successful.

chromeoffer

COfferStartPage::InstallChrome

_chrome is NULL!

** Debug mode: simulated setting Chrome startpage:

Error setting Chrome startpage: browser is still running!

Error writing Chrome pref for startpage!

Can't set new tab Chrome, function is not implemented.

Chrome startpage set successful.

OfferStartPage.cpp

startpageurl

oldstartpageurl

http://ff.search.yahoo.com/gossip?output=fxjson&command={searchTerms}

http://search.yahoo.com/search?p={searchTerms}&ei=UTF-8&fr=w3i&type=#REVENUE_TAG#

http://search.yahoo.com/favicon.ico

configuration/msie.searchname

configuration/firefox.searchname

configuration/firefox.suggesturl

configuration/firefox.selectedengine

configuration/firefox.keywordurl

configuration/chrome.selectedengine

configuration/chrome.keyword

configuration/chrome.faviconurl

configuration/chrome.suggesturl

Error setting IE search: url is empty!

Internet Explorer version 6 or older does not support default search!

COfferDefaultSearch::InstallFirefox

** Debug mode: simulated setting Firefox default search:

Failed to write Yahoo xml for Firefox!

Firefox default search set successful.

COfferDefaultSearch::InstallChrome

** Debug mode: simulated setting Chrome default search:

Failed to set search pref for chrome!

Chrome default search set successful.

OfferDefaultSearch.cpp

searchurl

oldsearchurl

http://vinstaller.com/api/trackofferinstalldetails

http://vinstaller.com/api/installerror

ping.response.json

postback.response.json

config.xml

pingurl

postbackurl

errorurl

statsdurl

uninstalloptionurl

PingUrl

PostbackUrl

Sending session request, url=

Ping url is empty!

Ping url is invalid!

http://dl5.v1installer.com/

PingResponse.cpp

targetbrowser/Key

PingThread.cpp

offer %s[%s]: isInstalled=%d canShow=%d

rule %s[%s]: isInstalled=%d

QuickStartDetectThread.cpp

ResourceThread.cpp

Sending postback request, url=

Postback url is empty!

Postback url is invalid!

Response/url

passed

CRequirementManager::RunExecute

CRequirementManager::ParseExecuteResult

invalid flag in execute result:

Software\Microsoft\Windows\CurrentVersion\RunOnce

Running requirement.OnInstall:

Running requirement.OnCancel:

requirement.OnCancel is empty, skipping.

Running requirement.OnExit:

requirement.OnExit is empty, skipping.

%programdata%\W3i\UninstallHelper\iqu.ini

2.0.1.0

%programdata%\W3i\UninstallHelper\import

quickstart.xml

quickstart%d.xml

Failed to save IQU data, too many import files in directory!

%programfiles%\W3i\UninstallHelper\UninstallHelper.exe

quickstart_si.xml

quickstart_si%d.xml

Failed to save SoftwareInfo data, too many import files in directory!

http://dl.installiq.com/API/IQU/SoftwareInfo.aspx

UH executable not found!

"%s" /silent /noswinfo

%s:%d

handling firefox cookies...

FF.GetCookiesError

FF.NoCookies

firefox: no cookies found

FF.SetCookieError

FF.SetCookies

firefox: set cookies

getting firefox cookies for

CCookieManager::GetFirefoxCookies

Error enumerating firefox cookies!

firefoxenum

http://

cookie.dat

Vista.NoResult

Vista.SavedLow

Vista.NoCookies

Vista.CopiedLow

%a, %d-%b-%Y %H:%M:%S GMT

cookieman.exe

Vista.ExtractError

Vista.CreateLowError

handling chrome cookies

Chrome.GetCookiesError

Chrome.NoCookies

Chrome: no cookies found

Chrome.SetCookieError

Chrome.SetCookies

Chrome: set cookies succeeded

getting Chrome cookies for

CCookieManager::GetChromeCookies

Error enumerating chrome cookies!

chromeenum

Safari.GetCookiesError

Safari.NoCookies

Safari.SetCookieError

Safari.SetCookies

ErrorLogger.cpp

explorer.exe

CDialogWindowJson::OnBeforeNavigate2, url=

DialogWindowJson.cpp

%s: view=%s accept=%s

chk_%s=

checkbox found; %s=%s

adding disclosure(%s): %s

installedbrowsers/firefox

installedbrowsers/chrome

installedbrowsers/opera

view.buildconfig.json

view.productconfig.json

ProgressDialog.cpp

Installing %d of %d

uninstalloption.exe

InstallIQFirefoxLock

postinstallexecute

postinstallexecuteintegrity

stopfirefox

stopchrome

configuration/postinstallexecute

configuration/postinstallexecuteintegrity

/msie.autoconfirm

/firefox.autoconfirm

/chrome.autoconfirm

msie.autoconfirm

firefox.autoconfirm

chrome.autoconfirm

COffer::WaitForFirefoxLock

Offer.cpp

_firefoxLock is already created!

Waiting for Firefox lock...

Firefox lock status:

Releasing Firefox lock

PostInstallExecute:

iexplore.exe

** Debug mode: simulating PostInstallExecute:

Cannot run post-install execute, file does not exist:

COffer::PostInstallExecute

PostInstallExecute command failed!

http:

Adding UH data: %s|%s,%s

Failed to extract uninstall option exe!

Error; uninstalloption.exe doesn't exist (after download and extract!)

Error copying uninstalloption.exe to program files!

error downloading uninstall option url!

http://airdownload.adobe.com/air/win/download/latest/AdobeAIRInstaller.exe

%programfiles%\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe

"%s" %s "%s"

AdobeAirInstaller.exe

Uninstall keys:

/uninstallkeys/uninstallkey

%s/uninstallkeys/uninstallkey[%d]/type/text()

%s/uninstallkeys/uninstallkey[%d]/value/text()

%firefoxprofiles%

Unknown uninstall key type encountered, skipping lookup

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

crterr:%d

Win32Err:%d

HRESULT:0x%X

@ line %d in function <%s>.

Unknown error: %d

wininet.dll

IDispatch error #%d

LoadLibrary failed in loading current exe:

CoreResource.cpp

CStringW.GetBuffer failed!

0xx

%s. {%s} @ line %d in function <%s> in module %s.

Win32Err:%d

HRESULT:0x%X

Error:%d

HttpStatus:%d

-- %s line %d --

[X]

L%d:d.d.d_d:d:d.d

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /%d

%s_%x%x%x%x%x

CoreFile.cpp

Exception %X in module %s at: 0x%p.

dbghelp.dll

0x%p %s

CoreProcess.cpp

ShellExecuteCommand:

Failed to execute command:

CCoreProcess::ShellExecuteCommand

CCoreProcess::CloseProcessWindowsByModuleName

CCoreProcess::ShellExecuteCommandAndWait

CCoreProcess::GetProcessExe32

CCoreProcess::GetProcessExe64

kernel32.dll

CoreXml.cpp

_ftprintf_s failed writing header to

]/Key/text()

CCoreXml::ParseRequiredKeyValue

CCoreXml::ParseRequiredKeyInt

CoreThread.cpp

https://

ftp://

CCoreSystem::GetWindowsVersionId

Missing windows version, check the code!!

CoreSystem.cpp

%s (Build %d)

CCoreSystem::CacheWindowsInfo

Unknown OS! Major: 0xX, Minor: 0xX

%windows%

%system%

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Þsktopdir%

Þsktop%

%userprofile%

%s0x%.2x%.2x%.2x%.2x%.2x%.2x-

SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727

SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322

SOFTWARE\Microsoft\.NETFramework\policy\v1.0

3321-3705

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\

Iphlpapi.dll

%windows%\Desktop

VBoxService.exe

vboxtray.exe

proc.vboxsvc

vmtoolsd.exe

proc.vboxtray

vmicsvc.exe

proc.vmtools

proc.hvsvc

reg.vboxguest

reg.vboxmouse

reg.vboxsvc

reg.vboxsf

reg.vboxvid

reg.vboxbios

%system%\vboxhook.dll

reg.vboxsguest

file.vboxhook

reg.vmvid

reg.vmpci

reg.vmdbg

reg.vmcrd

reg.vmmem

reg.vmmouse

reg.vmdsk

reg.vmtools

reg.vmsnap

reg.vmnet64

reg.hvgenctr

reg.hvvmbus

SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\0000

reg.hvvid

SYSTEM\CurrentControlSet\Control\Class\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}\0000

reg.hvscsi

reg.hvinput

reg.vboxdisk

reg.vmdisk

reg.hvdisk

sng.vmt1

sng.vmt3

sng.vmt2

gen.dbg

sng.vmt4

gen.diftime

CCoreRegKey::Create

Warning: HKEY_CLASSES_ROOT opened for writing! This can lead to unpredictable results.

CCoreRegKey::Open

RegCreateKeyEx failed on key=

RegOpenKeyEx failed on key=

Registry key is not open! (

CoreRegKey.cpp

CCoreRegKey::GetValueType

CCoreRegKey::GetValueSize

CCoreRegKey::GetValueString

CCoreRegKey::GetValue

CCoreRegKey::SetValue

CCoreRegKey::DeleteValue

RegDeleteKeyExA

CCoreRegKey::DeleteKey

RegDeleteKey failed on

RegDeleteKeyEx failed on

CCoreRegKey::EnumSubKeys

SHCopyKey failed for

CCoreRegKey::CopyTree

CCoreEntryPoint::LoadProcAddress

CCoreEntryPoint::CCoreEntryPoint

Advapi32.dll

UniqueId.cpp

subKey is NULL!

%u,%u,%u,%u

0.0.0.0

\/:*?"<>|

createurlfilefail

Failed to create URL file!

Encryption key not initialized!

CoreEvent.cpp

shell32.dll

CoreVista.cpp

Software\Microsoft\Windows\CurrentVersion\Policies\System

HKEY_CURRENT_CONFIG

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

%Y-%m-%dT%H:%M:%S

CommandLine.cpp

%s.%s

iexplore,ie.http

Failed to get IE version key!

Loading IE cookies for url:[

wrote %d cookies

CoreInternetExplorer.cpp

-noframemerging "%s"

ie.http\shell\open\command

Unable to find iexplore.exe, using shell execute (with possible warnings)

Default search regkey not found (may be a brand new install)

EnumSubKeys failed!

ieframe.dll

http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC

url is empty!

Replacing existing provider url:

Error setting provider url!

CCoreInternetExplorer::FindFirstHistoryUrl

findfirsturlfailed

FindFirstUrlCacheEntry() failed!!

FindUrlCache handle is null!! Did you call FindFirstHistoryUrl first??

CCoreInternetExplorer::FindNextHistoryUrl

findnexturlfailed

FindNextUrlCacheEntry() failed!!

FindCloseUrlCache() failed!!

CCoreInternetExplorer::FindCloseHistoryUrl

findcloseurlfailed

msgText is required!

msgTitle is required!

browser.search.selectedEngine

browser.search.defaultenginename

browser.startup.homepage

keyword.URL

MozillaWindowClass

MozillaUIWindowClass

firefox.exe,firefox.url,firefoxportableurl,firefoxurl,firefox

Software\Mozilla\Mozilla Firefox

CCoreFirefox::GetVersion

firefoxver

Failed to get Firefox version key!

Profile%d

profiles.ini

%appdata%\Mozilla\Firefox

Loading Firefox3 cookies for url:[

Firefox versions prior to 3 are not supported by LoadProfileCookies!

cookies.sqlite

%s=%s

Enumerating Firefox3 cookies for

cookies.txt

Found partial cookie in Firefox profile:

Enumerating Firefox cookies for

-requestPending -osint -new-window "%s"

firefox.exe

%programfiles%\Mozilla Firefox

PathToExe

CCoreFirefox::GetPrefString

prefs.js

CoreFirefox.cpp

user_pref("%s", %s%s%s);

CCoreFirefox::SetPrefString

CCoreFirefox::SetDefaultSearch

suggestionUrl is empty!

searchUrl is empty!

Setting Firefox default search engine:

Can't set search engine while Firefox is running!

SearchUrl=

SuggestionUrl=

Failed to write Yahoo search prefs for Firefox!

http://www.mozilla.org/2006/browser/search/

browser.search.order.2

browser.search.order.1

downloads.sqlite

Failed to open downloads.sqlite database!

places.sqlite

select source from moz_downloads where source like '%%%s%%' order by id desc

Failed to open places.sqlite database!

select url from moz_places where url like '%%%s%%' order by id desc

CCoreFirefox::SetStartpage

browser.startup.page

cannot set startpage; firefox is currently running!

CCoreFirefox::SetNewTab

Cannot set newtab because firefox is running!

browser.newtab.url

firefox pref: keyword.URL=

firefox pref: browser.search.param.yahoo-fr=

browser.search.param.yahoo-fr

CCoreChrome::SetCookie

c:\tfs.vs2012\admin\windows\main\core.cpplib\core.cpplib.browser\CoreChrome.h

Chrome_WindowImpl_0

Chrome_RenderWidgetHostHWND

Chrome_WidgetWin_0

chrome.exe,chrome.hwd,chromehtml,chromiumhtml,chrome,chromium

Chrome_WidgetWin_1

CCoreChrome; Cookie file does not exist

%local_appdata%\Google\Chrome\User Data\Default\Cookies

select name, value, host_key, path, expires_utc from cookies where

Loading Google Chrome cookies for url:[

Enumerating Google Chrome cookies for

host_key like '%

Chrome cookie file does not exist

CCoreChrome::EnumCookiesLegacy

select host_key, name, value, path, expires_utc from cookies where host_key like '%

CCoreChrome::EnumCookiesV33

Enumerating Google Chrome cookies (v33) for

Failed to decrypt chrome cookie:

select host_key, name, value, path, expires_utc, encrypted_value from cookies where host_key like '%

chrome.dll

Chrome cookie:

Unable to find chrome.exe, using shell execute (with possible warnings)

--new-window "%s"

ChromeHTML\shell\open\command

chrome.exe

%programfiles%\Google\Chrome\Application

%local_appdata%\Google\Chrome\Application

CCoreChrome::GetStartpage

CCoreChrome::GetStartupPages

session/startup_urls

session/urls_to_restore_on_startup

CoreChrome.cpp

CCoreChrome::IsMultiStartPageEnabled

CCoreChrome::SetStartpage

CCoreChrome::SetStartPageOld

CCoreChrome::SetStartPageNew

%local_appdata%\Google\Chrome\User Data\Default\Web Data

SELECT value FROM meta WHERE key='Default Search Provider ID'

SELECT id, short_name, url FROM keywords where id = %s

default_search_provider_data/template_url_data

CCoreChrome::GetDSUrlFromPrefTemplate

default_search_provider_data/template_url_data/short_name

default_search_provider_data/template_url_data/url

CCoreChrome::SetDefaultSearch

default_search_provider_data/template_url_data/id

CCoreChrome: keyword param cannot be blank

CCoreChrome: Name param cannot be blank

http://www.yahoo.com/favicon.ico

CCoreChrome: url param cannot be blank

failed to set Database keyword search!!

Found existing default search in Chrome: id=

Successfully set Default Search provider in chrome

Chrome v25 or higher detected, skipping keyword_backup and keyword hashing..

Failed to set keyword hash!!

failed to set database keyword search backup table!

CCoreChrome::SetDatabaseKeywordSearch

keywords

UPDATE meta SET value='%s' WHERE key='Default Search Provider ID'

sql string is empty

CCoreChrome::SetDatabaseKeywordSearchBackup

Successfully added default search data to keyword and meta tables

UPDATE meta SET value='%s' WHERE key='Default Search Provider ID Backup'

keywords_backup

CCoreChrome::SetPrefDefaultSearchTemplate

Successfully added default search data to keyword_backup and meta tables

chrome preferences failed to load!

default_search_provider_data/template_url_data/

keyword

favicon_url

suggestions_url

CCoreChrome::FindSearchEntryID

url = '

keyword like '%

url like '%

SELECT id FROM keywords WHERE

Please, don't change this Chrome setting

Setting existing default search in Chrome:

CCoreChrome::SetExistingDefaultSearchUrl

Error opening Chrome Web Data!

Looking up default search url:

unable to set the database keyword hash!

Sqlite is not open!

CCoreChrome::LookupDefaultSearchUrl

SELECT id FROM keywords WHERE short_name='%s'

SELECT id FROM keywords WHERE url='%s'

LookupDefaultSearchUrl: id not found in row

LookupDefaultSearchUrl: url not found in table

CCoreChrome::GetPreference

%local_appdata%\Google\Chrome\User Data\Default\Preferences

CCoreChrome::LoadChromePreferences

UPDATE %s set short_name='%s', keyword='%s', url='%s', favicon_url='%s'

, suggest_url='%s'

, show_in_default_list=%s, safe_for_autoreplace=%s, input_encodings='%s'

INSERT INTO %s (

WHERE id=%s

short_name, keyword, favicon_url, url,

input_encodings, show_in_default_list, suggest_url, prepopulate_id,

safe_for_autoreplace, originating_url, date_created, usage_count,

created_by_policy, instant_url, last_modified, sync_guid) VALUES (

%s, '%s', %s, %s,

'%s', '%s', '%s', '%s',

%s, '%s', %s, '%s')

'%s', %s, '%s', %s,

SELECT id || short_name || keyword || favicon_url || url || safe_for_autoreplace || originating_url || date_created || usage_count || input_encodings || show_in_default_list || suggest_url || prepopulate_id || created_by_policy || instant_url || last_modified || sync_guid FROM keywords_backup ORDER BY id ASC

CCoreChrome::GetHashData

INSERT OR REPLACE INTO meta (key,value) VALUES (?,?)

CCoreChrome::InsertHashSignature

%local_appdata%\Google\Chrome\User Data\Default\History

select url from downloads_url_chains where url like '%%%s%%' order by id desc

CoreFirefoxXPIInstaller.cpp

CCoreFirefoxXpiInstaller::Install

CCoreFirefoxXpiInstaller::GetXpiInfo

install.rdf

xml.LoadBuffer failed on

Firefox.exe not found!

Installing Firefox add-ons via package...

installiq.xpi

Create install.rdf failed!

CCoreFirefoxXpiInstaller::InstallAsPackage

Running Firefox to install add-ons:

Error running Firefox!

xmlns:NC="http://home.netscape.com/NC-rdf#"
xmlns:em="http://www.mozilla.org/2004/em-rdf#">
[email protected]
{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
*.*.*
Error creating install.rdf!
CCoreFirefoxXpiInstaller::CreateInstallRDF
Installed Firefox extension:
CCoreFirefoxXpiInstaller::SetResult
Can't get Firefox default profiles folder!
CCoreFirefoxXpiInstaller::GetExtensionsFolder
c:\tfs.vs2012\admin\windows\main\core.cpplib\core.cpplib.browser\CoreSearchProtectorApp.h
keepmysettingsx.exe
https://installer.freeze.com/LogError.aspx
Restoring V1 toolbar uninstall key...
Error replacing toolbar uninstall key!
Software\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion
Software\Microsoft\Windows\CurrentVersion\Uninstall\KeepMySettingsX
Renaming V1 uninstall key...
Error opeing uninstall registry key in HKLM\
Error copying V1 registry key!
CoreSearchProtectorApp.cpp
Error removing V1 registry key from HKLM\
CCoreSearchProtectorApp.ShutDown: window not found
Software\Microsoft\Windows\CurrentVersion\Run
Error removing registry key from HKLM\
apiurl
dsotherurl
spotherurl
searchkeyword
http://bing.com
%s/provider[%d]
https://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-us:IE-Address&ie=&oe=
http://google.com
firefoxstartpage
firefoxsearch
chromestartpage
chromesearch
config.dat
Yahoo uninstall key not found
Error replacing Yahoo Toolbar uninstall key!
UninstallKey
Software\Microsoft\Windows\CurrentVersion\Uninstall\
UninstallKey=
ChromeStartPage
ChromePriorSearchUrl
FirefoxPriorSearchUrl
ChromePriorStartPage
FirefoxPriorStartPage
CoreBrowserOptionUninstaller.cpp
c:\tfs.vs2012\admin\windows\main\core.cpplib\core.cpplib.browser\CoreSafari.h
safari.exe,safariurl,safari
%appdata%\Apple Computer\Safari\Cookies\Cookies.binarycookies
Loading Safari cookies for url:[
CoreSafari.cpp
%appdata%\Apple Computer\Safari\Cookies\Cookies.plist
Failed to get Safari version key!
safari.exe
-url "%s"
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
http\shell\open\command
Can't find shell associations or shell command reg keys!
CoreBrowser.cpp
SQLite format 3
REINDEXEDESCAPEACHECKEYBEFOREIGNOREGEXPLAINSTEADDATABASELECTABLEFTHENDEFERRABLELSEXCEPTRANSACTIONATURALTERAISEXCLUSIVEXISTSAVEPOINTERSECTRIGGEREFERENCESCONSTRAINTOFFSETEMPORARYUNIQUERYATTACHAVINGROUPDATEBEGINNERELEASEBETWEENOTNULLIKECASCADELETECASECOLLATECREATECURRENT_DATEDETACHIMMEDIATEJOINSERTMATCHPLANALYZEPRAGMABORTVALUESVIRTUALIMITWHENWHERENAMEAFTEREPLACEANDEFAULTAUTOINCREMENTCASTCOLUMNCOMMITCONFLICTCROSSCURRENT_TIMESTAMPRIMARYDEFERREDISTINCTDROPFAILFROMFULLGLOBYIFISNULLORDERESTRICTOUTERIGHTROLLBACKROWUNIONUSINGVACUUMVIEWINITIALLY
CREATE TABLE sqlite_master(
sql text
0123456789ABCDEF3.7.5
CREATE TEMP TABLE sqlite_temp_master(
zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
unzip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
1.2.7
deflate 1.2.7 Copyright 1995-2012 Jean-loup Gailly and Mark Adler
inflate 1.2.7 Copyright 1995-2012 Mark Adler
Detect.cpp
Dll %s failed, resultcode = %x
SymCCIS.dll
SymCCIS2.zip
RunDLL productlist="%s" resultcodes="%s"
/execute/text()
Missing ExecuteResult in requirement config!
/executeresult/text()
%programfiles%\iTunes\iTunes.exe
SOFTWARE\Microsoft\Windows Live\Messenger
ydetect.ytb
msnmsgr.exe
ydetect.yhp
ydetect.yas
Rules.cpp
RegKeyExists
regkey
chromeprefs
firefoxprefs
CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\InprocServer32
%firefoxprofiles%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\install.rdf
CDetectionYahooToolbar::IsInstalledFirefox
KeyExists
SourceKey
hkey_local_machine
hkey_current_user
hkey_current_config
hkey_classes_root
multireg: key found:
multireg%d
multireg: unable to parse key:
1.1.0.6
//flag[%d]/text()
Cannot evaluate .NET Version, .NET may not be installed!
DetectionFile.cpp
wajam_validate.zip
wajamexemissing
extracted wajam exe file not found!
Timed out waiting for wajam_validate.exe!
Unable to get returncode from wajam_validate.exe!
wajam_validate.exe detection process result = %d
yahoo.com
live.com
google.com
ask.com
msn.com
aol.com
DetectionFirefoxPrefs.cpp
CDetectionFirefoxPrefs::OnEvaluate
CDetectionChromePrefs::OnEvaluate
DetectionChromePrefs.cpp
)] disabled because of minimum windows version.
minwindowsversion
DetectionRule.cpp
Disabled; Firefox is not installed
Disabled; rule target is not Firefox
Disabled; Chrome is not installed
Disabled; rule target is not Chrome
asktbdet.zip
Ask detection process result = %d
CoreWininet.cpp
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
wininet: connecting to %s:%d
CCoreWininet::HTTPSendRequest
HTTPSendRequest:
httpopenrequest
wininet: HttpOpenRequest failed!
httpreqerr
wininet: Request handle is NULL after HttpSendRequest!
unable to set wininet http decoding
wininet: HttpAddRequestHeaders (post flag) failed!
Content-Type: application/x-www-form-urlencoded
Range: bytes=%u-
httpaddheaders
wininet: HttpAddRequestHeaders (range specification) failed!
Range: bytes=%u-%u
httpaddheader
httpsendreq
wininet: HttpSendRequest failed! (verb=
httptimeout
wininet: HttpQueryInfo failed!
wininet: HttpSendRequest failed!
httpqueryinfo
httpproxy
wininet: Server responded with error: %d, %s. %s %s
wininet: HttpSendRequest: status OK received
httpstatus
wininet: HttpQueryInfo for content range failed!
wininet: HttpQueryInfo for file size failed!
wininet: Operation cancelled by caller.
Software\Microsoft\Windows\CurrentVersion\Internet Settings
HTTP Status %d: %s
API url is invalid!
apiUrl is null!
%m/%d/%Y
Url is null!
%s, %s, l=0xx
[0x%X]
d:%s
01234567
%s(%s);
CoreJSON2.cpp
Node path not valid; node "%s" in path "%s" is not type Node!
PackageZlib.cpp
Error: %d bytes of %d read from file %s.
unzOpenCurrentFilePassword failed!
Error: %d bytes of %d were written to file %s.
unzOpenCurrentFilePassword failed! err=
Package.cpp
autorun.txt
CCoreSqlite::OpenDatabase
CCoreSqlite::CloseDatabase
CCoreSqlite::ExecuteStatement
dbexecerror
sqlite3_exec failed, returned error:
CoreSqlite.cpp
CCoreSqlite::StandardExecuteCallback
CCoreSqlite::PrepareCompiledStmt
Cannot prepare statement, sql is empty!
Failed to prepare compiled statement, sqlite returned error: %d
sqlempty
sqliteerror
CCoreSqlite::BindTextToCompiledStmt
bind text failed, errorcode=%d
CCoreSqlite::ExecuteCompiledStmt
sqlite3_step failed, errorcode=%d
CCoreSqlite::CheckStmtRowValid
sqlitestepfailed
Cannot get row results: statement has not executed!!
sqlite3_finalize failed, errorcode=%d
CCoreSqlite::CloseCompiledStmt
SQLITE_
d-d-d d:d:d
d-d-d
d:d:d
failed memory resize %u to %u bytes
failed to allocate %u bytes of memory
API call with %s database connection pointer
922337203685477580
RowKey
%s-shm
OsError 0x%x (%u)
%s\etilqs_
Recovered %d frames from WAL file %s
invalid page number %d
Failed to read ptrmap key=%d
2nd reference to page %d
%d of %d pages missing from overflow list starting at %d
Bad ptr map entry key=%d expected=(%d,%d) got=(%d,%d)
freelist leaf count too big on page %d
failed to get page %d
unable to get the page. error code=%d
Page %d:
On tree page %d cell %d:
btreeInitPage() returns error code %d
On page %d at right child:
Corruption detected in cell %d on page %d
Fragmentation of %d bytes reported as %d on page %d
Multiple uses for byte %d of page %d
Pointer map page %d is referenced
Page %d is never used
Outstanding page count goes from %d to %d during this analysis
unknown database %s
keyinfo(%d
%s(%d)
%s-mjX
foreign key constraint failed
bind on a busy prepared statement: [%s]
unable to use function %s in the requested context
zeroblob(%d)
abort at %d in [%s]: %s
cannot open savepoint - SQL statements in progress
constraint failed at %d in [%s]
no such savepoint: %s
cannot %s savepoint - SQL statements in progress
cannot commit transaction - SQL statements in progress
cannot rollback transaction - SQL statements in progress
sqlite_master
sqlite_temp_master
SELECT name, rootpage, sql FROM '%q'.%s WHERE %s ORDER BY rowid
database table is locked: %s
cannot change %s wal mode from within a transaction
statement aborts at %d: [%s] %s
cannot open value of type %s
cannot open virtual table: %s
no such column: "%s"
cannot open view: %s
indexed
foreign key
cannot open %s column for writing
misuse of aliased aggregate %s
%s: %s.%s
%s: %s.%s.%s
not authorized to use function: %s
%s: %s
%r %s BY term out of range - should be between 1 and %d
too many terms in %s BY clause
Expression tree is too large (maximum depth %d)
too many SQL variables
variable number must be between ?1 and ?%d
too many columns in %s
EXECUTE %s%s SUBQUERY %d
misuse of aggregate: %s()
%.*s"%w"%s
sqlite_rename_table
%s%.*s"%w"
sqlite_rename_parent
sqlite_rename_trigger
%s OR name=%Q
type='trigger' AND (%s)
sqlite_
there is already another table or index with this name: %s
view %s may not be altered
table %s may not be altered
UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d 18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
UPDATE "%w".sqlite_sequence set name = %Q WHERE name = %Q
sqlite_sequence
Cannot add a PRIMARY KEY column
UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
UPDATE "%w".%s SET sql = substr(sql,1,%d) || ', ' || %Q || substr(sql,%d) WHERE type = 'table' AND name = %Q
sqlite_altertab_%s
sqlite_stat1
DELETE FROM %Q.%s WHERE tbl=%Q
CREATE TABLE %Q.%s(%s)
SELECT tbl, idx, stat FROM %Q.sqlite_stat1
too many attached databases - max %d
invalid name: "%s"
database %s is already in use
no such database: %s
unable to open database: %s
cannot detach database %s
sqlite_detach
database %s is locked
%s %T cannot reference objects in database %s
sqlite_attach
access to %s.%s.%s is prohibited
access to %s.%s is prohibited
object name reserved for internal use: %s
there is already an index named %s
duplicate column name: %s
too many columns on %s
table "%s" has more than one primary key
default value of column [%s] is not constant
AUTOINCREMENT is only allowed on an INTEGER PRIMARY KEY
no such collation sequence: %s
CREATE %s %.*s
CREATE TABLE %Q.sqlite_sequence(name,seq)
UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d
UPDATE %Q.%s SET rootpage=%d WHERE #%d AND rootpage=#%d
view %s is circularly defined
use DROP TABLE to delete table %s
table %s may not be dropped
DELETE FROM %s.sqlite_sequence WHERE name=%Q
use DROP VIEW to delete view %s
DELETE FROM %Q.sqlite_stat1 WHERE tbl=%Q
DELETE FROM %Q.%s WHERE tbl_name=%Q and type!='trigger'
number of columns in foreign key does not match the number of columns in the referenced table
foreign key on %s should reference only one column of table %T
indexed columns are not unique
unknown column "%s" in foreign key definition
views may not be indexed
table %s may not be indexed
there is already a table named %s
virtual tables may not be indexed
sqlite_autoindex_%s_%d
index %s already exists
table %s has no column named %s
CREATE%s INDEX %.*s
INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
index associated with UNIQUE or PRIMARY KEY constraint cannot be dropped
no such index: %S
DELETE FROM %Q.sqlite_stat1 WHERE idx=%Q
DELETE FROM %Q.%s WHERE name=%Q AND type='index'
a JOIN clause is required before %s
table %s may not be modified
unable to identify the object to be reindexed
cannot modify %s because it is a view
sqlite_version
sqlite_compileoption_used
sqlite_source_id
sqlite_compileoption_get
foreign key mismatch
%d values for %d columns
table %S has %d columns but %d values were supplied
table %S has no column named %s
PRIMARY KEY must be unique
%s.%s may not be NULL
unable to open shared library [%s]
sqlite3_extension_init
error during initialization: %s
no entry point [%s] in shared library [%s]
automatic extension loading failed: %s
foreign_keys
foreign_key_list
*** in database %s ***
unsupported encoding: %s
%s - %s
malformed database schema (%s)
unsupported file format
database schema is locked: %s
SELECT name, rootpage, sql FROM '%q'.%s ORDER BY rowid
RIGHT and FULL OUTER JOINs are not currently supported
unknown or unsupported join type: %T %T%s%T
cannot have both ON and USING clauses in the same join
a NATURAL join may not have an ON or USING clause
cannot join using column %s - column not present in both tables
USE TEMP B-TREE FOR %s
COMPOUND SUBQUERIES %d AND %d %s(%s)
LIMIT clause should come after %s not before
ORDER BY clause should come after %s not before
no such index: %s
SELECTs to the left and right of %s do not have the same number of result columns
no such table: %s
sqlite_subquery_%p_
sqlite3_get_table() called with two or more incompatible queries
cannot create %s trigger on view: %S
INSERT INTO %Q.%s VALUES('trigger',%Q,%Q,0,'CREATE TRIGGER %q')
cannot create INSTEAD OF trigger on table: %S
no such trigger: %S
no such column: %s
-- TRIGGER %s
cannot VACUUM - SQL statements in progress
PRAGMA vacuum_db.synchronous=OFF
SELECT 'CREATE INDEX vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE sql LIKE 'CREATE INDEX %'
SELECT 'CREATE TABLE vacuum_db.' || substr(sql,14) FROM sqlite_master WHERE type='table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
SELECT 'CREATE UNIQUE INDEX vacuum_db.' || substr(sql,21) FROM sqlite_master WHERE sql LIKE 'CREATE UNIQUE INDEX %'
SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
INSERT INTO vacuum_db.sqlite_master SELECT type, name, tbl_name, rootpage, sql FROM main.sqlite_master WHERE type='view' OR type='trigger' OR (type='table' AND rootpage=0)
UPDATE %Q.%s SET type='table', name=%Q, tbl_name=%Q, rootpage=0, sql=%Q WHERE rowid=#%d
vtable constructor did not declare schema: %s
vtable constructor failed: %s
no such module: %s
table %s: xBestIndex returned an invalid plan
%s SUBQUERY %d
%s AS %s
%s TABLE %s
%s USING INTEGER PRIMARY KEY
%s USING %s%sINDEX%s%s%s
%s (rowid>? AND rowid
%s (rowid=?)
%s (rowid
%s (rowid>?)
%s (~%lld rows)
%s VIRTUAL TABLE INDEX %d:%s
cannot use index: %s
at most %d tables in a join
the INDEXED BY clause is not allowed on UPDATE or DELETE statements within triggers
the NOT INDEXED clause is not allowed on UPDATE or DELETE statements within triggers
unable to close due to unfinished backup operation
SQL logic error or missing database
unknown operation
large file support is disabled
unknown database: %s
no such vfs: %s
misuse at line %d of [%.10s]
database corruption at line %d of [%.10s]
cannot open file at line %d of [%.10s]
&#xX;
%s="%s"
%s='%s'
version="%s"
standalone="%s"
encoding="%s"
CoreDialogCloseProcess.cpp
CoreHtmlDialog.cpp
onBeforeNavigate2 called, url=
CoreIEControl.cpp
uxtheme.dll
CCoreWinTask::AddExecAction
Error getting IExecAction!
c:\tfs.vs2012\admin\windows\main\core.cpplib\core.cpplib.browser\CoreOpera.h
EnumCookies is not implemented for Opera!
CCoreOpera::EnumCookies
CCoreOpera::SetCookie
SetCookie is not implemented for Opera!
CCoreOpera::LoadCookies
LoadCookies is not implemented for Opera!
opera.exe,opera.protocol,opera.url,opera,operanext,operastable
CCoreOpera::OpenUrl
OpenURL is not implemented for Opera!
Software\Opera Software
opera.exe
%programfiles%\Opera
launcher.exe
%programfiles%\Opera Next
CoreIEHost.cpp
m_WebBrowserEvents failed
IWebBrowser2 failed
_WebBrowserEvents failed
_webBrowser->Quit failed!
Not initialized or _webBrowser is NULL!
Sending Quit to web browser...
IWebBrowser failed!
CCoreIEHost::DeleteHistoryUrl
CCoreIEHost.OnDocumentComplete:
WebBrowser object is NULL!
Error: Collection didn't support IHTMLElementCollection!
*** set key code to 0 ****
c:\tfs.vs2012\admin\windows\main\Installer.QuickStart.Application\ReleaseNoMFC\quickstart.pdb
KERNEL32.dll
USER32.dll
OLEAUT32.dll
SHDeleteEmptyKeyA
SHLWAPI.dll
COMCTL32.dll
GetProcessHeap
GetCPInfo
ShellExecuteExA
SHELL32.dll
ole32.dll
PSAPI.DLL
VERSION.dll
USERENV.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
InternetCombineUrlA
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindCloseUrlCache
HttpOpenRequestA
HttpAddRequestHeadersA
HttpSendRequestA
HttpQueryInfoA
WININET.dll
UrlEscapeA
SHCopyKeyA
gdiplus.dll
IsValidURL
urlmon.dll
GetWindowsDirectoryA
EnumWindows
EnumChildWindows
GetKeyboardState
GDI32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegDeleteKeyA
RegQueryInfoKeyA
RegEnumKeyExA
ADVAPI32.dll
CRYPT32.dll
zcÁ
.?AV?$_Ref_count@VCOfferExe@@@std@@
.?AV?$_Ref_count_obj@VCOfferExe@@@std@@
.?AV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@
.?AVCOfferExe@@
.?AVCCoreStringUrl@@
.?AV?$CFlags@W4WebArgFlag@@@@
.?AV?$CCoreEntryPoint@P6GJPAUHKEY__@@PBDKK@Z@@
.?AVCCoreRegKey@@
.?AV?$CAtlArray@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@V?$CElementTraits@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@2@@ATL@@
.?AVCCoreFirefox@@
.?AV?$CFlags@W4CoreFirefoxCache@@@@
.?AV?$_Func_impl@U?$_Callable_obj@V?$_Bind@$00XU?$_Pmf_wrap@P8CCoreChrome@@AEXPAVCCoreSqlite@@PAV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@ZXV1@PAV2@PAV34@U_Nil@std@@U56@U56@U56@U56@@std@@QAVCCoreChrome@@AAV?$_Ph@$00@2@PAV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@U_Nil@2@U72@U72@U72@@std@@$0A@@std@@V?$allocator@V?$_Func_class@XPAVCCoreSqlite@@U_Nil@std@@U23@U23@U23@U23@U23@@std@@@2@XPAVCCoreSqlite@@U_Nil@2@U52@U52@U52@U52@U52@@std@@
.?AVCCoreChrome@@
.?AV?$CFlags@W4CoreChromeCache@@@@
.?AV?$_Func_base@XPAVCCoreSqlite@@U_Nil@std@@U23@U23@U23@U23@U23@@std@@
.?AV?$_Bind@$00XU?$_Pmf_wrap@P8CCoreChrome@@AEXPAVCCoreSqlite@@PAV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@ZXV1@PAV2@PAV34@U_Nil@std@@U56@U56@U56@U56@@std@@QAVCCoreChrome@@AAV?$_Ph@$00@2@PAV?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@U_Nil@2@U72@U72@U72@@std@@
.?AVCCoreFirefoxXpiInstaller@@
.?AV?$_Ref_count_obj@VCCoreOpera@@@std@@
.?AV?$_Ref_count_obj@VCCoreChrome@@@std@@
.?AV?$_Ref_count_obj@VCCoreFirefox@@@std@@
.?AV?$_Ref_count_obj@VCDetectionChromePrefs@@@std@@
.?AV?$_Ref_count_obj@VCDetectionFirefoxPrefs@@@std@@
.?AVCDetectionFirefoxPrefs@@
.?AVCDetectionChromePrefs@@
.?AV?$CAtlArray@UWebArg@@V?$CElementTraits@UWebArg@@@ATL@@@ATL@@
.?AVCCoreWebArgs@@
.?AVCCoreSqlite@@
.?AV?$CAtlArray@PAV?$CAtlMap@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@V12@V?$CElementTraits@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@2@V32@@ATL@@V?$CElementTraits@PAV?$CAtlMap@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@V12@V?$CElementTraits@V?$CStringT@DV?$StrTraitATL@DV?$ChTraitsCRT@D@ATL@@@ATL@@@ATL@@@2@V32@@ATL@@@2@@ATL@@
.?AVCCoreSqliteResult@@
.?AVexecution_error@TinyXPath@@
.?AV?$CFlags@W4CoreOperaCache@@@@
.?AVCCoreOpera@@
.?AUDWebBrowserEvents2@@
.?AVCCoreWebBrowserEvents@@
c:\%original file name%.exe
@.reloc
Vista.BadArgs
\cookie.ini
\cookie.dat
Vista.BadArgs2
Domain%d
Name%d
\cookie%d.dat
\cookie%d.ini
Vista.NoAppLow
Vista.WideFail
Vista.GetCookieFail
Vista.AllocFail
Vista.CreateFileError
Vista.WriteFileError
Vista.SetCookie
SetCookie%d
Vista.SetCookieError
Error: %d. %s
c:\tfs.vs2012\admin\windows\main\Installer.QuickStart.Application\ReleaseNoMFC\Installer.CookieMan.pdb
3 3%3,323
T.qmu
Url 87
(.ALPO
.STBs
6.GQr
Hu.nbKzO
pI.sqO
Db.bE
B(P%S
u.oq$
]j.cA
==.vp
 g.oLWJ
wajam_validate.exe
R2dmjg
Z.Md*J
s1.IE
darkux_3step_r2_v4.vi.zip
T.Kod
.bL{\
Z.ATO
`.LZ/
%S\t|
 .Mw$
B.y%X
*t.hI<{
^.gXd
*^n.qm
.iB$%
.DhEFmJ
_s.UzTo
.OHFG
<_J%C/P3r\
7zip_bimo.vi.zip%k
maxthon.vi.zip
EIWEb76,
offerbox.vi.zip
pcoptimizerpro.vi.zipXQ#
QkKU6sql
n9 .PK
pcspeedup.vi.zip
registryhelper.vi.zip
driverscanner.vi.zip
fulldiskfighter.vi.zipfr$j`
smartpccleaner.vi.zip
speedupmypc_sales_r2_v2.vi.zipk6
weatherbug.vi.zipbC
nortonsecurityscan.vi.zip
wecaresavethechildren.vi.zip5
wecarecleanwater.vi.zip
wecareaspca.vi.zipC
winferno.vi.zip
uninstallhelper.vi.zipl
driverfighter.vi.zip
kaspersky.vi.zip/@/N
slowpcfighter.vi.zip
genieo.vi.zip
searchdonkey.vi.zip
nortoninternetsecurity.vi.zip
defaulttab.vi.zip
knctr.vi.zip: 
yahoosuite.vi.zip 
arcadeparlor.vi.zip
severeweatheralerts.vi.zip
seaapp.vi.zip
nortonantivirus.vi.zip
secureweb.vi.zip{
yahoo_hpds_defaultsearch.test.vi.zip
blasteroids.vi.zip%
blitzmediaplayeroffer.vi.zipXo
mypcbackup.vi.zip
convertfilesforfree.vi.zip
driversupport.vi.zip
contentexplorer.vi.zip!
muvic.vi.zipm
freeflvconverting.vi.zip
smartdriverupdater.vi.zip
rockettab.vi.zip0
surfcanyon.vi.zip
truedownloader.vi.zip`";
yahoo_hpds_startpage.test.vi.zip
converterfreeonline.vi.zip
resultsbay.vi.zip
.iCo7
linkey.vi.zip}
jenkatgamesarcadeplus.vi.zipr
omigaplus.vi.zip
smartweb.vi.zip
websearches.vi.zipUv>
dealgest.vi.zip
yahoo_hpds_defaultsearch.vi.zipDs 0
yahoo_hpds_startpage.vi.zip
yahoo_keepmysettingsx.vi.zip9
7zip_bimo_7268.txt
config.xmlPK
darkux_3step_r2_v4.vi.zipPK
7zip_bimo.vi.zipPK
maxthon.vi.zipPK
offerbox.vi.zipPK
pcoptimizerpro.vi.zipPK
pcspeedup.vi.zipPK
registryhelper.vi.zipPK
driverscanner.vi.zipPK
fulldiskfighter.vi.zipPK
smartpccleaner.vi.zipPK
speedupmypc_sales_r2_v2.vi.zipPK
weatherbug.vi.zipPK
nortonsecurityscan.vi.zipPK
wecaresavethechildren.vi.zipPK
wecarecleanwater.vi.zipPK
wecareaspca.vi.zipPK
winferno.vi.zipPK
uninstallhelper.vi.zipPK
driverfighter.vi.zipPK
kaspersky.vi.zipPK
slowpcfighter.vi.zipPK
genieo.vi.zipPK
searchdonkey.vi.zipPK
nortoninternetsecurity.vi.zipPK
defaulttab.vi.zipPK
knctr.vi.zipPK
yahoosuite.vi.zipPK
arcadeparlor.vi.zipPK
severeweatheralerts.vi.zipPK
seaapp.vi.zipPK
nortonantivirus.vi.zipPK
secureweb.vi.zipPK
yahoo_hpds_defaultsearch.test.vi.zipPK
blasteroids.vi.zipPK
blitzmediaplayeroffer.vi.zipPK
mypcbackup.vi.zipPK
convertfilesforfree.vi.zipPK
driversupport.vi.zipPK
contentexplorer.vi.zipPK
muvic.vi.zipPK
freeflvconverting.vi.zipPK
smartdriverupdater.vi.zipPK
rockettab.vi.zipPK
surfcanyon.vi.zipPK
truedownloader.vi.zipPK
yahoo_hpds_startpage.test.vi.zipPK
converterfreeonline.vi.zipPK
resultsbay.vi.zipPK
linkey.vi.zipPK
jenkatgamesarcadeplus.vi.zipPK
omigaplus.vi.zipPK
smartweb.vi.zipPK
websearches.vi.zipPK
dealgest.vi.zipPK
yahoo_hpds_defaultsearch.vi.zipPK
yahoo_hpds_startpage.vi.zipPK
yahoo_keepmysettingsx.vi.zipPK
7zip_bimo_7268.txtPK
PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
Emscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL
combase.dll
777705555443332
5555443332
5555443332
mscoree.dll
Please email Customer Support at [email protected] if you need further assistance.
Installer.QuickStart
1.0.53.0
safeinstall.exe

%original file name%.exe_1592_rwx_00EC0000_00002000:


The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

%original file name%.exe_1592_rwx_01390000_00002000:


The procedure %s could not be located in the DLL %s.
The ordinal %d could not be located in the DLL %s.

%original file name%.exe_1592_rwx_10001000_00082000:


SSSSh
t%SWh
1.3.6.1.4.1.311.10.3.5
1.3.6.1.4.1.311.10.3.6
1.3.6.1.5.5.7.3.3
2.5.4.6
2.5.4.8
2.5.4.7
2.5.4.10
2.5.4.11
2.5.4.3
WINTRUST.dll
CRYPT32.dll
{X-X-X-XX-XXXXXX}
operator
GetProcessWindowStation
SCC_CheckCriteria_Web
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
2.0.0.29
CryptCATCatalogInfoFromContext
CryptMsgClose
CertCloseStore
CertFreeCertificateContext
CertFindCertificateInStore
CryptMsgGetParam
CertGetEnhancedKeyUsage
CertNameToStrW
CertGetNameStringW
URLOpenStreamW
urlmon.dll
DeleteUrlCacheEntryW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
WININET.dll
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
RegDeleteKeyW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteExW
SHELL32.dll
ole32.dll
SHLWAPI.dll
USERENV.dll
GetProcessHeap
GetWindowsDirectoryW
GetCPInfo
MsgWaitForMultipleObjectsEx
RegEnumKeyExW
RegQueryInfoKeyW
OLEAUT32.dll
SHDeleteKeyW
SHDeleteEmptyKeyW
SYMCCIS.dll
zcÁ
O .BN 
c:\%original file name%.exe
0xX
..\Source\ccVerifyTrustStatic.cpp
%SymEFA%
EFACli.dll
CLSID\%s\LocalServer32
CLSID\%s\InprocServer32
NTDLL.DLL
..\Source\ccVerifyTrustImpl.cpp
..\Source\FileCache.cpp
g..\Source\VerifyFile.cpp
..\Source\ccVerifyTrustPolicy.cpp
..\Source\CatalogIterator.cpp
..\Source\CatalogFileHash.cpp
WinTrust.dll
..\Source\CatalogContext.cpp
..\Source\ccSymModuleLifetimeMgrImpl.cpp
%s, %s, %s, %s(%ld)
..\Source\ccModule.cpp
..\Source\ccSystemInfo.cpp
..\Source\ccRegistry.cpp
..\Source\ccStringConvert.cpp
CSIDL_WINDOWS
SOFTWARE\Microsoft\Windows\CurrentVersion
..\Source\ccPathExpansion.cpp
\\?\UNC
..\Source\ccSplitPath.cpp
..\Source\ccOSInfo.cpp
\wpeutil.dll
\FACTORY.exe
\wpeinit.exe
..\Source\ccMemory.cpp
..\Source\ccFile.cpp
..\Source\ccWow64FsRedirection.cpp
%s\%s
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_FILE_NOT_FOUND
CIsolation::GetRegistryHive(): RegOpenKeyEx() returned ERROR_ACCESS_DENIED
isolate.ini
%COMMON_SILO_DATA%
..\Source\ccEncryptedString.cpp
..\Source\ccSynchronize.cpp
..\Source\ccSymDllLifetimeMgr.cpp
kernel32.dll
KERNEL32.DLL
PSAPI.DLL
..\Source\ccPEBReader.cpp
..\Source\ccPrivilege.cpp
..\Source\ccSymIndexValueCollectionImpl.cpp
AWTSAPI32.DLL
..\Source\ccSymDllLifetimeMgrLocal.cpp
..\Source\ccSymIndexValueCollection.cpp
..\Source\ccSymValueCollection.cpp
ÌROOT%
rcPFRes.dll
rcPxyEvt.dll
rcProxy.dll
rcSvcHst.dll
rcEmlPxy.dll
rcLgView.dll
rcErrDsp.dll
rcAlert.dll
rcApp.dll
ccEmlPxy.dll
ccGLog.dll
ccJobMgr.dll
ccGEvt.dll
ccIPC.dll
ccRkSn.dll
PFPriv.dll
ccPxyIns.dll
ccPxyEvt.dll
ccInst64.dll
ccEvtCli.dll
ccTrstPc.dll
ccSvc.dll
ccEraser.dll
OEHeur.dll
ccCharCv.dll
ccInst.dll
DefUtDCD.dll
ccScanw.dll
ccScan.dll
dec_abi.dll
ccDec.dll
ccALEng.dll
ccErrDsp.dll
ccProSub.dll
ccVrTrst.dll
ccSetEvt.dll
ccSet.dll
ccAlert.dll
..\Source\ccArchive.cpp
..\Source\ccDummyArchive.cpp
..\Source\ccInstanceFactory.cpp
..\Source\ccSymValueCollectionConvert.cpp
..\Source\ccSymStreamArchive.cpp
Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
Software\Microsoft\Windows\CurrentVersion
ÌROOT%\
ÌDATA%\
..\Source\ccSymInstalledApps.cpp
..\Source\ccSymDigest.cpp
..\Source\ccSymKeyValueCollectionImpl.cpp
..\Source\ccSymMemoryImpl.cpp
Archive.Write(CMemoryImpl::CSerializeImpl::Version) == FALSE
Archive.Read(nVersion) == FALSE
..\Source\ccSymStringImpl.cpp
Archive.Write(CStringImpl::Version) == FALSE
..\Source\ccSymInstanceFactoryImpl.cpp
t..\Source\ccMessageLock.cpp
..\Source\ccSymKeyValueCollection.cpp
..\Source\ccSymPersist.cpp
ÌROOT%\ccSet.dll
..\Source\ccSymObjectRepository.cpp
CommonClient\OBJID\%s
..\Source\ccMemoryArchive.cpp
..\Source\ccSymMemoryStreamImpl.cpp
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
FileDownloader::callURLOpenStream
CHttpRequest::CHttpRequest
CHttpRequest::~CHttpRequest
CHttpRequest::RequestPage
CHttpRequest::ParseURLW
https
[s d, d - d:d:d:d]
%s %ld
%s %s
%s 0x%x
http://cps.qalabs.symantec.com/teams/isp/symccis
http://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Staging
http://liveupdate.symantecliveupdate.com/upgrade/NSS/SymCCIS/Production
SymCCIS.dll
SCC.dll
OfferUI.dll
SymInstallStub.exe
SymCCISDll.txt
Total CheckCriteria execution time in seconds =
NortonOfferEngineImpl::CheckCriteria_Web
downloadStubInstallerExe() failed, HR =
Failed to delete existing SCC.dll, GetLastError =
NortonOfferEngineImpl::downloadStubInstallerExe
Failed to delete existing SymInstallStub.exe, GetLastError =
NortonOfferEngineImpl::buildComponentDownloadURL
NortonOfferEngineImpl::getTestEnvironmentRootURL
NortonOfferEngineImpl::getISExeDestPath
getISExeDestPath() returned =
NortonOfferEngineImpl::sendPingForCheckCriteriaWeb
NortonOfferEngineImpl::getCheckCriteriaPingDataWeb
NortonOfferEngineImpl::getStubInstallerCmdLine
getStubInstallerCmdLine() returned =
NortonOfferEngineImpl::deleteDeclineCountRegKeyForThisProduct
NortonOfferEngineImpl::deleteDeclineCountParentKeyIfNoMoreProductsExist
Deleting DeclineCount subkey for partner =
Failed to create/open DECLINE_COUNT_REG_KEY
Advapi32.dll
http://stats.norton.com/n/p?
PingData::SendCheckCriteriaWebPing
PingData::createBaseURL
PingData::getCheckCriteriaPingURL
PingData::getCheckCriteriaWebPingURL
PingData::getInstallProductsPingURL
PingData::getOfferAcceptancePingURL
pingURL =
X.X
%u.%u.%u.%u.%u
Utility::LaunchProcessWithShellExecute
ShellExecuteEx failed, GetLastError =
; 5->>>>
000000000
00000000000001

%original file name%.exe_1592_rwx_10084000_00002000:


NRTN_OfferEngine_CheckCriteria_Web
kernel32.dll
urlmon.dll
URLOpenStreamW
WININET.dll
USER32.dll
MsgWaitForMultipleObjectsEx
ADVAPI32.dll
SHELL32.dll
ole32.dll
SHLWAPI.dll
USERENV.dll
OLEAUT32.dll
2.0.0.29

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\custom-check.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\rockettab.vi.zip (883 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\smartdriverupdater.vi.zip (928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\screen.js (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\uninstallhelper.vi.zip (507 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\secureweb.vi.zip (821 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\pcspeedup.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\pcspeedup.vi.zip (820 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoosuite.vi.zip (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\bg-installprogress.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\title-bar.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\process.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\blasteroids.vi.zip (833 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\websearches.vi.zip (731 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\muvic.vi.zip (786 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\responsemanager.js (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\screenmanager.js (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_hpds_startpage.test.vi.zip (739 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\knctr.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_keepmysettingsx.vi.zip (412 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\searchdonkey.vi.zip (861 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\btn.png (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\maxthon.vi.zip (754 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\registryhelper.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\arcadeparlor.vi.zip (889 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\close.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\knockout-2.2.1.js (2696 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SCC[1].dll (25212 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\json2.js (776 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\radio.png (870 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\linkey.vi.zip (1 bytes)
   %System%\wbem\Logs\wbemprox.log (228 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\speedupmypc_sales_r2_v2.vi.zip (825 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\darkux_3step_r2_v4.vi.zip (11960 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\yahoo-widget.png (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\fulldiskfighter.vi.zip (968 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\6585c1ccff5df84f586b306fb4b22a9a.log (3557835 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\speedupmypc_sales_r2_v2.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\point-loadingbar.png (205 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\driverfighter.vi.zip (939 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_hpds_defaultsearch.vi.zip (434 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\registryhelper.vi.zip (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\ping.response.json (388 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\winferno.vi.zip (941 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\defaulttab.vi.zip (866 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SCC.dll (14951 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\yahoo.js (806 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\jquery.min.js (6984 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\loadingbar.png (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\wecareaspca.vi.zip (973 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_hpds_defaultsearch.test.vi.zip (739 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\btn-win.png (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\checkbox.png (650 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\testsuitemanager.js (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\seaapp.vi.zip (885 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\truedownloader.vi.zip (818 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\vd1-yahoo-toolbar.png (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dealgest.vi.zip (759 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\common.js (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\step-contents.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\smartpccleaner.vi.zip (930 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\uifactory.js (381 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\offerbox.vi.zip (793 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\clickmanager.js (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\freeflvconverting.vi.zip (999 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\btn-win-cancel.png (776 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\convertfilesforfree.vi.zip (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\wecaresavethechildren.vi.zip (955 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\smartweb.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ENG.SCC.config[1].txt (739 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\fulldiskfighter.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\nortonsecurityscan.vi.zip (834 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\severeweatheralerts.vi.zip (816 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\offerparser.js (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\smartpccleaner.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\lodash.custom.min.js (1928 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\7zip_bimo.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\step-contents-stepped.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\contentexplorer.vi.zip (823 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\screenfactory.js (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\knctr.vi.zip (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\container-separator.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\omigaplus.vi.zip (726 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\genieo.vi.zip (904 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\noyahoo.js (226 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\slowpcfighter.vi.zip (926 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\pcoptimizerpro.vi.zip (720 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\nortonantivirus.vi.zip (892 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\jquery-1.10.2.min.js (6984 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\7zip_bimo\7-zip_new.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SymCCIS2.zip (161 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\nortoninternetsecurity.vi.zip (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\installprogress.png (998 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\smartdriverupdater.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\darkux_3step_r2_v4.vi.json (75 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\darkux_3step_r2_v4.vi.html (776 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\minmax.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\filewhiz_tn.png (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\view.darkux_3step_r2_v4.vi.json (9 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\css\style.css (392 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\driverfighter.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\converterfreeonline.vi.zip (690 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\kaspersky.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\7zip_bimo_7268.txt (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\blitzmediaplayeroffer.vi.zip (852 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\kaspersky.vi.zip (888 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\utils.js (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\bg-loadingbar.png (297 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\nortonsecurityscan.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\surfcanyon.vi.zip (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SymCCIS.dll (11704 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\wecarecleanwater.vi.zip (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\custom-form-elements.js (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SCC.config (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\7zip_bimo.vi.zip (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\contentexplorer.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\jenkatgamesarcadeplus.vi.zip (856 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\weatherbug.vi.zip (889 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\resultsbay.vi.zip (664 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\config.xml (15904 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\driverscanner.vi.zip (811 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\mypcbackup.vi.zip (904 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\yahoo_hpds_startpage.vi.zip (422 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\product-icon.png (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\script.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SCCLog.txt (168898 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\pcoptimizerpro.vi.json (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\SymCCISDll.txt (38245 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\smartweb.vi.zip (821 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\js\config.js (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\driversupport.vi.zip (882 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\qs_12212020\dialogs\library\images\bg_disc_wrap.gif (2 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.